Re: Exploring Windows CE Shellcode

From: Nicolas RUFF (nicolas.ruff@gmail.com)
Date: Tue Oct 04 2005 - 04:53:52 EDT

• Next message: anonymous1@anonymous.com: "scanrand ver 2"
• Previous message: BSK: "[PT] Load Balancers?"
• In reply to: Justin Ferguson: "Re: Exploring Windows CE Shellcode"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> I am curious- I developed some shellcode for a zaurus which is also arm,
> well xscale to be exact but thats arm v5 IIRC. Because of it being a harvard
> arch (seperate instruction and data cache for those who are unaware of what
> this is), self-modifying code is made more difficult under xscale.
>
> With that said, under linux the base system call address is 0x90000000,
> which obviously has null's in it and in order to counter this I switch one
> byte to be 0xFF and then incremented it.
>
> I have not read your paper as of yet, but I am curious how you overcame
> similar problems in your WinCE shellcode? I found the only effective way for
> me to do this was to drain the write buffer/invalidate the caches, but I was
> curious if have another method.

        Hello,

I guess you should take time to read Tim's paper, for it is very good
(maybe better than Phrack #63-6 ?).

Tim is flushing the cache using the following instruction :
"mcr p15, 0, r7, c7, c10, 4"

I am no expert of ARM Linux (I prefer Windows Mobile :), but Phil (the
creator of ShellForge, who worked on ARM shellcodes) told me once that
encoding and decoding of Linux syscalls is not a problem !

It seems that on ARM Linux, the kernel is getting the syscall number by
peeking at the opcode that raised the call. Since the "read" instruction
will get data from the data cache, not the instruction cache, your
decoded syscall should work "out of the box" !

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: anonymous1@anonymous.com: "scanrand ver 2"
• Previous message: BSK: "[PT] Load Balancers?"
• In reply to: Justin Ferguson: "Re: Exploring Windows CE Shellcode"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:02 EDT