https://github.com/arisada/midgetpack

midgetpack is a multiplatform secure ELF packer
https://github.com/arisada/midgetpack

Last synced: 25 days ago
JSON representation

midgetpack is a multiplatform secure ELF packer

• Host: GitHub
• URL: https://github.com/arisada/midgetpack
• Owner: arisada
• License: other
• Created: 2014-07-24T20:51:10.000Z (over 10 years ago)
• Default Branch: master
• Last Pushed: 2014-07-29T08:41:20.000Z (over 10 years ago)
• Last Synced: 2024-08-03T22:04:39.685Z (4 months ago)
• Language: C
• Size: 4.06 MB
• Stars: 195
• Watchers: 19
• Forks: 39
• Open Issues: 6
• Metadata Files:
  • Readme: README
  • License: LICENSE

Awesome Lists containing this project

• awesome-anti-forensic - Midgetpack

README

        
  Midgetpack

  ~-~-~-~-~-

    [email protected]

  

  Table of contents:

  

1- What is Midgetpack

2- Features

3- Use

4- Shortcomings

5- Installation

***********************************************************

1- What is Midgetpack

 Midgetpack is a binary packer for ELF binaries, such as burneye, upx or 

 other tools. Its goal is to protect your assets (tools, exploits) when using

 them on untrusted systems (e.g on a monitored customer's system during a

 pentest).

 Midgetpack contains two modes of operation: password and curve25519 key exchange.

 

 The password mode is the classical password that is asked when starting the

 binary. I believe the binary to be secure against cracking if you choose a

 strong password, but once someone has both binary and password he can do whatever

 he wants.

 

 The curve25519 is the real advantage of midgetpack. In this mode, you do not

 provide any password or key. Instead, a key file is generated at packing time.

 This key file must be used everytime you wish to use the binary. When you start

 the binary, it will give a challenge and expect a response. You copy/paste the

 challenge in the input of the mpkex tool and receive a response containing the

 encrypted key to the binary.

 This key exchange is protected by Curve25519 key exchange, the key is encrypted

 with aes-128 and the whole exchange is authenticated with HMAC-SHA256 to avoid

 generic man-in-the-middle attacks.

 This mode is truly secure as eavesdropping the terminal will *not* be enough to

 recover the key or the unprotected binary.

 

2- Features

 Midgetpack is able to pack binaries in different architectures using the same

 executable. This makes possible to pack an x86 binary on an amd64 one.

 

 Currently Linux and freebsd are supported.

 CPU supported: x86-32, x86-64, arm

 

 Encryption: 

  - Password (PBKCS2, AES128-cbc, HMAC-SHA256)

  - curve25519 (Curve25519 kex, AES128-cbc, HMAC-SHA256)

  

3- Use

 As stated above, there are 2 different operation modes: password and curve25519.

 

 - Password:

   $ ./midgetpack -o binary -p src/tests/test32-dynamic 

   x86 ELF file

   Adding new pheader with vaddr base badd000, offset 0 of filesz 5eca

   Please enter password:

   Enter the password again:

   $ chmod +x binary 

   $ ./binary 

   starting stub...

   Password: 

   Hello, world !

 

 - Curve25519

   $ ./midgetpack -o binary -c src/tests/test32-dynamic

   x86 ELF file

   Adding new pheader with vaddr base badd000, offset 0 of filesz 5eca

   Key data written in file key

   

   Then, two consoles are needed:

 

 $ ./binary                            | $ src/packer/mpkex key 

starting stub...                       | Waiting for challenge...

challenge:                             |

ZABpaSpiAkNzJTFKkiE3S7mW-vC7YrcBainilU |

1yScpWEWZB9epppJHeicqd9wj4             |

                                       | ZABpaSpiAkNzJTFKkiE3S7mW-vC7YrcBainilU

                                       | 1yScpWEWZB9epppJHeicqd9wj4

                                       | Response:

                                       | jvDFJApVgXUASz-7hLj_2BJ40ppY0EsJ9GOsM-f

                                       | 7pkBVFsu6cnV4XWBSO5nz82lVopPJJ5PRy7Pi-l

                                       | urGgtPDDAA

jvDFJApVgXUASz-7hLj_2BJ40ppY0EsJ9GOsM- | $ 

f7pkBVFsu6cnV4XWBSO5nz82lVopPJJ5PRy7Pi |

-lurGgtPDDAA                           |

Hello, world !                         |

4- Shortcomings

 The password version of midgetpack is not very secure. The password is currently

 echoed back so it appears in cleartext on honeypots. However it may be enough when

 there's good confidence that the system is not monitored.

 

 The Curve25519 version is stronger, but is subject to replay attacks if the PRNG

 can be forced to replay same numbers. To do so, an attacker would need to hook

 /dev/urandom, the rdtsc instruction and the ELF Aux vector on the first run

 to force output of the same numbers.

 

 The Curve25519 version is also vulnerable to some active man-in-the middle attacks

 in which an attacker would need to extract the HMAC key from the binary and dynamically

 replace the binary's challenge with its own.

 

 Both these attacks are unlikely to be seen in the wild.

 

 Both versions are vulnerable to snapshots attacks, in which a snapshot of the VM or

 the running process is taken in order to analyse the cleartext version of the binary.

 Reducing the impact of these attacks may be a target for next versions.

 

5- Installation

 Requirements:

 - cmake

 - C compiler (tested with gcc, may fail on clang)

 $ mkdir build/

 $ cd build/

 $ cmake ..

  (note: cmake .. -DWITH_PRECOMPILED_STUBS if you don't want any binary blob)

 $ make

 $ src/packer/midgetpack -o packed -P mypassword src/tests/test32-dynamic

 $ ./packed