Intro to Hardware Firmware Hacking

Posted on 12-Apr-2017


Andrew Freeborn

• The Wild West

• What’s MIPS

• Let’s break it

• Pictures!

Agenda

Embedded Devices

• Cheap and everywhere

• Lots of options for home routers, modems, etc

• New models every year with new features

• No real regulation of device safety or of how strong its security is (CyberUL to help?)

• Krebs attack / Ukraine power grid

Embedded Devices Are Awesome

We get it, they’re bad

TLC?

• Easy to get into surprisingly

• Easier if you stick to the rivers and lakes... software

• Like many problems, issues can be fixed when there is attention on them

They’re not bad, they just need TLC

• All software updated

• Kernel updates

• Kernel hardening

• Compiler protections

• Make updating easy and secure with little effort

• Scanned for vulnerabilities

Embedded Device Solutions

• DVRF

• MIPS CPU

• MIPS assembly >>

• ???

• Profit

When do we get to see dat MIPS

• MIPS binaries

• hello.c

• MIPS disassembly

What the MIPS?

https://www.onlinedisassembler.com/odaweb/GzjLonX7

• Anybody can do this search and find this information

• Source: https://www.shodan.io/search?query=netgear

What about security?

• Prologue

• Middle-logue?

• Epilogue

Show me that MIPS again

• Why do we care?

• Are there other buffer overflows?

• Source: https://en.wikipedia.org/wiki/Call_stack

What’s a stack buffer overflow?

• Why start here?

• How many challenges are there?

Stack buffer overflows in DVRF

• Intro: stack_bof_01, heap_overflow_01, uaf_01

• ShellCode_Required: stack_bof_02, socket_bof, socket_cmd

• Let’s run it!

stack_bof_01

• Hulk smash!

stack_bof_01

• Static analysis with floss (the new strings!)

Smashed the stack, now what

• Lots of ways to do this

• IDA

• Online Disassembler >>

Graph me like one of your French binaries

www.onlinedisassembler.com/odaweb/OXabeNP7

• Functions

• main

• dat_shell

• other things we don’t care about

What’s on the menu?

• Debugger like GDB

• Plain GDB is not pretty

• pwndbg makes it nice >>

• Use gdb-multiarch

• This really is helpful >>

Dynamic analysis

• You just need the right amount of “As”

• Provide the memory address of dat_shell

Python to the rescue
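The bug class behind stack_bof_01 and the "right amount of As" slide, shown as an added example that is not code from the talk or from DVRF: a constructed unbounded copy into a stack buffer beside a bounded copy that rejects oversize input instead of letting it reach the saved return address. The 200-byte buffer size, the 1024-byte test input and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; stack_bof_01's real size is not on the page. */
#define BUF_LEN 200

/* The vulnerable pattern (constructed, not DVRF's source): an unbounded copy into a
 * fixed-size stack buffer. On MIPS the prologue saves $ra (the return address) on the
 * stack above the local buffer, so a copy longer than the buffer overwrites $ra; that
 * is why a run of "As" followed by the address of dat_shell ends up in dat_shell. */
void vulnerable_copy(char *dst, const char *src)
{
    strcpy(dst, src); /* no length check: overflows when strlen(src) >= BUF_LEN */
}

/* Hardened form: bound the copy by the destination size, always NUL-terminate, and
 * report oversize input to the caller instead of silently truncating it. Returns the
 * number of bytes copied, or -1 if src (plus its NUL) does not fit in dst_len. */
int safe_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len) { /* src is too long for dst: reject rather than overflow */
        if (dst_len > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* n + 1 includes the terminating NUL */
    return (int)n;
}

/* Helper for the checks below: builds a run of `count` 'A's (constructed input, the
 * same shape as the overflow payload the slides describe) and copies it with
 * safe_copy(). Returns the bytes copied, -1 when rejected, -2 if count is unsupported. */
int copy_run_of_as(size_t count)
{
    char src[1024];
    char dst[BUF_LEN];
    if (count >= sizeof src)
        return -2;
    memset(src, 'A', count);
    src[count] = '\0';
    return safe_copy(dst, sizeof dst, src);
}
```

Anything up to 199 bytes is copied; 200 bytes or more, which would have overwritten the saved return address through strcpy(), is rejected before the copy happens.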

• vivirytech@gmail.com

• https://vivirytech.blogspot.com

• Twitter: @vivirytech

Thanks!