Hacking and patching TP-LINK TD-W8901G router

Posted On // 1 comment
Recently a critical vulnerability has been found in TP-LINK routers and few other router devices. This particular vulnerability to which I am referring was described here. Basically it is so called ROM-0 attack. In short attacker by requesting ROM-0 through HTTP request (ie. http://192.168.1.1/ROM-0) can download all important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I have decided to patch the vulnerability by myself.

You can read the entire reversing journey here (blogger doesn't like assembly code :-)):
http://piotrbania.com/all/articles/tplink_patch/



In other news:
  • kon-boot v2.4 was released (now covers Windows 8/8.1 on-line account authorization bypass, so you can login into your box without knowing the password even if you have on-line MS account) 
  •  kon-boot for MAC OSX was updated to cover 10.9 Mavericks (both options available: password bypass and new root account)
Peace out!
[Read more]

This time of the year

Posted On // Leave a Comment
So Santa came early this year and this magnificent piece of information was released: http://www.cs.tau.ac.il/~tromer/acoustic/ -- yep it still blows my mind. If you haven't seen it already I suggest you to check it out.

In other news I added few charts to the Opcode Frequency Statistics table but unfortunately they are quite ugly but anyway here they are:
- http://piotrbania.com/all/articles/chart1.html
- http://piotrbania.com/all/articles/chart2.html
- http://piotrbania.com/all/articles/chart3.html
- http://piotrbania.com/all/articles/instr_stats.html


Probably the most important part (haha :-)) is that I had a while to play with codef engine (the nice thing that lets you to write hacktros/cracktros/intro in your browser using the html canvas element). You can see the simple effect by going to http://piotrbania.com and clicking the "KINDERSURPRISE" link (you need to use chrome to hear the chiptune). Additionally I have changed my entire website design so hopefully you will like it :)

One way or another I would like to wish you a Merry Christmas and Happy New Year!

Peace out.
[Read more]

Kon-Boot v2.3 with Windows 8.1 support

Posted On // Leave a Comment
yo,

As promised Kon-Boot v2.3 was released (your favourite remedy for forgotten windows/osx passwords :-)), it now includes support for Windows 8.1 plus some additional fixes for Windows 7.



You can get it from:
http://www.thelead82.com/products.html
http://piotrbania.com/all/kon-boot/


To stay up to date:
https://twitter.com/thelead82
https://twitter.com/piotrbania

And the quote of the day is: "It's better to burn out than to fade away." - The Kurgan
[Read more]

UEFI exploitation, DARPA and moving on

Posted On // Leave a Comment
Howdy, It has been a while since my last post. Seems like this has gotten into my bloodstream and became a bad habit, sigh. But last year was pretty busy for me and this includes various areas from the work field to the personal life (I will skip this part).

Lets start with work. I have spent last 11 months working on two separate projects for DARPA (Defense Advanced Research Projects Agency) Cyber FastTrack program. It was an amazing experience, I have learnt a lot and I'm very happy that was able to participate. I would like to thank everyone involved in this program, hopefully it will be resurrected one day. At this point I'm looking for a new job opportunities and contracts so feel free to contact me if you have something interesting in your sleeves :)

As for kon-boot fans new version is going to be released this month (with support for Windows 8.1 both x86 and x64 archs).


As for UEFI exploitation few months ago I was experimenting with some stuff and I found a little vulnerability that was pretty interesting. The bug itself was already patched in EDK2 sources. I believe more curious readers will find the one I'm referring to. The payload is designed to write some silly output to the serial port since writing to screen is kinda no-go. The cool fact about this bug is that it happens very early - before user can even enter UEFI setup. Same thing happens on my mac mini machine.

Bug itself is a heap corruption (heap overwrite) vulnerability. I wouldn't say exploitation is reliable. It heavily depends on the hardware devices installed and the memory layout -- even though I'm using only one hardcoded value which is stable among different VMware machines. Even though UEFI is the new standard custom vendors use custom UEFI implementations (AMI, PHOENIX, APPLE). Each implementation typically includes different set of drivers and different memory layout. Debugging this on real hardware is a mess. Anyway since the UEFI images can be relocated in memory I would suggest using the BIOS ROM memory (0xFFE00000) for some further exploitation voodoo (obviously still different vendor = different firmware but at least you have some stable memory address).

Since users do not really patch their firmware the same vulnerability still exists on Apple MAC computers (for example on my mac mini which I kinda bricked trying to debug this crap).

UEFI HEAP CORRUPTION EXPLOITATION ON VMWARE from Piotr Bania on Vimeo.




That is all people, GODSPEED!

I guess we are who we are
Headlights shining in the dark night I drive on.
[Read more]