Sunday, February 26, 2023

Reverse Engineering Notes - Radare2 Symbols + DLL Hijacking

Radare2 - Weak symbols


Weak symbols are symbols that are defined in a dynamic library and used by the binary, but they are not required for the binary to run. However, if these symbols are not present in the dynamic library at runtime, the binary will use a default implementation of these symbols or may crash.

To harden a binary with weak symbols, you should ensure that the required dynamic libraries are present at runtime and that they are up-to-date with no known vulnerabilities. If the dynamic library is not required for the binary to run, you can remove the weak symbol dependency from the binary by either linking the required function statically or removing the function call altogether.

In the case of the output from radare2 that you provided, some of the weak symbols are related to the POSIX threads library (pthread), which is commonly used for multithreaded programming in Unix-like systems. If your binary is using pthreads, you should ensure that the library is present and up-to-date at runtime to avoid vulnerabilities.

how can I check that with radare2?


You can use the ii command in radare2 to display the imports of a binary and look for weak symbols. Here's an example:

    Open the binary in radare2 using the following command:

vbnet

r2 /path/to/binary

    Once the binary is loaded, use the ii command to display the imports:

bash

[0x004004a0]> ii
[Imports]
nth vaddr      bind   type   lib name
...

    Look for any symbols with a WEAK bind type, which indicates that they can be overridden at runtime. You can filter the output using the grep command in the radare2 terminal:

python

[0x004004a0]> ii | grep WEAK
  1 0x000007b0 WEAK   FUNC       kernel32.dll_GetCurrentProcessId
  2 0x000007c0 WEAK   FUNC       kernel32.dll_GetCurrentThreadId
  3 0x000007d0 WEAK   FUNC       kernel32.dll_GetTickCount
  4 0x000007e0 WEAK   FUNC       kernel32.dll_QueryPerformanceCounter
  5 0x000007f0 WEAK   FUNC       kernel32.dll_IsDebuggerPresent
...

In this example, we can see that there are several weak symbols imported from kernel32.dll.

how can i use radare2 to make a proof of concept for this? and describe the logical steps it would take in radare2

To create a proof of concept for DLL hijacking using radare2, you can follow these logical steps:

    Find a vulnerable binary: Find a binary that has a weakly linked symbol in its Import Table that can be hijacked. Use radare2 -A [binary] to open the binary in radare2 and analyze it.

    Identify the vulnerable symbol: Use iE command in radare2 to list the symbols in the Import Table. Look for symbols that have a "WEAK" bind type and a "FUNC" or "OBJT" type. Note down the name and virtual address of the symbol you want to hijack.

    Create a malicious DLL: Create a malicious DLL that exports a function with the same name as the vulnerable symbol. This function should perform the desired action, such as executing arbitrary code or displaying a message box. The DLL should also contain the code that will execute the desired function when it is loaded.

    Place the malicious DLL in the current working directory or another directory that is in the system's DLL search path.

    Load the binary in radare2 and set a breakpoint at the address of the vulnerable symbol: Use radare2 -d [binary] to open the binary in debug mode. Use the db command to set a breakpoint at the address of the vulnerable symbol.

    Run the binary: Use the dc command to run the binary. The binary will load the malicious DLL instead of the legitimate one, and the function in the DLL will be executed.

    Verify the exploit: The code in the malicious DLL should have been executed, and you should see the expected behavior, such as a message box popping up.

Note that this is a simplified example of DLL hijacking, and in a real-world scenario, you would need to consider additional factors, such as the location of the vulnerable DLL, the search order of the DLLs, and the permissions required to place the malicious DLL in the desired directory.

No comments:

Post a Comment

A Guide to Multi-Level Pointer Analysis

  A Comprehensive Guide to Multi-Level Pointer Analysis   A regular pointer points to only one address, but when it's accompanied by a l...