
VX32 library example

commit 8df12f8289f55d6dce903606ef90170c1ab7c033 1 parent aae2b48
@majek authored
Showing with 179 additions and 0 deletions.
  1. +48 −0 Makefile
  2. +7 −0 payload.c
  3. +124 −0 vx32example.c
48 Makefile
@@ -0,0 +1,48 @@
+VX32DIR = vx32/src
+VXCDIR=$(VX32DIR)/libvxc
+
+CC = gcc
+LD = $(CC)
+LDFLAGS =
+CFLAGS = -Wall -I$(VX32DIR)
+
+OBJS = \
+ vx32example.o \
+ $(VX32DIR)/libvx32/libvx32.a \
+
+VX32_CC = $(CC)
+VX32_CFLAGS = -m32 -Wall -O2 -Wl,-melf_i386 -nostdlib -mfp-ret-in-387 \
+ -I$(VXCDIR)/include -L$(VXCDIR)
+VX32_LIBS=$(VXCDIR)/vx32/crt0.o -lc -lgcc
+
+all: $(VX32DIR) vx32example payload
+ @echo "[*] Running untrusted code inside vx32"
+ ./vx32example ./payload
+
+vx32example: $(OBJS)
+ $(LD) $(LDFLAGS) -o $@ $^
+
+payload: $(VXCDIR)/vx32/crt0.o $(VXCDIR)/libc.a payload.c
+ $(VX32_CC) $(VX32_CFLAGS) \
+ -o payload payload.c \
+ $(VX32_LIBS)
+
+
+$(VX32DIR):
+ hg clone http://hg.pdos.csail.mit.edu/hg/vx32/
+
+
+$(VX32DIR)/libvx32/libvx32.a:
+ make -C $(VX32DIR) libvx32/libvx32.a
+
+$(VXCDIR)/vx32/crt0.o:
+ make -C $(VX32DIR) libvxc/vx32/crt0.o
+
+$(VXCDIR)/libc.a:
+ make -C $(VX32DIR) libvxc/libc.a
+
+clean:
+ make -C $(VX32DIR) clean
+ rm -f *.o payload vx32example
+
+
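Review bot: The `$(VX32DIR)` rule fetches vx32 with `hg clone http://hg.pdos.csail.mit.edu/hg/vx32/`, over plain HTTP and at whatever the tip happens to be, and that tree is then built into `libvx32.a`, which is the trusted side of the sandbox. Anyone able to alter the transfer, or any later upstream change, silently changes the monitor that is supposed to confine `payload`. I would pin a reviewed changeset, e.g. `hg clone -r <PINNED_REV> http://hg.pdos.csail.mit.edu/hg/vx32/`, and use an authenticated transport if the host offers one. Separately, `all` runs `./vx32example ./payload` as part of the build; a dedicated `run` target would keep building and executing apart.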
7 payload.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+ printf("Hello world from untrusted binary!\n");
+ return(0);
+}
124 vx32example.c
@@ -0,0 +1,124 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "libvx32/vx32.h"
+#include "libvx32/args.h"
+
+#define syscall xxxsyscall // don't redefine 'syscall' function. FIXME
+#include "libvxc/syscall.h"
+
+void syscall_brk(vxproc *proc);
+
+int main(int argc, char *argv[]) {
+ if (argc != 2) {
+ printf("Usage: %s elf_binary\n", argv[0]);
+ abort();
+ }
+ char *elf_filename = argv[1];
+
+
+ int result = 0;
+ struct vxproc *p;
+
+ vx32_siginit();
+
+ p = vxproc_alloc();
+
+ const char *p_argv[] = {elf_filename, NULL};
+ const char *p_env[] = {NULL, NULL};
+
+ int r = vxproc_loadelffile(p, elf_filename, p_argv, p_env);
+ if(r < 0) {
+ printf("vxproc_loadelffile(\"%s\")\n", elf_filename);
+ result = -1;
+ goto out;
+ }
+
+ for (;;) {
+ int rc = vxproc_run(p);
+ switch(rc) {
+ case VXTRAP_SYSCALL:
+ switch(p->cpu->reg[EAX]) {
+ case VXSYSBRK:
+ syscall_brk(p);
+ break;
+
+ case VXSYSEXIT:
+ printf("exited with %i\n", p->cpu->reg[EDX]);
+ goto out;
+ case VXSYSSTAT:
+ case VXSYSFSTAT:
+ p->cpu->reg[EAX] = -EINVAL;
+ break;
+ case VXSYSWRITE: {
+ uint32_t addr = p->cpu->reg[ECX];
+ uint32_t len = p->cpu->reg[EBX];
+ int r = 0;
+ if (!vxmem_checkperm(p->mem, addr, len,
+ VXPERM_READ, NULL)) {
+ r = -EINVAL;
+ } else {
+ vxmmap *m = vxmem_map(p->mem, 0);
+ r = printf("%s", (char*)m->base + addr);
+ }
+ p->cpu->reg[EAX] = r;
+ break; }
+ default:
+ printf("bad syscall %#x\n", p->cpu->reg[EAX]);
+ result = -1;
+ goto out;
+ }
+ break;
+
+ default:
+ printf("vxproc_run trap %#x\n", rc);
+ result = -1;
+ goto out;
+ }
+ }
+
+out:
+ vxproc_free(p);
+ return result;
+}
+
+
+
+/* Don't worry about this one, it's usually a boilerplate. */
+void syscall_brk(vxproc *proc) {
+ uint32_t arg1 = proc->cpu->reg[EDX];
+ uint32_t oaddr;
+ uint32_t addr = arg1;
+ uint32_t inc = 1<<20;
+ int ret = 0;
+ vxmmap *m = vxmem_map(proc->mem, 0);
+
+ addr = (addr + inc - 1) & ~(inc - 1);
+ oaddr = m->size;
+ if(addr == oaddr) {
+ ret = 0;
+ goto out;
+ }
+
+ if(addr > m->size) {
+ ret = vxmem_resize(proc->mem, addr);
+ if(ret < 0) {
+ printf("sbrk failed. caller will be unhappy!\n");
+ ret = -EINVAL;
+ goto out;
+ }
+ }
+ if (ret >= 0) {
+ if (addr > oaddr) {
+ ret = vxmem_setperm(proc->mem, oaddr, addr - oaddr,
+ VXPERM_READ|VXPERM_WRITE);
+ if(ret < 0) {
+ printf("setperm is failing!\n");
+ ret = -EINVAL;
+ goto out;
+ }
+ }
+ }
+out:;
+ proc->cpu->reg[EAX] = ret;
+}
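Review bot: In the `VXSYSWRITE` case the permission check covers `len` bytes at `addr`, but the output call `printf("%s", (char*)m->base + addr)` ignores `len` and reads until it finds a NUL. A guest that passes an unterminated buffer makes the host read past the checked range, possibly past the guest mapping into the monitor's own memory, and print it. Write exactly the checked length instead, `r = (int)fwrite((char*)m->base + addr, 1, len, stdout);`, and check the `vxmem_map` result before dereferencing it (it looks like it can return NULL; confirm against vx32.h). The results of `vxproc_alloc` in `main` and `vxmem_map` in `syscall_brk` are used unchecked in the same way.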