0pack
Description
An ELF x64 binary payload injector written in c++ using the LIEF library. Injects shellcode written in fasm as relocations into the header. Execution begins at entrypoint 0 aka the header, this confuses or downright breaks debuggers. The whole first segment is rwx, this can be mitigated at runtime through an injected payload which sets the binaries segment to just rx.
Compiler flags
The targeted binary must have following flags: gcc -m64 -fPIE -pie
Statically linking is not possible as -pie and -static are incompatible flags. Or in other terms:
-static means a statically linked executable with no dynamic
> relocations and only PT_LOAD segments. -pie means a shared library with
> dynamic relocations and PT_INTERP and PT_DYNAMIC segments.
Presentation links
HTML: https://luis-hebendanz.github.io/0pack/
PDF: https://github.com/Luis-Hebendanz/0pack/raw/master/0pack-presentation.pdf
Video: https://github.com/Luis-Hebendanz/0pack/raw/master/html/showcase_video.webm
Debugger behaviour
Debuggers don't generally like 0 as the entrypoint and oftentimes it is impossible to set breakpoints at the header area.
Another often occured issue is that the entry0 label gets set incorrectly to the main label.
Which means the attacker can purposely mislead the reverse engineer into reverse engineering fake code by jumping over the main method.
Executing db entry0
in radare2 has this behaviour.
Affected debuggers
- radare2
- Hopper
- gdb
- IDA Pro --> Not tested
0pack help
Injects shellcode as relocations into an ELF binary
Usage:
0pack [OPTION...]
-d, --debug Enable debugging
-i, --input arg Input file path. Required.
-p, --payload arg Fasm payload path.
-b, --bin_payload arg Binary payload path.
-o, --output arg Output file path. Required.
-s, --strip Strip the binary. Optional.
-b, --bin_payload
The bin_payload
option reads a binary file and converts it to ELF relocations.
0pack appends to the binary payload a jmp to the original entrypoint.
-p, --payload
Needs a fasm payload, 0pack prepends and appends a "push/pop all registers" and a jmp to the original entrypoint to the payload.
Remarks
Altough I used the LIEF library to accomplish this task, I wouldn't encourage to use it. It is very inconsistent and intransparant in what it is doing. Often times the library is downright broken. I did not find a working library for x64 PIE enabled ELF binaries. If someone has suggestions, feel free to email me on: [email protected]
Dependencies
- cmake version 3.12.2 or higher
- build-essential
- gcc
- fasm
Use build script
$ ./build.sh
Build it manually
$ mkdir build
$ cd build
$ cmake ..
$ make
$ ./../main.elf