
How can I call libc functions from positionally independent shellcode

Thread replies: 9
Thread images: 1

File: 2017-03-28-144019_945x1039_scrot.png (128KB, 945x1039px)
How can I call libc functions from positionally independent shellcode in Linux?

In Windows, the address of the PEB is located at an offset from the FS register, so no high-level calls are required to get it. In the PEB, you can find the base address of all of the loaded DLLs. Of these DLLs, kernel32.dll holds the GetProcAddress and LoadLibrary/GetModuleHandle functions, which can be used to resolve other functions.

I'm trying to do something similar for Linux. How can I call dlopen/dlsym/dlclose from standalone shellcode?
>>
The best I've come up with is to read /usr/lib/libdl.so into memory, perform the relocations, and find it within there. I have some POC but it's not positionally independent and it even uses dlopen.

At this point, I'd settle for finding the base address of libc or libdl (preferably without reading /proc/[pid]/mem).
>>
>>59626248
Nobody here understands a word of what you said.

Make a thread about phones.
>>
>>59626368
Someone knows. Any basic Windows malware dev/analyst should know exactly what I'm talking about with the Windows section. I'm just hoping one of those people also knows a bit about Linux...
>>
>>59626393
Not a malware dev, but I'm a software developer. People here are on entry-level shit, pretty much; they wouldn't be able to tell you how to make a 2D dynamic string array in C, LEL.
>>
Maybe scan memory for a byte match. Get the first n bytes of some known function from compiled kernel source, scan for it, and later use it as an offset.
>>
>>59626499
I meant libc, not kernel.
>>
>>59626499
Neat concept. Not a terrible idea, but it may be somewhat unreliable since I'm not sure how often certain functions change. I assume not very often, but still.

I'm also curious as to what the FS and GS registers are used for in Linux.

This SO answer is pretty interesting, but I can't really find a ton of information on it:
http://stackoverflow.com/questions/6611346/how-are-the-fs-gs-registers-used-in-linux-amd64
>>
>>59626560
https://github.com/lattera/glibc/blob/master/dlfcn/dlopen.c
For example, dlopen looks really old. The license has 2005 as the last date. That code probably hasn't changed much for a long time.

FS/GS: I don't know what they are for, but you could try reading them from your test program and see what values they hold. See if they are pointing somewhere in the loaded libc range. Any stable pointer to libc code can be useful.