Merge pull request #11 from shaymargolis/more-stuff

shellblocks: primitive: Use mno-shared to avoid use of $gp

Author: shaymargolis

shellblocks/primitives/print.py

@@ -5,7 +5,7 @@ class ShellcodePrimitivePrint(ShellcodePrimitive):
     def __init__(self, nickname: str, print_function: int, print_string: str):
         super().__init__(
             nickname,
-            ["print.S", "utils.h"],
+            ["print.S", "utils_asm.h"],
             "print.S",
             "print.h"
         )

shellblocks/shellcode_primitive.py

@@ -50,6 +50,7 @@ def generate(self, path: Path):
             "mips-linux-gnu-gcc-9",
             "-nostdlib",
             "-ffreestanding",
+            "-mno-shared",
             "-c", self.sources[0],
             "-o", "final.o",
             "-O3"

shellblocks/src/goto.S

@@ -1,5 +1,7 @@
 #include "goto.h"
 
+.set noreorder
+
 .global start
 start:
     lui $v0, %hi(GOTO_ADDRESS)

shellblocks/src/print.S

@@ -1,18 +1,18 @@
 #include "print.h"
+#include "utils_asm.h"
+
+.set noreorder
 
 .global start
 start:
     // Save $ra
     addiu $sp, -4
     sw $ra, 0($sp)
 
-    // Get $pc using bal
-    bal code
-    nop
-code:
-    // bal somehow compiles to "bal + nop" so 2 opcodes
-    addiu $a0, $ra, (print_string - code + 4)
-    nop
+    // Calculate address of `print_string`
+    // relative to current $pc
+    GET_PC($v0)
+    GET_ADDRESS($a0, print_string, $v0)
 
     lui $v0, %hi(PRINT_FUNCTION_ADDRESS)
     addiu $v0, %lo(PRINT_FUNCTION_ADDRESS)
@@ -27,10 +27,12 @@ code:
     // Jump over the printed string, to ensure we can run
     // another primitive after this one.
     b end_of_code
+    nop
 
 print_string:
     .asciiz PRINT_STRING
     .align 2
 
 end_of_code:
     nop
+

shellblocks/src/utils_asm.h

@@ -0,0 +1,14 @@
+#ifndef SHELLCODE_BLOCKS_UTILS_ASM_H
+#define SHELLCODE_BLOCKS_UTILS_ASM_H
+
+#define GET_PC(dst) \
+    bal get_ip_reference; \
+    nop; \
+get_ip_reference:       \
+    move dst, $ra
+
+#define GET_ADDRESS(dst, label, base) \
+    move dst, base; \
+    addiu dst, (label - get_ip_reference)
+
+#endif // !SHELLCODE_BLOCKS_UTILS_ASM_H

tests/test_jump_hook.py

@@ -9,6 +9,12 @@
 SECTOR_SIZE = 0x2000
 
 
+@pytest.mark.parametrize('shellcode_run_addr', [
+    (0x82000010),
+    (0xbc100010),
+    (0xbcd00010),
+    (0x91100118),
+])
 @pytest.mark.parametrize('jump_hook_location', [
     0x81000010,
     0xbc000010,
@@ -21,11 +27,12 @@
     0xbcf00070,
     0x910f0218,
 ])
-def test_jump_hook_sanity(temp_dir_path, jump_hook_location, jump_hook_goto):
+def test_jump_hook_sanity(temp_dir_path, shellcode_run_addr, jump_hook_location, jump_hook_goto):
     # Generate shellcode
     # ------------------
     shellcode_address = 0xbfc00000
     jump_hook_sector = int(jump_hook_location/SECTOR_SIZE) * SECTOR_SIZE
+    shellcode_run_sector = int(shellcode_run_addr/SECTOR_SIZE) * SECTOR_SIZE
 
     step = ShellcodeStep(
         "first_step",
@@ -57,15 +64,15 @@ def test_jump_hook_sanity(temp_dir_path, jump_hook_location, jump_hook_goto):
     # --------------------
 
     mu = Uc(UC_ARCH_MIPS, UC_MODE_32 | UC_MODE_BIG_ENDIAN)
-    mu.mem_map(shellcode_address, 0x2000)
+    mu.mem_map(shellcode_run_sector, 0x2000)
     mu.mem_map(jump_hook_sector, 0x2000)
 
     # write machine code to be emulated to memory
-    mu.mem_write(shellcode_address, shellcode)
+    mu.mem_write(shellcode_run_addr, shellcode)
     mu.mem_write(jump_hook_sector, b"\x00" * 0x1000)
 
     # emulate code in infinite time & unlimited instructions
-    mu.emu_start(shellcode_address, shellcode_address + len(shellcode))
+    mu.emu_start(shellcode_run_addr, shellcode_run_addr + len(shellcode))
 
     assert mu.mem_read(jump_hook_location, len(EXPECTED_HOOK)) == EXPECTED_HOOK
     assert mu.mem_read(jump_hook_location+len(EXPECTED_HOOK), 1) == (b"\x00")