Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

No Hardware, No Problem: Emulation and Exploitation - 834

Grimm, posted 3 years ago
  • This post is about emulating the Netgear R7000 UPnP daemon in QEMU. This is beneficial because it allows for easier testing and dynamic reverse engineering.
  • First, they download the firmware and unpack it with binwalk. They extract the root file system, locate the UPnP daemon inside it, and mount the file system inside a pre-built ARM Debian OS running under QEMU. They note that it is much easier to emulate an individual process than the whole OS (no need for the vendor kernel, drivers or boot sequence), and that ARM tends to be easier to emulate than MIPS because of architecture changes between MIPS generations.
  • The author then creates the device nodes the daemon needs inside the extracted file system so that everything works as normal: /dev/urandom, /dev/null and /proc (the latter mounted to the regular /proc of the Debian OS). Netgear devices read their settings, such as the device type and the IP address to use, from NVRAM, so a custom version of the NVRAM library had to be used that returns the expected values for the daemon to run at all.
  • The author then chroots into the file system to run the binary. However, it does not work as expected: attaching GDB to the process shows it failing a check on the network settings. This can be fixed either with a small GDB script that hops over the check or by patching the binary itself.
  • From previous research, they knew that the firmware update routine had a buffer overflow in it. Using this overflow (which required authentication), it is trivial to create a return-to-libc attack to pop a shell.
  • The updates for the Circle firmware, platform and loader are all encrypted. A good use of emulation here is to let the program perform the decryption for us and then extract the result. To do this, they tell GDB to jump to the code that decrypts the firmware and pass it a file to decrypt. Of course, this required a fair amount of reverse engineering to get working.
  • The binary has anti-debugging features. At the beginning of the program, if it detects that it is being debugged, it refuses to decrypt the firmware. The detection methods are as follows:
    • The parent process (found by PID) is ltrace, strace or GDB.
    • Environment variables set by GDB, such as COLUMNS and LINES, are present.
    • Paths in the environment variables are checked.
    • LD_PRELOAD must not be defined.
  • By starting the process and then immediately jumping to the firmware decryption routine, all of these checks are skipped. The lesson for anti-debugging is to spread the checks throughout the code rather than clustering them at start-up, so that a single jump cannot bypass them all and the attacker's life is made more annoying. Overall, a good article on what it takes to emulate router firmware.
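The start-up checks listed above, rebuilt in C as an added example (this is not the post's code nor the Netgear binary's logic, and the checks are deliberately collected in one function to make the bypass the post describes easy to see). The parent check reads /proc/<ppid>/comm; the environment check takes an explicit array so it can be tested with constructed input. Treating "the path of the ENV variables" as the `_` variable, whose value is the path of the program the shell launched, is an assumption on my part.

```c
/* antidebug_checks.c: start-up debugger checks, collected in one place for
 * clarity. Added example, not code from the Grimm post.
 *
 * Build & run:  gcc -std=c99 -o antidebug antidebug_checks.c && ./antidebug
 *               gdb -q ./antidebug -ex run        (reports a debugger)
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Check 1: is this process name one of the tracing tools? Accepts the raw
 * contents of /proc/<pid>/comm, which end in a newline. */
int is_debugger_name(const char *name)
{
    static const char *tools[] = { "gdb", "strace", "ltrace" };
    size_t n;
    if (!name) return 0;
    n = strcspn(name, "\n");
    for (size_t i = 0; i < sizeof tools / sizeof tools[0]; i++)
        if (strlen(tools[i]) == n && strncmp(name, tools[i], n) == 0) return 1;
    return 0;
}

/* Read /proc/<ppid>/comm into buf. Returns 0 on failure, e.g. no procfs in the
 * chroot, which is one reason the emulation setup has to mount /proc. */
int read_parent_comm(char *buf, size_t len)
{
    char path[64];
    FILE *f;
    snprintf(path, sizeof path, "/proc/%d/comm", (int)getppid());
    f = fopen(path, "r");
    if (!f) return 0;
    if (!fgets(buf, (int)len, f)) { fclose(f); return 0; }
    fclose(f);
    return 1;
}

/* Checks 2-4 over an explicit environment array (pass `environ` for the real one):
 *  - COLUMNS / LINES are exported to the debuggee by gdb's readline setup.
 *  - "_" holds the launched program's path; under gdb it ends in "/gdb" (assumption,
 *    see the lead-in).
 *  - LD_PRELOAD must not be defined at all. */
int env_looks_debugged(char *const *envp)
{
    for (; envp && *envp; envp++) {
        const char *e = *envp;
        if (strncmp(e, "COLUMNS=", 8) == 0 || strncmp(e, "LINES=", 6) == 0) return 1;
        if (strncmp(e, "LD_PRELOAD=", 11) == 0) return 1;
        if (strncmp(e, "_=", 2) == 0) {
            const char *slash = strrchr(e + 2, '/');
            const char *base = slash ? slash + 1 : e + 2;
            if (is_debugger_name(base)) return 1;
        }
    }
    return 0;
}

/* The single gate the post's bypass skips: jump past this call (or straight to
 * the decryption routine) and none of the checks ever run. */
int debugger_suspected(void)
{
    char comm[32];
    if (read_parent_comm(comm, sizeof comm) && is_debugger_name(comm)) return 1;
    return env_looks_debugged(environ);
}

int main(void)
{
    if (debugger_suspected()) {
        puts("debugger detected: refusing to decrypt");
        return 1;
    }
    puts("no debugger: would decrypt the firmware here");
    return 0;
}
```

Run it under `gdb -q ./antidebug -ex run` and it refuses; then `gdb -q ./antidebug -ex 'break main' -ex run -ex 'jump *(main+N)'` (with N past the `debugger_suspected` call, from `disassemble main`) reaches the decrypt path, which is the same move the post makes against the real binary. Every check here fails closed in the same way: one function, one call site, one jump.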