Reverse Engineering for exploit

writers

Jonathan Brossard, iViZ Research Team

Clubhack 2008

Pune, India

Who Am I ?

(and why am I writing this ??)

We are recruting ! Send me your CVs at :

[email protected]

Roadmap

A (short) reminder of the ELF file format

Introducing the problem

How (not) to work with proprietary binaries anyway ?

What to rebuild ?

Refactoring the binary

Refactoring in practice

©iViZ Techno Solutions Pvt Ltd.

A (short) reminder of the ELF format

A (short) reminder of the ELF format

©iViZ Techno Solutions Pvt Ltd.

A(short)reminderofthe ELF format

The ELF header : (mandatory)

typedef struct {

 

 

 

unsigned char e_ident[EI_NIDENT];

 

Elf32_Half

e_type;

 

 

 

Elf32_Half

e_machine;

 

 

Elf32_Word

e_version;

 

 

Elf32_Addr

e_entry;

 

 

 

Elf32_Off

e_phoff;

// offset to Program

Header Table

Elf32_Off

e_shoff;

// offset to Section

Header Table

Elf32_Word

e_flags;

 

 

 

Elf32_Half

e_ehsize;

 

 

 

Elf32_Half

e_phentsize;

 

 

Elf32_Half

e_phnum;

 

 

Elf32_Half

e_shentsize;

// size of a section header

Elf32_Half

e_shnum;

// number of section headers

Elf32_Half

e_shtrndx;

// offset of associated string table

} Elf32_Ehdr;

©iViZ Techno Solutions Pvt Ltd.

A(short)reminderofthe ELF format

Program Headers : (mandatory, one per segment)

typedef struct {

 

Elf32_Word

p_type; // Segment type (Alocate ? Null ?

Dynamic ? …)

 

Elf32_Off

p_offset; // offset in file

Elf32_Addr p_vaddr;

Elf32_Addr p_paddr;

Elf32_Word

p_filesz; // length in file

Elf32_Word p_memsz;

Elf32_Word p_flags;

Elf32_Word

p_align;

} Elf32_Phdr;

 

©iViZ Techno Solutions Pvt Ltd.

A(short)reminderofthe ELF format

Section Headers : (optional, one per section)

typedef struct

 

{

 

Elf32_Word

sh_name;// index in string table

Elf32_Word

sh_type; // type of section

Elf32_Word

sh_flags;

Elf32_Addr sh_addr;

Elf32_Off sh_offset;

Elf32_Word

sh_size;

Elf32_Word

sh_link;

Elf32_Word

sh_info;

Elf32_Word

sh_addralign;

Elf32_Word

sh_entsize;

} Elf32_Shdr;

 

©iViZ Techno Solutions Pvt Ltd.

A(short)reminderofthe ELF format

Symbols : (the Symbol table is an array of Elf32_sym)

typedef struct

{

Elf32_Word st_name; Elf32_Addr st_value; Elf32_Word st_size; unsigned char st_info; unsigned char st_other; Elf32_Section st_shndx;

} Elf32_Sym;

//Symbol name (string tbl index)

//Symbol value

//Symbol size

//Symbol type and binding

//Symbol visibility

//Section index

©iViZ Techno Solutions Pvt Ltd.

Introducingtheproblem

Proprietary binaries are commonly modified to make the job of security analysts difficult:

-Sometimes packed (out of topic)

-Usually don’t have a symbol table (stripped)

-More and more have a missing/corrupted Section Header Table (sstripped, a la sstrip from elfkickers…) and/or zeroed Section Headers.

©iViZ Techno Solutions Pvt Ltd.

Introducingtheproblem

Before :

- We know where the Segments are

- We know where the Sections are located

- The application has a symbol table

©iViZ Techno Solutions Pvt Ltd.

Introducingtheproblem

After :

- We know where the Segments are : the loader/dynamic linker can still do their jobs

- We don’t know where the Sections start/end

- The application has no symbol table

©iViZ Techno Solutions Pvt Ltd.

Introducing the problem

Tools based on libbfd need to read the Section Headers to analyse it.

Therefore, the handy GNU binutils utilities won't manage to analyze the target (readelf, objdump, objcopy, nm...)

Debugging with gdb will be really uneasy :

-no symbols, so no breakpoints on symbol names. :(

-the application doesn't even have a “main”. How to get a prompt once the shared

libraries are loaded ?

©iViZ Techno Solutions Pvt Ltd.

Introducingtheproblem

DEMO

©iViZ Techno Solutions Pvt Ltd.

How(not)toworkwith proprietary binaries anyway ?

Use tools that aren't based on libbfd ?

-Fenris (M Zalewski) : rebuilds a symbol table for dynamically linked binaries (moderately interresting for us) http://lcamtuf.coredump.cx/fenris/

-Elfsh from the Eresi project (attempts to rebuild the missing ELF section header and a symbol table) plus its debugger, tracer… http://www.eresi-project.org/

©iViZ Techno Solutions Pvt Ltd.

How(not)toworkwith proprietary binaries anyway ?

The problem with existing tools...

DEMO

Hrm... so we will code our own ;)

©iViZ Techno Solutions Pvt Ltd.