new, much smaller, elf template

git-svn-id: file:///home/svn/framework3/trunk@8448 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-11 02:31:36 +00:00 · 2010-02-11 02:31:36 +00:00 · 2f4ab39712
parent 13f837c340
commit 2f4ab39712
3 changed files with 51 additions and 3 deletions
--- a/data/templates/elf_template.s
+++ b/data/templates/elf_template.s
@ -0,0 +1,40 @@
+; build with:
+;   nasm elf_template.s -f bin -o template_x86_linux.bin
+
+BITS 32
+
+org 0x08048000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    3                        ;   e_machine
+  dd    1                        ;   e_version
+  dd    _start                   ;   e_entry
+  dd    phdr - $$                ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    0                        ;   p_offset
+  dd    $$                       ;   p_vaddr
+  dd    $$                       ;   p_paddr
+  dd    0xDEADBEEF               ;   p_filesz
+  dd    0xDEADBEEF               ;   p_memsz
+  dd    7                        ;   p_flags      = rwx
+  dd    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
+
--- a/data/templates/template_x86_linux.bin
+++ b/data/templates/template_x86_linux.bin
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@ -310,10 +310,18 @@ require 'metasm'
 		mo = fd.read(fd.stat.size)
 		fd.close

-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+		# The old way to do it is like other formats, just overwrite a big
+		# block of rwx mem with our shellcode.
+		#bo = mo.index( "\x90\x90\x90\x90" * 1024 )
+		#co = mo.index( " " * 512 )
+		#mo[bo, 2048] = [code].pack('a2048') if bo

-		mo[bo, 2048] = [code].pack('a2048') if bo
+		# The new template is just an ELF header with its entry point set to
+		# the end of the file, so just append shellcode to it and fixup
+		# p_filesz and p_memsz in the header for a working ELF executable.
+		mo << code
+		mo[0x44,4] = [mo.length + code.length].pack('V')
+		mo[0x48,4] = [mo.length + code.length].pack('V')

 		return mo
 	end