Tuesday, May 2, 2017
9 - Analysis with RADARE2 of MIPS architecture
- Layout for this exercise:
1 - DAMN VULNERABLE ROUTER FIRMWARE (DVRF)
- DVRF is a firmware image that was built vulnerable on purpose, with the goal of providing a simulated learning environment for architectures other than x86.
- DVRF can be found here:
- Downloading the firmware:
- Extracting with binwalk:
- Going into the extracted folder, the usual squashfs-root folder is found:
- Checking the content of squashfs-root, the full file system of the device is available:
- The folder pwnable contains some vulnerable binaries, for instance the executable stack_bof_01 that suffers from a Stack Buffer Overflow vulnerability, as its name indicates:
2 - ANALYZING THE BINARY WITH RADARE2/R2
- radare2/r2 is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line.
- Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems.
- rabin2 is a tool that is part of the Radare2 framework, useful for extracting information from executable binaries like ELF, PE, Java CLASS, MACH-O. It's used from the core to get exported symbols, imports, file information, xrefs, library dependencies, sections, ...
- Using rabin2 to obtain information about stack_bof_01, for instance that the file is intended to be run on the MIPS architecture:
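The architecture line that rabin2 reports comes straight from the fixed-size ELF header. The following program is an added example (not part of the original post and not rabin2's code) that decodes the same fields, class, byte order, type and machine, from a header buffer; the sample headers are constructed inline for the demonstration and are not taken from the DVRF image:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a minimal ELF header inspector reporting what `rabin2 -I`
 * shows for class, endianness, type and machine. It reads only the fixed
 * ELF header, not sections, symbols or imports. */

#define EI_CLASS     4
#define EI_DATA      5
#define ELFCLASS32   1
#define ELFCLASS64   2
#define ELFDATA2LSB  1
#define ELFDATA2MSB  2
#define EM_386       3
#define EM_MIPS      8
#define EM_ARM       40
#define EM_X86_64    62

struct elf_info {
    int bits;           /* 32 or 64 */
    int big_endian;     /* 1 if multi-byte fields are MSB first */
    uint16_t e_type;    /* 2 = ET_EXEC, 3 = ET_DYN */
    uint16_t e_machine; /* EM_* value */
    const char *arch;   /* name for e_machine */
};

/* e_type and e_machine are stored in the file's own byte order, so EI_DATA
 * has to be decoded before either of them can be read correctly. */
static uint16_t read_u16(const uint8_t *p, int big_endian)
{
    return big_endian ? (uint16_t)((p[0] << 8) | p[1])
                      : (uint16_t)((p[1] << 8) | p[0]);
}

static const char *machine_name(uint16_t m)
{
    switch (m) {
    case EM_386:    return "x86";
    case EM_MIPS:   return "mips";
    case EM_ARM:    return "arm";
    case EM_X86_64: return "x86_64";
    default:        return "unknown";
    }
}

/* Returns 0 and fills *out on success, -1 if buf is not a plausible ELF
 * header (too short, bad magic, unknown class or unknown data encoding). */
int elf_identify(const uint8_t *buf, size_t len, struct elf_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    if (buf[EI_CLASS] == ELFCLASS32)      out->bits = 32;
    else if (buf[EI_CLASS] == ELFCLASS64) out->bits = 64;
    else                                  return -1;
    if (buf[EI_DATA] == ELFDATA2MSB)      out->big_endian = 1;
    else if (buf[EI_DATA] == ELFDATA2LSB) out->big_endian = 0;
    else                                  return -1;
    out->e_type    = read_u16(buf + 16, out->big_endian);
    out->e_machine = read_u16(buf + 18, out->big_endian);
    out->arch      = machine_name(out->e_machine);
    return 0;
}

/* Constructed sample headers (first 20 bytes only; not taken from DVRF). */
const uint8_t sample_mipsel_exec[20] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x02, 0x00,   /* e_type    = ET_EXEC, little-endian */
    0x08, 0x00    /* e_machine = EM_MIPS */
};
const uint8_t sample_mips_be_exec[20] = {
    0x7f, 'E', 'L', 'F', 1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02,   /* e_type    = ET_EXEC, big-endian */
    0x00, 0x08    /* e_machine = EM_MIPS */
};
const uint8_t sample_x86_64_dyn[20] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x03, 0x00,   /* e_type    = ET_DYN (PIE or shared object) */
    0x3e, 0x00    /* e_machine = EM_X86_64 */
};
const uint8_t sample_not_elf[20] = { 'M', 'Z', 0 };  /* PE-style magic */

static void report(const char *label, const uint8_t *buf, size_t len)
{
    struct elf_info info;
    if (elf_identify(buf, len, &info) != 0) {
        printf("%-14s not an ELF header\n", label);
        return;
    }
    printf("%-14s bits=%d endian=%s type=%u arch=%s\n", label, info.bits,
           info.big_endian ? "big" : "little", (unsigned)info.e_type, info.arch);
}

int main(void)
{
    report("mipsel_exec", sample_mipsel_exec, sizeof sample_mipsel_exec);
    report("mips_be_exec", sample_mips_be_exec, sizeof sample_mips_be_exec);
    report("x86_64_dyn", sample_x86_64_dyn, sizeof sample_x86_64_dyn);
    report("not_elf", sample_not_elf, sizeof sample_not_elf);
    return 0;
}
```

The byte-order check matters for router firmware: MIPS ships in both big-endian and little-endian variants, and a tool that reads e_machine with the host's byte order will misidentify one of them.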
- Now, applying the analyzer radare2 to stack_bof_01:
- aa (analyze all):
- afl (list the functions found by the analysis):
- uClibc (aka µClibc/pronounced yew-see-lib-see) is a C library for developing embedded Linux systems, much smaller than the GNU C Library.
- Also, the vulnerable strcpy function is found, a well-known C function associated with Stack Buffer Overflow vulnerabilities:
- Checking the source code stack_bof_01.c, the call to strcpy can be seen:
- The goal of the Stack Buffer Overflow attack would be the execution of the function dat_shell, so that the "/bin/sh" shell is launched.
- Finally, the function dat_shell displays a congratulations message once a Buffer Overflow has been performed successfully, as will be seen in the next exercise.
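To make concrete what afl and the source review reveal, here is an added example (constructed for this post, not the DVRF source of stack_bof_01) that places the unbounded strcpy() pattern next to a bounded replacement and an audit check; BUF_SIZE and the input strings are assumptions for the illustration:

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

/* Added example, not the DVRF source: the strcpy() pattern behind
 * stack_bof_01 beside a bounded replacement. BUF_SIZE is an assumed
 * size chosen for this illustration. */
#define BUF_SIZE 200

/* Vulnerable pattern: unbounded strcpy() from caller-controlled input into a
 * fixed-size stack buffer. Input longer than BUF_SIZE - 1 bytes writes past
 * the array into the rest of the frame, which on MIPS includes the saved
 * return address ($ra) that a non-leaf function such as main keeps on the
 * stack. main() below only calls it with input that fits. */
void vulnerable_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* no length check at all */
    printf("vulnerable_copy: copied %zu bytes\n", strlen(buf));
}

/* Hardened replacement: measure first, refuse what does not fit, and never
 * silently truncate (truncation can break later parsing just as badly).
 * Returns 0 on success, -1 if src needs more than dst_size bytes. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strnlen(src, dst_size);  /* stops scanning at dst_size */
    if (n >= dst_size)
        return -1;                      /* no room for the terminator */
    memcpy(dst, src, n + 1);            /* n bytes plus the NUL */
    return 0;
}

/* Audit check: would this input overflow a buffer of buf_size bytes? */
int would_overflow(const char *input, size_t buf_size)
{
    return strnlen(input, buf_size) >= buf_size;
}

int main(int argc, char **argv)
{
    char dst[BUF_SIZE];
    const char *sample = argc > 1 ? argv[1] : "constructed short input";

    if (would_overflow(sample, BUF_SIZE))
        printf("input would overflow a %d-byte buffer; skipping vulnerable_copy\n",
               BUF_SIZE);
    else
        vulnerable_copy(sample);

    if (bounded_copy(dst, sizeof dst, sample) == 0)
        printf("bounded_copy: ok -> \"%s\"\n", dst);
    else
        printf("bounded_copy: rejected oversized input\n");
    return 0;
}
```

When reviewing a binary like this one, the thing to look for in the afl output and the disassembly is exactly this shape: a strcpy (or sprintf, strcat, gets) whose source length is never compared against the destination size before the copy.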
- Disassembling the first 20 lines of the main function:
- However, the previous listing is not very readable, so its appearance can be changed using some of radare2's configuration options.
- Going to the source code of radare2:
- Some of the options are removed and the rest are copied to a new radare2rc file:
- Now the new disassembly reflects much more clearly what happens as the function main executes:
- izz (print all strings): the strings contained in the binary are displayed, for instance the congratulations message shown after the BoF attack succeeds:
- VV (starting an HTTP server on localhost, port 9090):
- Now, pointing the browser at localhost:9090, a visual view of the binary is available: