This repository has been archived by the owner on Jun 29, 2020. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 60245db
Showing
14 changed files
with
815 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
#### Get Debian for MIPS | ||
|
||
* http://ftp.debian.org/debian/dists/stretch/main/installer-mips/current/images/malta/netboot/ | ||
|
||
* Download both files. | ||
|
||
#### Building QEMU (optional) | ||
|
||
``` | ||
./configure --prefix=$HOME/QEMU --target-list=mips-softmmu,mips-linux-user | ||
make | ||
make install | ||
``` | ||
|
||
#### HOWTO | ||
|
||
##### Install | ||
|
||
``` | ||
qemu-img create -f qcow2 hda.img 32G | ||
qemu-system-mips -M malta -m 256 -hda hda.img -kernel vmlinux-4.9.0-3-4kc-malta \ | ||
-initrd initrd.gz -append "console=ttyS0 nokaslr" -nographic | ||
``` | ||
|
||
Copy `initrd.img-4.9.0-3-4kc-malta` from the installed VM to the host machine. | ||
|
||
##### Boot: | ||
|
||
``` | ||
qemu-system-mips -M malta -m 256 -hda hda.img -kernel vmlinux-4.9.0-3-4kc-malta \ | ||
-initrd initrd.img-4.9.0-3-4kc-malta \ | ||
-append "root=/dev/sda1 console=ttyS0 nokaslr" -nographic \ | ||
-netdev user,id=net0 \ | ||
-device e1000-82545em,netdev=net0,id=net0,mac=52:54:00:c9:18:27 \ | ||
-net user -redir tcp:2222::22 | ||
``` | ||
|
||
`C-a h` key combination is useful to interacting with QEMU in `-nographic` mode. | ||
|
||
#### Notes | ||
|
||
* Kernel (and initrd.gz) from Debian 9 MIPS (version 20170615) does not boot in | ||
QEMU 2.9.0. It fails with `Initramfs unpacking failed: uncompression error` or | ||
`Initramfs unpacking failed: junk in compressed archive` error messages. | ||
|
||
Update: In Debian 9, the initrd load address clashes with kernel address | ||
randomization due to a bug in QEMU. Pass "nokaslr" to the append option. | ||
|
||
* Debugging a MIPS binary directly under QEMU, | ||
|
||
``` | ||
$ qemu-mips -g 1234 ./mips.binary | ||
$ gdb ./mips.binary # in another terminal | ||
(gdb) set architecture mips | ||
(gdb) target remote localhost:1234 | ||
``` | ||
|
||
Run dynamically linked MIPS binary with QEMU, | ||
|
||
``` | ||
LD_LIBRARY_PATH=. qemu-mips ./routerlocker | ||
``` | ||
|
||
Check behaviour of a MIPS binary, | ||
|
||
``` | ||
LD_LIBRARY_PATH=. qemu-mips -strace ./routerlocker | ||
``` | ||
|
||
#### References | ||
|
||
* https://people.debian.org/~aurel32/qemu/mips/ | ||
|
||
* https://gmplib.org/~tege/qemu.html | ||
|
||
* http://toolchains.free-electrons.com/ | ||
|
||
* https://en.wikibooks.org/wiki/QEMU/Networking | ||
|
||
* https://github.com/kholia/kernel-configs | ||
|
||
#### Thanks | ||
|
||
* rofl0r | ||
|
||
* aurel32 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
#### Patching notes | ||
|
||
Patching `ptrace` call, | ||
|
||
``` | ||
$ sed -i 's|ptrace|isnanl|' routerlocker | ||
``` | ||
|
||
For patching `fork` call, replace `jal fork@plt` instruction bytes with `move v0, zero` instruction bytes. | ||
|
||
``` | ||
$ mips-linux-objdump -d routerlocker | ||
... | ||
4008d4: 0c1001d4 jal 400750 <fork@plt> | ||
4008ec: 00001021 move v0,zero | ||
``` | ||
|
||
### QEMU debugging | ||
|
||
``` | ||
$ LD_LIBRARY_PATH=. qemu-mips -g 1234 ./routerlocker.patched | ||
``` | ||
|
||
#### QEMU easier userspace emulation | ||
|
||
``` | ||
$ sudo dnf install -C qemu-user-binfmt -y | ||
$ sudo service systemd-binfmt restart | ||
$ LD_LIBRARY_PATH=. ./ld.so.1 ./routerlocker | ||
``` | ||
|
||
### Build GDB-with-Python for MIPS | ||
|
||
Fetch and extract `gdb-8.0.tar.xz`. | ||
|
||
``` | ||
$ sudo dnf builddep gdb | ||
``` | ||
|
||
``` | ||
$ targets="--enable-targets=x86_64-linux,i386-linux,powerpc-linux,arm-linux,mips-linux,mipsel-linux" | ||
$ ./configure --enable-64-bit-bfd $targets | ||
$ make | ||
$ make install | ||
``` | ||
|
||
``` | ||
$ cat ~/.gdbinit | ||
set history save on | ||
set print pretty on | ||
set pagination off | ||
set confirm off | ||
set follow-fork-mode child | ||
``` | ||
|
||
``` | ||
$ /usr/local/bin/gdb ./routerlocker | ||
``` | ||
|
||
#### References | ||
|
||
* http://chortle.ccsu.edu/assemblytutorial/ | ||
|
||
#### Thanks | ||
|
||
* rofl0r | ||
|
||
* csec |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
// Sample program to test GDB brute-forcing script | ||
|
||
#include <stdint.h> | ||
#include <stdio.h> | ||
#include <stdlib.h> | ||
#include <string.h> | ||
|
||
int main(int argc, char ** argv) | ||
{ | ||
unsigned char data[32]; | ||
int i = 0; | ||
|
||
FILE *file = fopen("/tmp/router.lck", "r"); | ||
if (file == NULL) { | ||
fwrite("License file not found.\n", 1, 24, stdout); | ||
fwrite("Lock it up, and lock it out.\n", 1, 29, stdout); | ||
return 1; | ||
} | ||
|
||
if (fread(data, 1, 29, file) >= 29) { | ||
fclose(file); | ||
|
||
while (1) { | ||
if (data[i] == 'X') { | ||
i++; // find out how many times this is getting hit! | ||
} | ||
else { | ||
break; | ||
} | ||
|
||
if (i >= 29) | ||
break; | ||
} | ||
|
||
if (i == 29) { | ||
puts("Success!"); | ||
return 0; | ||
} | ||
|
||
} | ||
|
||
puts("Serial is invalid!"); | ||
return 3; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
that_ransomware_ran_somewhere |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
#!/usr/bin/gdb -x | ||
# Based on https://github.com/crossbowerbt/GDB-Python-Utils | ||
|
||
import gdb | ||
import traceback | ||
import string | ||
|
||
|
||
def usage(): | ||
print("Usage: gdb -x ./gdb_bruteforce.py") | ||
gdb.execute('quit') | ||
|
||
|
||
""" | ||
amd64, i++ operation in app.c | ||
0x0000000000400736 <+176>: add DWORD PTR [rbp-0x4],0x1 | ||
0x000000000040073a <+180>: cmp DWORD PTR [rbp-0x4],0x1c | ||
mips, i++ operation in app.c | ||
lw v0,24(s8) | ||
addiu v0,v0,1 | ||
amd64, int v7 = i + 1; operation in routerlocker-clone.c | ||
0x0000000000400cae <+1208>: mov eax,DWORD PTR [rbp-0x18] | ||
0x0000000000400cb1 <+1211>: add eax,0x1 | ||
""" | ||
|
||
count = 0 | ||
|
||
|
||
class SnifferBreakpoint(gdb.Breakpoint): | ||
# Initialize the breakpoint | ||
def __init__(self): | ||
# super(SnifferBreakpoint, self).__init__('*0x400736') | ||
# super(SnifferBreakpoint, self).__init__('*0x555559c8') | ||
super(SnifferBreakpoint, self).__init__('*0x400cb1') | ||
|
||
# Called when the breakpoint is hit | ||
def stop(self): | ||
global count | ||
try: | ||
# count = int(gdb.parse_and_eval('*(int*)($rbp - 0x4)')) | ||
# count = int(gdb.parse_and_eval('$v0')) | ||
count = int(gdb.parse_and_eval('$eax')) | ||
count = count + 1 | ||
except: | ||
traceback.print_exc() | ||
return True | ||
|
||
# GDB setup | ||
gdb.execute("set print repeats unlimited") | ||
gdb.execute("set print elements unlimited") | ||
gdb.execute("set pagination off") | ||
gdb.execute("set follow-fork-mode child") | ||
|
||
# generate sniffer breakpoint | ||
SnifferBreakpoint() | ||
|
||
known = "" | ||
|
||
for i in range(0, 29): | ||
count = 0 | ||
# for c in "XYZ": | ||
for c in string.printable: | ||
# for c in "that": | ||
output = known + (c + "a" * (29 - len(known) - 1)) | ||
print("Trying %s" % (output)) | ||
with open("/tmp/router.lck", "w") as f: | ||
f.write(output) | ||
|
||
gdb.execute('file ./a.out') | ||
gdb.execute('run ./a.out') | ||
if count > len(known): | ||
known = known + c | ||
|
||
gdb.execute('quit') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
#!/usr/bin/gdb -x | ||
# Based on https://github.com/crossbowerbt/GDB-Python-Utils | ||
|
||
import gdb | ||
import traceback | ||
import string | ||
import subprocess | ||
|
||
|
||
def usage(): | ||
print("Usage: gdb -x ./gdb_bruteforce.py") | ||
gdb.execute('quit') | ||
|
||
|
||
""" | ||
mips, int v7 = i + 1; operation in routerlocker-clone.c | ||
lw $v0, 0x90+var_74($fp) | ||
addiu $v0, 1 <-- track this, 0x00400fb8 | ||
sw $v0, 0x90+var_58($fp) | ||
lw $v0, 0x90+var_74($fp) | ||
addiu $v0, 1 | ||
sltiu $v0, 1 | ||
andi $s0, $v0, 0xFF | ||
addiu $v0, $fp, 0x90+var_34 | ||
move $a0, $v0 | ||
la $v0, strlen | ||
move $t9, $v0 | ||
jalr $t9 ; strlen | ||
""" | ||
|
||
count = 0 | ||
|
||
|
||
class SnifferBreakpoint(gdb.Breakpoint): | ||
# Initialize the breakpoint | ||
def __init__(self): | ||
# super(SnifferBreakpoint, self).__init__('*0x400736') | ||
# super(SnifferBreakpoint, self).__init__('*0x555559c8') | ||
super(SnifferBreakpoint, self).__init__('*0x00400fb8') | ||
|
||
# Called when the breakpoint is hit | ||
def stop(self): | ||
global count | ||
try: | ||
# count = int(gdb.parse_and_eval('*(int*)($rbp - 0x4)')) | ||
# count = int(gdb.parse_and_eval('$v0')) | ||
count = int(gdb.parse_and_eval('$v0')) | ||
count = count + 1 | ||
except: | ||
traceback.print_exc() | ||
return True | ||
|
||
# GDB setup | ||
gdb.execute("set print repeats unlimited") | ||
gdb.execute("set print elements unlimited") | ||
gdb.execute("set pagination off") | ||
gdb.execute("set follow-fork-mode child") | ||
|
||
known = "" | ||
|
||
# generate sniffer breakpoint | ||
SnifferBreakpoint() | ||
|
||
for i in range(0, 29): | ||
count = 0 | ||
# for c in "XYZ": | ||
for c in string.printable: | ||
# for c in "that": | ||
output = known + (c + "a" * (29 - len(known) - 1)) | ||
print("Trying %s" % (output)) | ||
with open("/tmp/router.lck", "w") as f: | ||
f.write(output) | ||
|
||
p = subprocess.Popen("qemu-mips -g 1234 ./routerlocker-clone", shell=True) | ||
gdb.execute('file routerlocker-clone') | ||
gdb.execute('target remote localhost:1234') | ||
gdb.execute('continue') | ||
if count > len(known): | ||
known = known + c | ||
break | ||
|
||
gdb.execute('quit') |
Oops, something went wrong.