
ELFXtract is an automated analysis tool used for enumerating ELF binaries

Powered by Radare2 and r2ghidra

It is specially developed for PWN challenges and has many automated options

It displays almost every detail of the ELF and also decompiles its ASM to C code using r2ghidra

Decompiling ELFs in Ghidra takes more time, but elfxtract decompiles and displays the result in a few seconds

Options in ELFXtract

  1. File info
  2. Shared object dependency details
  3. ELF Security Mitigation details / Checksec
  4. String details
  5. Header memory map
  6. ROP gadgets
  7. PLT Table
  8. GOT Table
  9. Function Table
  10. ASM code of functions
  11. Decompiled code of functions
  12. Predicting possible vulnerable functions

Installation

git clone https://github.com/AidenPearce369/elfxtract
cd elfxtract
chmod +x install.sh
./install.sh
pip install -r requirements.txt

Usage

You can run elfxtract with any ELF along with -a to list all details from the ELF


[email protected]:~/elfxtract$ python3 main.py --file programvuln -a

_____ _ ________ ___ _
| ___| | | ___ / / | | |
| |__ | | | |_ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / | __| '__/ _` |/ __| __|
| |___| |____| | / /^ |_| | | (_| | (__| |_
____/_____/_| / /__|_| __,_|___|__|

@aidenpearce369

***************************************************************************

> FILE INFO :

ELF Name : programvuln
ELF Type : ELF 64-bit LSB shared object
ELF Arch : x86-64
ELF SHA1 Hash : BuildID[sha1]=cf149d97ad1e895561080b1f5c317bc5bc1e8652

This binary is dynamically linked & not stripped

***************************************************************************

> SHARED OBJECT DEPENDENCY :

linux-vdso.so.1 (0x00007ffd525a4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd610d93000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd610fa1000)

***************************************************************************

> ELF SECURITY MITIGATIONS :

RELRO : Full RELRO
STACK CANARY : No Canary found
NX BIT : NX disabled
PIE : PIE enabled
RPATH : No RPATH
RUNPATH : No RUNPATH

***************************************************************************

> POSSIBLE STRINGS :

nth paddr      vaddr      len size section type  string
---------------------------------------------------------------------
0   0x00002008 0x00002008 31  32   .rodata ascii You have bypassed this function
1   0x00002028 0x00002028 12  13   .rodata ascii cat flag.txt
2   0x00002035 0x00002035 15  16   .rodata ascii Enter your name
3   0x00002045 0x00002045 13  14   .rodata ascii Your name is

***************************************************************************

> RODATA HEXDUMP :

0x00002000 01000200 00000000 596f7520 68617665 ........You have
0x00002010 20627970 61737365 64207468 69732066  bypassed this f
0x00002020 756e6374 696f6e00 63617420 666c6167 unction.cat flag
0x00002030 2e747874 00456e74 65722079 6f757220 .txt.Enter your
0x00002040 6e616d65 00596f75 72206e61 6d652069 name.Your name i
0x00002050 732000                              s .


***************************************************************************

> ELF ENTRY POINT :

The entry point of the ELF is at 0x10c0

***************************************************************************

> HEADER MEMORY MAP :

Sort Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000006a8 0x00000000000006a8 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x00000000000002b5 0x00000000000002b5 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x00000000000001c8 0x00000000000001c8 R 0x1000
LOAD 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000270 0x0000000000000278 RW 0x1000
DYNAMIC 0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002054 0x0000000000002054 0x0000000000002054
0x000000000000004c 0x000000000000004c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000260 0x0000000000000260 R 0x1

***************************************************************************
[*] Loaded 14 cached items for 'programvuln'

> ROP GADGETS :

0x1017 : add esp, 8;ret
0x1016 : add rsp, 8;ret
0x1221 : leave;ret
0x128c : pop r12;pop r13;pop r14;pop r15;ret
0x128e : pop r13;pop r14;pop r15;ret
0x1290 : pop r14;pop r15;ret
0x1292 : pop r15;ret
0x128b : pop rbp;pop r12;pop r13;pop r14;pop r15;ret
0x128f : pop rbp;pop r14;pop r15;ret
0x1193 : pop rbp;ret
0x1293 : pop rdi;ret
0x1291 : pop rsi;pop r15;ret
0x128d : pop rsp;pop r13;pop r14;pop r15;ret
0x101a : ret

***************************************************************************

> PLT TABLE :

__cxa_finalize : 0x1074
puts : 0x1084
system : 0x1094
printf : 0x10a4
gets : 0x10b4

***************************************************************************

> GOT TABLE :

_ITM_deregisterTMCloneTable : 0x3fd8
__libc_start_main : 0x3fe0
__gmon_start__ : 0x3fe8
_ITM_registerTMCloneTable : 0x3ff0
__cxa_finalize : 0x3ff8
puts : 0x3fb8
system : 0x3fc0
printf : 0x3fc8
gets : 0x3fd0

***************************************************************************

> FUNCTION TABLE :

__libc_csu_fini : 0x12a0
__libc_csu_init : 0x1230
win : 0x11a9
_start : 0x10c0
main : 0x11d6

***************************************************************************

> POSSIBLE USER DEFINED FUNCTIONS :

win : 0x11a9
main : 0x11d6

***************************************************************************

> ASSEMBLY AND DECOMPILED CODE :


[*] ASM - win :

┌ 45: sym.win ();
│ 0x000011a9 f30f1efa endbr64
│ 0x000011ad 55 push rbp
│ 0x000011ae 4889e5 mov rbp, rsp
│ 0x000011b1 488d3d500e00. lea rdi, str.You_have_bypassed_this_function ; 0x2008 ; "You have bypassed this function" ; const char *format
│ 0x000011b8 b800000000 mov eax, 0
│ 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
│ 0x000011c2 488d3d5f0e00. lea rdi, str.cat_flag.txt ; 0x2028 ; "cat flag.txt" ; const char *string
│ 0x000011c9 b800000000 mov eax, 0
│ 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)
│ 0x000011d3 90 nop
│ 0x000011d4 5d pop rbp
└ 0x000011d5 c3 ret

[*] DECOMPILED CODE - win :

void sym.win(void)

{
sym.imp.printf("You have bypassed this function");
sym.imp.system("cat flag.txt");
return;
}

[*] ASM - main :

; DATA XREF from entry0 @ 0x10e1
┌ 77: int main (int argc, char **argv, char **envp);
│ ; var char *s @ rbp-0x40
│ 0x000011d6 f30f1efa endbr64
│ 0x000011da 55 push rbp
│ 0x000011db 4889e5 mov rbp, rsp
│ 0x000011de 4883ec40 sub rsp, 0x40
│ 0x000011e2 488d3d4c0e00. lea rdi, str.Enter_your_name ; 0x2035 ; "Enter your name" ; const char *s
│ 0x000011e9 e892feffff call sym.imp.puts ; int puts(const char *s)
│ 0x000011ee 488d45c0 lea rax, [s]
│ 0x000011f2 4889c7 mov rdi, rax ; char *s
│ 0x000011f5 b800000000 mov eax, 0
│ 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)
│ 0x000011ff 488d3d3f0e00. lea rdi, str.Your_name_is_ ; 0x2045 ; "Your name is " ; const char *format
│ 0x00001206 b800000000 mov eax, 0
│ 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)
│ 0x00001210 488d45c0 lea rax, [s]
│ 0x00001214 4889c7 mov rdi, rax ; const char *s
│ 0x00001217 e864feffff call sym.imp.puts ; int puts(const char *s)
│ 0x0000121c b800000000 mov eax, 0
│ 0x00001221 c9 leave
└ 0x00001222 c3 ret

[*] DECOMPILED CODE - main :

// WARNING: [r2ghidra] Failed to match type char * for variable s to Decompiler type:

undefined8 main(void)

{
undefined8 s;

sym.imp.puts("Enter your name");
sym.imp.gets(&s);
sym.imp.printf("Your name is ");
sym.imp.puts(&s);
return 0;
}

***************************************************************************

> VULNERABLE FUNCTIONS :

Possible vulnerable locations - Command Execution

0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)

Possible vulnerable locations - Format String

0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)

Possible vulnerable locations - Buffer Overflow

0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)


***************************************************************************
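The ELF SECURITY MITIGATIONS verdicts above are read straight off the program headers shown in the HEADER MEMORY MAP: the RWE flags on the GNU_STACK row give "NX disabled", the GNU_RELRO row together with BIND_NOW in the dynamic section gives "Full RELRO", and an ELF type of shared object gives "PIE enabled". The following is an added example, not part of elfxtract, that reproduces that derivation in plain Python over a constructed ELF64 image; checksec and build_test_elf are names chosen here.

```python
import struct

# ELF64 constants as defined in elf.h (System V ABI)
ET_DYN, PF_X = 3, 1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def checksec(elf: bytes) -> dict:
    """Derive the RELRO / NX / PIE verdicts from an ELF64 image's program headers and dynamic section."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("expected a 64-bit ELF")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    stack_flags, has_relro, bind_now = None, False, False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # the GNU_STACK row of the header map: RWE means NX is off
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:    # the GNU_RELRO row: GOT is made read-only after relocation
            has_relro = True
        elif p_type == PT_DYNAMIC:      # BIND_NOW in the dynamic section upgrades partial to full RELRO
            for pos in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, pos)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    relro = "Full RELRO" if has_relro and bind_now else "Partial RELRO" if has_relro else "No RELRO"
    nx = stack_flags is not None and not stack_flags & PF_X   # no GNU_STACK header => executable stack
    return {"RELRO": relro, "NX": "NX enabled" if nx else "NX disabled",
            "PIE": "PIE enabled" if e_type == ET_DYN else "No PIE"}


def build_test_elf(stack_exec: bool, pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed ELF64 image (headers plus a dynamic section, no code) for exercising checksec()."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    n_ph = 3 if relro else 2
    dyn_off = 64 + 56 * n_ph            # the dynamic section follows the ELF header and program headers
    phdrs = [(PT_DYNAMIC, 6, dyn_off, len(dyn)), (PT_GNU_STACK, 7 if stack_exec else 6, 0, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8) for t, f, off, sz in phdrs)
    return ehdr + body + dyn
```

Calling checksec(build_test_elf(True, True, True, True)) reproduces the programvuln combination above (Full RELRO, NX disabled, PIE enabled); pointing checksec at the bytes of a real binary works the same way.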

You can also pass arguments and get the information according to your needs,

[email protected]:~/elfxtract$ python3 main.py -h

_____ _ ________ ___ _
| ___| | | ___ / / | | |
| |__ | | | |_ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / | __| '__/ _` |/ __| __|
| |___| |____| | / /^ |_| | | (_| | (__| |_
____/_____/_| / /__|_| __,_|___|__|

@aidenpearce369

***************************************************************************
usage: main.py [-h] -f FILE [-a] [-i] [-g] [--user-func] [--get-func GET_FUNC] [--asm-only]
[--decompiled-only] [-t]

optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE Path of the ELF
-a, --all Extract all information
-i, --info Shows basic information
-g, --gadgets Shows gadgets
--user-func Shows the details of user defined functions
--get-func GET_FUNC Shows the ASM & decompiled code of the given function
--asm-only Shows the ASM of ELF
--decompiled-only Shows the decompiled C code of ELF
-t, --tables Shows PLT, GOT & Function table

Updates

elfxtract is mainly developed for parsing PWN binaries,

Soon, new options to analyse system binaries will be added

And also, auto-BOF and auto-ret2 exploit options will be added
