I’m trying to generate a simple static ELF using libelf, but I seem to be having troubles.
I do not wish to generate an object file and then link it w/ LD, instead I wish to generate it on my own.
The main purpose of this program is to generate a static ELF with one LOAD segment and to execute the code.
The main problem is not in the shellcode itself,but probably in some of headers I try to produce in a wrong way. When I try to run the generated ELF it gets killed as if the kernel doesn’t manage to find the segment it just loaded, etc.
I would be fond if you guys could hint me.
create_elf.3.c
#include <err.h>
#include <fcntl.h>
#include <libelf.h>
#include <stdio.h>
#include <stdlib.h>
#include <sysexits.h>
#include <unistd.h>
unsigned char code[] =
"\x0b\x58\x99\x52\x66\x68\x2d\x70"
"\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61"
"\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52"
"\x51\x53\x89\xe1\xcd\x80";
int main(int argc, char *argv[])
{
int fd;
Elf *e;
Elf_Scn *scn;
Elf_Data *data;
Elf32_Ehdr *ehdr;
Elf32_Phdr *phdr;
Elf32_Shdr *shdr;
if (argc != 2)
errx(EX_USAGE,"input... ./%s filename\n",argv[0]);
if (elf_version(EV_CURRENT) == EV_NONE)
errx(EX_SOFTWARE,"elf_version is ev_none, wtf? %s\n",elf_errmsg(-1));
if ((fd = open(argv[1], O_WRONLY | O_CREAT, 0777)) < 0)
errx(EX_OSERR, "open %s\n",elf_errmsg(-1));
if ((e = elf_begin(fd, ELF_C_WRITE, NULL)) == NULL)
errx(EX_SOFTWARE,"elf_begin %s\n",elf_errmsg(-1));
if ((ehdr = elf32_newehdr(e)) == NULL)
errx(EX_SOFTWARE,"elf32_newehdr %s\n",elf_errmsg(-1));
/*
without these definitions objdump/readelf/strace/elf loader
will fail to load the binary correctly
be sure to pick them carefully and correctly, preferred exactly like the
ones like the system you are running on (so if you are running x86,
pick the same values you seen on a regular readelf -a /bin/ls
*/
ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
ehdr->e_ident[EI_CLASS] = ELFCLASS32;
ehdr->e_machine = EM_386;
ehdr->e_type = ET_EXEC;
ehdr->e_entry = 0x8040800;
if ((phdr = elf32_newphdr(e,1)) == NULL)
errx(EX_SOFTWARE,"elf32_newphdr %s\n",elf_errmsg(-1));
if ((scn = elf_newscn(e)) == NULL)
errx(EX_SOFTWARE,"elf32_newscn %s\n",elf_errmsg(-1));
if ((data = elf_newdata(scn)) == NULL)
errx(EX_SOFTWARE,"elf32_newdata %s\n",elf_errmsg(-1));
data->d_align = 4;
data->d_off = 0LL;
data->d_buf = code;
data->d_type = ELF_T_WORD; // code :x
data->d_size = sizeof(code);
data->d_version = EV_CURRENT;
if ((shdr = elf32_getshdr(scn)) == NULL)
errx(EX_SOFTWARE,"elf32_getshdr %s\n",elf_errmsg(-1));
shdr->sh_name = 0;
shdr->sh_type = SHT_PROGBITS;
shdr->sh_flags = SHF_EXECINSTR | SHF_ALLOC;
shdr->sh_entsize = 0; // only used if we hold a table
if (elf_update(e, ELF_C_NULL) < 0)
errx(EX_SOFTWARE,"elf_update_1 %s\n",elf_errmsg(-1));
phdr->p_type = PT_LOAD;
phdr->p_offset = ehdr->e_phoff;
phdr->p_filesz = elf32_fsize(ELF_T_PHDR, 1, EV_CURRENT);
phdr->p_vaddr = 0x8040800;
phdr->p_paddr = 0x8040800;
phdr->p_align = 4;
phdr->p_filesz = sizeof(code);
phdr->p_memsz = sizeof(code);
phdr->p_flags = PF_X | PF_R;
elf_flagphdr(e, ELF_C_SET, ELF_F_DIRTY);
if (elf_update(e, ELF_C_WRITE) < 0 )
errx(EX_SOFTWARE,"elf32_update_2 %s\n",elf_errmsg(-1));
elf_end(e);
close(fd);
return 1;
}
I would be fond if someone could hint me what’s wrong here
Thanks
edit
Sorry for not giving more details,
The ELF generation seems to be working ok, I do not get any syntax errors etc,
however whenever I try to run ELF I generated, e.g ./create_elf.3 foo14 (and foo14 is the generated ELF)
It gets killed, as if execve/kernel doesn’t wish to load it properly
I tried loading it w/ IDA but IDA shows the disassembled code fine enough
here’s the output from readelf
readelf -a foo14
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8040800
Start of program headers: 52 (bytes into file)
Start of section headers: 116 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 40 (bytes)
Number of section headers: 2
Section header string table index: 0
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] <no-name> NULL 00000000 000000 000000 00 0 0 0
[ 1] <no-name> PROGBITS 00000000 000054 000020 00 AX 0 0 4
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000034 0x08040800 0x08040800 0x00021 0x00021 R E 0x4
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.
First, it would be a good idea during testing to replace the code
fragment containing (naughty) shell code with something harmless, say:
On an i386 GNU/Linux system this revised code fragment causes the process
to immediately exit with an exit code of 42.
The following ASCII art illustrates the layout of the ELF executable
being built:
The section name string table is optional. It helps to neaten the
output of readelf.
The executable will be loaded at the virtual address named by
LOADADDR. The value forLOADADDRis system dependent—a value of0x08048000 seems to work well on my system.
The executable code fragment is placed just after the PHDR table. The
e_entryfield of the ELF Executable Header holds the virtual addressto which control will be transferred to. The value of the field
should therefore be:
Code segments would use a data type of
ELF_T_BYTEand a section typeof
SHT_PROGBITS, with an alignment of 1.The
sh_addrfield of the section header table entry holds thevirtual address of the start of the section’s data.
The sole entry in the ELF Program Header table covers the area to be
loaded, starting with the ELF header and including the executable
code.
A section name string table is optional, and makes for nicer output
from readelf. A hand-rolled string table suffices:
The code to add the string table to the executable is:
With these changes the ELF binary created by your program should be
runnable.
The structure of the generated executable would be as follows: