Gaining ROOT
always want that uid 0 - the usual tricks
• Removable root media
• hashcat / jtr
• kernel parameters
• init=/bin/sh
• single user mode
• Lucky for us, the root password is printed on the PCB (not even joking)
MANAGEMENT INTERFACE
the dububdub
Logging IN
Connecting using the management USB interface
Ports AND Processes
What's running on this thing?
Back to the Source
Where is this process stored and launched from
DECOMPYLE
Using multiline strings as comments is great!
Vulnerability 1: UNPICKLE
Serializing objects: it's so convenient for passing them over a UDP socket
Putting it all Together
making use of our discovered vulnerabilities
DEMO
One Step FURTHER
• Connect back payloads
• Dial 1900 numbers for profit
• UDP broadcast the attack
• Intercept data and telephony
• Insta-botnet / onion network
• Other bad things
For internet bad men
QUESTIONS?
tIM NOISE
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• tim@drkns.net