Tuesday, May 2, 2017

9 - Analysis of a MIPS architecture binary with RADARE2


- Layout for this exercise:


- DVRF (Damn Vulnerable Router Firmware) is a firmware image that was built vulnerable on purpose, with the goal of providing a simulated learning environment for architectures other than x86.

- DVRF can be found here:

- Downloading the firmware:

- Extracting with binwalk:

- Going into the extracted folder, the usual squashfs-root folder is found:

- Checking the content of squashfs-root, the full file system of the router is available:

- The folder pwnable contains several vulnerable binaries, for instance the executable stack_bof_01, which, as its name indicates, suffers from a stack buffer overflow vulnerability:


- radare2/r2 is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line. 

- Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems.

- rabin2 is a tool that is part of the Radare2 framework, useful for extracting information from executable binaries like ELF, PE, Java CLASS, MACH-O. It's used from the core to get exported symbols, imports, file information, xrefs, library dependencies, sections, ...

- Using rabin2 (rabin2 -I) to obtain information about stack_bof_01, for instance that the file is an ELF intended to run on the MIPS architecture:

- Now, opening stack_bof_01 in radare2 for analysis:

- aa (analyze all):

- afl (list the functions found by the analysis):

- uClibc (aka µClibc/pronounced yew-see-lib-see) is a C library for developing embedded Linux systems, much smaller than the GNU C Library.

- Also, an import of strcpy is found. strcpy copies until it meets the terminating NUL byte and performs no bounds check on the destination, which makes it a classic source of stack buffer overflow vulnerabilities:

- Checking the source code stack_bof_01.c, the call to strcpy can be seen, copying the user-supplied argument into a fixed-size buffer on the stack:

- The goal of the stack buffer overflow attack is to redirect execution to the function dat_shell, which is never called by the program itself and launches a "/bin/sh" shell.

- Finally, the function dat_shell displays a congrats message once the buffer overflow has been performed successfully, as will be seen in the next exercise.
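As an added example (not DVRF's own stack_bof_01.c, whose exact source is only shown in the screenshot), the following C program reconstructs the pattern described above: strcpy from argv[1] into a fixed stack buffer, with a never-called dat_shell as the target, next to a bounded copy that refuses over-long input. BUF_SIZE, the messages and the function names other than dat_shell are assumptions chosen for illustration, not values taken from the real binary.

```c
/*
 * Added example, not DVRF's stack_bof_01.c: a reconstruction of the pattern
 * the post describes (strcpy from argv[1] into a fixed stack buffer, with a
 * never-called dat_shell as the target) next to a bounded copy that refuses
 * over-long input. BUF_SIZE and the messages are assumptions for
 * illustration, not values taken from the real binary.
 */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed size; the real buffer size is not stated on this page */

/* Never reached by normal control flow. On MIPS o32, main is a non-leaf
 * function, so it spills $ra to its stack frame above the local buffer;
 * an overflow that rewrites that slot with this address lands here. */
void dat_shell(void)
{
    puts("Congrats! I will now execute /bin/sh");
    /* The real target calls system("/bin/sh"); left out so this example is harmless. */
}

/* Vulnerable form: strcpy copies until the source NUL byte and knows nothing
 * about the size of dst, so any argument of BUF_SIZE bytes or more overwrites
 * whatever sits above the buffer in the frame. */
void vulnerable_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: check the length first, then copy with an explicit bound.
 * Returns 0 on success, -1 if src plus its terminator does not fit.
 * Rejecting is preferable to the silent truncation strncpy would give. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 includes the NUL terminator */
    return 0;
}

/* The check a tester applies to a candidate input before sending it to the
 * target: 1 if it would overflow a buffer of bufsz bytes, else 0. */
int overflows(const char *input, size_t bufsz)
{
    return strlen(input) >= bufsz;
}

/* Process one input the way main does, but return the outcome instead of
 * exiting: 0 if accepted, -1 if rejected. */
int process_input(const char *input)
{
    char buf[BUF_SIZE];
    return bounded_copy(buf, sizeof buf, input);
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
#ifdef VULNERABLE
    vulnerable_copy(buf, argv[1]);          /* -DVULNERABLE reproduces the bug */
#else
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "input of %zu bytes rejected, buffer holds %d\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
#endif
    puts("Try Again");
    return 0;
}
```

Build natively with cc -o bof bof.c, or with -DVULNERABLE to keep the strcpy path; the hardened path refuses any argument of BUF_SIZE bytes or more instead of letting it reach the saved return address. Cross-compiling it for the MIPS target is outside the scope of this page.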

- Disassembling the first 20 instructions of the main function (pd 20 @ main):

- However, the default disassembly output is cluttered, so it can be adjusted through radare2's configuration variables (the e command), which can be kept permanently in a radare2rc file:

- Going to the source code of radare2:

- Some of the options are removed and the rest are copied to a new file, radare2rc, which radare2 reads at startup:
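As an added example (not the file from the post, which is only visible in the screenshot), a minimal radare2rc made only of e commands; which options to keep is an assumption about what a cleaner listing needs, and each line could equally be typed at the r2 prompt:

```r2
# Added example of a ~/.radare2rc; comment lines start with '#'
# Output
e scr.color=1
# Draw lines and arrows with UTF-8 box characters
e scr.utf8=true
# Hide the raw opcode bytes column, which takes space on 4-byte MIPS instructions
e asm.bytes=false
# Draw jump/branch arrows between instructions
e asm.lines=true
# Show cross references pointing at each address
e asm.xrefs=true
# Keep radare2's own comments (strings, symbol names)
e asm.comments=true
# Add a short description of each instruction, handy while learning MIPS mnemonics
e asm.describe=true
# ESIL emulation comments: computed register values next to each instruction
e asm.emu=true
# Set to true for C-like pseudo syntax instead of raw MIPS mnemonics
e asm.pseudo=false
```

Any of these can be toggled back during a session with e, and e asm.? lists the rest of the disassembly options with a one-line description of each.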

- Now the disassembly is much easier to read, and it reflects clearly what happens as the function main executes:

- izz (print all strings found in the binary): for instance, the congrats message shown after the BoF attack is successfully performed:

- =H (starting radare2's built-in HTTP server, which by default listens on localhost, port 9090; note that VV is a different command, the interactive ASCII graph view inside the terminal):

- Now, pointing the browser at localhost:9090, a visual mode of the binary is available: