
I am currently working on an ELF injector and my approach is standard: find a code cave (a long enough run of zero bytes), overwrite it with the instructions I want to execute, and then jump back to the start of the original program so it executes as it normally would.



*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Meizu/MeizuE3_CN/MeizuE3:7.1.1/NGI77B/1578882816:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 14576, tid: 14576, name: load_lib.so  >>> ./load_lib.so <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x14608
    r0 000775bd  r1 00000002  r2 00014608  r3 0000000a
    r4 f2d62279  r5 f28bfcc0  r6 f2d04a90  r7 0000000a
    r8 f2d62279  r9 f2d725f0  sl f2d62268  fp ffc08818
    ip 00000000  sp ffc08818  lr f28bfce0  pc 00014608  cpsr 800e0010
    d0  0000000000000000  d1  0000000000000000
    d2  0000000000000000  d3  0000000000000000
    d4  0000000000000000  d5  0000000000000000
    d6  0000000000000000  d7  0000000000000000
    d8  0000000000000000  d9  0000000000000000
    d10 0000000000000000  d11 0000000000000000
    d12 0000000000000000  d13 0000000000000000
    d14 0000000000000000  d15 0000000000000000
    d16 0000001ff2c72000  d17 0000000000000000
    d18 0000000000002a98  d19 0000000000001080
    d20 0000000000000000  d21 0000000000000000
    d22 0000000000000000  d23 0000000000000000
    d24 0000000000000000  d25 0000000000000000
    d26 0000000000000000  d27 0000000000000000
    d28 0000000000000000  d29 0000000000000000
    d30 0000000000000000  d31 0000000000000000
    scr 80000000

backtrace:
    #00 pc 00014608  <unknown>
    #01 pc 00074cdc  /data/local/tmp/libc.so

stack:
         ffc087d8  f2d01370  [anon:linker_alloc]
         ffc087dc  f2cff040  [anon:linker_alloc]
         ffc087e0  00000000
         ffc087e4  00000002
         ffc087e8  f2c77010
         ffc087ec  00000001
         ffc087f0  3f800000
         ffc087f4  00000000
         ffc087f8  f2d03d40  [anon:linker_alloc_small_objects]
         ffc087fc  f2d03d40  [anon:linker_alloc_small_objects]
         ffc08800  f2d03d48  [anon:linker_alloc_small_objects]
         ffc08804  ffc08878  [stack]
         ffc08808  f2d04010  [anon:linker_alloc]
         ffc0880c  f2d72010
         ffc08810  f2d03d20  [anon:linker_alloc_small_objects]
         ffc08814  f2d03d20  [anon:linker_alloc_small_objects]
    #00  ffc08818  f2d04a90  [anon:linker_alloc]
         ........  ........
    #01  ffc08818  f2d04a90  [anon:linker_alloc]
         ffc0881c  f2d127e3  /system/bin/linker (__dl__ZN6soinfo13call_functionEPKcPFvvE+86)
         ffc08820  00000000
         ffc08824  f2d01220  [anon:linker_alloc]
         ffc08828  00000001
         ffc0882c  00000001
         ffc08830  f28d0de0  /data/local/tmp/libc.so
         ffc08834  f2d12703  /system/bin/linker (__dl__ZN6soinfo10call_arrayEPKcPPFvvEjb+190)
         ffc08838  00000000
         ffc0883c  00000000
         ffc08840  00000000
         ffc08844  f2d721d0
         ffc08848  f2d62345  /system/bin/linker
         ffc0884c  f2d04a90  [anon:linker_alloc]
         ffc08850  00000000
         ffc08854  f2d721d0
//my shellcode
// Injected .init_array constructor for libc.so, ARM (A32) mode. Intended behaviour:
//   dlopen(path, 2); __libc_preinit(); return to the caller.
// Every call/data target below is a link-time (file) address, so the code can only
// work if the library is mapped at base 0. The tombstone above shows it is not:
// lr = f28bfce0 is the return address of the `blx r2` at file offset 0x74cdc
// (return point 0x74ce0), i.e. the library is mapped at 0xf284b000, and the fault
// addr 0x14608 is the unrelocated dlopen-thunk address still sitting in r2.
// These addresses have to be formed PC-relative (the dlopen thunk itself uses ADRL).
e92d4800    push    {fp, lr}            ; save frame pointer and return address
e1a0b00d    mov fp, sp
e3042608    movw    r2, #17928  ; 0x4608 — low half of the dlopen PLT thunk address
e3402001    movt    r2, #1      ; r2 = 0x00014608: absolute, not PC-relative
e30705bd    movw    r0, #30141  ; 0x75bd — low half of the path-string address
e3400007    movt    r0, #7      ; r0 = 0x000775bd (matches r0 in the dump): absolute as well
e3a01002    mov r1, #2          ; mode = 2 (presumably RTLD_NOW — confirm against this libc's headers)
e12fff32    blx r2              ; dlopen(path, mode) — faults here: pc = r2 = 0x14608 (unmapped)
e3060e45    movw    r0, #28229  ; 0x6e45 — low half of __libc_preinit, Thumb bit set
e3400001    movt    r0, #1      ; r0 = 0x00016e45: same absolute-address problem, will fail once the dlopen call is fixed
e12fff30    blx r0              ; __libc_preinit()
e8bd8800    pop {fp, pc}        ; return to the linker (soinfo::call_function is on the stack in the dump)
.init_array:00085DE0 ; ELF Initialization Function Table
.init_array:00085DE0 ; ===========================================================================
.init_array:00085DE0
.init_array:00085DE0 ; Segment type: Pure data
.init_array:00085DE0                 AREA .init_array, DATA
.init_array:00085DE0                 ; ORG 0x85DE0
.init_array:00085DE0 off_85DE0       DCD __start_ae          ; DATA XREF: LOAD:off_9C↑o
.init_array:00085DE0                                         ; LOAD:off_15C↑o
.init_array:00085DE4                 DCD sub_74CC0 ;<---my shellcode: injected entry, run by the dynamic linker like any other constructor (soinfo::call_array/call_function appear in the dump's stack); ARM mode, hence no +1 Thumb bit unlike the entries below
.init_array:00085DE8                 DCD _GLOBAL__sub_I_libgen.cpp+1
.init_array:00085DEC                 DCD _GLOBAL__sub_I_mntent.cpp+1
.init_array:00085DF0                 DCD _GLOBAL__sub_I_pty.cpp+1
.init_array:00085DF4                 DCD _GLOBAL__sub_I_strerror.cpp+1
.init_array:00085DF8                 DCD _GLOBAL__sub_I_strsignal.cpp+1
.init_array:00085DFC                 DCD _GLOBAL__sub_I_stubs.cpp+1
.init_array:00085E00                 DCD __res_key_init+1
.init_array:00085E04                 DCD jemalloc_constructor+1
.init_array:00085E04 ; .init_array   ends
.init_array:00085E04
.text:00074CC0 sub_74CC0                               ; DATA XREF: .init_array:00085DE4↓o
.text:00074CC0                                         ; injected constructor: dlopen(aSLibomegaSo+4, 2), then __libc_preinit(); every address it uses is a link-time value
.text:00074CC0                 STMFD           SP!, {R11,LR}
.text:00074CC4                 MOV             R11, SP
.text:00074CC8                 MOV             R2, #0x14608 ; absolute address of the dlopen PLT thunk (.plt:00014608); only valid at load base 0 — must be PC-relative in a relocated library
.text:00074CD0                 MOV             R0, #(aSLibomegaSo+4) ; file — likewise an absolute pointer to the path string (0x775BD, the r0 seen in the dump)
.text:00074CD8                 MOV             R1, #2  ; mode
.text:00074CDC                 BLX             R2      ; dlopen;<---When the code runs here , got signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x14608 — pc took the unrelocated value in R2; lr f28bfce0 vs. return point 0x74CE0 puts the actual load base at 0xf284b000
.text:00074CE0                 MOV             R0, #0x16E45 ; absolute address of __libc_preinit (low bit = Thumb); wrong for the same reason, so it needs the same PC-relative fix
.text:00074CE8                 BLX             R0      ; __libc_preinit(void)
.text:00074CEC                 LDMFD           SP!, {R11,PC}
.text:00074CEC ; End of function sub_74CC0
.text:00074CEC
.plt:00014608
.plt:00014608 ; =============== S U B R O U T I N E =======================================
.plt:00014608
.plt:00014608 ; Attributes: thunk
.plt:00014608
.plt:00014608 ; void *dlopen(const char *file, int mode)
.plt:00014608 dlopen                                  ; CODE XREF: __libc_init_malloc(libc_globals *)+84↓p
.plt:00014608                                         ; netdClientInitImpl(void)+8↓p ...
.plt:00014608                 ADRL            R12, 0x87610 ; PC-relative: the thunk works at any load base, which is how the injected caller must reach it too
.plt:00014610                 LDR             PC, [R12,#(dlopen_ptr - 0x87610)]! ; __imp_dlopen — indirect jump through the import pointer (presumably filled by the dynamic linker at load time)
.plt:00014610 ; End of function dlopen
.plt:00014610

I've looked up a lot of relevant posts, but I still don't have a clue.

After a week I still have not found the specific reason; I sincerely hope someone can help me.


Is your binary relocated on load (ASLR)? In that case the absolute address 0x14608 points to some random memory (probably unallocated) — the fault address in your dump is exactly the unrelocated value still held in r2. You need to use a position-independent instruction to load the address of the dlopen stub (e.g. ADRL).

  • In just one sentence, you solved the problem that has been bothering me for a week. Thank you very much for your answer.
    – 桂冠-
    Commented Dec 30, 2020 at 4:30
