This shows you the differences between two versions of the page.

Previous revision: session:03 [2020/06/24 14:26] Liza-Elena BABU (78556)
Current revision: session:03 [2020/07/19 12:49] (current)

Line 1:
====== 0x02. Executable File Formats ======
- == Resources
+ ===== Resources
[[https://

Line 52:

There are several ELF types but the most common types we will be dealing with are:
- * Relocatable Files
+
- * Executable Files
+ * Executable Files
- * Shared Objects
+ * Shared Objects
=== Relocatable Files ===

Line 94:

All libraries should adhere to a strict naming convention.
Shared objects have two names:
- * **soname** - consists of the prefix //lib// followed by the library name, a //.so//, another dot, then the major version (ex:
+
- * **real name** - is actually a file name, which usually adds a dot and the minor version number along with the release version (ex: libtest.so.1.23.3)
+ * **real name** - is actually a file name, which usually adds a dot and the minor version number along with the release version (ex: libtest.so.1.23.3)
Additionally,

Line 127:

<note important>
- ** The chapters on ELF structure are not meant to be known by heart; don't try to read them all in one breath, but rather use them as a reference for the exercises **
+
**Tools of the trade**
- * [[http://
+
- * [[http://
+ * [[http://
- * [[http://
+ * [[http://
Because IDA is expensive and rarely found on machines you just hacked
Line 284:

</
- * **Name** - obtained by reading the value of the section names table at the specified index
+
- * **Type**
+ * **Type**
  * **PROGBITS** - information that is given meaning by the program when loaded into memory
  * **NOBITS** - similar to PROGBITS in meaning but occupies no space in the file

Line 293:

  * **DYNSYM** - holds a set of symbols used in the dynamic linking process
  * **REL** - holds relocation entries
- * **Addr** - if the section is part of an executable it holds the virtual address where the section can be found in memory; otherwise it is 0.
+
- * **Off** - offset from the beginning of the file to where the section starts
+ * **Off** - offset from the beginning of the file to where the section starts
- * **Size** - size of the section in bytes
+ * **Size** - size of the section in bytes
- * **ES** - size in bytes per entry, if a fixed entry size is used
+ * **ES** - size in bytes per entry, if a fixed entry size is used
- * **FLG**
+ * **FLG**
  * **X** - contains executable code
  * **W** - contains writable code
  * **A** - will be loaded into memory as-is during process execution
- * **Al** - section alignment constraints
+
**Inf** and **Lnk** have specific interpretations depending on the section type

Line 427:

Relocations and how they get applied are a very complex topic, and we will only cover them as far as it helps in detecting file and symbol types.
If you want to read more you can refer to some of these resources:
- * [[http://
+
- * [[http://
+ * [[http://
</

Line 459:

</
- * **Offset** - in relocatable files and linked shared objects it contains the offset from the beginning of the section where the relocation needs to be applied
+
- * **Info** - this field is used to derive the index in the symbol table of the affected symbol as well as the algorithm needed for fixing it.
+ * **Info** - this field is used to derive the index in the symbol table of the affected symbol as well as the algorithm needed for fixing it.
  * **info>>
  * **info&

Line 468:

By looking at the types of relocations we can draw some basic conclusions about the symbol types and also about the files.
- * **Relocatable Files**
+
  * **R_386_32** - usually used to reference changes to a local symbol
  * **R_386_PC32** - references a relative distance from here to the symbol
- * **Relocatable Files for Shared objects**
+
  * **R_386_GOTOFF** - usually found in the code area, describes the offset from the beginning of the GOT to a local symbol
  * **R_386_GOT32** - also specific to the code area. These entries persist in the linkage phase
  * **R_386_PLT32** - used when describing calls to global subroutines. When the linker reads this information it will generate an entry in the **GOT** and **PLT** tables
  * **R_386_GOTPC** - used in functions to calculate the start address of the **GOT**
- * **Executables that use dynamic linking**
+
  * **R_386_JMP** - the dynamic linker will deposit the address of the external subroutine during execution
  * **R_386_COPY** - the address of a global variable from a shared object will be deposited here
- * **Shared object files**
+
  * **R_386_JMP** - the dynamic linker will deposit the address of the external subroutine from one of the shared object dependencies during execution
  * **R_386_GLOB_DATA** - used to deposit the address of a global symbol defined in one of the shared object dependencies

Line 485:

<note important>
- ** Executable files that are statically linked do not contain relocations **
+
</
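The section-header fields listed above (Name, Type, Addr, Off, Size, ES, FLG, Al, Lnk, Inf) and the Rel entry decoding (symbol index from info>>8, relocation type from info&0xff in ELF32), carried through as an added Python example that is not part of the wiki page or the course material. It builds a constructed, minimal little-endian ELF32 relocatable object in memory (a hypothetical sample, not real compiler output) and parses it back the way `readelf -S` and `readelf -r` present it. Section type numbers, flag bits and i386 relocation type numbers are the standard ELF and i386 psABI values; the page's `R_386_JMP` and `R_386_GLOB_DATA` appear under their psABI names `R_386_JMP_SLOT` and `R_386_GLOB_DAT`. The sample leaves out a symbol table, so `sh_link` of the REL section is 0 here rather than pointing at a `.symtab`.

```python
import struct

# Section types and flag bits from the ELF specification (only the ones we need).
SH_TYPES = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 4: "RELA",
            8: "NOBITS", 9: "REL", 11: "DYNSYM"}
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4

# i386 relocation types (psABI numbering; the wiki calls R_386_JMP_SLOT "R_386_JMP"
# and R_386_GLOB_DAT "R_386_GLOB_DATA").
R_386_TYPES = {1: "R_386_32", 2: "R_386_PC32", 3: "R_386_GOT32", 4: "R_386_PLT32",
               5: "R_386_COPY", 6: "R_386_GLOB_DAT", 7: "R_386_JMP_SLOT",
               8: "R_386_RELATIVE", 9: "R_386_GOTOFF", 10: "R_386_GOTPC"}

EHDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little endian, 52 bytes
SHDR = "<10I"                # Elf32_Shdr, 40 bytes
REL = "<II"                  # Elf32_Rel: r_offset, r_info (8 bytes)


def build_sample_elf():
    """Construct a tiny ELF32 ET_REL object (hypothetical sample, assembled by hand).

    File layout: header | .text | .rel.text | .shstrtab | section header table.
    """
    text = b"\x55\x89\xe5\xb8\x00\x00\x00\x00"         # 8 bytes of placeholder code
    rels = struct.pack(REL, 0x4, (2 << 8) | 1)          # symbol 2, R_386_32, applied at .text+4
    rels += struct.pack(REL, 0x1, (3 << 8) | 2)         # symbol 3, R_386_PC32, applied at .text+1
    shstrtab = b"\0.text\0.rel.text\0.bss\0.shstrtab\0"  # name table: offsets 1, 7, 17, 22
    off_text, off_rel = 52, 52 + len(text)
    off_str = off_rel + len(rels)
    shoff = off_str + len(shstrtab)
    # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link, sh_info, sh_addralign, sh_entsize)
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                   # mandatory NULL section
        (1, 1, SHF_ALLOC | SHF_EXECINSTR, 0, off_text, len(text), 0, 0, 4, 0),
        (7, 9, 0, 0, off_rel, len(rels), 0, 1, 4, 8),                     # REL: sh_info = target section (.text)
        (17, 8, SHF_WRITE | SHF_ALLOC, 0, off_str, 0x10, 0, 0, 4, 0),     # NOBITS: 16 bytes in memory, 0 in file
        (22, 3, 0, 0, off_str, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, 1, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, len(shdrs), 4)
    return ehdr + text + rels + shstrtab + b"".join(struct.pack(SHDR, *s) for s in shdrs)


def _cstr(data, off):
    """Read a NUL-terminated ASCII string starting at off."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_sections(data):
    """Return one dict per section header, names resolved through the section name table (e_shstrndx)."""
    ident, _, _, _, _, _, shoff, _, _, _, _, shentsize, shnum, shstrndx = struct.unpack_from(EHDR, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    raw = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = raw[shstrndx][4]                       # sh_offset of .shstrtab
    sections = []
    for name, typ, flags, addr, off, size, link, info, align, entsize in raw:
        sections.append({
            "name": _cstr(data, strtab_off + name),
            "type": SH_TYPES.get(typ, hex(typ)),
            "addr": addr, "off": off, "size": size, "es": entsize,
            "flg": "".join(ch for bit, ch in ((SHF_WRITE, "W"), (SHF_ALLOC, "A"), (SHF_EXECINSTR, "X"))
                           if flags & bit),
            "lnk": link, "inf": info, "al": align,
        })
    return sections


def parse_relocations(data):
    """Decode every Elf32_Rel entry in REL sections: symbol index = info >> 8, type = info & 0xff."""
    sections = parse_sections(data)
    out = []
    for sec in sections:
        if sec["type"] != "REL":
            continue
        for i in range(sec["size"] // sec["es"]):
            r_offset, r_info = struct.unpack_from(REL, data, sec["off"] + i * sec["es"])
            out.append({"section": sec["name"], "applies_to": sections[sec["inf"]]["name"],
                        "offset": r_offset, "sym": r_info >> 8,
                        "type": R_386_TYPES.get(r_info & 0xFF, hex(r_info & 0xFF))})
    return out


if __name__ == "__main__":
    blob = build_sample_elf()
    for s in parse_sections(blob):
        print(f"{s['name']:<10} {s['type']:<9} addr={s['addr']:#06x} off={s['off']:#06x} "
              f"size={s['size']:#06x} es={s['es']} flg={s['flg'] or '-'} al={s['al']}")
    for r in parse_relocations(blob):
        print(f"{r['section']} -> {r['applies_to']}+{r['offset']:#x}: sym {r['sym']} {r['type']}")
```

Running it prints a `readelf -S`-style row per section followed by the two Rel entries; note that `.bss` reports a non-zero Size but, being NOBITS, consumes no bytes of the file, and that the REL section's ES of 8 is what makes `size // es` the entry count.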
Line 984:

  * which point to the library/
- ==== 04. Print Flag ====
+ ==== 04. Compiler Flags ====
+
+ Use proper compiler/
+
+ <note tip>
+ It's the same flag, it's just to make sure you are able to find the flag with both formats of the ''
+ </
+
+ ==== 05. Print Flag ====
Someone has tampered with the executable file ''

Line 999 / Line 1007:

Follow the actions from the entry point in the ELF file and see at which spot the program doesn'
</
- ==== Bonus:
+
+ ==== 06. Matryoshka ====
+
+ Look carefully inside the ''
+
+ Submit the flag [[https://
+
+ ==== Bonus:
You are given a binary that was stored on a USB stick in space where it was hit by gamma rays, thus altering its content. Fortunately,

Line 1019 / Line 1034:

</
-
- === Further pwning
+ ==== Further pwning
[[http://