Monday, August 12, 2013

Defcon 21 CTF - Binaries and environment

Vulnerable boxes were LXC containers with Ubuntu and Linux 3.8 kernel on ODROID-U2 boards (ARMv7 CPU). ARMv7 means you can't debug on your SheevaPlug (ARMv5) or RaspberryPi (ARMv6) so either you have an ARMv7 handy (e.g. Chromebook) or you need to use QEMU.

We were given 6 binaries (4 on the first day, 2 on the second day) so it's doable by a team of 8 people (the limit) and hopefully doesn't benefit larger teams. We didn't have root, but a user ctf with sudo access to users running the binaries, which were run by xinetd, so the teams didn't have to keep a server running. Binaries had one or multiple vulnerabilities, and some of them had bugs which were patched during the CTF.

The nice part is that the OS had ASLR and NX enabled, and some binaries were PIE. Finally stepping up the game!

Binaries

  • atmail: mail server
  • lonetuna (+libc.a): a little game; v2 was provided on second day to fix the bug and introduce a new one
  • bookworm: book review service
  • reeses: signed MIPS emulator; teams had to find out that firmwares were sent over the network by the organizers (only them could sign), and that you had to reverse and exploit them
  • avoir: authenticated prompt with commands; v2 was provided after some time to fix a DoS
  • trouver: same idea, different commands; v2 was provided after some time to fix a DoS

Environment


As said above, it was LXC container with Ubuntu and Linux 3.8 kernel on ODROID-U2 boards (ARMv7 CPU). It's very useful for dynamic analysis and exploit debugging to have an environment where to run the binaries. Since we didn't have ARMv7 hardware, we resorted to QEMU. Here is how to set up one similar to the organizer's machine:
  1. Install QEMU for ARM:
  2. $ apt-get install qemu-system
  3. Get an ARMv7 kernel from odroid.us community website:
  4. $ wget http://odroid.us/odroid/users/osterluk/qemu-example/qemu-example.tgz
    $ tar zxf qemu-example.tgz ./zImage
    $ rm -f qemu-example.tgz
    
  5. Get an Ubuntu 12.04 base image:
  6. $ wget http://releases.linaro.org/12.04/ubuntu/precise-images/developer/linaro-precise-developer-20120426-86.tar.gz
    $ tar zxf linaro-precise-developer-20120426-86.tar.gz # creates binary/
    $ rm -f linaro-precise-developer-20120426-86.tar.gz
    
  7. Prepare it on a QEMU disk image:
  8. $ qemu-img create -f raw rootfs.img 3G
    $ mkfs.ext3 rootfs.img
    $ mkdir mnt
    $ mount -o loop rootfs.img mnt
    $ rsync -a binary/boot/filesystem.dir/ mnt/
    $ umount mnt
    $ rm -rf binary
    
  9. Start QEMU, with user networking and port forwarding on 2222 to SSH to it:
  10. $ qemu-system-arm -M vexpress-a9 -m 512 -kernel zImage -sd rootfs.img \
      -append "root=/dev/mmcblk0 rw physmap.enabled=0 console=ttyAMA0" \
      -net nic -net user,hostfwd=tcp:0.0.0.0:2222-10.0.2.15:22 -nographic
    [...]
    root@linaro-developer:~# uname -a
    Linux linaro-developer 3.2.0 #7 SMP Thu Feb 28 16:20:18 PST 2013 armv7l armv7l armv7l GNU/Linux
    

6 comments:

  1. The link to avoir v2 goes to trouver v2 and the link to trouver goes to avoir v2. many thanks for the great explanation. At quals, we were using Raspberry Pi to debug because we didn't understand it well enough. Next year we'll understand it much better.

    ReplyDelete
  2. unfortunately, I can't login after installing.

    "root/password”is not accepted.

    any help would be greatly appreciated..

    ReplyDelete
    Replies
    1. You can add “init=/bin/bash” (single user mode) to get a root shell and change the password.

      Delete
  3. Updated instructions with a linaro image, no root password needed.

    ReplyDelete
  4. A few stumbling blocks I encountered with the linaro image - eth0 is not set to use DHCP by default, and SSH is not installed. See https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Virtual_ARM_Linux_environment for more info on fixing these problems.

    ReplyDelete