Library injection path error: Segfault simple_timer and simple_open #44
@Ifex370 can you give me more information about the error? Please provide me with the following information:

1. Does the segmentation fault happen when the rootkit is active, or just during the normal execution of a program? After modifying the Then, on a different terminal.
2. I need info about your Linux version. Please execute `uname -a` and `lsb_release -a` and paste the output.
Alright so it seems that the GOT hijacking technique succeeds, but the shellcode faults while running before calling the malicious library. This can be because of multiple reasons.

**Different glibc version**

Firstly, you are using Ubuntu 21.10 (I tested 21.04) which may include a different glibc version. This may lead eBPF into detecting the GOT section wrongly. Please check your glibc version (`ldd --version`) and I can tell you more information about this.

**Different library path**

Secondly, the shellcode is generated dynamically but, since it is a PoC, it is prepared to work under a specific environment. In particular, the shellcode calls the malicious library `/home/osboxes/TFG/src/helpers/injection_lib.so`, meaning that since yours is under `/home/ubuntu/Desktop/TripleCross/src/helpers/injection_lib.so`, you will need to modify the shellcode yourself (or store the malicious library under the same path as I did). Please check page 214 of the thesis document. In there, you will find the following:

That shellcode there loads the path of the library (`/home/osboxes/TFG/src/helpers/injection_lib.so`) to the heap so that it is called later. What you will have to do is modify the bytes that are getting loaded so that it corresponds to your library:

You would then load the bytes into the heap just as I did, with `mov` instructions, taking endianness into account. Taking the bytes I showed you in the screenshot before, the first instructions in your case should be the same as mine:

Then, you need to get the x86_64 assembly opcodes corresponding to these instructions, which I wrote as comments in the screenshot of the document I shared. In order to do this you can use your favorite method, I personally used nasmshell. Remember to set the 64 bits mode:

Once you have all the opcodes you must include them into the rootkit. You can find the shellcode at `src/common/constants.h`:

The highlighted part corresponds to the assembly code where we load the path of the library into the heap. That is the one you should be modifying in the end.

If your shellcode for loading the library path is larger than the original, you have to modify the constant `CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN` accordingly.
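As an added example (not TripleCross code and not from the maintainer's thesis), the following Python makes the two points of the comment above concrete: how a NUL-terminated library path decomposes into little-endian `mov r64, imm64` immediates, and, from the analyst's side, how to read such a path back out of a shellcode blob such as the one in `constants.h` to confirm which library a code-cave payload would hand to the loader. It assumes the path-loading instructions are plain `mov r64, imm64` (REX.W prefix `0x48`, opcode `0xB8` plus register number, then eight immediate bytes); the thread does not show the actual register or encoding used, and the two paths are simply the ones quoted in the comment.

```python
import struct

# x86_64 "mov r64, imm64": REX.W prefix 0x48, opcode 0xB8 + register number
# (rax..rdi), then the 64-bit immediate stored little-endian. Assumption: the
# path-loading part of the shellcode uses this instruction form.
REX_W = 0x48
MOV_IMM64_OPCODES = range(0xB8, 0xC0)

# Constructed sample values: both paths are the ones quoted in the thread.
ORIGINAL_PATH = "/home/osboxes/TFG/src/helpers/injection_lib.so"
NEW_PATH = "/home/ubuntu/Desktop/TripleCross/src/helpers/injection_lib.so"


def path_to_qwords(path: str) -> list[bytes]:
    """NUL-terminate the path and split it into 8-byte chunks (zero padded).

    Each chunk is the exact byte image the string must have in memory."""
    data = path.encode() + b"\x00"
    data += b"\x00" * (-len(data) % 8)
    return [data[i:i + 8] for i in range(0, len(data), 8)]


def qword_to_imm(chunk: bytes) -> int:
    """The integer to write as `mov rax, 0x...` so that storing rax to memory
    reproduces `chunk` byte for byte. Because x86_64 is little-endian, the
    first character of the chunk becomes the lowest byte of the immediate,
    which is why the hex constant reads "backwards" in a listing."""
    return struct.unpack("<Q", chunk)[0]


def encode_movs(path: str, reg: int = 0) -> bytes:
    """Emit one `mov r64, imm64` per chunk (constructed stand-in for the
    path-loading instructions; reg 0 = rax)."""
    out = bytearray()
    for chunk in path_to_qwords(path):
        out += bytes([REX_W, 0xB8 + reg]) + struct.pack("<Q", qword_to_imm(chunk))
    return bytes(out)


def extract_imm64_strings(code: bytes, min_len: int = 4) -> list[str]:
    """Analyst side: walk a shellcode blob, gather the immediates of consecutive
    `mov r64, imm64` instructions in memory order, and return the printable,
    NUL-separated strings they spell. This recovers the library path a
    code-cave payload will load. Linear byte scan, so treat it as a heuristic."""
    found: list[str] = []
    buf = bytearray()

    def flush() -> None:
        for piece in bytes(buf).split(b"\x00"):
            if len(piece) >= min_len and all(0x20 <= b < 0x7F for b in piece):
                found.append(piece.decode("ascii"))
        buf.clear()

    i = 0
    while i < len(code):
        if i + 10 <= len(code) and code[i] == REX_W and code[i + 1] in MOV_IMM64_OPCODES:
            buf += code[i + 2:i + 10]   # immediate bytes are already in memory order
            i += 10
        else:
            flush()                     # any other byte ends the current string run
            i += 1
    flush()
    return found


def size_delta(old_path: str, new_path: str) -> int:
    """How many more shellcode bytes the new path needs than the old one; a
    positive value means the length constant for that stage must grow."""
    return len(encode_movs(new_path)) - len(encode_movs(old_path))


if __name__ == "__main__":
    for chunk in path_to_qwords(ORIGINAL_PATH):
        print(f"mov rax, 0x{qword_to_imm(chunk):016x}   ; {chunk!r}")
    blob = b"\x90" + encode_movs(NEW_PATH) + b"\xc3"   # constructed: nop, movs, ret
    print("embedded strings:", extract_imm64_strings(blob))
    print("extra bytes needed for the new path:", size_delta(ORIGINAL_PATH, NEW_PATH))
```

`size_delta` is the check behind the last sentence of the comment: the longer Ubuntu path needs two more `mov` instructions (20 more bytes) than the original, which is exactly the amount by which a length constant such as `CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN` would have to grow. `extract_imm64_strings` is the direction a defender cares about: given a captured or committed shellcode blob, it names the library the payload points at without executing anything.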
> **Different glibc version**
> Please check your glibc version (`ldd --version`) and I can tell you more information about this.

> **Different library path**

I'm sorry, Assembly might not be my first, second, even fifth language, so you will find me struggling a bit. From the endian topics from university, I know how you got this

I'm not particularly sure as to how you arrived at this second shell code

and also generating the opcodes using nasm wasn't so good as well. Bottom line is I will retry with the exact Ubuntu version. I just want to see the exploit in action so I can study the way the system responds to it, and that is where the work begins for me.
Illegal instruction (core dumped)
- when I run `./simple_timer`

and a segmentation fault (core dumped)
- when I run `./simple_open`

I have not been able to carry out a PoC due to the above errors.

Originally posted by @Ifex370 in #40 (comment)