Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
bx
committed
May 31, 2012
0 parents
commit ae93af8
Showing
30 changed files
with
2,059 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Copyright (c) <year> <copyright holders> | ||
| # | ||
| # Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: | ||
|
|
||
| # The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. | ||
|
|
||
| # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
|
|
||
| cmake_minimum_required(VERSION 2.6) | ||
| project(elf-bf-tools) | ||
|
|
||
| #set (elf-bf-tools_VERSION_MAJOR 1) | ||
| #set (elf-bf-tools_VERSION_MINOR 0) | ||
|
|
||
|
|
||
|
|
||
| set(CMAKE_C_FLAGS "-g -Wall -I /usr/local/libelfsh/include -DERESI64 -I /usr/local/libaspect/include -I /usr/local/libasm/include") | ||
|
|
||
| set(ELFBF_LIBS elf_bf elfsh64 aspect64 asm64) | ||
| add_subdirectory(libelf_bf) | ||
| add_subdirectory(elf_bf_compiler) | ||
| add_subdirectory(ping_backdoor) | ||
| add_subdirectory(demo) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| Copyright (c) 2012 Rebecca (bx) Shapiro | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| Copyright (c) 2012 Rebecca (bx) Shapiro | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
|
|
||
| OVERVIEW | ||
| This project contains tools that can be used to coarse the gcc's runtime loader | ||
| into performing interesing operations using only valid relocation entires and | ||
| symbols. | ||
|
|
||
| Slides from our BerlinSides0x3 talk can be found here: | ||
| http://www.cs.dartmouth.edu/~bx/elf-bf-tools/slides/ELF-berlinsides-0x3.pdf | ||
|
|
||
| directories: | ||
| libelf_bf/ contains files that make up the library | ||
| elf_bf_compiler/ implementation for Brainfuck to ELF compiler | ||
| elf_bf_debug/ contains useful scripts for debugging the rultime loading process | ||
| as it processes relocation entries | ||
| ping_backdoor/ contains code that uses relocation entries to build a backdoor | ||
| into ping | ||
| demo/ contains a simple c program to play with | ||
| eresi/ contains a patch for the eresi toolkit | ||
|
|
||
|
|
||
|
|
||
| BUILDING | ||
|
|
||
| At the moment these instructions are for amd64 machines running | ||
| Ubuntu 11.10. I reccomend using the same setup. If you are running ubuntu, but | ||
| not the correct version, you can setup a Ubuntu 11.10 schroot environment. | ||
|
|
||
| You will need to install eresi from source, which can be found at | ||
| http://www.eresi-project.org/ | ||
| Their code can be checked out using: | ||
| $> svn checkout http://svn.eresi-project.org/svn/trunk/ eresi | ||
|
|
||
| Next, apply the patch in eresi/eresi.patch. To do so, change into the eresi source directory and | ||
| patch -p0 -i <path to eresi/eresi.patch> | ||
|
|
||
| build eresi as follows; | ||
| ./configure --prefix /usr/local --enable-64 | ||
| make | ||
| sudo make install64 | ||
|
|
||
| To build elf-bf-tools, in the elf-bf-tools directory | ||
| > cmake . | ||
| > make | ||
|
|
||
| ..and that's it | ||
|
|
||
| Thank's for reading, be sure to visit the README files located in | ||
| elf_bf_compiler, elf_bf_debuf, and ping_backdoor if you endup working with the | ||
| code there. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
|
|
||
| # Copyright (c) 2012 Rebecca (bx) Shapiro | ||
|
|
||
| # Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| # of this software and associated documentation files (the "Software"), to deal | ||
| # in the Software without restriction, including without limitation the rights | ||
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| # copies of the Software, and to permit persons to whom the Software is | ||
| # furnished to do so, subject to the following conditions: | ||
|
|
||
| # The above copyright notice and this permission notice shall be included in all | ||
| # copies or substantial portions of the Software. | ||
|
|
||
| # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| # SOFTWARE. | ||
|
|
||
| set(GLIBC "${CMAKE_SOURCE_DIR}/elf_bf_debug/eglibc/root") | ||
|
|
||
| if (EXISTS "${GLIBC}/lib/ld-2.13.so") | ||
| set(CMAKE_C_FLAGS "-g -Wall -Wl,-dynamic-linker=${GLIBC}/lib/ld-2.13.so -Wl,-R${GLIBC}/lib/ -I${GLIBC}/include -L${GLIBC}/lib") | ||
| else(EXISTS "${GLIBC}/lib/ld-2.13.so") | ||
| set(CMAKE_C_FLAGS "-g -Wall") | ||
| endif(EXISTS "${GLIBC}/lib/ld-2.13.so") | ||
|
|
||
| add_executable(demo demo.c) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| /* Copyright (c) 2012 Rebecca (bx) Shapiro | ||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. | ||
| */ | ||
|
|
||
| #include <stdio.h> | ||
| #include <stdlib.h> | ||
|
|
||
| int main( int argc, char **argv ) { | ||
| printf("hello, world!\n"); | ||
| exit(0); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| # Copyright (c) 2012 Rebecca (bx) Shapiro | ||
|
|
||
| # Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| # of this software and associated documentation files (the "Software"), to deal | ||
| # in the Software without restriction, including without limitation the rights | ||
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| # copies of the Software, and to permit persons to whom the Software is | ||
| # furnished to do so, subject to the following conditions: | ||
|
|
||
| # The above copyright notice and this permission notice shall be included in all | ||
| # copies or substantial portions of the Software. | ||
|
|
||
| # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| # SOFTWARE. | ||
|
|
||
| include_directories(${elf-bf-tools_SOURCE_DIR}/libelf_bf) | ||
|
|
||
| add_executable(elf_bf_compiler elf_bf_compiler.c) | ||
|
|
||
| link_directories(/usr/local/lib) | ||
| target_link_libraries(elf_bf_compiler ${ELFBF_LIBS}) |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| /* Copyright (c) 2012 Rebecca (bx) Shapiro | ||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. | ||
| */ | ||
|
|
||
| #include <stdio.h> | ||
| #include "elf_bf_utils.h" | ||
|
|
||
| #define INPUT_FILE "../demo/demo" | ||
| #define OUTPUT_FILE "demo" | ||
|
|
||
| #define TAPE_LEN 10 | ||
|
|
||
| void create_relas(); | ||
|
|
||
| int main(int argv, char *argc[]) | ||
| { | ||
| if (argv != 2) { | ||
| fprintf(stderr, "usage: %s <brainfuck source file>\n",argc[0]); | ||
| exit(-1); | ||
| } | ||
|
|
||
|
|
||
| elf_bf_env_t e; | ||
| elfutils_setup_env(argc[1],INPUT_FILE,OUTPUT_FILE, | ||
| TAPE_LEN, | ||
| 0x5555555688dc, /*ifunc .. __sigsetjmp*/ | ||
| 0x555555773220, /*exec l*/ | ||
| 0x7fffffffd9b0, /*exec reloc end*/ | ||
| 0x600f28, /* location of dt_rela */ | ||
| 0x600f38, /* location of dt_relasz */ | ||
| 0x600ea8, /* location of dt_sym */ | ||
| 0x600f18, /* location of dt_jumprel */ | ||
| 0x601ef8, /* location of dt_pltrelsz */ | ||
| &e); | ||
| compile_bf_instructions(&e); | ||
|
|
||
| elfutils_save_env(&e); | ||
| return 0; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Copyright (c) 2012 Rebecca (bx) Shapiro | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
|
|
||
|
|
||
| BUILD | ||
| You will need to build eglibc from scratch in order to use this tool. setup.sh | ||
| should do all the work for you, just go ahead and run it. | ||
|
|
||
| building eglibc requies ~800Mb of free space. | ||
|
|
||
| RUNNING | ||
|
|
||
| run debug_rtld_exec.sh <path to executable> to debug the runtime loader as it | ||
| runs that executable. It also loads a set of tools that can be used to inspect | ||
| a Brainfuck stack. The following commands are available | ||
|
|
||
| elfbf set_tape <address> | ||
| -This must always be run. The last argument is the address of the symbol that holds the address of where the tape pointer is currently pointing. | ||
|
|
||
| elfbf print_current_entry | ||
| -prints the current tape entry's value | ||
|
|
||
| elfbf print_entry <num> | ||
| -prints entry at tape slot # <num> | ||
|
|
||
| elfbf get_tape_index | ||
| -prints the index of the slot on the tape where the tape pointer is currently pointing | ||
|
|
||
| elfbf print_tape_range <low> <high> | ||
| -prints the values on the tape from <low> to <high>, not including <high> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| #!/bin/bash | ||
|
|
||
|
|
||
| # Copyright (c) 2012 Rebecca (bx) Shapiro | ||
|
|
||
| # Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| # of this software and associated documentation files (the "Software"), to deal | ||
| # in the Software without restriction, including without limitation the rights | ||
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| # copies of the Software, and to permit persons to whom the Software is | ||
| # furnished to do so, subject to the following conditions: | ||
|
|
||
| # The above copyright notice and this permission notice shall be included in all | ||
| # copies or substantial portions of the Software. | ||
|
|
||
| # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| # SOFTWARE. | ||
|
|
||
| # first argument is executable to run | ||
|
|
||
| ulimit -c unlimited | ||
|
|
||
| DIR=${PWD}/.. | ||
| GLIBC=${PWD}/eglibc/eglibc-2.13 | ||
| echo "set environment C -E -x c-header | ||
| python execfile(\"$PWD/elfbfgdb.py\") | ||
| break do-rel.h:116 | ||
| break _dl_start | ||
| run --library-path $GLIBC:$GLIBC/nptl:$GLIBC/math:$GLIBC/elf:$GLIBC/dlfcn:$GLIBC/nss:$GLIBC/nis:$GLIBC/rt:$GLIBC/resolv:$GLIBC/crypt:$GLIBC/ntlp:$GLIBC/nplp_db $PWD/$1" > temp.gdb | ||
|
|
||
| ${GLIBC}/../root/lib/ld-2.13.so --library-path \ | ||
| ${GLIBC}:\ | ||
| ${GLIBC}/math:\ | ||
| ${GLIBC}/elf:\ | ||
| ${GLIBC}/dlfcn:\ | ||
| ${GLIBC}/nss:\ | ||
| ${GLIBC}/nis:\ | ||
| ${GLIBC}/rt:\ | ||
| ${GLIBC}/resolv:\ | ||
| ${GLIBC}/crypt:\ | ||
| ${GLIBC}/nptl:\ | ||
| ${GLIBC}/nptl_db:\ | ||
| /lib/:\ | ||
| /usr/lib/x86_64-linux-gnu/:\ | ||
| /lib/x86_64-linux-gnu/:\ | ||
| /usr/lib/: \ | ||
| /usr/bin/ddd -x ${PWD}/temp.gdb -d ${GLIBC} ${GLIBC}/../build/elf/ld.so |
Oops, something went wrong.