
I'm reading the practical-binary-analysis book about binary analysis, but at chapter 7, "SIMPLE CODE INJECTION TECHNIQUES FOR ELF", I learned about hex-editing a binary and injecting a code section into it. There is a tool named elfinject; I compiled it in the code/chapter7/ directory with the command

sudo apt install libelf-dev && make elfinject

After that I copied my ls binary with the command

cp /bin/ls ls.entry

Then I figured out the entry point of the binary, which was 0x67d0 (maybe different for you):

readelf -h ls.entry

After that I replaced the entry point with the one I found with readelf in hello.s:

push 0x67d0

OK, after this I compiled hello.s with the command

nasm -fbin -o hello.bin hello.s

Now I injected it into the ls.entry binary with the command

./elfinject ls.entry hello.bin ".injected" 0x800000 0

But in the output it segfaults after printing the hello world message. I'm not a noob; I just explained everything to make things clear. I also tried gdb but it didn't work either. Also, can you elaborate on PT_NOTE segment overriding in a bit of detail?

  • Why do you expect that injecting a `push` instruction on its own would do anything? Messing up the stack seems likely to cause a segfault. Also note that your `ls` is a PIE executable that gets ASLRed to a random base address every time you run it. `0x67d0` is just the address relative to a base of `0` or `0x1000`, not a real absolute address. The real address will be `0x555...something`, as you can see in GDB. – Peter Cordes Jun 08 '20 at 14:47
  • Well then why is it added to the book if it's not going to work? – Ronny Jun 08 '20 at 14:52
  • Is that one `push` instruction not the only instruction in `hello.s`? I thought it was the first time I read your question, but I think you're saying there was a whole example and you're only showing 1 line of it. Probably it breaks because the book was written for non-PIE executables where `readelf` could give you actual absolute addresses. Position-Independent Executables are new in the last few years, and only enabled by default in distros in the last 2 or 3. – Peter Cordes Jun 08 '20 at 15:01
  • I attached a tar.gz; in it there's chapter7 and the example lies there – Ronny Jun 08 '20 at 15:07
  • Can you post an answer with it? I mean, explain a bit about section injecting and I will accept the answer – Ronny Jun 09 '20 at 05:31
  • I don't really know anything about section injection, only that the payload you're injecting won't work in a PIE if it depends on hard-coding an absolute address. Related: [32-bit absolute addresses no longer allowed in x86-64 Linux?](https://stackoverflow.com/q/43367427). (But remember you're generating machine code separately, without relocations). If you want to answer your own question, that would be fine, otherwise probably best to wait for someone to answer who knows what this tool does. – Peter Cordes Jun 09 '20 at 05:32

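As an added example (not from the question, the book, or the elfinject tool), here is a small ELF64 header parser that shows the point made in the comments: for an ET_DYN (PIE) file, e_entry is an offset from a load base chosen at run time, so a hard-coded `0x67d0` has to be added to that base to become a real address, while for ET_EXEC it already is absolute. It also counts PT_NOTE program headers, the segment type the chapter's technique repurposes. The sample ELF headers are constructed inside the script.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values: fixed-address executable vs. PIE/shared object
PT_LOAD, PT_NOTE = 1, 4         # program header types
EHDR_FMT = "<HHIQQQIHHHHHH"     # ELF64 e_type .. e_shstrndx (48 bytes after the 16-byte e_ident)
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header (56 bytes)

def parse_elf64(data: bytes) -> dict:
    """Parse the ELF64 file header and its program header table from raw bytes."""
    if data[:4] != ELF_MAGIC or data[4] != 2:        # e_ident[EI_CLASS] == ELFCLASS64
        raise ValueError("not an ELF64 file")
    (e_type, _, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, _, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "vaddr": p_vaddr, "memsz": p_memsz})
    return {"type": e_type, "entry": e_entry, "phdrs": phdrs}

def entry_report(data: bytes) -> dict:
    """Say whether e_entry can be used as an absolute address as-is."""
    hdr = parse_elf64(data)
    is_pie = hdr["type"] == ET_DYN
    return {
        "pie": is_pie,
        "entry": hdr["entry"],
        "entry_is_relative": is_pie,   # ET_DYN: e_entry is relative to the load base
        "note_segments": sum(1 for p in hdr["phdrs"] if p["type"] == PT_NOTE),
    }

def runtime_entry(data: bytes, load_base: int) -> int:
    """Address the original entry point actually has once the file is mapped.
    load_base is the base chosen by the loader (e.g. the 0x555... value seen in gdb)."""
    r = entry_report(data)
    return r["entry"] + load_base if r["entry_is_relative"] else r["entry"]

def make_sample_elf(e_type: int, entry: int, ptypes) -> bytes:
    """Construct a minimal ELF64 header plus program headers (constructed test input,
    not a loadable binary: x86-64 machine type, table right after the header)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 0x3E, 1, entry, 64, 0, 0,
                               64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return ehdr + phdrs

if __name__ == "__main__":
    pie = make_sample_elf(ET_DYN, 0x67D0, [PT_LOAD, PT_NOTE])
    print(entry_report(pie), hex(runtime_entry(pie, 0x555555554000)))
```

Running the same parser over the real `ls.entry` (`open("ls.entry", "rb").read()`) tells you whether the value `readelf -h` printed is absolute or still needs a base added.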