Smart Hardware Vulnerability Discovery and Exploitation
Speaker: Yang Kun (杨坤) kun.yang@chaitin.com
How do hackers find your bug?
● Buy one from the official site
● Find the firmware (official site; capture download links from the App or Web control portal)
● Get a shell for debugging and gathering more information (serial port? repacking the firmware?)
● Identify attack surfaces (nmap; if you already have a shell, use netstat; wireless protocols such as Bluetooth?)
● Reverse engineering or script review
● Write an exploit
Outline
● Gathering Information
○ Find firmware
○ Get shell
○ Attack surface analysis
● Vulnerability Discovery
○ Reverse Engineering
○ Fuzzing
● Exploitation
○ Mitigations
○ Shellcode
○ ROP
Pwning devices step by step
● Huawei Honor Router WS831
● ASUS RT-AC68U wireless router
● Cisco CVR100W wireless router
Finding firmware
● Get firmware from official site
● Capture download links from App or Web control portal
Repacking firmware
$ mkimage -l xxxxxxxxxx                # print the 64-byte U-Boot (uImage) header in front of the filesystem
Image Name:   xxxxxxxxxxxxxx
Created:      Mon Aug 31 03:43:45 2015
Image Type:   ARM Linux Filesystem Image (uncompressed)
Data Size:    8023212 Bytes = 7835.17 kB = 7.65 MB
Load Address: 00000000
Entry Point:  00000000
$ dd if=xxxxxxxxxx of=image bs=1 skip=64 count=8023212   # skip the 64-byte header; count is the Data Size above
8023212+0 records in
8023212+0 records out
8023212 bytes (8.0 MB) copied, 727.991 s, 11.0 kB/s       # bs=1 is slow; `tail -c +65 xxxxxxxxxx | head -c 8023212 > image` does the same in seconds
$ file image
image: Linux jffs2 filesystem data little endian
$ mkfs.jffs2 --little-endian -n -d <rootfs_dir> -o <new_image>   # rebuild the (modified) tree as JFFS2: -n = no cleanmarkers, -d = source dir, -o = output image
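The carve-and-repack step above, written out as an added example that is not part of the original slides: a parser for the 64-byte U-Boot legacy uImage header that `mkimage -l` prints. It checks the magic and both CRCs (so a corrupted download or a mis-carved image is rejected rather than silently unpacked), carves the payload using the header's own size field instead of a hand-copied `count=`, and wraps a rebuilt filesystem image back into a uImage with correct CRCs, which is the job `mkimage` does after `mkfs.jffs2` so the bootloader accepts the new image. The sample payload, the image name and the function names are constructed for the demo; the field layout and enum values come from U-Boot's include/image.h.

```python
"""Parse, verify, carve and rebuild U-Boot legacy uImage wrappers (added example)."""
import struct
import zlib

IH_MAGIC = 0x27051956      # legacy uImage magic
IH_HEADER_LEN = 64
# Big-endian layout: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
IH_HEADER_FMT = ">IIIIIIIBBBB32s"

IH_TYPE = {1: "Standalone Program", 2: "Kernel Image", 3: "RAMDisk Image",
           4: "Multi-File Image", 5: "Firmware Image", 6: "Script file",
           7: "Filesystem Image", 8: "Flat Device Tree"}
IH_ARCH = {2: "ARM", 3: "Intel x86", 5: "MIPS", 6: "MIPS64", 7: "PowerPC", 22: "AArch64"}
IH_OS = {5: "Linux"}
IH_COMP = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}


def parse_uimage(blob, verify=True):
    """Return the header fields as a dict; raise ValueError on bad magic,
    truncation, or (when verify is set) a header/data CRC mismatch."""
    if len(blob) < IH_HEADER_LEN:
        raise ValueError("blob shorter than the 64-byte uImage header")
    (magic, hcrc, ih_time, size, load, ep, dcrc,
     os_, arch, ih_type, comp, name) = struct.unpack(IH_HEADER_FMT, blob[:IH_HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x (expected 0x%08x)" % (magic, IH_MAGIC))
    if len(blob) < IH_HEADER_LEN + size:
        raise ValueError("image truncated: header claims %d payload bytes, have %d"
                         % (size, len(blob) - IH_HEADER_LEN))
    if verify:
        # hcrc is computed over the header with the hcrc field itself zeroed
        zeroed = blob[:4] + b"\0\0\0\0" + blob[8:IH_HEADER_LEN]
        if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
            raise ValueError("header CRC mismatch")
        if zlib.crc32(blob[IH_HEADER_LEN:IH_HEADER_LEN + size]) & 0xFFFFFFFF != dcrc:
            raise ValueError("data CRC mismatch")
    return {
        "magic": magic, "hcrc": hcrc, "time": ih_time, "size": size,
        "load": load, "ep": ep, "dcrc": dcrc,
        "os": os_, "arch": arch, "type": ih_type, "comp": comp,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "type_name": IH_TYPE.get(ih_type, "unknown(%d)" % ih_type),
        "arch_name": IH_ARCH.get(arch, "unknown(%d)" % arch),
        "os_name": IH_OS.get(os_, "unknown(%d)" % os_),
        "comp_name": IH_COMP.get(comp, "unknown(%d)" % comp),
        "payload_offset": IH_HEADER_LEN,
    }


def carve_payload(blob):
    """Equivalent of `dd skip=64 count=<Data Size>`, with the size read from the header."""
    hdr = parse_uimage(blob)
    return blob[hdr["payload_offset"]:hdr["payload_offset"] + hdr["size"]]


def build_uimage(payload, name, ih_os=5, arch=2, ih_type=7, comp=0, load=0, ep=0, timestamp=0):
    """Wrap a payload (e.g. a fresh mkfs.jffs2 output) in a uImage header with
    correct data and header CRCs, as `mkimage -A arm -O linux -T filesystem` does."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    name_b = name.encode("ascii")[:31].ljust(32, b"\0")
    hdr = struct.pack(IH_HEADER_FMT, IH_MAGIC, 0, timestamp, len(payload),
                      load, ep, dcrc, ih_os, arch, ih_type, comp, name_b)
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF          # computed with hcrc field = 0
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def describe(hdr):
    """Render the parsed header in the style of `mkimage -l`."""
    return "\n".join([
        "Image Name:   %s" % hdr["name"],
        "Image Type:   %s %s %s (%s)" % (hdr["arch_name"], hdr["os_name"],
                                          hdr["type_name"], hdr["comp_name"]),
        "Data Size:    %d Bytes" % hdr["size"],
        "Load Address: %08x" % hdr["load"],
        "Entry Point:  %08x" % hdr["ep"],
    ])


# Constructed sample: a tiny payload beginning with the JFFS2 little-endian
# magic bytes (0x1985), standing in for the real 8 MB filesystem image.
SAMPLE_PAYLOAD = b"\x85\x19\x02\xe0" + bytes(range(60))
SAMPLE_IMAGE = build_uimage(SAMPLE_PAYLOAD, "demo-rootfs")

if __name__ == "__main__":
    info = parse_uimage(SAMPLE_IMAGE)
    print(describe(info))
    print("payload matches:", carve_payload(SAMPLE_IMAGE) == SAMPLE_PAYLOAD)
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[IH_HEADER_LEN + 5] ^= 0xFF           # flip one payload byte
    try:
        parse_uimage(bytes(damaged))
    except ValueError as e:
        print("rejected:", e)                    # data CRC catches the corruption
```

Running the script prints the `mkimage -l` style summary for the constructed image and then shows the corrupted copy being rejected. On a real dump, pass `verify=False` only when you deliberately want to inspect an image whose CRCs are already known to be wrong (for example, one you patched by hand and have not re-wrapped yet).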
Get a root shell over a serial connection
Finding serial port