List:       full-disclosure
Subject:    [FD] Broken, Abandoned, and Forgotten Code
From:       Zach C <uid000 () gmail ! com>
Date:       2015-05-10 7:22:02
Message-ID: CACxx4MTDqBtxPaYgrGfO_QODqYpKrutqOHtWq8a2=RE8yXuiTA () mail ! gmail ! com
Hello,

I'm posting a multipart reversing and exploitation series entitled "Broken,
Abandoned, and Forgotten Code." It explores the discovery, reverse
engineering, and exploitation of an unauthenticated firmware update
capability in the UPnP stack of Netgear SOHO routers.

This isn't your typical "OMG command injection SOHO Routers are so
insecure!!!1!" project. We all know they are; that's been covered ad
nauseam.

This project was a challenge to exploit partially implemented, forgotten
code that appeared too broken to actually work. I set out to craft an
exploit and a special firmware image that would avoid crashing the UPnP
server and would leave the router with persistent backdoor access.

This was a really fun project, and I want to share it with anyone who might be
interested in embedded Linux reversing and exploitation. I walk the reader
from start to finish through the process of vulnerability discovery,
reverse engineering, exploitation, and post-exploitation. I tried to make
it so the reader can follow along with their own router, some basic
reversing experience, and the right tools.

There should be something for everyone. We'll cover figuring out how to
form the SOAP request. There will be lots of MIPS Linux disassembly.
There's debugging, binary patching, and emulation. There is a section
toward the end where we take apart the router to look for a debugging port.

The intro and Parts 1, 2 and 3 are up already. Part 4 comes Thursday,
followed by a new installment each week. I have twelve parts written, and
expect there to be around fourteen total.

Here are links to what's up so far:
Prologue (includes PoC exploit video):
http://shadow-file.blogspot.com/2015/04/broken-abandoned-and-forgotten-code_22.html
Part 1: http://shadow-file.blogspot.com/2015/04/abandoned-part-01.html
Part 2: http://shadow-file.blogspot.com/2015/04/abandoned-part-02.html
Part 3: http://shadow-file.blogspot.com/2015/05/abandoned-part-03.html

If you enjoy it, and you're on Twitter, please give me a mention or
retweet; I'm @zcutlip.

I've had a blast writing this and I hope you all have as much fun reading
it and following along.

Cheers!
Zach

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/