Basic tips


Last updated 1 year ago

Finding ELF format

readelf -h hotplug        # prints Class (32/64-bit), Data (endianness) and Machine directly; the manual check below is for boxes without binutils

└─$ xxd -c 1 -l 6 hotplug
00000000: 7f  .
00000001: 45  E
00000002: 4c  L
00000003: 46  F
00000004: 01  .
00000005: 01  .

If the last line (the sixth byte, offset 5, e_ident[EI_DATA] in the ELF header) is 01 the binary is little-endian; 02 means big-endian. The byte before it (offset 4, e_ident[EI_CLASS]) is 01 for a 32-bit and 02 for a 64-bit ELF.
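The same check done with od instead of eyeballing xxd output, as an added example that is not part of the original page. It decodes EI_CLASS, EI_DATA and e_machine (a 16-bit field at offset 18 stored in the file's own byte order, which is why the endianness has to be read first). The 20-byte header written by sample_elf is constructed here for the demo; it is not a real binary, and the machine-name table only covers a handful of common e_machine values.

```shell
#!/bin/sh
# Added example, not from the original page: read the ELF identification bytes
# that the xxd dump above shows and decode them with od, so the check works on
# a box where readelf is missing. sample_elf writes a constructed 20-byte
# header stub (e_ident + e_type + e_machine), not a real binary.

elf_info() {
    # $1: candidate file. Prints "<class> <endianness> <machine>" or fails.
    ef=$1
    ef_magic=$(od -An -tx1 -N4 "$ef" | tr -d ' \n')
    [ "$ef_magic" = "7f454c46" ] || { echo "not an ELF file" >&2; return 1; }

    # e_ident[EI_CLASS] (offset 4): 1 = 32-bit, 2 = 64-bit
    case $(od -An -tu1 -j4 -N1 "$ef" | tr -d ' \n') in
        1) ef_class=ELF32 ;;
        2) ef_class=ELF64 ;;
        *) echo "bad EI_CLASS" >&2; return 1 ;;
    esac

    # e_ident[EI_DATA] (offset 5): 1 = little-endian, 2 = big-endian
    ef_data=$(od -An -tu1 -j5 -N1 "$ef" | tr -d ' \n')
    case $ef_data in
        1) ef_endian=little-endian ;;
        2) ef_endian=big-endian ;;
        *) echo "bad EI_DATA" >&2; return 1 ;;
    esac

    # e_machine: 16 bits at offset 18, in the file's own byte order, so
    # EI_DATA decides whether the two bytes are swapped before use.
    ef_m=$(od -An -tx1 -j18 -N2 "$ef" | tr -d ' \n')
    if [ "$ef_data" = 1 ]; then
        ef_mval=$((0x${ef_m#??}${ef_m%??}))   # little-endian: swap the bytes
    else
        ef_mval=$((0x$ef_m))
    fi
    case $ef_mval in
        3)   ef_mname=x86 ;;
        8)   ef_mname=MIPS ;;
        40)  ef_mname=ARM ;;
        62)  ef_mname=x86-64 ;;
        183) ef_mname=AArch64 ;;
        *)   ef_mname="unknown(e_machine=$ef_mval)" ;;
    esac
    echo "$ef_class $ef_endian $ef_mname"
}

sample_elf() {
    # $1 = output path, $2 = le or be. Constructed 32-bit MIPS (e_machine 8)
    # header stub: magic, class, data, version, 9 bytes of padding, e_type,
    # e_machine, all written in the requested byte order.
    if [ "$2" = le ]; then
        printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\010\000' > "$1"
    else
        printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000\000\002\000\010' > "$1"
    fi
}

tmp=${TMPDIR:-/tmp}/elf_sample.$$
sample_elf "$tmp" le
elf_info "$tmp"        # ELF32 little-endian MIPS
rm -f "$tmp"
```

On a real firmware binary run it as elf_info /path/to/hotplug; a big-endian router binary reports "big-endian", which is what decides between qemu-mips and qemu-mipsel later on this page.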

Create file image with rootFS from scratch

dd if=/dev/zero of=myimage.img bs=1M count=500   # 500 MB image; size it to the unpacked rootfs
mkdir -p MountPoint
mkfs.ext2 myimage.img
mount -t ext2 -o loop myimage.img MountPoint     # needs root

cp rootfs.tar MountPoint
cd MountPoint
tar -xvf rootfs.tar
rm rootfs.tar       # don't ship the tarball inside the image
df -h               # confirm the rootfs fitted
cd ..               # umount fails with "target is busy" while you are inside MountPoint

umount MountPoint
dd if=myimage.img bs=1k | gzip -v9 > rootfs.gz

DD

dd bs=1 skip=THEOFFSET count=THELENGTH if=INPUTFILENAME of=OUTPUTFILENAME
file OUTPUTFILENAME # to check ;)

To cut the "Linux kernel version 2.6.36" region out of the image we need to do:

  • Get the skip offset (where the region starts): 3163712

  • Get the count (start of the next region minus the start of this one): 3226456 - 3163712 = 62744

dd if=1C bs=1 skip=3163712 count=62744 of=kernel_out
file kernel_out
kernel_out: DIY-Thermocam raw data (Lepton 3.x), scale 7417-5248, spot sensor temperature 0.000000,

That file output is a false positive: the carved blob is not a standalone format file knows, so confirm what you cut by looking at its contents instead:

strings kernel_out | less
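The carving step above as a reusable function, added here as an example that is not part of the original page. It takes the start offset and the start offset of the next region (the subtraction done by hand above), refuses nonsense ranges, and checks that dd actually delivered the requested number of bytes, since dd silently writes a short file when count runs past the end of the image. The image produced by make_image and the offsets 64/84 are the example's own constructed data, not the page's 3163712/3226456 values.

```shell
#!/bin/sh
# Added example, not from the original page: carve a region out of a firmware
# image from its start offset and the start offset of the next region, then
# sanity-check the result. make_image writes a constructed test image, not a
# real vendor dump.

carve() {
    # $1 = image, $2 = start offset, $3 = offset of the next region
    # (exclusive end), $4 = output file. Prints the number of bytes carved.
    c_len=$(( $3 - $2 ))
    [ "$c_len" -gt 0 ] || { echo "end offset must be past start offset" >&2; return 1; }
    # bs=1 keeps skip/count in bytes on any dd; it is slow on multi-MB
    # regions, where GNU dd's iflag=skip_bytes,count_bytes with a large bs,
    # or tail -c +$(( $2 + 1 )) "$1" | head -c "$c_len", is much faster.
    dd if="$1" of="$4" bs=1 skip="$2" count="$c_len" 2>/dev/null || return 1
    # dd with count reaching past EOF silently writes fewer bytes: check it.
    c_got=$(wc -c < "$4" | tr -d ' ')
    [ "$c_got" -eq "$c_len" ] || { echo "short read: got $c_got of $c_len bytes" >&2; return 1; }
    echo "$c_len"
}

make_image() {
    # $1 = output path. 64 bytes of 0xff padding, a 20-byte marker standing in
    # for the kernel region, then 32 more bytes of padding (116 bytes total).
    {
        printf '%64s' '' | tr ' ' '\377'
        printf 'KERNEL-REGION-MARKER'
        printf '%32s' '' | tr ' ' '\377'
    } > "$1"
}

img=${TMPDIR:-/tmp}/carve_demo.$$
make_image "$img"
carve "$img" 64 84 "$img.kernel"    # prints 20
head -c 20 "$img.kernel"; echo      # KERNEL-REGION-MARKER
rm -f "$img" "$img.kernel"
```

With a real image the call is carve 1C 3163712 3226456 kernel_out, followed by file and strings on the output as above.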

cpio unpacking

cpio -idm --no-absolute-filenames < cpio

-i extracts, -d creates the leading directories, -m keeps the archived mtimes. --no-absolute-filenames strips the leading slash from entry names, so an entry stored as /etc/passwd lands under the current directory instead of overwriting the host's file.

OverlayFS

sudo docker run --privileged=true --name=firmware -p 2221:22 -p 8888:80 -p 4443:443 -p 2223:23 -it 8d319a850335   # --privileged so mount works inside the container

cd /tmp
mkdir lower upper workdir overlay

mount -t overlay -o lowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/workdir none /tmp/overlay

e.g.:
mount -t overlay -o lowerdir=/tmp/firmwarefs,upperdir=/,workdir=/tmp/workdir none /tmp/overlay
chroot /tmp/overlay /bin/sh

Files in upperdir shadow the same paths in lowerdir, and every write made through /tmp/overlay lands in upperdir, so with upperdir=/ the chroot is writing into the container's own root. upperdir and workdir must sit on the same filesystem and workdir must be empty, otherwise the mount fails.

sasquatch

Since file doesn't recognize it, the vendor probably used a custom SquashFS magic signature. I expect that unsquashfs is also giving you an error about not being able to find a valid superblock. Give sasquatch a try; it's a modified version of unsquashfs that attempts to support such vendor hacks.

sasquatch (GitHub - devttys0/sasquatch, linked below) is a set of patches on top of unsquashfs that tries the known vendor-modified SquashFS variants, so it is the tool to reach for when both file and unsquashfs reject a blob that should be a SquashFS filesystem.

GDB server

target:> gdbserver localhost:2000 /bin/httpd
or
target:> ./gdbserver-7.12-mips-be-stripped localhost:5555 /bin/httpd   # static build dropped on the box (see Mips binaries below)

host  :> gdb /bin/httpd                 # a copy of the target binary; use gdb-multiarch plus set arch/set endian (as in the qemu section below) when the host gdb wasn't built for the target
(gdb) target remote 127.0.0.1:2000      # gdbserver bound to localhost on the target, so forward that port to the host (or bind gdbserver to the target's IP and connect to IP:5555)
continue
stepi
next
disas CheckWanType                      # disas <symbol>, without quotes

Trace apps with qemu-mipsel-static

sudo apt-get install qemu qemu-user qemu-user-static
sudo apt-get install gdb-multiarch
sudo apt-get install 'binfmt*'                 # binfmt-support: the kernel hands foreign ELFs to qemu-*-static automatically

sudo apt-get install libc6-mipsel-cross      # For MIPS-EL
sudo apt-get install libc6-armhf-armel-cross # For ARM

sudo apt-get install gcc-4.4-mipsel-linux-gnu # For MIPS-EL on Ubuntu 14.04
sudo apt-get install gcc-mipsel-linux-gnu     # For MIPS-EL on Ubuntu 16.04
sudo apt-get install gcc-arm-linux-gnueabihf  # For ARM

# Debian/Ubuntu qemu-user looks for the target's loader and libraries under /etc/qemu-binfmt/<arch> when no -L is given
sudo mkdir /etc/qemu-binfmt
sudo ln -s /usr/mipsel-linux-gnu /etc/qemu-binfmt/mipsel # MIPSEL
sudo ln -s /usr/arm-linux-gnueabihf /etc/qemu-binfmt/arm # ARM

---execution---------
qemu-mipsel -strace ./myelf
or
qemu-mipsel-static -strace ./myelf

A binary pulled out of a firmware image usually wants the vendor's own uClibc/musl and libraries, not the Ubuntu cross libc installed above. Point qemu at the extracted rootfs with -L (e.g. qemu-mipsel-static -L /tmp/firmwarefs -strace /tmp/firmwarefs/bin/httpd), or copy qemu-mipsel-static into that rootfs and chroot into it. The -strace output (on stderr) then shows which files the binary opens and which it still fails to find.

------GDB--------
qemu-mipsel -g 12345 ./a.out &

or

./qemu-mipsel-static -g 12345 /bin/httpd     # -g: stop at the entry point and wait for gdb on that port

$ gdb-multiarch ./a.out
(gdb) set arch mips
The target architecture is assumed to be mips
(gdb) set endian little
The target is assumed to be little endian
(gdb) target remote localhost:12345
Remote debugging using localhost:12345

(gdb) info functions

Non-debugging symbols:
0x00407360  _init
0x004073f0  _ftext
0x004075a0  CheckWanType
0x004078ac  check_dhcpc
0x00407d80  CheckPPPOE
0x00407ed0  random_xid
0x004082bc  send_discover
0x00408754  udhcp_checksum
0x00408884  get_raw_packet
0x00408c60  parsePacket
0x004096c8  printErr
0x004097f8  computeTCPChecksum
0x0040a100  sendPADT
0x0040a874  pktLogErrs
0x0040bca0  discovery
0x0040c020  openInterface
0x0040c3e4  sendPacket
0x0040c498  receivePacket

(...)
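Turning a -strace run into a to-do list of missing files, as an added example that is not part of the original page. The two functions grep the open/openat/stat/access/readlink calls out of the trace and split them into paths the binary opened and paths that failed with ENOENT, which is the usual way to find the NVRAM library or config file an emulated httpd dies on. The trace written by sample_trace is constructed to follow qemu's format ("<pid> <syscall>(<args>) = <ret>", failures as "= -1 errno=<n> (<text>)"); the fictional paths are illustrative, not a capture from a real device.

```shell
#!/bin/sh
# Added example, not from the original page: pull the file accesses out of a
# qemu -strace run so the libraries and config files the emulated binary still
# lacks show up in one list. sample_trace writes a constructed trace in qemu's
# format; it is not a capture from a real box.

missing_files() {
    # $1 = trace file. Paths whose open/stat/access/readlink failed with
    # ENOENT (errno=2): what the extracted rootfs still lacks.
    sed -n -E 's/^[0-9]+ (open|openat|stat|lstat|access|readlink)\(.*"([^"]+)".*\) = -1 errno=2 .*$/\2/p' "$1" | sort -u
}

opened_files() {
    # $1 = trace file. Paths the binary opened successfully (fd >= 0): the
    # configs and backing files worth reading, editing or faking next.
    sed -n -E 's/^[0-9]+ (open|openat)\(.*"([^"]+)".*\) = [0-9]+$/\2/p' "$1" | sort -u
}

sample_trace() {
    # Constructed trace for a fictional httpd; paths are illustrative only.
    cat > "$1" <<'EOF'
1234 execve("/bin/httpd",{"/bin/httpd",NULL},{...}) = 0
1234 openat(AT_FDCWD,"/lib/libc.so.0",O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD,"/usr/lib/libnvram.so",O_RDONLY|O_CLOEXEC) = -1 errno=2 (No such file or directory)
1234 open("/etc/config",O_RDONLY) = -1 errno=2 (No such file or directory)
1234 open("/etc/passwd",O_RDONLY) = 4
1234 access("/tmp/httpd.pid",F_OK) = -1 errno=2 (No such file or directory)
1234 write(1,"hello",5) = 5
EOF
}

t=${TMPDIR:-/tmp}/httpd_strace.$$
# Real use: qemu-mipsel-static -L /tmp/firmwarefs -strace /tmp/firmwarefs/bin/httpd 2> "$t"
sample_trace "$t"
echo "missing:"; missing_files "$t"   # /etc/config /tmp/httpd.pid /usr/lib/libnvram.so
echo "opened:";  opened_files "$t"    # /etc/passwd /lib/libc.so.0
rm -f "$t"
```

A missing libnvram.so is the classic case: either drop a stub library into the rootfs passed with -L, or set LD_PRELOAD inside the emulated environment, then re-run and watch the list shrink.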

Mips binaries

Prebuilt static gdb/gdbserver and other binaries for dropping onto a MIPS target that has no toolchain:

  • GitHub - darkerego/mips-binaries: Various binaries for the mips architecture
  • GitHub - hugsy/gdb-static: Public repository of static GDB and GDBServer
  • GitHub - stayliv3/gdb-static-cross: prebuilt directory

References

  • ELF format
  • GitHub - devttys0/sasquatch
  • Reversing Firmware (Medium)
  • OverlayFS | Programster's Blog
  • Cross debugging for ARM / MIPS ELF with QEMU/toolchain (Reverse Engineering Stack Exchange)