Bowcaster Feature: multipart/form-data

Need to reverse engineer or exploit a file upload vulnerability in an embedded web server? I added a multipart/form-data class to Bowcaster to help with that. You can have a look here: https://github.com/zcutlip/bowcaster/blob/master/src/bowcaster/clients/http.py Here’s some background: I’ve been reverse engineering how the Netgear R6200 web server parses a new firmware image when you use the firmware update facility in the web interface. Manually browsing to the router’s web interface, then to the firmware update form, then browsing to a firmware file on disk, then clicking “upload” gets really tedious after a few times.
Read more

Patching, Emulating, and Debugging a Netgear Embedded Web Server

Previously I posted about running and remotely debugging a Netgear UPnP daemon using QEMU and IDA Pro. This time we’ll take on the challenge of running the built-in web server from the Netgear R6200 in emulation. The httpd daemon is responsible for so much more than the web interface. This daemon is responsible for a silly amount of system management, including configuring firewall rules, managing the samba and ftp file servers, managing attached USB storage, and many other things.
Read more

Remote Debugging with QEMU and IDA Pro

It’s often the case, when analyzing an embedded device’s firmware, that static analysis isn’t enough. You need to actually execute a binary you’re analyzing in order to see how it behaves. In the world of embedded Linux devices, it’s often fairly easy to put a debugger on the target hardware for debugging. However it’s a lot more convenient if you can run the binary right on your own system and not have to drag hardware around to do your analysis.
Read more

Exploit Tunneling and Callback

A few years ago, when I worked for my previous employer, I put together a proof-of-concept that was to be part of a client demo. I thought it was kind of cool, so I recorded a screencast of it in action. I’ve had the video sitting on my laptop ever since, not really sure what to do with it. I finally decided to post it. In the video, what you see is a custom exploit script that exploits a buffer overflow in the web interfaces of several D-Link webcams.
Read more

Infiltrate 2014

Here are some additional resources I may have mentioned in my Infiltrate 2014 presentation. White Paper: SQL Injection to MIPS Overflows - Part Deux Slides: SQL Injection to MIPS Overflows - Part Deux Original white paper from Black Hat USA 2012: SQL Injections to MIPS Overflows: Rooting SOHO Routers Proof of Concept Exploit code: Here’s my Github repository for proof-of-concept exploit code. In it, you’ll find the exploit code for the Netgear WNDR 3700v3 that I demoed at Infiltrate, among a few others.
Read more

Emulating and Debugging Workspace

A grad student emailed me in response to my Netgear auth bypass post. He’s working on a research project and wanted to know if I knew of any resources or techniques to use emulation for executing and debugging the net-cgi binary in the Netgear firmware. It turns out I’ve got all the resources to do just that. I replied with a description of my workspace and some links to resources I use, and, in many cases, have developed.
Read more

BayThreat 2013 Presentation - Additional Resources

For my presentation at BayThreat, entitled “BT Wireless Routers: Adventures in Reversing and Exploiting”, rather than have one or two or three slides packed with hard to read URLs, I included a single slide with a link to this post. Here you’ll find links to additional resources that I may have referenced in my talk. White paper: Reverse Engineering and Exploiting the BT HomeHub 3.0b (pdf) Slides: BT Wireless Routers: Adventures in Reversing and Exploiting
Read more

Netgear Root Compromise via Command Injection

At the end of my post on the Netgear wndr3700v4’s authentication bugs, I said to expect followup posts. Once the web interface is unlocked, any further bugs that normally require authentication become fair game. Well good news, everyone!! Previously, I talked about the net-cgi executable in the wndr3700’s firmware. ;net-cgi is a multi-call binary, a little like busybox. As such it has a lot of functionality baked in. One of its more interesting functions is called cmd_ping6().
Read more

Complete, Persistent Compromise of Netgear Wireless Routers

UPDATE: Turns out, Jacob Holocomb (@rootHak42 on Twitter) of Independent Security Evaluators found this bug back in April on a different device, the WNDR4700. Thanks for letting me know, Jacob. Nice find. Here’s a link to that report. UPDATE 2: Because there are almost certainly fools who would go hack somebody’s router and say I told them to do it, I added a warning to not do this. DON’T DO IT.
Read more

A Connect-back HTTP Exploit Server for Bowcaster

I’ve just added a module to Bowcaster that I think is cool. Actually, I just got around to finishing a module that was there all along. It’s a basic HTTP server module, but it has some unique features that make it suitable for serving payloads to remotely exploited targets. The connect-back server modules in Bowcaster are designed to run asynchronously so that they can be used right in line with your exploit code.
Read more