Security Blog

The goal of the DVRF project is to simulate a real-world environment to help people learn about other CPU architectures outside of the x86_64 space. The project will also help people get into discovering new things about hardware. As of now this DVRF firmware is tailored for the Linksys E1550 Device. If you do not have one don’t worry! Ready to get a jump start on learning aspects of embedded device hacking for exploit development? If so, this project is for you.

Now that v0.1 has been released for DVRF, I wanted to make this post to help people get started with DVRF even if they don't have an E1550 in hand. For this post we'll be going over how to use DVRF with QEMU.

To get started you'll need to do the following:

-- CODE lang-shell --$ sudo apt-get install qemu-user-static
Reading package lists… Done
Building dependency tree      
Reading state information… Done
The following NEW packages will be installed:
 qemu-user-static
0 upgraded, 1 newly installed, 0 to remove and 25 not upgraded.
Need to get 0 B/7,795 kB of archives.
After this operation, 79.4 MB of additional disk space will be used.
Selecting previously unselected package qemu-user-static.
(Reading database ... 173955 files and directories currently installed.)
Preparing to unpack .../qemu-user-static_2.0.0+dfsg-2ubuntu1.21_amd64.deb ...
Unpacking qemu-user-static (2.0.0+dfsg-2ubuntu1.21) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Setting up qemu-user-static (2.0.0+dfsg-2ubuntu1.21) ...

Once you have qemu-user-static installed you'll next want to install Binwalk. Make sure to follow the instructions so you have all of the dependancies needed to extract the squash-fs within the DVRF binary. Once Binwalk is installed you will also want to download the uClibc Buildroot tar file. This is crucial since this is going to be your bread and butter for cross compiling and also debugging, especially if you don't have IDA. To get started do the following:

-- CODE lang-shell --$ wget https://buildroot.org/downloads/buildroot-2015.11.1.tar.gz
––2016-01-20 22:53:34––  https://buildroot.org/downloads/buildroot-2015.11.1.tar.gz
Resolving buildroot.org (buildroot.org)... 140.211.167.224
Connecting to buildroot.org (buildroot.org)|140.211.167.224|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5460407 (5.2M) [application/x-gzip]
Saving to: ‘buildroot-2015.11.1.tar.gz’

100%[======================================>] 5,460,407   87.5KB/s   in 57s    

2016-01-20 22:54:33 (92.7 KB/s) - ‘buildroot-2015.11.1.tar.gz’ saved [5460407/5460407]

$ tar xzf buildroot-2015.11.1.tar.gz
$ cd buildroot-2015.11.1/

b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ ls
arch   build      Config.in.legacy  docs   Makefile         README   toolchain
board  CHANGES    configs           fs     Makefile.legacy  support
boot   Config.in  COPYING           linux  package          system

Now you're going to type make menuconfig and when it's done you're going to see the following:

Under Target you're going to select MIPS little endian, ELF, and mips32. Soft float can be enabled since for now it doesn't matter for the exercises I have under /pwnables.

Under Toolkit you'll want to set the C Library to uClibc since the binary is compiled with this library and most devices you'll come across will be using this C library.

Also under Toolkit you'll want to enable "Build cross gdb for the host." This will create a gdb binary that will run on your host (e.g. x86_64) but will support your target Architecture (e.g. MIPS). This is helpful for debugging applications when using the -g argument in Qemu.

Make sure to save your configuration changes so that your toolkit will compile for the right Architecture we've chosen.

Now feel free to either explore what other options the toolkit can provide or exit the menu and type "make" but be warned that this process does take a while so it might be a good time to go grab a cup of coffee and also make sure you have an internet connection since this process will download tar files that are needed for compiling.

-- CODE lang-shell --b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ make menuconfig

*** End of the configuration.
*** Execute 'make' to start the build or try 'make help'.

b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ make
/usr/bin/make -j1  HOSTCC="/usr/bin/gcc" HOSTCXX="/usr/bin/g++" silentoldconfig
make[1]: Entering directory /home/b1ack0wl/DVRF/buildroot-2015.11.1'
mkdir -p /home/b1ack0wl/DVRF/buildroot-2015.11.1/output/build/buildroot-config/lxdialog
[...Truncated…]

Once the toolkit has finished compiling you'll see a new folder called output. This is where the toolkit compiled, but we'll only care about what's been compiled into the host folder within output.

-- CODE lang-shell --b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ ls
arch   build      Config.in.legacy  dl    linux            output   support
board  CHANGES    configs           docs  Makefile         package  system
boot   Config.in  COPYING           fs    Makefile.legacy  README   toolchain
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ cd output/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output $ ls
build  host  images  staging  target
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output $ cd host/usr/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr $ ls
bin  include  lib  libexec  mipsel-buildroot-linux-uclibc  share  x86_64-unknown-linux-gnu
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr $ cd bin/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr/bin $ ls *-build*
mipsel-buildroot-linux-uclibc-addr2line          mipsel-buildroot-linux-uclibc-gcov
mipsel-buildroot-linux-uclibc-ar                 mipsel-buildroot-linux-uclibc-gdb
mipsel-buildroot-linux-uclibc-as                 mipsel-buildroot-linux-uclibc-gprof
mipsel-buildroot-linux-uclibc-cc                 mipsel-buildroot-linux-uclibc-ld
mipsel-buildroot-linux-uclibc-cc.br_real         mipsel-buildroot-linux-uclibc-ld.bfd
mipsel-buildroot-linux-uclibc-c++filt            mipsel-buildroot-linux-uclibc-ldconfig
mipsel-buildroot-linux-uclibc-cpp                mipsel-buildroot-linux-uclibc-ldd
mipsel-buildroot-linux-uclibc-cpp.br_real        mipsel-buildroot-linux-uclibc-nm
mipsel-buildroot-linux-uclibc-elfedit            mipsel-buildroot-linux-uclibc-objcopy
mipsel-buildroot-linux-uclibc-gcc                mipsel-buildroot-linux-uclibc-objdump
mipsel-buildroot-linux-uclibc-gcc-4.9.3          mipsel-buildroot-linux-uclibc-ranlib
mipsel-buildroot-linux-uclibc-gcc-4.9.3.br_real  mipsel-buildroot-linux-uclibc-readelf
mipsel-buildroot-linux-uclibc-gcc-ar             mipsel-buildroot-linux-uclibc-size
mipsel-buildroot-linux-uclibc-gcc.br_real        mipsel-buildroot-linux-uclibc-strings
mipsel-buildroot-linux-uclibc-gcc-nm             mipsel-buildroot-linux-uclibc-strip
mipsel-buildroot-linux-uclibc-gcc-ranlib

You can see that we have cross compilers and an instance of gdb. We will use this for crafting our exploits. Now that we have binwalk, buildroot, and qemu-user-static installed we can get started on the first pwnable within the Intro folder. First we need to extract the contents within the binary file. We will use binwalk to help us extract the binary with options -e for Extract and -M for Matryoshka which will extract recursively for up to 8 layers deep.

-- CODE lang-shell --$ binwalk -eM ./DVRF_v01.bin

Scan Time:     2016-01-21 19:44:52
Target File:   /home/b1ack0wl/DVRF/DVRF_v01.bin
MD5 Checksum:  34dced9038b2d1e205b6c0f68991ccfe
Signatures:    343

DECIMAL       HEXADECIMAL     DESCRIPTION
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
0             0x0             BIN-Header, board ID: 1550, hardware version: 4702, firmware version: 1.0.0, build date: 2012-02-08
32            0x20            TRX firmware header, little endian, image size: 7753728 bytes, CRC32: 0x97096BA6, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x192704, rootfs offset: 0x0
60            0x3C            gzip compressed data, maximum compression, has original file name: "piggy", from Unix, last modified: 2015-12-31 10:44:22
1648420       0x192724        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 6099526 bytes, 447 inodes, blocksize: 65536 bytes, created: 2016-01-19 01:47:20
[...Truncated…]

You will now have a folder that should start with _DVRF which contains all of the necessary files for these exercises. So go ahead and change directory to DVRFv01.bin.extracted/squashfs-root/ and perform the following.

-- CODE lang-shell --b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ cp `which qemu-mipsel-static` ./
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ ls
bin  etc  media  proc     qemu-mipsel-static  sys  usr  www
dev  lib  mnt    pwnable  sbin                tmp  var
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $  

We need to have the statically built Qemu instance on our squash-fs root directory since we are going to chroot the environment when emulating the binaries. So we're pretty much ready to get started! Let's go ahead and test out our environment by performing the following command: sudo chroot <current directory> <qemu-mipsel-static> <path to binary to emulate> argv[1]

-- CODE lang-shell --b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ sudo chroot . ./qemu-mipsel-static ./pwnable/Intro/stack_bof_01 test123
Welcome to the first BoF exercise!

You entered test123
Try Again

Awesome!! We can execute the binary without any issues! Now for the last step we need to debug the application and we will use qemu again but we will feed it the -g argument which will attach a gdbserver instance to it but won't execute the binary until an attached gdb instance initiates the continue instruction.

First get two terminals open and in one terminal type in the following command: sudo chroot . ./qemu-mipsel-static -g 1234 ./pwnable/Intro/stackbof01 test123 Remember -g 1234 means that gdbserver is going to start listening on port 1234. Now in the other terminal window you'll want to use the crossed compiled gdb that's located within the buildroot output folder.

You should now be at this step:

Just for fun you can even disassemble the file using the objdump we compiled with option -D

-- CODE lang-shell --b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr/bin $ ./mipsel-buildroot-linux-uclibc-objdump -D ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root/pwnable/Intro/stack_bof_01 | more

/home/b1ack0wl/DVRF/_DVRF_v01.bin.extracted/squashfs-root/pwnable/Intro/stack_bof_01:     file f
ormat elf32-tradlittlemips


Disassembly of section .interp:

004000f4 <.interp>:
 4000f4:   62696c2f    0x62696c2f
 4000f8:   2d646c2f    sltiu   a0,t3,27695
 4000fc:   696c4375    0x696c4375
 400100:   732e6362    0x732e6362
 400104:   00302e6f    0x302e6f

Disassembly of section .reginfo:

00400108 <.reginfo>:
 400108:   b20001f6    0xb20001f6
   ...
 40011c:   00448ce0    0x448ce0

Disassembly of section .dynamic:

00400120 <_DYNAMIC>:
 400120:   00000001    movf    zero,zero,$fcc0
 400124:   00000083    sra zero,zero,0x2
 400128:   00000001    movf    zero,zero,$fcc0
 40012c:   000000ac    0xac
 400130:   0000000c    syscall
 400134:   0040059c    0x40059c
[...Truncated…]

004007e0 <main>:
 4007e0:   3c1c0005    lui gp,0x5
 4007e4:   279c8500    addiu   gp,gp,-31488
 4007e8:   0399e021    addu    gp,gp,t9
 4007ec:   27bdff18    addiu   sp,sp,-232
 4007f0:   afbf00e4    sw  ra,228(sp)
 4007f4:   afbe00e0    sw  s8,224(sp)
 4007f8:   03a0f021    move    s8,sp
 4007fc:   afbc0010    sw  gp,16(sp)
 400800:   afc400e8    sw  a0,232(s8)
 400804:   afc500ec    sw  a1,236(s8)
 400808:   8f82801c    lw  v0,-32740(gp)
 40080c:   00000000    nop
 400810:   94420b98    lhu v0,2968(v0)
 400814:   00000000    nop
 400818:   a7c20018    sh  v0,24(s8)
 40081c:   27c2001a    addiu   v0,s8,26
 400820:   240300c6    li  v1,198
 400824:   00402021    move    a0,v0
 400828:   00002821    move    a1,zero
 40082c:   00603021    move    a2,v1
 400830:   8f998040    lw  t9,-32704(gp)
 400834:   00000000    nop
 400838:   0320f809    jalr    t9
 40083c:   00000000    nop
 400840:   8fdc0010    lw  gp,16(s8)
 400844:   8fc200e8    lw  v0,232(s8)
 [...Truncated…]

  00400950 <dat_shell>:
 400950:   3c1c0005    lui gp,0x5
 400954:   279c8390    addiu   gp,gp,-31856
 400958:   0399e021    addu    gp,gp,t9
 40095c:   27bdffe0    addiu   sp,sp,-32
 400960:   afbf001c    sw  ra,28(sp)
 400964:   afbe0018    sw  s8,24(sp)
 400968:   03a0f021    move    s8,sp
 40096c:   afbc0010    sw  gp,16(sp)
 400970:   8f82801c    lw  v0,-32740(gp)
 400974:   00000000    nop
 400978:   24440c60    addiu   a0,v0,3168
 40097c:   8f998050    lw  t9,-32688(gp)
 400980:   00000000    nop
 400984:   0320f809    jalr    t9
 400988:   00000000    nop
 40098c:   8fdc0010    lw  gp,16(s8)
 400990:   00000000    nop
 400994:   8f82801c    lw  v0,-32740(gp)
 400998:   00000000    nop
 40099c:   24440c94    addiu   a0,v0,3220
[...Truncated…]

So all we need to do to solve this is change the return pointer to function <dat_shell> which is located at 0x00400950 remember this is little endian and we cannot use NULL bytes but once you get the picture you should just about have the following:

-- CODE lang-shell --b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ sudo chroot . ./qemu-mipsel-static  ./pwnable/Intro/stack_bof_01 "[REDACTED]"
Welcome to the first BoF exercise!

You entered [REDACTED]
Try Again
Congrats! I will now execute /bin/sh
- b1ack0wl
qemu: uncaught target signal 11 (Segmentation fault) - core dumped

You can see the Segmentation Fault this is due to a pointer within the stack being corrupted during the overflow. Your goal is to make this program not segfault so use the tools I provided and make sure to use breakpoints! To get you started here is a proof of concept:

I hope this has helped you get started into your journey into embedded device exploitation. If you have any questions feel free to find me on twitter at @b1ack0wl

DVRF v0.1 has been released on GitHub!!