Post on 11-Nov-2014
Red Balloon Security
FRAK: Firmware Reverse Analysis Konsole
Ang Cui a@redballoonsecurity.com
7.27.2012 Defcon 20
Who am I / What do I do

5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University
Co-Founder and CEO, Red Balloon Security Inc. www.redballoonsecurity.com

Past publications:
• Pervasive Insecurity of Embedded Network Devices. [RAID10]
• A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]
• Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]
• Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]
• From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11]

Past Embedded Tinkerings:
• Interrupt-Hijack Cisco IOS Rootkit
• HP LaserJet Printer Rootkit
Interrupt-Hijack Shellcode [blackhat USA 2011]

HP-RFU Vulnerability: HP LaserJet 2550 Rootkit [28c3]
Diagram: Firewall, Network Printer, Attacker, Server
1. Reverse Proxy: Printer -> Attacker
2. Reverse Proxy: Printer -> Victim
3. Attacker -> Server via Reverse Proxy
4. Win: Reverse Shell Server -> Kitteh
WORKFLOW [XYZ Embedded {Offense|Defense}]

Binary Firmware Image
  ->
Unpacking Process:
• Parse Package Manifest
• For each "Record" in Firmware: Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed? Known Algorithm or Proprietary Algorithm? -> De{crypt,compress}
• For each "unpacked Record" in Firmware: Known Format or Proprietary Format? -> FileSystem Extraction
  ->
Firmware Analysis and Manipulation
  ->
Re-Packing Process:
• For each "unpacked Record" in Firmware: Known Format or Proprietary Format? -> Re-Pack Modified File System
• Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed? Known Algorithm or Proprietary Algorithm? -> Re-{crypt,compress}, Recalculate Checksum, etc.
• Repack All Binary "records"
• Re-generate Package Manifest
  ->
Binary Firmware Image
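The unpack / analyze / modify / repack loop from the workflow slide, worked as an added Python example (not FRAK's code and not any vendor's format): a constructed toy container with a package manifest and per-record compressed/checksummed flags is unpacked record by record, one record is replaced, and the image is repacked with checksums recalculated and the manifest regenerated. The format, the FWPK magic and all function names are assumptions made for illustration.

```python
import struct
import zlib

# Constructed toy container for illustration, not any real vendor format:
# header, then a manifest of (flags, offset, length, crc32) entries,
# then the record bytes themselves.
MAGIC = b"FWPK"
FLAG_COMPRESSED = 0x01
FLAG_CHECKSUMMED = 0x02
HEADER = struct.Struct("<4sH")   # magic, record count
ENTRY = struct.Struct("<BIII")   # flags, offset, length, crc32 of stored bytes


def pack_image(records):
    """Re-packing: re-compress, recalculate checksums, repack all records
    and regenerate the manifest. records = [(payload, flags), ...]."""
    stored = []
    for payload, flags in records:
        blob = zlib.compress(payload) if flags & FLAG_COMPRESSED else payload
        crc = zlib.crc32(blob) if flags & FLAG_CHECKSUMMED else 0
        stored.append((flags, blob, crc))
    offset = HEADER.size + ENTRY.size * len(stored)
    manifest, body = b"", b""
    for flags, blob, crc in stored:
        manifest += ENTRY.pack(flags, offset, len(blob), crc)
        offset += len(blob)
        body += blob
    return HEADER.pack(MAGIC, len(stored)) + manifest + body


def unpack_image(image):
    """Unpacking: parse the manifest, then for each record verify the
    checksum and decompress. Returns [(payload, flags), ...]."""
    magic, count = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("not a FWPK image")
    records = []
    for i in range(count):
        flags, offset, length, crc = ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
        blob = image[offset:offset + length]
        if len(blob) != length:
            raise ValueError(f"record {i}: truncated")
        if flags & FLAG_CHECKSUMMED and zlib.crc32(blob) != crc:
            raise ValueError(f"record {i}: checksum mismatch")
        payload = zlib.decompress(blob) if flags & FLAG_COMPRESSED else blob
        records.append((payload, flags))
    return records


def verify_image(image):
    """Integrity check to run before trusting an image: True only if the
    manifest parses and every record is consistent with its entry."""
    try:
        unpack_image(image)
        return True
    except (ValueError, struct.error, zlib.error):
        return False


def modify_and_repack(image, index, new_payload):
    """Unpack -> replace one record -> repack, mirroring the workflow slide."""
    records = unpack_image(image)
    _, flags = records[index]
    records[index] = (new_payload, flags)
    return pack_image(records)


# Constructed sample: a compressed+checksummed "kernel" record and a plain config record.
SAMPLE = pack_image([(b"KERNEL " * 64, FLAG_COMPRESSED | FLAG_CHECKSUMMED),
                     (b"config: telnet=on\n", FLAG_CHECKSUMMED)])
```

A CRC catches corruption and a careless byte-patch, but the repack step simply recomputes it, so of the four questions on the slide only "Record Digitally Signed?", where the record is bound to a key the repacker does not hold, gives a defender a check that a modified image cannot satisfy.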
Reasons why Ang stays home on Friday night
• Payload Design
• Payload Development
• Payload Testing
• STARE @ BINARY BLOB <- THIS PART :(
FRAK: Firmware Reverse Analysis Konsole
[Better Living Through Software Engineering]
FRAK: Firmware Reverse Analysis Konsole

Engines:
• Firmware Unpacking Engine
• Firmware Modification Engine
• Firmware Analysis Engine
• Firmware Repacking Engine
• Programmatic API Access
• Interactive Console Access

Format Modules:
• HP-RFU Module
• Cisco IOS Module
• Cisco-CNU Module
• XYZ-Format Module

Arbitrary Firmware Image of Unknown Format -> Unpacked Firmware Binary -> Software Symbiotes, XYZ Dynamic Instrumentation & Rootkit
FRAK: Firmware Reverse Analysis Konsole
Unpack, Analyze, Modify, Repack: Cisco IOS
Reasons why Ang stays home on Friday night
• Payload Design
• Payload Development
• Payload Testing
• STARE @ BINARY BLOB? Thanks FRAK!
Demos
• Packer/Repacker for Cisco IOS, HP-RFU
• Automagic Binary Analysis
• IDA-Pro Integration
• Entropy-related Analysis
• Automated IOS/RFU Rootkit Injection
FRAK Konsole
FRAK is still WIP. For Early Access contact Frak-request@redballoonsecurity.com