Vulnerability Development mailing list archives

Re: BitchX /ignore bug


From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Wed, 5 Jul 2000 12:59:10 -0700


On Wed, Jul 05, 2000 at 10:45:22AM -0400, Benjamin Karas wrote:
> I just wanted to point out that the PowerPC is one of the unbelievably bizarre
> platforms -- it passes parameters in registers.  I've also seen some pretty
> strange stuff on OpenBSD with parameter passing.

It should be fairly independent of operating system; ABIs tend to be
pretty consistent on the same hardware target (well, there are usually
two or three different ones at least, but OpenBSD probably doesn't have
its own).

> For those who are curious, exploiting a PowerPC program can be a bit more
> difficult than an x86 program.  First, PPC code is optimized such that frames
> are 32 *byte* aligned.  I've been told this is because of how the PPC cache
> works.  Furthermore, strings and stuff are 4 byte aligned.  This all means
> that there are often unused bytes on the stack.  This means strings might not
> be adjacent on the stack, which eliminates the attacks described in Phrack 56,
> article 0x0e.

Not really.  Programmers usually pick multiples of four for buffer
sizes.  You also have no guarantee that a string starts at a
four-byte alignment - if it is, for instance, in the middle of a struct
that may not be the case.

> Another difficulty is that a lot of opcodes in PPC assembly contain zeros in
> them (each is 4 bytes long).

This is not an issue, I can assure you.  There's more than enough that
do not.

> I just wanted to point these things out.  Running a server on PPC hardware
> might be slightly more secure than Intel simply from an obscurity standpoint.

Bad, bad idea.  At least two working PPC shellcodes have been
published; I've written two others, and they did not take me terribly
long to turn out.

As it turns out, the worst thing about PowerPC from the hacker's
standpoint is that most recent PPC chips have separate data and
instruction caches.  Getting your code flushed into main memory so that
the icache will find it can be a spot of difficulty.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/
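As an added illustration of the alignment point made in the reply above (example code, not from the thread or its authors): a C program that uses offsetof to show when two buffers inside a struct are contiguous, when padding separates them, and when a string does not start on a four-byte boundary. The struct layouts are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layouts, constructed for this example. */

/* Two buffers whose sizes are multiples of four: the compiler needs no
 * padding between them, so they sit back to back in memory. */
struct multiple_of_four {
    char name[16];
    char path[16];
};

/* A 13-byte buffer followed by an int: the int needs its natural
 * alignment, so unused bytes are inserted after name[]. */
struct odd_size {
    char name[13];
    int  flags;
};

/* A 12-byte string preceded by a one-byte field: its size is a multiple
 * of four, but its start address is not four-byte aligned. */
struct prefixed {
    char kind;
    char buf[12];
};

/* Unused bytes between the end of name[] and the start of path[]. */
size_t gap_between_buffers(void) {
    return offsetof(struct multiple_of_four, path)
         - (offsetof(struct multiple_of_four, name)
            + sizeof(((struct multiple_of_four *)0)->name));
}

/* Unused bytes between the end of name[] and flags. */
size_t gap_before_int(void) {
    return offsetof(struct odd_size, flags)
         - (offsetof(struct odd_size, name)
            + sizeof(((struct odd_size *)0)->name));
}

/* Byte offset of buf[] inside struct prefixed (1: not four-byte aligned). */
size_t prefixed_buf_offset(void) {
    return offsetof(struct prefixed, buf);
}

int main(void) {
    printf("padding between name[16] and path[16]: %zu bytes\n", gap_between_buffers());
    printf("padding between name[13] and flags:    %zu bytes\n", gap_before_int());
    printf("offset of buf[12] after a 1-byte field: %zu\n", prefixed_buf_offset());
    return 0;
}
```

The padding figures assume the usual four-byte alignment of int; the layout rules are the same on PowerPC and x86, which is why buffer-size choice, not the CPU, decides whether strings end up adjacent.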

