You are right. There is a bad cast in umod/udiv arguments. I will fix this.
By the way: here is a little script to correctly handle Linux shellcode and syscalls. :warning: Spoiler included!
import struct
from pdb import pm

from miasm2.analysis.sandbox import Sandbox, OS_Linux_str, Arch_x86_32
from miasm2.core.utils import *
from miasm2.jitter.jitload import EXCEPT_INT_XX
class Sandbox_Linux_x86_32_str(Sandbox, Arch_x86_32, OS_Linux_str):
    """Linux x86-32 sandbox for a raw string (shellcode) blob.

    On construction a sentinel return address is pushed on the emulated
    stack and hooked with the Sandbox's ``code_sentinelle`` runtime guard,
    so a ``ret`` out of the blob lands on the guard rather than on
    arbitrary memory.
    """

    def __init__(self, *args, **kwargs):
        Sandbox.__init__(self, *args, **kwargs)
        # Sentinel: the blob's return target, hooked as the runtime guard.
        sentinel = 0x1337beef
        self.jitter.push_uint32_t(sentinel)
        self.jitter.add_breakpoint(sentinel, self.__class__.code_sentinelle)

    def run(self, addr=None):
        """Start emulation at *addr*.

        When *addr* is omitted, fall back to the parsed ``address`` option
        (a hex string) if one was given; otherwise the base class decides.
        """
        if addr is None:
            option_addr = self.options.address
            if option_addr is not None:
                addr = int(option_addr, 16)
        super(Sandbox_Linux_x86_32_str, self).run(addr)
# Command-line parsing: the sandbox class supplies the shared options
# (including the ``address`` that ``run`` consults); only the input file
# is added here.
parser = Sandbox_Linux_x86_32_str.parser(description="str sandboxer")
# NOTE(review): the help text says "PE", but this sandbox loads a raw
# string/shellcode blob (OS_Linux_str) -- the wording looks stale.
parser.add_argument("filename", help="PE Filename")
options = parser.parse_args()
# Create sandbox
# globals() is passed as the third argument, presumably so helpers defined
# in this script are visible to the sandbox -- confirm against
# Sandbox.__init__.
sb = Sandbox_Linux_x86_32_str(options.filename, options, globals())
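# socketcall sub-calls that are stubbed with a canned descriptor (fd 3).
_SOCKETCALL_NAMES = {1: 'SOCKET', 2: 'BIND', 4: 'LISTEN', 5: 'ACCEPT'}


def _socketcall_args(vm, base, count=3):
    """Read *count* consecutive 32-bit socketcall arguments at *base*.

    The socketcall ABI passes a pointer (ECX) to an array of unsigned
    longs; x86-32 is little-endian, so the unpack is explicit rather than
    host-native.
    """
    raw = vm.get_mem(base, 4 * count)
    return list(struct.unpack('<%dI' % count, raw))


def _handle_socketcall(jitter):
    """Stub one ``socketcall`` (syscall 0x66): sub-call in EBX, args at ECX.

    * SOCKET/BIND/LISTEN/ACCEPT -> EAX = 3 (a fake descriptor)
    * SEND (9)  -> print the buffer the blob transmits, EAX = its length
    * RECV (10) -> write a canned reply, truncated to the requested length
                   so the stub never writes past the caller's buffer,
                   EAX = bytes written

    Raises NotImplementedError for any other sub-call.
    """
    cpu, vm = jitter.cpu, jitter.vm
    call, argp = cpu.EBX, cpu.ECX
    print('args %s %s' % (hex(call), hex(argp)))
    if call in _SOCKETCALL_NAMES:
        print(_SOCKETCALL_NAMES[call])
        cpu.EAX = 3
    elif call == 9:
        # send(fd, buf, len, flags): show what would leave the sandbox.
        args = _socketcall_args(vm, argp)
        print([hex(a) for a in args])
        buf = vm.get_mem(args[1], args[2])
        print('BUF sent %s' % repr(buf))
        cpu.EAX = len(buf)
    elif call == 10:
        # recv(fd, buf, len, flags): feed a fixed reply, honouring len.
        print('RECV')
        args = _socketcall_args(vm, argp)
        print([hex(a) for a in args])
        reply = "gotfault"[:args[2]]
        if reply:
            vm.set_mem(args[1], reply)
        print('BUF RECV')
        cpu.EAX = len(reply)
    else:
        # Report the sub-call number (EBX); EAX is always 0x66 here.
        raise NotImplementedError('unknown socketcall %d' % call)


def exception_int(jitter):
    """Service an ``int 0x80`` raised by the emulated shellcode.

    Installed via ``add_exception_handler(EXCEPT_INT_XX, ...)``.  The
    syscall number is read from EAX:

    * 0x66 socketcall -> see ``_handle_socketcall``
    * 1    exit       -> stop the jitter
    * 63   dup2       -> EAX = 8

    Returns True to resume emulation (after clearing the pending
    exception), False to stop it.  Raises NotImplementedError for any
    other syscall.
    """
    cpu = jitter.cpu
    syscall = cpu.EAX
    if syscall == 0x66:
        _handle_socketcall(jitter)
    elif syscall == 0x1:
        print('EXIT')
        # Stop the run here; the exception state is left untouched.
        return False
    elif syscall == 63:
        print("DUP2")
        cpu.EAX = 8
    else:
        raise NotImplementedError('unknown syscall %d' % syscall)
    # Clear the pending INT_XX exception so execution resumes after int 0x80.
    cpu.set_exception(0)
    return True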
def dump_pwd(jitter):
    """Breakpoint callback: print the two ECX-byte buffers at ESI and EDI.

    Prints the ESI buffer first, then the EDI one, and returns True so
    emulation continues.
    """
    cpu, vm = jitter.cpu, jitter.vm
    size = cpu.ECX
    for base in (cpu.ESI, cpu.EDI):
        print(repr(vm.get_mem(base, size)))
    return True
# Route software interrupts (the blob's ``int 0x80`` syscalls) to the stub
# handler defined above.
sb.jitter.add_exception_handler(EXCEPT_INT_XX, exception_int)
# Break at offset 0x80 of the blob and dump the ESI/EDI buffers there --
# presumably the password-compare site (ESI/EDI/ECX fit a string compare);
# confirm against the disassembly and adjust for a different blob.
sb.jitter.add_breakpoint(0x80, dump_pwd)
# Execute from the start of the loaded blob.
sb.run(0x0)
Hi,
Thank you for the fix! The script I gave you is only for testing when I have a problem with my complete script :) I use it on the command line (ipython) to explore the jitter, or at least the memory, to understand what is going wrong.
Hello !
I got a strange Warning with a Linux shellcode.
This is the shellcode :
And this is the testing script I use:
Here is the latest prints :
This shellcode opens a socket (bind, listen, accept), sends a message ("Password: ") and receives a password. In the part where the warning appears, the received password is compared with the expected one and then the shellcode exits (because the password is wrong). I tried to modify the buffer which should contain the received password, but the warning is still there.
Regards
P.S.: If the correct password is set in the buffer, the jump is taken and there is no warning. So I can tell you that this warning occurs on the DIV instruction!