9. Additional code segments


Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away.

 Antoine de Saint-Exupery

This is the platform dependent part of Additional code segments (i).

9.1. Scanning for NOTE

Using the scanner in Scanning for NOTE (i) we exercise a systematic search for targets. The scripts and intermediate steps are shown in Food for segment padding. Here come just the results:

Output: out/sparc-sunos5.9/scanner/additional_cs/find-ok
       4 out/sparc-sunos5.9/scanner/additional_cs/big.dynamic.ok
       0 out/sparc-sunos5.9/scanner/additional_cs/big.static.ok
       4 total

With 4 + 0 possible targets the NOTE segment is nothing more than a curiosity on Solaris.

Output: out/sparc-sunos5.9/scanner/additional_cs/infect.filetype
/usr/bin/crle:  ELF 32-bit MSB executable SPARC Version 1, dynamically
linked, stripped
/usr/bin/ldd:   ELF 32-bit MSB executable SPARC Version 1, dynamically
linked, stripped
/usr/bin/pvs:   ELF 32-bit MSB executable SPARC Version 1, dynamically
linked, stripped

And this should give you an idea of minimum and maximum size of found segments.

Output: out/sparc-sunos5.9/scanner/additional_cs/big.dynamic
CHECK: 0 != 0; 0 != 0
CHECK: /usr/lib/ssh/ssh-http-proxy-connect
CHECK: src/scanner/additional_cs/action.inc#9
CHECK: (phdr_note) != (0)
CHECK: 0 != 0; 0 != 0
CHECK: /usr/lib/ssh/ssh-socks5-proxy-connect
CHECK: src/scanner/additional_cs/action.inc#9
CHECK: (phdr_note) != (0)
CHECK: 0 != 0; 0 != 0
files=928; ok=4; detected=924; min=46; max=46

9.2. Give me NOTE

9.2.1. objdump

Before we overwrite the section we should take a close at what's in there. Both objdump and readelf can show the contents of sections, specified by name or index. There is no direct access according to section type. The name of the section differs between Linux and Solaris, however. Unfortunately the output of objdump -h does not include section types. As a work around we can search for a pattern matching both names. If more than one entry is found the first one will win.

objdump can disassemble sections specified by name. There is no similar support for segments. There is nothing like a plain old hexdump. And even the disassembly is refused if the executable has no symbol table. But don't let useless oddity stop our zeal.

9.2.3. Classic dump

Enough of that crap. To actually see the bytes of a segment we first have to retrieve the file offset. The following evil perl script could almost be implemented with even more evil sed. But I found no equally evil way to convert numbers from hexadecimal.

At this point the actual dump is just a variation on Strings and dumps. A classic byte-wise octal dump using only classic options of classic tools:

Command: pre/sparc-sunos5.9/additional_cs/note/od.sh
. out/sparc-sunos5.9/additional_cs/note/offset
/usr/bin/dd if=${shell} bs=1 skip=${off} count=${filesz} \
| /usr/xpg4/bin/od -c

Output: out/sparc-sunos5.9/additional_cs/note/od
0000000  \0  \0  \0   "  \0  \0  \0  \0  \0  \0  \0  \0  \t   S   o   l
0000020   a   r   i   s       L   i   n   k       E   d   i   t   o   r
0000040   s   :       5   .   9   -   1   .   2   7   6  \n  \0

9.3. To serve & detect

This method works, but is not safe to strip. Well, let's compare the infected target with the the original.

Output: out/sparc-sunos5.9/additional_cs/readelf
-rwxr-xr-x   1 alba     alba       37712 Feb 15  2003 crle_infected
-rwxr-xr-x   1 alba     alba       37712 Feb 15  2003 strip_crle_infected
-r-xr-xr-x   1 root     bin        37624 Sep  6 02:29 /usr/bin/crle

Elf file type is EXEC (Executable file)
Entry point 0xe300
There are 7 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00010034 0x00000000 0x000e0 0x000e0 R E 0
  INTERP         0x000114 0x00000000 0x00000000 0x00011 0x00000 R   0
      [Requesting program interpreter: /usr/lib/ld.so.1]
  LOAD           0x000000 0x00010000 0x00000000 0x0865d 0x0865d R E 0x10000
  LOAD           0x008660 0x00028660 0x00000000 0x00710 0x0106c RWE 0x10000
  DYNAMIC        0x008a1c 0x00028a1c 0x00000000 0x000e8 0x00000 RWE 0
  LOOS+ffffffb   0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0
  LOAD           0x009300 0x0000e300 0x0000e300 0x00050 0x00050 R E 0x10000

 Section to Segment mapping:
  Segment Sections...
   02     .interp .hash .dynsym .dynstr .SUNW_version .SUNW_version .SUNW_versym .rela.ex_shared .rela.cpp_finidata .rela.data .rela.bss .rela.plt .text .init .fini .exception_ranges .rodata 
   03     .got .plt .dynamic .ex_shared .cpp_finidata .data .bss 

File size grew 37712 - 37624 = 88 bytes. This number is meaningless if the original target was stripped. In that case the additional bytes of the symbol table far outweigh the infection. Anyway, even an unmodified entry point is pointless in this case. Anybody can notice LOAD instead of NOTE.

Command: pre/sparc-sunos5.9/additional_cs/scan_segment.sh
export TEVWH_TMP
shell=$( /usr/xpg4/bin/sed 1q \
	out/sparc-sunos5.9/scanner/segment_padding/infect )

/usr/bin/echo "${shell}
tmp/sparc-sunos5.9/additional_cs/e1i1/${shell##*/}_infected" \
| tmp/sparc-sunos5.9/scanner/segment_padding

Output: out/sparc-sunos5.9/additional_cs/scan
/usr/bin/csh ... delta=0x10b5c, Ok
(2) No such file or directory
CHECK: additional_cs/e1i1/csh_infected
CHECK: src/one_step_closer/open_src.inc#9
CHECK: (0) <= (t->fd_src = open(t->src_file, 0))
CHECK: 0 <= -1; 0 <= 0xffffffff
files=2; ok=1; det_page=1; det_align=0; min=0x10b5c; max=0x10b5c

Case closed. Guilty of failure.