
Now we have our next speaker, and they're talking to us about junk hacking to scale up. Okay.

Alright, so thanks for coming to attend my talk. So yeah, the title of my talk is Junk Hacking to Scale Up: Learning Through Reversing Embedded Devices, in which I plan to share my personal journey in hacking a particular consumer product and trying some useful tools and techniques which might be helpful for your own projects. The overarching goal of this presentation is to provide a sense... can you guys hear me right? Okay. The overarching goal of this presentation is to provide the sense that opening up and trying to understand how things work on the inside is a good way to approach learning.

So, a bit about myself. I'm a security consultant at MWR, where I spend most of my time testing web and mobile applications. I actually started here in Cape Town at UCT, where I did a degree in electrical and computer engineering, and as many of you know, universities typically approach learning by starting from first principles and working your way up until you can build something. So this is actually the first time where I start from a finished product, working my way backwards and trying to understand how things work.

So yeah, before I actually get into what I looked into, I'll just talk about my inspiration. There's this YouTube channel run by a user named LiveOverflow; he puts out short hacking tutorials about cryptography, reverse engineering, things like that. At the beginning of the year he released a two-part series where he reversed this particular device, which is called a personal cloud device by Ionic; basically it's a Wi-Fi-enabled file share, so you can connect to it and get files out of it. The point of it is that he found multiple vulnerabilities in it which allowed him to get a shell on this device. It looked interesting and fun, and I wanted one of my own, so I had a look on Takealot to see if there's anything that matches this description, and I came across something called a cloud storage and media streamer.

So how this thing works is you've got an SD card, you put media files on it such as MP3s and MP4s, you plug it in, you turn it on, and then from a tablet or cell phone you can just install the app, connect to this device and access the content. So I was like, okay, that's a reasonable thing to want to have; can I hack it?

So yeah, many of you who are on the offensive side of security probably know there's this obsession with getting unauthorized code execution or a shell on a device, and the quickest way of getting that is finding the low-hanging fruit. To find the low-hanging fruit you need to find out what is actually running on this device, and one way of doing this is asking it what services are running. How this is practically done is you nmap the device. So yeah, this was the list that came up. If your strategy at this point was to poke at the first service, nope, and then work your way down, you were in luck, because the first thing that was there was telnet, and it had guessable credentials of admin/admin. So within 10 minutes of buying the device and opening it I had a root shell on the device. Yeah. I hadn't learned anything at this point, so I said okay, I'm going to ignore this and move on.

So I thought to myself, I'm quite familiar with mobile applications, so let me start with what I know best. The reason why I like studying mobile applications is because mobile applications provide a detailed description of how to use a specific API; in this case the application is a client for the device's API, so it exposes what functions can be called, what arguments these functions need and what data types the arguments are. The reason why you can do this is because Android applications are easily decompiled, especially if they're written in Java, so there are various Java decompilers out there such as JD, jadx, CFR and Fernflower. This is how this actually looks.

So yeah, I open up this application in a decompiler, which I think was jadx, and basically you can get back the functions that are being called, you understand the data types of the arguments, the names of the variables, things like that. So it looks pretty much how I imagine the source code would look. After reading the source code for a while I came across something that looked like this: they were creating an HTTP request where they were constructing a GET parameter; they had a GET parameter cmd that had values like rm, mkdir and mv. So I did a search in the source code for that specific string and it came up in multiple places. Seeing this I'm like, okay, can I change that? Because rm, mkdir and mv are all Linux commands, so maybe let me change that to my own command and see if I can get command injection. So I captured one request, which had GET parameters something like that: in the cmd GET parameter you've got the value mkdir, and then the name is the folder that is created. So I changed the command to try to ping myself; that failed. So I'm like, okay, maybe they're doing something right with this. So I moved on and I tried to append my command to the end of the folder name; that also failed. Then I realized that you need to play around with quotation marks, so I added two double quotes and I got a ping back. I think the best way to show this is with the demo. Okay.
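As an added example, not something from the talk or from the device's firmware: the pattern behind the quoting trick just described, in C. A server-side handler builds a shell command from the cmd parameter and a folder name wrapped in double quotes; a plain appended command stays inside the quotes and does nothing, while a name that closes the quotes, inserts its own command and re-opens them slips through. The command builder, the allowlist check and the payload are constructed for illustration; the device's actual handler is not shown in the talk and nothing here is executed.

```c
/* Added example (not from the talk or the device's firmware): how a
 * quoted-argument command string is built and why a name containing a
 * double quote breaks out of it. The mkdir command, the allowlist and the
 * payload are constructed for illustration; nothing is executed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the folder name is dropped into a shell command
 * wrapped in double quotes, which is what system()/popen() would receive.
 * Returns the length snprintf reports. */
int build_command_quoted(char *out, size_t outlen, const char *cmd, const char *name)
{
    return snprintf(out, outlen, "%s \"%s\"", cmd, name);
}

/* Hardened check: accept only names built from a short allowlist, so no
 * quote, semicolon, backtick, dollar sign or newline can reach a shell.
 * Returns true if the name is safe to pass on. */
bool name_is_safe(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._-";
    size_t n = strlen(name);
    if (n == 0 || n > 64)
        return false;
    return strspn(name, allowed) == n;   /* every byte is from the allowlist */
}

/* For the demo: does the built command contain a shell command separator
 * outside the intended argument? A quoted ';' is harmless; one that the
 * payload has pulled outside the quotes is not. */
bool command_has_injection(const char *command)
{
    bool in_quotes = false;
    for (const char *p = command; *p; p++) {
        if (*p == '"')
            in_quotes = !in_quotes;
        else if (*p == ';' && !in_quotes)
            return true;
    }
    return false;
}

/* Constructed payload: closes the quotes, runs ping, then re-opens them
 * so the shell still sees a well-formed (empty) final argument. */
static const char *payload = "evil\" ; ping -c 1 192.0.2.1 ; \"";
/* Constructed naive attempt: the ';' stays inside the quotes and does nothing. */
static const char *naive = "evil ; ping -c 1 192.0.2.1";
```

The hardened check rejects anything outside a short allowlist rather than trying to escape quotes; on a real device the right fix is also to drop system()/popen() and call mkdir(2), or exec the binary directly with the name as a single argv element, so no shell is involved at all.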
Can you guys see that? Okay.

So let me just show you the script that I created for this. Basically I've got the request that I captured, and what I'm doing is adding a new user, called backdoor, into the /etc/passwd file, and then afterwards connecting over telnet. It creates a new user on the device so that I can connect to the telnet service. It should work. Yeah, it's running. Okay, it created the new user; now I open a telnet connection to it and I can cat /etc/passwd. So using that command injection I created a user and connected with it, as you can see.

Okay, yeah. So everything runs as root on this device anyway. Okay, so I'm like, okay, I haven't learnt anything; I used the skills that I normally use in web application assessments. But I wanted to know if I could use the fact that I have physical access to this device to sort of get the applications off it, maybe dump the firmware. I had no experience with this, so I did a lot of research into what people do online, and actually found out this is a common problem that hardware hackers have. The security researcher Natalie Silvanovich, who works at Project Zero, hacked a Tamagotchi, which is a virtual pet. The later releases of this virtual pet had these figures, the thing on the right that you can attach to the top of it. What she found is that she could control where in memory code is being executed with this figure, and she wanted to dump the firmware. The other thing you could do with this figure is display images on the Tamagotchi, and these images are stored in memory. So she wrote shellcode and embedded it in an image, and then, using the fact that you could point to where in memory to execute code, she executed code from her image, which was the shellcode. What the shellcode did was dump the firmware out of one of the buttons: she used one of the input buttons as an output so that she could dump the firmware. But luckily for me it wasn't that complicated.

So yeah, for me to get started with this I needed to find out what is actually running on this device, so I opened it up. What I found: it had a Ralink RT5350 MIPS processor running at 360 MHz, it's got 32 MB of RAM, which is that long blue chip, and then on top of it there's 8 MB of flash. If you turn the device around you see there's an SD card reader, but then on the top is this UART pad. I came across a blog called devttys0, and he describes a way of how you can dump firmware by trying to find serial ports. What serial ports are normally used for is to spit out debug messages, or also to interact with the device while it's being developed. So what he says you should do is, for serial communications you normally have four pins: a VCC pin, ground, a TX pin and an RX pin. So he says, okay, if you find something that sort of matches this description you need to figure out which pins these are, so you can make educated guesses. In my case I could see there was a ground pin, and on the board there's a 3.3 V label, so I knew those were the ground and power pins. But then, yeah, the basic assumptions are that the VCC pin will always stay at a constant voltage of 3.3 volts when the thing's on, the ground pin will be at zero volts, the TX pin will fluctuate when data is being transmitted out of this thing, and the RX pin, which is for when you're sending data to this device, you pull the RX pin down... but that's unimportant right now. So I wanted to see if this was actually the case.

So I soldered breakaway pins onto those pads, and then I connected jumper cables which go through a USB-to-UART converter, which is that red thing there. Basically what that does is it takes the signal that comes out of this device and converts it to a format that my laptop can understand. Part of this is also trying to determine what the baud rate is; basically the baud rate is how many bits per second this device spits out. The way to find this is actually within the processor's datasheet, or just taking an educated guess, because there are common baud rates that you can use. So yeah, then let me demonstrate how this actually looks. Alright.

Alright, so the same guy that runs the blog devttys0 created a tool called baudrate.py, which basically tries different baud rates to see if any data coming out of this device can be understood. Firstly, if you've got the wrong baud rate you'll get nonsensical data coming out, but once you get to the right baud rate you'll get ASCII text. Okay, so it's showing the baud rate right here, 115200. So when I start it up it doesn't understand what it's spitting out, so if I change the baud rate to that... nothing, nothing, nothing. Okay, I'm getting full stops... ah, right, I'm getting printable ASCII characters. So at this point I can only get data coming out of this device; I can't actually interact with it, so I need a serial terminal to connect to this thing. So I'm going to stop this. Okay, so I'm now connected to it; those are debug messages coming out, but also now I can interact with this. So I'm just going to wait for some of the debug messages to stop until I can maybe interact with it. Yeah, so it's going to print some of these device debug messages in between, but yeah, I got a shell again.

But now I wanted the firmware of this device. There is a character device in the /dev folder called mtdblock which maps onto the flash memory, so if you cat one of these files out to, for instance, the SD card, you can get a dump of the flash. Okay. So with that shell I wanted to dump the firmware, but I didn't really know what was involved, what makes up a firmware image. So I did a bit of research online and found out that a firmware image can basically be broken up into three parts. Firstly, the bootloader, which, when you turn on the system, is the first program that runs; it initializes the hardware and then
loads up the kernel. Welcome back, yeah. So once the kernel has started, the kernel does what it does; in this case it's Linux, and then it moves on to load the root filesystem. So yeah, that command there is what I used to dump the flash image, and then you can use tools like binwalk to analyze this firmware image to see what the sections of the firmware image are. You can see at hex address 175D0 there's the U-Boot, then at address 50000 there's a Linux kernel image, and then at 182EF3 there's a root filesystem image in the squashfs file format. So it matched up with the expectation of what I read online; I was happy about that. So from the dump I extracted the file system and then got the applications off it. Once I got the applications off it, I found one of these applications called minidlna on it. Right, what this application does... should I plug it in and out again? Okay. So yeah, the minidlna application is used to serve files to client applications on the network, so this is your app that is installed on your mobile phone or your tablet. Right, so why is this an interesting target application?
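An added example, not part of the talk: a minimal binwalk-style scan in C over a constructed flash dump. It looks for two signatures binwalk reports on images like this one: the 64-byte U-Boot legacy image header that wraps a kernel (magic bytes 27 05 19 56) and the squashfs superblock magic ("hsqs" in little-endian images, "sqsh" in big-endian ones). The sample image and the offsets 0x1000 and 0x8000 are constructed here and have nothing to do with the speaker's device; the bootloader itself has no fixed magic and is not detected.

```c
/* Added example, not from the talk: a binwalk-style signature scan of a
 * flash dump. Only two signatures are known here, the U-Boot legacy image
 * header magic (0x27051956, stored big-endian) and the squashfs superblock
 * magic ("hsqs" little-endian, "sqsh" big-endian). The sample image is
 * constructed in make_sample_image(); its offsets are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum sig_kind { SIG_UIMAGE = 1, SIG_SQUASHFS = 2 };

struct hit {
    size_t offset;   /* byte offset of the magic in the image */
    int kind;        /* one of enum sig_kind */
};

static const uint8_t UIMAGE_MAGIC[4] = { 0x27, 0x05, 0x19, 0x56 };
#define UIMAGE_HEADER_LEN 64   /* the kernel payload starts this far past the magic */

/* Walk the image one byte at a time and record every signature match.
 * Returns the number of hits written to hits[] (at most max). */
size_t scan_firmware(const uint8_t *img, size_t len, struct hit *hits, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len && n < max; off++) {
        const uint8_t *p = img + off;
        if (memcmp(p, UIMAGE_MAGIC, 4) == 0)
            hits[n++] = (struct hit){ off, SIG_UIMAGE };
        else if (memcmp(p, "hsqs", 4) == 0 || memcmp(p, "sqsh", 4) == 0)
            hits[n++] = (struct hit){ off, SIG_SQUASHFS };
    }
    return n;
}

/* Where the kernel image itself begins for a uImage hit: right after the
 * fixed-size legacy header. */
size_t uimage_payload_offset(const struct hit *h)
{
    return h->offset + UIMAGE_HEADER_LEN;
}

/* Constructed 64 KiB "flash dump": a uImage header magic at 0x1000 and a
 * little-endian squashfs magic at 0x8000, everything else deterministic
 * filler (consecutive bytes differ by 7, so the filler cannot form either
 * magic by accident). Returns the image length. */
#define IMG_SIZE 0x10000
size_t make_sample_image(uint8_t *img)
{
    for (size_t i = 0; i < IMG_SIZE; i++)
        img[i] = (uint8_t)(i * 7 + 3);
    memcpy(img + 0x1000, UIMAGE_MAGIC, 4);
    memcpy(img + 0x8000, "hsqs", 4);
    return IMG_SIZE;
}
```

On a real dump the kernel hit is where you would point an extractor (dd with the reported offset, or binwalk -e), and the squashfs hit is what unsquashfs takes; the part between the start of flash and the kernel header is where the bootloader lives.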
It is because this application parses media files, and parsing media files is quite a difficult thing to do; this is what you hear from security researchers online. So it's a good candidate for trying to find memory corruption bugs. There are two ways you can go about finding the bugs. You can do it dynamically, where you take an MP3 file or MP4 file and change random parts of it, literally flipping random bits and bytes, open it up with the application and see if the application crashes; ideally you want to do this thousands of times, but there's a bit of a high setup cost to this, because you need to be able to restart the application if it crashes, collect crash dumps and also log the input, so there is a lot involved with it. The second approach is statically, where you can just read the source code. This application is an open source application, so since I had access to the binary of it, I ran strings on it, I mean grepped it, for the version and got the version of it. Then I downloaded the source code of that version and also got the latest source code and compared these two source code bases to see if there were any security bug fixes. So yeah, I'm using a tool called Meld which opens up the two source code bases and shows you the differences. In the second line you can see they fixed a strcpy to a strncpy, and strcpys are normally a sign that there's a potential buffer overflow in this application. So if I remove unimportant details, what this code basically does is it forms a SQL query (there's a database on this device), it runs the query and then gets the album, which is the album name, from this result, and then creates an object which is of the type struct virtual_item. Following this, it checks if album, if it returned a value for the album, and if it did it just copies it into this last_album.name buffer. The problem is it doesn't check that the last_album.name buffer is able to fit the data that's come from album.

So just a quick primer on buffer overflows, why this is a problem. In C and C++, if you try to put more data than a buffer can handle, C will allow you to do that and it'll overwrite adjacent memory, and the result of this is that you can overwrite important addresses in memory such as function pointers and return addresses, and since you can overwrite these addresses you can redirect your code to another location and in the worst case cause arbitrary
code execution. But there are two conditions to be able to exploit a buffer overflow. Firstly, you need to be able to pass user-controllable data to the application. In my case the string that was vulnerable, or the part of the MP3 file that was vulnerable, was the album name, so I could just change the name to whatever I wanted and then open it up in the application. Okay, so yeah. The second one was that I need to be able to trigger the code that has the strcpy in it. This application used the inotify subsystem, which basically monitors for read and write events in a specific directory, and once a read or write event occurs it calls a function which resulted in this specific function being called, so I could trigger this code quite reliably. To test that theory I just changed the album name of an MP3 file and then uploaded it. Tried 100, no crash; tried a thousand, no crash; tried 10,000, I got a crash. But I didn't know why it crashed, so I needed to debug that.

There were two approaches I could have taken for debugging. Local debugging, where I use something like QEMU to emulate a MIPS processor, and then on this emulated MIPS processor install Linux and then install gdb, start this application and attach to it so that I can actually debug it. But the support for this, it seemed like it was going to take a bit of time and I wasn't familiar with a lot of the tools, so I skipped to the next approach, which is remote debugging. What you do in this case is you upload a gdbserver onto the embedded device, you start the gdbserver and it'll attach to the minidlna process, and then from your local machine using gdb you can debug this device. So yeah, that's what I did. After debugging it for a while I realized that, from reading online how to exploit buffer overflows, normally this will happen on the stack, but in my case it was a little bit different.

So when an operating system starts an application, it allocates certain parts of memory for this application. The ones that developers and other people are mostly familiar with are the stack and the heap. The stack is where it stores local variables, so when you're calling a function all those variables within the function are normally stored on the stack, and the heap is the area where dynamic memory is allocated, so when you call malloc and things like that. The BSS section is where static uninitialized variables are stored, and in my case that's where the static last_album object was stored. So when I was overflowing the name buffer I overwrote a function pointer. The thing that I needed to consider is that if I added too much data to the last_album.name buffer I overwrote a mutex lock and the application would crash in a way that's not exploitable, so I needed to play within the bit of room I had there. But the point is now I could overwrite a function pointer, and I realized I could control where the code is going to execute next. So normally what would happen at this point is you would generate shellcode with a tool like msfvenom, create your exploit, exploit the device and get a shell. But in my case things were different, so the album name is stored as a UTF-8 string.
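An added example (not minidlna's code) of the layout just described, in C: a struct with a fixed-size name buffer followed directly by a function pointer, an unbounded strcpy-equivalent that spills the album name onto the pointer, and the strncpy-based copy with forced termination that the upstream strcpy-to-strncpy fix corresponds to. The struct, its field sizes, the handler name and the 19-byte album name are assumptions for illustration; the mutex that sits beyond the pointer on the real device is not modelled.

```c
/* Added example (not minidlna's code): a struct laid out the way the talk
 * describes, a fixed-size name buffer with a function pointer right after
 * it, to show how an unbounded strcpy-style copy of an album name lands on
 * the pointer, and the bounded copy that prevents it. Field sizes and the
 * handler are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct virtual_item {
    char name[16];           /* fixed-size buffer for the album name */
    void (*on_update)(void); /* adjacent function pointer, like the one overwritten */
};

static void real_handler(void) {}

/* Equivalent of strcpy(item->name, src): copies until the NUL with no bound.
 * Written as a byte loop over the struct so the overflow stays inside the
 * struct object and its effect on the neighbour is deterministic. */
void copy_name_unbounded(struct virtual_item *item, const char *src)
{
    unsigned char *base = (unsigned char *)item;
    size_t off = offsetof(struct virtual_item, name);
    size_t i = 0;
    do {
        base[off + i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Hardened version: strncpy bounded by the destination size, a forced NUL
 * terminator (strncpy does not add one when the source is too long), and a
 * return value so the caller can tell the name was truncated. */
bool copy_name_bounded(struct virtual_item *item, const char *src)
{
    size_t n = sizeof item->name;
    strncpy(item->name, src, n - 1);
    item->name[n - 1] = '\0';
    return strlen(src) < n;     /* false: the name did not fit and was cut */
}

/* Run one of the two copies on a fresh struct and report whether the
 * function pointer still points at real_handler afterwards. */
bool handler_survives(bool use_bounded, const char *src)
{
    struct virtual_item item;
    memset(&item, 0, sizeof item);
    item.on_update = real_handler;
    if (use_bounded)
        copy_name_bounded(&item, src);
    else
        copy_name_unbounded(&item, src);
    return item.on_update == real_handler;
}

/* Constructed album name: 16 bytes fill the buffer, the next 3 plus the
 * terminating NUL spill onto the low bytes of the function pointer. */
static const char *long_album = "AAAAAAAAAAAAAAAABBB";
```

With the unbounded copy the 19-byte name plus its terminator rewrites the first four bytes of on_update, which is exactly the controllable redirect the talk goes on to use; the bounded copy keeps the pointer intact at the cost of a truncated (but still terminated) name.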
What this practically means for me is this table here: it's basically showing, for each byte, that it can be represented by two hexadecimal digits ranging from 0 to F, so you've got 00 at the top and it ends at FF. Those are all the values you can have for a byte represented in hexadecimal. I could only use the bytes in the green range, from 0x00 to 0x7F; anything in the yellow range had to follow specific rules, which meant that the shellcode generated with msfvenom or other exploit development tools didn't have encoders to make it UTF-8 compatible. So this was quite a problem.

So I thought, okay, if there aren't UTF-8 encoders for this, I need to try to find another buffer overflow so that I can get a shell on this device. I found other places where there was a buffer overflow: the artist name, the album name, the genre name, the date taken, each of them causes a buffer overflow, but they all had the same UTF-8 restriction. So yeah, it seemed like I would have to try to write UTF-8 compatible shellcode. I generated, using msfvenom, MIPS reverse shell shellcode, which basically, when this thing runs on the device, gives me a connection back so that I can do more to control this device. Then I took each instruction of the shellcode and tried to... let me go through this example. On the left-hand side you've got an assembly instruction, which is basically a move: add the value 0 to the sp register and store it in the a0 register. The machine code representation is 20 20 80 03. The problem now is that the 80 is in the range that I don't want, so I had to change the instruction to something that does the equivalent thing but doesn't have this 80 in it. Basically once I swapped zero and sp in the instruction it was in a format that didn't have that restriction. So I'm like, okay, I could do this for each instruction in the shellcode. I moved on to another instruction, such as adding zero to 160 and storing it in the a1 register; the equivalent instruction was adding 10 to the a1 register and then shifting it left by four, which is basically multiplying by 16, for those familiar with binary. So it got complicated really quickly when stuff like this happened, so I'm like, okay, I can't do this, so I'm going to need to try to find another place in memory to put my shellcode.
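An added example, not the speaker's tooling, that puts the two substitutions above into code in C: a MIPS32 instruction encoder, a UTF-8 validator standing in for whatever the application's decoder accepts, and a check that a four-byte instruction survives it. The original move is encoded here as add $a0, $sp, $zero (the bytes in the talk are not reproduced exactly; this is a constructed equivalent) and the 160 is loaded as addiu $a1, $zero, 160. Little-endian byte order and the register and opcode names are assumptions. The validator also accepts bytes from the yellow range when they form a correct multi-byte sequence, which is the rule the table refers to, so it shows both why a stray 0x80 or 0xA0 is fatal and why the restriction is not simply "no high bytes".

```c
/* Added example (not the speaker's tooling): encode the MIPS instructions
 * discussed in the talk, run each one through a UTF-8 validator, and show
 * the rewrites that keep every byte below 0x80. Encodings follow MIPS32;
 * little-endian byte order is assumed for the device. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* R-type (SPECIAL opcode 0): rs | rt | rd | shamt | funct */
uint32_t mips_r(unsigned rs, unsigned rt, unsigned rd, unsigned sa, unsigned funct)
{
    return ((rs & 31) << 21) | ((rt & 31) << 16) | ((rd & 31) << 11) | ((sa & 31) << 6) | (funct & 63);
}
/* I-type: op | rs | rt | imm16 */
uint32_t mips_i(unsigned op, unsigned rs, unsigned rt, unsigned imm)
{
    return ((op & 63) << 26) | ((rs & 31) << 21) | ((rt & 31) << 16) | (imm & 0xffff);
}

enum { ZERO = 0, A0 = 4, A1 = 5, SP = 29 };          /* register numbers */
enum { OP_ADDIU = 9, FN_SLL = 0x00, FN_ADD = 0x20 }; /* opcode / funct values */

void word_to_le(uint32_t w, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(w >> (8 * i));
}

/* Strict UTF-8 check (RFC 3629): ASCII always passes; 0x80..0xFF only as a
 * correctly formed lead byte followed by its continuation bytes, with no
 * overlongs, surrogates or code points above U+10FFFF. Returns true if the
 * buffer would survive a UTF-8 decode unchanged. */
bool utf8_valid(const uint8_t *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t b = s[i];
        size_t need = 0;   /* continuation bytes expected */
        uint32_t cp = 0;   /* decoded code point */
        if (b < 0x80) { i++; continue; }
        if ((b & 0xE0) == 0xC0) { if (b < 0xC2) return false; need = 1; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0) { if (b > 0xF4) return false; need = 3; cp = b & 0x07; }
        else return false;                 /* stray continuation byte, e.g. 0x80 or 0xA0 */
        if (i + need >= len) return false; /* sequence runs past the end */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (need == 2 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return false;
        if (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return false;
        i += need + 1;
    }
    return true;
}

/* Would this instruction survive being stored as a UTF-8 string? */
bool instr_utf8_safe(uint32_t w)
{
    uint8_t b[4];
    word_to_le(w, b);
    return utf8_valid(b, 4);
}

/* How many instructions of a shellcode buffer still need rewriting. */
size_t count_unsafe(const uint32_t *code, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += !instr_utf8_safe(code[i]);
    return bad;
}
```

The two rewrites from the talk, with this encoder: add $a0, $sp, $zero puts 29 in the rs field and produces the byte 0xA0, while add $a0, $zero, $sp puts 29 in rt and every byte stays ASCII; addiu $a1, $zero, 160 carries 0xA0 as its immediate, while addiu $a1, $zero, 10 followed by sll $a1, $a1, 4 leaves the same 160 in a1 with all bytes below 0x80. The restriction being UTF-8 rather than plain ASCII is what makes a generic encoder hard: the high bytes are usable only in the exact lead/continuation shapes the validator enforces.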
So I read the source code, gave up, read the source code, gave up, over and over again. But then that earlier example I showed you with the Tamagotchi, where Natalie put her shellcode in an image, seemed relevant. The minidlna application processes the album art out of an MP3 file, and the album art image is a JPEG image, and JPEG images don't have this UTF-8 restriction, and what I found is that when the application parses this JPEG image it's in memory. So I could use the JPEG image to put my shellcode in. To test this I embedded a unique string into an image, then added that image as the cover art of an MP3 file and ran the application until it crashed, once I'd uploaded the MP3. There's a useful gdb plugin called pwndbg which has a command called vmmap which will give you all the areas like the heap and the stack, and I knew that the image was going to be in the heap, so yeah, I found the address range of the heap, where the image is cached while the application parses it. So I tried to search memory for my string, but gdb kept failing, so as a workaround I just dumped the heap into a file and then manually searched the file for my string. What I found is that the string is always in a different location every single time I run this, so it's not in a fixed location in memory. So I needed to build shellcode that is reliable, so that it's always in the location I want it to be in memory. What I did is I took NOP instructions, which is an instruction that does nothing, and appended them to my shellcode to make my shellcode really big so that it's in a certain place in memory, and then I sort of stitched many of these payloads together just to make it more reliable. So a summary of what I need to do to exploit this thing: I need to generate MIPS shellcode with something like msfvenom, add my NOP sled, chain it together, add that to a JPEG image, so a reasonably big image, add the JPEG image to the MP3 file, start a listener on my machine, upload this MP3 and then wait.
Okay, so, on my other side: this device had an SMB share so I could connect to it, so this directory here is connected to the SMB share on the device, so I could put files in a specific directory, but I'm restricted to just this directory on my machine. Yeah, I've created this malicious MP3 file which has got my shellcode embedded into it, so let me start the listener now. Okay, and then... okay, okay, so the listener's started; copy it onto the device, now wait, then... [Laughter]

So there's now a connection back on the listener.

[Applause]

Okay, yeah. After this I was just flat out. So the conclusion is that buying a device is a great way to learn about these aspects of security, whether it's things like network services, the mobile apps it sometimes comes with, the actual hardware; and then there was a web application on this device that I didn't actually look at. I'm trying to find a way to write UTF-8 compatible shellcode; I've got an idea of how you could do this generically, but that may be a future project. And Natalie in her talk made a good point about reverse engineering; she said, I just wanted to have fun, you know, all those cool kids who go out, go to clubs, they just haven't discovered reverse engineering yet. Okay. Questions? Yes. Uh-huh. Next question. Did I report this to the original manufacturer? I got no emails back from them. This product was rebranded by another company; I did send them an email and they said, oh, we'll give you a call back, and then they never got back. What can I say in terms of hours? I would say maybe about a hundred or so, but yeah, it was like two weeks of research almost every day and then a few hours after hours.

[Applause]