Re: is this a bug ?

[BORBELY Zoltan <bozo () ANDREWS HU>]

Hello,

On Sun, Dec 10, 2000 at 01:35:27PM +0100, Jonathan James wrote:
> Guy,
> No this isn't a bug, you are forcing the CPU into an infinite loop..
> First you jump to "start" where the "call doit" instruction is passed.
> When the CPU has executed the instructions at label "doit" it will continue
> to execute whatever follows, i.e label "start" again which
> just jumps back to label "doit".

No. If this program executes correctly, it isn't a cpu hog :-) It is a
shellcode skeleton. But if you modify the string it'll be a cpu eating
bastard.

I'll comment this code a little:

        jmp start

doit:
        popl    %esi
        ...

start:
        call    doit
        __data_starts_here__

This is a common shellcode format. It's a variation of the following sequence:

        call    next
next:
        pop     %esi

The call instruction push the %eip to the stack. The pop %esi reads the
address of the instruction following the call statement. This is the common
method to indentify the starting address of the position independent code.

The problem is the parameter following the jmp and call instructions is a
_relative_ address, and the shellcodes mustn't contains NUL bytes. So you
have to transform to the jmp start/pop %esi/call doit format. In this case
the relative address of the call instruction will be negative, for example
0xffffffed. The jmp instruction has a special version where the relative
address only one bytes, so it won't contains NUL byte too. :-)


> > first i mast explain i am no programmer, i just read a few documents
> > on the web and try to play with stuff. If this is inappropriate here
> > please tell me and except my apologize.
> >
> > anyhow,
> > i have this asm code:
> >
> > .global id
> > .global end
> > .data
> > id:
> >         jmp start
> > doit:
> >         popl %esi

> >         movl %esi,0x08(%esi)
> >         xorl %eax,%eax
> >         movb %eax,0x07(%esi)
> >         movl %eax,0xc(%esi)
> >
> >         movb $0xb,%eax
> >         movl %esi,%ebx
> >         leal 0x8(%esi),%ecx
> >         xorl %edx,%edx

This code builds the parameter block of the execve syscall on the stack
directly after the string. The character at _string_address_+7 position
(the X character) will be changed to NUL ('\0').

> >         int  $0x80

And this is the system call entry point of the linux kernel. If it's execute
properly, it will never returns. So if you modify the string and the new
length isn't equal to 7 byte (without the termination character which will
be overwritten) or there are any error (file missing, isn't executable, ...)
the system call will fail and returns.

> > start:
> >         call doit
> >         .string "/bin/idX"
> > end:
> >
> > and the c to run it:
> > extern void id();
> > extern void end();
> > main()
> > {
> >   id();
> > }
> >
> > both a ripof from Marc Blumenauer <marc () system-security net>
> >
> > but what strikes me odd is that if i cange any of the length of the string
> > to a wrong lenght (0x09 for example)  my cpu get to 98.8 usage % after 5
> > seconds. (this is run by regular user)
> >
> > Can any one explain/verify this on a computer with more the 133MHz and 48
> RAM ?

The system call returned, and the execution continued at the call instruction.
_This_ is the infinite loop :-)

Bye,
Zoltan BORBELY