the elf in elf
play

The elf in ELF use 0-day to cheat all disassemblers david942j @ - PowerPoint PPT Presentation

Aug 20, 2022 •544 likes •1.16k views

The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk Tricks to cheat disassemblers objdump, readelf, IDA Pro, etc. 2 . 1 IDA Pro The best tool for reverse-engineering Take it as examples in this

  1. The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1

  2. This talk Tricks to cheat disassemblers objdump, readelf, IDA Pro, etc. 2 . 1

  3. IDA Pro The best tool for reverse-engineering Take it as examples in this talk 2 . 2

  4. anti-reverse-engineering - What you see is NOT what it really is IDA Pro 2 . 3

  5. Introduction to ELF 3 . 1

  6. ELF Executable and Linkable Format Linux 3 . 2

  7. Header ELF header Section header (not important here) Program header 3 . 3

  8. 3 . 4

  9. ELF header ELF class: 32 / 64-bit arch: x86 / ARM / MIPS .. section / program header 3 . 5

  10. Section header (static linker) ELF .text , .rodata , etc. 3 . 6

  11. Program header Needed Libraries, Segment Permissions, etc. _DYNAMIC table 3 . 7

  12. _DYNAMIC 3 . 8

  13. Example #include <stdio.h> #include <iostream> using std::cout; int main() { char s[100] = {}; scanf("%99s", s); // libc.so.6#scanf cout << "Hello, " << s << "!\n"; // libstdc++.so.6#std::cout return 0; } 3 . 9

  14. _DYNAMIC Need libraries: libc.so.6, libstdc++.so.6 Need functions: scanf & std::cout ld.so _DYNAMIC function 3 . 10

  15. In this talk IDA Pro _DYNAMIC table e.g. IDA Pro printf system 0-day bug in Linux kernel Bug(?) in ld.so 3 . 11

  16. The Linux 0-day bug 4 . 1

  17. PT_LOAD 4 . 2

  18. PT_LOAD Program header PT_LOAD entry ELF memory 4 . 3

  19. PT_LOAD 4 . 4

  20. Memory mapping ELF file In memory 0x0 0x400000 ELF header program header many tables.. executable executable code .rodata .eh_frame 0x400e08 0xe08 ... .init_array/.fini_array 0x600000 .dynamic 0x600e08 .data/.bss data 4 . 5

  21. Linux#execve 4 . 6

  22. linux/fs/binfmt_elf.c#load_elf_binary Read and check ELF header Parse program header PT_INTERP PT_LOAD PT_GNU_STACK Setup AUXV 4 . 7

  23. AUXV AUXiliary Vector interpreter(ld.so) AT_PHDR AT_ENTRY AT_UID ... 4 . 8

  24. Flow of execve execve("a.out", ... ) load_elf_binary mmap(PT_LOADs) kernel space load_elf_interp (ld.so) create_elf_tables (AUXV) *phdr, phnum, *entry, *auxv ld.so#dl_main load_libraries elf_dynamic_do_rela (relocation) 4 . 9

  25. Bug Kernel AT_PHDR 4 . 10

  26. binfmt_elf.c#create_elf_tables 4 . 11

  27. Normally load_addr exec->e_phoff 0x400000 0x40 0x400040 4 . 12

  28. load_addr is The �rst LOADed address 4 . 13

  29. ELF file In memory 0x0 0x400000 ELF header program header many tables.. executable executable code .rodata .eh_frame 0x400e08 0xe08 ... .init_array/.fini_array 0x600000 .dynamic 0x600e08 .data/.bss data 4 . 14

  30. Nobody promises PHDR is located in the �rst PT_LOAD 4 . 15

  31. Put PHDR in the second PT_LOAD 4 . 16

  32. ELF file In memory 0x0 0x400000 ELF header load_addr many tables.. executable code .eh_frame ... .init_array/.fini_array 0x4000 fake program header 0x604000 fake prog. hdr e_phoff .data .data 0x204000 program header 0x804000 program header 4 . 17

  33. Effect Kernel loads binary correctly But kernel cheats ld.so the address of PHDR 4 . 18

  34. ld.so 4 . 19

  35. ld.so ? Load shared libraries Process dynamic relocation 4 . 20

  36. _DYNAMIC 4 . 21

  37. function e.g. printf -> system 4 . 22

  38. 4 . 23

  39. Relocation type 1: scanf scanf@got type 2: put backdoor on scanf@got 4 . 24

  40. relocation table IDA scanf relocate 4 . 25

  41. lea rdi,[rip+0xba] int ret = scanf(args); mov eax,0x0 if ( trigger (args)) call 5f0 <scanf@plt> backdoor (); lea rdx,[rbp­0xe0] return ret; lea rax,[rbp­0x70] 4 . 26

  42. Demo 4 . 27

  43. Let's play ld.so 5 . 1

  44. PT_PHDR in Program header 5 . 2

  45. PT_PHDR points to itself ELF file ELF header program header PT_PHDR PT_LOAD PT_LOAD ... 5 . 3

  46. glibc/elf/rtld.c#1147 for (ph = phdr; ph < &phdr[phnum]; ++ph) switch (ph->p_type) { case PT_PHDR: /* Find out the load address. */ main_map->l_addr = phdr - ph->p_vaddr; break; case PT_DYNAMIC: /* This tells us where to find the dynamic section, which tells us everything we need to do. */ main_map->l_ld = main_map->l_addr + ph->p_vaddr; break; 5 . 4

  47. PT_PHDR ld.so binary ! 5 . 5

  48. the Linux kernel bug Program header for kernel for ld.so 5 . 6

  49. ? ld.so binary 5 . 7

  50. program header PT_PHDR main_map->l_addr = phdr - ph->p_vaddr PT_LOAD PT_LOAD PT_DYNAMIC main_map->l_ld = main_map->l_addr + ph->p_vaddr ... 5 . 8

  51. Use two PT_PHDR s 5 . 9

  52. glibc/elf/rtld.c#1147 for (ph = phdr; ph < &phdr[phnum]; ++ph) switch (ph->p_type) { case PT_PHDR: /* Find out the load address. */ main_map->l_addr = phdr - ph->p_vaddr; break; case PT_DYNAMIC: /* This tells us where to find the dynamic section, which tells us everything we need to do. */ main_map->l_ld = main_map->l_addr + ph->p_vaddr; break; 5 . 10

  53. Two PT_PHDR s PT_PHDR main_map->l_addr = phdr - ph->p_vaddr PT_DYNAMIC main_map->l_ld = main_map->l_addr + ph->p_vaddr PT_PHDR main_map->l_addr = phdr - ph->p_vaddr PT_LOAD PT_LOAD ... 5 . 11

  54. _DYNAMIC relocation 5 . 12

  55. Demo Given two ELFs Looks like A in IDA Pro but actually B 5 . 13

  56. Conclusion 6 . 1

  57. The Linux kernel 0-day bug Kernel calculates PHDR incorrectly ld.so gets wrong address of program header 6 . 2

  58. ld.so ld.so using PT_PHDR for calculating base address Nobody checks correctness of PT_PHDR 6 . 3

  59. _DYNAMIC table 6 . 4

  60. david942j @ 7 . 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3 Gang Huang 1 , Xuanzhe Liu 1 , Felix Xiaozhu Lin 2 1 Peking University, 2 Purdue University, 3 Microsoft Research, 1 Video Analytics is a Killer App

984 views • 39 slides
LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo Conclusion About Romain Thomas - Security engineer at Quarkslab Working on obfuscation and software

614 views • 27 slides
CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville

CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville

CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville and Steve Wolfman PART 1 SETS Unit 12: Sets and Functions 2 What is a Set? A set is an unordered collection of objects. The objects in a set

797 views • 32 slides
Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto

Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto

Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto Dipartimento di Informatica - University of Verona (Italy) BYTECODE/ETAPS 2013 Scapin and Spoto (univr.it) Unreachability &amp; Non-Cyclicity Analysis

776 views • 26 slides
Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference &amp; IOT summit -

Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference &amp; IOT summit -

Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference &amp; IOT summit - Portland OR Agenda Introduction Knowing the Tools Data Types and sizes Variable and Function Types Loops Low Level

580 views • 27 slides
:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

Extension , Galois Galois Intermediate I : Extensions lame l Gal LEIF ) t.EE if ] ' tf Galois Elf is :i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and [ E : F) so let G - suppose

1.01k views • 15 slides
Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007 Metasm Demonstrations Presentation

Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007 Metasm Demonstrations Presentation

Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007 Metasm Demonstrations Presentation I am Yoann Guillot I work for Sogeti/ESEC in the security R&amp;D lab Metasm HACK.LU 2007 2 / 23 Architecture overview Assembly Disassembly

708 views • 26 slides
Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 -

Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 -

Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 - 10-min time slots from 1:30pm-9:20pm - Write functions print_char and print_string - Answer the questions: How to move the kernel from disk to

835 views • 27 slides
Binary compatibility on NetBSD Emmanuel Dreyfus, july 2014 About me Emmanuel Dreyfus

Binary compatibility on NetBSD Emmanuel Dreyfus, july 2014 About me Emmanuel Dreyfus

Binary compatibility on NetBSD Emmanuel Dreyfus, july 2014 About me Emmanuel Dreyfus &lt;manu@netbsd.org&gt; IT manager at ESPCI ParisTech as daylight job NetBSD contributor since 2001 Milter-greylist since 2006 OpenLDAP,

589 views • 22 slides
&amp; Process Address Space Nima Honarmand Spring 2017 :: CSE 506 Virtual Memory (VM) Recap

&amp; Process Address Space Nima Honarmand Spring 2017 :: CSE 506 Virtual Memory (VM) Recap

Spring 2017 :: CSE 506 Virtual Memory &amp; Process Address Space Nima Honarmand Spring 2017 :: CSE 506 Virtual Memory (VM) Recap Primary purpose? Isolate each process to its own address space Components Address translation

716 views • 36 slides
Arm cross development tools the GNU C compiler, binutils and glibc can be configured to target the

Arm cross development tools the GNU C compiler, binutils and glibc can be configured to target the

slide 1 gaius Arm cross development tools the GNU C compiler, binutils and glibc can be configured to target the arm series of microprocessors Raspberry Pi uses an arm11 processor processor runs at 700Mhz cross development tools are much

193 views • 17 slides
Linking Eric McCreath Introduction One of the key resources that an operating system is called

Linking Eric McCreath Introduction One of the key resources that an operating system is called

Linking Eric McCreath Introduction One of the key resources that an operating system is called upon to manage is main (primary) memory. Generally a programer does not have to worry about which particular addresses are used for their programs.

735 views • 7 slides
The Usefulness of Sparsifiable Inputs: How to Avoid Subexponential iO Thomas Agrikola 1 Geoffroy

The Usefulness of Sparsifiable Inputs: How to Avoid Subexponential iO Thomas Agrikola 1 Geoffroy

The Usefulness of Sparsifiable Inputs: How to Avoid Subexponential iO Thomas Agrikola 1 Geoffroy Couteau 2 Dennis Hofheinz 3 1 Karlsruhe Institute of Technology (KIT), Germany 2 IRIF, Paris-Diderot University, CNRS, France 3 ETH Zurich, Switzerland

909 views • 47 slides
Embedded Systems Programming ES Development Environment (Module 3) Yann-Hang Lee Arizona State

Embedded Systems Programming ES Development Environment (Module 3) Yann-Hang Lee Arizona State

Embedded Systems Programming ES Development Environment (Module 3) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Embedded System Development

403 views • 11 slides
Santa Claus with Mobile with Mobile Santa Claus with Mobile Santa Claus Reindeer

Santa Claus with Mobile with Mobile Santa Claus with Mobile Santa Claus Reindeer

Santa Claus with Mobile with Mobile Santa Claus with Mobile Santa Claus Reindeer and Elves Reindeer and Elves Reindeer and Elves Peter Welch ( phw@kent.ac.uk ) Matt Pedersen ( matt@faculty.egr.unlv.edu ) CPA 2008 (09/07/2008)

1.27k views • 60 slides
Makefiles CS 2XA3 Term I, 2020/21 Outline Example Calling make Syntax How it works Macros

Makefiles CS 2XA3 Term I, 2020/21 Outline Example Calling make Syntax How it works Macros

Makefiles CS 2XA3 Term I, 2020/21 Outline Example Calling make Syntax How it works Macros Suffix rules Command line options Example Assume we have files main.c , test.c , and lo.asm Consider the makefile program: main.o test.o lo.o gcc

417 views • 19 slides
WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx SHAPIRO DARTMOUTH COLLEGE TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY

566 views • 13 slides
Person Re-identification Introduction and Future Trends Shengcai Liao Institute of Automation

Person Re-identification Introduction and Future Trends Shengcai Liao Institute of Automation

Person Re-identification Introduction and Future Trends Shengcai Liao Institute of Automation Chinese Academy of Sciences ICPR 2018 Tutorial Beijing CONTENT Introduction 01 02 Approach 03 Evaluation and Benchmark 04 Future

855 views • 37 slides
in Virtual Environments Representing People Representing People Whats in this lecture?

in Virtual Environments Representing People Representing People Whats in this lecture?

Will Steptoe 30 th November 2010 in Virtual Environments Representing People Representing People Whats in this lecture? Part 1 : Virtual Characters History, Agency, Control in Immersive and Non- History Agency Control in Immersive

1.01k views • 69 slides
AIs in Social Environments CS 278 | Stanford University | Michael Bernstein Announcements

AIs in Social Environments CS 278 | Stanford University | Michael Bernstein Announcements

AIs in Social Environments CS 278 | Stanford University | Michael Bernstein Announcements Project presentations on Wednesday What we care about Final projects due next Tuesday, June 11 Class evaluations now open, feedback welcome 2 Last time

735 views • 39 slides
Introduction to Natural Language Processing CMSC 470 Marine Carpuat Natural Language Processing

Introduction to Natural Language Processing CMSC 470 Marine Carpuat Natural Language Processing

Introduction to Natural Language Processing CMSC 470 Marine Carpuat Natural Language Processing (NLP) The engineering discipline of doing what people do with language, but using computers Computational Linguistics (CL) The science of

934 views • 28 slides
The ShanghAI Lectures An experiment in global teaching Fabio Bonsignorio The BioRobotics

The ShanghAI Lectures An experiment in global teaching Fabio Bonsignorio The BioRobotics

The ShanghAI Lectures An experiment in global teaching Fabio Bonsignorio The BioRobotics Institute, SSSA and Heron Robots Today from the BioRobotics Institute, Pontedera (PI)

557 views • 24 slides
PDSF User Meeting September 1, 2015 Lisa Gerhardt Utilization -

PDSF User Meeting September 1, 2015 Lisa Gerhardt Utilization -

PDSF User Meeting September 1, 2015 Lisa Gerhardt Utilization - 2 - Past Outages 8/12/15 (2 days): NERSC system wide outage from power event Planned

198 views • 8 slides
Language Processing with Perl and Prolog Chapter 10: Partial Parsing Pierre Nugues Lund

Language Processing with Perl and Prolog Chapter 10: Partial Parsing Pierre Nugues Lund

Language Technology Language Processing with Perl and Prolog Chapter 10: Partial Parsing Pierre Nugues Lund University Pierre.Nugues@cs.lth.se http://cs.lth.se/pierre_nugues/ Pierre Nugues Language Processing with Perl and Prolog 1 / 44

578 views • 44 slides

More recommend