Initial public commit for the project, resign and clean up old for pu…

…blic release

.gitignore

@@ -5,3 +5,6 @@ asm1
 asm2
 asm3
 shellcode
+bin/
+.*.sw*
+*.tar.gz

LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2019 Cale Black
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

Makefile

@@ -1,29 +1,75 @@
+BINPATH = bin
+
 OBJ =\
-       asm1.o\
-       asm2.o
+       $(BINPATH)/asm1.o\
+       $(BINPATH)/asm2.o\
+       $(BINPATH)/asm3.o\
+       $(BINPATH)/asm4.o\
+       $(BINPATH)/asm5.o\
+       $(BINPATH)/asm6.o\
+       $(BINPATH)/asm6c.o\
+       $(BINPATH)/asm7.o\
+       $(BINPATH)/asm8.o
 BIN =\
-     simple1\
-     simple2\
-     simple3\
-     asm1\
-     asm2\
-     asm3\
-     shellcode
+     $(BINPATH)/simple1\
+     $(BINPATH)/simple2\
+     $(BINPATH)/simple3\
+     $(BINPATH)/asm1\
+     $(BINPATH)/asm2\
+     $(BINPATH)/asm3\
+     $(BINPATH)/asm4\
+     $(BINPATH)/asm5\
+     $(BINPATH)/asm6\
+     $(BINPATH)/asm6c\
+     $(BINPATH)/asm7\
+     $(BINPATH)/asm8\
+     $(BINPATH)/sc1\
+     $(BINPATH)/sc2
 
-BINPATH = bin
+JNK =\
+     shellcoding-riscv.tar.gz
 
-all: c asm shellcode
+all: c asm compressed shellcode
 
 c:
-	gcc -O0 -pic simple1.c -o $(BINPATH)/simple1
-	gcc -O0 -pic simple2.c -o $(BINPATH)/simple2
-	gcc -O0 -pic simple3.c -o $(BINPATH)/simple3
+	gcc -O0 -fpic src/simple1.c -o $(BINPATH)/simple1
+	gcc -O0 -fpic src/simple2.c -o $(BINPATH)/simple2
+	gcc -O0 -fpic src/simple3.c -o $(BINPATH)/simple3
 
 asm:
-	gcc -c asm1.s -o $(BINPATH)/asm1.s
+	gcc -march=rv64g -c src/asm1.s -o $(BINPATH)/asm1.o
 	ld $(BINPATH)/asm1.o -o $(BINPATH)/asm1 
-	gcc -c asm2.s -o $(BINPATH)/asm2.s
+	gcc -march=rv64g -c src/asm2.s -o $(BINPATH)/asm2.o
 	ld $(BINPATH)/asm2.o -o $(BINPATH)/asm2 
+	gcc -march=rv64g -c src/asm3.s -o $(BINPATH)/asm3.o
+	ld $(BINPATH)/asm3.o -o $(BINPATH)/asm3 
+	gcc -march=rv64g -c src/asm4.s -o $(BINPATH)/asm4.o
+	ld $(BINPATH)/asm4.o -o $(BINPATH)/asm4 
+	gcc -march=rv64g -c src/asm5.s -o $(BINPATH)/asm5.o
+	ld $(BINPATH)/asm5.o -o $(BINPATH)/asm5 
+	gcc -march=rv64g -c src/asm6.s -o $(BINPATH)/asm6.o
+	ld $(BINPATH)/asm6.o -o $(BINPATH)/asm6 
+	gcc -march=rv64g -c src/asm7.s -o $(BINPATH)/asm7.o
+	ld $(BINPATH)/asm7.o -o $(BINPATH)/asm7 
+	gcc -march=rv64g -z execstack -c src/asm8.s -o $(BINPATH)/asm8.o
+	ld $(BINPATH)/asm8.o -z execstack -o $(BINPATH)/asm8 
+
+compressed:
+	gcc -march=rv64gc -c src/asm6c.s -o $(BINPATH)/asm6c.o
+	ld $(BINPATH)/asm6c.o -o $(BINPATH)/asm6c 
+	gcc -march=rv64gc -c src/asm7.s -o $(BINPATH)/asm7c.o
+	ld $(BINPATH)/asm7c.o -o $(BINPATH)/asm7c 
+
 
 clean:
-	rm -f $(BINPATH)/$(OBJ) $(BINPATH)/$(BIN)
+	rm -f $(OBJ) $(BIN) $(JNK)
+
+shellcode:
+	gcc -DSC1 -g -fno-stack-protector -z execstack src/sctester.c -o $(BINPATH)/sc1
+	gcc -DSC2 -g -fno-stack-protector -z execstack src/sctester.c -o $(BINPATH)/sc2
+
+package: c asm shellcode
+	tar cvzf riscv-$(shell date +%s).tar.gz $(BINPATH)/*
+
+.PHONY:
+	all clean asm shellcode package c

README.md

@@ -0,0 +1,57 @@
+RISC-V 64LE Linux Shellcoding
+=============================
+
+This repository contains all the code used to create a minimal example
+of creating shellcode for RISC-V 64LE. I attempted to do this as black-
+box as possible using only the RISC-V documentation and source from gcc,
+glibc, and the linux kernel. This was dual purpose to work on furthering
+my understanding of hardware specifics, to learn to shellcode on a
+lesser known/new ISA, and to attempt to get some payloads available even
+before common adoption.
+
+Repository Layout
+-----------------
+Inside of the `src/` directory there are simple C examples
+(`simpleN.c`), assembly examples (`asmN.s`), and shellcode examples
+(`scN.h`) that are included by `sctester.c` and executed using a GCC
+trampoline.
+
+The reading path is not one-to-one by the numbers, instead it should be
+read in the following manner or as described in the coming blogpost:
+
+| files | lesson |
+| :----- | :------ |
+|`asm1.s`, `asm2.s` | Learn about the basic calling conventions, linux specifics for system calls, data access |
+| `asm3.s` | Port a program to not use the rodata section and learn about PIC |
+| `asm4.s` | Graceful shell spawning in assembly |
+| `sc1.h`, `asm5.s` | Learn about the pitfalls of shellcode and use a simple shellcode tester to check for null chars |
+| `sc2.h`, `asm6.s` | Discover more pitfalls, solutions, and port the more advanced shell exec shellcode |
+| `asm7.s` | Create a reverse shell in assembly |
+| `asm8.s`, `sc3.h` | Porting the reverse shell to shellcode |
+
+Additionally, it is extremely common for most of the implimentations of
+RISC-V to contain the C compressed instruction extension. For that
+reason I decided to add a few examples:
+
+| files | lesson |
+| :----- | :------ |
+|`asm6c.s` | An example of some shellcode with compressed instructions and less xor |
+
+Usage / Building
+----------------
+It is expected that you have a VM to test with, the instructions for
+running will be here. Once you have the VM the code can either be
+compiled from the directly from the root of the repository with a simple
+`make` in the root of the directory. This expect you to have `gcc(1)` and
+`as(1)` for assembly.
+
+Additionally the realease page should have a copy of the bin directory 
+after a successful compilation.
+
+Supporting/Helpful Documents
+---------------------------- 
+- [RISC-V Green Card](https://www.cl.cam.ac.uk/teaching/1617/ECAD+Arch/files/docs/RISCVGreenCardv8-20151013.pdf)
+- [RISC-V User-Level ISA](https://content.riscv.org/wp-content/uploads/2017/05/riscv-spec-v2.2.pdf)
+- [Linux RISC-V Kernel](https://github.com/torvalds/linux/tree/master/arch/riscv)
+- [Linux Architecture Specific syscall(2) Info](http://man7.org/linux/man-pages/man2/syscall.2.html#NOTES)
+- [Fedora RISC-V Images](https://fedoraproject.org/wiki/Architectures/RISC-V/Installing)

doc/a1_0xcafebabe.s

@@ -0,0 +1,20 @@
+.section .text
+.globl _start
+_start:
+	li a0,0x0
+	li a2,16
+	# without using the li pseudo instruction load a1 with 0xcafebabe
+	lui a1,0x33
+	addi a1,a1,-1029
+	slli a1,a1,0xe
+	addi a1,a1,-1346
+	ret
+	#li a7, 64              # 64 is the __NR_write syscall 
+	#ecall
+	#li a0, 0x0
+	#li a7, 93
+	#ecall
+
+.section .rodata
+msg:
+	    .string "Hello MWR Labs\n\0"

doc/asm1-objdump.txt

@@ -0,0 +1,11 @@
+
+bin/asm1:     file format elf64-littleriscv
+
+
+Disassembly of section .text:
+
+0000000000010078 <_start>:
+   10078:	00a54533          	xor	a0,a0,a0
+   1007c:	00750513          	addi	a0,a0,7
+   10080:	05d00893          	li	a7,93
+   10084:	00000073          	ecall

doc/cpuinfo.txt

@@ -0,0 +1,21 @@
+[root@fedora-riscv ~]# cat /proc/cpuinfo 
+processor	: 0
+hart		: 3
+isa		: rv64imafdcu
+mmu		: sv48
+
+processor	: 1
+hart		: 0
+isa		: rv64imafdcu
+mmu		: sv48
+
+processor	: 2
+hart		: 1
+isa		: rv64imafdcu
+mmu		: sv48
+
+processor	: 3
+hart		: 2
+isa		: rv64imafdcu
+mmu		: sv48
+

doc/fig-2-blog.txt

@@ -0,0 +1,6 @@
+[root@fedora-riscv riscv]# ./util/trashfmt.py $(./util/trashdis.sh "ADD a0,a7,a6")
+00000001 00001000 10000101 00110011
+[root@fedora-riscv riscv]# ./util/trashdis.sh "ADD a0,a7,a6" && ./util/trashfmt.py $(./util/trashdis.sh "ADD a0,a7,a6")
+01088533 add a0,a7,a6
+00000001 00001000 10000101 00110011
+

doc/noptest.s

@@ -0,0 +1,29 @@
+.section .text
+.globl _start
+_start:
+	xor x0,x0,0
+	xor x0,x0,1
+	xor x0,x0,0xff
+	and x0,x0,0	
+	and x0,x0,1	
+	and x0,x0,0xff	
+	and x0,x0,x0	
+	addi x0,x0,0
+	addi x0,x0,1
+	addi x0,x1,0
+	addi x0,x1,1
+	addi x0,x8,0
+	addi x0,x8,1
+	addi x0,x15,0
+	addi x0,x15,1
+	addi x0,x31,0
+	addi x0,x31,1
+	addiw x0,x0,0xff	
+	rdcycle x0
+	rdcycle x30
+	#c.addi x17,1
+	#c.addi x17,0x0
+	li a0, 0x0
+	li a7, 93
+	#c.ebreak
+	ecall