Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away. | |
Antoine de Saint-Exupery |
This is the platform dependent part of Additional code segments (i).
Using the scanner in Scanning for NOTE (i) we exercise a systematic search for targets. The scripts and intermediate steps are shown in Food for segment padding. Here come just the results:
Output: out/sparc-sunos5.9/scanner/additional_cs/find-ok
4 out/sparc-sunos5.9/scanner/additional_cs/big.dynamic.ok
0 out/sparc-sunos5.9/scanner/additional_cs/big.static.ok
4 total |
With 4 + 0 possible targets the NOTE segment is nothing more than a curiosity on Solaris.
Output: out/sparc-sunos5.9/scanner/additional_cs/infect.filetype
/usr/bin/crle: ELF 32-bit MSB executable SPARC Version 1, dynamically
linked, stripped
/usr/bin/ldd: ELF 32-bit MSB executable SPARC Version 1, dynamically
linked, stripped
/usr/bin/pvs: ELF 32-bit MSB executable SPARC Version 1, dynamically
linked, stripped |
And this should give you an idea of minimum and maximum size of found segments.
Output: out/sparc-sunos5.9/scanner/additional_cs/big.dynamic
CHECK: 0 != 0; 0 != 0
CHECK: /usr/lib/ssh/ssh-http-proxy-connect
CHECK: src/scanner/additional_cs/action.inc#9
CHECK: (phdr_note) != (0)
CHECK: 0 != 0; 0 != 0
CHECK: /usr/lib/ssh/ssh-socks5-proxy-connect
CHECK: src/scanner/additional_cs/action.inc#9
CHECK: (phdr_note) != (0)
CHECK: 0 != 0; 0 != 0
files=928; ok=4; detected=924; min=46; max=46 |
Command: pre/sparc-sunos5.9/additional_cs/note/objdump-name.sh
#!/usr/xpg4/bin/sh
shell=$( /usr/xpg4/bin/sed 1q \
out/sparc-sunos5.9/scanner/additional_cs/infect )
[ -x ${shell} ] || exit 1
/usr/bin/echo shell="${shell}"
/opt/sfw/bin/gobjdump -h ${shell} \
| /usr/perl5/5.6.1/bin/perl -ane \
'if (/\s+\.note[A-Za-z\.-]*\s+/) {
print "index=$F[0]\nname=\"$F[1]\"\n# $_";
exit 0;
}' |
Output: out/sparc-sunos5.9/additional_cs/note/objdump-name
shell=/usr/bin/crle
index=24
name=".note"
# 24 .note 0000002e 0000000000000000 0000000000000000 00008d70 2**2 |
Command: pre/sparc-sunos5.9/additional_cs/note/objdump.sh
#!/usr/xpg4/bin/sh
. out/sparc-sunos5.9/additional_cs/note/objdump-name
/opt/sfw/bin/gobjdump -j ${name} -d ${shell} \
2>&1 | pre/sparc-sunos5.9/magic_elf/objdump_format.pl |
Output: out/sparc-sunos5.9/additional_cs/note/objdump
/opt/sfw/bin/gobjdump: /usr/bin/crle: no symbols
/usr/bin/crle: file format elf32-sparc
|
Command: pre/sparc-sunos5.9/additional_cs/note/readelf-name.sh
#!/usr/xpg4/bin/sh
shell=$( /usr/xpg4/bin/sed 1q \
out/sparc-sunos5.9/scanner/additional_cs/infect )
[ -x ${shell} ] || exit 1
/usr/bin/echo shell="${shell}"
/opt/sfw/bin/greadelf -S ${shell} \
| /usr/perl5/5.6.1/bin/perl '-anF/[\s\[\]]+/' -e \
'if ($F[3] eq "NOTE") {
print "index=$F[1]\nname=\"$F[2]\"\n";
exit 0;
}' |
Output: out/sparc-sunos5.9/additional_cs/note/readelf-name
shell=/usr/bin/crle
index=25
name=".note" |
Command: pre/sparc-sunos5.9/additional_cs/note/readelf.sh
#!/usr/xpg4/bin/sh
. out/sparc-sunos5.9/additional_cs/note/readelf-name
/opt/sfw/bin/greadelf -x ${index} ${shell}
/usr/bin/echo "section=${index} status=$?" |
Output: out/sparc-sunos5.9/additional_cs/note/readelf
section=25 status=139 |
Command: pre/sparc-sunos5.9/additional_cs/note/offset.sh
#!/usr/xpg4/bin/sh
shell=$( /usr/xpg4/bin/sed 1q \
out/sparc-sunos5.9/scanner/additional_cs/infect )
echo "shell='${shell}'"
/opt/sfw/bin/gobjdump -p ${shell} \
| /usr/perl5/5.6.1/bin/perl -ne \
'if (s/^\s*NOTE\s+//) {
# convert all hexadecimal fields into assignments
s/ *(\w+)\s+0x([0-9a-fA-F]+)/sprintf("%s=%d\n", $1, hex($2))/ge;
s/\n .*//; # cut off trailing "align 2**2"
$_ .= <>; # append second line
# convert all appended hexadecimal fields into assignments
s/ *(\w+)\s+0x([0-9a-fA-F]+)/sprintf("%s=%d\n", $1, hex($2))/ge;
s/\n .*//; # cut off trailing "flags r--"
print $_;
exit 0;
}' |
Output: out/sparc-sunos5.9/additional_cs/note/offset
shell='/usr/bin/crle'
off=36208
vaddr=0
paddr=0
filesz=46
memsz=0 |
At this point the actual dump is just a variation on Strings and dumps. A classic byte-wise octal dump using only classic options of classic tools:
Command: pre/sparc-sunos5.9/additional_cs/note/od.sh
#!/usr/xpg4/bin/sh
. out/sparc-sunos5.9/additional_cs/note/offset
/usr/bin/dd if=${shell} bs=1 skip=${off} count=${filesz} \
| /usr/xpg4/bin/od -c |
Output: out/sparc-sunos5.9/additional_cs/note/od
0000000 \0 \0 \0 " \0 \0 \0 \0 \0 \0 \0 \0 \t S o l
0000020 a r i s L i n k E d i t o r
0000040 s : 5 . 9 - 1 . 2 7 6 \n \0
0000056 |
Command: pre/sparc-sunos5.9/additional_cs/note/xxd.sh
#!/usr/xpg4/bin/sh
. out/sparc-sunos5.9/additional_cs/note/offset
/opt/sfw/bin/xxd -l ${filesz} -s ${off} ${shell} |
Output: out/sparc-sunos5.9/additional_cs/note/xxd
0008d70: 0000 0022 0000 0000 0000 0000 0953 6f6c ...".........Sol
0008d80: 6172 6973 204c 696e 6b20 4564 6974 6f72 aris Link Editor
0008d90: 733a 2035 2e39 2d31 2e32 3736 0a00 s: 5.9-1.276.. |
Output: out/sparc-sunos5.9/additional_cs/e1i1/infect
/usr/bin/crle ... wrote 80 bytes, Ok
/usr/bin/ldd ... wrote 80 bytes, Ok
/usr/bin/pvs ... wrote 80 bytes, Ok
files=3; ok=3; failed=0 |
Output = Command: out/sparc-sunos5.9/additional_cs/test-e1i1.sh
#!/usr/xpg4/bin/sh
echo "pid=[$$]"
cd tmp/sparc-sunos5.9/additional_cs/e1i1
echo "TERM=[$TERM]"
./ldd_infected -h | sed 1q
./pvs_infected 2>&1
echo "---"
/usr/bin/cat crle_infected > strip_crle_infected \
&& /usr/ccs/bin/strip strip_crle_infected \
&& /usr/bin/chmod 755 strip_crle_infected \
&& ./strip_crle_infected |
Output: out/sparc-sunos5.9/additional_cs/test-e1i1
pid=[14659]
TERM=[xterm]
ELF libelf.so.1 => /usr/lib/libelf.so.1
ELF---
ELF |
This method works, but is not safe to strip. Well, let's compare the infected target with the the original.
Output: out/sparc-sunos5.9/additional_cs/readelf
-rwxr-xr-x 1 alba alba 37712 Feb 15 2003 crle_infected
-rwxr-xr-x 1 alba alba 37712 Feb 15 2003 strip_crle_infected
-r-xr-xr-x 1 root bin 37624 Sep 6 02:29 /usr/bin/crle
Elf file type is EXEC (Executable file)
Entry point 0xe300
There are 7 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x00010034 0x00000000 0x000e0 0x000e0 R E 0
INTERP 0x000114 0x00000000 0x00000000 0x00011 0x00000 R 0
[Requesting program interpreter: /usr/lib/ld.so.1]
LOAD 0x000000 0x00010000 0x00000000 0x0865d 0x0865d R E 0x10000
LOAD 0x008660 0x00028660 0x00000000 0x00710 0x0106c RWE 0x10000
DYNAMIC 0x008a1c 0x00028a1c 0x00000000 0x000e8 0x00000 RWE 0
LOOS+ffffffb 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0
LOAD 0x009300 0x0000e300 0x0000e300 0x00050 0x00050 R E 0x10000
Section to Segment mapping:
Segment Sections...
00
01
02 .interp .hash .dynsym .dynstr .SUNW_version .SUNW_version .SUNW_versym .rela.ex_shared .rela.cpp_finidata .rela.data .rela.bss .rela.plt .text .init .fini .exception_ranges .rodata
03 .got .plt .dynamic .ex_shared .cpp_finidata .data .bss
04
05
06 |
File size grew 37712 - 37624 = 88 bytes. This number is meaningless if the original target was stripped. In that case the additional bytes of the symbol table far outweigh the infection. Anyway, even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.
Command: pre/sparc-sunos5.9/additional_cs/scan_segment.sh
#!/usr/xpg4/bin/sh
TEVWH_TMP=tmp/sparc-sunos5.9
export TEVWH_TMP
shell=$( /usr/xpg4/bin/sed 1q \
out/sparc-sunos5.9/scanner/segment_padding/infect )
/usr/bin/echo "${shell}
tmp/sparc-sunos5.9/additional_cs/e1i1/${shell##*/}_infected" \
| tmp/sparc-sunos5.9/scanner/segment_padding |
Output: out/sparc-sunos5.9/additional_cs/scan
/usr/bin/csh ... delta=0x10b5c, Ok
(2) No such file or directory
CHECK: additional_cs/e1i1/csh_infected
CHECK: src/one_step_closer/open_src.inc#9
CHECK: (0) <= (t->fd_src = open(t->src_file, 0))
CHECK: 0 <= -1; 0 <= 0xffffffff
files=2; ok=1; det_page=1; det_align=0; min=0x10b5c; max=0x10b5c |
Case closed. Guilty of failure.