In Discover Pro firmware 388 it is possible to execute a script named autorun placed on a USB stick:
from etc/mcd.conf:
[AUTORUN]
Callout = FNAME_MATCH
Argument = /autorun
Match Rule = INSERTED
Fail Rule = SW_UPDATE
However, autorun is only executed when there is a matching signature in a file called autorun.sig.
I think autorun.sig must contain the SHA-1 hash of autorun, but scrambled in a way similar to copie_scr.sh in the Audi MIB, though not exactly the same.
The check is performed in the ELF file autorunner; when autorun is loaded it shows the PNG files below:
fail.png, success.png, wait.png
Here is a piece of pseudo code from autorunner:
// Excerpt from autorunner (Hex-Rays pseudocode). The excerpt is truncated:
// the final else-if has no body on this page.
// Read the data file (autorun); a zero/NULL result skips everything.
DataFileBytes = ReadDataFile(hDataFile);
if ( DataFileBytes )
{
// Read the signature file (autorun.sig).
SignatureFileBytes = ReadSignatureFile(hSignatureFile);
SignatureFileBytesVar = SignatureFileBytes;
if ( SignatureFileBytes )
{
// Element 3 is what gets passed on as the signature; presumably the
// pointer to the file contents (same slot as DataFileBytes[3] below) - verify.
SignatureFileBytesOffset3 = SignatureFileBytes[3];
// Hash the data file; arguments are presumably buffer pointer and length.
// HashFileSha1 returns 1 on failure (the error branch below).
if ( HashFileSha1(DataFileBytes[3], DataFileBytes[2], &Sha1Hash) == 1 )
{
// 0x2A == strlen("[autorunner] Failed to calculate SHA1 hash")
fwrite("[autorunner] Failed to calculate SHA1 hash", 1u, 0x2Au, (FILE *)&Stderr);
fputc(10, (FILE *)&Stderr);
fflush((FILE *)&Stderr);
}
// Otherwise check the signature against the hash: sub_102D9C gets the
// 20-byte SHA-1, the signature bytes, the address of dword_106B68[4]
// (0x106B78) and the bytes of dword_106B68[36] (0x10001).
else if ( sub_102D9C(
(int)&Sha1Hash,
SignatureFileBytesOffset3,
0x106B78,
(unsigned __int8 *)&dword_106B68[36]) )
It takes a normal SHA-1 hash of the file, but then sub_102D9C does something I don't understand.
dword_106B68 is a large array:
LOAD:00106B68 dword_106B68 DCD 0x9302130, 0xE2B0506, 0x51A0203, 0x140400, 0x23014CDA
LOAD:00106B68 DCD 0x577F385A, 0x7F74C77E, 0x5A4225EE, 0x5F0D17E6, 0x44F768D3
LOAD:00106B68 DCD 0xACA00C32, 0x9DA05E8C, 0xA2DCE67, 0x697DCA67, 0xF460E8AA
LOAD:00106B68 DCD 0x351ADB6A, 0x5A8B1317, 0x6AAB4480, 0x79977987, 0xCFB62FC5
LOAD:00106B68 DCD 0xF271641E, 0x6FCFFFDB, 0x125781C5, 0x4C0B99EB, 0xD606FCFC
LOAD:00106B68 DCD 0xF19D2E10, 0xDE167181, 0xA9C480F0, 0x6B1C99E4, 0x7549E0C0
LOAD:00106B68 DCD 0xC07CE5CC, 0xABFE4E9E, 0xF8078B03, 0x4F390997, 0x2A5CA779
LOAD:00106B68 DCD 0x27B2E66F, 0x10001
Here is the code from sub_102D9C:
// Signature check. Derives a 128-byte value from the signature file via
// sub_103B88, builds a 128-byte expected block from the SHA-1 hash at a1,
// and returns 1 only if all 128 bytes match; 0 otherwise.
//
//   a1 - pointer to the 20-byte SHA-1 hash of the data file
//        (&Sha1Hash in the caller)
//   a2 - pointer to the signature file contents (passed to sub_103B88)
//   a3 - 0x106B78 in the caller, i.e. &dword_106B68[4]; the 32 dwords
//        (128 bytes) from there up to dword_106B68[35] presumably form an
//        RSA-1024 modulus - sub_1037E4 is not on this page, confirm there
//   a4 - &dword_106B68[36]; its first three bytes are read big-endian as
//        the exponent (0x10001 stored little-endian -> 65537)
//
// The expected block is laid out as
//   00 01 FF..FF (90 bytes) 00 <15 bytes from 0x106B68> <20-byte hash>
// which is the EMSA-PKCS1-v1_5 encoding of a SHA-1 DigestInfo for a
// 1024-bit modulus; on a little-endian target the 15 bytes at 0x106B68
// decode to 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14, the standard
// SHA-1 DigestInfo prefix. Since all 128 bytes are compared, a .sig only
// passes if it was produced with the private key belonging to the embedded
// modulus - assuming sub_103B88/sub_1037E4 is a correct modular
// exponentiation (not visible here).
signed int __fastcall sub_102D9C(int a1, int a2, int a3, unsigned __int8 *a4)
{
int v4; // r4@1
signed int v5; // r3@2
int v6; // r3@4
signed int v7; // r2@4
char *v8; // r2@6
int v9; // r3@6
signed int v10; // r3@9
// 128-byte result of sub_103B88 (sp+0 .. sp+0x7F)
char v12[128]; // [sp+0h] [bp-110h]@1
// Start of a second 128-byte buffer at sp+0x80 holding the expected
// encoding; v14, v15 and v16 are offsets 1, 92 and 128 into it
// (so &v16 - 128 == &v13).
char v13; // [sp+80h] [bp-90h]@2
char v14; // [sp+81h] [bp-8Fh]@2
char v15; // [sp+DCh] [bp-34h]@4
char v16; // [sp+100h] [bp-10h]@5
v4 = a1;
// Exponent = a4[0..2] read big-endian; sub_103B88 fills v12.
// A return of 0 means success here.
if ( !sub_103B88(a2, a3, a4[2] | (*a4 << 16) | (a4[1] << 8), (int)v12) )
{
// expected[0] = 0x00, expected[1] = 0x01
v13 = 0;
v14 = 1;
v5 = 2;
// expected[2..91] = 0xFF (90 bytes)
do
*(&v13 + v5++) = -1;
while ( v5 != 92 );
v6 = 0;
// expected[92] = 0x00
v15 = 0;
v7 = 93;
// expected[93..107] = the 15 bytes at 0x106B68 (DigestInfo prefix)
do
{
*(&v16 + v7 - 128) = *(_BYTE *)(v6 + 0x106B68);
v7 = (unsigned __int16)(v7 + 1);
++v6;
}
while ( v6 != 15 );
v8 = &v13;
v9 = 0;
// expected[108..127] = the 20-byte SHA-1 hash at a1
do
(v8++)[108] = *(_BYTE *)(v4 + v9++);
while ( v9 != 20 );
// Byte-by-byte compare of expected[0..127] against v12[0..127];
// returns 1 only on a full match, exits at the first mismatch.
if ( v13 == v12[0] )
{
v10 = 1;
while ( *(&v13 + v10) == v12[v10] )
{
if ( ++v10 == 128 )
return 1;
}
}
}
return 0;
// Builds a 128-byte buffer that holds the 32-bit value a3 big-endian in its
// last four bytes (all other bytes zero) and passes it to sub_1037E4 along
// with a1, a2 and a4. In the caller a1 is the signature data, a2 is
// 0x106B78 (the presumed modulus), a3 is the 24-bit exponent read from
// dword_106B68[36] and a4 is the 128-byte output buffer v12.
// sub_1037E4 is not on this page; from the argument shapes it is presumably
// a big-number modular exponentiation (signature^exponent mod modulus)
// writing its result to a4 - confirm.
// Returns whatever sub_1037E4 returns (the caller treats 0 as success).
signed int __fastcall sub_103B88(int a1, int a2, unsigned int a3, int a4)
{
int v4; // r12@1
// v6 starts the 128-byte buffer at sp+0; v7..v10 at sp+0x7C..0x7F are
// bytes 124..127 of that same buffer.
int v6; // [sp+0h] [bp-88h]@2
char v7; // [sp+7Ch] [bp-Ch]@3
char v8; // [sp+7Dh] [bp-Bh]@3
char v9; // [sp+7Eh] [bp-Ah]@3
char v10; // [sp+7Fh] [bp-9h]@3
v4 = 0;
// Zero bytes 0..123.
do
*((_BYTE *)&v6 + v4++) = 0;
while ( v4 != 124 );
// Bytes 124..127 = a3 in big-endian order: [124]=bits 31..24,
// [125]=bits 23..16, [126]=bits 15..8, [127]=bits 7..0.
v9 = BYTE1(a3);
v10 = a3;
v8 = a3 >> 16;
v7 = BYTE3(a3);
return sub_1037E4(a1, a2, (int)&v6, a4);
}
I'm looking for how the hash in autorun.sig is calculated so that it will match; maybe someone has an idea or has seen this before?
PS: I also found a challenge/response system in the unit that allows root access via telnet without a password, but I need to tackle this one first...