Fuzzing IoT binaries with AFL++ - Part II
Attify Blog
by Barun
2y ago
In the previous part, we looked at fuzzing simple IoT binaries with AFL++. Those programs accepted input from a file and were straightforward to fuzz. In this post, we will be looking at socket'ed binaries. Fuzzing binaries that communicate over the network using sockets is different from fuzzing binaries that use file-based I/O. Vanilla AFL and AFL++ don't support fuzzing socket'ed binaries, although there have been projects such as AFLNet and AFLNW that use modified versions of AFL for this purpose. Here, however, we will see how to use plain AFL++ to fuzz network programs. The httpd binary at …
Fuzzing IoT binaries with AFL++ - Part I
Attify Blog
by Barun
2y ago
American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage of the fuzzed code. AFL lives at https://lcamtuf.coredump.cx/afl/. It hasn't been updated in a while. While AFL still works fine, there's a newer project, AFL++, a fork of AFL with lots of improvements and new features. AFL++ can be found at https://aflplus.plus/ with its source on GitHub. In this article …
To Boot Or Not To Boot – Practical Attack Vector
Attify Blog
by Victor Hanna
2y ago
Introduction In this post, we will be closing the loop on our three-part series by describing a specific attack vector that becomes available once the bootloader process has been bypassed. Once landed at the Das U-Boot prompt, an attacker is able to move forward and ultimately take over the device beneath it. As our attack vector, we will be looking at using TFTP to load a kernel and filesystem of our own onto the affected target. We will look at how to first set up the attack device and then try our hand at gaining root access to the target device. What is …
To Boot Or Not To Boot – Das U-Boot
Attify Blog
by Victor Hanna
2y ago
Introduction In this post, we will be describing the bootloader that goes by the name of Das U-Boot. We will delve into the following Das U-Boot topics: the Das U-Boot origin story, building Das U-Boot, running Das U-Boot in an emulator (QEMU), the Das U-Boot command line, and attacker options. U-Boot Origin Story This open-source project first sprang into existence as a bootloader for the embedded PowerPC architecture. In this guise, it was initially known as 8xxROM and was later renamed to PPCBoot. Interestingly enough, the latter name, 'PPCBoot', was chosen somewhat based on t…
To Boot Or Not To Boot
Attify Blog
by Victor Hanna
2y ago
Introduction This is Part 1 of a three-part blog post that describes what a bootloader is and where it fits into the boot process. Part 2 will describe the U-Boot bootloader, specifically "Das U-Boot", examining its origins and its usage in the world of embedded Linux systems. With a thorough understanding under our belt, we will examine the possible attack vectors using practical examples in Part 3. What is a Bootloader In an embedded system context, the bootloader is simply the part of the system that is used at start-up to assist in th…
Analyzing bare metal firmware binaries in Ghidra
Attify Blog
by Barun
2y ago
In this post we will be looking at analyzing an STM32 firmware binary in Ghidra. In particular, the firmware is for the STM32F103C development board from STMicroelectronics. The file can be downloaded from this link. Analyzing firmware binaries is often different from analyzing a PE or ELF file. A PE (Portable Executable) is the standard executable file format on Windows; an .exe file is a PE underneath. The PE file format is intended for 32-bit Windows systems. There's the PE64 file format, which is similar to PE but intended for 64-bit systems. Correspondingly, on Linux we have the ELF (Executa…
Flare-On 6 CTF WriteUp (Part 12)
Attify Blog
by Barun
4y ago
This is the twelfth and final part of the Flare-On 6 CTF WriteUp Series. 12 - help The challenge reads: You're my only hope FLARE-On player! One of our developers was hacked and we're not sure what they took. We managed to set up a packet capture on the network once we found out, but they were definitely already on the system. I think whatever they installed must be buggy - it looks like they crashed our developer box. We saved off the dump file but I can't make heads or tails of it - PLEASE HELP!!!!!! We have two files: help.dmp (a 2 GB memory dump) and help.pcapng (a packet capture). Identifying …
Flare-On 6 CTF WriteUp (Part 11)
Attify Blog
by Barun
4y ago
This is the eleventh part of the Flare-On 6 CTF WriteUp Series. 11 - vv_max The challenge reads: Hey, at least it's not subleq. Subleq is an esoteric language. The program grammar consists of a single instruction, "Subtract and Branch if Less Than or Equal". The final challenge of Flare-On 5 dealt with reversing such a binary. You can read more on it here. Unlike the previous year's, this year's penultimate challenge is not about Subleq but rather about reversing a small VM that uses AVX instructions for its operation. To run the challenge binary, our processor must support AVX. Nearly …
Flare-On 6 CTF WriteUp (Part 10)
Attify Blog
by Barun
4y ago
This is the tenth part of the Flare-On 6 CTF WriteUp Series. 10 - Mugatu The challenge reads: Hello, I'm working on an incident response case for Derek Zoolander. He clicked a link and was infected with MugatuWare! As a result, his new headshot compilation GIF was encrypted. To secure an upcoming runway show, Derek needs this GIF decrypted; however, he refuses to pay the ransom. We received an additional encrypted GIF from an anonymous informant. The informant told us the GIF should help in our decryption efforts, but we were unable to figure it out. We're reaching out to you, our best malware ana…
Flare-On 6 CTF WriteUp (Part 9)
Attify Blog
by Barun
4y ago
This is the ninth part of the Flare-On 6 CTF WriteUp Series. 9 - reloaderd The challenge reads: This is a simple challenge, enter the password, receive the key. I hear that it caused problems when trying to analyze it with ghidra. Remember that valid flare-on flags will always end with @flare-on.com From a cursory look, this does look like a simple challenge. Running the provided PE file reloaderd.exe prompts for a key. Figure 1: We need a key. Loading the binary in x64dbg, we notice two calls from the main function. Figure 2: Two calls in main. The print_banner function just prints the "ReLoaderd" bann…