Alright now, we're having that fun. So, yeah, I had to do that, got forced to do that. Good morning everyone, I'm FX, this is FtR. We're from Phenoelit, nobody can pronounce that. And we're talking about attacking networked embedded systems. All kinds of, actually. Yeah, what are we gonna do? It's like today's session over here. I can't see my screen, so I have to look over there all the time. We're talking about design failures. Actually, FtR is gonna cover some neat shit you can do with printers, basically complementary to Little Wolf's talk yesterday. And we, of course, released some tools, so you guys can have some fun. And, yeah, after that we talk about software vulnerabilities in embedded systems, get some examples out, and then run a tutorial on how to root a Cisco. So, I pass on to FtR. Thanks for that. Okay, first we have to define somehow what for us an embedded system is. And for the purpose of this speech we think about an embedded system just as a small computer device running a custom OS, which is used for one particular job. And, yeah, it's actually something small. It doesn't need a keyboard or a screen or something like that. And it's more fun if it has some kind of network connection, so that we can play with it and we'll have some fun. What are the most common problems within embedded systems? Obviously, since nobody is thinking about attacking them, the operating system itself covers lots of undocumented functionality which is still hidden, and therefore normally developers leave back some back doors from the beginning of the development, and you can still access these functionalities, and so you can play with the system and have some more fun. And there are lots of different other features, like "how to do something" functions, which basically means you get a system out of the box and it's getting its configuration from somewhere, and therefore some kind of communication is required, and sometimes you can break into these protocols and have some fun with it.
And finally the biggest problem for the developers of these kinds of systems is that marketing comes up with a cool new feature that's required on the marketplace: everything is fine, we're going to need this. And they force the developers to bring it out and bring it up and running, and they develop it, and the time frame is really short and really limited, and so nobody is able to spend [time on] solid security and how the new feature impacts the original design within this embedded system. Okay, let's have some examples. Our first example will be the Lucent Brick. The Lucent Brick actually is a really cool, really neat, handy layer 2 firewall which is certified by the NSA and seems to be secure, but somehow it has some problem with the ARP functionality. And what's with the beam over there? Give me my scan, okay, we don't need to take that one for sure. The ARP functionality in there has some really, really important problems. Like, at first, the biggest problem is that ARP traffic will be forwarded to any... Oh, thanks. All ARP traffic through a Brick is forwarded to any network segment this Brick firewall is based on, and so knowing that ability you can do an ARP sweep through the whole network regardless of what the firewall itself says, and that might be a big problem. Actually, a firewall is supposed to block traffic, and somehow if you use the blocking feature as firewall rules and it's still forwarding traffic, I mean, what's the use in that?
The next problem in here is that you'll be able to poison the ARP table itself: you just send an ARP reply, at this normal C9 network, it will insert this entry into the ARP table and replace the existing one. And therefore we have a cool example: the management server on top of the system is actually the heartbeat of the whole box, I mean, all configuration, all logging, everything is done on this and with this server, and therefore it's really needful. And if you send in a spoofed ARP reply with the IP address of that server and another MAC address, the Brick firewall will insert this one into its own ARP table and it will replace the ARP entry that was for the management server. And you guess what the solution, the result of this is: the management server goes away and is no longer available, and what that means for us is actually no logging, no management, and then that's when the fun begins, okay? I mean, this is one point, and it becomes harder: since the whole ARP functionality is not stateful as it is supposed to be, you can send in tons of ARP replies it never asked for, and it will fill up the ARP table. Normally it's not a problem, since the ARP cache is supposed to time out, but the Lucent Brick firewall doesn't even let the ARP cache time out, and so far you just fill up the ARP table till all the memory is exhausted and the machine crashes. And I think that's something different than I would expect from an NSA certified device. Maybe the NSA wants to have it that way, who knows?
The next example we have over here are some Ascend routers. The Ascend routers themselves use an undocumented discovery protocol which is sent to the discard port, and normally you would expect that the discard port discards the packet, well, that's what it's used for, but no, Ascend does something different. Lost the idea while asking. So when you send the right packet to the port you will get a new packet with lots of nice information in it. This information contains the IP addresses, the MAC addresses, the names, even what kind of devices you will find on a machine, like a T1 interface or something like that. I mean, that's one thing you can get, some information. But if you use that packet and change the values and send it right back, and use the SNMP write community, which by default is "write", you can change these values, and obviously you don't want that someone is changing the IP address of a T1 interface. Okay, the next point: HP printers. HP printers are quite handy and useful for printing, and to configure these machines you have several ways of accessing them, like HTTP, Telnet, FTP, whatever. The most important ones are the HTTP port and the PJL port, which allow you to gather different information from the machine. HP thought about security in some way and introduced several ways of access restrictions on that, so it seems to be pretty cool, but there's one little problem: you have someone who thought about security and another one who thought about usability, they're sitting far away in HP and they don't know each other, until we come to one major problem. For example, with only the knowledge of the SNMP read community you can gather with this SNMP variable the HTTP password for full access, and once you got this, the printer is more or less yours. Okay, next step is HP printers' PJL. PJL is supposed to be the Printer Job Language, and normally whenever you do something with a printer and you print something out you use this PJL. This is
quite cool: you send out your stuff in there and you have some environment values you can use, for how many copies you want to print, which paper tray you want to use, and all this information. This is quite easy and quite handy and you really often use it. The whole security on PJL, even for the environment variables, is based on one single password, which is actually a number between one and 65535, and easily you can remotely brute force this within six hours. And I mean, what kind of security is this in here? Okay, let's go on. This is the PJL, let's see, what I want to go to: PJL also allows you access to the file system of the printer itself. I mean, it's a cool idea that the new printers... thanks, my fault, anyway. Yeah, PJL itself gives you access to the file system of the printer, and within that file system you will find lots of needful things, like the firmware of the printer, like the print jobs; everything that's going on in the printer is actually based on that file system. Once you have access to it you can manipulate it in the way you like it, and for example we have here, should be coming now, this is actually the one printer of the file system. I mean, it's a file system as you know it normally from every other system, it's just file entries, files; you can copy, you can download, you can do whatever you want, you can create software activities for your machine. In order to get the PJL to fit much more handy for you guys, we developed two kinds of tools. The first tool we developed is a command line tool; with that command line tool you can access the file system, even the environment variables and all that stuff. This is running from the same source through our Windows and our Linux, it's really cool, it's really handy. As you have seen earlier, it's actually output of this tool. And for all the guys who don't like any kind of command line tools and need something to click on, we created... the real hackers, yeah sure. We created a really, really nice looking tool that's called Hijetter. Okay,
this is the basic interface. I mean, it's very complicated to use: you have to type in an IP address in the right part, which is more or less always the same, just connect to the printer. In the display, for example right here, you have the file system: on the left hand side you have your local system and on the right hand side you have the system of the printer, just to get sure that you know how to use this tool, okay. And as you can see there you have the web server stuff, the firmware stuff and everything you want to get on. The second is just for setting environment variables, and then there's the third dialogue for setting display messages. One cool thing we have done, and we really scared people with their foreign idea: just setting the environment variable for locking the printer panel so that nobody can go on the printer and switch it to ready or something like that, and change the display message to a failure, "insert coin"; people get scared of that, "oh shit". Okay, now I have to hurry up a bit. Another new feature of these HP printers is ChaiVM. ChaiVM is a Java machine which is introduced by HP, normally for printers, but ChaiVM also, and that's a statement quoted from HP, and in the last sentence the most interesting: "these appliances are powered by HP Chai embedded software". That basically means HP is not going to supply only printers with ChaiVM, but also other systems, and that's where it becomes interesting, because ChaiVM allows you to insert new modules onto the system and run your own services on the printer. In order to do this HP introduced one service that's called Disis.loader. It's a nice and really cool security feature that all the new services you want to introduce have to be signed by HP, but it wasn't that stable as it should be, so HP released a new loader, the EZloader. It's a signed jar packet, so you can upload it to the printer, but if you get this one running you don't need to get your new jar packet signed in some way; you can just upload any kind of
stuff you want to. That's the complicated way and the easiest way. Both of these loaders are actually doing nothing else than transforming the CS config file which is based on the file system. Once you have access to the file system, you can just change this file, load it in your app, and you have uploaded your new service. I think I'm going to skip this one because we are a bit in a hurry. Anyway, as far as we have played with ChaiVM, ChaiVM was very stable. We had real problems with the development environment you can get from HP: in the real world, something that runs once in a time not necessarily must run stable on the printer; therefore very often, to use it, there is an IPv1 to reset the printer to get the Chai stuff up and running without going on the machine. What can you do with ChaiVM? We have developed one port scanner which is actually running on the printer, and it's scanning from the printer the remote network. You can put this on, wait a while, come back and get results, and that's more than funny: I don't even have to be on site, I'm using a printer. The next thing is, we decided that we don't want to spend power cycles on all our laptops; we decided to use the printer for that. We implemented a Chai cracker which is used to just break crypt passwords, and somehow the summarization of that is you get a job running on the printer, you can do with the printer... this is fun, isn't it? The printer is not anymore a printer, it's actually a full powered machine you can play with. This is actually a screenshot from the crypt cracker running on the printer. The last thing I want to describe here is there are already lots of nice services with Chai in the wild. The most interesting are two of them: the one is the notifier service. The notifier service enables you to get a notification when something nice is going on on a printer; maybe your boss is printing something after six and you want to know what it is, you get an email
and you know what it is. And the last service, quite cool, is the email service. You can configure your printer to poll a certain POP account somewhere in the wild world, and whenever you send an email to this POP account, the printer pulls it down and executes a command which is hidden in it. What does that mean to us? We just jump on the network, pick up the printer, implement that service, and whatever you do with your firewall, I don't care, as long as you let POP through going out of your network, I can play with your printer; I don't need to be on site anymore. Okay, that's it from my side. Currently all the stuff we have done you will find on phenoelit.de/hp, you can download from there; you will find the command line tools, some of the Chai services, and even the Hijetter as well. Now I have to hand over to FX. Anyway, different style, different area: I want to describe software vulnerabilities and have some fun with Cisco. Thanks FtR. Hey, hey, hey, don't waste my time. Software vulnerabilities... I mean, yeah, just try to figure out how to spell our website and then put hp on it. Okay, software vulnerabilities. Well, embedded systems actually are just a bunch of code, and the guys who code it are just a bunch of developers, so they make the same faults like Windows and Unix coders do, which basically is like input validation, we all know that stuff; format strings, especially in the logging code, it's real bad; buffer overflows, well known stuff, I mean, even some buffer overflows in embedded systems got published to Bugtraq; and yes, you can do cross-site scripting on it. Actually, the HP printers are one example: you just go in, enter some additional information and it will show up on the website, and of course it's cross-site scriptable. So, yeah, most embedded HTTP daemons I played with died within five minutes, and I never saw a rock-stable HTTP daemon for embedded systems. So, yeah, summary: limited resources lead to the fact that the developers think, oh well, I skip that check, I skip
that check, and the user is gonna be nice. Buffer overflows, we have like four, just for starters. CDL routers, quite nice routers, today a Lucent product, actually pretty good routers. They have an HTTP daemon; you do a long GET request, you crash the router. I mean, it's so plain simple. Brother network printer, same thing, but you don't actually have to do a long GET request; you just go to the Brother printer, to the web page, it asks you for the administrator password, you put several hundred characters in, click submit, it dies. HP, they did a cool switch, ProCurve. Actually, that vulnerability is pretty neat, because normally with SNMP write you could really badly abuse the switch; no, you don't do that, you just fill that variable over here with 85 characters and it doesn't die, no, it dies next time the admin tries to access the switch. That's like awesome. And of course even like cigarette box size devices, and for the non-smokers, this is how a cigarette box looks like: little print servers hanging off printers. They actually have the same vulnerabilities: you go to the print server, it asks you for a password, guess what you do, you put a bunch of A's in, you click submit, it dies and it takes the printer with it. That's actually how the device looks. I mean, it's innocent, isn't it? Yeah, common misconceptions, stuff I always hear about exploiting embedded systems: it's so hard, it's way harder than writing a hack for Windows. I mean, you really have to reverse engineer the full firmware to find out how it is going, and then you really need to know how the files work and how the libraries get in and all that. Basically the worst thing that can happen is the device crashes. You know what?
And yeah, for all the guys here who just don't know what to do after DefCon, and to prove that wrong and make sure embedded system vendors actually understand that they should care about security and get some good coders, we're going to do kind of a tutorial on how to write exploits for IOS. So now we go to some heavy duty shit. Actually, yeah, the problem here is, if you do something to a Cisco router it will crash. I mean, honestly, if it doesn't feel good, it will crash. They have a bunch of platforms, so we need something that is like widely used, and of course we can't go to like ios.sourceforge.net and check out how it works. Actually, this is from the Cisco TFTP advisory saying that the worst thing that can happen is that the Cisco crashes. Let's see if that's true. Yeah, according to Cisco, the biggest problem are memory corruptions; actually 85% of all IOS bugs are memory corruptions. Now, if you put a bunch of A's somewhere in and it dies and it is a memory corruption, you can guess it's a heap exploit, or at least a heap overflow. Let's see if we can explore that. So, to research the vulnerability, we actually found something with the TFTP server; nobody uses it anyway, but we needed something to research it. It's just a lame bug, I mean, you send a TFTP request with a long file name, it crashes. Someone said yesterday to me that this was already published two years ago, so if that's the case, I'm sorry. Okay, taking it apart then. If we get like a crash dump on the console, that's basically one part of it; that's how it looks. Without doing all that IDA stuff on the IOS image, we just do a correlation between the crash dump, this kind of info, and what we find out is this: look, we have a block magic, this is like, okay, I start here, common sense. The next thing is probably the process ID; I can't think of anything else that needs a 2 in here. Then we have a memory block that is later in the memory, like higher up, and also starts with the block magic, so it's probably the next block, and if something points
lower in memory it might be the previous block. And finally, we have the size over there with a quite funny most significant bit, which we found out is used for "is that block in use or not". So again, going to Cisco's website, they are all verbose about it; we check which memory addresses are used just to make sense of it. We check these are the models we have in the lab, so, and of course I'm just interested in the NVRAM because it stores the config. So, putting it together, that's basically how it looks. Oh, great, you don't even see the arrows. Yeah, let's do some laser pointer magic. Here we have the block magic, we have the PID, we have some addresses, I mean, that's like serious overhead; we have the next pointer, previous pointer, then we have size and usage, I don't know, that's mostly one, I don't really care about it, but it's called RFCNT, for me that sounds like reference count. And then we have redzone, that's basically a canary to make sure that IOS catches it when it overflows the buffer. So okay, what we plan to do here is: we have that host block with our legitimate data, that's basically where we're sitting in, that's why we call it the host block, and what we try to do is we overflow it, and the next block after that also has a header, so we try to overflow it in a way that we can influence that header here as intelligently as possible, and hope that IOS makes some use of it and abuses it itself. That's basically how it's planned to work. So, what happens: IOS frees the memory block we just overflowed. Basically they have a double linked list, it's pointing back and forward, I mean, everyone who knows how that goes, it's just two pointers pointing to the next and the previous block, and when it frees that it will try to take out this block of the linked list, which is basically, that's the way it looks, it's a pointer exchange operation. That's what we looked for. I'm actually burning the table here, if they are, could you take care of that fire stuff over here, thank you. So yeah, that's
what we were looking for. Let's see if we can exploit that a bit, but first we have to find out what IOS actually needs of that, and it's quite funny, because if you look: that's right, that's right, but what is the other stuff for? I mean, you usually have to buy new memory if you put a new IOS image on the router; now you know why. Okay, so we have that block magic, of course that's checked. PID and these RAM addresses here are not checked at all; I don't actually know what they are used for. Funny, the next pointer is not checked, but the previous pointer has to be 100% correct, and the size field shouldn't contain any bullshit. And of course the red zone is checked, so it finds out if it shat all over itself. But you know what, did you notice something: from here to here we know everything, or we can put in bogus values and it will not care, but one of the two pointers is used in a pointer operation. Let's take a Cisco: we overflow it over here, put some stuff that's like the red zone from the last block, that's the magic beginning, we put some stuff in here, it doesn't really matter, put the NVRAM address over here, and on the 2500 the free, this pointer exchange operation, will then write this previous pointer right into the NVRAM. The fun part is what happens: the device notices "oh fuck, I fucked up my memory, it's all toast, so the safest thing to do: reboot", we got all used to that, but it comes up and says "config checksum wrong, so what am I gonna do? Either I sit here and be a useless piece of shit or I go out on the network". So what we do, obviously, we send that stuff over here, device shits all over itself, asks for a config, and of course we're the nice guys, you know. It's so hilarious, you don't need any special knowledge about it. Bad part, okay, here comes the review. Disadvantages: it only works on the 2500, so that sucks, and the attacker has to be on the same subnet or own the TFTP server, that also sucks. But the good part is you don't need to know shit, I mean really, you just send it over and
provide the new config. But let's see if we can get some more devices. In order to do that we have to get around this annoying previous pointer check. It took us really a while to figure that out, but that's basically, for the guys who know C, that's basically how it looks like: means the block we are sitting in, the host block, actually gets checked, and IOS checks, is that still okay, and while checking the next pointer of the host block it sees if the place where it points to points back to the place where it got the address from in the first place. It's pointing to FtR and someone is going to check if FtR is pointing back to me. So how do we get around that? Still have no stable solution for that, but a pretty okay one, which is: overflow it once uncontrolled, just a bunch of A's in there, it reboots, and this puts the device in a fairly predictable state, because after the reboot you can pretty much tell how the memory looks like. So that's basically how we get around the previous pointer issue. Now we have that size field. IOS doesn't like it if you put in the size field that you overwrite something like huge numbers, all F; it will notice it, it will say "no no no no, that's bullshit, I don't have so much memory, I could use it but I don't have it". And you can't do like normal values, because we are doing a string overflow here, so it sucks, we can't just put null bytes in here. Funny: if we put 7 and all F in here it works, it's all happy about it. I assume some developer decided to use 32 bit fields on IOS, which is mostly running on 64 bit platforms anyway, and do the calculation that way, and just by right shifting, left shifting, adding, something makes sense again. So this is the size field we are using. But since the size field, okay, let's go back, that one has a 7 over here, which means the most significant bit is not set, so what we do, we take a look at free memory blocks, because if the MSB is not set IOS thinks it's free. So we need to look at free memory blocks. Again we take our crash dumps and our hex
dumps and all that, we are following it all: after all the overhead we already saw, we got similar overhead, another magic value over here, padding, more padding, this is like 8 bytes just so you know where your memory goes, some address in code space, never used, a pointer and yet another pointer. And since they are only in free blocks, free next and free previous, they basically have the same purpose: they run yet another linked list. I honestly never wanted to get the full picture on IOS memory management, and this information is probably also used when the block is freed to get two free blocks together to one big block. It's all textbook, free export. And yeah, we asked for it, we got it, and the pointers are not checked, so we can write any pointer to any address in the address space of IOS, thanks. That's basically what we do: there is a pointer exchange going to take place here, and it's all complicated, like with the previous pointer points, that gets the value that's in the next pointer, and we also have plus 20 bytes for some offset, yeah. So we have something to write into memory, but what do we do with that? We can write one pointer, that's pretty neat, but where do we write it to? There is, if you do like a showman prog-alloc, there is a place that's called process array. It obviously is an array of addresses; funny, it's the same number of elements like the number of processes you are running, so it might be that it has an entry for every process. Yeah, it actually is. It points to a huge process record they have, I don't know, it's several hundred bytes of information for a process to run, but the first thing in this process record actually points to yet another memory block, which is the stack, and the second one points inside that memory block, so obviously it's a stack pointer. So let's take it over. We have like, on the 1600 series we tested that, and it's quite easy, because the free operation actually can write into any one stack, every process you want, so you just pick one process that's not
running too often but is kicked off like once a minute. A good target I figured is load meter, because it doesn't do anything useful anyway. So yeah, and if you look at the stack here, that's like the saved stack pointer and that's the saved return address. So everyone who ever wrote an exploit knows that we now have like 5000 ways of exploiting that thing, by either overwriting the return address straight ahead over here, overwriting the stack pointer and providing our own stack with the new return address, actually changing the stack pointer in that process array entry, or just replacing the whole process array entry and providing our own. So yeah, we used the first one because it's like, it's obvious. So next question: buffer. We need some buffer to store some code, and here's the bad news: if you overflow it and it thinks this is free and this one should be freed, it will actually erase the memory and overwrite it with od od; but actually, since the block we overflow is a free memory block, or yeah, we made it a free memory block, we don't care what it was before, we can have our exploit code in there. So let's write some shellcode. We have an example based on the Cisco 1600; it has that funny Motorola processor, which really got me because I never coded Motorola before. The memory protection, according to Motorola's manual, is set in some base register; we found that base register after some serious wading through hex dumps, over here, in that address; luckily it has no zeros in it, cool. You can disable that by actually the second bit, changing it from one, protected memory, to zero, as in unprotected memory, and yeah, then write some invalid values into the NVRAM and get the device. So that's what we do, see, that code is like not huge, I mean, that's the whole code, that's all you need, it's totally simple: it takes the address of that protection base register, does a right shift on it, because the next bit is actually zero, so it's nice to us; we trick the address of the NVRAM in here, and then write
some coffee-baked stuff in there, so we got that NVRAM invalidated quite easily. What we actually did here to show how to get around pointer exchange things that write right into your shellcode: this instruction over here, you see this 01 01 01 01, this is actually where the other pointer... it's an exchange, so yeah, give and take, as in you buy beer, I buy beer. So that's where the other pointer is stored: you just put some innocent opcode in here, get the data part overwritten, all set. Yeah, summary: you overflow once to get the predictable previous pointer, set all the stuff here, fire it up, and you have the same reaction, like it asks for a config, and that's how it looks like. I took it after the legal ally here, yeah, it has some error later on, I don't care, comes up, asks for the config, asks for another config, yeah, that's disco, and then you got the device. But you know, it still sucks: you still have to be on the same segment. So let's go on, we need some more info here, which is: IOS seems to use some kind of cooperative multitasking, but honestly it more looks like a huge program that has tons of interrupt handlers to fire off important stuff, so it's not really tasked. I didn't find any task handler on it, there is no scheduling service or anything I'm aware of, maybe one of you guys works with Cisco and can tell me something I don't know, but it's all interrupt driven, so that really sucks. The NVRAM actually contains a bit more than just the config: it has a checksum, it has a field for the size of the config, it actually contains the stack traces and all the stuff that you would normally use to do forensics on a router. So what's that?
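A small C model of the block header layout and the free-time checks FX walks through above (block magic, size word with the in-use MSB, redzone canary, and the "does the previous block point back to me" test). It is an added teaching example, not Cisco's code and not from the talk; the field layout, constant values and arena size are assumptions. It shows which check trips on an uncontrolled overflow of a host block, and why a free routine should validate both neighbours before the unlink's pointer exchange writes through them.

```c
/* Model of an IOS-style heap block header: magic, PID, next/prev links, a size
 * word whose MSB means "in use", a refcount, and a redzone canary after the
 * payload. Layout, constants and check_block() rules are assumptions of this
 * example, not Cisco's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAGIC   0xAB1234CDu   /* constructed magic value, not IOS's */
#define REDZONE       0xFD0110DFu   /* constructed canary value, not IOS's */
#define IN_USE_BIT    0x80000000u   /* MSB of size: block is allocated */
#define ARENA_WORDS   64
#define PAYLOAD_WORDS 9

typedef struct block {
    uint32_t magic;
    uint32_t pid;         /* allocating process; not checked on free */
    struct block *next;   /* block higher in memory */
    struct block *prev;   /* block lower in memory */
    uint32_t size;        /* payload words, MSB = in use */
    uint32_t refcnt;
    uint32_t data[];      /* payload, followed by one REDZONE word */
} block_t;

enum { BLK_OK = 0, BLK_BAD_MAGIC, BLK_BAD_SIZE, BLK_BAD_REDZONE, BLK_BAD_PREV_LINK };

static _Alignas(block_t) uint32_t arena[ARENA_WORDS];   /* the whole "heap" */

static uint32_t blk_words(const block_t *b) { return b->size & ~IN_USE_BIT; }

/* A prev pointer is only followed if a full header fits inside the arena. */
static int in_arena(const void *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena;
    return a >= lo && a + sizeof(block_t) <= lo + sizeof arena;
}

/* Integrity checks for one block. Magic and size are tested before any
 * pointer is followed, so a clobbered header is never dereferenced. */
int check_block(const block_t *b)
{
    if (b->magic != BLOCK_MAGIC) return BLK_BAD_MAGIC;
    if (blk_words(b) > ARENA_WORDS) return BLK_BAD_SIZE;   /* "I don't have that much memory" */
    if (b->data[blk_words(b)] != REDZONE) return BLK_BAD_REDZONE;
    /* The block prev points at must point forward to us again. */
    if (b->prev != NULL && (!in_arena(b->prev) || b->prev->next != b))
        return BLK_BAD_PREV_LINK;
    return BLK_OK;
}

/* Free with neighbour validation BEFORE the pointer exchange: the unlink
 * writes through prev->next and next->prev, so both headers must be sane. */
int free_block(block_t *b)
{
    int rc;
    if ((rc = check_block(b)) != BLK_OK) return rc;
    if (b->prev && (rc = check_block(b->prev)) != BLK_OK) return rc;
    if (b->next && (rc = check_block(b->next)) != BLK_OK) return rc;
    if (b->prev) b->prev->next = b->next;   /* the unlink: two pointer writes */
    if (b->next) b->next->prev = b->prev;
    b->size &= ~IN_USE_BIT;
    return BLK_OK;
}

static block_t *place(size_t word_off, uint32_t pid, uint32_t in_use)
{
    block_t *b = (block_t *)(arena + word_off);
    b->magic = BLOCK_MAGIC; b->pid = pid; b->next = b->prev = NULL;
    b->size = PAYLOAD_WORDS | in_use; b->refcnt = 1;
    memset(b->data, 0, PAYLOAD_WORDS * sizeof(uint32_t));
    b->data[PAYLOAD_WORDS] = REDZONE;
    return b;
}

/* Constructed heap: an in-use host block directly followed by a free block. */
static void build_heap(block_t **host, block_t **victim)
{
    size_t hdr_words = sizeof(block_t) / sizeof(uint32_t);
    memset(arena, 0, sizeof arena);
    *host = place(0, 2, IN_USE_BIT);
    *victim = place(hdr_words + PAYLOAD_WORDS + 1, 0, 0);
    (*host)->next = *victim;
    (*victim)->prev = *host;
}

/* Clean heap: everything validates and the free unlinks the block. */
int demo_clean_free(void)
{
    block_t *host, *victim;
    build_heap(&host, &victim);
    return free_block(victim) == BLK_OK && host->next == NULL;
}

/* Uncontrolled overflow: a run of 'A' bytes longer than the host payload runs
 * through the host's redzone into the next header, as a string overflow would.
 * Returns (host check << 8) | (victim check << 4) | free attempt. */
int demo_uncontrolled_overflow(void)
{
    block_t *host, *victim;
    build_heap(&host, &victim);
    size_t spill = (PAYLOAD_WORDS + 1) * sizeof(uint32_t) + sizeof(block_t);
    memset((unsigned char *)host->data, 'A', spill);    /* stays inside arena */
    return (check_block(host) << 8) | (check_block(victim) << 4) | free_block(victim);
}

/* Header rebuilt correctly but prev guessed wrong (points at the block itself):
 * the back-link test is what catches it. */
int demo_wrong_backlink(void)
{
    block_t *host, *victim;
    build_heap(&host, &victim);
    victim->prev = victim;
    return check_block(victim);
}

int main(void)
{
    printf("clean free ok: %d\n", demo_clean_free());
    printf("uncontrolled overflow codes: 0x%03x\n", demo_uncontrolled_overflow());
    printf("wrong back-link code: %d\n", demo_wrong_backlink());
    return 0;
}
```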
Yeah, and the config is actually like a long C string; it's just a string with some line feeds in it. You can do some funny shit with that: anyone who gets bored with your Cisco, just play with the configs and long lines, I don't have to tell you more. And it's terminated by the "end" keyword and the normal 0 byte, so it's basically a long C string. So what we do is write a remote shellcode. That one will have a minimum config in a backpack, disable interrupts so we don't get interrupted, unprotect NVRAM, calculate the new checksum so IOS is all happy, write it to the NVRAM, and, just to be nice, there's a clean reset. Well, you don't need any syscall, you don't need any knowledge about IOS, and the neat thing is that we run always, because you don't use IOS, you just kick it off. We still have that problem with the 0 byte: still string overflow, no 0 bytes, everyone knows that, but that's like solved ages ago and we did it the same way: you have a self modifying code that first sits there, has no 0 bytes, bootstrap code, decodes the rest of it, uses a different pattern like D5 instead of 55, because 55 would lead to colons in the XORed config, and colons are real bad in that particular overflow, because they're used as delimiter between like file system name and file name. So that's crucial to the overflow, took me about 3 days to find that out. Um, gets decoded, gets executed and plainly works. Then we had another problem which was really nice: the code worked, you're all happy, it comes up, it says "no config", fucked up. It worked like every 6th byte, and it's a plain loop, I mean, it really writes every byte, and you try it again and it writes every other 6th byte. Hey, that's because the NVRAM chips are so fucking lame and slow, like by design, and according to the manual you're supposed to keep the address lines straight, so don't do any instructions on like A1 to A9, um, and poll the status register of that NVRAM thing. I don't know where that is, honestly, in that huge memory area, I don't know where that is, so we just
took some loops after every write we loop make the Cisco all happy and sweaty and yeah so we got around that problem and that's what you can download we call it ultima ratio go figure what that means the code isn't actually that big it has like the overflow the fake block the bootstrap code to decode all the other stuff XOR code to actually write a config has the config in the backpack so what you do is you have your command line utility that takes the IP address the previous pointer which we still need unfortunately and the config has like a file on your file system file it up, got root on the Cisco yeah that's how it looks like you see no crash info, no blah blah blah I'm not feeling happy just boot straight legal la la figures out of the sudden oops there's a new interface here because the config we upload didn't say anything about b0 so it just figured oh I'm a 1600 I'm all surprised about having a b interface and you just turn it to your router and well it's your config and it's your password that's basically how it looks like in detail I'm not expecting that everyone is going to get that right way but I mean the presentation is on a CD it's again the red block magic PID stuff stuff next pointer, previous pointer don't really matter that size field that funny size field here padding free magic more padding actually total crap over here yeah more padding next pointer, previous pointer this one is pointing to the code this one is pointing to the stack here we go and that's how the XOR code is that's what we use I mean if some guys here really know motorola coding you might come up with something more than that it's not too big and you don't need any knowledge about iris still put in a big emphasis on that one yeah work to do this is not like TISO SSH this doesn't really really work well if you don't have access to the syslog host or in the lab you do it with a console on and stuff you don't download it, fire it off that's not going to work but I hope we showed 
that it works and I hope that these heat exploits actually were basically a wake up call but anyway so what do we have to do we have to find differences if someone has a bug for 12.2 iOS just come over tell me I'll buy you a bunch of BS for it we have the problem of smaller buffers that buffer is just huge it's 1,400 bytes for the UDP packet we have to figure out how that works basically my idea is to send in the share code via CDP we have that previous pointer stack and stack addresses that's still a problem but we will come back to you and have a solution for that one in config we need some different share code but that's like the easy part on it we have to write to flash instead of MVRAM to take over GSRs we need some anti-forensics share code but actually after I had some people telling me how they do forensics on a Cisco I decided that's not going to be needed because nobody actually looks at MVRAM when doing forensics on Cisco but it would be need to have a share code that really does the same as ours but additionally deletes all traces from your exploitation and stuff like that so the forensics guy is all happy about it and of course real-time configuration modification code is like the next thing I'm going to do is a share code that goes over removes all access list bindings sets the passwords to something you might know and reboots the device so you don't have to figure out which interfaces it has and stuff like that come on yeah, summary for the 1000 it's local export like just invalidating MVRAM or remote export it's even simpler here you can actually write your return address right into the exception handler for memory problems that's pretty neat because as soon as it figures out that it screwed up the memory it will screw up even more the 1600 2600 basically same issue fun part on the 2600 if you want to test that TFTP stuff you have to be a bit more tricky because you have to fire up TFTP first with a valid request so the TFTP service gets loaded I 
was looking for the process entry of the TFTP service for ages before I figured out you have to fire it up once so it actually gets activated but basically it's the same the 2600 has a power PC processor so you're not going to use this shell code but the concept is still the same and 2500 so far we can't do remote export on it that's going to change and yeah, it's like the search sysco the script kitty sysco die thing so what for everyone who didn't get it yet this is how you do exploits on 85% of bugs in iOS so I hope someone is going to get a phone and call sysco and tell them to fix the shit you can do it like protocol based you can do it debug based you can actually do all kinds of stuff and I mean who actually expects you to take over a sysco so it's still unprotected I mean really and as I said then VRAM still contains stuff for the local exploitation actually it still contains the former config so after you got it you just turn it to it get the former config down which is a neat way to get around this no service password recovery you just exploit it you get the config down you get the passwords you get like tunnel keys IP addresses, net settings all kinds of stuff how to protect I guess some of you have that question right now basically in general do not rely on one type of device if all your protection and front line protection and firewall and IDS system says sysco on it you're screwed all says checkpoint on it you're screwed too so mix the two or better get some different technology in there consider all your networked equipment, vulnerable and exploitable to the fullest extent someone is going to be sick enough that's probably us to write a shell code for it believe me it is small, it is simple it doesn't even have an LED on it or something that doesn't mean that nobody is going to exploit it they will believe me if not I make them do it for the HPs basically use the features it has even if they suck assign an admin password change SNMP read and write 
community do the PGA protection even if it gives you some time make sure, I mean if you have a print server the printer should only be accessed from the print server really because nobody is going to print directly to the printer if you print to the print server like you have that loser windows network thing the only server that has to talk to the printer is the print server get rid of this.loader actually use one of our elite tools to get rid of it and consider being your printer behind fireworks if it is re-critical or really if it is finance department or something the PCs have LPD ports for some reason just connect it to the PC actually one thing I wanted to mention for this one be sure that your firewall does not allow outgoing connections from your printer to the internet because in the CS config file here you can actually put the location of the code not in like file system like okolon, backslash mycode.class but you can say like http colon, double slash my.evil.server slash mysuperevil.class for the Cisco's basically router hardening, textbook stuff other than that try to convince people to have no overflows in iOS then it's all no issue keep your iOS up to date I know it sucks but they really just fix the stuff on the 12 series mostly just 12.2 yeah, find out which software version is fixed which is kinda hard sometimes but try to find it out tell your ideas about it that's basically the signature if you really paid attention you will see that this is like the red zone from the block we're coming from this is the magic there is an undocumented thank you debug command that is debug sanity it doesn't debug anything it just makes iOS check it more often the memory it doesn't help you can still export it, but it gets it faster so if some loser tries it you will get him the hardware, config register 0, next time the thing boots it we'll sit in realm 1 if you do that, and you forget about it and you say reload, you have to get in your car yeah, and of course 
logging should be not like all visible your syslochost should actually be protected correctly so that people don't use your syslochost as an information based on how to get the pointer straight to exploit your syscos that's basically it thanks a lot and I hope you enjoyed it I hope to see you guys around
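The talk describes a self-decoding shellcode whose bootstrap XORs the rest of the payload with 0xD5 rather than 0x55, because 0x55 turned bytes of the config into colons, and a colon or a 0x00 byte in the carrier breaks that particular overflow. As an added example, not code from the talk or from the Ultima Ratio tool, the following C program shows the bad-byte check behind that key choice: it tests whether a candidate key keeps every encoded byte (and the key itself, which the decoder stub embeds) out of the forbidden set, searches for a usable key, and round-trips a constructed minimal IOS-style config. The bad-byte list (0x00 and ':'), the sample config and the 512-byte working-buffer limit are assumptions made for this example.

```c
/*
 * Added example (not Phenoelit's Ultima Ratio code): pick a single-byte
 * XOR key for a self-decoding payload so that the encoded bytes avoid the
 * characters the carrier cannot hold. The talk names two such bytes for
 * the IOS NVRAM overflow: 0x00 (C-string terminator) and ':' (delimiter
 * between file-system name and file name).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: bytes that must not appear in the encoded payload. */
static const uint8_t BAD_BYTES[] = { 0x00, ':' };
#define N_BAD (sizeof BAD_BYTES / sizeof BAD_BYTES[0])

/* Constructed sample: a minimal IOS-style config, "end" plus a NUL at the
 * end, as the talk describes the NVRAM config layout. */
static const char SAMPLE_CONFIG[] =
    "hostname owned\n"
    "enable secret 0 example\n"
    "line vty 0 4\n"
    " no login\n"
    "end\n";
#define SAMPLE_LEN (sizeof SAMPLE_CONFIG)   /* includes the trailing NUL */

static int is_bad(uint8_t b)
{
    for (size_t i = 0; i < N_BAD; i++)
        if (b == BAD_BYTES[i])
            return 1;
    return 0;
}

/* How many bytes of `in` XOR `key` land in the forbidden set. */
size_t count_bad_after_xor(const uint8_t *in, size_t n, uint8_t key)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (is_bad(in[i] ^ key))
            bad++;
    return bad;
}

/* A key is usable if it is itself clean (the decoder stub carries it)
 * and it produces no forbidden byte anywhere in the payload. */
int key_is_usable(const uint8_t *in, size_t n, uint8_t key)
{
    if (is_bad(key))
        return 0;
    return count_bad_after_xor(in, n, key) == 0;
}

/* First usable key in 0x01..0xFF, or -1 if none exists for this payload. */
int find_xor_key(const uint8_t *in, size_t n)
{
    for (unsigned k = 1; k < 256; k++)
        if (key_is_usable(in, n, (uint8_t)k))
            return (int)k;
    return -1;
}

/* In place XOR; the same loop encodes on the attacker side and decodes
 * in the bootstrap stub on the target. */
void xor_buf(uint8_t *buf, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key;
}

/* Encode, verify the carrier is clean, decode, compare. 1 on success. */
int roundtrip_clean(const uint8_t *in, size_t n, uint8_t key)
{
    uint8_t work[512];                      /* assumption: payload limit */
    if (n > sizeof work)
        return 0;
    memcpy(work, in, n);
    xor_buf(work, n, key);
    for (size_t i = 0; i < n; i++)
        if (is_bad(work[i]))
            return 0;
    xor_buf(work, n, key);
    return memcmp(work, in, n) == 0;
}

int main(void)
{
    const uint8_t *cfg = (const uint8_t *)SAMPLE_CONFIG;
    printf("key 0x55: %zu forbidden bytes, usable=%d\n",
           count_bad_after_xor(cfg, SAMPLE_LEN, 0x55),
           key_is_usable(cfg, SAMPLE_LEN, 0x55));
    printf("key 0xD5: %zu forbidden bytes, usable=%d\n",
           count_bad_after_xor(cfg, SAMPLE_LEN, 0xD5),
           key_is_usable(cfg, SAMPLE_LEN, 0xD5));
    printf("first usable key: 0x%02x\n", find_xor_key(cfg, SAMPLE_LEN));
    printf("round trip with 0xD5 ok: %d\n",
           roundtrip_clean(cfg, SAMPLE_LEN, 0xD5));
    return 0;
}
```

With this sample, 0x55 fails because every 'o' (0x6F) becomes ':' (0x6F ^ 0x55 = 0x3A), which is exactly the effect the talk describes; 0xD5 maps only non-ASCII input to the forbidden bytes and so passes. The exhaustive search returns the lowest clean key, which for a mostly printable payload is usually a small value; a real stub would also have to keep its own decoder bytes free of the same characters, which this example does not model.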