ANALYSIS WITH RADARE2 OF MIPS ARCHITECTURE
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3eR4kN5YKT_Ep_KBw2A2PgQXXGlrBf40-x9JHpbrTC4EkdlYrz1SwKns_Ln3xnwzoc_3A50twnfkaVqvCghyvyEFIL_e29k0U-mwb_ehnpr1Tk21duEmmLLLy5-zXGgldwW0PWc7zSBH0/s400/layout.jpg)
1 - DAMN VULNERABLE ROUTER FIRMWARE (DVRF)
- DVRF is a firmware that was built vulnerable on purpose, with the goal of providing a simulated learning environment for architectures other than x86.
- DVRF can be found here:
https://github.com/praetorian-inc/DVRF
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmS1V_kutLBFldhCTSb3oJccl6vuI4nc_OgrkkL9GWr4zpN2W8cQtu43DnQxjbt_yAIfLkjynPQoTL4vYp2LoivUVmEmtCNIYQMAhjVaNnI5LnmSsvaDe4Wvq4HibRU_KyMKgc-S9oAfo-/s1600/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh76O2i1YOzfQE4iHDPlz8-ZlVPi7w1GMZiFcH7e7Acgs9Thyphenhyphen5-JvdIX16JKb-G8MCB80Rm8vSf9g5Qkx03uSESS2r06jW2cutd4f3q4rHH3HN9h1VWRgCWfEMb7P1IXnGVplTLcUm8YSDN/s640/screenshot.4.jpg)
- Downloading the firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5ZktSozofB7aA03FcZAQ4iiw9HpQ2k-WG0NiPDiiYhSbgvty1KqZhniZWPzwwsvSIy2xI60koyBsFSKD9_Ytp09xfyEOMGODpX8hnT3gYphb3jDrh3d-cLHWWUhk1YSpkr1JPQmcXUcmw/s1600/screenshot.1.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdYZ5Zf-GnkD0Bvj61J6B4a3rBr-GcanFYaBATsObLeMzHYb-w6eszSByW-74-kCmt7201SLxKA0SGLXFTztYk4HMsuKPOKdLT3-M_oDkAEQzCX20a64yn_PTjNmBIV6ppuziS0fdeLaSc/s1600/screenshot.6.jpg)
- Extracting with binwalk:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0SImTdCDwcK15dteoVrdzX8ir8AW0sjhr-MrKnL4GdFfEACYbclygBxy4QhARG1nmN31hVUK0biKU9xYAwsj6FVmVW3c8UPgNvA5mOg6ycDv88JZuXuKnR9ezQvya4YxqxKTqxy8DkCbL/s1600/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwIXd3CvMCwIj-EISoikkCajQ39GMY7nAselrA2cF7_q-aErxJdZcLQ76CiDPnaBdecUVKmfA0AWitnY7CTATNpKqsfsvbJHiXmleGPJVHYVy4hpi6z7sfsjB1wmuZ6_mtFvcge1CD6TZB/s1600/screenshot.8.jpg)
- Going into the extracted folder, the usual squashfs-root folder is found:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhEdMB0SQSLLcJYdf44MCXlffEb93nzOWSt6BtYj2JSvubF0ujErDf_GoitQ8CaZ4PrJZct5f5e9VMQkd0LcsEEtBY86qGLCJwgwTeYuCqiWVvfd1kN8RL1xmx2ni8ssw6FtxAyf8jMM-O/s1600/screenshot.9.jpg)
- Checking the content of squashfs-root, the full file system is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqI5TTd944QzgpfMz9SOw4ZVN9msvg6jiu3ZQlIeI41RTfPp2PpvYih0UsrPoVOoh2cVg1l74kmHsXYFB4L-WwcUL6gP6kxA-K-LrvPrjlDcjXrFfSNP1bn0OlArqB3rpvRaSxoSpYmGXf/s1600/screenshot.10.jpg)
- The folder pwnable contains some vulnerable binaries, for instance the executable stack_bof_01 that suffers from a Stack Buffer Overflow vulnerability, as its name indicates:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioKzVDAVmh9NVz3sjEePkSLX48j96MnBmPgiXoA023rI1PKKNCQ6_j5Tj38krHfOr0niuVLLi9D-WpsW0NweaJ9PUnTjF7nNY_kBTLJQhBbk0g3MGZAfHkfEeKgGgRarUfiV9C5NKbb4fw/s1600/screenshot.14.jpg)
2 - ANALYZING THE BINARY WITH RADARE2/R2
- radare2/r2 is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line.
- Built around a disassembler, which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems.
https://github.com/radare/radare2
https://radare.org/r/
https://en.wikipedia.org/wiki/Radare2
- rabin2 is a tool that is part of the Radare2 framework, useful for extracting information from executable binaries like ELF, PE, Java CLASS, MACH-O. It's used from the core to get exported symbols, imports, file information, xrefs, library dependencies, sections, ...
https://github.com/radare/radare2/wiki/Rabin2
- Using rabin2 to obtain information about stack_bof_01, for instance that the file is intended to run on the MIPS architecture:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGhfCyOiG3KjL9zHNuznrU-u_KSXwpjmzme93KESLoAlNuSKXFoqzzzqUVA9hWiCCbPkAHO7w2a19I5YJKkXRS0Sc90Fg2oQB132NNzC_DQnmxPI4VGb5DdQbnIjnzkQqcN5TihAbzCU_I/s1600/screenshot.15.jpg)
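What rabin2 reads in order to report the architecture, as an added example that is not code from the post or from radare2: a minimal ELF32 header decoder in C. The names elf32_info and machine_name are hypothetical, and the header it parses is constructed for the example (a big-endian MIPS executable), not bytes taken from stack_bof_01.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical mini "rabin2 -I": decodes only the ELF32 header fields
 * needed to answer which CPU and byte order a binary is built for. */
typedef struct {
    int valid;          /* 1 once the magic, class and data encoding are accepted */
    int big_endian;     /* EI_DATA == 2 (ELFDATA2MSB) */
    uint16_t e_type;    /* 2 = ET_EXEC, 3 = ET_DYN (PIE / shared object) */
    uint16_t e_machine; /* 3 = EM_386, 8 = EM_MIPS, 40 = EM_ARM, 62 = EM_X86_64 */
    uint32_t e_entry;   /* entry point virtual address */
} ElfInfo;

/* Field reads honour the byte order declared in e_ident[EI_DATA]. */
static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

ElfInfo elf32_info(const uint8_t *buf, size_t len) {
    ElfInfo info = {0};
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return info; /* ELF32 header is 52 bytes */
    if (buf[4] != 1) return info;                 /* EI_CLASS must be ELFCLASS32 */
    if (buf[5] != 1 && buf[5] != 2) return info;  /* EI_DATA: 1 = LSB, 2 = MSB */
    info.big_endian = (buf[5] == 2);
    info.e_type    = rd16(buf + 16, info.big_endian);
    info.e_machine = rd16(buf + 18, info.big_endian);
    info.e_entry   = rd32(buf + 24, info.big_endian);
    info.valid = 1;
    return info;
}

const char *machine_name(uint16_t m) {  /* subset of e_machine values */
    return m == 3 ? "x86" : m == 8 ? "mips" : m == 40 ? "arm" : m == 62 ? "x86-64" : "unknown";
}

/* Constructed sample header (not bytes from the DVRF binary): ELF32,
 * big-endian, ET_EXEC, EM_MIPS, entry 0x4005a0; trailing fields left zero. */
const uint8_t SAMPLE_MIPS_BE[52] = {
    0x7f, 'E', 'L', 'F', 1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02,             /* e_type    = ET_EXEC */
    0x00, 0x08,             /* e_machine = EM_MIPS */
    0x00, 0x00, 0x00, 0x01, /* e_version = 1 */
    0x00, 0x40, 0x05, 0xa0, /* e_entry   = 0x4005a0 */
};
```

Feeding it the first 52 bytes of a real ELF32 file gives the same class, endianness and machine that rabin2 prints; anything that is not ELF32 comes back with valid == 0.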
- Now, applying the analyzer radare2 to stack_bof_01:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidjE-YIgyg4M6RnHNQ0bkuAhajWxb0WpafotG4nXuKZ3jTJyiUoy4raNpSApLBqC_W7viobYn00zCvA2p-cwnG9p2DmvL-icO3F-iaZcX6hZf29j-hFX8neovf-SXyxb2zF6mQaMHoRICH/s1600/screenshot.16.jpg)
- aa (analyze all):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIb7z_Ba_cMkO2jtshC-jr26FZbT5xu1hfDY3-flepH4FXszH2wOuN068ZMliT0N22NqJ4il1Z77Rm7AFVhf6QSG69eriN-7MRdkB-ZCUrkgWHTaB8oO6UPlYdERVxQa237W0Vm0U8cNDg/s400/screenshot.17.jpg)
- afl (analyze functions):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuLEOkB1zH78c6u8eiSvfj8iVEDnDo2QLnXlH_U47iIwezT75P3DIhlM3R8gWib-ieEO_7R_S0Twla4YBKofZ7YrK-1RMMrPJvFoPMM4BASLIXvTFA-tnrFR0u35qeJf0sBjgTQOdPP3wf/s1600/screenshot.18.jpg)
- uClibc (aka µClibc/pronounced yew-see-lib-see) is a C library for developing embedded Linux systems, much smaller than the GNU C Library.
https://www.uclibc.org/about.html
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN5w7TgZtLsqs7oG3eii1tKZuZr7IoBbrFuN_EgT7qPyZ0PLM1SJDOKks3GsuXtnHDgP6Di2z6BN6spqqMrM-F2B6ZnrNa-7HxBeAnm7LaI2pYdttVDMLiLcg3-Uoiftv_uX14WkHLHsaR/s1600/screenshot.20.jpg)
- Also, the vulnerable strcpy function is found, a well-known C function associated with Stack Buffer Overflow vulnerabilities:
https://en.wikipedia.org/wiki/Stack_buffer_overflow
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFKZ-8CLrfZDjYBv96rfrkDRhUF33SswakJkrtA4FtlqmOMS_S7WSqBz7xYReG5WDT3oMl9XQ_HByTr1Nl47Yt-he1W3TeF84NQWlYm_DjyIa8BD0srPozH0z2vZBl62l-vAi6RuiB3fW/s1600/screenshot.19.jpg)
- Checking the source code stack_bof_01.c, the strcpy call can be spotted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOCWFsKCk6F1BdiMNLAO7f_r1mzxvOC5kZxo468b67_IQLAIuI8pY84z97UVJVMe2k6WjnAN9GBynKKgNMMxoy0p4NtXQIWzwjzgisz4wjtVQQts4TWMirAdfZtkyc9NdGERsfhnVkzTX0/s1600/screenshot.21.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilMwFQNfPD814ecRkvzPPj2OdXBfEC7OjjBS_r2qkuC2bQlL8hKRlWZrvCrAcybmKt1s0D4FvtHZAcKUn35hStCntHvggGsBn0c9H-oZbGvDzs7wdL6CXFYua8tW4yKVxbC8m8CSUs05q5/s400/screenshot.22.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpeA2rNi4LJSQSQYMxV6xGTS1S7huhWtE22pQ5a8CkRp-Joo4yo9vRWzwOC8eTqf0oRzQ64Nr1EdPoZGK-yqViG1Um7cQRy8WWC-geP57JSWmBp0Wo4cAkdxh8QPw5CYwgdyYvAFaTXQAn/s400/screenshot.23.jpg)
- The goal of the Stack Buffer Overflow attack would be the execution of the function dat_shell so that the "/bin/sh" shell is launched.
- Finally, the function dat_shell displays a congrats message once a Buffer Overflow has been performed successfully, as will be seen in the next exercise.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv4uxWsmhcgb-xwSes2yjZkxHeQ52-y4us5ilXKESFr9zB1ucwlaShwzKydfOMGsxgfpDTHy6BdBef1BObkTGt423FXXKlb5i5lhS0KXFr_jYW3bIqcsRUVeY5L2N6b_1sv2N01dQrSEk_/s320/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU7areegHm1DBoJW9FbVIM71OFclcWmmzzPmfNSMy4yu7Ko5fkpQkVOy6cn4hbmaPoSowcfQisNs_ZRUHIOWzUvo12MVYFpVeN_CEMtocDppa7nfn2t50r3_GkgmzDwroouuubNjer3xqm/s1600/screenshot.24.jpg)
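Added example, not code from DVRF or from the post: the unbounded strcpy pattern the exercise is built around, next to a bounded copy that rejects input that would not fit. The function names vulnerable_copy, safe_copy and fill_input and the 200-byte BUF_SIZE are assumptions for illustration, not taken from stack_bof_01.c.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for this illustration; stack_bof_01.c defines its own. */
#define BUF_SIZE 200

/* The pattern behind stack_bof_01: an unbounded strcpy of caller-supplied
 * input into a fixed-size stack buffer. strcpy stops only at the NUL byte,
 * so input of BUF_SIZE bytes or more writes past buf into the saved
 * registers and return address above it. Call it only with input that fits. */
int vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);               /* no bound: the defect the exercise is built around */
    return (int)strlen(buf);
}

/* Hardened form: find the terminator within BUF_SIZE bytes first, reject
 * input that has none (it could not fit together with its NUL), and copy
 * with an explicit length. Returning -1 instead of silently truncating keeps
 * the failure visible to the caller. */
int safe_copy(const char *input) {
    char buf[BUF_SIZE];
    const char *end = memchr(input, '\0', BUF_SIZE); /* reads at most BUF_SIZE bytes */
    if (end == NULL) return -1;                      /* >= BUF_SIZE chars: would overflow */
    size_t n = (size_t)(end - input);                /* n <= BUF_SIZE - 1 */
    memcpy(buf, input, n + 1);                       /* n + 1 <= BUF_SIZE, NUL included */
    return (int)n;
}

/* Builds an input of `len` 'A' bytes into out (out must hold len + 1 bytes),
 * standing in for the long argv[1] that a crash test would pass. */
void fill_input(char *out, size_t len) {
    memset(out, 'A', len);
    out[len] = '\0';
}
```

Compiling the vulnerable form with -fstack-protector turns the overflow into an abort rather than a jump to dat_shell, but the bounded copy removes the defect instead of merely detecting it.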
- Disassembling the first 20 lines of the main function:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPdQ_nlCPYw25-HxwkLxpbFv7xcoMSPNdbUwZO_tlFq_G27afT3Wc3F-7iie3syKbQ0fT-oLmDYv8t4RAkoaiUucA6OzO7ihOjFwDS8359GDWFTKvMqvDgD3z3mbEvFtEXisZ60wePuRDv/s1600/screenshot.26.jpg)
- However, the look of the previous listing is not very convenient, so it can be changed using some of the configuration options of radare2.
- Going to the source code of radare2:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHP_lPFdeVwHO3kbBIbDOzzHYD2Ud0jwe_cwFkhHZHaeK4cESpQpL8rxhqe0d8_-VNngweQ1MzJ655kHxGf8iuOjAjxP9o-sSMi-kLRoFuupWuyzB2oVcS6pCFqC7_aqiQy8NWfchDpSV6/s1600/screenshot.27.jpg)
- Some of the options are removed and the rest are copied to a new file, radare2rc:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXUxXJi82YsgTGSd5htSuSqW_qkRKa5A3joxvEZcPP_uROPKQ4FEBQfQWofQbrGiQ0mAteXRSzkps8m6Z1exwvnQNJRiKO7vXm5B1FyXO_PZMf_FP9dY-1cTspT1-XRA_uSfEQxKqFTkKU/s1600/screenshot.29.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3oEKjBV_cjutkrYFsg3hhn6-fNCv1pSUZ7xr10auwx1rnVA0l0vs4AxGoIVb8YmcgF7Fe8Mmnu2YagDuDe_tuyxAu7jBzF6lXNTmC__Orlbu-thO3WPo1E4ydLXuEYos4I0JCDT30GCnp/s1600/screenshot.28.jpg)
- Now the new look of the disassembled code shows more clearly what happens as the function main executes:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5ak2Uafme7_SBHjuJJ2ZAnOZJuinK8rXtju1u_k50vvK9jveobpSb0nAsNZs_sWAeswS7YoqQg5LftG1TxcOJF-pIdxeI1sNIk4NXvYoBjiTAkgm16sSgyeprEQq1iQZrMeHqLdmEjn0p/s1600/screenshot.30.jpg)
- izz (print all the strings): the strings that are part of the binary are displayed, for instance the congrats message shown after the BoF attack succeeds:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfYvHKZEOwEIwQxOXx40NWvPQwxQKnQrJzygolmrdu4y7KCmJzoM576BGeRr3EipjY45CXcVYZvW-7Zmo7ut_pc-RIjdNBaIcoc84x3927w9lPRzr2l9n8Ofz1OP3ZLXy_QSSkfXOC4oo5/s1600/screenshot.31.jpg)
- VV (starting an HTTP server on localhost, port 9090):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQBLRDqoiTSWFq-EX0gjY_p5w3ppFv1jqD9DgJLRwRrKOIlg8H2Iv26h6vb0qb3L8SUmYQ24i6j6z0M3x9-8UnZNeiOH3ZxL0DvvM3cC1TyTwE8204WNLnEcF9UC1W4a7ez2PTfwKncbf6/s400/screenshot.32.jpg)
- Now, connecting the browser to localhost:9090, a visual mode of the binary is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrHG2oArOF6z-00QZKV49LqTm9xX4WwXPiwlZpBuhMgiLvU_tj0BYxV4pooqBp534akK4219XWK0Gikkal-S-oGovbZWc979yXGQv-7ZEklMePjm_IKy8aGuiJ5eilUtkF21gihfPrrZeB/s1600/screenshot.33.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2IAr4wOuhaAXIMV4_jZ6kkPa8FtpM-Ucr1wkMV2LZSCRIqLIQTwfivqOyl275CMzOzSHCEJNyQGkKPauhTEvFxh6U5k2zuWdui6awtTZLqpPVgpbm1QyAsJk4k4UPMvzLV3ieugIbs-ly/s1600/screenshot.34.jpg)