MIPS ROP IDA Plugin

I’ve previously written some examples of how to exploit MIPS stack overflows using ROP techniques. The problem is that finding suitable MIPS ROP gadgets manually can be quite tedious, so I have added a new IDA plugin – mipsrop.py – to my github repository.

This plugin searches the code segment(s) of your IDB looking for potentially controllable jump instructions. You can then search the code surrounding these controllable jumps for useful instructions that you might need in your ROP chain.

“Controllable jumps” are defined as jumps whose destination addresses are loaded from the stack, or from other registers (typically during a stack overflow you control several, if not all, of the MIPS subroutine registers, for example).

The plugin’s searches are “dumb” in that they don’t follow code branches, but none-the-less it has proven to be quite effective. As a quick example, let’s look inside a Linux MIPS libc library for ROP gadgets that will let us call sleep(1) in order to force a cache flush.

Continue reading

Binwalk 1.2.2 Release

Binwalk 1.2.2 has just been released which introduces some useful new features:

  • Binary diffing of an arbitrary number of files
  • Heuristic compression/encryption analysis
  • Identification of zlib compression streams (implemented via a plugin)

Here are three thousand words to demonstrate these new features:

Diffing two firmware headers

Heuristic analysis of firmware with zlib compressed data

Heuristic analysis of firmware with zlib compressed data

Identifying zlib compression in an Apple firmware update

Identifying zlib compression in an Apple firmware update

From China, With Love

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda.

After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the GoAhead webserver:

Server header string in /bin/httpd

Server header string in /bin/httpd

But Tenda has made a lot of special modifications themselves. Just before entering the HTTP receive loop, main calls InitMfgTask, which spawns the MfgThread function as a separate thread:

pthread_create(&var_10, 0, MfgThread, 0);

pthread_create(&var_10, 0, MfgThread, 0);

Hmmm…InitMfgTask and MfgThread? Related to manufacturing tasks perhaps? Iiiiiinteresting…

Continue reading

Some IDA Plugins

I’ve posted a few of my IDA plugins on github. Though simple, I’ve found their functionality quite useful when reversing firmware and RISC architectures:

  • Defining ASCII strings not defined during IDA’s auto analysis
  • Defining undefined bytes in the data segment as DWORDs (allowing IDA to resolve function/jump table pointers, etc)
  • Defining undefined bytes in the code segment as code/functions
  • Finding references to any highlighted text (such as registers and immediate values) within the current function
  • Auto-naming MIPS stack variables generated by the compiler for storing registers ($s0-$s7, $gp, etc)

Hopefully others will find them useful as well.

Reverse Engineering a D-Link Backdoor

All right. It’s Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape…let’s hack.

On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware’s web server (/bin/webs) loaded into IDA:

Strings inside /bin/webs

Strings inside /bin/webs

Based on the above strings listing, the /bin/webs binary is a modified version of thttpd which provides the administrative interface for the router. It appears to have been modified by Alphanetworks (a spin-off of D-Link). They were even thoughtful enough to prepend many of their custom function names with the string “alpha”:

Alphanetworks' custom functions

Alphanetworks’ custom functions

The alpha_auth_check function sounds interesting!

Continue reading