2015-08-14
I recently participated in a CTF with a MIPS pwning challenge. A MIPS binary was provided for a service running remotely on a MIPS box. The challenge was to analyze the binary, figure out the security hole, and pop a shell on the remote service.
When analyzing binaries and writing exploits, it is often useful to be able to run the binary locally. A MIPS binary cannot run on an x86 machine, so an emulator must be used.
This article explains how to set up a Debian MIPS guest for running and debugging MIPS binaries on an Arch Linux host. A lot of this information was taken from my friend Zach Cutlip's blog.
Qemu
First, QEMU needs to be installed. This is the emulator that will allow us to emulate MIPS on x86.
(host)$ pacman -S qemu
Debian QEMU Guest Images
Debian QEMU guest images need to be downloaded or created from scratch. Creating from scratch is time consuming, so we will download premade images.
Here we download 32-bit MIPS Debian 7 images:
(host)$ wget 'https://people.debian.org/~aurel32/qemu/mips/debian_wheezy_mips_standard.qcow2'
(host)$ wget 'https://people.debian.org/~aurel32/qemu/mips/vmlinux-3.2.0-4-4kc-malta'
The .qcow2 file is the disk image (the filesystem) for the MIPS guest system; a basic Debian installation has already been done on it. The vmlinux file is the kernel, and its name must match the one passed to QEMU below.
Running the MIPS Guest
The MIPS guest can be run as follows:
(host)$ qemu-system-mips -nographic -M malta \
-kernel ./vmlinux-3.2.0-4-4kc-malta \
-hda ./debian_wheezy_mips_standard.qcow2 \
-append "root=/dev/sda1 console=ttyS0"
This will boot the guest. It takes a long time to boot, and boot messages from init do not seem to get written to the screen, so it can appear to have frozen. If you wait long enough (several minutes), you will eventually see a familiar login prompt. (The console name in the kernel command line is case-sensitive: ttyS0, not ttys0.)
You can log in as the user root with the password 'root'.
Set up the MIPS Guest
This is just a normal Debian machine, so you can do things like adding users and installing programs. I usually do something like the following. These commands are run as root.
(mips)$ groupadd me
(mips)$ useradd -g me -G users,sudo -m me
(mips)$ apt-get update
(mips)$ apt-get install \
sudo screen vim tree git gdb strace openssh-server
(mips)$ update-rc.d ssh enable
Networking
At this point, you should have your MIPS machine set up and working nicely. By default, QEMU uses user-mode networking: the guest can open connections to your host, but your host cannot open connections to your guest. The guest also cannot use ICMP (so ping will not work).
In order to make networking more convenient, most people recommend setting up bridged networking. However, this takes time to set up. One easy alternative is SSH remote port forwarding.
On the MIPS guest, run the following command to connect to your host (10.0.2.2 is the host's address as seen from QEMU's user-mode network):
(mips)$ ssh -NR 2222:localhost:22 your-user-on-host@10.0.2.2
Now, on your host, port 2222 should be listening:
(host)$ netstat -lanp
Active Internet connections (servers and established)
Proto Local Address Foreign Address State PID/Program name
tcp 0.0.0.0:2222 0.0.0.0:* LISTEN 21760/qemu-system-mips
...
You can connect to that port with ssh to reach your MIPS machine:
(host)$ ssh -p 2222 me@localhost
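The whole procedure above (boot the guest, open the reverse tunnel from the guest, check on the host that the tunnel port is listening) collected into one small POSIX shell helper. This is an added example, not a script from the original post or from QEMU/Debian. It reuses the file names, port and user placeholder used in the post; `HOST_USER`, `TUNNEL_PORT` and the function names are my own, and the ssh keepalive options are my addition so a dead tunnel is noticed and re-opened.

```shell
#!/bin/sh
# Added example, not part of the original post: a helper wrapping the
# steps above. Run "boot" and "wait" on the host, "tunnel" on the guest.
# File names, port and user are the post's; override via environment.

KERNEL="${KERNEL:-./vmlinux-3.2.0-4-4kc-malta}"
DISK="${DISK:-./debian_wheezy_mips_standard.qcow2}"
HOST_USER="${HOST_USER:-your-user-on-host}"   # host account the guest tunnels to
TUNNEL_PORT="${TUNNEL_PORT:-2222}"

# Host side: boot the guest. Fail early if the kernel or disk is missing,
# which otherwise looks just like the silent, minutes-long boot described
# above. Note the case-sensitive console name: ttyS0, not ttys0.
boot_guest() {
    for f in "$KERNEL" "$DISK"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    exec qemu-system-mips -nographic -M malta \
        -kernel "$KERNEL" -hda "$DISK" \
        -append "root=/dev/sda1 console=ttyS0"
}

# Guest side: reverse-forward the guest's sshd to TUNNEL_PORT on the host
# (10.0.2.2 is the host under QEMU user-mode networking).
# ExitOnForwardFailure makes ssh quit instead of sitting connected with no
# usable forward when the host port is already taken; the keepalives let a
# dead tunnel be detected so the loop can re-establish it.
tunnel_to_host() {
    while :; do
        ssh -N -R "${TUNNEL_PORT}:localhost:22" \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            "${HOST_USER}@10.0.2.2"
        echo "tunnel closed, retrying in 5s" >&2
        sleep 5
    done
}

# Pure check: read a netstat or ss listing on stdin and succeed if port $1
# is in LISTEN state. Handles both column orders (netstat prints the state
# after the address, ss before it) and does not confuse :22 with :2222.
port_is_listening() {
    grep -Eq "LISTEN.*[:.]$1[[:space:]]|[:.]$1[[:space:]].*LISTEN"
}

# Host side: poll until the tunnel port is up (max $1 seconds, default 60),
# so "ssh -p 2222 me@localhost ..." can follow in a script without racing
# the guest's boot.
wait_for_tunnel() {
    n="${1:-60}"
    while [ "$n" -gt 0 ]; do
        if { ss -ltn 2>/dev/null || netstat -lant 2>/dev/null; } | port_is_listening "$TUNNEL_PORT"; then
            return 0
        fi
        n=$((n - 1)); sleep 1
    done
    echo "port $TUNNEL_PORT never came up" >&2
    return 1
}

case "${1:-}" in
    boot)   boot_guest ;;
    tunnel) tunnel_to_host ;;
    wait)   wait_for_tunnel "${2:-60}" ;;
    *)      echo "usage: $0 boot|tunnel|wait [seconds]" >&2 ;;
esac
```

On the host, `./mipsenv.sh boot` in one terminal and `./mipsenv.sh wait && ssh -p 2222 me@localhost` in another; on the guest, `./mipsenv.sh tunnel` (for example from a screen session) keeps the forward alive across the guest's slow reboots.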