Analysing the ELF file DT_RPATH backdoor on Linux


I. Preface

Some time ago, while reviewing my knowledge of the ELF file format, I flipped through many excellent older articles and came across alert7's article <> in the Unix section of the xfocus help files. I looked at it at the time, October 14, September. During that period I was busy and did not go to the Internet cafe. alert7 does not post code, and I think some readers may not follow it, so I am writing this article to give a brief introduction. This article refers to Linux.

This article does not cover ELF basics; for conceptual material, refer to the ELF documentation, then pick up gdb to learn what the GOT, the PLT and relocations are, and use readelf or objdump to look at dynamic and static linking. Look up whatever else you need. Errors in the text are inevitable; please correct me ;)

II. Analysis

Why the backdoor is possible:

Reference <>

* The dynamic array tag DT_RPATH holds a string listing search directories, separated by colons.

For example, the string /home/dir/lib:/home/dir2/lib tells the dynamic linker to search /home/dir/lib first, then /home/dir2/lib, and then the current directory.

The directories set by the LD_LIBRARY_PATH environment variable are searched after the directories named by DT_RPATH. For security reasons, the dynamic linker ignores the search directories given by LD_LIBRARY_PATH for set-user-ID and set-group-ID programs; however, it still searches the directories named by DT_RPATH and /usr/lib. That is what makes DT_RPATH interesting.

With this background, we can install a DT_RPATH entry in a set-user-ID program (which normally has none), set its search path to the current directory, place a library of our own with the expected name in the current directory, and have the program load our dynamic library. In this way we obtain the set-user-ID privilege.

We intercept __libc_start_main because, in the ping program, it runs before the privilege is given up (intercepting malloc, for instance, cannot guarantee that). Since ping uses libc.so, we store our own library in the current directory under the name libresolv.so.2.

The keys to implementing this backdoor are:

A: Modify or add (it usually does not exist) an entry structure in the .dynamic section (an array) whose d_tag is DT_RPATH. Its d_un.d_val is the offset of a NULL-terminated string in the .dynstr section (if DT_RPATH exists). This string is a set of paths separated by colons.

A trailing colon indicates the current directory. If the string is changed to "__wujianqiang:\0" (the \0 being the NULL terminator ;)), the __wujianqiang subdirectory of the current directory is searched first and then the current directory itself; obviously a relative directory is used here. Constructing this string is the main task, and we also need to decide whether to add such a string or modify an existing one into the form we need. The former is clearly more complicated, since it would require changing the program header and some section members, so we use the modification method and look for a dynamic symbol string to modify. Here I chose the __gmon_start__ string. Other symbols would do as well, but __gmon_start__ is special in that almost every program has this symbol, so I chose this one.

Usually no entry structure with d_tag DT_RPATH exists, so we need to add this DT_RPATH. In fact, the .dynamic array contains a few unused NULL entries (usually available), so what I do is find the first NULL entry in the program and modify it; there is no need to touch any other entries. Likewise, we do not need to modify any section or any structure members of the program header, because the entry structure already exists and nothing has to be added. With that, our ELF file modification task is finished.

B: Now all we need to do is intercept the function. alert7 proposed intercepting __libc_start_main, and we will intercept this function; the reason it can be intercepted is described later.

Let's first solve the problem in A:

The following is the related background:

Generally, the program header table of every dynamically linked object has an element of type PT_DYNAMIC. This segment contains the .dynamic section.

The structure of each entry (the .dynamic structure) is as follows:

    typedef struct
    {
        Elf32_Sword d_tag;      /* Dynamic entry type */
        union
        {
            Elf32_Word d_val;   /* Integer value */
            Elf32_Addr d_ptr;   /* Address value */
        } d_un;
    } Elf32_Dyn;

The following uses readelf to illustrate this:

    [wujian@redhat72 elf_door]$ readelf -l ./ping

    Program Headers:
      Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      [...]
      DYNAMIC        0x005618 0x0804e618 0x0804e618 0x000d0 0x000d0 RW  0x4

     Section to Segment mapping:
      Segment Sections...
      [...]
       04     .dynamic

    [wujian@redhat72 elf_door]$ readelf -S ./ping
    There are 24 section headers, starting at offset 0x57cc:

    Section Headers:
      [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
      [...]
      [ 4] .dynsym           DYNSYM          080482a0 0002a0 000370 10   A  5   1  4
      [ 5] .dynstr           STRTAB          08048610 000610 000233 00   A  0   0  1
      [ 8] .rel.dyn          REL             080488e4 0008e4 000030 08   A  4   0  4
      [ 9] .rel.plt          REL             08048914 000914 000168 08   A  4   b  4
      [11] .plt              PROGBITS        08048a94 000a94 0002e0 04  AX  0   0  4
      [12] .text             PROGBITS        08048d80 000d80 003230 00  AX  0   0 16
      [19] .got              PROGBITS        0804e554 005554 0000c4 04  WA  0   0  4
      [20] .dynamic          DYNAMIC         0804e618 005618 0000d0 08  WA  5   0  4
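To check a binary for the condition described in A, here is an added example (not alert7's code or this article's) that walks an Elf32_Dyn array in the layout shown above and counts the DT_RPATH/DT_RUNPATH search directories that the dynamic linker would resolve relative to the current directory. The .dynstr contents, the d_val offsets and the three dynamic arrays are constructed for the example, not taken from a real ping binary.

```c
#include <elf.h>
#include <stddef.h>
#include <string.h>

/* Constructed .dynstr table in the layout the article describes.
 * Offsets: 1 -> "libc.so.6", 11 -> "__gmon_start__:", 27 -> "/usr/lib". */
static const char dynstr[] = "\0libc.so.6\0__gmon_start__:\0/usr/lib\0";
/* Constructed .dynamic arrays (assumed values, not from a real binary). */
static const Elf32_Dyn dyn_suspicious[] = {
    { DT_NEEDED, { 1 } },
    { DT_RPATH,  { 11 } },      /* "__gmon_start__:" -> relative dir, then cwd */
    { DT_STRTAB, { 0x08048610 } },
    { DT_NULL,   { 0 } },
};
static const Elf32_Dyn dyn_clean[] = {
    { DT_NEEDED, { 1 } },
    { DT_RPATH,  { 27 } },      /* "/usr/lib" -> absolute directory only */
    { DT_NULL,   { 0 } },
};
static const Elf32_Dyn dyn_malformed[] = { { DT_RPATH, { 999 } }, { DT_NULL, { 0 } } };

/* For every DT_RPATH/DT_RUNPATH entry, count the colon-separated directories
 * that are not absolute: an empty component (e.g. after a trailing colon) and a
 * relative name are both resolved from the current directory, the condition the
 * article relies on. $ORIGIN entries are counted too and need separate review.
 * Returns -1 if d_val does not point at a NUL-terminated string in .dynstr. */
int count_unsafe_rpath_dirs(const Elf32_Dyn *dyn, size_t ndyn,
                            const char *strtab, size_t strsz)
{
    int unsafe = 0;
    for (size_t i = 0; i < ndyn && dyn[i].d_tag != DT_NULL; i++) {
        if (dyn[i].d_tag != DT_RPATH && dyn[i].d_tag != DT_RUNPATH)
            continue;
        Elf32_Word off = dyn[i].d_un.d_val;
        if (off >= strsz || memchr(strtab + off, '\0', strsz - off) == NULL)
            return -1;                        /* offset outside .dynstr or unterminated */
        const char *p = strtab + off;
        for (;;) {
            const char *colon = strchr(p, ':');
            size_t len = colon ? (size_t)(colon - p) : strlen(p);
            if (len == 0 || p[0] != '/')      /* "" or relative => cwd-relative search */
                unsafe++;
            if (colon == NULL) break;
            p = colon + 1;
        }
    }
    return unsafe;
}
```

Any non-zero result on a set-user-ID binary is worth investigating, since a dynamic array that gains a DT_RPATH entry is exactly the modification the article describes.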
