
Tuesday, May 2, 2017

9 - Analysis with RADARE2 of MIPS architecture


ANALYSIS WITH RADARE2 OF MIPS ARCHITECTURE

- Layout for this exercise:




1 - DAMN VULNERABLE ROUTER FIRMWARE (DVRF)

- DVRF is a firmware image that was built vulnerable on purpose, with the goal of providing a simulated learning environment for architectures other than x86.

- DVRF can be found here:

https://github.com/praetorian-inc/DVRF







- Downloading the firmware:








- Extracting with binwalk:






- Going into the extracted folder, the usual squashfs-root folder is found:
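What binwalk does in the step above is signature scanning: it walks the image looking for known magic bytes and, when it finds a squashfs superblock, carves the filesystem out at that offset. The following C program is an added example (not code from binwalk, DVRF or the original post) that performs the same scan over a constructed in-memory image: it locates the "hsqs" (little-endian) or "sqsh" (big-endian) magic, reads the version fields from the superblock, and reports the offset. The sample image bytes are constructed for the example and are not a real firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Squashfs superblock fields relevant for triage. Layout (squashfs 4.x):
 * magic u32 @0 ... version_major u16 @28, version_minor u16 @30, 96 bytes total. */
struct sqsh_info {
    size_t offset;          /* byte offset of the superblock in the image */
    int little_endian;      /* 1 for "hsqs", 0 for "sqsh" */
    uint16_t version_major;
    uint16_t version_minor;
};

static uint16_t read_u16(const unsigned char *p, int little_endian) {
    return little_endian ? (uint16_t)(p[0] | (p[1] << 8))
                         : (uint16_t)((p[0] << 8) | p[1]);
}

/* Scan buf for a squashfs magic; fill *out and return 0 on a hit, -1 if none.
 * Requires a full 96-byte superblock to fit after the magic. */
int find_squashfs(const unsigned char *buf, size_t len, struct sqsh_info *out) {
    const size_t sb_len = 96;
    for (size_t i = 0; i + sb_len <= len; i++) {
        int le;
        if (memcmp(buf + i, "hsqs", 4) == 0) le = 1;
        else if (memcmp(buf + i, "sqsh", 4) == 0) le = 0;
        else continue;
        out->offset = i;
        out->little_endian = le;
        out->version_major = read_u16(buf + i + 28, le);
        out->version_minor = read_u16(buf + i + 30, le);
        return 0;
    }
    return -1;
}

/* Constructed sample: 64 bytes of filler standing in for a vendor header,
 * followed by a minimal squashfs 4.0 little-endian superblock. */
#define FILLER 64
static unsigned char sample_image[FILLER + 96];

static void build_sample_image(void) {
    memset(sample_image, 0xAA, FILLER);
    memset(sample_image + FILLER, 0, 96);
    memcpy(sample_image + FILLER, "hsqs", 4);
    sample_image[FILLER + 28] = 4;   /* version_major = 4 (LE) */
    sample_image[FILLER + 30] = 0;   /* version_minor = 0 */
}

/* Build the sample and return the superblock offset, or -1 if not found. */
long scan_sample(void) {
    struct sqsh_info info;
    build_sample_image();
    if (find_squashfs(sample_image, sizeof sample_image, &info) != 0) return -1;
    printf("squashfs %u.%u (%s-endian) at offset %zu\n",
           info.version_major, info.version_minor,
           info.little_endian ? "little" : "big", info.offset);
    return (long)info.offset;
}

int main(void) {
    return scan_sample() < 0;
}
```

The offset this returns is exactly the number binwalk prints beside "Squashfs filesystem"; on a real image it is what you pass to dd or unsquashfs when carving by hand.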




- Checking the content of squashfs-root, the full filesystem is available:





- The folder pwnable contains some vulnerable binaries, for instance the executable stack_bof_01 that suffers from a Stack Buffer Overflow vulnerability, as its name indicates:




2 - ANALYZING THE BINARY WITH RADARE2/R2

- radare2/r2 is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line. 

- Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems.

https://github.com/radare/radare2

https://radare.org/r/

https://en.wikipedia.org/wiki/Radare2


- rabin2 is a tool that is part of the Radare2 framework, useful for extracting information from executable binaries like ELF, PE, Java CLASS, MACH-O. It's used from the core to get exported symbols, imports, file information, xrefs, library dependencies, sections, ...

https://github.com/radare/radare2/wiki/Rabin2


- Using rabin2 to obtain information about stack_bof_01, for instance that the file is intended to run on the MIPS architecture:
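The architecture, bitness and endianness that rabin2 reports come straight from the first 20 bytes of the ELF header (e_ident, e_type, e_machine). The C program below is an added example, not part of rabin2 or the original post, that parses those fields from a constructed header so the reader can see where "mips", "32" and "big" come from. The byte string sample_mips_be is constructed for the example; the machine-number table covers only a few common values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EM_MIPS 8   /* e_machine value for MIPS in the ELF specification */

struct elf_info {
    int is_64bit;        /* from EI_CLASS: 1 = ELF32, 2 = ELF64 */
    int big_endian;      /* from EI_DATA:  1 = LSB, 2 = MSB */
    uint16_t e_type;     /* 2 = executable, 3 = shared object */
    uint16_t e_machine;  /* target architecture */
};

static uint16_t rd16(const unsigned char *p, int big_endian) {
    return big_endian ? (uint16_t)((p[0] << 8) | p[1])
                      : (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the identification bytes plus e_type/e_machine. Returns 0 on
 * success, -1 on a short buffer or invalid header; *out untouched on -1. */
int parse_elf_header(const unsigned char *buf, size_t len, struct elf_info *out) {
    if (len < 20) return -1;                          /* e_ident(16) + 2 + 2 */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return -1; /* magic */
    if (buf[4] != 1 && buf[4] != 2) return -1;        /* EI_CLASS */
    if (buf[5] != 1 && buf[5] != 2) return -1;        /* EI_DATA */
    out->is_64bit = (buf[4] == 2);
    out->big_endian = (buf[5] == 2);
    out->e_type = rd16(buf + 16, out->big_endian);
    out->e_machine = rd16(buf + 18, out->big_endian);
    return 0;
}

const char *machine_name(uint16_t m) {
    switch (m) {
    case 3:  return "x86";
    case 8:  return "MIPS";
    case 40: return "ARM";
    case 62: return "x86-64";
    default: return "unknown";
    }
}

/* Constructed sample: first 20 bytes of a big-endian 32-bit MIPS executable.
 * e_ident = magic, class=1, data=2 (MSB), version=1, osabi=0, abiver=0, pad;
 * then e_type = 2 (ET_EXEC) and e_machine = 8 (EM_MIPS), both big-endian. */
const unsigned char sample_mips_be[20] = {
    0x7f, 'E', 'L', 'F', 1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02,
    0x00, 0x08
};

/* Convenience check: 1 if the sample parses as a 32-bit big-endian MIPS file. */
int sample_is_mips32_be(void) {
    struct elf_info info;
    if (parse_elf_header(sample_mips_be, sizeof sample_mips_be, &info) != 0) return 0;
    return info.e_machine == EM_MIPS && info.big_endian && !info.is_64bit;
}

int main(void) {
    struct elf_info info;
    if (parse_elf_header(sample_mips_be, sizeof sample_mips_be, &info) != 0) return 1;
    printf("arch=%s bits=%d endian=%s type=%u\n", machine_name(info.e_machine),
           info.is_64bit ? 64 : 32, info.big_endian ? "big" : "little", info.e_type);
    return 0;
}
```

Knowing the endianness matters before you emulate or disassemble: a big-endian MIPS binary loaded with little-endian settings disassembles to nonsense.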




- Now, applying the analyzer radare2 to stack_bof_01:




- aa (analyze all):




- afl (analyze functions):




- uClibc (aka µClibc/pronounced yew-see-lib-see) is a C library for developing embedded Linux systems, much smaller than the GNU C Library.


https://www.uclibc.org/about.html





- Also, the vulnerable strcpy function is found, a well-known C function associated with Stack Buffer Overflow vulnerabilities:

https://en.wikipedia.org/wiki/Stack_buffer_overflow





- Checking the source code stack_bof_01.c, the strcpy call can be located:









- The goal of the Stack Buffer Overflow attack would be the execution of the function dat_shell so that the "/bin/sh" shell is launched.

- Finally, the function dat_shell displays a congrats message once a Buffer Overflow has been performed successfully, as will be seen in the next exercise.
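To make the defect concrete from the defender's side, here is an added C example (not the source of stack_bof_01.c, which the post shows only as a screenshot) placing the unbounded strcpy pattern beside a bounded replacement. The buffer size of 64 and the input strings are assumptions for the example; the point is that the safe version rejects oversized input outright rather than truncating silently or overflowing the stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed stack buffer size for the example */

/* The vulnerable shape: an unbounded strcpy into a fixed-size stack buffer.
 * Any source longer than BUF_SIZE - 1 bytes writes past buf into the saved
 * registers and return address. Shown only with in-bounds input below. */
void unsafe_copy(const char *src) {
    char buf[BUF_SIZE];
    strcpy(buf, src);                    /* no length check at all */
    printf("unsafe_copy stored %zu bytes\n", strlen(buf));
}

/* Hardened replacement. Returns 0 and fills dst on success, -1 when src
 * would not fit (including its terminator); dst is untouched on failure.
 * Unlike strncpy, it never leaves dst unterminated. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;   /* bounded scan */
    if (n >= dst_size) return -1;                 /* no room for NUL */
    memcpy(dst, src, n + 1);                      /* copies the NUL too */
    return 0;
}

/* Same flow as the vulnerable routine, but bounded. Returns bytes stored,
 * or -1 when the input was rejected. */
int bounded_handler(const char *src) {
    char buf[BUF_SIZE];
    if (safe_copy(buf, sizeof buf, src) != 0) return -1;
    return (int)strlen(buf);
}

/* Feed bounded_handler a constructed string of n 'A' bytes (n < 256). */
int probe_length(size_t n) {
    char tmp[256];
    if (n >= sizeof tmp) return -1;
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    return bounded_handler(tmp);
}

int main(void) {
    printf("63 bytes -> %d\n", probe_length(63));   /* fits: 63 */
    printf("64 bytes -> %d\n", probe_length(64));   /* rejected: -1 */
    printf("96 bytes -> %d\n", probe_length(96));   /* rejected: -1 */
    unsafe_copy("short input");                     /* in-bounds only */
    return 0;
}
```

Rejecting rather than truncating is the safer default for input that later drives logic (paths, commands); a truncated string can still be well-formed and silently wrong.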









- Disassembling the first 20 lines of the main function:





- However, the default look of the previous disassembly is not very convenient, so it can be changed using some of radare2's configuration options.

- Going to the source code of radare2:





- Some of the options are removed and the rest are copied to a new file, radare2rc:





- Now, the new disassembly layout shows clearly what happens as the function main executes:





- izz (print all the strings): the strings embedded in the binary are displayed, for instance the congrats message shown after the BoF attack is successfully performed:




- VV (starting an HTTP server working on localhost and port 9090):




- Now, connecting the browser to localhost:9090, a visual mode of the binary is available: