Devilzc0de Forum

(Basic Knowledge for Infecting Linux ELF Binaries)

07-19-2010, 03:04 PM
Post: #1
mywisdom (Administrator; Posts: 923; Joined: Dec 2009; Reputation: 51)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>(Basic Knowledge for Infecting ELF)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Principle: don't just memorize, understand the logic.

----------UNDERSTANDING ELF------------------

ELF (Executable and Linking Format) is the common file format on Linux. There are 4 kinds of ELF on Linux
(this tutorial is done on a 32-bit system with a 2.6.x kernel):
sh-3.2# file /bin/bash
/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
sh-3.2#


----------LSB relocatable-------------

The first one to cover is LSB relocatable. OK, let's look for some on our system, e.g. on my machine:
Code:
sh-3.2# locate *.o
/home/mysql/.../setreuid.o
/home/mysql/.../gdb-7.1/gdb/charset.o
/home/mysql/.../gdb-7.1/gdb/regset.o
/usr/local/src/httpd-2.2.6/server/util_charset.o
/usr/local/src/httpd-2.2.6/server/.libs/util_charset.o
/usr/local/src/httpd-2.2.6/srclib/apr/misc/unix/charset.o
/usr/local/src/httpd-2.2.6/srclib/apr/misc/unix/.libs/charset.o
/usr/local/src/mysql-5.0.45/libmysql/charset.o
/usr/local/src/mysql-5.0.45/libmysql/.libs/charset.o
/usr/local/src/mysql-5.0.45/mysys/charset.o
sh-3.2#

These files are the output of the assembler that has not yet been linked. To make it clearer, write asm code for setreuid like this:

sh-3.2# cat /usr/include/unistd.h | grep reuid
extern int setreuid (__uid_t __ruid, __uid_t __euid) __THROW;


Code:
sh-3.2# cat setreuid.asm
global _start  ; _start is recognised by most linkers such as ld as the entry point
_start:
xor eax,eax ;reset register eax
mov al,0x46 ;syscall no 70, sys_setreuid16
xor ebx,ebx ;reset register ebx to zero -> for uid 0
xor ecx,ecx ;reset register ecx to zero -> uid 0
int 0x80    ;interrupt 0x80 to execute the syscall
sh-3.2#

Assemble it to LSB relocatable format:
Code:
sh-3.2# nasm -f elf setreuid.asm

To see the parts of the file, use readelf:

Code:
sh-3.2# readelf -a setreuid.o
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          64 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           0 (bytes)
  Number of program headers:         0
  Size of section headers:           40 (bytes)
  Number of section headers:         5
  Section header string table index: 2

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        00000000 000110 00000a 00  AX  0   0 16
  [ 2] .shstrtab         STRTAB          00000000 000120 000021 00      0   0  1
  [ 3] .symtab           SYMTAB          00000000 000150 000040 10      4   3  4
  [ 4] .strtab           STRTAB          00000000 000190 000015 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

There are no program headers in this file.

There are no relocations in this file.

There are no unwind sections in this file.

Symbol table '.symtab' contains 4 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FILE    LOCAL  DEFAULT  ABS setreuid.asm
     2: 00000000     0 SECTION LOCAL  DEFAULT    1
     3: 00000000     0 NOTYPE  GLOBAL DEFAULT    1 _start

No version information found in this file.
sh-3.2#

ELF header:
.symtab -> symbol table -> physical memory address: 00000000 -> does not refer to any memory address
.shstrtab -> section names -> physical memory address: 00000000 -> does not refer to any memory address
.strtab -> may hold strings associated with the symbol table -> physical memory address: 00000000 -> does not refer to any memory address
.text -> the .text section may hold the program instructions -> physical memory address: 00000000 -> does not refer to any memory address



---------------LSB executable-----------------

An LSB executable is an ELF binary that can be executed; it is the result of linking an LSB relocatable. Let's test linking setreuid.o with ld into an
executable binary:
Code:
sh-3.2# ld -o setreuid setreuid.o
sh-3.2# file setreuid
setreuid: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
sh-3.2#
Notes:
32-bit ELF for an Intel 80386 machine

See? Hmmm, static; honestly dynamic is nicer :-?

Next:
To disassemble an ELF binary you can use objdump or readelf:

Code:
sh-3.2# objdump -d setreuid

setreuid:     file format elf32-i386

Disassembly of section .text:

08048060 <_start>:
8048060:       31 c0                   xor    %eax,%eax
8048062:       b0 46                   mov    $0x46,%al
8048064:       31 db                   xor    %ebx,%ebx
8048066:       31 c9                   xor    %ecx,%ecx
8048068:       cd 80                   int    $0x80

sh-3.2#

physical memory address (program not yet loaded into the VMA) | shellcode | AT&T asm instruction |
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax -> reset eax first
8048062: b0 46 mov $0x46,%al -> al = 0x46 -> sys_setreuid16
8048064: 31 db xor %ebx,%ebx -> ebx=0
8048066: 31 c9 xor %ecx,%ecx -> ecx=0
8048068: cd 80 int $0x80 -> interrupt 0x80

--------------------LSB shared object----------------------
Its extension is *.so

Code:
sh-3.2# locate *.so | less
/home/mysql/.../enlightenment/exp_cheddarbay.so
/home/mysql/.../enlightenment/exp_ingom0wnar.so
/home/mysql/.../enlightenment/exp_moosecox.so
/home/mysql/.../enlightenment/exp_paokara.so
/home/mysql/.../enlightenment/exp_powerglove.so
/home/mysql/.../enlightenment/exp_sieve.so
/home/mysql/.../enlightenment/exp_therebel.so
/home/mysql/.../enlightenment/exp_vmware.so
/home/mysql/.../enlightenment/exp_wunderbar.so

These are shared objects that are used when another ELF binary executes.

To understand it better, I'll try an exploit that uses shared object files, e.g. enlightenment:
Code:
sh-3.2# ./run_null_exploits.sh
Compiling exp_cheddarbay.c...OK.
Compiling exp_ingom0wnar.c...OK.
Compiling exp_moosecox.c...OK.
Compiling exp_paokara.c...OK.
Compiling exp_powerglove.c...OK.
Compiling exp_sieve.c...OK.
Compiling exp_therebel.c...OK.
Compiling exp_vmware.c...OK.
Compiling exp_wunderbar.c...OK.
[+] MAPPED ZERO PAGE!
Choose your exploit:
[0] Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root
[1] MooseCox: Linux <= 2.6.31.5 pipe local root
[2] Paokara: Linux 2.6.19->2.6.31.1 eCryptfs local root
[3] Powerglove: Linux 2.6.31 perf_counter local root
[4] The Rebel: Linux < 2.6.19 udp_sendmsg() local root
[5] CVE-2009-2267: VMWare vm86 guest local root
[6] Wunderbar Emporium: Linux 2.X sendpage() local root
[7] Exit
>

Let's look in proc:
Code:
sh-3.2# ps aux | grep exploit
root     13055  0.0  0.0   4480  1088 pts/2    S+   02:13   0:00 /bin/sh ./run_null_exploits.sh
root     13143  0.0  0.0   3200   708 pts/2    S+   02:13   0:00 ./exploit
root     13188  0.0  0.0   3908   664 pts/1    R+   02:15   0:00 grep exploit
sh-3.2#

exploit pid: 13143

To see which shared objects are loaded into virtual memory we can look at /proc/13143/maps

Code:
sh-3.2# cat /proc/13143/maps | grep .so
00110000-00111000 r-xp 00000000 fd:00 25133177   /home/mysql/.../enlightenment/exp_ingom0wnar.so
00111000-00112000 rwxp 00000000 fd:00 25133177   /home/mysql/.../enlightenment/exp_ingom0wnar.so
00112000-00113000 r-xp 00000000 fd:00 25133181   /home/mysql/.../enlightenment/exp_paokara.so
00113000-00114000 rwxp 00000000 fd:00 25133181   /home/mysql/.../enlightenment/exp_paokara.so
00114000-00115000 r-xp 00000000 fd:00 25133162   /home/mysql/.../enlightenment/exp_powerglove.so
00115000-00116000 rwxp 00000000 fd:00 25133162   /home/mysql/.../enlightenment/exp_powerglove.so
00116000-00117000 r-xp 00000000 fd:00 25133175   /home/mysql/.../enlightenment/exp_vmware.so
00117000-00118000 rwxp 00000000 fd:00 25133175   /home/mysql/.../enlightenment/exp_vmware.so
00118000-00119000 r-xp 00000000 fd:00 25133176   /home/mysql/.../enlightenment/exp_wunderbar.so
00119000-0011a000 rwxp 00000000 fd:00 25133176   /home/mysql/.../enlightenment/exp_wunderbar.so
00156000-00157000 r-xp 00000000 fd:00 25133174   /home/mysql/.../enlightenment/exp_therebel.so
00157000-00158000 rwxp 00000000 fd:00 25133174   /home/mysql/.../enlightenment/exp_therebel.so
001bb000-001bd000 r-xp 00000000 fd:00 25133173   /home/mysql/.../enlightenment/exp_sieve.so
001bd000-001be000 rwxp 00001000 fd:00 25133173   /home/mysql/.../enlightenment/exp_sieve.so
004cf000-004e9000 r-xp 00000000 fd:00 1409063    /lib/ld-2.5.so
004e9000-004ea000 r-xp 00019000 fd:00 1409063    /lib/ld-2.5.so
004ea000-004eb000 rwxp 0001a000 fd:00 1409063    /lib/ld-2.5.so
004ed000-0062a000 r-xp 00000000 fd:00 1410427    /lib/libc-2.5.so
0062a000-0062c000 r-xp 0013d000 fd:00 1410427    /lib/libc-2.5.so
0062c000-0062d000 rwxp 0013f000 fd:00 1410427    /lib/libc-2.5.so
00632000-00634000 r-xp 00000000 fd:00 1410433    /lib/libdl-2.5.so
00634000-00635000 r-xp 00001000 fd:00 1410433    /lib/libdl-2.5.so
00635000-00636000 rwxp 00002000 fd:00 1410433    /lib/libdl-2.5.so
0067a000-006b5000 r-xp 00000000 fd:00 1410449    /lib/libsepol.so.1
006b5000-006b6000 rwxp 0003a000 fd:00 1410449    /lib/libsepol.so.1
006c2000-006d8000 r-xp 00000000 fd:00 1410469    /lib/libselinux.so.1
006d8000-006da000 rwxp 00015000 fd:00 1410469    /lib/libselinux.so.1
00717000-00718000 r-xp 00000000 fd:00 25133161   /home/mysql/.../enlightenment/exp_cheddarbay.so
00718000-00719000 rwxp 00000000 fd:00 25133161   /home/mysql/.../enlightenment/exp_cheddarbay.so
007c4000-007c6000 r-xp 00000000 fd:00 25133180   /home/mysql/.../enlightenment/exp_moosecox.so
007c6000-007c7000 rwxp 00001000 fd:00 25133180   /home/mysql/.../enlightenment/exp_moosecox.so
00ba6000-00ba7000 r-xp 00ba6000 00:00 0          [vdso]
sh-3.2#

Notes:
from virtual memory address 00110000-00111000 with access mode r-xp, /home/mysql/.../enlightenment/exp_ingom0wnar.so is mapped

from virtual memory address 00111000-00112000 with access mode rwxp, /home/mysql/.../enlightenment/exp_ingom0wnar.so is mapped

/lib/ld-2.5.so is one of the shared objects of the ld linker we used above.

OK, now pay attention to line 2 here:

Code:
sh-3.2# cat /proc/13143/maps | grep .so
00110000-00111000 r-xp 00000000 fd:00 25133177   /home/mysql/.../enlightenment/exp_ingom0wnar.so
00111000-00112000 rwxp 00000000 fd:00 25133177   /home/mysql/.../enlightenment/exp_ingom0wnar.so
00112000-00113000 r-xp 00000000 fd:00 25133181   /home/mysql/.../enlightenment/exp_paokara.so
00113000-00114000 rwxp 00000000 fd:00 25133181   /home/mysql/.../enlightenment/exp_paokara.so
00114000-00115000 r-xp 00000000 fd:00 25133162   /home/mysql/.../enlightenment/exp_powerglove.so
00115000-00116000 rwxp 00000000 fd:00 25133162   /home/mysql/.../enlightenment/exp_powerglove.so
00116000-00117000 r-xp 00000000 fd:00 25133175   /home/mysql/.../enlightenment/exp_vmware.so
00117000-00118000 rwxp 00000000 fd:00 25133175   /home/mysql/.../enlightenment/exp_vmware.so
00118000-00119000 r-xp 00000000 fd:00 25133176   /home/mysql/.../enlightenment/exp_wunderbar.so
00119000-0011a000 rwxp 00000000 fd:00 25133176   /home/mysql/.../enlightenment/exp_wunderbar.so
00156000-00157000 r-xp 00000000 fd:00 25133174   /home/mysql/.../enlightenment/exp_therebel.so
00157000-00158000 rwxp 00000000 fd:00 25133174   /home/mysql/.../enlightenment/exp_therebel.so
001bb000-001bd000 r-xp 00000000 fd:00 25133173   /home/mysql/.../enlightenment/exp_sieve.so
001bd000-001be000 rwxp 00001000 fd:00 25133173   /home/mysql/.../enlightenment/exp_sieve.so


00000000 -> file offset zero page mapped!!! It means game over, the exploit is ready to be triggered.

------core dump----------

This is the last ELF type we'll cover. It is created when, e.g., a segmentation fault happens because our program tried to access protected memory; usually a core dump is produced -> error signal
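The four ELF kinds the post walks through (relocatable, executable, shared object, core dump) are told apart by the e_type field of the 52-byte ELF32 header that readelf printed above. The following is an added example, not code from the post or from mywisdom: it parses that header by hand from a byte buffer and classifies the file the way readelf's "Type:" line does, and it also checks that the section header table the header advertises actually lies inside the file, something readelf trusts and a hand-crafted or infected header can lie about. The sample bytes are constructed from the readelf values above; the names elf_info, elf32_parse, elf32_shdrs_in_bounds and elf_type_name are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELF32_EHDR_SIZE 52   /* "Size of this header: 52 (bytes)" in readelf */

/* The header fields that classify an ELF file and locate its tables. */
struct elf_info {
    int      is_32bit;     /* e_ident[EI_CLASS] == ELFCLASS32 */
    int      is_lsb;       /* e_ident[EI_DATA]  == ELFDATA2LSB */
    uint16_t e_type;       /* 1 REL, 2 EXEC, 3 DYN, 4 CORE */
    uint16_t e_machine;    /* 3 == EM_386 */
    uint32_t e_entry, e_phoff, e_shoff;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};

static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The four object kinds readelf reports; NULL for an unknown e_type. */
const char *elf_type_name(uint16_t e_type) {
    switch (e_type) {
    case 1:  return "REL (Relocatable file)";
    case 2:  return "EXEC (Executable file)";
    case 3:  return "DYN (Shared object file)";
    case 4:  return "CORE (Core file)";
    default: return NULL;
    }
}

/* Parse a 32-bit little-endian ELF header out of buf. Returns 0 on success,
 * -1 if the buffer is too short, lacks the 7f 45 4c 46 magic, is not
 * ELFCLASS32 or is not little-endian ("LSB" in the file(1) output). */
int elf32_parse(const unsigned char *buf, size_t len, struct elf_info *h) {
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    if (buf == NULL || h == NULL || len < ELF32_EHDR_SIZE) return -1;
    if (memcmp(buf, magic, sizeof magic) != 0) return -1;
    memset(h, 0, sizeof *h);
    h->is_32bit = (buf[4] == 1);   /* EI_CLASS */
    h->is_lsb   = (buf[5] == 1);   /* EI_DATA  */
    if (!h->is_32bit || !h->is_lsb) return -1;
    h->e_type      = rd16(buf + 16);
    h->e_machine   = rd16(buf + 18);
    h->e_entry     = rd32(buf + 24);
    h->e_phoff     = rd32(buf + 28);
    h->e_shoff     = rd32(buf + 32);
    h->e_ehsize    = rd16(buf + 40);
    h->e_phentsize = rd16(buf + 42);
    h->e_phnum     = rd16(buf + 44);
    h->e_shentsize = rd16(buf + 46);
    h->e_shnum     = rd16(buf + 48);
    h->e_shstrndx  = rd16(buf + 50);
    return 0;
}

/* Does the section header table the header advertises fit inside a file of
 * file_len bytes? A crafted header can point e_shoff past the end of the
 * file, and a tool that trusts it reads garbage or crashes. */
int elf32_shdrs_in_bounds(const struct elf_info *h, size_t file_len) {
    uint64_t end = (uint64_t)h->e_shoff + (uint64_t)h->e_shentsize * h->e_shnum;
    if (h->e_shnum == 0) return 1;
    return h->e_shentsize >= 40 && end <= file_len;
}

/* Constructed sample: the 52 header bytes of setreuid.o, rebuilt from the
 * values readelf printed above (REL, Intel 80386, e_shoff 64, 5 sections of
 * 40 bytes, .shstrtab at index 2). */
const unsigned char sample_rel_hdr[ELF32_EHDR_SIZE] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* e_ident */
    0x01, 0x00,             /* e_type      = REL */
    0x03, 0x00,             /* e_machine   = EM_386 */
    0x01, 0x00, 0x00, 0x00, /* e_version   = 1 */
    0x00, 0x00, 0x00, 0x00, /* e_entry     = 0 */
    0x00, 0x00, 0x00, 0x00, /* e_phoff     = 0 (no program headers) */
    0x40, 0x00, 0x00, 0x00, /* e_shoff     = 64 */
    0x00, 0x00, 0x00, 0x00, /* e_flags     = 0 */
    0x34, 0x00,             /* e_ehsize    = 52 */
    0x00, 0x00,             /* e_phentsize = 0 */
    0x00, 0x00,             /* e_phnum     = 0 */
    0x28, 0x00,             /* e_shentsize = 40 */
    0x05, 0x00,             /* e_shnum     = 5 */
    0x02, 0x00              /* e_shstrndx  = 2 */
};

int main(void) {
    struct elf_info h;
    if (elf32_parse(sample_rel_hdr, sizeof sample_rel_hdr, &h) != 0) {
        puts("not a 32-bit LSB ELF");
        return 1;
    }
    printf("Type: %s\nMachine: %u\nEntry: 0x%x\n",
           elf_type_name(h.e_type), (unsigned)h.e_machine, (unsigned)h.e_entry);
    printf("Section headers: %u x %u bytes at offset %u (shstrtab index %u)\n",
           (unsigned)h.e_shnum, (unsigned)h.e_shentsize,
           (unsigned)h.e_shoff, (unsigned)h.e_shstrndx);
    printf("Section table inside the 52 header bytes alone? %s\n",
           elf32_shdrs_in_bounds(&h, sizeof sample_rel_hdr) ? "yes" : "no");
    return 0;
}
```

Run it against a real file by reading the first 52 bytes of any 32-bit ELF into a buffer and passing the file size to elf32_shdrs_in_bounds; a 64-bit (ELFCLASS64) file is rejected by design, since its header is 64 bytes with different field offsets.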
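The /proc/<pid>/maps listing above is how a practitioner sees which shared objects a running ELF has loaded and with what permissions. As an added example that is not part of the original post, the following C parses maps lines, lists the distinct file-backed objects, and counts mappings that are writable and executable at the same time (the rwxp data segments visible above), a property worth flagging because code in such a range can be patched in place. The sample lines are copied from the output above plus one constructed [stack] line; the "..." in the paths is the elision from the post, kept as-is. The names map_entry, maps_parse_line, maps_is_wx, maps_is_file_backed and maps_scan are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAPS_PATH_MAX 256

/* One line of /proc/<pid>/maps: start-end perms offset dev inode [path] */
struct map_entry {
    unsigned long start, end, offset, inode;
    char perms[5];              /* e.g. "r-xp" */
    char dev[8];                /* e.g. "fd:00" */
    char path[MAPS_PATH_MAX];   /* empty for anonymous mappings */
};

/* Parse one maps line. Returns 0 on success, -1 on a malformed line. */
int maps_parse_line(const char *line, struct map_entry *e) {
    int n;
    memset(e, 0, sizeof *e);
    n = sscanf(line, "%lx-%lx %4s %lx %7s %lu %255s",
               &e->start, &e->end, e->perms, &e->offset, e->dev, &e->inode, e->path);
    if (n < 6) return -1;                                   /* path is optional */
    if (e->end <= e->start || strlen(e->perms) != 4) return -1;
    return 0;
}

/* Writable and executable at once: the W^X violation that lets code in
 * that range be overwritten and then run. */
int maps_is_wx(const struct map_entry *e) {
    return e->perms[1] == 'w' && e->perms[2] == 'x';
}

/* Backed by a file on disk (an ELF executable or shared object), as
 * opposed to [vdso], [stack], [heap] or anonymous memory. */
int maps_is_file_backed(const struct map_entry *e) {
    return e->inode != 0 && e->path[0] == '/';
}

/* Walk a whole maps text. Returns the number of distinct file-backed paths
 * (copied into seen[], at most max_seen of them) and stores the number of
 * writable+executable mappings in *wx_count. */
int maps_scan(const char *text, int *wx_count, char seen[][MAPS_PATH_MAX], int max_seen) {
    int n_seen = 0;
    const char *p = text;
    *wx_count = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        struct map_entry e;
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate oversized lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (maps_parse_line(line, &e) == 0) {
            if (maps_is_wx(&e)) (*wx_count)++;
            if (maps_is_file_backed(&e)) {
                int i, dup = 0;
                for (i = 0; i < n_seen; i++)
                    if (strcmp(seen[i], e.path) == 0) dup = 1;
                if (!dup && n_seen < max_seen)
                    strcpy(seen[n_seen++], e.path);
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n_seen;
}

/* Constructed sample: lines copied from the /proc/13143/maps output above,
 * plus a [stack] line added for contrast. */
const char *sample_maps =
    "00110000-00111000 r-xp 00000000 fd:00 25133177   /home/mysql/.../enlightenment/exp_ingom0wnar.so\n"
    "00111000-00112000 rwxp 00000000 fd:00 25133177   /home/mysql/.../enlightenment/exp_ingom0wnar.so\n"
    "004cf000-004e9000 r-xp 00000000 fd:00 1409063    /lib/ld-2.5.so\n"
    "004e9000-004ea000 r-xp 00019000 fd:00 1409063    /lib/ld-2.5.so\n"
    "004ea000-004eb000 rwxp 0001a000 fd:00 1409063    /lib/ld-2.5.so\n"
    "00ba6000-00ba7000 r-xp 00ba6000 00:00 0          [vdso]\n"
    "bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]\n";

int main(void) {
    char seen[32][MAPS_PATH_MAX];
    int wx = 0, i;
    int n = maps_scan(sample_maps, &wx, seen, 32);
    printf("%d distinct file-backed objects, %d writable+executable mappings\n", n, wx);
    for (i = 0; i < n; i++) printf("  %s\n", seen[i]);
    return 0;
}
```

On a live system, read /proc/<pid>/maps into a buffer and pass it to maps_scan; on a kernel with NX enforced, a shared object's data segment normally shows as rw-p, so any rwxp file-backed mapping is worth a closer look.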
07-19-2010, 03:59 PM
Post: #2
anbu (Naevy LunnyamouR; Global Moderators; Posts: 3,305; Joined: Feb 2010; Reputation: 52)
RE: (Basic Knowledge for Infecting Linux ELF Binaries)
Ugh, I'll have to study first, I can't keep up, om Dom's knowledge is too advanced.