AdSense
Monday, May 22, 2017
11 - Extracting and analyzing firmware of KANKUN SMART PLUG
EXTRACTING AND ANALYZING FIRMWARE OF KANKUN SMART PLUG
- Layout for this exercise:
1 - Getting the mobile application
- As the product booklet indicates, this is the downloading page for the mobile application software smartwifi.apk:
http://kk.huafeng.com:8081/none/android/smartwifi.apk
2 - Decompiling the mobile application with jadx
- Once smartwifi.apk downloaded, let's decompile the apk file with jadx:
https://sourceforge.net/projects/jadx/
- Copying the .apk into the folder /jadx/bin:
- Decompiling, the original Java source code of the application is available:
- Although several error messages are prompted to the user, eventually a new folder smartwifi is created:
- Copying the newly created folder to ~/kankun:
- Going into the folder smartwifi there are the Java class files of the mobile application:
3 - Getting the firmware
- Examining the contents of AndroidManifest.xml we find that the package of the applications is hangzhou.zx:
- Going into hangzhou:
- Going into zx:
- Opening PreferencesUtil.java:
- There is a very interesting line that gives us a hint about where to download the firmware from:
- Downloading the firmware with wget:
- Now, the firmware of the application kkeps.bin is available for further study and analysis:
- Checking the file type:
4 - Extracting the root file system with binwalk
- Extracting the file system of the binary (LZMA compressed and Squashfs filesystem):
- A new folder _kkeps.bin.extracted is available:
- Going into _kkeps.bin.extracted there is the root file system squashfs-root:
- Going into squashfs-root the entire root file system is found:
Tuesday, May 2, 2017
10 - Buffer Overflow exploitation on MIPS architecture emulated with QEMU by remote debugging with GDB
BUFFER OVERFLOW EXPLOITATION ON MIPS ARCHITECTURE EMULATED WITH QEMU BY REMOTE DEBUGGING WITH GDB
- Layout for this exercise:
1 - Introduction
- This exercise is based on the previous one, where the source code of the binary stack_bof_01 (belonging to DVRF) was analyzed.
- In this case we will try to exploit the Buffer Overflow vulnerability present on the file, due to the usage of the strcpy function.
- The executable stack_bof_01 is intended for a MIPS architecture, and it is emulated with qemu-mipsel by enabling chroot command.
- Let's pass to the program a simple parameter like asdfg:
- The answer corresponds to this part of the source code of the program:
2 - Remote debugging with gdb-multiarch
- Let's install the package gdb-multiarch, what is a version of the GNU Debugger with support for multiple artchitectures:
http://packages.ubuntu.com/precise/devel/gdb-multiarch
- The program is emulated again, now with the parameter AAAA and the option "-g 1234", meaning that the file is going to be debugged remotely at port 1234:
- Running the debugger gdb-multiarch in a quiet mode (-q):
- Setting the architecture option for MIPS:
- The remote target will be the Qemu instance launched before, that is running locally at the port 1234:
- Continuing the execution:
- The usual output is displayed:
3 - Preparing the attack
- Now, in order to prepare the attack, let's examine the functions of the binary. Specifically, because we are interested to control the flow of the program to execute the function dat_shell, let's notice that this function starts at 0x004000950:
- Also:
- In order to overwrite the buffer, let's use a pattern of 300 characters generated by a Perl script like this:
https://securitythoughts.wordpress.com/2010/03/18/tool-unique-pattern-generator-for-exploit-development/
- Copying the pattern, and pasting it as a parameter to the program:
- Debugging again:
- Continuing the execution, there is a segmentation fault at 0x41386740, a non executable area of memory:
- As before, the usual message is displayed:
- Examining the registers, we see that the PC (Program Counter) has been overwritten with the 0x41386741 direction:
- Converting the hexadecimal number 0x41386741 into ASCII:
http://www.asciitohex.com/
- After reversing A8gA to Ag8A, locating it into the pattern, there is an offset of 204:
- Marking Ag8A into the pattern:
4 - Launching the exploitation
- The key concept to perform the attack is that the buffer must be rewriten with the first 204 characters (all characters before Ag8A) followed by the address of the function dat_shell().
- Now, creating a new pattern of just 204 characters and copying them:
- Instead of choosing the beginning address of dat_shell(), let's pick four more advance instructions (0x0040095c). Otherwise the exploit does not work, and to be honest I don't understand why:
- Crafting a new parameter, composed of the 204 set of characters of the pattern, plus echoing 0x0040095c in a Little Indian format with option -e, to enable the interpretation of backslash escapes:
- Let's pass the argument to the program:
- Setting a breakpoint at the function dat_shell():
- Remote debugging again:
- Continuing the execution:
- At this point let's have a look at the registers. Now the PC has been loaded with the function dat_shell():
- Eventually the buffer overflow attack is successful because dat_shell() function is executed:
- Remembering the code for the function data_shell():
Subscribe to:
Posts (Atom)