ANALYSIS ENVIRONMENT SETUP


  • Please ensure you have done the following:


  • 1. Install virtualization software. Oracle VirtualBox, Xen, or VMware Workstation all work (feel free to choose a different product).

  • 2. Grab a copy of Ubuntu 16.04.1 (64-bit): ubuntu-16.04.1-desktop-amd64.iso from http://old-releases.ubuntu.com/releases/16.04.1/

  • 3. Add any guest tools required by your virtualization software (for example VirtualBox Guest Additions or VMware Tools)

  • 4. Open a terminal, become root with "sudo su", and confirm it worked with "whoami" (expected output: root). Every later step runs in this root shell.

  • 5. Install the build tools with "apt-get install build-essential"

  • 6. Install the kernel headers for the running kernel with "apt-get install linux-headers-4.4.0-31-generic" (note the hyphen, not a dot, before 31). The package name must match "uname -r" exactly; if the guest has already been updated to a newer kernel, run "apt-get install linux-headers-$(uname -r)" instead and substitute that version wherever 4.4.0-31-generic appears below.

  • 7. Install git with "apt-get install git"

  • 8. Download LiME with "git clone https://github.com/504ensicsLabs/LiME.git"

  • 9. Install the DWARF extraction tool used to build the Volatility profile with "apt-get install dwarfdump"

  • 10. Install the additional DWARF utilities with "apt-get install dwarf-utils" (if apt reports no such package, carry on: the profile build in step 23 only needs dwarfdump)

  • 11. Install Python 2.7, which Volatility 2 requires, with "apt-get install python2.7"

  • 12. Download the Volatility Framework with "git clone https://github.com/volatilityfoundation/volatility"

  • 13. Install the supporting libraries for Volatility with "apt-get install pcregrep libpcre++-dev python-dev"

  • 14. Install the Python setup tools with "apt-get install python-setuptools"

  • 15. Install the pycrypto module for Volatility with "easy_install pycrypto"

  • 16. Install the distorm3 disassembler module for Volatility with "easy_install distorm3"

  • 17. Change into the Volatility checkout with "cd ./volatility"

  • 18. Make the installer executable with "chmod u+x ./setup.py". There is no need for "chmod 777 ./*": the install runs as root, and leaving a world-writable source tree behind is a bad habit even in a throwaway lab VM.

  • 19. Install the Volatility Framework with "python setup.py install" (use "python2.7 setup.py install" if "python" on the guest is not Python 2)

  • 20. Leave the Volatility checkout with "cd .."

  • 21. Change into the profile build tools directory of the Volatility checkout with "cd ./volatility/tools/linux"

  • 22. Build the Volatility kernel module with debug info against the installed headers: "make -C /lib/modules/4.4.0-31-generic/build CONFIG_DEBUG_INFO=y M=$PWD". This produces module.o; the kernel version in the path must match "uname -r", or the profile will not fit the memory images you later capture.

  • 23. Run dwarfdump on the resulting object to extract the kernel type information: "dwarfdump -di ./module.o > module.dwarf". The output file must be non-empty; an empty module.dwarf means the build in step 22 failed.

  • 24. Collect the running kernel version with "uname -r" ("uname -a" shows it too); it is used to name the profile below

  • 25. Collect the distribution version with "cat /etc/issue"

  • 26. Bundle the profile, naming it after the distribution and kernel: "zip ./Linux_Ubuntu_16_04_01_LTS_4_4_0_31_generic.zip module.dwarf /boot/System.map-4.4.0-31-generic". Volatility derives the profile name from this filename, so keep it descriptive.

  • 27. Copy the profile into the Linux overlays folder of the installed Volatility: "cp ./Linux_Ubuntu_16_04_01_LTS_4_4_0_31_generic.zip /usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux". Verify with "python ../../vol.py --info | grep Linux": the new profile must appear in the list, otherwise the zip is in the wrong place or malformed.

  • 28. Change back to the download folder containing the LiME checkout with "cd ../../.."

  • 29. Change into the LiME source folder with "cd ./LiME/src"

  • 30. Build LiME with "make" (lowercase). The result is a kernel module named lime-4.4.0-31-generic.ko, built for the running kernel; rebuild it if the kernel ever changes.

  • 31. Open an editor and create the vulnerable program: "vi vulnshell.c"

  • 32. Press "i" to enter insert mode

  • 33. Paste the following (the program is deliberately vulnerable: strcpy copies an attacker-controlled argument into a 100-byte stack buffer with no length check, after the process has switched to uid 0):

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    int copier(char *str);

    int main(int argc, char *argv[]) {
        if (argc < 2) {
            printf("usage: %s <string>\n", argv[0]);
            return 1;
        }
        copier(argv[1]);
        printf("Done!\n");
        return 0;
    }

    /* Deliberately unsafe: no bounds check on the copy into buffer. */
    int copier(char *str) {
        setuid(0);
        char buffer[100];
        strcpy(buffer, str);
        return 0;
    }

  • 34. Exit vi and write the file: press "Esc", then type ":wq!"

  • 35. Compile the code with the compile-time protections disabled: "gcc -fno-stack-protector -z execstack -o copier -no-pie -m32 ./vulnshell.c". The -m32 flag needs the 32-bit toolchain ("apt-get install gcc-multilib"). If gcc rejects "-no-pie" as an unrecognized option, drop it: the gcc 5.4 shipped with 16.04 does not build PIE binaries by default. Check the result with "file ./copier", which should report a 32-bit ELF executable.

  • 36. Make the binary setuid root: "chmod 4755 ./copier" (it is already owned by root because you built it as root). "5777" would set the setuid and sticky bits rather than SUID/SGID, and would also make the target world-writable; neither is wanted. Confirm with "ls -l ./copier", which should show "-rwsr-xr-x" with owner root.

  • 37. Disable address space layout randomization: "echo 0 | tee /proc/sys/kernel/randomize_va_space" (you are already root, so sudo is not needed). This setting does not survive a reboot: re-apply it, or add "kernel.randomize_va_space = 0" to /etc/sysctl.conf, whenever the guest is restarted rather than restored from the snapshot.

  • 38. Snapshot your guest, so the lab can always be restored to exactly this state!
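The following script is an added example, not part of the handout above, that checks the finished lab before step 38 is taken: headers for the running kernel, a usable module.dwarf, a profile zip that Volatility actually lists, a LiME module built for this kernel, a root-owned 32-bit SUID copier with a sane mode, and ASLR off. The script name check_lab.sh, the LAB_DIR variable (the folder holding the volatility and LiME checkouts and the copier binary; defaults to the current directory) and the overlays path from step 27 are assumptions; the profile naming rule ("Linux" + zip basename + architecture suffix) is what Volatility 2 uses, and run_checks confirms it live against "vol.py --info".

```shell
#!/bin/sh
# check_lab.sh: sanity checks for the lab built above. Added example, not part
# of the handout. Run as root inside the guest before snapshotting:
#   LAB_DIR=/folder/with/volatility/LiME/copier sh check_lab.sh run
# Assumptions: LAB_DIR (default: current directory) holds the volatility and
# LiME checkouts plus the copier binary; the profile zip was copied to the
# overlays path used in step 27.
set -u

OVERLAYS=/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux
LAB_DIR="${LAB_DIR:-$PWD}"

# Profile name Volatility 2 derives from a zip: "Linux" + zip basename + arch
# (assumed naming rule; run_checks confirms it against vol.py --info).
profile_name_from_zip() {
    printf 'Linux%s%s\n' "$(basename "$1" .zip)" "${2:-x64}"
}

# 0 if headers for kernel release $1 exist under $2 (default /lib/modules).
headers_present() {
    [ -f "${2:-/lib/modules}/$1/build/Makefile" ]
}

# 0 if a dwarfdump output file is non-empty and holds at least one compile
# unit; an empty or truncated module.dwarf yields an unusable profile.
dwarf_ok() {
    [ -s "$1" ] && grep -q 'DW_TAG_compile_unit' "$1"
}

# 0 for a 4755-style mode (setuid set, no group/other write bits). Rejects the
# handout's original 5777, which sets sticky instead and is world-writable.
suid_mode_ok() {
    case "$1" in
        4[0-7][0145][0145]) return 0 ;;
    esac
    return 1
}

# 0 if the sysctl file holds 0, i.e. ASLR is disabled.
aslr_disabled() {
    [ "$(cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null)" = "0" ]
}

run_checks() {
    kver=$(uname -r)
    fail=0
    headers_present "$kver" ||
        { echo "FAIL: no headers for $kver (apt-get install linux-headers-$kver)"; fail=1; }
    dwarf_ok "$LAB_DIR/volatility/tools/linux/module.dwarf" ||
        { echo "FAIL: module.dwarf missing or empty; redo steps 22-23"; fail=1; }
    zipf=$(ls "$OVERLAYS"/*.zip 2>/dev/null | head -n 1)
    if [ -z "$zipf" ]; then
        echo "FAIL: no profile zip in $OVERLAYS"; fail=1
    else
        name=$(profile_name_from_zip "$zipf")
        python2.7 "$LAB_DIR/volatility/vol.py" --info 2>/dev/null | grep -q "^$name " ||
            { echo "FAIL: vol.py --info does not list $name"; fail=1; }
    fi
    [ -f "$LAB_DIR/LiME/src/lime-$kver.ko" ] ||
        { echo "FAIL: LiME module not built for $kver; rerun make in LiME/src"; fail=1; }
    mode=$(stat -c %a "$LAB_DIR/copier" 2>/dev/null || echo none)
    owner=$(stat -c %U "$LAB_DIR/copier" 2>/dev/null || echo none)
    if ! suid_mode_ok "$mode" || [ "$owner" != root ]; then
        echo "FAIL: copier must be root-owned with mode 4755 (have $owner $mode)"; fail=1
    fi
    file "$LAB_DIR/copier" 2>/dev/null | grep -q 'ELF 32-bit' ||
        { echo "FAIL: copier is not a 32-bit ELF; recompile with -m32"; fail=1; }
    aslr_disabled ||
        { echo "FAIL: ASLR is on; echo 0 > /proc/sys/kernel/randomize_va_space"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK: lab is ready to snapshot"
    return "$fail"
}

# Only run the live checks when invoked with "run"; the helpers above can be
# sourced and exercised on their own.
case "${1:-}" in run) run_checks ;; esac
```

Any FAIL line names the step to redo. The checks are deliberately stricter than the handout in one place: a copier mode of 5777 is reported as a failure, because the sticky bit does nothing useful here and world-writable SUID binaries are not the target the later exercises expect.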