MIPS ROP IDA Plugin – /dev/ttyS0

I’ve previously written some examples of how to exploit MIPS stack overflows using ROP techniques. The problem is that finding suitable MIPS ROP gadgets manually can be quite tedious, so I have added a new IDA plugin – mipsrop.py – to my github repository. This plugin searches the code segment(s)…

Binwalk 1.2.2 Release – /dev/ttyS0

Binwalk 1.2.2 has just been released, which introduces some useful new features:

- Binary diffing of an arbitrary number of files
- Heuristic compression/encryption analysis
- Identification of zlib compression streams (implemented via a plugin)

Here are three thousand words to demonstrate these new features: Diffing two firmware headers; Heuristic analysis of firmware…
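As an added example (this is not binwalk's zlib plugin or any code from the post), here is a small zlib stream scanner in Python that shows the validation idea behind identifying such streams: a candidate two-byte header is first checked against the RFC 1950 header rules (deflate method, window at most 32K, FCHECK consistent), and is then only reported if the data behind it actually inflates to a complete stream. The sample blob is constructed inline and deliberately contains a stray `78 9c` byte pair so the false positive is visible.

```python
import zlib

# Constructed sample blob (not real firmware): padding, a zlib stream,
# junk bytes, a fake zlib header with garbage behind it, a second zlib
# stream, and trailing padding.
PAYLOAD_A = b"firmware string table " * 4
PAYLOAD_B = bytes(range(256)) * 2
SAMPLE = (
    b"\x00" * 16
    + zlib.compress(PAYLOAD_A, 9)
    + b"\xff" * 7
    + b"\x78\x9c"              # passes the header check, but no stream follows
    + b"\x00\x00\x00\x00"
    + zlib.compress(PAYLOAD_B, 6)
    + b"\x00" * 8
)


def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: CM == 8 (deflate), CINFO <= 7 (<= 32K window),
    and the 16-bit value CMF*256+FLG must be a multiple of 31 (FCHECK)."""
    if cmf & 0x0F != 8:
        return False
    if cmf >> 4 > 7:
        return False
    return (cmf * 256 + flg) % 31 == 0


def find_zlib_streams(data: bytes, min_size: int = 1):
    """Return a list of (offset, compressed_len, decompressed_len) for every
    header candidate that also inflates cleanly to end-of-stream.

    A header match alone is a 1-in-31 false positive for any 0x?8 byte, so the
    decompression step is what makes the result trustworthy."""
    found = []
    i = 0
    while i < len(data) - 1:
        if is_zlib_header(data[i], data[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
                # d.eof is only set once the adler32 trailer has been verified;
                # unused_data tells us where the stream actually ended.
                if d.eof and len(out) >= min_size:
                    consumed = len(data) - i - len(d.unused_data)
                    found.append((i, consumed, len(out)))
                    i += consumed          # skip over the stream body
                    continue
            except zlib.error:
                pass                       # corrupt or false-positive header
        i += 1
    return found


if __name__ == "__main__":
    for off, clen, dlen in find_zlib_streams(SAMPLE):
        print(f"zlib stream at 0x{off:x}: {clen} bytes compressed, "
              f"{dlen} bytes decompressed")
```

Scanning byte-by-byte and inflating from every candidate is slow on large images, which is one reason a real tool puts this behind a plugin and prunes candidates first; the header check above is that pruning step.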

Some IDA Plugins – /dev/ttyS0

I’ve posted a few of my IDA plugins on github. Though simple, I’ve found their functionality quite useful when reversing firmware and RISC architectures:

- Defining ASCII strings not defined during IDA’s auto analysis
- Defining undefined bytes in the data segment as DWORDs (allowing IDA to resolve function/jump table pointers, etc)…

From China, With Love – /dev/ttyS0

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda. After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the…

Reverse Engineering a D-Link Backdoor – /dev/ttyS0

All right. It’s Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape…let’s hack. On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware’s web server (/bin/webs) loaded into…