7200emu.hacki.at Forum Index 7200emu.hacki.at
Dynamips, Dynagen and all that stuff
Cracking LINA to make ASDM works
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 9:34 am    Post subject: Cracking LINA to make ASDM works

Hi there, I'm working on reversing the ASA Lina executable to inject the hardware model I want. Here is the tutorial; I'll test ASDM and bring you news:

To unpack/repack, see http://ers.msk.ru/cisco/pix7-asa8.html

1) hexedit Lina and find "Hardware:", 2nd occurrence:
Code:
   Hardware:   %s, %d MB RAM,


2) Find a string longer than this, in the linux shell, type:
Code:
   strings -n 30 lina


3) Search this string in the hex editor. I'll take "pager_main() - Unable to create the pager initialization thread", so I'm looking for "pager_main", for example.

4) Replace this string and end with 0s:
Code:
   "Hardware:   ASA5520, 128 MB RAM, CPU Pentium II 2000 MHz"

You can leave the %s, %d or hard-write it; that's what I'll do, because otherwise I couldn't have the CPU name...
Before:
Code:
pager_main() - Unable to create the pager initialization.....thread

After:
Code:
Hardware:   ASA5520, 128 MB RAM, CPU Pentium II 2000 MHz..................thread

(Fill the old string with 00 hex, to not change the exe structure, and don't forget the comma.)

Well, I repacked it and tried, but the show ver gave me:
Hardware: ASA5520, 128 RAM, CPU Pentium II 2000 MHzc
Notice the final c... It is due to the CPU fetch function, so what you have to do is go back to the original string in your hex editor:
Notice the string:
Hardware: %s, %d MB RAM, .cpuid.c.CPU %s .%d MHz. reg%d: 0x%x..c....
There are two damned Cs (after cpuid, and at the end of the line); well, replace them with 00 hex and it's cool.

5) Disassemble lina with IDA Pro (wait for the analysis to complete, it takes a long time), then click Views, Open subviews, Strings, and search (ALT+T) for the string you've written, with the 5520 or whatever you've put, and note the file offset, string address, and offset name. (You may have to select it, right-click and then select "String" to convert it to a string.)
In my case it is:
Code:

File offset:0x01280BD8
Address:0x092C8BD8
Offset name: aHardware5515SD


Then look for the original "Hardware: %s, %d..." string in the strings window and click on it.
Note the same info as above:
Code:
File offset:0x014AFB8F8
Address:0x094F7BF8
Offset name:aHardware5520DM


6) Right-click on the offset name, click "Jump to xrefs to operand" and click OK. Note the file offset:
0x01024C30
Select aHardware5520DM and go to hex view.
You'll notice:
BB F8 7B 4F 09
That is 094F7BF8 reversed.
Then it's here that you have to replace with your address!
So 09 2C 8B D8 would become
D8 8B 2C 09.
Return to your hex editor, go to the file offset 0x01024C30 and write down the new address of your edited string.

7) Save the lina executable, repack the IOS, then launch and pray:
Code:
ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 3 secs

Hardware:   ASA5520, 128 RAM,  CPU Pentium II 2000 MHz



WHOOOHOOO

Let's try ASDM: Works!!!

VM Image here:
http://dl.free.fr/qQK1wuZDn


Last edited by nekkro-kvlt on Tue Jun 16, 2009 12:25 pm; edited 2 times in total
tecka



Joined: 20 Feb 2009
Posts: 15

PostPosted: Tue Jun 16, 2009 11:28 am    Post subject:

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 11:29 am    Post subject:

Yeah, I just noticed it, I'll try :)
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 12:06 pm    Post subject:

It works!!! I will upload a patched VM image of asa from there:
http://asa_project.gromnet.net/?p=25
I'll post the link once done
tecka



Joined: 20 Feb 2009
Posts: 15

PostPosted: Tue Jun 16, 2009 12:42 pm    Post subject:

Good work! :)
signal.quest



Joined: 14 Apr 2007
Posts: 116

PostPosted: Tue Jun 16, 2009 3:06 pm    Post subject:

Any luck doing this with the latest OS? 8.2?
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 3:07 pm    Post subject:

Didn't even try, but if it can be unpacked, then it should work.
signal.quest



Joined: 14 Apr 2007
Posts: 116

PostPosted: Tue Jun 16, 2009 3:16 pm    Post subject:

Can you please try to unpack? Your posts indicate that you have a great understanding.
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 3:18 pm    Post subject:

I'll take a look at this.
tecka



Joined: 20 Feb 2009
Posts: 15

PostPosted: Tue Jun 16, 2009 3:33 pm    Post subject:

Hint to unpack:
Code:
D:\IOS\asa>tail -c 15083928 asa821-k8.bin > asa821-k8.gz
D:\IOS\asa>gzip -d asa821-k8.gz
gzip: asa821-k8.gz: decompression OK, trailing garbage ignored   
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 3:42 pm    Post subject:

Yes, I searched the file for 1F 8B
and found it at 0x122E68, so I did:
Code:
bastien@bastien-laptop:~/asaemu/82$ perl -e '$x=16275456-0x122E68;print "$x\n"'15083928
bastien@bastien-laptop:~/asaemu/82$ tail -c 15083928 asa821-k8.bin > asa821-k8.gz
bastien@bastien-laptop:~/asaemu/82$ gzip -d asa821-k8.gz
gzip: asa821-k8.gz: decompression OK, trailing garbage ignored
bastien@bastien-laptop:~/asaemu/82$ mkdir uncompressed
bastien@bastien-laptop:~/asaemu/82$ cd uncompressed/
bastien@bastien-laptop:~/asaemu/82/uncompressed$ sudo cpio -id --no-absolute-filenames < ../asa821-k8
[sudo] password for bastien:
cpio: Removing leading `/' from member names
68058 blocks
bastien@bastien-laptop:~/asaemu/82/uncompressed$ ls
asa  dev  init  linuxrc  proc  sys         usr
bin  etc  lib   mnt      sbin  System.map  vmlinuz
bastien@bastien-laptop:~/asaemu/82/uncompressed$

Unpacking it is OK, I'll try to launch it with QEmu.
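The unpack procedure in the two posts above (search the image for the 1F 8B gzip magic, compute the `tail -c` count as file size minus offset, decompress, and let gzip ignore the trailing bytes) as an added Python example. This is not code from the thread or from Cisco; the firmware image it operates on is a constructed stand-in built inline, and the decoy header, payload and trailer are assumptions for the demo. It goes one step beyond the posts by validating every magic-byte hit with an actual decompression, because the three signature bytes can occur by chance anywhere in a large image and a false hit would give a wrong `tail -c` count.

```python
"""Locate and carve the gzip member embedded in a firmware image.

Added example (not code from the thread): reproduces the 1F 8B search and the
file-size-minus-offset calculation from the posts, then carves the member with
zlib so the bytes after the stream (gzip's "trailing garbage") are kept separate.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)


def find_gzip_candidates(blob: bytes) -> list[int]:
    """Return every offset where the gzip magic appears.

    Each hit is only a candidate: the bytes can appear by chance, so a hit is
    confirmed only when it actually decompresses.
    """
    hits = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return hits


def tail_count(blob: bytes, offset: int) -> int:
    """Byte count for `tail -c`: everything from offset to end of file.

    Same arithmetic as the perl one-liner in the thread (size - offset).
    """
    return len(blob) - offset


def carve_gzip_member(blob: bytes, offset: int):
    """Decompress the single gzip member starting at offset.

    Returns (payload, trailing_bytes), or None when the candidate is not a
    complete, valid gzip stream. trailing_bytes is what the gzip tool reports
    as "trailing garbage ignored".
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
    try:
        payload = d.decompress(blob[offset:]) + d.flush()
    except zlib.error:
        return None  # not a deflate stream after all (false magic hit)
    if not d.eof:
        return None  # member runs past end of file: image is truncated
    return payload, d.unused_data


def extract_first_valid(blob: bytes):
    """Try candidates in file order; return (offset, payload, trailing)."""
    for off in find_gzip_candidates(blob):
        result = carve_gzip_member(blob, off)
        if result is not None:
            payload, trailing = result
            return off, payload, trailing
    return None


# Constructed sample image (assumption for the demo): a fake loader header
# that happens to contain the magic bytes, then a real gzip member whose
# payload stands in for the cpio archive, then 16 bytes of trailing padding.
FAKE_HEADER = b"BOOT" + b"\x1f\x8b\x08" + b"\x00" * 25          # decoy magic at 4
FAKE_PAYLOAD = b"070701" + b"\x00" * 20 + b"lina\x00" * 8       # "cpio" stand-in
FAKE_TRAILER = b"\xff" * 16
SAMPLE_IMAGE = FAKE_HEADER + gzip.compress(FAKE_PAYLOAD, mtime=0) + FAKE_TRAILER

if __name__ == "__main__":
    print("candidates:", [hex(c) for c in find_gzip_candidates(SAMPLE_IMAGE)])
    off, payload, trailing = extract_first_valid(SAMPLE_IMAGE)
    print(f"gzip member at {off:#x}; use: tail -c {tail_count(SAMPLE_IMAGE, off)}")
    print(f"payload {len(payload)} bytes, {len(trailing)} trailing bytes ignored")
```

On a real image the carved payload is what the post feeds to `cpio -id`; the decoy hit at offset 4 is rejected because its "deflate" data is an invalid stored block, which is exactly the kind of false positive a plain byte search for 1F 8B cannot tell apart from the real archive.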
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 3:47 pm    Post subject:

Ok, I just rezipped it with:
Code:
gzip -9 asa821

Then launching QEmu with this:
Code:
qemu -hda ./FLASH -m 256 -kernel ./uncompressed/vmlinuz -initrd ./asa821-k8.gz --no-kqemu -nographic -append "auto console=ttyS0,9600 bigphysarea=16384 ide1=noprobe"

and it worked but then it crashed:

Code:

ype help or '?' for a list of available commands.
ciscoasa>
ciscoasa>
ciscoasa>
ciscoasa>
ciscoasa>

************************************************************
FATAL DEVICE ERROR DETECTED.  ERROR CODE: -9

Please copy the following exactly as it appears,
along with any visible version strings, and contact
your support representative.

Cisco Adaptive Security Appliance Software Version 8.2(1)

Compiled on Tue 05-May-09 22:45 by builders
Serial Number:
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

************************************************************
Process shutdown finished
Rebooting.....


I don't have any clues on this...
signal.quest



Joined: 14 Apr 2007
Posts: 116

PostPosted: Tue Jun 16, 2009 3:48 pm    Post subject:

Thanks for the unpack tip! Excellent! Have you tried running it? I will try to run it!

Last edited by signal.quest on Tue Jun 16, 2009 3:49 pm; edited 1 time in total
nekkro-kvlt



Joined: 14 Jun 2007
Posts: 76

PostPosted: Tue Jun 16, 2009 3:49 pm    Post subject:

signal.quest wrote:
Thanks! Excellent! Have you tried running it? I will try to run it!
See my post: it boots, but then it crashes, and I don't know why at all...
Edit:
open /dev/hda1:No such device or address
dosfsck(/dev/hda1) returned 1
mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address


It may be the hard drive that is failing, I'll try to partition it... If someone knows how to do that :)
signal.quest



Joined: 14 Apr 2007
Posts: 116

PostPosted: Tue Jun 16, 2009 4:10 pm    Post subject:

I am trying to update my usb bootable drive with the new unpacked image. I have to refresh my memory on how to copy the unpacked image to the bootable disk w/o messing up the symbolic links...
Page 1 of 5