Exploit Development

Our latest adventures in firmware exploitation

The TrendNet TEW-827DRU Vulnerability Assessment Series: Identification

Aug 13, 2020

Today we are going to talk about the vulnerability assessment I performed on a TRENDnet TEW-827DRU, hardware revision 2, firmware version 2.04. I enjoyed this vulnerability assessment, mostly because there were a lot of vulnerabilities to discover, but also because it allowed me to test out some new exploitation techniques involving ASLR. More on that later. For now, let's all don our white hats and dive right in.

TEW-827DRU Router

In the Beginning

Just like all...


CVE-2019-8985 RCE

Aug 06, 2020

I came across this entry on Mitre’s CVE disclosure site and for some reason it really drew my attention.

I think it was the seemingly simple nature of the exploit: just an overflow in the Authorization header. How hard can this be to exploit?

The CVE description was a little vague, as they usually are, so I clicked on the reference link hoping to find a more thorough explanation. I was unfortunately greeted with a 404 page not found. But with a little digging I found the overview...


MIPS Overflow Writer

Jun 25, 2020

Once you've written a fair share of MIPS buffer overflows, you'll have a pretty good idea of how the stack is laid out and how the math works out to precisely overwrite the saved return address.

It becomes less of a learning experience and more of a tedious operation. This same feeling led me to write MOW, the MIPS Overflow Writer.

This Python script requires minimal, easily retrievable arguments to generate MIPS-based buffer overflow payloads and send them to the target. This saves time and prevents...


The .text Dilemma

Jun 23, 2020

Lately I find myself writing a lot of code to exploit MIPS buffer overflows. Each one is different and frustrating in its own little way, but fun nonetheless.

I usually write a small ROP chain that calls system() with a command I pass on the stack, but occasionally I find the perfect function in the .text section that does everything I need.

Typically it's a leftover debug function that has no path for a user to reach, but performs an operation that would be useful.

In the...
