Pwn@Home An Attack Path to jailbreaking your home router

Recommendations

Info

Set-<strong>to</strong>p-box Router Firmware Arbitrary code execution Usage of Lua OS library os.execute([command]) Execute an operating system shell command. This is like the C system() function. The system dependent status code is returned. src/loslib.c static int os_execute (lua_State *L) { const char *cmd = luaL_optstring(L, 1, NULL); int stat = system(cmd); if (cmd != NULL) return luaL_execresult(L, stat); else { lua_pushboolean(L, stat); /* true if there is a shell */ return 1; } }
Set-<strong>to</strong>p-box Router Firmware Arbitrary code execution Lua interpreter exploitation 5.1 version contains several bugs Lack of bytecode verification, directly loaded by the VM Must read: http://www.lua.org/wshop11/Cawley.pdf Exploitation by Peter Cawley, but no public exploit available Direct bytecode loading disabled in version 5.2
Page 1 and 2: Pwn@Home An Attack Path to jailbrea
Page 3 and 4: Set-top-box Router Firmware Context
Page 5 and 6: Set-top-box Router Firmware Targets
Page 7 and 8: Set-top-box Router Firmware Plan 1
Page 9: Set-top-box Router Firmware Code ex
Page 12 and 13: Set-top-box Router Firmware Code ex
Page 16 and 17: Set-top-box Router Firmware Chroot
Page 22 and 23: Set-top-box Router Firmware Plan 1
Page 34 and 35: Set-top-box Router Firmware Arbitra
Page 36 and 37: Set-top-box Router Firmware Arbitra
Page 45 and 46: Set-top-box Router Firmware Firmwar
Page 51 and 52: Set-top-box Router Firmware Kernel
Page 53 and 54: Set-top-box Router Firmware File sy
Page 55 and 56: Set-top-box Router Firmware Untethe
Page 57 and 58: Set-top-box Router Firmware Untethe
Page 59: Set-top-box Router Firmware Conclus

Pwn@Home An Attack Path to jailbreaking your home router

Create successful ePaper yourself

Delete template?

Save as template?