Michael Coppola

  • Table of Contents: Introduction; Tracing the Vulnerable Code Path; Exploitation Obstacles; Achieving Local Privilege Escalation; Proof of Concept; Other Writeups. Introduction: CSAW CTF 2015 was this past weekend, and like previous years I fielded a Linux kernel exploitation challenge for finalists in NYC. This year, I wrote the challenge “StringIPC.” Three of the 15 teams…

  • Table of Contents: Introduction; About the Device; Inter-Device Communication; Reversing the Android App; Reversing the Hardware; Dumping the EEPROM; Decapping Proprietary Chips; SEM Imaging of Decapped Chips. Introduction: This past semester I’ve been working on a directed study at my university with Prof. Wil Robertson reverse engineering embedded devices. After a couple of months looking…

  • Table of Contents: Introduction; Understanding the Code; Tracing the Vulnerable Code Path; Leveraging the Vulnerability; Circumventing Additional Obstacles; Achieving Local Privilege Escalation; Exploit Proof of Concept; Bonus Points. Introduction: CSAW CTF 2013 was last weekend, and this year I was lucky enough to be named a judge for the competition. I decided to bring back…

  • This past weekend I presented Weighing in on Issues with “Cloud Scale” at Summercon 2013 (the title is totally a joke, btw). In the presentation, I talked about my experience reverse engineering and hacking the Withings WS-30 WiFi-enabled bathroom scale, a fun little embedded device running Thumb-2 code. As mentioned during the talk, I’ve uploaded…

  • Table of Contents: Introduction; Function Hooking in Suterusu; Function Hooking on x86; Write Protection; Function Hooking on ARM; Instruction Caching; Pros and Cons of Inline Hooking; Hiding Processes, Files, and Directories. Introduction: A number of months ago, I added a new project to the redmine tracker github showcasing some code I worked on over the summer…

  • This past weekend, I led team ” ” in the 2012 MIT Lincoln Lab CTF where we captured the flag for being the most offensive team, specifically, performing the most unique compromises of team + service.  No, literally, we won the flag: One of the services we were tasked to install was a client-facing WordPress widget…

  • Last post, we identified a stack-based overflow in 3S CoDeSys CmpWebServer and traced the steps necessary to obtain control over EIP.  In order to do so, we needed to first circumvent stack cookies, which was achieved by abusing a call to memcpy() and overwriting the function call’s own return pointer.  This post, we’ll pick up…

  • By the way, I will be presenting “Owning the Network: Adventures in Router Rootkits” this Sunday, 12 noon at DEF CON 20.  If you enjoy ownage, networks, adventures, routers, and rootkits, this talk is for you. I’ll be releasing my firmware generation/manipulation framework at the talk, which will be made available on the site shortly…

  • Last month I posted a portion of a ridiculous conversation with NETGEAR over source code it withheld to unpack the filesystem on one of its routers.  I would like to announce that against all expectations, NETGEAR actually pulled through and sent me the source code I was looking for! As mentioned previously, I posted a…

  • For the past 8 months or so, I’ve been heading a project on reverse engineering router firmware with the end goal of developing a generalized, repeatable, effective technique to backdoor router firmware images (and ultimately the devices they are flashed upon). While I have much to share about my research and progress so far, it…