hacktracking: # Enabling lina debug mode

# Enabling lina debug mode

Preparing .gdbinit

# r2 lina
[0x0804d520]> aar
[0x0804d520]> s sym.imp.setitimer
[0x0804cf94]> vp
  |||||||   ;-- imp.setitimer:
  |||||||   ; CALL XREF from 0x08c8ff2b (unk)
  |||||||   ; CALL XREF from 0x08c8ffc8 (unk)
  |||||||   ; CALL XREF from 0x08c900d8 (unk)
  |||||||   ; CALL XREF from 0x08c9011e (unk)
  |||||||   0x0804cf94      ff253c93bc09   jmp dword [reloc.setitimer_60] ; reloc.setitimer
  |||||||   0x0804cf9a      6878060000     push 0x678
  ========< 0x0804cf9f      e9f0f2ffff     jmp 0x804c294               ;[1]
:> s 0x08c900d8
            0x08c900d8      e8b7ce3bff     call sym.imp.setitimer      ;[1]
            0x08c900dd      c9             leave
            0x08c900de      c3             ret
            0x08c900df      90             nop
            ; CALL XREF from 0x0805e9ba (unk)
            ; CALL XREF from 0x08c91ed9 (unk)
            0x08c900e0      55             push ebp
            0x08c900e1      89e5           mov ebp, esp
            0x08c900e3      83ec28         sub esp, 0x28               ; '('
            0x08c900e6      8b0da46ad109   mov ecx, dword [0x9d16aa4]  ; [0x9d16aa4:4]=0x4c
            0x08c900ec      81f93f420f00   cmp ecx, 0xf423f
        ,=< 0x08c900f2      7f34           jg 0x8c90128


# cat .gdbinit
set debug remote 1
set disassembly-flavor intel
target remote /dev/ttyUSB0
# Patch the watchdog
set *0x9d16aa4=0
file ~/lina

Option 1: Modifying the rootfs

# cat enable_gdb.sh
#!/bin/bash

binary="$1"
rfs='rootfs.img'
rfsgz="$rfs.gz"
d='extracted'
rcs='asa/scripts/rcS'

cp $binary $binary.orig

echo "[+] cp $binary $binary.orig"

offset=`binwalk -y='gzip' $binary | grep rootfs | awk '{print $1}'`
end=`binwalk --raw='\x0b\x01\x64\x00\x00' $binary | grep 00 | tail -n 1 | awk '{print $1}'`

size=`expr $end - $offset`

echo "[+] $binary"
echo "[+] \__ $rfsgz - $size bytes"

dd if=$binary of=$rfsgz skip=$offset count=$size bs=1

echo "[+] $binary >> $rfsgz"

mkdir $d
cd $d
gunzip -c ../$rfsgz | cpio -i --no-absolute-filenames --make-directories
gzip -f -d ../$rfsgz
mv ../$rfs .
echo "[+] $rfsgz ~ $rfs"

sed -i 's/#\(.*ttyUSB0.*\)/\1/' $rcs
sed -i 's/ttyUSB0/ttyS0/' $rcs

echo "[+] gdb enabled in $rcs"

echo "$rcs" | cpio --format='newc' -o --append -F $rfs

echo "[+] $rfs updated"

gzip -f -9 $rfs
mv $rfsgz ../.

echo "[+] $rfs ~ $rfsgz"

cd ..
rm -rf $d

nsize=`stat -c%s $rfsgz`
sizediff=`expr $size - $nsize`

dd if=/dev/zero count=$sizediff bs=1 conv=notrunc,noerror status=noxfer >> $rfsgz
nsize=`stat -c%s $rfsgz`
dd if=$rfsgz of=$binary seek=$offset count=$nsize bs=1 conv=notrunc,noerror

echo "[+] $rfsgz >> $binary"

rm $rfsgz

echo "[+] Done!"

# ./enable_gdb.sh asa842-k8.bin
[+] cp asa842-k8.bin asa842-k8.bin.orig
[+] asa842-k8.bin
[+] \__ rootfs.img.gz = 23628432 bytes
[+] asa842-k8.bin >> rootfs.img.gz
[+] rootfs.img.gz ~ rootfs.img
[+] gdb enabled in asa/scripts/rcS
[+] rootfs.img updated
[+] rootfs.img ~ rootfs.img.gz
[+] rootfs.img.gz >> asa842-k8.bin
[+] Done!

# # Checksum bypass
# scp -oKexAlgorithms=+diffie-hellman-group1-sha1 asa842-k8.bin admin@asa:asa842-k8-gdb.bin
# gdb

asa(config)# boot system disk0:/asa842-k8-gdb.bin
asa(config)# wr
asa(config)# reload

...
SMFW PID: 479, SMFW started in mode 0
SMFW PID: 481, Starting /asa/bin/lina under gdbserver /dev/ttyS0
SMFW PID: 479, started gdbserver on member: 481//asa/bin/lina
SMFW PID: 479, created member ASA BLOB, PID=481
Process /asa/bin/lina created; pid = 484
Remote debugging using /dev/ttyS0

Option 2: Modifying kernel boot parameters

# r2 -w asa842-k8.bin
[0x00000000]> / quiet
[0x00000000]> s hit0_1
[0x017ed8dc]> px
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x017ed8dc  7175 6965 7420 6c6f 676c 6576 656c 3d30  quiet loglevel=0
0x017ed8ec  2061 7574 6f20 6b73 7461 636b 3d31 3238   auto kstack=128
[0x017ed8dc]> w rdinit=/bin/sh        k
[0x017ed8dc]> px
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x017ed8dc  7264 696e 6974 3d2f 6269 6e2f 7368 2020  rdinit=/bin/sh
0x017ed8ec  2020 2020 2020 6b73 7461 636b 3d31 3238        kstack=128

# # Checksum bypass
# scp -oKexAlgorithms=+diffie-hellman-group1-sha1 asa842-k8.bin admin@asa:asa842-k8-binsh.bin
# gdb

asa(config)# boot system disk0:/asa842-k8-binsh.bin
asa(config)# wr
asa(config)# reload

...
Freeing unused kernel memory: 156k freed
Write protecting the kernel text: 1716k
Write protecting the kernel read-only data: 504k
/bin/sh: can't access tty; job control turned off
# sed -i 's/#\(.*\)ttyUSB0\(.*\)/\1ttyS0\2/' /asa/scripts/rcS
# exec /sbin/init

...
SMFW PID: 479, SMFW started in mode 0
SMFW PID: 481, Starting /asa/bin/lina under gdbserver /dev/ttyS0
SMFW PID: 479, started gdbserver on member: 481//asa/bin/lina
SMFW PID: 479, created member ASA BLOB, PID=481
Process /asa/bin/lina created; pid = 484
Remote debugging using /dev/ttyS0

References

http://www.slideshare.net/CanSecWest/csw2016-wheeler-barksdalegruskovnjakexecutemypacket
http://2014.ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf
https://community.rapid7.com/community/metasploit/blog/2016/06/14/asa-hack
https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/

# Enabling lina debug mode

No comments: