Monday, May 22, 2017

12 - Cracking the root password and connecting via SSH to the KANKUN SMART PLUG


- Layout for this exercise:

1 - Cracking the root password with John The Ripper

- This exercise is based on the previous one, where the firmware of Kankun Smart Plug was extracted:

- Checking the interesting contents of the file system, for instance the passwords file /etc/passwd:

- Also, the encrypted file for passwords is /etc/shadow:

- Before using John The Ripper to decrypt the passwords, let's unshadow /etc/passwd and /etc/shadow creating a file test:

unshadow combines /etc/passwd and /etc/shadow:

- Using John The Ripper for decryption, the root password is p9z34c:

2 - Connecting to the network created by Kankun Smart Plug

- When the Smart Plug is plugged, and after 20 seconds of solid blue light, it starts blinking slowly:

- At that time Kankun works as a hotspot or Access Point creating a WiFi network of SSID OK_SP3.

- The device used in this exercise is an Ubuntu virtual machine hosted by a Windows 10, what detects the newly created WiFi network OK_SP3:

- The characteristics of the wireless network OK_SP3:

- The Virtual Machine is attached with the mode Bridged Adapter, so that it is networked directly to OK_SP3:

- Once inside the Ubuntu virtual machine we notice that Kankun (acting as Access Point) assigns an IP to Ubuntu:

3- Accessing via SSH

- From Ubuntu, connected to the network ( of the hotspot Kankun, let's discover any other host:

- The host corresponds to the Kankun Smart Plug, acting as gateway for all possible connected devices to OK_SP3. Pinging it from Ubuntu:

- Let's scan ports of Kankun:

- Once detected that SSH port 22 is open, let's try to connect to Kankun via SSH, taking advantage that we know the root password of the device (p9z34c):

- The connection has all the privileges of the user root:

- Checking the IP of Kankun:

- We have access to the whole root file system of the Kakun Smart Plug:

11 - Extracting and analyzing firmware of KANKUN SMART PLUG


- Layout for this exercise:

1 - Getting the mobile application

- As the product booklet indicates, this is the downloading page for the mobile application software smartwifi.apk:

2 - Decompiling the mobile application with jadx

- Once smartwifi.apk downloaded, let's decompile the apk file with jadx:

- Copying the .apk into the folder /jadx/bin:

- Decompiling, the original Java source code of the application is available:

- Although several error messages are prompted to the user, eventually a new folder smartwifi is created:

- Copying the newly created folder to ~/kankun:

- Going into the folder smartwifi there are the Java class files of the mobile application:

3 - Getting the firmware

- Examining the contents of AndroidManifest.xml we find that the package of the applications is hangzhou.zx:

- Going into hangzhou:

- Going into zx:

- Opening

- There is a very interesting line that gives us a hint about where to download the firmware from:

- Downloading the firmware with wget:

- Now, the firmware of the application kkeps.bin is available for further study and analysis:

- Checking the file type:

4 - Extracting the root file system with binwalk

- Extracting the file system of the binary (LZMA compressed and Squashfs filesystem):

- A new folder _kkeps.bin.extracted is available:

- Going into _kkeps.bin.extracted there is the root file system squashfs-root:

- Going into squashfs-root the entire root file system is found:

Tuesday, May 2, 2017

10 - Buffer Overflow exploitation on MIPS architecture emulated with QEMU by remote debugging with GDB


- Layout for this exercise:

1 - Introduction

- This exercise is based on the previous one, where the source code of the binary stack_bof_01 (belonging to DVRF) was analyzed.

- In this case we will try to exploit the Buffer Overflow vulnerability present on the file, due to the usage of the strcpy function.

The executable stack_bof_01 is intended for a MIPS architecture, and it is emulated with qemu-mipsel by enabling chroot command.

- Let's pass to the program a simple parameter like asdfg:

- The answer corresponds to this part of the source code of the program:

2 - Remote debugging with gdb-multiarch 

- Let's install the package gdb-multiarch, what is a version of the GNU Debugger with support for multiple artchitectures:

- The program is emulated again, now with the parameter AAAA and the option "-g 1234", meaning that the file is going to be debugged remotely at port 1234:

- Running the debugger gdb-multiarch in a quiet mode (-q):

- Setting the architecture option for MIPS:

- The remote target will be the Qemu instance launched before, that is running locally at the port 1234:

- Continuing the execution:

- The usual output is displayed:

3 - Preparing the attack

- Now, in order to prepare the attack, let's examine the functions of the binary. Specifically, because we are interested to control the flow of the program to execute the function dat_shell, let's notice that this function starts at 0x004000950:

- Also:

- In order to overwrite the buffer, let's use a pattern of 300 characters generated by a Perl script like this:

- Copying the pattern, and pasting it as a parameter to the program:

- Debugging again:

- Continuing the execution, there is a segmentation fault at 0x41386740, a non executable area of memory:

- As before, the usual message is displayed:

- Examining the registers, we see that the PC (Program Counter) has been overwritten with the 0x41386741 direction:

- Converting the hexadecimal number 0x41386741 into ASCII:

- After reversing A8gA to Ag8A, locating it into the pattern, there is an offset of 204:

- Marking Ag8A into the pattern:

4 - Launching the exploitation

- The key concept to perform the attack is that the buffer must be rewriten with the first 204 characters (all characters before Ag8A) followed by the address of the function dat_shell().

- Now, creating a new pattern of just 204 characters and copying them:


- Instead of choosing the beginning address of dat_shell(), let's pick four more advance instructions (0x0040095c). Otherwise the exploit does not work, and to be honest I don't understand why:

- Crafting a new parameter, composed of the 204 set of characters of the pattern, plus echoing 0x0040095c in a Little Indian format with option -e, to enable the interpretation of backslash escapes:

- Let's pass the argument to the program:

- Setting a breakpoint at the function dat_shell():

- Remote debugging again:

- Continuing the execution:

- At this point let's have a look at the registers. Now the PC has been loaded with the function dat_shell():

Eventually the buffer overflow attack is successful because dat_shell() function is executed:

- Remembering the code for the function data_shell():