Issues with elf file injection tutorial by pico

linux

(sam) #1

So i’ve been reading through and understanding pico’s elf file injector tutorial. Everything so far i’m understanding, however when it comes to the patching of the entry points etc in the:

elfi_mem_subst() function within the tutorial code.

From my understanding once the .text section of the payload has been written to the code cave after the .text section within the target file, we then have to use the elfi_mem_subst function to patch the return address to be the original entry point of the file right? So the original program can execute once our payload has been executed? (correct me if i’m misunderstanding)

Here is the code for the function:
indent preformatted text by 4 spaces

int
elfi_mem_subst (void *m, int len, long pat, long val)
{
  unsigned char *p = (unsigned char*)m;
  long v;
  int i, r;

for (i = 0; i < len; i++)
{
  v = *((long*)(p+i));
  r = v ^pat;

  if (r ==0) 
{
  printf ("+ Pattern %lx found at offset %d -> %lx\n", pat, i, val);
  *((long*)(p+i)) = val;
  return 0;
}
}
 return -1;
}

So from my understanding we are looping n times the size of the payload and we keep adding each increment of i to the pointer which starts at the start of the end of .text section of the target file until we get to the end of the payload text within the gap to reach where the return address should be , to change the return address to patch it and point to the entry point of the target program. (correct me if i’m inccorect)

However I’m unsure of what this command is supposed to be doing, and why?

r = v ^pat;

and once this function is called we then patch the entry point of the file to point to this payload and then once called the payload the return address of the function will take us to the start executing the original target file’s code?

However once i run the code, it succesffuly infects the file, however the original code results in a unauthorised access of memory error:

segmentation fault

I’m just wondering why this is the case? because we patched the original entry point and the return address to point back to the original code for normal execution after our payload right? So is the return address pointing to the wrong location?

If anyone who is experienced with this could you kindly help me understand this part and what is going on with the patching and why i’m getting a segmentation fault and some pointers on how to resolve this?

thanks in advance,
Bramble.


(sam) #2

@slevin in the comments you seemed to off ran into the same issues? i attempted with ur payload with the same results. Or am i missing something?(in terms of theory)

I would greatly appreciate it if you, or @0x00pf could help me out? No worries if you guys can’t and thanks for the time. ^.^


(sam) #3

I’ve managed to get the example code in the tutorial working, apparently it only works when the elf is static , not dynamically linked. Though i am curious as to why? hmmm.


(pico) #4

Hi @bramble,

Thanks for reading my tutorial hope you enjoyed it and find it somehow useful.

This is just a XOR that will be 0 whenever both values v and pat are equal. It is just a way to check if you have found the pattern you are looking for.

That is probably the case. The best way to find out is just to debug your patched program and see what is going on. Actually that’s the best way to fully understand this kind of stuff.

Go run the debugger, find the problem and fix it! :wink:

I’d used dynamic binaries while writing the tutorial, so, I believe the real reason behind this behaviour is something else… Verify your binaries are not PIE, for instance.

Take a look to this other thread

Hope this helps


#5

Sorry for the late reply. Glad you got it working!

I got a version working with PIE (Position-Independent Executables), where the you don’t set the entry point statically, but by offset. It’s a while a go, but you’re welcome to check it the code.


(sam) #6

Thank you much guys, and thanks for sharing your code! I’ll disect and learn from it now :wink:


(system) #7

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.