Re: Exploring Windows CE Shellcode

From: Tim Hurman (tim.hurman@pentest.co.uk)
Date: Fri Sep 30 2005 - 07:08:13 EDT


On Wed, Sep 28, 2005 at 02:41:55PM +0000, Justin Ferguson wrote:
> Hello Tim,
>
> I am curious - I developed some shellcode for a Zaurus which is also ARM,
> well XScale to be exact, but that's ARM v5 IIRC. Because of it being a Harvard
> arch (separate instruction and data cache for those who are unaware of what
> this is), self-modifying code is made more difficult under XScale.
>

Hi,

I have not had much chance to look at shellcode for Linux on ARM. Under
WinCE, user processes appear to run in privileged mode, allowing the use
of the MCR/MRC instructions that invalidate caches and flush buffers.
According to an ARM/Linux kernel developer I talked to, processes/threads
under Linux do not run in privileged mode. This seems to imply that you
would have to be in kernel mode to call these instructions and get
shellcode to run. You might be lucky and get enough code running to be
able to call a kernel function that flushes the buffers anyway.

> With that said, under Linux the base system call address is 0x90000000,
> which obviously has nulls in it, and in order to counter this I switch one
> byte to be 0xFF and then increment it.
>

You could also generate this value with mov/mvn instructions and shift
values. There are quite a lot of ways to achieve the same thing using ARM
instructions. To get around \0 I send a decoder at the beginning of my
shellcode; this is the only part that cannot contain zero characters.

Rather than having a single base address, each WinCE DLL has its own base
address. Therefore I was able to go through memory and calculate the
symbol address from the base address plus an offset.

> I have not read your paper as of yet, but I am curious how you overcame
> similar problems in your WinCE shellcode? I found the only effective way for
> me to do this was to drain the write buffer/invalidate the caches, but I was
> curious if you have another method.

I found that I did not need to invalidate the caches, since instructions
will not have been read from that area of memory yet. This meant I only
had to flush the write buffer, which is only a 3-instruction command.
However, you do need to be in privileged mode for that. From what I can
see, there is no way around this, as none of the caches or buffers have any
consistency checking with each other.

Hope that helps, it is quite difficult to explain without going into great
detail about WinCE.

Tim

-- 
Tim Hurman - IT Security Consultant - Pentest ltd.
Email disclaimer: http://www.pentest.co.uk/legal.shtml#emailpolicy