Defcon 2012 - Firmware Vulnerability Hunting with FRAK

Post on 11-Nov-2014


DESCRIPTION

"Embedded Device Firmware Vulnerability Hunting Using FRAK, the Firmware Reverse Analysis Konsole -- FRAK is a framework for unpacking, analyzing, modifying and repacking the firmware images of proprietary embedded devices. The FRAK framework provides a programmatic environment for the analysis of arbitrary embedded device firmware as well as an interactive environment for the disassembly, manipulation and re-assembly of such binary images. We demonstrate the automated analysis of Cisco IOS, Cisco IP phone and HP LaserJet printer firmware images. We show how FRAK can integrate with existing vulnerability analysis tools to automate bug hunting for embedded devices. We also demonstrate how FRAK can be used to inject experimental host-based defenses into proprietary devices like Cisco routers and HP printers. "

TRANSCRIPT

Red Balloon Security

FRAK: Firmware Reverse Analysis Konsole

Ang Cui a@redballoonsecurity.com

7.27.2012   Defcon  20  

Who am I / What do I do

5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University

Co-Founder and CEO, Red Balloon Security Inc. www.redballoonsecurity.com

Past publications:

•  Pervasive Insecurity of Embedded Network Devices. [RAID10]

•  A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]

•  Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]

•  Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]

•  From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11]

Past Embedded Tinkerings:

•  Interrupt-Hijack Cisco IOS Rootkit

•  HP LaserJet Printer Rootkit

Interrupt-Hijack Shellcode [blackhat USA 2011]

HP-RFU Vulnerability: HP LaserJet 2550 Rootkit [28c3]

[Figure: network diagram with four nodes: Firewall, Network Printer, Attacker, Server]

1. Reverse Proxy: Printer -> Attacker

2. Reverse Proxy: Printer -> Victim

3. Attacker -> Server via Reverse Proxy

4. Win: Reverse Shell Server -> Kitteh

WORKFLOW [XYZ Embedded {Offense|Defense}]

[Figure: unpack / analyze / repack workflow diagram, consolidated from the slide build-up]

Unpacking Process:

1. Parse Package Manifest

2. For each "Record" in firmware: De{crypt,compress}. Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed? Known Algorithm or Proprietary Algorithm?

3. For each "unpacked Record" in firmware: FileSystem Extraction. Known Format or Proprietary Format?

-> Firmware Analysis and Manipulation

Re-Packing Process:

1. For each "unpacked Record" in firmware: Re-Pack Modified File System. Known Format or Proprietary Format?

2. Re-{crypt,compress}, Recalculate Checksum, etc. Known Algorithm or Proprietary Algorithm? Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed?

3. Repack All Binary "records"

4. Re-generate Package Manifest

-> Binary Firmware Image
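The unpack, modify and repack loop in the workflow above, as an added example that is not FRAK's code: the container format (magic, record count, then per-record name, flags, length and crc32) is a constructed toy format, not HP-RFU, Cisco IOS or any vendor's, and the record contents are constructed sample data. It walks the manifest, verifies a checksummed record before using it, inflates a compressed one, regenerates the manifest with fresh checksums on repack, and shows why a checksum alone only catches corruption, which is what the separate "Record Digitally Signed?" question in the workflow is for.

```python
import struct
import zlib

# Constructed toy container format for this example (not FRAK's, HP-RFU's or Cisco's):
#   header : b"FRAK" + u16 record count            (the "package manifest")
#   record : 8-byte name, u8 flags, u32 payload length, u32 crc32, payload
MAGIC = b"FRAK"
ENTRY = struct.Struct(">8sBII")
FLAG_COMPRESSED = 0x01    # payload is zlib-compressed
FLAG_CHECKSUMMED = 0x02   # crc32 field is meaningful and must match the payload


def unpack_image(image):
    """Parse the manifest, verify each record's checksum, and decompress where flagged."""
    if image[:4] != MAGIC:
        raise ValueError("bad magic")
    (count,) = struct.unpack(">H", image[4:6])
    off, records = 6, []
    for _ in range(count):
        name, flags, length, crc = ENTRY.unpack_from(image, off)
        off += ENTRY.size
        payload = image[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated record %r" % name)
        off += length
        # Record Checksummed? -> verify before trusting the bytes at all
        if flags & FLAG_CHECKSUMMED and zlib.crc32(payload) != crc:
            raise ValueError("checksum mismatch in record %r" % name)
        # Record Compressed? -> inflate to get the analysable contents
        data = zlib.decompress(payload) if flags & FLAG_COMPRESSED else payload
        records.append({"name": name.rstrip(b"\0"), "flags": flags, "data": data})
    return records


def repack_image(records):
    """Re-compress, recalculate checksums and regenerate the manifest for all records."""
    out = [MAGIC, struct.pack(">H", len(records))]
    for rec in records:
        payload = zlib.compress(rec["data"]) if rec["flags"] & FLAG_COMPRESSED else rec["data"]
        crc = zlib.crc32(payload) if rec["flags"] & FLAG_CHECKSUMMED else 0
        out.append(ENTRY.pack(rec["name"].ljust(8, b"\0"), rec["flags"], len(payload), crc))
        out.append(payload)
    return b"".join(out)


def build_sample_image():
    """Constructed sample: a raw checksummed 'boot' record and a compressed+checksummed 'fs' record."""
    return repack_image([
        {"name": b"boot", "flags": FLAG_CHECKSUMMED, "data": b"\x7fELF-stub"},
        {"name": b"fs", "flags": FLAG_COMPRESSED | FLAG_CHECKSUMMED, "data": b"/etc/passwd\n" * 20},
    ])


def modify_and_repack(image, name, new_data):
    """The analysis-and-manipulation step: swap one record's contents, then repack."""
    records = unpack_image(image)
    for rec in records:
        if rec["name"] == name:
            rec["data"] = new_data
    return repack_image(records)


def checksum_detects_tamper(image):
    """Flip one payload byte without touching the manifest: a checksummed record must fail.
    A crc32 only catches this; a repacker recalculates it, so only a digital signature
    gives the device a chance to reject a modified image."""
    corrupted = bytearray(image)
    corrupted[-1] ^= 0xFF   # last byte is inside the final record's payload
    try:
        unpack_image(bytes(corrupted))
        return False
    except ValueError:
        return True
```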

Reasons why Ang stays home on Friday night

Payload Design -> Payload Development -> Payload Testing -> Payload Design -> ...

STARE @ BINARY BLOB <- THIS PART

FRAK: Firmware Reverse Analysis Konsole

[Better Living Through Software Engineering]

FRAK: Firmware Reverse Analysis Konsole

[Figure: FRAK architecture diagram, consolidated from the slide build-up]

Engines: Firmware Unpacking Engine, Firmware Analysis Engine, Firmware Modification Engine, Firmware Repacking Engine

Access: Programmatic API Access, Interactive Console Access

Format modules: HP-RFU Module, Cisco IOS Module, Cisco-CNU Module, XYZ-Format Module

Input: Arbitrary Firmware Image of Unknown Format -> Unpacked Firmware Binary

Payloads fed to the modification engine: Software Symbiotes, XYZ Dynamic Instrumentation & Rootkit

Unpack, Analyze, Modify, Repack: Cisco IOS

Reasons why Ang stays home on Friday night

Payload Design -> Payload Development -> Payload Testing -> Payload Design -> ...

STARE @ BINARY BLOB? Thanks FRAK!

Demos

•  Packer/Repacker for Cisco IOS, HP-RFU

•  Automagic Binary Analysis

•  IDA-Pro Integration

•  Entropy-related Analysis

•  Automated IOS/RFU Rootkit Injection
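The "Entropy-related Analysis" demo rests on the observation that compressed or encrypted records have near-maximal byte entropy while code, tables and padding do not, which is how an analyst decides whether a record of unknown format still needs a de{crypt,compress} step before disassembly. The following is an added example, not FRAK's code: the image is constructed (0xFF padding, a code-like region, then SHA-256 output standing in for compressed or encrypted bytes), and the window size and thresholds are assumptions.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte of data: 0.0 for a constant run, close to 8.0 for compressed/encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image, window=512):
    """Entropy of each consecutive window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(image[off:off + window]))
            for off in range(0, len(image), window)]


def classify_regions(image, window=512, high=7.0, low=1.0):
    """Merge adjacent windows of the same class into (start, end, label) regions.
    'packed' marks windows that look compressed or encrypted and need a de{crypt,compress}
    step; 'padding' is filler; anything in between is treated as code/data (thresholds assumed)."""
    regions = []
    for off, h in entropy_profile(image, window):
        label = "packed" if h >= high else "padding" if h <= low else "code"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], off + window, label)
        else:
            regions.append((off, off + window, label))
    return regions


def build_sample_image():
    """Constructed 3 KiB image: 1 KiB 0xFF padding, 1 KiB code-like bytes, 1 KiB pseudorandom bytes."""
    padding = b"\xff" * 1024
    code = bytes(range(64)) * 16    # 64 distinct values, evenly spread: exactly 6.0 bits/byte
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # stands in for zlib/AES output
    return padding + code + packed
```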

FRAK Konsole

FRAK is still WIP. For Early Access contact Frak-request@redballoonsecurity.com