What is ELF (Binary Exploitation ) and How to Exploiting ELF - 1 - Tutorial Boy -->

What is ELF (Binary Exploitation ) and How to Exploiting ELF - 1

Binary Exploitation

Binary exploitation is the process of subverting a compiled application such that it violates some trust boundary in a way that is advantageous to you, the attacker. In this module, we are going to focus on a memory corruption. By abusing vulnerabilities that corrupt memory in the software we can often rewrite critical application state information in a way that allows us to elevate privileges inside the context of a particular application (like a remote desktop server) or perform arbitrary computation by hijacking control flow and running code of our choosing.

In this blog, we gonna see about the file format that we mostly deal in Binary Exploitation, ELF. Let’s get started

ELF

ELF stands for Executable and Linkable Format. At first, it was introduced as the ABI(Application Binary Interface) for “Unix System V” later in 1999 it became a standard binary file format for * NIX-like system and some other devices namely Play Stations, Wii, etc….
ABI(Application Binary Interface)

It leads a way for communication between User-written programs and System Library namely Libc library or between operating systems. For example, if you’re writing a program that makes use of the libc library, in this scenario your program needs to communicate with that library so that your program will execute correctly for this purpose ABI was used.
An ELF

When it comes to ELF, Commonly we use this file format for three types of files. An Executable file, Shared Library, and Object file.
  • Executable File --  It holds a program that is suitable for execution. For example our normal executable files
  • Shared Library --  This is nothing but our Libc like libraries which also follows this kind of file format namely ELF it may seem in various extensions like “.so”, “.lib”, “.a” but this is only for our convenience but they don’t have any major difference
  • Object File --  Object file is a Binary file format that is in the ready to link stage

LIBC

As you may notice, I use the word “libc” in the above sentences, but what does it actually mean
“The C Standard Library” is commonly named as Libc library, Most of all the functions we used in C is comes from this library file.

Linking

  • Linking is the process of merging our program with the system library like Libc so that it will execute without any error

Let’s make it simple with an example



Here in our first line of code, we’ve included Header file<stdio.h> in which the “printf” function is placed but where does <stdio.h> is come from? The answer is from “Libc”, our <stdio.h> header was comes from libc “The C standard Library”. In C language, every function belongs to the respective header file and each header files belong to the LIBC library. Now you may doubt “How many header files does C owns??” The answer is unlimited means you can write your own Header file for your program, but according to C11 standard 29 common header files are placed in the LIBC library.

So in every program that is written by us, it must be linked with that LIBC library to be run without any error. So here we aim to link our program with a system library called libc, We can do that in two ways that are called Statically Linking and Dynamically Linking

Statically Linking

  • We wrap the libc library into our source code and compile it to create a final executable in the statically linking process.
  • The type of executable made by this kind of linking process is not dependent on any external source at the time of execution. But the size of the output file may be large.

Dynamically Linking

  • In the dynamically linking process, we link our source code into the system library at only the time of execution, it is also known as runtime linking.
  • The Linux operating system is mostly written in C. So in Linux programs that are in running state also use the libc library, So in this scenario, we will use the running library by linking our source file into it only at the time of execution.

Inside the ELF

For now, we saw about the things which are required to understand the in-depth mechanism of ELF. So now dive deep into it.

When it comes to an ELF file, we have to consider three main things: ELF Header, Segments, Sections. In this blog, we only going to see about the Segments and Sections basics in the next part of this blog we’ll see about the interior mechanism and the magics that are happening behind the screen of ELF.
Segments

Before we go to see it we have to know the difference between the Segments and Sections. So it is valuable to have an ELF Executable file that has Segments alone, Meanwhile, it is also valid to have an Object file that only contains Sections. But it is also valid to have both on an Executable file.

The segment contains data through which our executable file’s data are mapped into main memory(RAM).

At the time of execution, every executable file is mapped into the main memory by following certain Data Structures. So that segment contains data and instructions about the executable file’s and the CPU and Operating system go through it and then all the data are mapped into the main memory. This is the purpose of having a Segment in the ELF executable file.

In a statically linked ELF executable, three common segments take place. Those are Data, Uninitialized data, Code.
  • Data -- In this segment, variables, and constants that we have written in our program are placed
  • Uninitialized data -- If we declare any space for our program that will be placed here, and if we specified and variable that gets input from the user that is also present in this segment
  • Code -- In this segment, our actual executable code takes place
But the above things are only for the statically linked binary for dynamically linked binary an additional segment will take place. That is for the system library in which our program will communicate at the time of execution. Here functions like ASLR(Address Space Layout Randomization) are takes place. Remember that in Dynamically linked binary the address of the binary will change in the time of every single execution, but in statically linked binary it will not change for any launch.
Sections

Sections are also like Segments. But the one thing which varies from both of the files is “The place where it is used”. Section files are only used in Object files for the Linking process where Segment files are used by executable files for the execution process.

Sections may be present in ELF executable file but must be present in the ELF object file. Sections contain data, instructions, symbols by which the linking process was done.