[Repost] Shellcode Tool Dump2Code

Article author: Newbug@chroot.org

For chr00t meeting.
2004/8/21
ELF
• What is ELF
1. Executable and Linkable Format
2. Main types of object files:
relocatable file
executable file
shared object file
ELF
• File Format
Linking View                Execution View
------------------------    ------------------------
ELF Header                  ELF Header
------------------------    ------------------------
Program Header Table        Program Header Table
(optional)
------------------------    ------------------------
Section 1                   Segment 1
------------------------    ------------------------
...                         Segment 2
------------------------    ------------------------
Section n                   ...
------------------------    ------------------------
...
------------------------    ------------------------
Section Header Table        Section Header Table
                            (optional)
------------------------    ------------------------
Dump shellcode
• How to dump shellcode (original method)
1. Write an assembly program, compile it and run it.
2. Dump the code with gdb/objdump. This is tedious and easy to mistype: gdb prints 32-bit little-endian words, so 0x31e58955 has to be reversed by hand into the bytes 55 89 e5 31, word after word.
Ex:
newbug@bugjun:/tmp$ gcc -o chr00t chr00t.c
chr00t.c: In function `main':
chr00t.c:4: warning: return type of `main' is not `int'
newbug@bugjun:/tmp$ gdb -q ./chr00t
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) x/30x main
0x80483c4 <main>: 0x31e58955 0x31db31c0 0xb0d231c9 0x6801b304
0x80483d4 <main+16>: 0x0a0d7430 0x72686368 0xb2e18930 0xb080cd08
0x80483e4 <main+32>: 0xcddb3101 0x90c3c980 0x90909090 0x57e58955
Dump2Code
• What is dump2code
ELF Code Reader: dump2code is an ELF section reader. It dumps any section
(.interp, .dtors, .text, etc.) or any symbol (main, etc.) from a binary
as a hex-escaped C string, so no manual byte reversal is needed.
Dump2Code
• Features
1. Select any executable section (default .text) or any symbol.
2. Select an offset and length within the section/symbol.
3. Integrates libdisasm to annotate each instruction.
Dump2Code
• How to dump shellcode (with dump2code)
1. Write an assembly program, compile it and run it.
2. Dump the shellcode with dump2code.
Ex:
/* without libdisasm */
newbug@bugjun:/tmp$ ./dump2code -f ./chr00t -S main -O code.c
[newbug@localhost dump2code]$ more code.c
char code[] =
"\x55\x89\xe5\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3"
"\x01\x68\x30\x74\x0d\x0a\x68\x63\x68\x72\x30\x89\xe1\xb2"
"\x08\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xc9\xc3"
;
Dump2Code
newbug@bugjun:/tmp$ ./dump2code -f ./chr00t -S main -d -O code.c
[newbug@localhost dump2code]$ more code.c
/* AT&T SYNTAX (source, destination) */
char code[] =
"\x55" /* push %ebp */
"\x89\xe5" /* mov %esp,%ebp */
"\x31\xc0" /* xor %eax,%eax */
"\x31\xdb" /* xor %ebx,%ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xb0\x04" /* mov $0x4,%al ; eax = SYS_write */
"\xb3\x01" /* mov $0x1,%bl ; ebx = fd 1 (stdout) */
"\x68\x30\x74\x0d\x0a" /* push $0x0a0d7430 ; "0t\r\n" */
"\x68\x63\x68\x72\x30" /* push $0x30726863 ; "chr0" */
"\x89\xe1" /* mov %esp,%ecx ; ecx = "chr00t\r\n" */
"\xb2\x08" /* mov $0x8,%dl ; edx = 8 bytes */
"\xcd\x80" /* int $0x80 ; write(1, "chr00t\r\n", 8) */
"\xb0\x01" /* mov $0x1,%al ; eax = SYS_exit */
"\x31\xdb" /* xor %ebx,%ebx ; status 0 */
"\xcd\x80" /* int $0x80 ; exit(0) */
"\xc9" /* leave */
"\xc3" /* ret */
;
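As an added example (not the dump2code source and not code from the original slides), the Python below does end to end what the slides describe: it reverses the gdb word dump from the "original method" back into bytes, walks the section header table from the ELF File Format slide to find a section by name or a symbol through .symtab/.strtab, and emits the same char code[] layout as code.c. The ELF32 image it parses is constructed in memory from the bytes the page's gdb dump shows (main, five nops, then the next function's prologue); the function names, the assumed section layout and the 14-bytes-per-line formatting are my choices, not anything dump2code exposes.

```python
"""dump2code-style extraction of a section or symbol from an ELF32 image.
Added example, not the dump2code source: a little-endian ELF32 is constructed in
memory around the page's `main` bytes, then dumped by section or symbol name."""
import struct

EHDR = "<16sHHIIIIIHHHHHH"  # Elf32_Ehdr (52 bytes)
SHDR = "<10I"               # Elf32_Shdr (40 bytes)
SYM = "<IIIBBH"             # Elf32_Sym (16 bytes)
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_NOBITS = 1, 2, 3, 8

# chr00t's main exactly as the page prints it: write(1, "chr00t\r\n", 8); exit(0)
MAIN_BYTES = bytes.fromhex("5589e531c031db31c931d2b004b3" "016830740d0a686368723089e1b2"
                           "08cd80b00131dbcd80c9c3")
# x/30x output from the page: gdb prints little-endian 32-bit words, so 0x31e58955
# is the byte sequence 55 89 e5 31 (the hand-reversal step the original method needs).
GDB_DUMP = """\
0x80483c4 <main>: 0x31e58955 0x31db31c0 0xb0d231c9 0x6801b304
0x80483d4 <main+16>: 0x0a0d7430 0x72686368 0xb2e18930 0xb080cd08
0x80483e4 <main+32>: 0xcddb3101 0x90c3c980 0x90909090 0x57e58955"""

def gdb_words_to_bytes(dump):
    """Undo gdb's word grouping by packing each word little-endian."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.partition(":")[2].split():
            out += struct.pack("<I", int(word, 16))
    return bytes(out)

def build_elf32(text, symbols, text_addr=0x80483C4):
    """Constructed input (assumed layout): ehdr | .text | .symtab | .strtab | .shstrtab | shdrs.
    symbols maps name -> (offset within .text, size)."""
    shstrtab = b"\0.text\0.symtab\0.strtab\0.shstrtab\0"
    strtab, symtab = bytearray(b"\0"), bytearray(16)  # index 0 of each is the null entry
    for name, (off, size) in symbols.items():
        # st_info 0x12 = STB_GLOBAL | STT_FUNC; st_shndx 1 = .text
        symtab += struct.pack(SYM, len(strtab), text_addr + off, size, 0x12, 0, 1)
        strtab += name.encode() + b"\0"
    text_off = struct.calcsize(EHDR)
    symtab_off, strtab_off = text_off + len(text), text_off + len(text) + len(symtab)
    shstr_off = strtab_off + len(strtab)
    shoff = shstr_off + len(shstrtab)
    sname = lambda s: shstrtab.index(s + b"\0")
    shdrs = [(0,) * 10,  # SHN_UNDEF
             (sname(b".text"), SHT_PROGBITS, 0x6, text_addr, text_off, len(text), 0, 0, 16, 0),
             (sname(b".symtab"), SHT_SYMTAB, 0, 0, symtab_off, len(symtab), 3, 1, 4, 16),
             (sname(b".strtab"), SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0),
             (sname(b".shstrtab"), SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)]
    ehdr = struct.pack(EHDR, b"\x7fELF\x01\x01\x01" + b"\0" * 9, 2, 3, 1, text_addr, 0, shoff,
                       0, text_off, 0, 0, struct.calcsize(SHDR), len(shdrs), 4)
    return (ehdr + bytes(text) + bytes(symtab) + bytes(strtab) + shstrtab
            + b"".join(struct.pack(SHDR, *s) for s in shdrs))

def cstr(buf, pos):
    """NUL-terminated string at buf[pos] (string table lookup)."""
    return buf[pos:buf.index(b"\0", pos)].decode()

def read_elf32(elf):
    """Section headers (list indexed by shndx) and a name -> header map."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("only little-endian ELF32 is handled here")
    hdr = struct.unpack_from(EHDR, elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    names_off = shdrs[shstrndx][4]  # sh_offset of .shstrtab
    return shdrs, {cstr(elf, names_off + s[0]): s for s in shdrs[1:]}

def section_bytes(elf, name, offset=0, length=None):
    """Bytes of one section (sh_offset .. sh_offset + sh_size), optionally narrowed."""
    s = read_elf32(elf)[1][name]
    if s[1] == SHT_NOBITS:
        raise ValueError(f"{name} occupies no file space (.bss-style section)")
    data = elf[s[4]:s[4] + s[5]]
    return data[offset:] if length is None else data[offset:offset + length]

def symbol_bytes(elf, symname, offset=0, length=None):
    """Bytes covered by a symbol: st_value mapped through its section's sh_addr -> sh_offset."""
    shdrs, by_name = read_elf32(elf)
    symtab = by_name[".symtab"]
    strtab_off = shdrs[symtab[6]][4]  # sh_link points at the symbol string table
    for pos in range(symtab[4], symtab[4] + symtab[5], symtab[9]):
        st_name, st_value, st_size, _, _, shndx = struct.unpack_from(SYM, elf, pos)
        if 0 < shndx < len(shdrs) and cstr(elf, strtab_off + st_name) == symname:
            sec = shdrs[shndx]
            start = sec[4] + (st_value - sec[3])
            data = elf[start:start + st_size]
            return data[offset:] if length is None else data[offset:offset + length]
    raise KeyError(symname)

def to_c_string(data, per_line=14):
    """Emit the code.c layout shown on the page."""
    rows = [data[i:i + per_line] for i in range(0, len(data), per_line)]
    body = "\n".join('"' + "".join(f"\\x{b:02x}" for b in row) + '"' for row in rows)
    return "char code[] =\n" + body + "\n;"

# .text is exactly what the page's gdb dump shows: main, 5 nops, the next function's prologue.
TEXT = gdb_words_to_bytes(GDB_DUMP)
ELF = build_elf32(TEXT, {"main": (0, len(MAIN_BYTES))})
print(to_c_string(symbol_bytes(ELF, "main")))
```

Dumping by symbol stops at st_size, so the nop padding and the next function's prologue that x/30x prints are never copied; dumping .text returns them, which is what the offset and length options are for. For a real binary, replace the constructed image with `open(path, "rb").read()`; a 64-bit ELF would need the Elf64 struct layouts, and a stripped binary has no .symtab, so only section dumps work there.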
Dump2Code
• Current Status
• Download
http://packetstormsecurity.org/shellcode/dump2code.0.30.tgz
TODO
• Auto search a specific symbol
• Auto patch a specific symbol
• Interactive shellcode editor
• More friendly UI
• A complete document
Reference
• ELF TIS reference
http://x86.ddj.com/ftp/manuals/tools/elf.pdf