simulating router firmware for live demonstration, more advanced RE, or just giggles

-

So I needed to put together a live demonstration for a presentation I'm doing soon on the attack surface of embedded devices, and why the industry seems to want their devices vulnerable. I have never needed to boot a firmware image in such a controlled manner before, and decided this would be something nice to share with others so they can just get this kind of thing up and running without hassle for their warped projects. So without further ado, lets get started.

Before you set this up, you will need to set up a basic virtual machine with the GNU/Linux distribution of your choice. You will also need to have already extracted the firmware image into a folder called squashfs-root unless you want to do the smart thing, and apply these instructions to your own personal setup.

First open the /etc/inittab for your firmware image. locate the line for sysinit and take note of what it has there. 


::sysinit:/etc/rcS
::respawn:/sbin/getty 115200 ttyS1
::respawn:/bin/sh 
::restart:/sbin/init
::shutdown:/bin/umount -a -r

Ok, copy the squashfs-root folder to the root directory of the virtual machines disk image, then copy the following script into the root directory of the image as well after modifying it to meet the needs of your particular firmware image: 


#!/bin/bash

export FIRMROOT="/squashfs-root"
export SYSINIT="/etc/rcS"

ifconfig eth0 10.0.3.10

# bind mount the important things so that this acts like a real linux system
mount --bind /tmp $FIRMROOT/tmp
mount --bind /sys $FIRMROOT/sys
mount --bind /proc $FIRMROOT/proc
mount --bind /dev $FIRMROOT/dev

# chroot into the firmware image, and launch the correct sysinit script for your firmware.
chroot $FIRMROOT /bin/sh -c $SYSINIT

And thats how its done. Here is a screenshot of the web login for this router running in VM:

And here is a screenshot of the router VM being exploited:

Comments

Post a Comment

Popular posts from this blog

What is a canary, how does it work, and what does that mean if I want to write a modern exploit.

-
Image
Canaries were  once regularly used  in  coal mining as an early warning system . Toxic gases such as carbon monoxide or asphyxiant gases such as methane  in the mine  would kill the bird before affecting the  miners . Signs of distress from the bird indicated  to  the  miners  that conditions  were  unsafe . Let's start with some history Oh the good old days. I remember a time when hackthissite.org , and  Smash The Stack  were fresh, and BOF's were often as easy as shoving your shellcode where the buffer was supposed to be and overwriting the return pointer with where that buffer was... Then they had to go and ruin the fun by widely adopting ASLR (Address Space Layout Randomization), DEP (Data execution protection), and  canaries  (stack cookies). Now in these dark times not only do we have to ROP with return to libc, we have to chain that with a memory leak vulnerability if we have any hope of  smashing the stack. While I plan to do posts soon covering all of these exciti
Read more

Better visualization of data formats using assembly POC's to better implement them in C

-
Image
Are you tired of staring at hex dumps, white papers and manual pages? Want to feel like you truly know how a data type like a file format, or a disk partition LOOKS like. Well I can't help you with the manual pages and white papers, ( https://staff.washington.edu/dittrich/misc/fatgen103.pdf , http://www.eit.lth.se/fileadmin/eit/courses/eitn50/Projekt1/FAT12Description.pdf ) but here is a great example of implementing a fat12 floppy image in assembly. ;//////////////////////////////////////////////////////////////////////////////// ;// THE SCOTCH-WARE LICENSE (Revision 0): ;// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you ;// can do whatever you want with this stuff. If we meet some day, and you think ;// this stuff is worth it, you can buy me a shot of scotch in return ;//////////////////////////////////////////////////////////////////////////////// ; This assembles to a floppy disk image [bits 16] [org 0x7C00] ;;;;;;;;;;;;;;;;;
Read more

Putting Linux on your Android device using debootstrap and chroot

-
Image
Ok, so first thing first. You will need a few things done BEFORE you attempt this tutorial: A rooted android device of sorts with debugging enabled and busybox installed An sdcard to store the debian image on A Linux machine (or live cd) to prepare the debian system image ADB for remounting the system partition and pushing startup scripts A terminal application installed on your droid and about an hour of free time Lets get right into it open up a terminal, and make a directory that you will be storing all of the files and things we create for easy cleanup later. I called mine linux_on_android. change to that directory, all instructions from here on out will be relative to whatever directory you are currently residing in after this step. Next, we create an empty raw disk image, make a directory to mount it under, create a filesystem on the image, and mount it under our new mount point. Now lets change into our mnt directory, install debootstrap, and use it to install a base system into
Read more