Full Disclosure mailing list archives

Subject: Broken, Abandoned, and Forgotten Code
From: Zach C <uid000 () gmail com>

Date: Sun, 10 May 2015 00:22:02 -0700

Hello,

I'm posting a multipart reversing and exploitation series entitled "Broken, Abandoned, and Forgotten Code." It explores the discovery, reverse engineering, and exploitation of an unauthenticated firmware update capability in the UPnP stack of Netgear SOHO routers.

This isn't your typical "OMG command injection SOHO Routers are so insecure!!!1!" project. We all know they are; that's been covered ad nauseam. This project was a challenge to exploit partially implemented, forgotten code that appeared too broken to actually work. I set out to craft an exploit and a special firmware image that would avoid crashing the UPnP server and would leave the router with persistent backdoor access.

This was a really fun project, and I want to share it with anyone who might be interested in embedded Linux reversing and exploitation. I walk the reader from start to finish through the process of vulnerability discovery, reverse engineering, exploitation, and post-exploitation. I tried to make it so the reader can follow along with their own router, some basic reversing experience, and the right tools.

There should be something for everyone. We'll cover figuring out how to form the SOAP request. There will be lots of MIPS Linux disassembly. There's debugging, binary patching, and emulation. There is a section toward the end where we take apart the router to look for a debugging port.

The intro and Parts 1, 2 and 3 are up already. Part 4 comes Thursday, followed by a new installment each week. I have twelve parts written, and expect there to be around fourteen total.
Here are links to what's up so far:

Prologue (includes PoC exploit video): http://shadow-file.blogspot.com/2015/04/broken-abandoned-and-forgotten-code_22.html
Part 1: http://shadow-file.blogspot.com/2015/04/abandoned-part-01.html
Part 2: http://shadow-file.blogspot.com/2015/04/abandoned-part-02.html
Part 3: http://shadow-file.blogspot.com/2015/05/abandoned-part-03.html

If you enjoy it, and you're on Twitter, please give me a mention or retweet; I'm @zcutlip.

I've had a blast writing this and I hope you all have as much fun reading it and following along.

Cheers!
Zach