
ELF corruption #15480

Closed shijiameng closed 1 year ago

shijiameng commented 4 years ago

Work environment

OS: Ubuntu x86_64 File format: ELF Bits of the file: x86/64 radare2 4.1.0-git 23283 @ linux-x86-64 git.4.0.0-107-gff71c411c commit: ff71c411c7cd806f22c4705d67a0086cbefd9662 build: 2019-11-18__15:29:57

Expected behavior

Insert an assembly instruction, shifting the following instructions rather than overwriting them

For example: insert an instruction (e.g. add eax, 2) at 0x653

┌ 15: sym.foo (int64_t arg1); │ ; var int64_t var_4h @ rbp-0x4 │ ; arg int64_t arg1 @ rdi │ 0x0000064a 55 push rbp │ 0x0000064b 4889e5 mov rbp, rsp │ 0x0000064e 897dfc mov dword [var_4h], edi ; arg1 │ 0x00000651 8b45fc mov eax, dword [var_4h] │ 0x00000653 83c002 add eax, 2 │ 0x00000656 83c001 add eax, 1 │ 0x00000659 5d pop rbp └ 0x0000065a c3 ret

Actual behavior

The ELF file is corrupted:

[0x00000540]> iS [Sections]

nth paddr size vaddr vsize perm name ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― 0 0x00000000 0x0 0x00000000 0x0 ---- 1 0x238000000 0x1c000000 0x238000000 0x1c000000 ---- unknown0 2 0x254000000 0x20000000 0x254000000 0x20000000 ---- unknown1 3 0x274000000 0x24000000 0x274000000 0x24000000 ---- unknown2 4 0x298000000 0x1c000000 0x298000000 0x1c000000 -rwx unknown3 5 0x2b8000000 0xa8000000 0x2b8000000 0xa8000000 ---- unknown4 6 0x360000000 0x84000000 0x360000000 0x84000000 ---- unknown5 7 0x3e4000000 0xe000000 0x3e4000000 0xe000000 -rwx unknown6 8 0x3f8000000 0x20000000 0x3f8000000 0x20000000 -rwx unknown7 9 0x418000000 0xc0000000 0x418000000 0xc0000000 ---- unknown8 10 0x4d8000000 0x18000000 0x4d8000000 0x18000000 ---- invalid0 11 0x4f0000000 0x17000000 0x4f0000000 0x17000000 ---- invalid1 12 0x510000000 0x20000000 0x510000000 0x20000000 ---- invalid2 13 0x530000000 0x8000000 0x530000000 0x8000000 ---- invalid3 14 0x540000000 0x1d2000000 0x540000000 0x1d2000000 ---- invalid4 15 0x714000000 0x9000000 0x714000000 0x9000000 ---- invalid5 16 0x720000000 0x19000000 0x720000000 0x19000000 ---- invalid6 17 0x73c000000 0x44000000 0x73c000000 0x44000000 ---- invalid7 18 0x780000000 0x128000000 0x780000000 0x128000000 ---- invalid8 19 0xdb8000000 0x8000000 0x200db8000000 0x8000000 ---- invalid9 20 0xdc0000000 0x8000000 0x200dc0000000 0x8000000 ---- invalid10 21 0xdc8000000 0x1f0000000 0x200dc8000000 0x1f0000000 ---- invalid11 22 0xfb8000000 0x48000000 0x200fb8000000 0x48000000 ---- invalid12 23 0x1000000000 0x10000000 0x201000000000 0x10000000 ---- invalid13 24 0x1010000000 0x8000000 0x201010000000 0x8000000 ---- invalid14 25 0x1010000000 0x2b000000 0x00000000 0x2b000000 ---- invalid15 26 0x1040000000 0x600000000 0x00000000 0x600000000 ---- unknown9 27 0x1640000000 0x208000000 0x00000000 0x208000000 ---- unknown10 28 0x1848000000 0xfe000000 0x00000000 0xfe000000 ---- unknown11

Steps to reproduce the behavior

$ r2 test [0x00000540]> aaaa [0x00000540]> oo+ [0x00000540]> s sym.foo [0x0000064a]> pdf ; CALL XREF from main @ 0x66d ┌ 15: sym.foo (int64_t arg1); │ ; var int64_t var_4h @ rbp-0x4 │ ; arg int64_t arg1 @ rdi │ 0x0000064a 55 push rbp │ 0x0000064b 4889e5 mov rbp, rsp │ 0x0000064e 897dfc mov dword [var_4h], edi ; arg1 │ 0x00000651 8b45fc mov eax, dword [var_4h] │ 0x00000654 83c001 add eax, 1 │ 0x00000657 5d pop rbp └ 0x00000658 c3 ret [0x0000064a]>

[0x0000064a]> iS [Sections]

nth paddr size vaddr vsize perm name ――――――――――――――――――――――――――――――――――――――――――――――――― 0 0x00000000 0x0 0x00000000 0x0 ---- 1 0x00000238 0x1c 0x00000238 0x1c -r-- .interp 2 0x00000254 0x20 0x00000254 0x20 -r-- .note.ABI_tag 3 0x00000274 0x24 0x00000274 0x24 -r-- .note.gnu.build_id 4 0x00000298 0x1c 0x00000298 0x1c -r-- .gnu.hash 5 0x000002b8 0xa8 0x000002b8 0xa8 -r-- .dynsym 6 0x00000360 0x84 0x00000360 0x84 -r-- .dynstr 7 0x000003e4 0xe 0x000003e4 0xe -r-- .gnu.version 8 0x000003f8 0x20 0x000003f8 0x20 -r-- .gnu.version_r 9 0x00000418 0xc0 0x00000418 0xc0 -r-- .rela.dyn 10 0x000004d8 0x18 0x000004d8 0x18 -r-- .rela.plt 11 0x000004f0 0x17 0x000004f0 0x17 -r-x .init 12 0x00000510 0x20 0x00000510 0x20 -r-x .plt 13 0x00000530 0x8 0x00000530 0x8 -r-x .plt.got 14 0x00000540 0x1d2 0x00000540 0x1d2 -r-x .text 15 0x00000714 0x9 0x00000714 0x9 -r-x .fini 16 0x00000720 0x19 0x00000720 0x19 -r-- .rodata 17 0x0000073c 0x44 0x0000073c 0x44 -r-- .eh_frame_hdr 18 0x00000780 0x128 0x00000780 0x128 -r-- .eh_frame 19 0x00000db8 0x8 0x00200db8 0x8 -rw- .init_array 20 0x00000dc0 0x8 0x00200dc0 0x8 -rw- .fini_array 21 0x00000dc8 0x1f0 0x00200dc8 0x1f0 -rw- .dynamic 22 0x00000fb8 0x48 0x00200fb8 0x48 -rw- .got 23 0x00001000 0x10 0x00201000 0x10 -rw- .data 24 0x00001010 0x0 0x00201010 0x8 -rw- .bss 25 0x00001010 0x2b 0x00000000 0x2b ---- .comment 26 0x00001040 0x600 0x00000000 0x600 ---- .symtab 27 0x00001640 0x208 0x00000000 0x208 ---- .strtab 28 0x00001848 0xfe 0x00000000 0xfe ---- .shstrtab

[0x0000064a]> iO r/.text/0x1d5 // resize text section to 0x1d5 (original: 0x1d2) delta: 3 -> elf section () -> elf section (.interp) -> elf section (.note.ABI-tag) -> elf section (.note.gnu.build-id) -> elf section (.gnu.hash) -> elf section (.dynsym) -> elf section (.dynstr) -> elf section (.gnu.version) -> elf section (.gnu.version_r) -> elf section (.rela.dyn) -> elf section (.rela.plt) -> elf section (.init) -> elf section (.plt) -> elf section (.plt.got) -> elf section (.text) -> elf section (.fini) -> elf section (.rodata) -> elf section (.eh_frame_hdr) -> elf section (.eh_frame) -> elf section (.init_array) -> elf section (.fini_array) -> elf section (.dynamic) -> elf section (.got) -> elf section (.data) -> elf section (.bss) -> elf section (.comment) -> elf section (.symtab) -> elf section (.strtab) -> elf section (.shstrtab) -> program header (0x00000040) -> program header (0x00000238) -> program header (0x00000000) -> program header (0x00000dbb) -> program header (0x00000dcb) -> program header (0x00000254) -> program header (0x0000073f) -> program header (0x00000000) -> program header (0x00000dbb) COPY FROM 0x00000712 COPY TO 0x00000715 Shifted 3 byte(s)

[0x0000064a]> s 0x654 [0x00000654]> wen 3 [0x00000654]> wa add eax, 3 Written 3 byte(s) (add eax, 3) = wx 83c003 [0x00000654]> q

Binary ELF and source code

test-elf.zip

The sample code is very simple:

`#include

include

/*
 * foo: return n plus one.
 * Note: n + 1 is signed overflow (undefined behavior) when n == INT_MAX;
 * the sample only ever calls it with small constants.
 */
int foo(int n)
{
	int result = n;
	result += 1;
	return result;
}

/*
 * Entry point of the sample program: computes foo(1) and prints it.
 * argc/argv are accepted but unused.  Always returns 0.
 */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;
	int n = foo(1);
	printf("hello world, n = %d\n", n);
	return 0;
}

radare commented 4 years ago

That's completely expected. If you resize a section, the code and data will not be relocated, so the binary will not work unless you adjust all of this by hand. The garbage in the `iS` output is consistent with that: every section header field reads as the original value shifted by 3 bytes (e.g. 0x238 becomes 0x238000000, 0x1c becomes 0x1c000000), which suggests the section header table and the `e_shoff` offset in the ELF header no longer agree after the 3-byte shift.

On 18 Nov 2019, at 22:11, Jiameng Shi notifications@github.com wrote:

Work environment

OS: Ubuntu x86_64 File format: ELF Bits of the file: x86/64 radare2 4.1.0-git 23283 @ linux-x86-64 git.4.0.0-107-gff71c411c commit: ff71c41 https://github.com/radareorg/radare2/commit/ff71c411c7cd806f22c4705d67a0086cbefd9662 build: 2019-11-18__15:29:57

Expected behavior

Insert an assembly instruction, shifting the following instructions rather than overwriting them

For example: insert an instruction (e.g. add eax, 2) at 0x653

┌ 15: sym.foo (int64_t arg1); │ ; var int64_t var_4h @ rbp-0x4 │ ; arg int64_t arg1 @ rdi │ 0x0000064a 55 push rbp │ 0x0000064b 4889e5 mov rbp, rsp │ 0x0000064e 897dfc mov dword [var_4h], edi ; arg1 │ 0x00000651 8b45fc mov eax, dword [var_4h] │ 0x00000653 83c002 add eax, 2 │ 0x00000656 83c001 add eax, 1 │ 0x00000659 5d pop rbp └ 0x0000065a c3 ret

Actual behavior

The ELF file is corrupted:

[0x00000540]> iS [Sections]

nth paddr size vaddr vsize perm name ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― 0 0x00000000 0x0 0x00000000 0x0 ---- 1 0x238000000 0x1c000000 0x238000000 0x1c000000 ---- unknown0 2 0x254000000 0x20000000 0x254000000 0x20000000 ---- unknown1 3 0x274000000 0x24000000 0x274000000 0x24000000 ---- unknown2 4 0x298000000 0x1c000000 0x298000000 0x1c000000 -rwx unknown3 5 0x2b8000000 0xa8000000 0x2b8000000 0xa8000000 ---- unknown4 6 0x360000000 0x84000000 0x360000000 0x84000000 ---- unknown5 7 0x3e4000000 0xe000000 0x3e4000000 0xe000000 -rwx unknown6 8 0x3f8000000 0x20000000 0x3f8000000 0x20000000 -rwx unknown7 9 0x418000000 0xc0000000 0x418000000 0xc0000000 ---- unknown8 10 0x4d8000000 0x18000000 0x4d8000000 0x18000000 ---- invalid0 11 0x4f0000000 0x17000000 0x4f0000000 0x17000000 ---- invalid1 12 0x510000000 0x20000000 0x510000000 0x20000000 ---- invalid2 13 0x530000000 0x8000000 0x530000000 0x8000000 ---- invalid3 14 0x540000000 0x1d2000000 0x540000000 0x1d2000000 ---- invalid4 15 0x714000000 0x9000000 0x714000000 0x9000000 ---- invalid5 16 0x720000000 0x19000000 0x720000000 0x19000000 ---- invalid6 17 0x73c000000 0x44000000 0x73c000000 0x44000000 ---- invalid7 18 0x780000000 0x128000000 0x780000000 0x128000000 ---- invalid8 19 0xdb8000000 0x8000000 0x200db8000000 0x8000000 ---- invalid9 20 0xdc0000000 0x8000000 0x200dc0000000 0x8000000 ---- invalid10 21 0xdc8000000 0x1f0000000 0x200dc8000000 0x1f0000000 ---- invalid11 22 0xfb8000000 0x48000000 0x200fb8000000 0x48000000 ---- invalid12 23 0x1000000000 0x10000000 0x201000000000 0x10000000 ---- invalid13 24 0x1010000000 0x8000000 0x201010000000 0x8000000 ---- invalid14 25 0x1010000000 0x2b000000 0x00000000 0x2b000000 ---- invalid15 26 0x1040000000 0x600000000 0x00000000 0x600000000 ---- unknown9 27 0x1640000000 0x208000000 0x00000000 0x208000000 ---- unknown10 28 0x1848000000 0xfe000000 0x00000000 0xfe000000 ---- unknown11

Steps to reproduce the behavior

$ r2 test [0x00000540]> aaaa [0x00000540]> oo+ [0x00000540]> s sym.foo [0x0000064a]> pdf ; CALL XREF from main @ 0x66d ┌ 15: sym.foo (int64_t arg1); │ ; var int64_t var_4h @ rbp-0x4 │ ; arg int64_t arg1 @ rdi │ 0x0000064a 55 push rbp │ 0x0000064b 4889e5 mov rbp, rsp │ 0x0000064e 897dfc mov dword [var_4h], edi ; arg1 │ 0x00000651 8b45fc mov eax, dword [var_4h] │ 0x00000654 83c001 add eax, 1 │ 0x00000657 5d pop rbp └ 0x00000658 c3 ret [0x0000064a]>

[0x0000064a]> iS [Sections]

nth paddr size vaddr vsize perm name ――――――――――――――――――――――――――――――――――――――――――――――――― 0 0x00000000 0x0 0x00000000 0x0 ---- 1 0x00000238 0x1c 0x00000238 0x1c -r-- .interp 2 0x00000254 0x20 0x00000254 0x20 -r-- .note.ABI_tag 3 0x00000274 0x24 0x00000274 0x24 -r-- .note.gnu.build_id 4 0x00000298 0x1c 0x00000298 0x1c -r-- .gnu.hash 5 0x000002b8 0xa8 0x000002b8 0xa8 -r-- .dynsym 6 0x00000360 0x84 0x00000360 0x84 -r-- .dynstr 7 0x000003e4 0xe 0x000003e4 0xe -r-- .gnu.version 8 0x000003f8 0x20 0x000003f8 0x20 -r-- .gnu.version_r 9 0x00000418 0xc0 0x00000418 0xc0 -r-- .rela.dyn 10 0x000004d8 0x18 0x000004d8 0x18 -r-- .rela.plt 11 0x000004f0 0x17 0x000004f0 0x17 -r-x .init 12 0x00000510 0x20 0x00000510 0x20 -r-x .plt 13 0x00000530 0x8 0x00000530 0x8 -r-x .plt.got 14 0x00000540 0x1d2 0x00000540 0x1d2 -r-x .text 15 0x00000714 0x9 0x00000714 0x9 -r-x .fini 16 0x00000720 0x19 0x00000720 0x19 -r-- .rodata 17 0x0000073c 0x44 0x0000073c 0x44 -r-- .eh_frame_hdr 18 0x00000780 0x128 0x00000780 0x128 -r-- .eh_frame 19 0x00000db8 0x8 0x00200db8 0x8 -rw- .init_array 20 0x00000dc0 0x8 0x00200dc0 0x8 -rw- .fini_array 21 0x00000dc8 0x1f0 0x00200dc8 0x1f0 -rw- .dynamic 22 0x00000fb8 0x48 0x00200fb8 0x48 -rw- .got 23 0x00001000 0x10 0x00201000 0x10 -rw- .data 24 0x00001010 0x0 0x00201010 0x8 -rw- .bss 25 0x00001010 0x2b 0x00000000 0x2b ---- .comment 26 0x00001040 0x600 0x00000000 0x600 ---- .symtab 27 0x00001640 0x208 0x00000000 0x208 ---- .strtab 28 0x00001848 0xfe 0x00000000 0xfe ---- .shstrtab

[0x0000064a]> iO r/.text/0x1d5 // resize text section to 0x1d5 (original: 0x1d2) delta: 3 -> elf section () -> elf section (.interp) -> elf section (.note.ABI-tag) -> elf section (.note.gnu.build-id) -> elf section (.gnu.hash) -> elf section (.dynsym) -> elf section (.dynstr) -> elf section (.gnu.version) -> elf section (.gnu.version_r) -> elf section (.rela.dyn) -> elf section (.rela.plt) -> elf section (.init) -> elf section (.plt) -> elf section (.plt.got) -> elf section (.text) -> elf section (.fini) -> elf section (.rodata) -> elf section (.eh_frame_hdr) -> elf section (.eh_frame) -> elf section (.init_array) -> elf section (.fini_array) -> elf section (.dynamic) -> elf section (.got) -> elf section (.data) -> elf section (.bss) -> elf section (.comment) -> elf section (.symtab) -> elf section (.strtab) -> elf section (.shstrtab) -> program header (0x00000040) -> program header (0x00000238) -> program header (0x00000000) -> program header (0x00000dbb) -> program header (0x00000dcb) -> program header (0x00000254) -> program header (0x0000073f) -> program header (0x00000000) -> program header (0x00000dbb) COPY FROM 0x00000712 COPY TO 0x00000715 Shifted 3 byte(s)

[0x0000064a]> s 0x654 [0x00000654]> wen 3 [0x00000654]> wa add eax, 3 Written 3 byte(s) (add eax, 3) = wx 83c003 [0x00000654]> q

Binary ELF and source code

test-elf.zip https://github.com/radareorg/radare2/files/3860653/test-elf.zip The sample code is very simple:

`#include

include

/*
 * foo: return n plus one.
 * Note: n + 1 is signed overflow (undefined behavior) when n == INT_MAX;
 * the sample only ever calls it with small constants.
 */
int foo(int n)
{
	int result = n;
	result += 1;
	return result;
}

/*
 * Entry point of the sample program: computes foo(1) and prints it.
 * argc/argv are accepted but unused.  Always returns 0.
 */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;
	int n = foo(1);
	printf("hello world, n = %d\n", n);
	return 0;
}
