Broken, Abandoned, Firmware code part 14/14

Zachary Cutlip has posted the final installment of his 14-part series on router firmware security, "Broken, Abandoned, and Forgotten Code, Part 14":

"In the previous post, we walked through building a stage 1 firmware image that can be flashed to the Netgear R6200 by exploiting the hidden SetFirmware SOAP action in upnpd. Due to an undersized memory allocation, we aren't able to flash a full-sized image using this exploit. Whereas a stock firmware is nearly 9MB, the buffer upnpd base64 decodes into is 4MB, leading to a crash. As a result we have to load our trojanized firmware in two stages. The first stage is stripped down to bare essentials and contains an agent that downloads and flashes a full-sized second stage providing persistent remote access. In this part, we conclude the series with a discussion of how to prepare the stage 2 and what it should contain." [...]

http://shadow-file.blogspot.com/2015/11/abandoned-part-14.html
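The undersized allocation the quoted post describes is a size-check problem: the decoded length of a base64 payload is known from its text length before a single byte is decoded, so a handler can refuse an oversized image instead of crashing. The following is a constructed illustration of that check, not upnpd's or Cutlip's code; the 4MB buffer size comes from the post, the function names and everything else are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: the 4MB buffer size is from the post, the rest is assumed. */
#define FIRMWARE_BUF_SIZE (4u * 1024u * 1024u)
/* Upper bound on decoded size of 'len' base64 chars (3 bytes per 4 chars, rounded
   up); '=' padding can make the real size up to 2 bytes smaller, so this is safe. */
size_t b64_max_decoded_len(size_t len) { return ((len + 3) / 4) * 3; }
/* The check a SetFirmware-style handler should make before decoding anything:
   a ~9MB image base64-encodes to ~12MB of text, which can never fit a 4MB buffer. */
int setfirmware_would_fit(size_t encoded_len) {
    return b64_max_decoded_len(encoded_len) <= FIRMWARE_BUF_SIZE;
}
static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode 'in' into 'out' (capacity 'cap'). Returns the byte count, or -1 if the
   input is malformed or could overrun 'out'; never writes past 'cap'. */
long b64_decode_bounded(const char *in, size_t in_len, uint8_t *out, size_t cap) {
    if (b64_max_decoded_len(in_len) > cap) return -1;   /* reject before decoding */
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '=') break;                        /* padding ends the data */
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;                    /* defensive, cannot trigger */
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Demo helper: decode into a local buffer limited to 'cap' bytes (max 64) and
   return 1 if the result equals 'expected', 0 if it differs, -1 if rejected. */
int decode_and_compare(const char *in, size_t cap, const char *expected, size_t elen) {
    uint8_t buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    long n = b64_decode_bounded(in, strlen(in), buf, cap);
    if (n < 0) return -1;
    return ((size_t)n == elen && memcmp(buf, expected, elen) == 0) ? 1 : 0;
}
```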
