Penetration Testing mailing list archives
Re: Exploring Windows CE Shellcode
From: Tim Hurman <tim.hurman () pentest co uk>
Date: Fri, 30 Sep 2005 12:08:13 +0100
On Wed, Sep 28, 2005 at 02:41:55PM +0000, Justin Ferguson wrote:
> Hello Tim, I am curious: I developed some shellcode for a Zaurus, which is also ARM, well, XScale to be exact, but that's ARM v5 IIRC. Because of it being a Harvard arch (separate instruction and data cache, for those who are unaware of what this is), self-modifying code is made more difficult under XScale.
Hi, I have not had much chance to look at shellcode for Linux on ARM. Under WinCE, user processes appear to run in privileged mode, allowing the use of the MCR/MRC instructions that invalidate caches and flush buffers. According to an ARM/Linux kernel developer I talked to, processes/threads under Linux do not run in privileged mode. This seems to imply that you would have to be in kernel mode to call these instructions and get shellcode to run. You might be lucky and get enough code running to be able to call a kernel function that flushes the buffers anyway.
> With that said, under Linux the base system call address is 0x90000000, which obviously has nulls in it, and in order to counter this I switch one byte to be 0xFF and then increment it.
You could also generate this value with mov/mvn instructions and shift values. There are quite a lot of ways to achieve the same thing using ARM instructions. To get around \0 I send a decoder at the beginning of my shellcode; this is the only part that cannot contain zero characters. Rather than having a single base address, each WinCE DLL has its own base address. Therefore I was able to go through memory and calculate the symbol address from the base address plus an offset.
> I have not read your paper as of yet, but I am curious how you overcame similar problems in your WinCE shellcode? I found the only effective way for me to do this was to drain the write buffer/invalidate the caches, but I was curious if you have another method.
I found that I did not need to invalidate the caches, since instructions will not have been read from that area of memory yet. This meant I only had to flush the write buffer, which is only a 3-instruction command. However, you do need to be in privileged mode for that. From what I can see, there is no way around this, as none of the caches or buffers have any consistency checking with each other. Hope that helps; it is quite difficult to explain without going into great detail about WinCE.

Tim

--
Tim Hurman - IT Security Consultant - Pentest ltd.
Email disclaimer: http://www.pentest.co.uk/legal.shtml#emailpolicy