Syscalls linux32

.travis.yml

@@ -24,7 +24,8 @@ env:
     - MIASM_TEST_EXTRA_ARG="-o python -t qemu,long"
     - MIASM_TEST_EXTRA_ARG="-o z3"
     - MIASM_TEST_EXTRA_ARG="-o cparser"
-    - MIASM_EXTENTED_TESTS="ls_x64"
+    - MIASM_EXTENTED_TESTS_1="ls_x64"
+    - MIASM_EXTENTED_TESTS_2="shellcode_x86"
 before_script:
 - pip install -r optional_requirements.txt
 # codespell
@@ -36,4 +37,5 @@ before_script:
 - git clone https://github.com/cea-sec/miasm-extended-tests
 script:
   - test -z "$MIASM_TEST_EXTRA_ARG" || (cd test && flags=""; python --version |& grep -q "Python 3" || flags="-W error"; python $flags test_all.py $MIASM_TEST_EXTRA_ARG && git ls-files -o --exclude-standard)
-  - test -z "$MIASM_EXTENTED_TESTS" || (cd "miasm-extended-tests/$MIASM_EXTENTED_TESTS" && ./run.sh "$TRAVIS_BUILD_DIR")
+  - test -z "$MIASM_EXTENTED_TESTS_1" || (cd "miasm-extended-tests/$MIASM_EXTENTED_TESTS_1" && ./run.sh "$TRAVIS_BUILD_DIR")
+  - test -z "$MIASM_EXTENTED_TESTS_2" || (cd "miasm-extended-tests/$MIASM_EXTENTED_TESTS_2" && ./run.sh "$TRAVIS_BUILD_DIR")

example/jitter/simu_sc_linux.py

@@ -0,0 +1,63 @@
+from argparse import ArgumentParser
+from pdb import pm
+from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_INT_XX, EXCEPT_ACCESS_VIOL, EXCEPT_PRIV_INSN
+from miasm.analysis.machine import Machine
+from miasm.os_dep.linux import environment, syscall
+import logging
+
+
+def code_sentinelle(jitter):
+    print("Done")
+    jitter.run = False
+    jitter.pc = 0
+    return True
+
+def priv(jitter):
+    print("Privilege Exception")
+    return False
+
+
+if __name__ == '__main__':
+    parser = ArgumentParser(description="Linux shellcode")
+    parser.add_argument("filename", help="Shellcode filename")
+    parser.add_argument("-j", "--jitter",
+                        help="Jitter engine",
+                        default="python")
+    parser.add_argument("-a", "--arch", help="Architecture (x86_32, \
+            x86_64, arml)", choices=["x86_32", "x86_64", "arml"],
+            default="x86_32")
+    parser.add_argument("--verbose", "-v", action="store_true",
+            help="Verbose mode")
+    args = parser.parse_args()
+
+    myjit = Machine(args.arch).jitter(args.jitter)
+    myjit.init_stack()
+
+
+    data = open(args.filename, 'rb').read()
+    run_addr = 0x40000000
+    myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data)
+    if args.verbose:
+        myjit.set_trace_log()
+    myjit.add_exception_handler(EXCEPT_PRIV_INSN, priv)
+    myjit.add_exception_handler(EXCEPT_ACCESS_VIOL, code_sentinelle)
+
+    # Log syscalls
+    log = logging.getLogger('syscalls')
+    log.setLevel(logging.DEBUG)
+
+    # Enable syscall handling
+    if args.arch == "x86_32":
+        myjit.push_uint32_t(0x1337beef)
+        myjit.add_breakpoint(0x1337beef, code_sentinelle)
+        env = environment.LinuxEnvironment_x86_32()
+        syscall.enable_syscall_handling(myjit, env, syscall.syscall_callbacks_x86_32)
+    elif args.arch == "x86_64":
+        myjit.push_uint64_t(0x1337beef)
+        myjit.add_breakpoint(0x1337beef, code_sentinelle)
+        env = environment.LinuxEnvironment_x86_64()
+        syscall.enable_syscall_handling(myjit, env, syscall.syscall_callbacks_x86_64)
+    else:
+        env = environment.LinuxEnvironment_arml()
+        syscall.enable_syscall_handling(myjit, env, syscall.syscall_callbacks_arml)
+    myjit.run(run_addr)

miasm/os_dep/linux/environment.py

@@ -183,6 +183,9 @@ def __init__(self, number, family, type_, protocol):
         self.type_ = type_
         self.protocol = protocol
 
+    def read(self, count):
+        return b""
+
 
 class FileSystem(object):
     """File system abstraction
@@ -365,6 +368,18 @@ def open_(self, path, flags, follow_link=True):
         fdesc.blocks = (size + ((512 - (size % 512)) % 512)) // 512
         return fd
 
+    def chmod(self, path, mode):
+        """Stub for 'chmod' syscall"""
+        sb_path = self.resolve_path(path)
+        if os.path.exists(sb_path):
+            try:
+                os.chmod(sb_path, mode)
+            except (OverflowError, FileNotFoundError):
+                return -1
+            return 0
+        else:
+            return -1
+
 
 class Networking(object):
     """Network abstraction"""

miasm/os_dep/linux/syscall.py

@@ -68,6 +68,193 @@ def _dump_struct_stat_arml(info):
     return data
 
 
+def sys_x86_32_execve(jitter, linux_env):
+    # int execve(const char *pathname, char *const argv[],
+    #              char *const envp[]);
+    pathname_addr, argv_ptr, envp_addr = jitter.syscall_args_systemv(3)
+    pathname = jitter.get_c_str(pathname_addr)
+    argv = []
+    i = 0
+    argv_addr = jitter.vm.get_u32(argv_ptr)
+    while argv_addr != 0:
+        argv.append(jitter.get_c_str(argv_addr))
+        argv_ptr += 4
+        argv_addr = jitter.vm.get_u32(argv_ptr)
+    envp = []
+    i = 0
+    while envp_addr != 0:
+        envp.append(jitter.get_c_str(envp_addr))
+        i += 4
+        envp_addr = jitter.vm.get_u32(jitter.cpu.EDX+i)
+    log.debug("sys_execve(%s, [%s], [%s])", pathname,
+            ", ".join(argv), ", ".join(envp))
+    jitter.syscall_ret_systemv(0)
+
+
+def sys_x86_64_execve(jitter, linux_env):
+    # int execve(const char *pathname, char *const argv[],
+    #              char *const envp[]);
+    # TODO : merge that into a generic execve
+    pathname_addr, argv_ptr, envp_addr = jitter.syscall_args_systemv(3)
+    pathname = jitter.get_c_str(pathname_addr)
+    argv = []
+    i = 0
+    argv_addr = jitter.vm.get_u64(argv_ptr)
+    while argv_addr != 0:
+        argv.append(jitter.get_c_str(argv_addr))
+        argv_ptr += 8
+        argv_addr = jitter.vm.get_u64(argv_ptr)
+    envp = []
+    i = 0
+    while envp_addr != 0:
+        envp.append(jitter.get_c_str(envp_addr))
+        i += 8
+        envp_addr = jitter.vm.get_u64(jitter.cpu.EDX+i)
+    log.debug("sys_execve(%s, [%s], [%s])", pathname,
+            ", ".join(argv), ", ".join(envp))
+    jitter.syscall_ret_systemv(0)
+
+
+def sys_x86_32_socket(jitter, linux_env):
+    # int socketcall(int call, unsigned long *args)
+    # Redirect to several other socket syscalls
+    # https://github.com/torvalds/linux/blob/master/include/uapi/linux/net.h
+    SOCKET_CALLS = {
+        1: "SYS_SOCKET",
+        2: "SYS_BIND",
+        3: "SYS_CONNECT",
+        4: "SYS_LISTEN",
+        5: "SYS_ACCEPT",
+        14: "SYS_SETSOCKOPT"
+    }
+
+    SOCKET_DOMAINS = {
+        0: "AF_UNSPEC",
+        1: "AF_UNIX",
+        2: "AF_INET",
+        3: "AF_AX25",
+        4: "AF_IPX",
+        5: "AF_APPLETALK",
+        6: "AF_NETROM",
+        7: "AF_BRIDGE",
+        8: "AF_AAL5",
+        9: "AF_X25", #Who cares ?
+        10: "AF_INET6",
+        11: "AF_MAX"
+    }
+
+    SOCKET_TYPE = {
+        1: "SOCK_STREAM",
+        2: "SOCK_DGRAM",
+        3: "SOCK_RAW"
+    }
+
+    if jitter.cpu.EBX not in SOCKET_CALLS.keys():
+        raise NotImplemented("SysCall Not Implemented")
+    if SOCKET_CALLS[jitter.cpu.EBX] == "SYS_SOCKET":
+        # int socket(int domain, int type, int protocol);
+        domain = jitter.vm.get_u32(jitter.cpu.ESP)
+        stype = jitter.vm.get_u32(jitter.cpu.ESP+4)
+        proto = jitter.vm.get_u32(jitter.cpu.ESP+8)
+        fd = linux_env.socket(domain, stype, proto)
+        log.debug("socket(%s, %s, %s)", SOCKET_DOMAINS[domain],
+                SOCKET_TYPE[stype], proto)
+        jitter.syscall_ret_systemv(fd)
+    elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_BIND":
+        # int bind(int sockfd, const struct sockaddr *addr,
+        #         socklen_t addrlen);
+        fd = jitter.vm.get_u32(jitter.cpu.ESP)
+        socklen = jitter.vm.get_u32(jitter.cpu.ESP+8)
+        try:
+            sockaddr = jitter.vm.get_mem(
+                    jitter.vm.get_u32(jitter.cpu.ESP+4),
+                    socklen)
+        except RuntimeError:
+            # Not the exact size because shellcodes won't provide the full struct
+            sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 8)
+        family = struct.unpack("H", sockaddr[0:2])[0]
+        if family == 2:
+            # IPv4
+            port = struct.unpack(">H", sockaddr[2:4])[0]
+            ip = ".".join([str(i) for i in struct.unpack("BBBB", sockaddr[4:8])])
+            log.debug("socket_bind(fd, [%s, %i, %s], %i)", "AF_INET",
+                    port, ip, socklen)
+        elif family == 10:
+            # IPv6
+            port = struct.unpack(">H", sockaddr[2:4])[0]
+            ip = ".".join([str(i) for i in struct.unpack("B"*16, sockaddr[8:24])])
+            log.debug("socket_bind(fd, [%s, %i, %s], %i)", "AF_INET6",
+                    port, ip, socklen)
+        else:
+            log.debug("socket_bind(fd, sockaddr, socklen_t)")
+        jitter.syscall_ret_systemv(0)
+    elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_CONNECT":
+        # int connect(int sockfd, const struct sockaddr *addr,
+        #           socklen_t addrlen);
+        fd = jitter.vm.get_u32(jitter.cpu.ESP)
+        socklen = jitter.vm.get_u32(jitter.cpu.ESP+8)
+        try:
+            sockaddr = jitter.vm.get_mem(
+                    jitter.vm.get_u32(jitter.cpu.ESP+4),
+                    socklen)
+        except RuntimeError:
+            # Not the exact size because shellcodes won't provide the full struct
+            sockaddr = jitter.vm.get_mem(jitter.vm.get_u32(jitter.cpu.ESP+4), 8)
+        family = struct.unpack("H", sockaddr[0:2])[0]
+        if family == 2:
+            # IPv4
+            port = struct.unpack(">H", sockaddr[2:4])[0]
+            ip = ".".join([str(i) for i in struct.unpack("BBBB", sockaddr[4:8])])
+            log.debug("socket_connect(fd, [%s, %i, %s], %i)", "AF_INET",
+                    port, ip, socklen)
+        elif family == 10:
+            port = struct.unpack(">H", sockaddr[2:4])[0]
+            ip = ".".join([str(i) for i in struct.unpack("B"*16, sockaddr[8:24])])
+            log.debug("socket_connect(fd, [%s, %i, %s], %i)", "AF_INET6",
+                    port, ip, socklen)
+        else:
+            log.debug("socket_connect(fd, sockaddr, socklen)")
+        jitter.syscall_ret_systemv(0)
+    elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_LISTEN":
+        #  int listen(int sockfd, int backlog);
+        sockfd = jitter.vm.get_u32(jitter.cpu.ESP)
+        backlog = jitter.vm.get_u32(jitter.cpu.ESP+4)
+        log.debug("socket_listen(%x, %x)", sockfd, backlog)
+        jitter.syscall_ret_systemv(0)
+    elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_ACCEPT":
+        # int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+        sockfd = jitter.vm.get_u32(jitter.cpu.ESP)
+        sockaddr = jitter.vm.get_u32(jitter.cpu.ESP+4)
+        addrlen = jitter.vm.get_u32(jitter.cpu.ESP+8)
+        log.debug("socket_accept(%x, %x, %x)", sockfd, sockaddr, addrlen)
+        jitter.syscall_ret_systemv(0)
+    elif SOCKET_CALLS[jitter.cpu.EBX] == "SYS_SETSOCKOPT":
+        # SYS_SETSOCKOPT
+        # int setsockopt(int sockfd, int level, int optname,
+        #     const void *optval, socklen_t optlen);
+        sockfd = jitter.vm.get_u32(jitter.cpu.ESP)
+        level = jitter.vm.get_u32(jitter.cpu.ESP+4)
+        optname = jitter.vm.get_u32(jitter.cpu.ESP+8)
+        optval_addr = jitter.vm.get_u32(jitter.cpu.ESP+12)
+        optlen = jitter.vm.get_u32(jitter.cpu.ESP+16)
+        log.debug("socket_setsockopt(%x, %x, %x, %x, %x)", sockfd, level, optname,
+                optval_addr, optlen)
+        jitter.syscall_ret_systemv(0)
+    else:
+        raise NotImplemented()
+
+
+def sys_generic_chmod(jitter, linux_env):
+    # int chmod(const char *pathname, mode_t mode);
+    path_addr, mode = jitter.syscall_args_systemv(2)
+    pathname = jitter.get_c_str(path_addr)
+    log.debug("sys_chmod(%s, %x)", pathname, mode)
+
+    # Stub
+    ret = linux_env.filesystem.chmod(pathname, mode)
+    jitter.syscall_ret_systemv(ret)
+
+
 def sys_x86_64_rt_sigaction(jitter, linux_env):
     # Parse arguments
     sig, act, oact, sigsetsize = jitter.syscall_args_systemv(4)
@@ -531,7 +718,12 @@ def sys_generic_write(jitter, linux_env):
 
     # Stub
     data = jitter.vm.get_mem(buf, count)
-    jitter.syscall_ret_systemv(linux_env.write(fd, data))
+    r = linux_env.write(fd, data)
+    if r is None:
+        log.debug("-> write : failed")
+        jitter.syscall_ret_systemv(-1)
+    else:
+        jitter.syscall_ret_systemv(r)
 
 
 def sys_x86_64_getdents(jitter, linux_env):
@@ -614,6 +806,13 @@ def sys_x86_64_newlstat(jitter, linux_env):
         jitter.cpu.RAX = 0
 
 
+def sys_generic_exit(jitter, linux_env):
+    # void exit(int status);
+    status, = jitter.syscall_args_systemv(1)
+    log.debug("sys_exit(%i)", status)
+    jitter.run = False
+
+
 def sys_arml_lstat64(jitter, linux_env):
     # Parse arguments
     filename = jitter.cpu.R0
@@ -821,6 +1020,21 @@ def sys_generic_setgid(jitter, linux_env):
         jitter.syscall_ret_systemv(0)
 
 
+def sys_generic_setreuid(jitter, linux_env):
+    # Parse arguments
+    ruid, euid = jitter.syscall_args_systemv(2)
+    log.debug("sys_setreuid(%x, %x)", ruid, euid)
+
+    # WARNING : no privilege check here
+    # Easy privilege escalation, just ask
+    if ruid > -1:
+        linux_env.user_uid = ruid
+    if euid > -1:
+        linux_env.user_euid = euid
+
+    jitter.syscall_ret_systemv(0)
+
+
 def sys_generic_setuid(jitter, linux_env):
     # Parse arguments
     uid, = jitter.syscall_args_systemv(1)
@@ -899,7 +1113,16 @@ def sys_arml_gettimeofday(jitter, linux_env):
 
 
 syscall_callbacks_x86_32 = {
+    0x1: sys_generic_exit,
+    0x3: sys_generic_read,
+    0x4: sys_generic_write,
+    0x5: sys_generic_open,
+    0xB: sys_x86_32_execve,
+    0xF: sys_generic_chmod,
+    0x46: sys_generic_setreuid,
+    0x66: sys_x86_32_socket,
     0x7A: sys_x86_32_newuname,
+    0x7D: sys_generic_mprotect,
 }
 
 
@@ -925,15 +1148,18 @@ def sys_arml_gettimeofday(jitter, linux_env):
     0x27: sys_x86_64_getpid,
     0x29: sys_x86_64_socket,
     0x2A: sys_x86_64_connect,
+    0x3B: sys_x86_64_execve,
     0x3F: sys_x86_64_newuname,
     0x48: sys_generic_fcntl64,
     0x4E: sys_x86_64_getdents,
     0x59: sys_x86_64_readlink,
+    0x5A: sys_generic_chmod,
     0x63: sys_x86_64_sysinfo,
     0x66: sys_generic_getuid,
     0x68: sys_generic_getgid,
     0x6B: sys_generic_geteuid,
     0x6C: sys_generic_getegid,
+    0x71: sys_generic_setreuid,
     0xE4: sys_x86_64_clock_gettime,
     0x89: sys_x86_64_statfs,
     0x9E: sys_x86_64_arch_prctl,