Christopher SHEPHERD cshepherd

  • Brown, Everett, and Lewis, Inc
  • Florida
@cshepherd
cshepherd / m122.conf
Created August 30, 2023 16:39
IBM M122 Soarer's Firmware configuration for MacOS
remapblock
# EXTRA_F1 is macro below to take a screenshot
EXTRA_F2 ESC
EXTRA_F3 app
LALT lgui # map both Alts to command keys
RALT rgui # map both Alts to command keys
LANG_4 lalt # center of dpad is option key
EUROPE_1 backslash # backslash left of enter/field exit
EUROPE_2 back_quote # extra backquote to right of shift button
@cshepherd
cshepherd / ppc-stack-attacks-3.txt
Created May 12, 2023 22:03
PowerPC Stack Attacks Part 3, 6/5/2000
PowerPC Stack Attacks, Part 3 - June 5, 2000
Christopher A Shepherd <cshepher@linux-florida.com>
In the last installment, we got pretty close, developing our own eggshell code, with one little problem: it had zeroes in it. Of course, strcpy(), gets(), and all our other favorite insecure functions are going to choke on those zeroes, so we must do what we can to get around having zeroes in our code. The horrifying explanation follows here.
First, a look at the original code:
100003e4: 48 00 00 30 b 10000414 <.ahead>
100003e8 <.back>:
100003e8: 7c 08 02 a6 mflr r0
100003ec: 7c 01 03 78 mr r1,r0
@cshepherd
cshepherd / ppc-stack-attacks-2.txt
Created May 12, 2023 22:03
PowerPC Stack Attacks Part 2, 6/1/2000
PowerPC Stack Attacks, Part 2 - June 1, 2000
Christopher A Shepherd <cshepher@linux-florida.com>
In the last episode, we showed that it was possible to overwrite the return address with careful stack manipulation and execute the code of our choice. In this installment, we'll dig a bit deeper and write our own PowerPC eggshell code.
The first thing we want to do (and again folks, this really is a carbon copy of Aleph1's Intel-based explanation) is to run a sample program that spawns a shell, because presumably that's what our evil code will do. Thus:
#include <stdio.h>
void main() {
char *name[2];
@cshepherd
cshepherd / ppc-stack-attacks-1.txt
Last active May 12, 2023 22:06
PowerPC Stack Attacks Part 1, 5/31/2000
PowerPC Stack Attacks, Part 1 - May 31, 2000
Christopher A Shepherd <cshepher@linux-florida.com>
Introduction
This assumes the reader's familiarity with buffer-overflow attacks on the Intel architecture, and introduces the reader to the possibility of doing the same on the PowerPC. If you're not familiar with this, have a look at Phrack 49. Essentially, the return address is saved at the top of the stack frame, and data written below the return address can overwrite the return address, allowing us to execute evil code.
PowerPC Errata
Buffer overflow attacks have been easy to write for the Intel architecture, in part because function calls are implemented with the 'call' opcode, which saves the calling address on the stack, to be retrieved later when the function exits. But as we see here, this may not actually be the case on the PPC.
A typical ppc function call is executed with the 'blr' instruction, which saves the caller's return address to a special-purpose register called the 'link register.' If it wer

Keybase proof

I hereby claim:

  • I am cshepherd on github.
  • I am cshepherdfr (https://keybase.io/cshepherdfr) on keybase.
  • I have a public key ASAoTA-wtihbyFwZ4PLJ13ArnDEVq-cSyZnmJnQg-6RHXwo

To claim this, I am signing this object:

@cshepherd
cshepherd / viewc1.asm
Created August 22, 2018 14:59
Display Apple IIgs SHR image on IBM PC/AT (286 assembly + VGA card) - Me, 1993
P286
; Code to view an Apple //GS 320x200x256 picture ($C1)
; Format is as follows:
; $0000-$7CFF Picture data, in nibbles. Each nibble has the value of
; 1-16, specifying a color in the palette assigned to that
; line.
; $7D00-$7DC7 Scanline Control Bytes. There are 200 of these, one for
; each scanline. They are byte values, and break down like this:
; Bits 0-3: Palette Number For Line (0-15)
; Bit 4 : Reserved (must be 0)