
A Practical Approach In Exploit Development For Embedded Devices

BSides Munich · 40:27 · 341 views · Published 2017-04
About this talk
A Practical Approach In Exploit Development For Embedded Devices by Michael Messner at the BSidesMunich 2017
Transcript [en]

Hey guys, welcome to my talk about a practical approach in exploit development for embedded devices. While I prepared the talk I realized the topic is so huge, so today we will not focus on the exploit development process by itself, because I think it's well documented over the internet. Today we will focus more on the step right before: on getting the testing environment, on setting everything up to start your exploit development experience. So we will talk about emulation, but give me a second, give me a few slides, then you will see what I mean. I'm a penetration tester; a while ago I've written a book, "Hacking mit Metasploit", and during the last few years I've developed a bunch of exploit modules and a bunch of auxiliary modules for the Metasploit framework, most of them focused on the embedded device area.

So today you won't hear anything special, anything new, anything super exciting. Probably everything that I will show you is documented somewhere on the internet, but that's the problem: to start in this area you have to read through a huge amount of blog posts of different qualities, and in the beginning you probably waste a huge amount of time. So today we don't talk about rocket science, we talk about the practical approach. This approach I've used multiple times to develop different exploits, and so probably you can also use it. But take a look, be careful, because we can talk about a theoretical approach which is nice, shiny and clean, but in our process it's getting quite dirty. We are result oriented, and our result is a working exploit. The exploit must work on the final, on the real device; if it's not working then we have to go a step back and analyze why it's not working. But this is our goal.

On the slide I've mentioned emulation, so what is this emulation thing at all? Wikipedia has a quite nice definition for us: an emulator is hardware or software that enables one computer system, which is called the host (the host is more or less our system that we are using for our analysis tasks, for example our Kali Linux), to behave like another computer system, the guest (the guest is our embedded device, or the operating system of our embedded device). An emulator typically enables the host system to run software designed for the guest system. In short, that means we have an embedded device with the operating system of the embedded device, we would like to analyze some part of this, and we try to run this part on our host system, on the system that we're performing our analysis on, within the emulator, with direct access to everything.

Why should we do that? If you're starting to take a look into embedded device exploitation then you're running into multiple problems. One of the first problems you're running into is: how do I get my binaries, my files, my tools to the device? Probably you have Telnet access, probably there is wget on the device, then you're fine, you can just download or upload it to the device. Probably you have hardware access via UART and you can use it, or there's some problem in the update mechanism so you can create a new firmware image padded with your binaries and upload it to the device. But probably you can't do any of this. In emulation you have control of the file system, and so in an ideal world you can just copy and paste it to the file system and you're ready to go; we will see it a little bit later.

Another interesting aspect of emulation is the debugging capabilities. If you're trying to get debugging on the device you have different possibilities: you can use JTAG, you can upload a gdbserver, but in an emulator like QEMU you have a directly built-in GDB server stub, so you can just switch it on, connect the debugger and you're ready to go. Then you are getting control of the resources: you can configure how much CPU power, how much memory space the device has. And finally, I think for me the most important aspect of emulation is that I can analyze the device, that I can write exploits without having the device. I can do it in the train, I can do it at home, I can do it wherever I want without needing the box in front of me.

So our emulator of choice is QEMU. QEMU stands for quick emulator, was created in 2003, and it supports a huge amount of different architectures: for example it supports i686, it supports MIPS, SPARC, ARM, PowerPC, and you typically will find different architectures in such embedded devices. The more architectures are supported by an emulator, the more flexible you can work with it. Then we don't go wrong with QEMU, because QEMU is heavily developed since 2003, and also there are different other projects based on QEMU. Some examples are Unicorn, which is a CPU emulator; then we have Sibyl, which is more or less a brute forcing tool for discovering functions, for example if you are dealing with a binary which is stripped down, you don't have function names, and Sibyl is probably able to discover at least some basic functions like a strcpy; and then we have the Avatar framework, which is a huge framework for embedded device emulation.

To start with QEMU, feel free to just install the packages of your distribution or install it from source, it's not that hard. Then think about what we want to do with this new and shiny emulator. Don't think of the emulation in a way that, yeah, now we can emulate our embedded device, we can work with it like the real device and we can break it like the real device. No, keep it simple, keep it as simple as possible, because otherwise it bites you. So if you are dealing with emulation, if you want to analyze some part of the embedded device, then try to emulate this part, nothing else; try to focus on this part, keep it as simple as possible,

otherwise you will waste so much time. To do this quite effectively we have different approaches, different possibilities. The first one I've mentioned before is the CPU emulation, which is done by Unicorn. QEMU by itself will help you with the user mode emulation, and typically you use the user mode emulation to get the first smell, the first taste of the binary: is it possible to emulate it at all, how feasible is it, how does the binary work in the user mode emulator? But it's typically just for a first try. If you are taking a look a little bit deeper in emulation then you're typically dealing with system mode emulation. System mode emulation means that you're booting up a whole operating system within the system that you're using for your analysis job: if you have your Kali Linux, then you're starting your emulator, and within the emulator you're booting up another operating system, because this operating system matches the architecture of the embedded device. So then we have different approaches: we can use a completely third party system, which has nothing to do with the embedded device that we are analyzing except the architecture; then we can boot up the file system of the embedded device with a different kernel, so as long as we don't do anything kernel related we are probably good to go; and another possibility that we have is, if we're dealing with some kernel related stuff, for example if your embedded device has some kernel modules shipped with it and you want to analyze the kernel modules more dynamically, then you can try to build your own kernel that fulfills the needs of the kernel modules and also fulfills the needs of your emulator, so that it boots; you're then able to boot up your new kernel that is hopefully able to load the original kernel modules. And finally, I've mentioned before the full system emulation, which also includes unknown peripherals, which is done by the Avatar framework, but this is a completely different story. Today we will primarily focus, with a short shot, on user mode emulation, and we will take the longest shot on the system mode emulation with a third party operating system and the system mode emulation with the original file system from the embedded device.

To start with your user mode emulation you need some embedded device, some file system, some update file from a vendor. You can go to the footnotes: there is an advisory for a vulnerability in the D-Link DIR-645 device, go to the website, download the firmware from the vendor and extract it with binwalk. Binwalk is a firmware extraction framework by Craig Heffner, and for such simple firmwares it's doing a really, really good job. Then you need a statically compiled user mode QEMU. You can install it via your package management system; on Debian I know the statically compiled user mode QEMU binaries are available, or you compile it yourself, and copy it to the folder where the firmware is extracted to. Change to the folder and then start it via a chroot: start your statically compiled emulator, and in this case, just for the first test, start the ls command or something else, which in this case is a simple link to BusyBox. To analyze such a binary a little bit more in detail you can for example use the included strace functionality: with the -strace switch you are now able to trace the syscalls of this binary. It's quite fine to check if it's missing some files and directories or something else that is typically created during the boot up process, or by some other binary or something else. So for a first analysis it's quite fine. Then you can also start the debugging stub: it will start the GDB server with the -g switch, and then you're able to connect to this GDB server with the client. Another example, in this case we are emulating a CGI: it is the authentication CGI of the DIR-645, which has a buffer overflow in it, and a CGI is getting its parameters via environment variables, so you are able to use the -E option with the environment variables and pass these options to the authentication CGI binary. With this method you're quite fine and you are now able to develop a full-blown memory corruption exploit within user mode emulation. But as soon as you're trying to run this exploit on the real hardware you're running into trouble, because in such embedded device exploitation, for example for MIPS or ARM architectures, you're typically using an exploitation technique which is called return oriented programming, and you need stable library addresses. For example, if you're using ROP gadgets from your uClibc, which is the case in this exploit, then in emulation the uClibc is loaded at one address, but if you are dealing with the real hardware you can see that it's on a completely other address. So now you're able to develop a full-blown exploit, but the exploit won't run on the real hardware. For developing the exploits on the real hardware, or modifying your exploits to work on the real hardware, you probably need access to the hardware to take a look at the addresses of the libraries and fix it up, or you can also use system mode emulation.

Now I will give you a short introduction into the system mode emulation thing, in the easiest way. We are booting up a third party operating system which is completely pre-installed, and use this third party operating system to develop our exploit. As before, we are dealing with real-world scenarios, with real-world vulnerabilities. A while ago there was an SDK with vulnerabilities, used in different devices of different vendors, and it had this nice and shiny command injection vulnerability

in its UPnP SOAP interface. It was in the area where you can configure port forwarding via UPnP, and there is a variable NewInternalClient, where you set your internal IP address, and within this variable we are able to inject arbitrary commands. As typical for such devices, everything runs as root, so you don't need any privilege escalation process for it, you're directly root, you have direct root access. So our goal is to verify this vulnerability, to write something like a proof of concept, to write the full-blown exploit, everything in emulation, without owning the device. So now let's start and download the firmware, one of the vulnerable firmwares, for example from the link in the footnote. Extract the firmware again with binwalk, and the next step is to do a first quick analysis to find out which architecture this embedded device is using: for example use the file command, you can also use readelf, or you can use binwalk. With this knowledge you are now able to go to the Debian website, download the QEMU MIPS Debian images and let them run. Before that, you install QEMU from the packages or from source code, and then you are able to boot it up, log in, and you have a full-blown MIPS Debian system running on your x86 architecture, on your Kali Linux or something else.

A quite useful step is to set up bridging between your emulated device and your host device, because it simplifies your life: now you can just SSH or copy something via scp, or if the service you're analyzing is opening some ports you can directly access it via the network. So it will help you. Now we are on a Debian system, you can see it in the command output, Debian MIPS, because the device is MIPS architecture, big endian, and now you don't need any emulator anymore, because you are already in the right architecture, so you're now able to just run the binaries from the original embedded device in our emulated Debian environment. The problem now is that we don't have our tools anymore. Like before, in user mode emulation, we were able to use just the -strace switch to do a little bit of tracing of the binary; now we have to compile it by ourselves or get it from somewhere, which means we need a statically compiled strace. The easiest way is just to install gcc, for example on your Debian MIPS system, and compile it over there, or you are also able to take some cross compilation toolchain, we can build it by ourselves with Buildroot for example, and then compile strace, compile gdbserver and netcat. I think these are the three most used binaries in a basic analysis.

So now we are able to try it. Let's try with miniigd, which is our UPnP server. It complains: okay, there's something with the wrong type, or probably it needs some options. We have it in an unconfigured state. After taking a look a little bit deeper in the firmware, and with Google, I found out okay, with these options it's quite happy: this is our network interface, this is just some dummy IP address, and then it's fine, miniigd is fine and tries to start up a little bit more. The next error that it is running into: we don't have a configuration file, because it is probably stored somewhere else, not in the firmware upgrade but somewhere in the flash region. So we have to create some configuration file. I don't know how it looks like, but probably I don't care about it, because in the first step just create the file, don't create any content, keep it as simple as possible. As we have created the file, miniigd was quite happy with that and proceeded, and the next problem that I was running into is that it tries to find some directory, the linuxigd directory, and some files over there, and after a short check the linuxigd directory wasn't there.

So let's step a little bit back and think about our environment. We have a Linux system that boots up our Debian MIPS system within the emulator, and within our own directory we have our embedded device. The embedded device is in an unbooted state, so that means everything that is typically done during the boot up process we have to do manually. So check out the whole initialization scripts, in this case in the init.d folder, the rcS file, and if you're looking for linuxigd you can see that the directory is created during the boot process and it copies something from a temporary directory to the linuxigd directory. So now we know where everything happens, what happens, and now let's do it manually. And finally the next problem: it has some trouble with the temp directory. Yeah, the temp directory was a symbolic link to another directory that wasn't there, so I just removed the symbolic link and created a new temp directory, and then we're ready to go: our miniigd doesn't die anymore, starts up quite fine, it creates the port and it's listening on it. Finally we are now able to connect to this port with a typical web browser and we can see the description of the SOAP interface, and with this description we are now able to build our SOAP request, our proof of concept.

All of this is running in emulation. So now I use just a simple interception proxy with a repeater or something like that, and you're able to create your UPnP request for the port forwarding, and in the NewInternalClient option you can see just the first proof of concept, a shell command with backticks. So if the device creates a bigger command with the NewInternalClient IP included, I think it executes my command first and uses the value that is the output of my command for the bigger command. So my command is executed, the other command I don't care about anymore, and we can see on the left side that the file is created, and so our proof of concept succeeded. Nice, time to create the full-blown exploit. I've done it for you, and I'll just show the Metasploit quick steps about the configuration: we have a MIPS big endian device, so I'll choose the right target, the right payload, and the interesting stuff is the exploitation process by itself. It looks a little bit weird, that's because I've used the CmdStager echo technique, which means we don't use any download or upload mechanism from the device, we don't need any wget or any other stuff, we only need one echo command, and we can use this echo command to write our payload via the command injection vulnerability to the embedded device. So we have a few lines of output; that's because the space of the command injection is quite limited, there's around 40 to 50 characters of space, so we need to do it again and again and again and again until the whole payload is transferred to the target device, and then it gets executed, and you can see we are now holding a shell on the embedded device in emulation. So we can see the whole file system over there, and we have verified the vulnerability, exploited it, and written a full-blown exploit without having the device. But yeah, probably I'm right, probably not; so trust me, the guy that has originally discovered the vulnerability has seen the exploit, has verified it, and it totally works on the real device. So now we were able to exploit, to write a full-blown exploit, without having the device.

So let's go on to the next step: the emulation of the whole operating system. No, no, you don't emulate the whole operating system, because as I mentioned before, keep it as simple as possible. So get rid of the kernel stuff because you don't need it now, and I'm also sorry, get rid of the rest of the image too; we just use the extracted directory structure from the original file system. We create a new

file system and put this new file system up with another kernel. For example, we can use the same Debian kernel that was used for the Debian system also for this new file system, or you can build your own. As before, we talk about real-world vulnerabilities, this time in the ncc binary, the ncc service of different D-Link devices. The ncc service is quite a huge binary blob which does everything on the device: it starts the configuration stuff, it loads kernel modules, it starts up the web server with the management interface, and it also includes a diagnostics area, and the diagnostics area is available unauthenticated, and you can ping other systems, but you can do much more. As you can see over there, in the ping IPv6 address you can inject your own commands, once again arbitrary commands, and they are getting executed with full root access on the device. Our goal is the same as before: set it up in emulation, verify the proof of concept, write a full-blown exploit which works on the real device. This time we can use some other firmware for testing; extract it once again with binwalk or some other extraction framework, and now create a new virtual hard disk. You can do it with qemu-img create; typically between 10 and 20 MB is enough, I've used 100 MB because I've played a little bit with the kernel modules. Then create a file system on your new hard disk; typically I use ext2 because it simplifies your life, the Debian kernel supports ext2, and it's also quite easy to compile a kernel that supports it. Mount this new hard disk, copy your extracted file system, the whole directory structure, to your mounted hard drive, and then think about your kernel stuff, because you probably need some kernel modules for your network interface or other hardware areas. So if you're using the Debian kernel, copy the kernel modules from the Debian image, copy them down and copy them up to this file system, and then you're ready to go; or compile your own kernel, like in this case, I have a 2.6.26 kernel running, and you can compile it in a way that you are able to load the original kernel modules from the firmware, and you can also use your own kernel modules. Now you have a directory structure on your hard drive, then unmount it, and do a quick check: I ran multiple times into the problem that the /dev directory of the device wasn't filled up, so do a quick check if the basic devices like the null device, urandom and console are there, and then you're probably able to boot it up and you're ready to run.

This time we are dealing with a D-Link device, so use qemu-system-mips and give it your newly created hard drive, and in this case the Debian kernel booted up, the system boots, mounts the root file system, and then it stops; that's because the device has no ttyS0 configured. In this case you can see it's quite easy to reconfigure our emulated environment, because you just mount the virtual hard drive, change the needed settings, then unmount it and boot it up again in emulation. Then on the next try it tries to start the ncc binary, that's fine because it's the main binary, but it fails quite hard because it hangs around in a loop and it tries to load a configuration file. Oh, I love configuration files. This time it doesn't help to just create the configuration file as an empty file; it hangs around because it cannot proceed, because there is no configuration in it. So there are different possibilities now: you can probably go to the real device, oh, we have no real device, that's not that good; so we have to find another way, we can reverse it a little bit more, or we can just remove it. On this slide you can see both. ncc is a really nice binary because it's not stripped down, it has all of the function names in it, so after just looking a little bit in it you can find a function that is called load_cfg, and in this case you can see a typical MIPS function call: the load_cfg address is loaded into the $t9 register, which is a quite nice indicator that they're using gcc as the compiler, and then the load_cfg function is called by a jump and link register. An interesting thing in MIPS is that the nop structure is quite important over there, because MIPS is using pipelining and this is called a branch delay slot, which means that as the jump and link register, the call of the load_cfg function, is executed, the next instruction is already in the cache. That means before the first instruction of the load_cfg function is executed, the next instruction, in our case the nop, will be executed. So that's quite interesting: as soon as there's something else than a nop in the next instruction, always take a look over there, because it can bite you quite hard. So we can fix it again; as I mentioned before, it gets dirty, so just nop it, so that we don't need any configuration. The next thing that you're running into on the next boot up process is that it needs access to the flash device, and we don't have it, so we just give it an empty text file, and again it is quite happy with that. So now let's go on. It tries to configure the device without its configuration file; probably that's not the best idea for the device, but you have a lot of debug messages, and we can use the debug messages again to find the right area in the ncc binary. For example, something you can see over there: it tries to set up the bridging, and you can see in the strings output that there is some brctl command, and with this little hint you're getting quite fast to a function. This function is called multiple times during the whole binary, so our first approach, just patching the call, would be a little bit of work here. So it's probably a little bit easier to just say okay, right at the start of the function, I will go back to you. So our function is not that big anymore, it's just one instruction and it goes back to the place it was called from, and now we are able to run the ncc binary without running into the errors anymore. You can see it over there, there's a TCP port open, probably the web server, and we can now try the proof of concept. So just use the original proof of concept, the curl command; you can see at the bottom that in our emulated environment it tries to execute the ping6 command, and now we are ready to turn it into a working exploit for this emulated environment of our device. So again we can write the Metasploit module. This time I have chosen another technique, I've chosen the technique to download and execute the payload. So this time we're using wget: we set up a web server with the payload and we initiate the wget command via the command injection vulnerability, so via wget we take the payload, download it, make it executable, give it executable rights, and execute it, and finally the command shell gets opened. We can see it over there, the BusyBox command is executed, in this case multiple times, you can see it over there.

So emulation is quite a fine thing, but you have multiple limitations in your emulated environment. In emulation everything needs a little bit longer; whether it fails or it works, you take more time for failing or working. If you are not able to extract the firmware, or you have troubles because of this, the shown techniques won't work. If you are dealing with kernel stuff it's quite messy, but it can work in different situations. And it gets really painful

as soon as the device is doing a lot of hardware interaction, so then you probably have to fake it or you reverse the hardware, or you have to patch many more areas in the binaries, and you're probably directly in the kernel area; really painful. And the approaches that you have seen are primarily targeting Linux-based operating systems; if you're talking about, or if you are trying to analyze, real-time operating systems, then it's a completely different story. So thank you very much, thank you for your interest, my name is Michael Messner, feel free to contact me and enjoy the BSides. If you have questions, I'll try to answer.

Yeah, yeah, typically it's pure reverse engineering until you have to analyze the decryption algorithm, where it gets the keys from, is it obfuscated, so it's getting really hard and you need a huge amount of time for it. If the key material is stored quite securely, then you as a penetration tester are in trouble. You can see it much more on very important devices. Yes, oh yeah, pure reverse engineering, pure hardware analysis, and you typically need the hardware for it, because somewhere in the hardware the key material is typically stored, but there are colleagues that are doing such stuff...

It depends on which focus we are talking about. On such home router stuff, IoT stuff, in this area I don't see so much sophisticated stuff, the firmware is quite simple, typically you're able to modify it and update it. In a more professional area you see more.

So as we just saw, when I asked at the very beginning who's here for hardware, who's here for software, there were many people who raised their hands on hardware. Yes, the hardware is becoming more and more important because we're controlling the world. What sort of attackers do you expect who are actually doing this kind of attack? Is it typical kiddie hackers, is it the nation state, is it somewhere in the middle? What kind of attackers do you see?

Oh, I think one of the biggest problems for the typical kiddie hacker is that you need a box. As soon as you're talking about hardware hacking you need the box, and the box is quite expensive, so most of these teenagers are probably trying to start with the software side or stay with the firmware, and if you are talking about the encrypted firmware with key material in the box, then the key is also a challenge. So I think that the bar is getting higher and higher the more professional hardware we are having, because it's just expensive for usual hackers, but it's no problem for a state to get such boxes.

And if you want to encourage somebody, sorry, if there's a software person who wants to migrate into hardware, or who wants to try something, which firmware would you recommend?

A problem with the firmwares from the footnotes? You can also get help at any step, but usually you should be able to do it on your own by downloading the firmwares from the footnotes and reproducing all the stuff, and then you should be able to get the same results.

Are there any other questions? Thank you, Michael, thank you very much.
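The user-mode step the talk walks through (find the architecture of an extracted binary, copy the matching statically linked QEMU into the extracted root, then chroot in with -strace, -g and -E), as an added example that is not the speaker's own tooling. It parses the ELF header to pick the qemu-*-static name and builds the chroot command line; the root directory, CGI path and environment variables are placeholders, and it assumes the static QEMU binary has already been copied into that root.

```python
"""Pick the statically linked user-mode QEMU for an extracted firmware and build
the chroot command line for a first test run (strace, gdb stub, CGI env vars).

Added example for this talk, not the speaker's tooling. Assumptions: the
qemu-*-static binary has already been copied into the extracted root
directory, and all paths and environment variables are placeholders.
"""
import os
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification.
EM_SPARC, EM_386, EM_MIPS, EM_PPC, EM_PPC64 = 2, 3, 8, 20, 21
EM_ARM, EM_X86_64, EM_AARCH64 = 40, 62, 183


def qemu_user_binary(header: bytes) -> str:
    """Map the first 20 bytes of an ELF file to a qemu-user-static name.

    EI_CLASS (byte 4) gives 32/64 bit, EI_DATA (byte 5) the byte order, and
    e_machine (bytes 18-19, in the file's own byte order) the architecture.
    """
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is_64 = header[4] == 2
    big = header[5] == 2
    (e_machine,) = struct.unpack(">H" if big else "<H", header[18:20])
    if e_machine == EM_MIPS:
        return "qemu-mips%s%s-static" % ("64" if is_64 else "", "" if big else "el")
    if e_machine == EM_ARM:
        return "qemu-armeb-static" if big else "qemu-arm-static"
    if e_machine == EM_AARCH64:
        return "qemu-aarch64_be-static" if big else "qemu-aarch64-static"
    if e_machine == EM_PPC:
        return "qemu-ppc-static"
    if e_machine == EM_PPC64:
        return "qemu-ppc64-static" if big else "qemu-ppc64le-static"
    if e_machine == EM_SPARC:
        return "qemu-sparc-static"
    if e_machine == EM_386:
        return "qemu-i386-static"
    if e_machine == EM_X86_64:
        return "qemu-x86_64-static"
    raise ValueError("no user-mode QEMU target known for e_machine %d" % e_machine)


def qemu_user_cmd(rootfs, target, env=None, strace=True, gdb_port=None, header=None):
    """Build the chroot command line for a first user-mode run of `target`.

    `target` is a path relative to the extracted root. `header` lets a caller
    pass the ELF header directly (used by the tests); otherwise it is read
    from the file inside `rootfs`.
    """
    if header is None:
        with open(os.path.join(rootfs, target.lstrip("/")), "rb") as fh:
            header = fh.read(20)
    cmd = ["chroot", rootfs, "./" + qemu_user_binary(header)]
    if strace:
        cmd.append("-strace")  # log every syscall: shows missing files and dirs
    if gdb_port is not None:
        cmd += ["-g", str(gdb_port)]  # wait for a gdb client on this port
    for name, value in (env or {}).items():
        cmd += ["-E", "%s=%s" % (name, value)]  # guest environment, e.g. CGI vars
    cmd.append(target)
    return cmd


def make_elf_header(e_machine, big_endian=True, is_64=False):
    """Constructed test input: a minimal 20-byte ELF header (e_type=ET_EXEC)."""
    ident = ELF_MAGIC + bytes([2 if is_64 else 1, 2 if big_endian else 1, 1, 0, 0])
    ident += b"\x00" * 7
    return ident + struct.pack(">HH" if big_endian else "<HH", 2, e_machine)


if __name__ == "__main__":
    # Constructed header standing in for a big-endian MIPS CGI binary.
    hdr = make_elf_header(EM_MIPS, big_endian=True)
    cgi_env = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": "0"}  # placeholders
    print(" ".join(qemu_user_cmd("/tmp/fw-rootfs", "./htdocs/web/auth.cgi",
                                 cgi_env, gdb_port=1234, header=hdr)))
```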