Penetration Testing mailing list archives
Re: Exploring Windows CE Shellcode
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Tue, 04 Oct 2005 10:53:52 +0200
I am curious- I developed some shellcode for a zaurus which is also arm, well xscale to be exact but thats arm v5 IIRC. Because of it being a harvard arch (seperate instruction and data cache for those who are unaware of what this is), self-modifying code is made more difficult under xscale. With that said, under linux the base system call address is 0x90000000, which obviously has null's in it and in order to counter this I switch one byte to be 0xFF and then incremented it. I have not read your paper as of yet, but I am curious how you overcame similar problems in your WinCE shellcode? I found the only effective way for me to do this was to drain the write buffer/invalidate the caches, but I was curious if have another method.
Hello, I guess you should take time to read Tim's paper, for it is very good (maybe better than Phrack #63-6 ?). Tim is flushing the cache using the following instruction : "mcr p15, 0, r7, c7, c10, 4" I am no expert of ARM Linux (I prefer Windows Mobile :), but Phil (the creator of ShellForge, who worked on ARM shellcodes) told me once that encoding and decoding of Linux syscalls is not a problem ! It seems that on ARM Linux, the kernel is getting the syscall number by peeking at the opcode that raised the call. Since the "read" instruction will get data from the data cache, not the instruction cache, your decoded syscall should work "out of the box" ! Regards, - Nicolas RUFF Security researcher @ EADS-CCR ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Exploring Windows CE Shellcode Tim Hurman (Oct 01)
- <Possible follow-ups>
- Re: Exploring Windows CE Shellcode Nicolas RUFF (Oct 05)