SlideShare ist ein Scribd-Unternehmen logo

ARM IoT Firmware Emulation Workshop

Saumil Shah
Saumil Shah

Saumil Shah gives a presentation on extracting firmware from IoT devices and emulating it using QEMU. He discusses obtaining firmware by downloading from the manufacturer's site, extracting over a UART serial connection, or directly from hardware. The case study looks at a DLink DIR-880L router. The extracted firmware is transferred to a QEMU ARM VM and chrooted to emulate the device and allow debugging and testing.

Geräte & Hardware
1 von 32
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 12 September 2018
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Objective • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Case Study DLINK DIR-880L
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You need SSH/SCP on your laptop.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Pentesting Embedded ARM ARM IoT Devices
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Take a look at an IoT device...
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible ...it is a special computer...
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Possible UART pins False Positive
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Second Possibility
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console - working
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Finished Serial Port Projects
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New Layout Legacy Layout
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Extract the rootfs
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 rsync rootfs to ARM QEMU
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 The virtual router "boots up"
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 SUCCESS!
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 THANK YOU! Saumil Shah @therealsaumil saumil@net-square.com LinkedIn: saumilshah Follow us on Twitter for: updates new classes on-site training announcements Blog: http://blog.exploitlab.net

Empfohlen

Firmadyne
FirmadyneFirmadyne
FirmadyneRedhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Monitoring IO performance with iostat and pt-diskstats
Monitoring IO performance with iostat and pt-diskstatsMonitoring IO performance with iostat and pt-diskstats
Monitoring IO performance with iostat and pt-diskstatsBen Mildren
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Uboot startup sequence
Uboot startup sequenceUboot startup sequence
Uboot startup sequenceHoucheng Lin
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 

Empfohlen

Firmadyne
FirmadyneFirmadyne
FirmadyneRedhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Monitoring IO performance with iostat and pt-diskstats
Monitoring IO performance with iostat and pt-diskstatsMonitoring IO performance with iostat and pt-diskstats
Monitoring IO performance with iostat and pt-diskstatsBen Mildren
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Uboot startup sequence
Uboot startup sequenceUboot startup sequence
Uboot startup sequenceHoucheng Lin
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
User and groups administrator
User and groups administratorUser and groups administrator
User and groups administratorAisha Talat
 
ansible why ?
ansible why ?ansible why ?
ansible why ?Yashar Esmaildokht
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI BGA Cyber Security
 
Metasploit El Kitabı
Metasploit El KitabıMetasploit El Kitabı
Metasploit El KitabıBGA Cyber Security
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisBuland Singh
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019Brendan Gregg
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)RuggedBoardGroup
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 

Weitere ähnliche Inhalte

Was ist angesagt?

Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
User and groups administrator
User and groups administratorUser and groups administrator
User and groups administratorAisha Talat
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI BGA Cyber Security
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisBuland Singh
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019Brendan Gregg
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)RuggedBoardGroup
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 

Was ist angesagt? (20)

Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
User and groups administrator
User and groups administratorUser and groups administrator
User and groups administrator
 
ansible why ?
ansible why ?ansible why ?
ansible why ?
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI
 
Metasploit El Kitabı
Metasploit El KitabıMetasploit El Kitabı
Metasploit El Kitabı
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysis
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra Solutions
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 

Ähnlich wie ARM IoT Firmware Emulation Workshop

Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]Mahmoud Hatem
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
20131015_demo_oshk
20131015_demo_oshk20131015_demo_oshk
20131015_demo_oshkJeff Yang
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Narender Kumar
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Narender Kumar
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96波 董
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96波 董
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 

Ähnlich wie ARM IoT Firmware Emulation Workshop (20)

Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slides
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear Containers
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
20131015_demo_oshk
20131015_demo_oshk20131015_demo_oshk
20131015_demo_oshk
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02
 
Ironic
IronicIronic
Ironic
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
PNETLab.pdf
PNETLab.pdfPNETLab.pdf
PNETLab.pdf
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 

Mehr von Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 

Mehr von Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 

Kürzlich hochgeladen

Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikLow Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...
Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...
Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...Pooja Nehwal
 
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...Pooja Nehwal
 
(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)
(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)
(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)kojalkojal131
 
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...Pooja Nehwal
 
Lubrication and it's types and properties of the libricabt
Lubrication and it's types and properties of the libricabtLubrication and it's types and properties of the libricabt
Lubrication and it's types and properties of the libricabtdineshkumar430venkat
 
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...Amil baba
 
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...Call Girls in Nagpur High Profile
 
CALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcR
CALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcRCALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcR
CALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcRdollysharma2066
 
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...
Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...
Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...ranjana rawat
 
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...Call Girls in Nagpur High Profile
 
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Call Girls in Nagpur High Profile
 
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...anilsa9823
 
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...Call Girls in Nagpur High Profile
 

Kürzlich hochgeladen (20)

Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikLow Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
 
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...
Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...
Kalyan callg Girls, { 07738631006 } || Call Girl In Kalyan Women Seeking Men ...
 
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
 
(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)
(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)
(=Towel) Dubai Call Girls O525547819 Call Girls In Dubai (Fav0r)
 
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
 
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
 
CHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Lubrication and it's types and properties of the libricabt
Lubrication and it's types and properties of the libricabtLubrication and it's types and properties of the libricabt
Lubrication and it's types and properties of the libricabt
 
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
 
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
 
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
 
CALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcR
CALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcRCALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcR
CALL GIRLS IN Saket 83778-77756 | Escort Service In DELHI NcR
 
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
 
CHEAP Call Girls in Hauz Quazi (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Hauz Quazi (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...
Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...
Book Paid Lohegaon Call Girls Pune 8250192130Low Budget Full Independent High...
 
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
 
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
 
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
 

ARM IoT Firmware Emulation Workshop

  • 1. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 12 September 2018
  • 2. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
  • 3. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Objective • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
  • 4. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Case Study DLINK DIR-880L
  • 5. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You need SSH/SCP on your laptop.
  • 6. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
  • 7. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
  • 8. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Pentesting Embedded ARM ARM IoT Devices
  • 9. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018
  • 10. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Take a look at an IoT device...
  • 11. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible ...it is a special computer...
  • 12. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
  • 13. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
  • 14. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
  • 15. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
  • 16. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
  • 17. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Possible UART pins False Positive
  • 18. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Second Possibility
  • 19. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
  • 20. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
  • 21. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
  • 22. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console - working
  • 23. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Finished Serial Port Projects
  • 24. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
  • 25. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New Layout Legacy Layout
  • 26. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
  • 27. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Extract the rootfs
  • 28. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 rsync rootfs to ARM QEMU
  • 29. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
  • 30. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 The virtual router "boots up"
  • 31. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 SUCCESS!
  • 32. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 THANK YOU! Saumil Shah @therealsaumil saumil@net-square.com LinkedIn: saumilshah Follow us on Twitter for: updates new classes on-site training announcements Blog: http://blog.exploitlab.net