Termux ID: Phone -->

    Social Items

Home / Phone

BootStomp is a boot-loader bug finder. It looks for two different class of bugs: memory corruption and state storage vulnerabilities. For more info please refer to the BootStomp paper at https://seclab.cs.ucsb.edu/academic/publishing/#bootstomp-security-bootloaders-mobile-devices-2017
To run BootStomp's analyses, please read the following instructions. Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3's versions. This is because of the time angr takes to analyze basic blocks and to Z3's expression concretization results.

Directory structure
  • analysis: Contains analysis results (Ex: IDA idbs etc) of boot images of different devices.
  • tools: Contains tools that can be used to work with various images.

Pre-requisites
$ pip install angr

How to run it

Run BootStomp using docker
The easiest way to use BootStomp is to run it in a docker container. The folder docker contains an appropriate Dockerfile. These are the commands to use it.
cd docker
# build the docker image
docker build -t bootstomp .
# run the docker image (if you need, use proper options to have persistent changes or shared files)
docker run -it bootstomp

# now you are inside a docker container
cd BootStomp
# run BootStomp's taint analysis on one of the examples
# this will take about 30 minutes
python taint_analysis/bootloadertaint.py config/config.huawei
# the last line of the output will be something like:
# INFO    | 2017-10-14 01:54:10,617 | _CoreTaint | Results in /tmp/BootloaderTaint_fastboot.img_.out

# you can then "pretty print" the results using:
python taint_analysis/result_pretty_print.py /tmp/BootloaderTaint_fastboot.img_.out
The output should be something like this:
...
17)
===================== Start Info path =====================
Dereference address at: 0x5319cL
Reason: at location 0x5319cL a tainted variable is dereferenced and used as address.
...
Tainted Path 
----------------
0x52f3cL -> 0x52f78L -> 0x52f8cL -> 0x52fb8L -> 0x52fc8L -> 0x52fecL -> 0x53000L -> 0x53014L -> 0x5301cL -> 0x53030L -> 0x53044L -> 0x53050L -> 0x5305cL -> 0x53068L
===================== End Info path =====================
# Total sinks related alerts: 5
# Total loop related alerts: 8
# Total dereference related alerts: 4

Run BootStomp manually

Automatic detection of taint sources and sinks
  1. Load the boot-loader binary in IDA (we used v6.95). Depending on the CPU architecture of the phone it has been extracted from, 32 bit or 64 bit IDA is needed.
  2. From the menu-bar, run File => Script file => find_taint.py
  3. Output will appear in the file taint_source_sink.txt under the same directory as the boot-loader itself.

Configuration file
Create a JSON configuration file for the boot-loader binary (see examples in config/), where:
  • bootloader: boot-loader file path
  • info_path: boot-loader source/sink info file path (i.e., taint_source_sink.txt )
  • arch: architecture's number of bits (available options are 32 and 64)
  • enable_thumb: consider thumb mode (when needed) during the analysis
  • start_with_thumb: starts the analysis with thumb mode enabled
  • exit_on_dec_error: stop the analysis if some instructions cannot be decoded
  • unlock_addr: unlocking function address. This field is necessary only for finding insecure state storage vulnerabilities.

Finding memory corruption vulnerabilities
Run
python bootloadertaint.py config-file-path
Results will be stored in /tmp/BootloaderTaint_[boot-loader].out, where [boot-loader] is the name of the analyzed boot-loader. Note that paths involving loops might appear more than once.

Finding insecure state storage vulnerability
Run
python unlock_checker.py config-file-path
Results will be stored in /tmp/UnlockChecker_[boot-loader].out, where [boot-loader] is the name of the analyzed boot-loader. Note that paths involving loops might appear more than once.

Checking results
To check BootStomp results, use the script result_pretty_print.py, as follows:
python result_pretty_print.py results_file

Exploit for CVE-2017-2729

Other references


BootStomp - A Bootloader Vulnerability Finder


Easily launch a new phishing site fully presented with SSL and capture credentials along with 2FA tokens using CredSniper. The API provides secure access to the currently captured credentials which can be consumed by other applications using a randomly generated API token.

Benefits
  • Fully supported SSL via Let's Encrypt
  • Exact login form clones for realistic phishing
  • Any number of intermediate pages
    • (i.e. Gmail login, password and two-factor pages then a redirect)
  • Supports phishing 2FA tokens
  • API for integrating credentials into other applications
  • Easy to personalize using a templating framework

Basic Usage
usage: credsniper.py [-h] --module MODULE [--twofactor] [--port PORT] [--ssl] [--verbose] --final FINAL --hostname HOSTNAME
optional arguments:
  -h, --help           show this help message and exit
  --module MODULE      phishing module name - for example, "gmail"
  --twofactor          enable two-factor phishing
  --port PORT          listening port (default: 80/443)
  --ssl                use SSL via Let's Encrypt
  --verbose            enable verbose output
  --final FINAL        final url the user is redirected to after phishing is done
  --hostname HOSTNAME  hostname for SSL

Credentials
.cache : Temporarily store username/password when phishing 2FA
.sniped : Flat-file storage for captured credentials and other information

API End-point
  • View Credentials (GET) https://<phish site>/creds/view?api_token=<api token>
  • Mark Credential as Seen (GET) https://<phish site>/creds/seen/<cred_id>?api_token=<api token>
  • Update Configuration (POST) https://<phish site>/config
 {
    'enable_2fa': true,
    'module': 'gmail',
    'api_token': 'some-random-string'
 }

Modules
All modules can be loaded by passing the --module <name> command to CredSniper. These are loaded from a directory inside /modules. CredSniper is built using Python Flask and all the module HTML templates are rendered using Jinja2.
  • Gmail: The latest Gmail login cloned and customized to trigger/phish all forms of 2FA
    • modules/gmail/gmail.py: Main module loaded w/ --module gmail
    • modules/gmail/templates/error.html: Error page for 404's
    • modules/gmail/templates/login.html: Gmail Login Page
    • modules/gmail/templates/password.html: Gmail Password Page
    • modules/gmail/templates/authenticator.html: Google Authenticator 2FA page
    • modules/gmail/templates/sms.html: SMS 2FA page
    • modules/gmail/templates/touchscreen.html: Phone Prompt 2FA page

Installation

Ubuntu 16.04
You can install and run automatically with the following command:
$ git clone https://github.com/ustayready/CredSniper
$ cd CredSniper
~/CredSniper$ ./install.sh
Then, to run manually use the following commands:
~/$ cd CredSniper
~/CredSniper$ source bin/activate
(CredSniper) ~/CredSniper$ python credsniper.py --help
Note that Python 3 is required.

Screenshots

Gmail Module





CredSniper - Phishing Framework which supports SSL and capture credentials with 2FA tokens


Tallow is a small program that redirects all outbound traffic from a Windows machine via the Tor anonymity network. Any traffic that cannot be handled by Tor, e.g. UDP, is blocked. Tallow also intercepts and handles DNS requests preventing potential leaks.
Tallow has several applications, including:
  • "Tor-ifying" applications there were never designed to use Tor
  • Filter circumvention -- if you wish to bypass a local filter and are not so concerned about anonymity
  • Better-than-nothing-Tor -- Some Tor may be better than no Tor.

Usage
Using the Tallow GUI, simply press the big "Tor" button to start redirecting traffic via the Tor network. Press the button again to stop Tor redirection. Note that your Internet connection may be temporarily interrupted each time you toggle the button.
To test if Tor redirection is working, please visit the following site: https://check.torproject.org.

Technical
Tallow uses the following configuration to connect to the Internet:
+-----------+        +-----------+        +----------+
|    PC     |------->|    TOR    |------->|  SERVER  |
|  a.b.c.d  |<-------|  a.b.c.d  |<-------|  x.y.z.w |
+-----------+        +-----------+        +----------+
Here (a.b.c.d) represents the local address, and (x.y.z.w) represents a remote server.
Tallow uses WinDivert to intercept all traffic to/from your PC. Tallow handles two main traffic types: DNS traffic and TCP streams.
DNS queries are intercepted and handled by Tallow itself. Instead of finding the real IP address of a domain, Tallow generates a pseudo-random "fake" domain (in the range 44.0.0.0/24) and uses this address in the query response. The fake-IP is also associated with the domain and recorded in a table for later reference. The alternative would be to look up the real IP via the Tor (which supports DNS). However, since Tallow uses SOCKS4a the real IP is not necessary. Handling DNS requests locally is significantly faster.
TCP connections are also intercepted. Tallow "reflects" outbound TCP connects into inbound SOCKS4a connects to the Tor program. If the connection is to a fake-IP, Tallow looks up the corresponding domain and uses this for the SOCKS4a connection. Otherwise the connection is blocked (by default) or a SOCKS4 direct connection via Tor is used. Connecting TCP to SOCKS4(a) is possible with a bit of magic (see redirect.c).
All other traffic is simply blocked. This includes all inbound (non-Tor) traffic and outbound traffic that is not TCP nor DNS. In addition, Tallow blocks all domains listed in the hosts.deny file. This includes domains such as Windows update, Windows phone home, and some common ad servers, to help prevent Tor bandwidth wastage. It is possible to edit and customize your hosts.deny file as you see fit.
Note that Tallow does not intercept TCP ports 9001 and 9030 that are used by Tor. As a side-effect, Tallow will not work on any other program that uses these ports.

History
Tallow was derived from the TorWall prototype (where "tallow" is an anagram of "torwall" minus the 'r').
Tallow works slightly differently, and aims to redirect all traffic rather than just HTTP port 80. Also, unlike the prototype, Tallow does not use Privoxy nor does it alter the content of any TCP streams in any way (see warnings below).

Building
To build Tallow you need the MinGW cross-compiler for Linux.
You also need to download and place the following external dependencies and place them in the contrib/ directory:
Then simply run the build.sh script.


TorWall - Transparent Tor for Windows

Subscribe to: Posts (Atom)