zznop / drow

Injects code into ELF executables post-build
MIT License

GDB/ltrace errors when debugging drow payloads #7

Open ghost opened 1 year ago

ghost commented 1 year ago

Hey zznop.

```
"0x7ffc14b4cce0s": not in executable format: file format not recognized
------- tip of the day (disable with set show-tips off) -------
Use the canary command to see all stack canary/cookie values on the stack (based on the usual stack canary value initialized by glibc)
pwndbg>
```

```
$ ltrace ./ls-bd
Couldn't get section #1 from "/proc/994604/exe": invalid section index
```

```asm
.intel_syntax noprefix

jmp past

message: .string "See, I am drow, and I'd like to say hello,\n"

past:
    lea rdi, [rip + message]
    call puts
    ret
```

zznop commented 1 year ago

Sorry for the late response: I noticed the same and have not dug into exactly why. My best guess is it doesn't like some of the mods that drow is making to program headers.

As for your assembly, drow injects shellcode payloads. When the example payload is built, only the .text section is objcopy-ed out of the ELF to the shellcode bin file (see here). Therefore you can't use imports, such as libc functions, without knowing / resolving the address yourself. All code needs to be self-contained and position-independent, as there is nothing that will fix up relocations for you.

Risminator commented 2 months ago

I think I've found the root of the problem. At least it stopped crashing gdb for me.

The problem is adjusting the ELF headers: e_shoff and e_phoff in expand_section(). It's written like this:

```c
printf(INFO "Adjusting ELF header offsets ...\n");
if (ehdr->e_shoff > tinfo->base)
    ehdr->e_shoff = ehdr->e_shoff + patch_size + stager_size;
if (ehdr->e_phoff > tinfo->base)
    ehdr->e_phoff = ehdr->e_phoff + patch_size + stager_size;
```

However, it shouldn't adjust ELF header offsets if nothing was expanded beforehand. In other words, the adjustment should only come when the inject method is METHOD_EXPAND_AND_INJECT. For example, like this (not the best look, but works as an example):

```c
if (sinfo->inject_method == METHOD_EXPAND_AND_INJECT) {
    printf(INFO "Adjusting ELF header offsets ...\n");
    if (ehdr->e_shoff > tinfo->base)
        ehdr->e_shoff = ehdr->e_shoff + patch_size + stager_size;
    if (ehdr->e_phoff > tinfo->base)
        ehdr->e_phoff = ehdr->e_phoff + patch_size + stager_size;
}
```

After this change (accounting for this condition the same way the other parts of expand_section() are), the problem with gdb and other ELF utilities saying "file format not recognized" disappeared. Maybe this should help?
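To make the symptom in this thread checkable, here is an added example written for this issue (it is not code from drow or from either commenter). It bounds-checks an ELF64 image the way gdb's and ltrace's loaders effectively do: e_phoff/e_shoff must point inside the file, the tables they point at must fit, and every segment/section range those tables describe must fit too. It builds a minimal sample ELF in memory, then applies the same unconditional offset shift as the snippet quoted above and checks again. Assumptions: glibc's <elf.h> (Linux); the 256-byte sample layout, the base of 120 and the delta of 0x1000 are constructed values standing in for tinfo->base and patch_size + stager_size.

```c
/* elfcheck.c: bounds-check the header tables of an ELF64 image. Added example
 * for this thread, not drow code. Needs glibc's <elf.h> (Linux). */
#include <elf.h>
#include <stdint.h>
#include <string.h>

enum elf_check { ELF_OK = 0, ELF_BAD_HEADER, ELF_PHDRS_OUT_OF_BOUNDS,
                 ELF_SHDRS_OUT_OF_BOUNDS, ELF_BAD_SHSTRNDX,
                 ELF_SEGMENT_OUT_OF_BOUNDS, ELF_SECTION_OUT_OF_BOUNDS };

/* True if [off, off + size) lies inside an image of len bytes; overflow-safe. */
static int in_bounds(uint64_t off, uint64_t size, size_t len)
{
    return off <= len && size <= len - off;
}

/* Check that e_phoff/e_shoff, the tables they point at, and every file range
 * those tables describe lie inside the image. A table shifted past EOF is what
 * makes gdb say "file format not recognized" and ltrace "invalid section
 * index". Entries are memcpy'd out so odd alignment can't fault the checker. */
enum elf_check elf64_check_layout(const uint8_t *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 ||
        img[EI_CLASS] != ELFCLASS64)
        return ELF_BAD_HEADER;
    memcpy(&eh, img, sizeof eh);
    if (eh.e_phnum && (eh.e_phentsize < sizeof(Elf64_Phdr) ||
        !in_bounds(eh.e_phoff, (uint64_t)eh.e_phnum * eh.e_phentsize, len)))
        return ELF_PHDRS_OUT_OF_BOUNDS;
    if (eh.e_shnum && (eh.e_shentsize < sizeof(Elf64_Shdr) ||
        !in_bounds(eh.e_shoff, (uint64_t)eh.e_shnum * eh.e_shentsize, len)))
        return ELF_SHDRS_OUT_OF_BOUNDS;
    if (eh.e_shnum && eh.e_shstrndx != SHN_UNDEF && eh.e_shstrndx >= eh.e_shnum)
        return ELF_BAD_SHSTRNDX;
    for (unsigned i = 0; i < eh.e_phnum; i++) {      /* segment file ranges */
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_filesz && !in_bounds(ph.p_offset, ph.p_filesz, len))
            return ELF_SEGMENT_OUT_OF_BOUNDS;
    }
    for (unsigned i = 0; i < eh.e_shnum; i++) {      /* section file ranges */
        Elf64_Shdr sh;
        memcpy(&sh, img + eh.e_shoff + (size_t)i * eh.e_shentsize, sizeof sh);
        if (sh.sh_type != SHT_NOBITS && sh.sh_size &&
            !in_bounds(sh.sh_offset, sh.sh_size, len))
            return ELF_SECTION_OUT_OF_BOUNDS;
    }
    return ELF_OK;
}

/* Constructed sample image, 256 bytes: ehdr (64) + one PT_LOAD phdr (56) +
 * 8 bytes of "code" at offset 120 + two shdrs (null, .text) at offset 128. */
#define SAMPLE_LEN 256
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph = {0}; Elf64_Shdr text = {0};
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_entry = 0x400078;
    eh.e_phoff = 64; eh.e_shoff = 128; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    eh.e_shentsize = sizeof text; eh.e_shnum = 2; eh.e_shstrndx = SHN_UNDEF;
    ph.p_type = PT_LOAD; ph.p_flags = PF_R | PF_X; ph.p_vaddr = 0x400000;
    ph.p_filesz = 128; ph.p_memsz = 128; ph.p_align = 0x1000;
    text.sh_type = SHT_PROGBITS; text.sh_flags = SHF_ALLOC | SHF_EXECINSTR;
    text.sh_addr = 0x400078; text.sh_offset = 120; text.sh_size = 8;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + 64, &ph, sizeof ph);
    memcpy(buf + 192, &text, sizeof text);   /* shdr[0] stays the null entry */
    return SAMPLE_LEN;
}

/* Run the checker on the sample, optionally after the same unconditional
 * shift as the offset-adjustment snippet quoted in this thread: table offsets
 * above `base` move forward by `delta` even though the file did not grow. */
int demo_check(int apply_shift)
{
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample_image(buf, sizeof buf);
    if (apply_shift) {
        const uint64_t base = 120, delta = 0x1000;   /* constructed values */
        Elf64_Ehdr eh;
        memcpy(&eh, buf, sizeof eh);
        if (eh.e_shoff > base) eh.e_shoff += delta;
        if (eh.e_phoff > base) eh.e_phoff += delta;
        memcpy(buf, &eh, sizeof eh);
    }
    return elf64_check_layout(buf, n);
}
```

demo_check(0) returns ELF_OK; demo_check(1) returns ELF_SHDRS_OUT_OF_BOUNDS because e_shoff now points 4 KiB past the end of a 256-byte file, which is exactly the state gdb refuses to load. To test a real patched binary, read the whole file into a buffer and call elf64_check_layout(buf, len); a non-zero result before and after the header-offset fix tells you whether the fix covered the method you used.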