
---
title: Embedded Exploitation
date: 2021-01-13
categories: [cheatsheets]
tags: [embedded, exploitation, reversing]
---

Embedded Exploitation Notes

As an example, the firmware of the D-Link DCS-932L is used:

  • Firmware available on the Web
  • Runs on the MIPS architecture

Firmware Unpacking

  • Binwalk is your best friend

    binwalk -e <firmware.bin>
    
  • Extract LZMA archives:

    unlzma <file.lzma>
    
  • Extracting CPIO archives (e.g. the kernel's initramfs):

    cpio -idm --no-absolute-filenames < ../kernel
    

Binary Analysis

  • Analysing bin/alphapd

-> qemu-mipsel-static (qemu user mode) runs the binary
-> chroot into the extracted root filesystem so the binary finds the firmware's own libraries

sudo chroot . ./qemu-mipsel-static /bin/alphapd

  1. Problem: nvram items are needed

As we are emulating the binary, no real hardware is available -> no nvram daemon is running, so every nvram lookup fails.

-> Fake nvram by preloading an nvram-faker library

-> LD_PRELOAD is perfect for that (qemu-user passes environment variables to the guest with -E)

sudo chroot . ./qemu-mipsel-static -E LD_PRELOAD=/nvram-faker.so /bin/alphapd

Important: the nvram library must be compiled for the same platform as the target binary. A build setup similar to the vendor's is needed. In this case it was possible to compile the nvram lib using gcc-mipsel-linux-gnu.

-> Some libraries of the target platform must be used to compile it properly (copy the libraries from the firmware's /lib directory into the toolchain's build directory)
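As an added worked example of the faked nvram library (my own minimal shim, not the nvram-faker project's code), assuming the daemon imports Broadcom-style nvram_get()/nvram_set() and that key=value pairs live in an assumed /nvram.ini inside the chroot:

```c
/* nvram_faker.c: added minimal LD_PRELOAD shim (example code, not the nvram-faker project's).
 * Cross-compile for the target, e.g.: mipsel-linux-gnu-gcc -shared -fPIC -o nvram-faker.so nvram_faker.c
 * Assumptions: the daemon resolves nvram_get()/nvram_set() with the Broadcom-style signatures
 * below, and /nvram.ini (an assumed path inside the chroot) holds key=value lines. */
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 128
#define MAX_LEN 256

static struct { char key[MAX_LEN]; char val[MAX_LEN]; } table[MAX_ENTRIES];
static int n_entries;
static char empty[1] = "";

/* Store or overwrite a key; returns 0 on success, -1 when the table is full. */
int nvram_set(const char *key, const char *val) {
    int i;
    for (i = 0; i < n_entries && strcmp(table[i].key, key) != 0; i++) ;
    if (i == MAX_ENTRIES) return -1;          /* table full */
    snprintf(table[i].key, MAX_LEN, "%s", key);
    snprintf(table[i].val, MAX_LEN, "%s", val);
    if (i == n_entries) n_entries++;
    return 0;
}

/* Parse one "key=value" line (newline stripped); returns 0 if stored, -1 if malformed. */
int nvram_faker_parse_line(char *line) {
    line[strcspn(line, "\r\n")] = '\0';
    char *eq = strchr(line, '=');
    if (eq == NULL || eq == line) return -1;
    *eq = '\0';
    return nvram_set(line, eq + 1);
}

/* Runs when the shim is loaded, before the daemon's main(); a missing file is not an error. */
static void __attribute__((constructor)) load_ini(void) {
    FILE *f = fopen("/nvram.ini", "r");
    if (f == NULL) return;
    char line[2 * MAX_LEN];
    while (fgets(line, sizeof line, f)) nvram_faker_parse_line(line);
    fclose(f);
}

/* The call the emulated daemon makes; unknown keys are logged so you learn which nvram
 * items alphapd needs, and an empty string is returned instead of NULL to avoid crashes. */
char *nvram_get(const char *key) {
    for (int i = 0; i < n_entries; i++)
        if (strcmp(table[i].key, key) == 0) return table[i].val;
    fprintf(stderr, "[nvram-faker] missing key: %s\n", key);
    return empty;
}
```

Run the daemon once, collect the "missing key" lines from stderr, and add those keys to /nvram.ini until it starts cleanly.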

Debugging

  • qemu-user can spawn a GDB server with -g <port> (put the flag before the binary path in the chroot command above)
  • to debug a MIPS target from an x86 host, gdb-multiarch is needed (apt install gdb-multiarch)

Connect to the GDB server:

gdb-multiarch bin/alphapd
(gdb) target remote localhost:<port>