nockty/riscv-alphanumeric-shellcoding

Alphanumeric+1 shellcoding tools for RISC-V

SSI project

This fork contains a Python application and a vulnerable C code for the mini demo of our SSI project.

Our code is located in several folders:

• fedora/python_chat for the Python app.
• fedora/main.c for the vulnerable C code.
• payload/payload_linux_etc_shadow.c for the shellcode.

Here is the scenario: the QEMU RISC-V linux emulator is supposed to be the victim's phone. It contains sensitive information in /root/very_sensitive_data. The Python application is a messaging app where users can share URLs. The application then gives a description of the URL by using some optimized, vulnerable C code. To get a URL, the victim must set up a server (python3 server.py localhost 8080). The attacker must connect to this server (python3 client.py localhost 8080, can be run on QEMU to make life easier, but we could use port forwarding to run it from the host). For this demo, only the attacker can send messages to the victim. To send an URL to be processed, the attacker must send @URL:<some_url> with a valid URL (only alphanumeric characters and / and .). The URL is then processed by the vulnerable C code and its description should be displayed in the chat.

About the C code

The C code should display a short description of the URL being processed. When the attacker sends the out/shadow_slash.txt payload instead, the content of /root/very_sensitive_data is displayed. The C code is coded to have the same vulnerability as the C code in the original repository.

Original README below

RISC-V: #/'Alphanumeric Shellcoding

By Hаdrien Ваrrаl, Rémi Géraud-Stewart, Georges-Axel Jaloyan, and David Naccache

This work has been presented at WOOT'19 (paper) and DEFCON27 (slides)

Overview

This tool helps design RISC-V (specifically RV64GC) shellcodes capable of running arbitrary code, whose ASCII binary representation use only letters a–zA–Z, digits 0–9, and either of the three characters: #, /, ’.

It consists of an alphanumeric (+1 character) unpacker. For any target shellcode (non-alphanumeric), the tool will produce an alphanumeric (+1 character) shellcode with the unpacker and the packed version of your shellcode. Run it on a RISC-V simulator/cpu and enjoy!

For a general introduction on RISC-V shellcoding, you may read the blog post by Thomas Karpiniec.

Folder contents:

• baremetal: Full source code and QEMU demo for each of the three variants
• fedora: Demos running on Fedora on QEMU
• hifiveu: Demos running on the HiFive-Unleashed board
• payload: Source code of the payloads used
• lists: How we generated the available instructions
• scripts / tools: Various helpers

Quick-try

Building the shellcodes requires to build a RISC-V toolchain from source. We only provide easy-to-test pre-built baremetal shellcodes.

The only prerequisite is having a RISC-V QEMU v4.0.0 or newer https://www.qemu.org/

Then:

• cd riscv-alphanumeric-shellcoding/baremetal/prebuilt
• cat hash.bin (optional, to print the shellcode)
• sh launch_hash use Ctrl+A then X to exit
• cat slash.bin (optional, to print the shellcode)
• sh launch_slash use Ctrl+A then X to exit
• cat tick.bin (optional, to print the shellcode)
• sh launch_tick use Ctrl+A then X to exit

Building && Testing

Start by cloning the repository:

git clone https://github.com/RischardV/riscv-alphanumeric-shellcoding.git
cd riscv-alphanumeric-shellcoding

Prerequisites:

/!\ Warning: unless you are using a rolling-release distribution, you probably will not be able to simply install packages. You will need to install yourself the tools below:

• RISC-V toolchain: install https://github.com/riscv/riscv-gnu-toolchain
• RISC-V QEMU: install QEMU v4.0.0 or newer https://www.qemu.org/

QEMU bare-metal shellcodes

• Build the instructions lists (takes some time)
  • cd riscv-alphanumeric-shellcoding/baremetal/lists
  • make
• Build the shellcodes
  • cd riscv-alphanumeric-shellcoding/baremetal/hash
  • make
  • cd riscv-alphanumeric-shellcoding/baremetal/slash
  • make
  • cd riscv-alphanumeric-shellcoding/baremetal/tick
  • make
• Run the shellcodes
  • cd riscv-alphanumeric-shellcoding/baremetal/hash
  • cat shellcode.bin (optional, to print the shellcode)
  • sh l use Ctrl+A then X to exit
  • cd riscv-alphanumeric-shellcoding/baremetal/slash
  • cat shellcode.bin (optional, to print the shellcode)
  • sh l use Ctrl+A then X to exit
  • cd riscv-alphanumeric-shellcoding/baremetal/tick
  • cat shellcode.bin (optional, to print the shellcode)
  • sh l use Ctrl+A then X to exit Expected results: The string "Hello, world!" should print on the screen.

QEMU Linux shellcodes

Prerequisites: A Fedora 28 Linux image running in a QEMU riscv environment (see here and here).

• Build the shellcodes
  • cd riscv-alphanumeric-shellcoding/fedora
  • make
• Run the shellcodes

  • Start your Fedora RISC-V virtual machine

  • From the host: Send the compiled files riscv-alphanumeric-shellcoding/fedora/{out,build/vuln.bin} to the virtual machine (e.g. using scp)

  • On the guest Fedora VM: run the shellcodes using:

    • Hello word shellcodes:
      • ./vuln.bin < out/hello_hash.txt for the 'hash' flavored shellcode
      • ./vuln.bin < out/hello_slash.txt for the 'slash' flavored shellcode
      • ./vuln.bin < out/hello_tick.txt for the 'tick' flavored shellcode

    Expected results: the string "Hello, world from shellcode!\n" should print on stdout

    • Execve /bin/sh shellcodes:
      • (cat out/shell_hash.txt; echo ""; cat) | ./vuln.bin for the 'hash' flavored shellcode
      • (cat out/shell_slash.txt; echo ""; cat) | ./vuln.bin for the 'slash' flavored shellcode
      • (cat out/shell_tick.txt; echo ""; cat) | ./vuln.bin for the 'tick' flavored shellcode

    Expected results: a shell should spawn with no prompt. To test it, type any command (e.g. id) and press enter. To exit the shell, type exit and then press enter.

    • Printing /etc/shadow shellcodes:
      • ./vuln.bin < out/shadow_hash.txt for the 'hash' flavored shellcode
      • ./vuln.bin < out/shadow_slash.txt for the 'slash' flavored shellcode
      • ./vuln.bin < out/shadow_tick.txt for the 'tick' flavored shellcode

    Expected results: the contents of the shadow file should be printed on stdout

    • Custom payloads (section 5.3 of the paper). You may modify the payload located in the riscv_alphanumeric/payload directory.

HiFive Unleashed Linux shellcodes

Prerequisites:

• A HiFive-Unleashed board: https://www.sifive.com/boards/hifive-unleashed

• The HiFive toolchain: https://github.com/sifive/freedom-u-sdk

• Build the shellcodes

  • cd riscv-alphanumeric-shellcoding/hifiveu
  • make

Running instructions are very similar to QEMU Linux shellcodes above. Refer to them.

Documentation

Our academic paper gives a lot of details about design choices. We encourage you to read it if you want to understand how the code works.

Link to paper

License

This tool is released under MIT license. See LICENSE file.