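###################################################
#                                                 #
#  FLE-ELFcorrupt.s                               #
#                                                 #
#  Just a lame ELF crasher... It replaces the     #
#  magic number 0x7f'ELF' by 0x7f'FLE' and        #
#  obviously the binary goes to hell.             #
#                                                 #
#  $as FLE-ELFcorrupt.s -o FLE-ELFcorrupt.o       #
#  $ld FLE-ELFcorrupt.o -o FLE-ELFcorrupt         #
#  $./anyelf                                      #
#  Hello World                                    #
#  $./FLE-ELFcorrupt ./anyelf                     #
#  $./anyelf                                      #
#  Cannot execute                                 #
#                                                 #
#  nitrous[at]conthackto[dot]com[dot]mx           #
#  29/11/2005                                     #
###################################################
#
# Target / ABI: Linux i386, raw int $0x80 syscalls, GAS AT&T syntax.
#
# What it does, and what it does not do:
#   * Only the first four bytes of the target are touched (the e_ident
#     magic); every other byte of the file is left as it was.  The change
#     is therefore trivial to spot (file(1)/readelf no longer recognise
#     the file, any stored hash no longer matches) and trivial to undo by
#     writing 0x7f 'E' 'L' 'F' back at offset 0.
#   * The target is opened O_RDWR, so the caller needs write permission
#     on the file; ordinary DAC permissions are the whole defence here.
#   * No backup copy is made.
#
# Exit status: 0 when the magic was rewritten, 1 on any error
# (no argument, open() failed, not an ELF file, write() failed).
#
# Register roles inside _start:
#   %esi = argv[1] (path)        %edi = open file descriptor
#   %ebp = pending exit status   %eax/%ebx/%ecx/%edx = syscall nr/args
#

        .equ    STDIN,        0
        .equ    STDOUT,       1
        .equ    STDERR,       2

        .equ    SYS_EXIT,     1
        .equ    SYS_READ,     3
        .equ    SYS_WRITE,    4
        .equ    SYS_OPEN,     5
        .equ    SYS_CLOSE,    6
        .equ    SYS_LSEEK,    19

        .equ    O_RDWR,       2
        .equ    SEEK_SET,     0
        .equ    NULL,         0x00000000

        .equ    EXIT_SUCCESS, 0
        .equ    EXIT_FAILURE, 1

        .equ    MAGIC_LEN,    4           # bytes of e_ident we read/write
        .equ    MAGIC_YEAH,   0x464c457f  # 0x7f 'E' 'L' 'F', little-endian dword
        .equ    MAGIC_HELL,   0x454c467f  # 0x7f 'F' 'L' 'E', little-endian dword

#-------------------------------------------------------------------
# Read-only message strings.  Lengths are computed by the assembler so
# the text can be edited without touching the syscall arguments.
#-------------------------------------------------------------------
        .section .rodata

NOARG:          .ascii  "I need an ELF file as argument\n"
LENNOARG        = . - NOARG

ERROPEN:        .ascii  "Cannot open() file\n"
LENERROPEN      = . - ERROPEN

NOELF:          .ascii  "This is not an ELF file\n"
LENNOELF        = . - NOELF

ERRWRITE:       .ascii  "Cannot write() file\n"
LENERRWRITE     = . - ERRWRITE

INF:            .ascii  "Changed \"ELF\" to \"FLE\" hehehe }:-)\nBy -=[nITROUs]=-\n"
LENINF          = . - INF

#-------------------------------------------------------------------
# Program entry.  On entry (%esp) = argc, 4(%esp) = argv[0],
# 8(%esp) = argv[1] (NULL when no argument was given).
#-------------------------------------------------------------------
        .section .text
        .globl  _start

_start:
        movl    8(%esp), %esi           # esi = argv[1]
        testl   %esi, %esi
        jz      usage                   # if (argv[1] == NULL) goto usage;

        # fd = open(argv[1], O_RDWR)
        # Full 32-bit moves are used for syscall numbers and fds throughout:
        # a byte move into %al/%bl would inherit whatever the previous
        # syscall left in the upper bits (e.g. a negative -errno return).
        movl    $SYS_OPEN, %eax
        movl    %esi, %ebx
        movl    $O_RDWR, %ecx
        xorl    %edx, %edx              # mode unused without O_CREAT; keep it defined
        int     $0x80
        testl   %eax, %eax
        js      erropen                 # negative return == -errno
        movl    %eax, %edi              # edi = fd

        # Reserve a private 4-byte slot for the magic instead of
        # overwriting argc in place at (%esp).
        subl    $MAGIC_LEN, %esp

        # n = read(fd, slot, 4)
        movl    $SYS_READ, %eax
        movl    %edi, %ebx
        movl    %esp, %ecx
        movl    $MAGIC_LEN, %edx
        int     $0x80
        cmpl    $MAGIC_LEN, %eax
        jne     notelf                  # short read or error: cannot be ELF
        cmpl    $MAGIC_YEAH, (%esp)
        jne     notelf                  # if (*slot != 0x7f'ELF') goto notelf;

infect:
        # lseek(fd, 0, SEEK_SET)
        movl    $SYS_LSEEK, %eax
        movl    %edi, %ebx
        xorl    %ecx, %ecx
        movl    $SEEK_SET, %edx
        int     $0x80
        testl   %eax, %eax
        js      errwrite                # could not reposition: treat as write failure

        # write(fd, &MAGIC_HELL, 4) -- the only modification made to the file
        movl    $MAGIC_HELL, (%esp)
        movl    $SYS_WRITE, %eax
        movl    %edi, %ebx
        movl    %esp, %ecx
        movl    $MAGIC_LEN, %edx
        int     $0x80
        cmpl    $MAGIC_LEN, %eax
        jne     errwrite                # only claim success once the bytes are on disk

        # write(STDOUT, INF, LENINF)
        movl    $SYS_WRITE, %eax
        movl    $STDOUT, %ebx
        movl    $INF, %ecx
        movl    $LENINF, %edx
        int     $0x80
        movl    $EXIT_SUCCESS, %ebp
        jmp     closefile

errwrite:
        # write(STDERR, ERRWRITE, LENERRWRITE)
        movl    $SYS_WRITE, %eax
        movl    $STDERR, %ebx
        movl    $ERRWRITE, %ecx
        movl    $LENERRWRITE, %edx
        int     $0x80
        movl    $EXIT_FAILURE, %ebp
        jmp     closefile

notelf:
        # write(STDERR, NOELF, LENNOELF)
        movl    $SYS_WRITE, %eax
        movl    $STDERR, %ebx
        movl    $NOELF, %ecx
        movl    $LENNOELF, %edx
        int     $0x80
        movl    $EXIT_FAILURE, %ebp

closefile:
        # close(fd); the pending status in %ebp becomes the exit code
        movl    $SYS_CLOSE, %eax
        movl    %edi, %ebx
        int     $0x80
        movl    %ebp, %ebx
        jmp     exit

usage:
        # write(STDERR, NOARG, LENNOARG)
        movl    $SYS_WRITE, %eax
        movl    $STDERR, %ebx
        movl    $NOARG, %ecx
        movl    $LENNOARG, %edx
        int     $0x80
        jmp     fail

erropen:
        # write(STDERR, ERROPEN, LENERROPEN)
        movl    $SYS_WRITE, %eax
        movl    $STDERR, %ebx
        movl    $ERROPEN, %ecx
        movl    $LENERROPEN, %edx
        int     $0x80

fail:
        movl    $EXIT_FAILURE, %ebx

exit:
        # exit(ebx)
        movl    $SYS_EXIT, %eax
        int     $0x80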