DefCon 2012 - Firmware Vulnerability Hunting with FRAK


DESCRIPTION

"Embedded Device Firmware Vulnerability Hunting Using FRAK, the Firmware Reverse Analysis Konsole -- FRAK is a framework for unpacking, analyzing, modifying and repacking the firmware images of proprietary embedded devices. The FRAK framework provides a programmatic environment for the analysis of arbitrary embedded device firmware as well as an interactive environment for the disassembly, manipulation and re-assembly of such binary images. We demonstrate the automated analysis of Cisco IOS, Cisco IP phone and HP LaserJet printer firmware images. We show how FRAK can integrate with existing vulnerability analysis tools to automate bug hunting for embedded devices. We also demonstrate how FRAK can be used to inject experimental host-based defenses into proprietary devices like Cisco routers and HP printers. "

TRANSCRIPT

Page 1: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

RED BALLOON Security

FRAK: Firmware Reverse Analysis Konsole

Ang Cui [email protected]

7.27.2012   Defcon  20  

Pages 2-5: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

Who am I / What do I do

5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University

Co-Founder and CEO, Red Balloon Security Inc. www.redballoonsecurity.com

Past publications:

•  Pervasive Insecurity of Embedded Network Devices. [RAID10]

•  A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]

•  Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]

•  Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]

•  From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11]

Past Embedded Tinkerings:

•  Interrupt-Hijack Cisco IOS Rootkit

•  HP LaserJet Printer Rootkit

Page 6: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

Interrupt-Hijack Shellcode [blackhat USA 2011]


Page 7: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

HP-RFU Vulnerability: HP LaserJet 2550 Rootkit [28c3]

Diagram nodes: Attacker | Firewall | Network Printer | Server

1. Reverse Proxy: Printer -> Attacker

2. Reverse Proxy: Printer -> Victim

3. Attacker -> Server via Reverse Proxy

4. Win: Reverse Shell, Server -> Kitteh

Pages 8-16: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

WORKFLOW [XYZ Embedded {Offense|Defense}]

Input: Binary Firmware Image

Unpacking Process:

•  Parse Package Manifest

•  For each "Record" in Firmware:
   Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed?
   Known Algorithm or Proprietary Algorithm?
   -> De{crypt,compress}

•  For each "unpacked Record" in Firmware:
   Known Format or Proprietary Format?
   -> File System Extraction

Firmware Analysis and Manipulation

Re-Packing Process:

•  For each "unpacked Record" in Firmware:
   Known Format or Proprietary Format?
   -> Re-Pack Modified File System

•  For each "Record" in Firmware:
   Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed?
   Known Algorithm or Proprietary Algorithm?
   -> Re-{crypt,compress}, Recalculate Checksum, etc.

•  Repack All Binary "records"

•  Re-generate Package Manifest

Output: Binary Firmware Image
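The workflow above, carried through on a toy container, as an added example (illustration code, not FRAK's own code and not any vendor's format). It assumes a hypothetical "XYZ1" image layout: a magic value, a record count, a manifest of fixed-size entries, then the record bodies, where each record carries flags for zlib compression and a CRC32 checksum. unpack parses the manifest and verifies and decompresses each record, modify swaps one payload, and pack re-compresses, recalculates the checksum, repacks all records and regenerates the manifest. The sample records are constructed inline. One caveat the slide's fourth question points at: a checksum can always be recalculated by the repacker, but a digitally signed record cannot be re-signed without the signing key, so for signed images the repack step stops at the signature; the toy format below deliberately has no signature field.

```python
"""Toy firmware container: unpack -> modify -> repack, following the workflow slide.

Hypothetical 'XYZ1' format (an assumption for illustration, not any vendor's format):

  image  := magic(4)="XYZ1" | count(u16 BE) | manifest entries... | record data...
  entry  := name(8, NUL-padded) | flags(u8) | offset(u32 BE) | length(u32 BE) | crc32(u32 BE)
  flags  := bit0 = zlib-compressed, bit1 = crc32-checksummed
"""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"XYZ1"
FLAG_COMPRESSED = 0x01
FLAG_CHECKSUMMED = 0x02
HEADER = struct.Struct(">4sH")     # magic, record count
ENTRY = struct.Struct(">8sBIII")   # name, flags, offset, length, crc32


@dataclass
class Record:
    name: str
    flags: int
    data: bytes  # unpacked (decompressed) payload


def pack(records):
    """Re-packing process: re-compress, recalculate checksum, repack all records, regenerate manifest."""
    header_len = HEADER.size + ENTRY.size * len(records)
    manifest, body = [], b""
    for rec in records:
        name = rec.name.encode()
        if len(name) > 8:
            raise ValueError(f"record name too long: {rec.name!r}")
        raw = zlib.compress(rec.data) if rec.flags & FLAG_COMPRESSED else rec.data
        crc = zlib.crc32(raw) if rec.flags & FLAG_CHECKSUMMED else 0
        manifest.append(ENTRY.pack(name.ljust(8, b"\0"), rec.flags,
                                   header_len + len(body), len(raw), crc))
        body += raw
    return HEADER.pack(MAGIC, len(records)) + b"".join(manifest) + body


def unpack(image):
    """Unpacking process: parse manifest, then verify checksum and decompress each record."""
    magic, count = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("not an XYZ1 image")
    records = []
    for i in range(count):
        name, flags, off, length, crc = ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
        raw = image[off:off + length]
        if len(raw) != length:
            raise ValueError(f"record {i}: truncated")
        if flags & FLAG_CHECKSUMMED and zlib.crc32(raw) != crc:
            raise ValueError(f"record {i}: CRC mismatch")
        data = zlib.decompress(raw) if flags & FLAG_COMPRESSED else raw
        records.append(Record(name.rstrip(b"\0").decode(), flags, data))
    return records


def modify(records, name, new_data):
    """Firmware modification step: replace the payload of one record, keep the rest untouched."""
    return [Record(r.name, r.flags, new_data if r.name == name else r.data) for r in records]


# Constructed sample "firmware": a compressed+checksummed kernel blob and a plain config record.
SAMPLE = [
    Record("kernel", FLAG_COMPRESSED | FLAG_CHECKSUMMED, b"\x7fELF" + b"\x00" * 64 + b"code" * 32),
    Record("config", FLAG_CHECKSUMMED, b"hostname=printer\nadmin=\n"),
]


def roundtrip_demo():
    """Unpack -> modify -> repack -> unpack again; returns the records of the repacked image."""
    recs = unpack(pack(SAMPLE))
    patched = modify(recs, "config", b"hostname=printer\nadmin=injected\n")
    return unpack(pack(patched))


def tamper_detected(image):
    """Flip one byte inside the first record's body; a checksummed record must then fail to unpack."""
    off = ENTRY.unpack_from(image, HEADER.size)[2]
    bad = bytearray(image)
    bad[off] ^= 0xFF
    try:
        unpack(bytes(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for r in roundtrip_demo():
        print(f"{r.name:8s} flags=0x{r.flags:02x} {len(r.data)} bytes unpacked")
    print("tamper detected:", tamper_detected(pack(SAMPLE)))
```

The two format-specific questions from the slide (known or proprietary algorithm, known or proprietary format) are what a real format module answers; here they are fixed to zlib and CRC32, which is exactly the part you replace per target when writing a new "XYZ-Format Module".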

Pages 17-21: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

Reasons why Ang stays home on Friday night

Payload Design -> Payload Development -> Payload Testing

STARE @ BINARY BLOB  <- THIS PART

Pages 22-27: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

FRAK: Firmware Reverse Analysis Konsole

[Better Living Through Software Engineering]

Core engines:

•  Firmware Unpacking Engine

•  Firmware Analysis Engine

•  Firmware Modification Engine

•  Firmware Repacking Engine

Access: Programmatic API Access and Interactive Console Access

Format modules feeding the unpacking and repacking engines:

•  HP-RFU Module

•  Cisco IOS Module

•  Cisco-CNU Module

•  XYZ-Format Module (for an Arbitrary Firmware Image of Unknown Format)

Data flow: Arbitrary Firmware Image -> format module + Unpacking Engine -> Unpacked Firmware Binary -> Modification Engine (injecting Software Symbiotes, XYZ Dynamic Instrumentation & Rootkit) -> Repacking Engine

Page 28: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

FRAK: Firmware Reverse Analysis Konsole

Unpack, Analyze, Modify, Repack: Cisco IOS

Page 29: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

Reasons why Ang stays home on Friday night

Payload Design -> Payload Development -> Payload Testing

STARE @ BINARY BLOB? Thanks FRAK!

Page 30: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

Demos

•  Packer/Repacker for Cisco IOS, HP-RFU

•  Automagic Binary Analysis

•  IDA-Pro Integration

•  Entropy-related Analysis

•  Automated IOS/RFU Rootkit Injection
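Entropy-related analysis, one of the demos listed above, is the first question the workflow asks of an image of unknown format: which records are compressed or encrypted, and which are plain code, data or padding. The following is an added example, not FRAK code: it computes Shannon entropy over fixed windows of a blob and merges adjacent windows into labelled regions. The window size and the two thresholds are assumptions to tune per target, and the sample blob (erased-flash padding, text-like "code", and seeded pseudo-random bytes standing in for a compressed record) is constructed inline.

```python
"""Entropy scan of a firmware blob to locate compressed/encrypted regions.

Added illustration, not FRAK code. WINDOW, HIGH and LOW are assumptions to tune per target.
"""
import math
import random
from collections import Counter

WINDOW = 512   # bytes per window (assumption)
HIGH = 7.0     # >= HIGH bits/byte: compressed or encrypted ("packed")
LOW = 1.0      # <= LOW bits/byte: padding / erased flash


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, up to 8.0 for uniform bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(blob: bytes, window: int = WINDOW):
    """(offset, entropy) for each fixed-size window across the blob (last window may be short)."""
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, len(blob), window)]


def classify(blob: bytes, window: int = WINDOW, high: float = HIGH, low: float = LOW):
    """Label each window and merge adjacent windows with the same label into (start, end, label)."""
    regions = []
    for off, h in entropy_profile(blob, window):
        label = "packed" if h >= high else "padding" if h <= low else "code/data"
        end = min(off + window, len(blob))
        if regions and regions[-1][2] == label:
            regions[-1][1] = end
        else:
            regions.append([off, end, label])
    return [tuple(r) for r in regions]


def _pseudo_random(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for an encrypted/compressed record (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample image: 1 KiB of erased-flash padding, 1 KiB of text-like "code",
# 1 KiB of high-entropy bytes standing in for a compressed record.
SAMPLE_BLOB = (b"\xff" * 1024
               + (b"mov r0, r1; bl foo; " * 52)[:1024]
               + _pseudo_random(1024))


def report(blob: bytes):
    """One line per region, in the style of a quick triage listing."""
    return [f"0x{s:06x}-0x{e:06x}  {label}" for s, e, label in classify(blob)]


if __name__ == "__main__":
    for line in report(SAMPLE_BLOB):
        print(line)
```

A "packed" region whose entropy stays near 8.0 bits/byte with no recognizable header is the case the slide calls a proprietary algorithm; a region that decompresses with a known algorithm usually shows a magic value at its start, which is where a format module's detection logic goes.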

Page 31: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

FRAK Konsole


Page 32: DefCon 2012 - Firmware Vulnerability Hunting with FRAK

FRAK is still WIP. For Early Access

Contact [email protected]

