@@ -0,0 +1,93 @@
+---
+title: Finding Command Injections
+categories: [cheatsheets]
+tags: [exploitation,reversing, command injections, embedded]
+---
+
+# Finding Command Injections
+
+## Analysis system calls
+
+Common system calls the execute OS commands:
+
+* system()
+* exec()
+* execve()
+* ...
+
+Often, wrapper are build around those syscalls.
+Such as in the alphapd webserver from D-Link, where every command is executed in a call to `doSystem()`
+
+
+## Analysing Functions Calls
+
+### Method 1: Preloading hook
+
+* Hook the system calls by preloading a hooking library using `LD_PRELOAD`
+
+E.g hooking the `system()` functon:
+
+```c
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+typedef int (*orig_system_f_type)(const char *command);
+
+ int system(const char *command) {
+ printf("\n--------\nsystem(%s)\n---------\n", command);
+ orig_system_f_type orig_system;
+ orig_system = (orig_system_f_type)dlsym(RTLD_NEXT,"system");
+ return 0;
+ }
+```
+
+* When emulating the firmware with qemu (e.g. qemu-mipsel-static) the LD_PRELOAD env. variable can be passed
+using the `-E` flag as follows:
+
+```
+qemu-mipsel-static -E LD_PRELOAD=./hooking.so alphapd
+```
+
+### Method 2: Debugging and GDB Hooks
+
+Using qemu, a gdbserver can be spawned with the `-g <port>` parameter.
+In gdb, functions can be hooked and connected to scripts that get executed as soon as the breakpoint is hit.
+
+This method can be used to analyze the `system()` function as well.
+This can be accomplished using the following gbd scripting snippet:
+
+```gdb
+break system
+commands
+silent
+printf "[*] system(%s)\n", $a0
+continue
+end
+```
+
+Multiple of such scripts can be written in an extern script and loaded into gdb with the `--command <file>` parameter.
+
+
+## External Script Injections
+
+Parameters that are supplied via a web-app are often saved and re-used in shellscripts.
+Therefore, the method of using those parameters in the scripts and the scripts itself must be analyzed.
+
+### Searching shellscripts
+
+In the D-Link example, several shellscripts used parameters that are passed using nvram buffers.
+Those parameters can be detected by searching the filesystem of the firmware:
+
+```
+rg '=`nvram_get'
+```
+
+This commands outputs all parameters that are processed in scripts.
+Important are only those that are used as parameters for binary executions and are not-escaped.
+
+To detect vulnerabilities a connection between the user supplied parameter and the scripting execution must be found.
+
+
+
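Review bot: the `system()` hook in the LD_PRELOAD example resolves the original with `dlsym(RTLD_NEXT,"system")` and then never calls it, returning 0 unconditionally, so `orig_system` is dead code and every command the target issues is silently suppressed, which will change the firmware's control flow after the first hooked call; either end the hook with `return orig_system(command);` so the program keeps working while the command is logged, or state explicitly that the hook is meant to block execution. Two smaller points in the same hunk: the library passed via `qemu-mipsel-static -E LD_PRELOAD=./hooking.so` has to be compiled for the target architecture (mipsel here) and cannot hook a statically linked binary, which deserves a sentence, and the gdb snippet's `printf "[*] system(%s)\n", $a0` assumes the MIPS o32 calling convention (first argument in `$a0`), so the register should be flagged as target-specific. In the list of command-executing calls, `exec()` is not a libc function (the family is `execl`/`execv`/`execve`/`execvp`; `popen()` is a common one that is missing), and a few typos should go before merge: "the execute" -> "that execute", "wrapper are build" -> "wrappers are built", "functon" -> "function", "gbd" -> "gdb", "Analysis system calls" -> "Analysing system calls".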