ELFXtract – An Automated Analysis Tool Used For Enumerating ELF Binaries
[*]
ELFXtract is an automated analysis tool used for enumerating ELF binaries
Powered by Radare2 and r2ghidra
This is specially developed for PWN challenges and it has many automated features
It almost displays every details of the ELF and also decompiles its ASM to C code using r2ghidra
Decompiling ELFs in Ghidra takes more time, but in elfxtract it decompiles and displays in few seconds
Features in ELFXtract
- File info
- Shared object dependency details
- ELF Security Mitigation details / Checksec
- String details
- Header memory map
- ROP gadgets
- PLT Table
- GOT Table
- Function Table
- ASM code of functions
- Decompiled code of functions
- Predicting possible vulnerable functions
Installation
git clone https://github.com/AidenPearce369/elfxtract
cd elfxtract
chmod +x install.sh
./install.sh
pip install -r requirements.txt
Working
You can run elfxtract with any ELF along with -a
to list all details from the ELF
ra@ubuntu:~/elfxtract$ python3 main.py --file programvuln -a
_____ _ ________ ___ _
| ___| | | ___ / / | | |
| |__ | | | |_ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / | __| '__/ _` |/ __| __|
| |___| |____| | / /^ |_| | | (_| | (__| |_
____/_____/_| / /__|_| __,_|___|__|
@aidenpearce369
***************************************************************************
> FILE INFO :
ELF Name : programvuln
ELF Type : ELF 64-bit LSB shared object
ELF Arch : x86-64
ELF SHA1 Hash : BuildID[sha1]=cf149d97ad1e895561080b1f5c317bc5bc1e8652
This binary is dynamically linked & not stripped
********************** *****************************************************
> SHARED OBJECT DEPENDENCY :
linux-vdso.so.1 (0x00007ffd525a4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd610d93000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd610fa1000)
***************************************************************************
> ELF SECURITY MITIGATIONS :
RELRO : Full RELRO
STACK CANARY : No Canary found
NX BIT : NX disabled
PIE : PIE enabled
RPATH : No RPATH
RUNPATH : No RUNPATH
***************************************************************************
> POSSIBLE STRINGS :
nth paddr vaddr len size section type string
―――――――――――――――――――――――& #8213;―――――――――――――――――――――――――――――――
0 0x00002008 0x00002008 31 32 .rodata ascii You have bypassed this function
1 0x00002028 0x00002028 12 13 .rodata ascii cat flag.txt
2 0x00002035 0x00002035 15 16 .rodata ascii Enter your name
3 0x00002045 0x00002045 13 14 .rodata ascii Your name is
***************************************************************************
> RODATA HEXDUMP :
0x00002000 01000200 00000000 596f7520 68617665 ........You have
0x00002010 20627970 61737365 64207468 69732066 bypassed this f
0x00002020 756e6374 696f6e00 63617420 666c6167 unction.cat flag
0x00002030 2e747874 00456e74 65722079 6f757220 .txt.Enter your
0x00002040 6e616d65 00596f75 72206e61 6d652069 name.Your name i
0x00002050 732000 s .
***************************************************************************
> ELF ENTRY POINT :
The entry point of the ELF is at 0x10c0
***************************************************************************
> HEADER MEMORY MAP :
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000006a8 0x00000000000006a8 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x00000000000002b5 0x00000000000002b5 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x00000000000001c8 0x00000000000001c8 R 0x1000
LOAD 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000270 0x0000000000000278 RW 0x1000
DYNAMIC 0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x000000000 0000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002054 0x0000000000002054 0x0000000000002054
0x000000000000004c 0x000000000000004c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000260 0x0000000000000260 R 0x1
***************************************************************************
[*] Loaded 14 cached gadgets for 'programvuln'
> ROP GADGETS :
0x1017 : add esp, 8;ret
0x1016 : add rsp, 8;ret
0x1221 : leave;ret
0x128c : pop r12;pop r13;pop r14;pop r15;ret
0x128e : pop r13;pop r14;pop r15;ret
0x1290 : pop r14;pop r15;ret
0x12 92 : pop r15;ret
0x128b : pop rbp;pop r12;pop r13;pop r14;pop r15;ret
0x128f : pop rbp;pop r14;pop r15;ret
0x1193 : pop rbp;ret
0x1293 : pop rdi;ret
0x1291 : pop rsi;pop r15;ret
0x128d : pop rsp;pop r13;pop r14;pop r15;ret
0x101a : ret
***************************************************************************
> PLT TABLE :
__cxa_finalize : 0x1074
puts : 0x1084
system : 0x1094
printf : 0x10a4
gets : 0x10b4
***************************************************************************
> GOT TABLE :
_ITM_deregisterTMCloneTable : 0x3fd8
__libc_start_main : 0x3fe0
__gmon_start__ : 0x3fe8
_ITM_registerTMCloneTable : 0x3ff0
__cxa_finalize : 0x3ff8
puts : 0x3fb8
system : 0x3fc0
printf : 0x3fc8
gets : 0x3fd0
***************************************************************************
> FUNCTION TABLE :
__libc_csu_fini : 0x12a0
__libc_csu_init : 0x1230
win : 0x11a9
_start : 0x10c0
main : 0x11d6
***************************************************************************
> POSSIBLE USER DEFINED FUNCTIONS :
win : 0x11a9
main : 0x11d6
***************************************************************************
> ASSEMBLY AND DECOMPILED CODE :
[*] ASM - win :
┌ 45: sym.win ();
│ 0x000011a9 f30f1efa endbr64
│ 0x000011ad 55 push rbp
│ 0x000011ae 4889e5 mov rbp, rsp
│ 0x000011b1 488d3d500e00. lea rdi, str.You_have_bypassed_this_function ; 0x2008 ; "You have bypassed this function" ; const char *format
│ 0x000011b8 b800000000 mov eax, 0
│ 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
│ 0x000011c2 488d3d5f0e00. lea rdi, str.cat_flag.txt ; 0x2028 ; "cat flag.txt" ; const char *string
│ 0x000011c9 b800000000 mov eax, 0
│ 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)
│ 0x000011d3 90 nop
│ 0x000011d4 5d pop rbp
└ 0x000011d5 c3 ret
[*] DECOMPILED CODE - win :
void sym.win(void)
{
sym.imp.printf("You have bypassed this function");
sym.imp.system("cat flag.txt");
return;
}
[*] ASM - main :
; DATA XREF from entry0 @ 0x10e1
┌ 77: int main (int argc, char **argv, char **envp);
│ ; var char *s @ rbp-0x40
│ 0x000011d6 f30f1efa endbr64
│ 0x000011da 55 push rbp
│ 0x000011db 4889e5 mov rbp, rsp
│ 0x000011de 4883ec40 sub rsp, 0x40
│ 0x000011e2 488d3d4c0e00. lea rdi, str.Enter_your_name ; 0x2035 ; "Enter your name" ; const char *s
│ 0x000011e9 e892feffff call sym.imp.puts ; int puts(const char *s)
│ 0x000011ee 488d45c0 lea rax, [s]
│ 0x000011f2 4889c7 mov rdi, rax ; char *s
│ 0x000011f5 b800000000 mov eax, 0
│ 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)
│ 0x000011ff 488d3d3f0e00. lea rdi, str.Your_name_is_ ; 0x2045 ; "Your name is " ; const char *format
│ 0x00001206 b800000000 mov eax, 0
│ 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)
│ 0x00001210 488d45c0 lea rax, [s]
│ 0x00001214 4889c7 mov rdi, rax ; const char *s
│ 0x00001217 e864feffff call sym.imp.puts ; int puts(const char *s)
│ 0x 0000121c b800000000 mov eax, 0
│ 0x00001221 c9 leave
└ 0x00001222 c3 ret
[*] DECOMPILED CODE - main :
// WARNING: [r2ghidra] Failed to match type char * for variable s to Decompiler type:
undefined8 main(void)
{
undefined8 s;
sym.imp.puts("Enter your name");
sym.imp.gets(&s);
sym.imp.printf("Your name is ");
sym.imp.puts(&s);
return 0;
}
***************************************************************************
> VULNERABLE FUNCTIONS :
Possible vulnerability locations - Command Execution
0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)
Possible vulnerability locations - Format String
0x000011bd e8defeffff call sym.imp.printf ; int printf(const char * format)
0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)
Possible vulnerability locations - Buffer Overflow
0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)
***************************************************************************
You can also pass arguments and get the info based on your needs,
ra@ubuntu:~/elfxtract$ python3 main.py -h
_____ _ ________ ___ _
| ___| | | ___ / / | | |
| |__ | | | |_ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / | __| '__/ _` |/ __| __|
| |___| |____| | / /^ |_| | | (_| | (__| |_
____/_____/_| / /__|_| __,_|___|__|
@aidenpearce369
***************************************************************************
usage: main.py [-h] -f FILE [-a] [-i] [-g] [--user-func] [--get-func GET_FUNC] [--asm-only]
[--decompiled-only] [-t]
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE Path of the ELF
-a, --all Extract all info
-i, --info Displays bas ic info
-g, --gadgets Displays gadgets
--user-func Displays the details of user defined functions
--get-func GET_FUNC Displays the ASM & decompiled code of the given function
--asm-only Displays the ASM of ELF
--decompiled-only Displays the decompiled C code of ELF
-t, --tables Displays PLT, GOT & Function table
Updates
elfxtract is fully developed for parsing PWN binaries,
Soon, it will be added with new features to analyse system binaries
And also, auto-BOF and auto-ret2 exploit features will be added