Re: Exploring Windows CE Shellcode

From: Nicolas RUFF (nicolas.ruff_at_gmail.com)
Date: 10/04/05

Date: Tue, 04 Oct 2005 10:53:52 +0200
To: pen-test@securityfocus.com

> I am curious. I developed some shellcode for a Zaurus, which is also ARM,
> well, XScale to be exact, but that's ARM v5 IIRC. Because it is a Harvard
> architecture (separate instruction and data cache, for those who are unaware of what
> this is), self-modifying code is made more difficult under XScale.
>
> With that said, under Linux the base system call address is 0x90000000,
> which obviously has nulls in it, and in order to counter this I switched one
> byte to be 0xFF and then incremented it.
>
> I have not read your paper as of yet, but I am curious how you overcame
> similar problems in your WinCE shellcode? I found the only effective way for
> me to do this was to drain the write buffer/invalidate the caches, but I was
> curious if you have another method.

Hello,

I guess you should take time to read Tim's paper, for it is very good
(maybe better than Phrack #63-6?).

Tim is flushing the cache using the following instruction:
"mcr p15, 0, r7, c7, c10, 4"

I am no expert on ARM Linux (I prefer Windows Mobile :), but Phil (the
creator of ShellForge, who worked on ARM shellcodes) told me once that
encoding and decoding of Linux syscalls is not a problem!

It seems that on ARM Linux, the kernel is getting the syscall number by
peeking at the opcode that raised the call. Since the "read" instruction
will get data from the data cache, not the instruction cache, your
decoded syscall should work "out of the box"!

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR
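An added example, not code from this thread or from Tim's paper: a small Python decoder for 32-bit ARM MCR/MRC instruction words that names the CP15 c7 operation, so an analyst triaging an ARM code blob can recognise cache-maintenance instructions such as the "mcr p15, 0, r7, c7, c10, 4" quoted above. The CP15_C7_OPS table covers only a few ARMv5/XScale-era operations and the sample blob is constructed for the demonstration.

```python
import struct

# Subset of CP15 c7 cache/write-buffer operations (ARMv5 / XScale era),
# keyed by (CRm, opc2). Names follow the ARM Architecture Reference Manual;
# this is a lookup aid for triage, not an exhaustive table.
CP15_C7_OPS = {
    (5, 0): "invalidate entire I-cache",
    (6, 0): "invalidate entire D-cache",
    (7, 0): "invalidate both caches",
    (10, 1): "clean D-cache line by MVA",
    (10, 4): "drain write buffer",
    (14, 1): "clean and invalidate D-cache line by MVA",
}

def decode_coproc(word):
    """Return the fields of an MCR/MRC word, or None if it is not one."""
    # bits 27..24 == 0b1110 and bit 4 == 1 identify MCR/MRC (bit 4 == 0 is CDP).
    # cond == 0xF (bits 31..28) is the unconditional MCR2/MRC2 form; same fields.
    if (word >> 24) & 0xF != 0xE or not (word >> 4) & 1:
        return None
    return {
        "cond":   (word >> 28) & 0xF,
        "mnem":   "mrc" if (word >> 20) & 1 else "mcr",
        "opc1":   (word >> 21) & 0x7,
        "crn":    (word >> 16) & 0xF,
        "rt":     (word >> 12) & 0xF,
        "coproc": (word >> 8) & 0xF,
        "opc2":   (word >> 5) & 0x7,
        "crm":    word & 0xF,
    }

def is_cp15_c7_write(d):
    """True for an MCR to coprocessor 15, register c7 (cache maintenance)."""
    return d is not None and d["mnem"] == "mcr" and d["coproc"] == 15 and d["crn"] == 7

def describe(word):
    """Assembler-style text for an MCR/MRC word, annotated when it is CP15 c7."""
    d = decode_coproc(word)
    if d is None:
        return None
    text = "%s p%d, %d, r%d, c%d, c%d, %d" % (
        d["mnem"], d["coproc"], d["opc1"], d["rt"], d["crn"], d["crm"], d["opc2"])
    if is_cp15_c7_write(d):
        text += "  ; CP15 c7: " + CP15_C7_OPS.get((d["crm"], d["opc2"]), "cache maintenance")
    return text

def scan_cp15_c7(blob):
    """Offsets of CP15 c7 maintenance MCRs in a little-endian, word-aligned ARM blob."""
    return [off for off in range(0, len(blob) - 3, 4)
            if is_cp15_c7_write(decode_coproc(struct.unpack_from("<I", blob, off)[0]))]

# Constructed sample: mov r7, #0 ; mcr p15, 0, r7, c7, c10, 4 ; mov r0, r0 (nop)
SAMPLE_BLOB = struct.pack("<III", 0xE3A07000, 0xEE077F9A, 0xE1A00000)
```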


