Uncategorized

BootStomp: Android bootloader vulnerability finder

BootStomp is a boot-loader bug finder. It looks for two different class of bugs: memory corruption and state storage vulnerabilities. For more info please refer to the BootStomp paper. To run BootStomp’s analyses, please read the following instructions. Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.[…]

https://seclab.cs.ucsb.edu/academic/publishing/#bootstomp-security-bootloaders-mobile-devices-2017

https://github.com/ucsb-seclab/BootStomp/blob/master/tools/huawei_tools/oeminfo_exploit.py

https://github.com/ucsb-seclab/BootStomp

print [!] Usage: + sys.argv[0] + <oeminfo.img> <exploit_oeminfo.img>\n

Lots of links to read at the end of the github readme web page.

 

Standard
Uncategorized

uEmu: Unicorn-based emulator plugin for IDA

uEmu is a tiny cute emulator plugin for IDA based on unicorn engine.

Supports following architectures out of the box: x86, x64, ARM, ARM64.

What is it GOOD for?
* Emulate bare metal code (bootloaders, embedded firmware etc)
* Emulate standalone functions

https://github.com/alexhude/uEmu

Standard
Uncategorized

Unicorn-based EFI emulator?

OSX Reverser has a new blog post on Apple EFI firmware passwords:

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]

Apple EFI firmware passwords and the SCBO myth

Apple EFI firmware passwords and the SCBO myth

Looking forward to an URL to this EFISwissKnife IDA plugin, and ESPECIALLY this new Unicorn-based EFI emulator! I can’t find an URL yet, though. 😦

Standard
Uncategorized

ARMpwn and ARMpwn Challenge

“ARMPwn: Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team”

https://github.com/saelo/armpwn

ARMPWN challenge write-up:
A few weeks ago, I came accross @5aelo repo called armpwn for people wanting to have a bit of ARM fun. I had recently spent some time adding new features and perfectionning old ones to my exploit helper gdb-gef and I saw there a perfect practice case. On top of that, I had nothing better to do yesterday ☺ This challenge was really fun, and made so much easier thanks to gef especially to defeat real life protections (NX/ASLR/PIC/Canary), and on a different architecture (Intel is so ‘90). This is mostly why I’m doing this write-up, but feel curious and do it by yourself. Fun time ahead guaranteed ☺ […]

https://blahcat.github.io/2016/06/13/armpwn-challenge.html

Standard
Uncategorized

Hex-Rays Decompiler plugin for IDA, updated for OS X

If you use IDA, check out the Hex-Rays Decompiler plugin is very powerful, and now available for Mac OS X users.

http://www.surrendercontrol.com/2016/02/more-ida-pro-plugins-for-os-x.html
https://github.com/REhints/HexRaysCodeXplorer/tree/master/bin/v2.0%20%5BBlackHat%20Edition%5D/IDA%20v6.8/Mac

The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware.

It has multiple experienced contributors:

Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)

 

Standard