Router vulnerability reproduce the ultimate Upanishads--based on the MIPS shellcode writing-vulnerability warning-the black bar safety net

ID MYHACK58:62201891087
Type myhack58
Reporter 佚名
Modified 2018-08-04T00:00:00


Foreword Today we talk about how in the MIPS architecture to write shellcode for. In the previous two articles, we were introduced based on the MIPS buffer overflow practice, and further how to use learn to the overflow of knowledge reproduction and verification of router vulnerabilities. But in the above the router exploit example, we need to have a pre-condition, i.e., containing the vulnerability of the program must import the system library function, we can easily verify, however this conditions is not time effective. Therefore, in this paper, we describe routers vulnerabilities to reproduce the ultimate Upanishads--based on the MIPS shellcode to write. With a shellcode, if the target program can be overflowed, then we can perform any of the procedures. So that is the ultimate meaning of. Simple, shellcode is a piece to the process of implantation of a period for obtaining the shell code, the shell is an interactive command. Now, the shellcode from a broad sense, has a unified means in a buffer overflow attack in the implantation process of the code. Therefore, the shellcode is now the function includes not only the obtaining the shell, further comprising a pop-up message box, open a port and execute the command. In this article, I will introduce Based on the MIPS common shellcode; and 快速提取shellcode的二进制指令的工具; and The development of the shellcode how to in their own experimental procedures applied. Wherein, the shellcode binary instructions rapid extraction tool is my own development. I just search a bit, did not find similar to be able to meet my needs the tools, so we developed a tool, has open source in shell_extractor, and everyone is welcome to use. If we have better tools, and welcome comment.^_^

0. Bird's eye view of shellcode First, we start from a more intuitive perspective to understand what a shellcode it in buffer overflow attacks process the role of the and location. As shown a common MIPS stack allocation case ! Shellcode the most common usage, is to be executed command to override to the stack inside, by modifying the RA to jump to the stack starting position, reached in the stack inside the implementation of their desired commands. So the shellcode is actually a segment of the executable for the compilation command. Mentioned here, so the question is, how to write this section of the Assembly instructions? There are two ideas, first: from online search of some shellcode compile, compile after decompile, get the binary instruction. This method can be, it is relatively common practice. There is also one that needs a little take a little Kung Fu: the use of c language to write a system command call, compiled, and then used IDA to decompile, directly to the corresponding assembler instruction is extracted. However, in the extraction of the corresponding Assembly instructions when you need to store the parameters of the position, as well as for the Register of the processing for re-adjustment. For example, we write an execve of the calling program. execve is the shellcode used one of the programs, it's purpose is already embedded in the application program to perform another program such as/bin/sh. Linux the system calls are defined as follows: int execve(const char path, char const argv[], char *const envp[]); Then I a common c language to call the execve code can be like this:


int main() { char program = "/bin/ls"; char arg = "-l"; char *args[3]; args[0] = program; args[1] = arg; args[2] = 0; execve(program, args, 0); } Compile, look at the IDA decompiled out what kind of ! Will find that the parameters of the program and arg is the need for re-processing, such as follow the put in this shellcode program behind after the introduction of manually writing shellcode will be written to this process. execve after the jump, you will find, ultimately, is through the syscall system call. ! In summary, these two kinds of method for beginners a step-by-step corresponding to the c source code and assembler learning the assembler for shellcode written. However, direct extraction, then, will be found redundant instructions too. In the cover stack, the space occupied by the less exploits, the success rate will be higher. Therefore, this paper still focuses on the first way, i.e., from the Mature processing good shellcode learning. Interested readers can also further optimize the above code, so its volume is as small as possible, which for the Foundation is very good. Earlier we mentioned, the final execve is through a syscall this command the system calls, therefore, based on the MIPS shellcode to write, most of them are based on syscall for this command. syscall function parameter in the form of syscall($v0, $a0, $a1,...); where$v0 is used to save the need to perform a system call to the calling number, and in accordance with the corresponding function call the rules for placing parameters. For example calling exit Assembly code examples. li $a0, 0 li $v0, 4001 syscall Wherein the instruction li (x,y)mean the immediate data y is placed into register x. System call well in linux system I found, such as in/usr/include/mips-linux-gnu/asm/unistd. h inside. In this paper, we focus on two system commands to expand, and in-depth introduction to a complete shellcode development, and vulnerability of the process. I.e., write, execve instruction. The Write is the output string to the specified stream of system calls. We can find the write the called number is 4004, and execve is 4011. Overall, based on the MIPS shellcode development, and vulnerability of the process is divided into the following steps of the other platform shellcode development is also similar: the 1. Writing shellcode assembler code from online looking for, or your own writing. 2. Compile, de-compile after extract the shellcode binary code. 3. In c to test the extraction of a binary code. 4. Construct the payload to be tested.

1. Shellcode assembler code structure First the first step, the shellcode write. A typical call to write the c code as: Int main() { char *pstr = “ABCn”; write(1, pstr, 5); } Write a shellcode to write. S . section . text . globl __start . set noreorder __start: addiu $sp,$sp,-32 # raise stack, used to place the parameters

[1] [2] [3] next