The elf in ELF. use 0-day(s) to cheat all disassemblers 1. 1

Transcription

1 The elf in ELF use 0-day(s) to cheat all disassemblers HITCON CMT

2 david942j Who Am I Linux 2. 1

3 This talk 3 tricks to cheat disassemblers objdump, IDA Pro, etc. 3. 1

4 IDA Pro's bug Linux kernel 0-day bug Cheating ELF interpreter (ld.so) 3. 2

5 What you see is NOT how it runs / scanner anti-reverse-engineering 3. 3

6 Introduction to ELF 4. 1

7 ELF Executable and Linkable Format Linux 4. 2

8 Header ELF header Program header Section header 4. 3

9 4. 4

10 ELF header ELF class: 32/64-bit arch: x86/arm/mips.. program/section header 4. 5

11 Program header Needed Libraries, Segment Permissions, etc. 4. 6

12 Section header Compile ELF.text,.rodata, etc. (static linker) 4. 7

13 In brief ELF header mandatory Program header Runtime Section header Compile time 4. 8

14 5. 1

15 Idea Section header can be removed can be forged 5. 2

16 Forge section header Cheating objdump Cheating IDA Pro 5. 3

17 IDA Pro considers sections 5. 4

18 .text 5. 5

19 .text user IDA Pro code.text 5. 6

20 .text 5. 7

21 Shrink.text 5. 8

22 ) ) 5. 9

23 But

24 code code 5. 11

25 : binary 5. 12

26 .init_array/.fini_array 5. 13

27 INIT / FINI_ARRAY Array of function pointers before / after main 5. 14

28 #include <stdio.h> attribute ((constructor)) void before() { puts("before main"); } attribute ((destructor)) void after() { puts("after main"); } int main() { puts("hi"); return 0; } 5. 15

29 In program header dynamic_tag 5. 16

30 In section header 5. 17

31 .text 5. 18

32 Shrink.fini_array's size 5. 19

33 1. code.text 2. FINI_ARRAY entry code 3..text &.fini_array 4. main 5. 20

34 Demo? 5. 21

35 IDA Pro 5. 22

36 Try newer version of IDA Pro 5. 23

37 (T T) 5. 24

38 IDA Pro

39 IDA Pro 7.0 uses LOAD instead of.text Bug xed QQ 5. 26

40 is dead IDA Pro 6.x IDA Pro

41 2 6. 1

42 IDA Pro relocation.init_array/.fini_array

43 Relocation? 6. 3

44 Relocation phdr DYNAMIC 6. 4

45 FINI_ARRAY PIE (position-independent executable) FINI_ARRAY ld.so relocation table function FINI_ARRAY 6. 5

46 Relocation of FINI_ARRAY ELF File RELA put base+0xab0 at base+0x200db0... FINI_ARRAY 0xab0 Memory base+0xab0 base base+0x200db0 6. 6

47 Relocation of FINI_ARRAY ELF File RELA put base+0xab0 at base+0x200db0... FINI_ARRAY 0xab0 Memory base+0xab0 base base+0x200db0 6. 7

48 Value of FINI_ARRAY means nothing relocation is the boss 6. 8

49 2 IDA Pro only uses value on FINI_ARRAY! 6. 9

50 IDA Pro (!) 6. 10

51 But

52 IDA Pro 7.0 LOAD 6. 12

53 We have arbitrary function call 6. 13

54 Where to put malicious code? 6. 14

55 (?) section code.eh_frame Error Handling Who care error handling 0x100 byte #func Nice to hide code 6. 15

56 Normal.eh_frame looks like 6. 16

57 2 1..eh_frame 2. relocation table FINI_ARRAY 3. main 6. 17

58 HITCON CTF Quals 2017 void 6. 18

59 The Linux 0-day bug 7. 1

60 PT_LOAD 7. 2

61 PT_LOAD ELF memory PT_LOAD entry 7. 3

62 PT_LOAD 7. 4

63 Memory mapping 0x0 ELF file ELF header In memory 0x program header many tables.. executable code executable 0xe08.rodata.eh_frame.init_array/.fini_array.dynamic.data/.bss... 0x400e08 0x x600e08 data 7. 5

64 execve 7. 6

65 linux/fs/binfmt_elf.c#load_elf_binary 7. 7

66 #load_elf_binary Read and check ELF header Parse program header PT_INTERP PT_LOAD PT_GNU_STACK Setup AUXV 7. 8

67 AUXV AUXiliary Vector interpreter(ld.so) AT_PHDR AT_ENTRY AT_UID

68 Flow of execve execve("a.out",...) load_elf_binary kernel space mmap(pt_loads) load_elf_interp (ld.so) create_elf_tables (AUXV) ld.so#dl_main *phdr, phnum, *entry, *auxv load_libraries elf_dynamic_do_rela (relocation) 7. 10

69 Bug Kernel AT_PHDR 7. 11

70 binfmt_elf.c#create_elf_tables 7. 12

71 Normally load_addr exec->e_phoff 0x x40 0x

72 load_addr is The rst LOADed address 7. 14

73 0x0 ELF file ELF header In memory 0x program header many tables.. executable code executable 0xe08.rodata.eh_frame.init_array/.fini_array.dynamic.data/.bss... 0x400e08 0x x600e08 data 7. 15

74 Nobody promises PHDR is located in the rst PT_LOAD 7. 16

75 Put PHDR in the second PT_LOAD 7. 17

76 0x0 ELF file In memory 0x ELF header many tables.. load_addr executable code.eh_frame 0x4000.init_array/.fini_array fake program header... 0x e_phoff.data fake prog. hdr 0x program header.data program header 0x

77 Effect Kernel loads binary correctly While kernel cheats ld.so address of PHDR 7. 19

78 ld.so 7. 20

79 ld.so? Load shared libraries Process dynamic relocation 7. 21

80 Dynamic 7. 22

81 Forge relocation on INIT_ARRAY/FINI_ARRAY

82 7. 24

83 Relocation library printf/scanf 7. 25

84 relocation table scanf 7. 26

85 lea mov call lea lea rdi,[rip+0xba] eax,0x0 5f0 rdx,[rbp 0xe0] rax,[rbp 0x70] int ret = scanf(args); if(trigger(args)) backdoor(); return ret; 7. 27

86 Demo 7. 28

87 Let's play ld.so 8. 1

88 PT_PHDR in PHDR 8. 2

89 PT_PHDR points to itself ELF file ELF header program header PT_PHDR PT_LOAD PT_LOAD

90 glibc/elf/rtld.c#1147 for (ph = phdr; ph < &phdr[phnum]; ++ph) switch (ph->p_type) { case PT_PHDR: /* Find out the load address. */ main_map->l_addr = phdr - ph->p_vaddr; break; case PT_DYNAMIC: /* This tells us where to find the dynamic section, which tells us everything we need to do. */ main_map->l_ld = main_map->l_addr + ph->p_vaddr; break; 8. 4

91 Forge PT_PHDR ld.so will completely misunderstand base of binary! 8. 5

92 Program header for kernel for ld.so 8. 6

93 ? ld.so binary 8. 7

94 program header PT_PHDR PT_LOAD PT_LOAD PT_DYNAMIC... main_map->l_addr = phdr - ph->p_vaddr main_map->l_ld = main_map->l_addr + ph->p_vaddr 8. 8

95 Use two PT_PHDR 8. 9

96 glibc/elf/rtld.c#1147 for (ph = phdr; ph < &phdr[phnum]; ++ph) switch (ph->p_type) { case PT_PHDR: /* Find out the load address. */ main_map->l_addr = phdr - ph->p_vaddr; break; case PT_DYNAMIC: /* This tells us where to find the dynamic section, which tells us everything we need to do. */ main_map->l_ld = main_map->l_addr + ph->p_vaddr; break; 8. 10

97 PT_PHDR PT_DYNAMIC PT_PHDR PT_LOAD PT_LOAD... main_map->l_addr = phdr - ph->p_vaddr main_map->l_ld = main_map->l_addr + ph->p_vaddr main_map->l_addr = phdr - ph->p_vaddr 8. 11

98 dynamic INIT_ARRAY/FINI_ARRAY/Relocation 8. 12

99 Conclusion 9. 1

100 1. IDA Pro trusts section header 2. Not using relocation for INIT/FINI_ARRAY 9. 2

101 Kernel calculates PHDR incorrectly ld.so get wrong address 9. 3

102 ld.so using PT_PHDR for calculating base address Nobody checks correctness of PT_PHDR 9. 4

103 9. 5

104 Demo Give me two ELFs Looks like A in IDA pro but actually B 9. 6

105