IoT Reverse Engineering - Part 2 [PT-BR]

PART 2 - Exploring the Firmware. In part 1, we found the UART debug port, which gave us access to a Linux shell. At this point, we have the same access to the router that an engineer/developer would use to analyze problems, control the system, provide technical support, etc. Firmware is the software that controls and monitors the hardware at a low level. It is present in practically every computer and, in the case of embedded operating systems.

IoT Reverse Engineering - Part 1 [PT-BR]

PART 1 - Hardware Identification (identifying debug ports). In this first part, we will go through the process of reverse engineering a MitraStar GPT-2741GNAC-N1 “router”. This device is interesting because it is one of the most widely used in Brazilian homes, supplied by one of the providers (or the largest provider) of internet access in Brazil; it is easy to disassemble, there is plenty of information on the internet, mainly about earlier versions (GPT-2541GNAC), and it lets me use/test some hardware hacking toys I acquired recently.

TP-Link AC1750-v2 - Buffer Overflow [EN]

CVE-2022-35568 A proof of concept for the TP-LINK router AC1750 v2 Buffer Overflow. Intro In July 2022 I found a new vulnerability in the TP-LINK router. A buffer overflow in the httpd daemon on TP-Link Archer C7 v2 (firmware version 3.15.3 Build 180114 / 180305) devices allows an authenticated remote attacker to execute arbitrary code via a malicious Folder Sharing request to /userRpm/NasFolderSharingRpm.htm. To exploit the vulnerability, simply adding a new folder request could be abused to achieve a classic RCE bug; after playing around with the parameters I found that sending a long string inside the parameter “shareFolderName” caused the application to get stuck, and the web interface stopped responding to requests and even the WIFI AP stopped working.

TP-Link Archer AX10-v1 - Remote Code Execution [EN]

CVE-2022-40486 A proof of concept for the TP-LINK router Archer AX10 v1. Intro The device I conducted this research on was the Archer AX10 v1 home WiFi router from TP-Link (Firmware Version 1.3.1 Build 20220401 Rel. 57450(5553)). My first approach was to get access via the UART interface on the board. You can read about “How to Detect Serial Pinout (GND, VCC, TX, RX)” in this link: (Youtube). Router to converter wiring: TX → RX, RX → TX, GND → GND. Thanks, Flashback Team, you guys are the inspiration for this PoC.

ReadyAPI 2.5.0/2.6.0 - Remote Code Execution [EN]

CVE-2018-20580 A proof of concept for ReadyAPI 2.5.0/2.6.0 Remote Code Execution with interactions. Intro In December 2018 I found a new vulnerability in ReadyAPI. It allows an attacker to execute remote code on the local machine, putting ReadyAPI users in danger, including developers, pentesters, etc… ReadyAPI allows users to open a SOAP project and import WSDL files that help the users communicate with the remote server easily.

Hello World!

Hack the Planet!