ELFXtract is an automated analysis tool used for enumerating ELF binaries

Overview

ELFXtract

ELFXtract is an automated analysis tool used for enumerating ELF binaries

Powered by Radare2 and r2ghidra

This is specially developed for PWN challenges and it has many automated features

It almost displays every details of the ELF and also decompiles its ASM to C code using r2ghidra

Decompiling ELFs in Ghidra takes more time, but in elfxtract it decompiles and displays in few seconds

Features in ELFXtract

  1. File info
  2. Shared object dependency details
  3. ELF Security Mitigation details / Checksec
  4. String details
  5. Header memory map
  6. ROP gadgets
  7. PLT Table
  8. GOT Table
  9. Function Table
  10. ASM code of functions
  11. Decompiled code of functions
  12. Predicting possible vulnerable functions

Installation

git clone https://github.com/AidenPearce369/elfxtract
cd elfxtract
chmod +x install.sh
./install.sh
pip install -r requirements.txt

Working

You can run elfxtract with any ELF along with -a to list all details from the ELF

VULNERABLE FUNCTIONS : Possible vulnerability locations - Command Execution 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string) Possible vulnerability locations - Format String 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format) 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format) Possible vulnerability locations - Buffer Overflow 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s) *************************************************************************** ">
ra@ubuntu:~/elfxtract$ python3 main.py --file programvuln -a

         _____ _     ________   ___                  _   
        |  ___| |    |  ___\ \ / / |                | |  
        | |__ | |    | |_   \ V /| |_ _ __ __ _  ___| |_ 
        |  __|| |    |  _|  /   \| __| '__/ _` |/ __| __|
        | |___| |____| |   / /^\ \ |_| | | (_| | (__| |_ 
        \____/\_____/\_|   \/   \/\__|_|  \__,_|\___|\__|

                        @aidenpearce369                                                                  
        
***************************************************************************

> FILE INFO : 

    ELF Name       :  programvuln
    ELF Type       :  ELF 64-bit LSB shared object
    ELF Arch       :  x86-64
    ELF SHA1 Hash  :  BuildID[sha1]=cf149d97ad1e895561080b1f5c317bc5bc1e8652

    This binary is dynamically linked & not stripped

***************************************************************************

> SHARED OBJECT DEPENDENCY : 

    linux-vdso.so.1 (0x00007ffd525a4000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd610d93000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fd610fa1000)

***************************************************************************

> ELF SECURITY MITIGATIONS : 

    RELRO          :  Full RELRO
    STACK CANARY   :  No Canary found
    NX BIT         :  NX disabled
    PIE            :  PIE enabled
    RPATH          :  No RPATH
    RUNPATH        :  No RUNPATH

***************************************************************************

> POSSIBLE STRINGS : 

    nth paddr      vaddr      len size section type  string
    ―――――――――――――――――――――――――――――――――――――――――――――――――――――――
    0   0x00002008 0x00002008 31  32   .rodata ascii You have bypassed this function
    1   0x00002028 0x00002028 12  13   .rodata ascii cat flag.txt
    2   0x00002035 0x00002035 15  16   .rodata ascii Enter your name
    3   0x00002045 0x00002045 13  14   .rodata ascii Your name is 
    
***************************************************************************

> RODATA HEXDUMP : 

      0x00002000 01000200 00000000 596f7520 68617665 ........You have
      0x00002010 20627970 61737365 64207468 69732066  bypassed this f
      0x00002020 756e6374 696f6e00 63617420 666c6167 unction.cat flag
      0x00002030 2e747874 00456e74 65722079 6f757220 .txt.Enter your 
      0x00002040 6e616d65 00596f75 72206e61 6d652069 name.Your name i
      0x00002050 732000                              s .
    
    
***************************************************************************

> ELF ENTRY POINT : 

    The entry point of the ELF is at 0x10c0

***************************************************************************

> HEADER MEMORY MAP : 

  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x00000000000002d8 0x00000000000002d8  R      0x8
  INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
                 0x000000000000001c 0x000000000000001c  R      0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x00000000000006a8 0x00000000000006a8  R      0x1000
  LOAD           0x0000000000001000 0x0000000000001000 0x0000000000001000
                 0x00000000000002b5 0x00000000000002b5  R E    0x1000
  LOAD           0x0000000000002000 0x0000000000002000 0x0000000000002000
                 0x00000000000001c8 0x00000000000001c8  R      0x1000
  LOAD           0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
                 0x0000000000000270 0x0000000000000278  RW     0x1000
  DYNAMIC        0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
                 0x00000000000001f0 0x00000000000001f0  RW     0x8
  NOTE           0x0000000000000338 0x0000000000000338 0x0000000000000338
                 0x0000000000000020 0x0000000000000020  R      0x8
  NOTE           0x0000000000000358 0x0000000000000358 0x0000000000000358
                 0x0000000000000044 0x0000000000000044  R      0x4
  GNU_PROPERTY   0x0000000000000338 0x0000000000000338 0x0000000000000338
                 0x0000000000000020 0x0000000000000020  R      0x8
  GNU_EH_FRAME   0x0000000000002054 0x0000000000002054 0x0000000000002054
                 0x000000000000004c 0x000000000000004c  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x10
  GNU_RELRO      0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
                 0x0000000000000260 0x0000000000000260  R      0x1

***************************************************************************
[*] Loaded 14 cached gadgets for 'programvuln'

> ROP GADGETS : 

    0x1017     : add esp, 8;ret
    0x1016     : add rsp, 8;ret
    0x1221     : leave;ret
    0x128c     : pop r12;pop r13;pop r14;pop r15;ret
    0x128e     : pop r13;pop r14;pop r15;ret
    0x1290     : pop r14;pop r15;ret
    0x1292     : pop r15;ret
    0x128b     : pop rbp;pop r12;pop r13;pop r14;pop r15;ret
    0x128f     : pop rbp;pop r14;pop r15;ret
    0x1193     : pop rbp;ret
    0x1293     : pop rdi;ret
    0x1291     : pop rsi;pop r15;ret
    0x128d     : pop rsp;pop r13;pop r14;pop r15;ret
    0x101a     : ret

***************************************************************************

> PLT TABLE : 

    __cxa_finalize                      :     0x1074
    puts                                :     0x1084
    system                              :     0x1094
    printf                              :     0x10a4
    gets                                :     0x10b4

***************************************************************************

> GOT TABLE : 

    _ITM_deregisterTMCloneTable         :     0x3fd8
    __libc_start_main                   :     0x3fe0
    __gmon_start__                      :     0x3fe8
    _ITM_registerTMCloneTable           :     0x3ff0
    __cxa_finalize                      :     0x3ff8
    puts                                :     0x3fb8
    system                              :     0x3fc0
    printf                              :     0x3fc8
    gets                                :     0x3fd0

***************************************************************************

> FUNCTION TABLE : 

    __libc_csu_fini                     :     0x12a0
    __libc_csu_init                     :     0x1230
    win                                 :     0x11a9
    _start                              :     0x10c0
    main                                :     0x11d6

***************************************************************************

> POSSIBLE USER DEFINED FUNCTIONS : 

    win                  :     0x11a9
    main                 :     0x11d6

***************************************************************************

> ASSEMBLY AND DECOMPILED CODE : 


[*] ASM - win : 

┌ 45: sym.win ();
│           0x000011a9      f30f1efa       endbr64
│           0x000011ad      55             push rbp
│           0x000011ae      4889e5         mov rbp, rsp
│           0x000011b1      488d3d500e00.  lea rdi, str.You_have_bypassed_this_function ; 0x2008 ; "You have bypassed this function" ; const char *format
│           0x000011b8      b800000000     mov eax, 0
│           0x000011bd      e8defeffff     call sym.imp.printf         ; int printf(const char *format)
│           0x000011c2      488d3d5f0e00.  lea rdi, str.cat_flag.txt   ; 0x2028 ; "cat flag.txt" ; const char *string
│           0x000011c9      b800000000     mov eax, 0
│           0x000011ce      e8bdfeffff     call sym.imp.system         ; int system(const char *string)
│           0x000011d3      90             nop
│           0x000011d4      5d             pop rbp
└           0x000011d5      c3             ret

[*] DECOMPILED CODE - win : 

void sym.win(void)

{
    sym.imp.printf("You have bypassed this function");
    sym.imp.system("cat flag.txt");
    return;
}

[*] ASM - main : 

; DATA XREF from entry0 @ 0x10e1
┌ 77: int main (int argc, char **argv, char **envp);
│           ; var char *s @ rbp-0x40
│           0x000011d6      f30f1efa       endbr64
│           0x000011da      55             push rbp
│           0x000011db      4889e5         mov rbp, rsp
│           0x000011de      4883ec40       sub rsp, 0x40
│           0x000011e2      488d3d4c0e00.  lea rdi, str.Enter_your_name ; 0x2035 ; "Enter your name" ; const char *s
│           0x000011e9      e892feffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000011ee      488d45c0       lea rax, [s]
│           0x000011f2      4889c7         mov rdi, rax                ; char *s
│           0x000011f5      b800000000     mov eax, 0
│           0x000011fa      e8b1feffff     call sym.imp.gets           ; char *gets(char *s)
│           0x000011ff      488d3d3f0e00.  lea rdi, str.Your_name_is_  ; 0x2045 ; "Your name is " ; const char *format
│           0x00001206      b800000000     mov eax, 0
│           0x0000120b      e890feffff     call sym.imp.printf         ; int printf(const char *format)
│           0x00001210      488d45c0       lea rax, [s]
│           0x00001214      4889c7         mov rdi, rax                ; const char *s
│           0x00001217      e864feffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000121c      b800000000     mov eax, 0
│           0x00001221      c9             leave
└           0x00001222      c3             ret

[*] DECOMPILED CODE - main : 

// WARNING: [r2ghidra] Failed to match type char * for variable s to Decompiler type: 

undefined8 main(void)

{
    undefined8 s;
    
    sym.imp.puts("Enter your name");
    sym.imp.gets(&s);
    sym.imp.printf("Your name is ");
    sym.imp.puts(&s);
    return 0;
}

***************************************************************************

> VULNERABLE FUNCTIONS : 

    Possible vulnerability locations - Command Execution

           0x000011ce      e8bdfeffff     call sym.imp.system         ; int system(const char *string)

    Possible vulnerability locations - Format String

           0x000011bd      e8defeffff     call sym.imp.printf         ; int printf(const char *format)
           0x0000120b      e890feffff     call sym.imp.printf         ; int printf(const char *format)

    Possible vulnerability locations - Buffer Overflow

           0x000011fa      e8b1feffff     call sym.imp.gets           ; char *gets(char *s)


***************************************************************************

You can also pass arguments and get the info based on your needs,

ra@ubuntu:~/elfxtract$ python3 main.py -h

         _____ _     ________   ___                  _   
        |  ___| |    |  ___\ \ / / |                | |  
        | |__ | |    | |_   \ V /| |_ _ __ __ _  ___| |_ 
        |  __|| |    |  _|  /   \| __| '__/ _` |/ __| __|
        | |___| |____| |   / /^\ \ |_| | | (_| | (__| |_ 
        \____/\_____/\_|   \/   \/\__|_|  \__,_|\___|\__|

                        @aidenpearce369                                                                  
        
***************************************************************************
usage: main.py [-h] -f FILE [-a] [-i] [-g] [--user-func] [--asm-only] [--decompiled-only] [-t]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Path of the ELF
  -a, --all             Extract all info
  -i, --info            Displays basic info
  -g, --gadgets         Displays gadgets
  --user-func           Displays the details of user defined functions
  --asm-only            Displays the ASM of ELF
  --decompiled-only     Displays the decompiled C code of ELF
  -t, --tables          Displays PLT, GOT & Function table

Updates

elfxtract is fully developed for parsing PWN binaries,

Soon, it will be added with new features to analyse system binaries

And also, auto-BOF and auto-ret2 exploit features will be added

You might also like...
Office365 (Microsoft365) audit log analysis tool

Office365 (Microsoft365) audit log analysis tool The header describes it all WHY?? The first line of code was written long time before other colleague

A data parser for the internal syncing data format used by Fog of World.
A data parser for the internal syncing data format used by Fog of World.

A data parser for the internal syncing data format used by Fog of World. The parser is not designed to be a well-coded library with good performance, it is more like a demo for showing the data structure.

Package for decomposing EMG signals into motor unit firings, as used in Formento et al 2021.

EMGDecomp Package for decomposing EMG signals into motor unit firings, created for Formento et al 2021. Based heavily on Negro et al, 2016. Supports G

API>local_db>AWS_RDS - Disclaimer! All data used is for educational purposes only.
APIlocal_dbAWS_RDS - Disclaimer! All data used is for educational purposes only.

APIlocal_dbAWS_RDS Disclaimer! All data used is for educational purposes only. ETL pipeline diagram. Aim of project By creating a fully working pipe

Used for data processing in machine learning, and help us to construct ML model more easily from scratch

Used for data processing in machine learning, and help us to construct ML model more easily from scratch. Can be used in linear model, logistic regression model, and decision tree.

Validated, scalable, community developed variant calling, RNA-seq and small RNA analysis
Validated, scalable, community developed variant calling, RNA-seq and small RNA analysis

Validated, scalable, community developed variant calling, RNA-seq and small RNA analysis. You write a high level configuration file specifying your in

Performance analysis of predictive (alpha) stock factors
Performance analysis of predictive (alpha) stock factors

Alphalens Alphalens is a Python Library for performance analysis of predictive (alpha) stock factors. Alphalens works great with the Zipline open sour

Probabilistic reasoning and statistical analysis in TensorFlow

TensorFlow Probability TensorFlow Probability is a library for probabilistic reasoning and statistical analysis in TensorFlow. As part of the TensorFl

Sensitivity Analysis Library in Python (Numpy). Contains Sobol, Morris, Fractional Factorial and FAST methods.

Sensitivity Analysis Library (SALib) Python implementations of commonly used sensitivity analysis methods. Useful in systems modeling to calculate the

Owner
Monish Kumar
null
Monish Kumar
Driver Analysis with Factors and Forests: An Automated Data Science Tool using Python

Driver Analysis with Factors and Forests: An Automated Data Science Tool using Python ??

Thomas 2 May 26, 2022
Statistical Analysis 📈 focused on statistical analysis and exploration used on various data sets for personal and professional projects.

Statistical Analysis ?? This repository focuses on statistical analysis and the exploration used on various data sets for personal and professional pr

Andy Pham 1 Sep 3, 2022
A set of functions and analysis classes for solvation structure analysis

SolvationAnalysis The macroscopic behavior of a liquid is determined by its microscopic structure. For ionic systems, like batteries and many enzymes,

MDAnalysis 19 Nov 24, 2022
Lale is a Python library for semi-automated data science.

Lale is a Python library for semi-automated data science. Lale makes it easy to automatically select algorithms and tune hyperparameters of pipelines that are compatible with scikit-learn, in a type-safe fashion.

International Business Machines 293 Dec 29, 2022
Data Competition: automated systems that can detect whether people are not wearing masks or are wearing masks incorrectly

Table of contents Introduction Dataset Model & Metrics How to Run Quickstart Install Training Evaluation Detection DATA COMPETITION The COVID-19 pande

Thanh Dat Vu 1 Feb 27, 2022
Full automated data pipeline using docker images

Create postgres tables from CSV files This first section is only relate to creating tables from CSV files using postgres container alone. Just one of

null 1 Nov 21, 2021
A neural-based binary analysis tool

A neural-based binary analysis tool Introduction This directory contains the demo of a neural-based binary analysis tool. We test the framework using

Facebook Research 208 Dec 22, 2022
This tool parses log data and allows to define analysis pipelines for anomaly detection.

logdata-anomaly-miner This tool parses log data and allows to define analysis pipelines for anomaly detection. It was designed to run the analysis wit

AECID 32 Nov 27, 2022
cLoops2: full stack analysis tool for chromatin interactions

cLoops2: full stack analysis tool for chromatin interactions Introduction cLoops2 is an extension of our previous work, cLoops. From loop-calling base

YaqiangCao 25 Dec 14, 2022
Unsub is a collection analysis tool that assists libraries in analyzing their journal subscriptions.

About Unsub is a collection analysis tool that assists libraries in analyzing their journal subscriptions. The tool provides rich data and a summary g

null 9 Nov 16, 2022