Exploiting overlooked vulnerability in Published work - An analysis of Realtek SoC SDK exploitation - Bronson113
Welcome to the HITCON CMT 2024 collaborative notes
Notes entry point: https://hackmd.io/@HITCON/2024-note
Overall bug-hunting steps
background -> firmware -> vulnerability -> exploitation -> aftermath
Bug hunting
Linux Kernel -> failed
D-LINK DIR612:
firmware analyze (review source code)
Official website -> the new firmware version can be found directly
binwalk -> many LZMA compressed data
Extracted contents are all html, txt, etc. -> the router's web front end
Download all firmware versions; not every release includes all the IMG files
Found many MIPS binaries
Reverse with Ghidra
update_fireware() -> findheader()
Extract with xxd
we have firmware
Analyzed for a long time -> found nothing
Chose to look at historical vulnerability records -> news reported a Realtek RCE bug
CVE-2022-27255
Realtek eCos SDK SIP ALG buffer overflow
https://github.com/infobyte/cve-2022-27255
Analyzed someone else's exploit
Ran it and it didn't work -> checked in Ghidra whether the vulnerability had been patched -> bug still exists
The vulnerable code still lacks a length check
What is SIP ALG?
ALG = Application Level Gateway
Assists NAT traversal
SIP = Session Initiation Protocol
How to trigger
Have to make the router believe the traffic is SIP
On the ALG
Reproduction successful
strcpy
buffer overflow
no null byte
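The unbounded strcpy with no length check noted above, as an added illustration in C that is not from the talk or the Realtek SDK: a constructed SIP ALG field copy in its unchecked form beside a bounded version that rejects oversized input. FIELD_MAX, the sip_alg_copy_field_* names and the sample header values are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L /* for strnlen */
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the Realtek SDK's code: a NAT ALG copies one
 * SIP header field into a fixed-size stack buffer. Names are hypothetical. */
#define FIELD_MAX 32

/* Before: the pattern the notes describe. strcpy stops only at a NUL byte, so
 * a field longer than FIELD_MAX-1 bytes runs past 'field' into whatever
 * follows it on the stack; with no canary and no NX nothing catches it. */
static void sip_alg_copy_field_unchecked(char field[FIELD_MAX], const char *src)
{
    strcpy(field, src); /* no length check */
}

/* After: measure with a bounded scan, refuse anything that does not fit, then
 * copy exactly n bytes and terminate. strnlen never reads past 'limit', so an
 * unterminated source is safe too. Returns 0 on success, -1 if rejected. */
static int sip_alg_copy_field_checked(char field[FIELD_MAX], const char *src,
                                      size_t limit)
{
    size_t n = strnlen(src, limit);
    if (n >= FIELD_MAX)
        return -1; /* would overflow: drop the message instead */
    memcpy(field, src, n);
    field[n] = '\0';
    return 0;
}

/* 1 if the checked copy accepts 'src' into a FIELD_MAX buffer, else 0. */
int field_fits(const char *src)
{
    char field[FIELD_MAX];
    return sip_alg_copy_field_checked(field, src, 4096) == 0;
}

int main(void)
{
    char field[FIELD_MAX], big[128];
    const char *ok = "SIP/2.0/UDP 192.0.2.10:5060"; /* constructed, fits */

    sip_alg_copy_field_unchecked(field, ok); /* same result as checked here */
    printf("short field: %s\n", field);
    memset(big, 'A', sizeof big - 1); /* constructed 127-byte field */
    big[sizeof big - 1] = '\0';
    printf("long field: %s\n",
           sip_alg_copy_field_checked(field, big, sizeof big) ? "rejected" : "ok");
    return 0;
}
```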
exploit
NO NX
NO canary
Feed it a pile of A's -> crash
DEBUG -> UART (hardware debug port left by the vendor)
crash log
Requires two network cables
jmp to shellcode
Because the address is randomized -> doesn't work
ROP
After chaining it -> the device crashes
memset -> gets overwritten
The value on the IoT device is very large, so it crashes
shorter ROP
jump delay slot
COP = call oriented programming
After rewriting it, it died again
Why does the shellcode die?
mips16(shellcode) vs mips32 (OS)
ROP+shellcode
DEMO
default environment: WAN is BLOCK INPUT to WEB
Aftermath
Effect - CVE-2022-27255 (the original CVE)
most vendors don't care
Not every vendor uses the stack; some use the heap
Other vendors may not be able to handle this CVE because it is an SDK problem, so they seek help from the original vendor Realtek
What can you do?