RischardV / Riscv Alphanumeric Shellcoding
Programming Languages
Labels
Projects that are alternatives of or similar to Riscv Alphanumeric Shellcoding
RISC-V: #/'Alphanumeric Shellcoding
By Hаdrien Ваrrаl, Rémi Géraud-Stewart, Georges-Axel Jaloyan, and David Naccache
This work has been presented at WOOT'19 (paper) and DEFCON27 (slides)
Overview
This tool helps design RISC-V (specifically RV64GC) shellcodes capable of running arbitrary code, whose ASCII binary representation
use only letters a–zA–Z, digits 0–9, and either of the three characters: #
, /
, ’
.
It consists of an alphanumeric (+1 character) unpacker. For any target shellcode (non-alphanumeric), the tool will produce an alphanumeric (+1 character) shellcode with the unpacker and the packed version of your shellcode. Run it on a RISC-V simulator/cpu and enjoy!
For a general introduction on RISC-V shellcoding, you may read the blog post by Thomas Karpiniec.
Folder contents:
-
baremetal
: Full source code and QEMU demo for each of the three variants -
fedora
: Demos running on Fedora on QEMU -
hifiveu
: Demos running on the HiFive-Unleashed board -
payload
: Source code of the payloads used -
lists
: How we generated the available instructions -
scripts
/tools
: Various helpers
Quick-try
Building the shellcodes requires to build a RISC-V toolchain from source. We only provide easy-to-test pre-built baremetal shellcodes.
The only prerequisite is having a RISC-V QEMU v4.0.0 or newer https://www.qemu.org/
Then:
cd riscv-alphanumeric-shellcoding/baremetal/prebuilt
-
cat hash.bin
(optional, to print the shellcode) -
sh launch_hash
use Ctrl+A then X to exit -
cat slash.bin
(optional, to print the shellcode) -
sh launch_slash
use Ctrl+A then X to exit -
cat tick.bin
(optional, to print the shellcode) -
sh launch_tick
use Ctrl+A then X to exit
Building && Testing
Start by cloning the repository:
git clone https://github.com/RischardV/riscv-alphanumeric-shellcoding.git
cd riscv-alphanumeric-shellcoding
Prerequisites:
/!\ Warning: unless you are using a rolling-release distribution, you probably will not be able to simply install packages. You will need to install yourself the tools below:
- RISC-V toolchain: install https://github.com/riscv/riscv-gnu-toolchain
- RISC-V QEMU: install QEMU v4.0.0 or newer https://www.qemu.org/
QEMU bare-metal shellcodes
- Build the instructions lists (takes some time)
cd riscv-alphanumeric-shellcoding/baremetal/lists
make
- Build the shellcodes
cd riscv-alphanumeric-shellcoding/baremetal/hash
make
cd riscv-alphanumeric-shellcoding/baremetal/slash
make
cd riscv-alphanumeric-shellcoding/baremetal/tick
make
- Run the shellcodes
cd riscv-alphanumeric-shellcoding/baremetal/hash
-
cat shellcode.bin
(optional, to print the shellcode) -
sh l
use Ctrl+A then X to exit cd riscv-alphanumeric-shellcoding/baremetal/slash
-
cat shellcode.bin
(optional, to print the shellcode) -
sh l
use Ctrl+A then X to exit cd riscv-alphanumeric-shellcoding/baremetal/tick
-
cat shellcode.bin
(optional, to print the shellcode) -
sh l
use Ctrl+A then X to exit Expected results: The string "Hello, world!" should print on the screen.
QEMU Linux shellcodes
Prerequisites: A Fedora 28 Linux image running in a QEMU riscv environment (see here and here).
- Build the shellcodes
cd riscv-alphanumeric-shellcoding/fedora
make
- Run the shellcodes
-
Start your Fedora RISC-V virtual machine
-
From the host: Send the compiled files
riscv-alphanumeric-shellcoding/fedora/{out,build/vuln.bin}
to the virtual machine (e.g. using scp) -
On the guest Fedora VM: run the shellcodes using:
- Hello word shellcodes:
-
./vuln.bin < out/hello_hash.txt
for the 'hash' flavored shellcode -
./vuln.bin < out/hello_slash.txt
for the 'slash' flavored shellcode -
./vuln.bin < out/hello_tick.txt
for the 'tick' flavored shellcode
-
Expected results: the string "Hello, world from shellcode!\n" should print on stdout
- Execve /bin/sh shellcodes:
-
(cat out/shell_hash.txt; echo ""; cat) | ./vuln.bin
for the 'hash' flavored shellcode -
(cat out/shell_slash.txt; echo ""; cat) | ./vuln.bin
for the 'slash' flavored shellcode -
(cat out/shell_tick.txt; echo ""; cat) | ./vuln.bin
for the 'tick' flavored shellcode
-
Expected results: a shell should spawn with no prompt. To test it, type any command (e.g.
id
) and press enter. To exit the shell, type exit and then press enter.- Printing /etc/shadow shellcodes:
-
./vuln.bin < out/shadow_hash.txt
for the 'hash' flavored shellcode -
./vuln.bin < out/shadow_slash.txt
for the 'slash' flavored shellcode -
./vuln.bin < out/shadow_tick.txt
for the 'tick' flavored shellcode
-
Expected results: the contents of the shadow file should be printed on stdout
- Custom payloads (section 5.3 of the paper). You may modify the payload located in the
riscv_alphanumeric/payload
directory.
- Hello word shellcodes:
-
HiFive Unleashed Linux shellcodes
Prerequisites:
-
A HiFive-Unleashed board: https://www.sifive.com/boards/hifive-unleashed
-
The HiFive toolchain: https://github.com/sifive/freedom-u-sdk
-
Build the shellcodes
cd riscv-alphanumeric-shellcoding/hifiveu
make
Running instructions are very similar to QEMU Linux shellcodes above. Refer to them.
Documentation
Our academic paper gives a lot of details about design choices. We encourage you to read it if you want to understand how the code works.
License
This tool is released under MIT license. See LICENSE
file.