Patching ELF with Rair

Introduction

In this post, I will try to solve oracle level 3 challenge from chapter 5 of practical binary analysis book using Rair which is a Reverse Engineering Framework that's under development. Briefly, Its rewrite of radare2 but in rust to become more memory safe and more stable along with superior features that are under development. Today, I will just use Rair hex-editor feature for patching the ELF Binary file to solve our challenge.

Installation in Linux

1. Install Rust.

2. Add Rust to your system PATH manually.

3. Use cargo Rust’s build system and package manager to download Rair.


Level-3 Analysis

At the start, I execute the lvl3 binary and kinda get an error that file has an invalid format.  

Also, when I tried to check the file format of lvl3 using file utility command I still get an error.

Now we know something wrong is going on with format and we need to dig deeper by checking ELF headers to know what causes this error with the help of readelf utility. So let's start taking look on the executable header.

The start of program headers did not make sense because its value is greater than the file size value. Also, It should follow executable header so its offset should be 64 bytes into the file. Also, OS/ABI and machine did not make sense so I will change them to UNIX-System V and Advanced Micro Devices X86-64 respectively to make ELF file executing on normal Linux machine. Now, let's check Section headers.

In the above snippet, .text section type is NOBITS but this section exists in a disk image of the file so it should be PROGBITS type. PROGBITS value means the section contains program data or instructions. so lets in the next section patch the issues we discovered.

Playing with Rair

Now, we will start to see how to use Rair to patch the binary file. At first, we should open the file for dumping or patching with read/write permissions as the following.


So to make sure that file opened with right permissions besides knowing which address the file mapped into. we will use the following files command.


One cool feature of Rair,  It can allow you to open many files and work on them at the same time by using open command. you can know about it using open? command. Now, I'm going to seek to start the address of a file using seek command then dump the ELF executable header which has 64 bytes size using px command.


Right now, we need to know offsets of OS/ABI, Machine, and Start of program headers inside the ELF executable headers so let's check the Elf64_Ehdr struct to know the offsets.

In the last snippet, we can get that offset of OS/ABI =7 with size =1 byte, Machine =18 with size =2 bytes, and offset the start of the program header =32 with size =4 bytes let's seek the offsets and overwrite them with the right values which are OS/ABI =0x0 (UNIX-System V), Machine =0x3e00 (Advanced Micro Devices X86-64) and finally, the start of program headers =0x40000000 (64 in little-endian) using the wx command.


Now we have done with ELF executable header. It's time for fixing .text section type in the ELF section headers. The start of .text section header = Start_of_section_headers + (Size of section headers *  index_of_text_section) = 4480 + (64*14) =5376. All numbers in the equation are extracted from readelf command results from previous snippets. Now, we need to define the offset of section type from the start of the .text section header by looking into Elf64_Shdr struct.

Based on the previous snippet, the type of .text section header now located at 4 bytes from the start of the .text section header (type offset = 5376+4=5380 from start ELF file) with size =4 bytes. So we will seek to offset 5480 to overwrite it with value PROGBITS (0x01000000 in little-endian).


Finishing it

After I have done with patching the headers, I executed the binary file and it executed successfully by printing a hash.

I used ltrace to know about that hash. I find out the binary calculates a hash for its file image. so I just feed that hash to oracle and successfully level 3 is done.

Comments

Post a Comment

Popular posts from this blog

CSAW CTF 2014: greenhornd Writeup

Image
Introduction Nowadays, I'm trying to learn windows exploitation by reading the tutorials and solving tasks that recommended by open-source seminar written with the Korean language (Thanks to google translate) besides other external resources. So, I decided to provide writeups for the chosen challenges existed within the seminar repository. Consequently, I am going today to solve my first 32-bit windows pwn challenge within window10 which is greenhornd from CSAW CTF 2014 using the Open-Read-Write ROP chain to read the file named key from a remote server. Additionally, I will use AppJailLauncher to launch the exe file for providing a game server experience using the following command. Finding the Vulnerability First of All, I executed the greenhornd exe, and the following text got printed to the screen which asks you to find the secret key and it suggested that you can look at strings within the binary using strings utility or IDA disassembler (sorry I will use R2 cutter xD ).  ...
Read more

Windows Service Analysis

Image
Introduction In my first post, I will analyze the dropper of Shamoon 3.0 malware which is windows service executable that differs from a normal executable structure and execution method. So by analyzing dropper of Shamoon 3.0, we can understand: 1) windows service structure. 2) how to analyze & debug windows service.    So let us understand what's windows service and how it structured before jumping to Analysis. Windows service program a program that executed by Service Control Manager (SCM) and conforms to its rules. it runs in the background with no GUI interface as it doesn't need a user to interact with it. It can be started automatically at system boot. Windows Service Structure The Window Service Structure program consists of three important functions as seen in windows service structure Figure: 1. Main entry point function  the main function of the windows service program, its goal to inform the...
Read more