Fuzzing IoT devices for memory corruption 0-days.




This article is about discovering memory corruption vulnerabilities in an IoT device. After reading it you will understand everything from setting the device up for fuzzing to developing a complete working exploit, what we call zero-to-hero kind of stuff. You can also expect a lot of memes and some extra knowledge.


Before we start I would like to give some basics about the post and the terms we are using here.

IoT Devices


IoT devices generally use RISC processors. Those who cannot recollect this can think back to their engineering days, when you might have broken your head understanding the working of 8041/8051 micro-controllers. RISC stands for Reduced Instruction Set Computer, and below is a list of processors you will see widely used in IoT.
  • MIPS.
  • ARM.
  • ST Micro-controller.
  • MediaTek MT3620.
  • Quectel BG96.
There are plenty of resources available on the internet to read about and explore this stuff, so I suggest having a look at the processors' datasheets to understand a few bits of it. In this example we are taking a device which runs on MIPS.

Below is a short view of the MIPS registers, taken from http://www.cs.uwm.edu/classes/cs315/Bacon/Lecture/HTML/ch05s03.html. I generally have a printout of this on my desk.

| Register Number | Conventional Name | Usage |
|---|---|---|
| $0 | $zero | Hard-wired to 0 |
| $1 | $at | Reserved for pseudo-instructions |
| $2 - $3 | $v0, $v1 | Return values from functions |
| $4 - $7 | $a0 - $a3 | Arguments to functions - not preserved by subprograms |
| $8 - $15 | $t0 - $t7 | Temporary data, not preserved by subprograms |
| $16 - $23 | $s0 - $s7 | Saved registers, preserved by subprograms |
| $24 - $25 | $t8 - $t9 | More temporary registers, not preserved by subprograms |
| $26 - $27 | $k0 - $k1 | Reserved for kernel. Do not use. |
| $28 | $gp | Global Area Pointer (base of global data segment) |
| $29 | $sp | Stack Pointer |
| $30 | $fp | Frame Pointer |
| $31 | $ra | Return Address |
| $f0 - $f3 | - | Floating point return values |
| $f4 - $f10 | - | Temporary registers, not preserved by subprograms |
| $f12 - $f14 | - | First two arguments to subprograms, not preserved by subprograms |
| $f16 - $f18 | - | More temporary registers, not preserved by subprograms |
| $f20 - $f31 | - | Saved registers, preserved by subprograms |


The GNU Debugger is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, C, C++, Objective-C, Free Pascal, Fortran, Go, and partially


BusyBox is a software suite that provides several Unix utilities in a single executable file. It runs in a variety of POSIX environments such as Linux, Android, and FreeBSD, although many of the tools it provides are designed to work with interfaces provided by the Linux kernel

I also assume that readers are familiar with Burp Suite and Metasploit, and that A = \x41, B = \x42.

Setting Up the Device.

For the device used in this example I managed to get the SSH credentials by reversing the firmware and a few binaries. Some guys might be thinking: if you already have root or a shell, why dig further? The reason is that we are researchers; we don't hack a device just once, we have to find every possible way to hack it so that we can save it from attackers. So once I got the shell, I generally check the BusyBox build and the commands available from it on the device. Below was the output of the busybox command, which shows that the device's BusyBox has no netcat with listener mode and nothing common for transferring files to the device, or from the device to Linux.

Getting the right BusyBox.


So the first challenge was to get my full BusyBox onto the device and install it. After a little more analysis I found the ftpget command, which allows downloading a file to the device via FTP. The next step was simple: set up vsftpd on my machine, host the right BusyBox build in /srv, and download it to the device. Below was the flow for installing BusyBox.
  • cd /tmp --> / was not writable.
  • ftpget <ftp-server-ip> busybox busybox-mips --> download BusyBox (the FTP host argument is a placeholder for your own machine).
  • mkdir ./bin --> create a directory for installing BusyBox.
  • ./busybox --install -s ./bin --> install BusyBox as symlinks into ./bin.
  • PATH=/tmp/bin:$PATH --> put the new directory at the front of PATH.
And there we go: after this we have the complete BusyBox.

Getting Fuzz Ready.

For fuzzing we need access to core dumps in order to see how the device is crashing, and to develop an exploit we need those core dumps. So we have to do two things to get the device fuzz ready: first enable core dumps, then restart the web server, as we are fuzzing the web application here. In embedded devices the application logic is embedded inside the web server for memory reasons. Below are the step-by-step instructions.

  • Enable core dumps.
    • echo -n '/tmp/core.%p' > /proc/sys/kernel/core_pattern
  • Set the core file ulimit to the maximum.
    • ulimit -c 99999999999
  • Now restart the web server.
    • pkill -9 boa
  • Generally it gets started automatically as there are watchdogs running, but if it does not, we can start it manually with a device-specific command; in my case it was
    • /userfs/bin/boa -c /boaroot -d &
This enables core dumps and makes the device fuzz ready.


While doing red team or bug bounty work I generally get annoyed with authenticated exploits: even if an authenticated RCE is there it is useless, because you can't demonstrate it. So my focus is more on discovering unauthenticated remote code execution; I try to fuzz every parameter in the login request and every unauthenticated page. If you get a real bug, I mean an RCE, and that too unauthenticated, it gives the real hacker feeling. So my focus is always on discovering pre-auth RCE.

So I intercepted the login request, set up my fuzz list in Intruder, and fired it. It looks like below.

Request with Fuzz-list.  

And wait for it to finish.

Payload configuration  and finished.

Now the obvious thing I expect is crashes.

Crash,Crash,crash Everywhere.
So here you can see a few crashes with SIGSEGV. ;)

SIGSEGV everywhere

Ugh, those offsets.

You might get the crash, but the first thing is to identify at which point it crashes. In our case the device was crashing when the payload was set to 5000 A's.

Crash at 5000 A's
As we can see, sending 5000 A's in the password parameter crashes the web server. Now that we are sure we got the crash, it's time to reproduce it multiple times to be doubly sure.

D-Bug DeBug D-Bugger 

So the next important task is how to debug this. Initially it sounds very tough, but later you get used to it. The approach is to install gdbserver on the device and then connect our pwndbg client to it. The first step is to find the proper gdbserver; you can download gdbserver for multiple architectures from the URL below.

As we have the full BusyBox now, we can simply host gdbserver on our web server and wget it.

Downloading gdbserver
Then we attach to the process and connect our gdb client to gdbserver.

  • Get the PID of boa with ps.
  • ./gdbserver --attach :2345 1356 --> attach to PID 1356 and listen on TCP port 2345 (the port is a placeholder; any free port works).
  • gdb-multiarch ==> start the gdb client.
  • target remote <device-ip>:2345 ==> connect to gdbserver (device IP and port are placeholders).
  • i r ==> see the state of the registers.


Reproducing the crash with debugging enabled.

Now that we have learned how to enable debugging, follow the steps below:

  • Start boa and get the PID.
  • Attach gdbserver to the PID.
  • Connect your system to the device with gdb-multiarch.
  • Fire the crash.
  • See the state of the registers.

It looks like below.

Boom BooM x41 everywhere

Now we have to find the correct offsets, so generate a pattern with msf, paste it as the payload, and fire it. Again look at the register values and look up each value's position in the pattern to identify which bytes of the payload control which register.

Offset matching
As we can see, we control the registers below at these payload offsets:
  • t4 and t7 at 1000 and 1004
  • t6 at 1024
  • s0 to s3 at 1028 to 1044
  • pc at 1044.


Once you have this much data one can easily develop a simple PoC exploit, which looks like below, to demonstrate control over the registers. To achieve code execution on MIPS we would have to use a technique like ROP, but the exploit below is still sufficient to demonstrate the power.
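The register-to-offset step above is what msf's cyclic pattern tools automate. The script below is an added example (not the post's own code): it builds the same Aa0Aa1... pattern, maps a 32-bit register value back to the payload offset that produced it, and runs that over a gdb `info registers` dump. The register dump is constructed by slicing the pattern at the offsets the post reports, and `PAYLOAD_LEN`, `POST_OFFSETS` and the big-endian default are assumptions for this example.

```python
import re
import string

PATTERN_MAX = 26 * 26 * 10 * 3  # 20280 bytes before the Aa0..Zz9 pattern repeats


def pattern_create(length: int) -> bytes:
    """Build the msf-style non-repeating pattern (Aa0Aa1Aa2...Zz9) cut to `length` bytes."""
    if not 0 < length <= PATTERN_MAX:
        raise ValueError(f"length must be between 1 and {PATTERN_MAX}")
    buf = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                buf += f"{upper}{lower}{digit}".encode()
                if len(buf) >= length:
                    return bytes(buf[:length])
    return bytes(buf)


def _word_bytes(value: int, big_endian: bool) -> bytes:
    """The 4 bytes a 32-bit register holds, in memory order for the target's endianness."""
    return (value & 0xFFFFFFFF).to_bytes(4, "big" if big_endian else "little")


def pattern_offset(value: int, length: int = PATTERN_MAX, big_endian: bool = True) -> int:
    """Map a register value back to the payload offset that produced it.

    Big-endian is the common MIPS configuration on routers; pass big_endian=False
    for little-endian targets, where the register bytes sit reversed in memory.
    Returns -1 when the value does not come from the pattern.
    """
    return pattern_create(length).find(_word_bytes(value, big_endian))


_REG_LINE = re.compile(r"^\s*([a-z][a-z0-9]*)\s+(0x[0-9a-fA-F]+)")


def offsets_from_registers(info_registers: str, length: int, big_endian: bool = True) -> dict:
    """Parse gdb `info registers` text; return {register: offset} for pattern-controlled registers."""
    pattern = pattern_create(length)
    found = {}
    for line in info_registers.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue
        off = pattern.find(_word_bytes(int(m.group(2), 16), big_endian))
        if off >= 0:
            found[m.group(1)] = off
    return found


# Constructed sample: the 5000-byte payload size the post reports, and register
# offsets taken from the post's list (s3 placed at 1040 so it sits before pc at 1044).
PAYLOAD_LEN = 5000
POST_OFFSETS = {"t4": 1000, "t7": 1004, "t6": 1024,
                "s0": 1028, "s1": 1032, "s2": 1036, "s3": 1040, "pc": 1044}


def _fake_info_registers() -> str:
    """Constructed gdb-style dump: each listed register holds the pattern bytes at its offset."""
    pat = pattern_create(PAYLOAD_LEN)
    rows = ["zero           0x0                 0",
            "sp             0x7fff6a30          2147445296"]   # untouched registers
    for reg, off in POST_OFFSETS.items():
        word = int.from_bytes(pat[off:off + 4], "big")
        rows.append(f"{reg:<15}0x{word:08x}          {word}")
    return "\n".join(rows)


SAMPLE_INFO_REGISTERS = _fake_info_registers()

if __name__ == "__main__":
    hits = offsets_from_registers(SAMPLE_INFO_REGISTERS, PAYLOAD_LEN)
    for reg, off in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"{reg:>4} <- payload offset {off}")
```

Registers that were not overwritten (here `zero` and `sp`) simply never match the pattern and are dropped from the result, so the output is exactly the list of controllable registers with their offsets.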


Hope you have enjoyed the reading.



The Story of a Blind SSRF Leading to Internal Host Discovery.



After reading lots of tweets on SSRF, I decided to test only for SSRF in bug bounty. Generally I work on the Synack platform due to its precise scope and response time. I love HackerOne too, but due to limited resources and a lack of automation I fail at (and hate) doing lots of discovery work, whether content discovery or asset discovery; I hate both, lol. Sometimes it takes too long on my Intel Core i5 with 16 GB and a 20 Mbps connection just to discover an asset or content, so I prefer a defined scope for testing so that I can spend more time on sharpening my testing skills than on discovery skills.


Since on this platform too there are many targets and many skilled researchers, you have to be very specific when selecting targets. It is really hard to believe that a bug submitted 20 minutes after the target goes live can be a duplicate, and the bug identifier says your bug ID is targetname-13.

I mean what?! 13 bugs in 20 minutes; how can someone even open Burp and set up the target in 20 minutes?

So that's a different pain altogether. Also, when selecting a target on Synack you have to keep a few things in mind which hurt bug bounty hunters a lot; later you get used to it.
  • "PoC || GTFO": if you use words like potential, or which can be used, or attacker can later, this means your bug is rejected.
  • "Out Of Scope" is much wider than the acceptance criteria.
  • Low-hanging fruit is best described in one picture..

  • Don't be surprised if bugs which pay nice $$$ on other platforms get rejected.
  • The technology stack is extremely out of the box; sometimes it takes too long to understand.
  • Scope... You have to be in scope. It doesn't matter if you get RCE on another subdomain or an OOS endpoint ;)

OOS means OOS, even if it's RCE on a different endpoint.
So keeping all the above in mind, I am almost always sure that I either have to find something out of the box or something obvious that was missed by our highly skilled Synack Red Team members.

Keeping everything in mind, I always select a target which has a Blitz,

because, as you know, you are going to war where you are not sure whether you will return, so choose the toughest target to defeat.


So I selected a target which had a Blitz and whose last reported vulnerability was 3 months ago; I took this as good luck and started. After application mapping, content discovery, and complete enumeration of the target I started fuzzing every parameter for SSRF. Sounds silly, but yes, only SSRF.

  • First approach: SSRF via XXE via file upload.
This target had Excel parsing, so the first thing that came to mind was to achieve SSRF via XXE via file upload. I created an xls file with a basic payload, uploaded it to the application and waited a while, but no luck; then multiple manipulated payloads were created and uploaded, but still no luck..


Then I gave up on this option.

  • Second: irrespective of the parameter and its purpose, I started shooting SSRF payloads at every parameter, i.e. monkey testing.

This also didn't work, as all the parameters were nicely sanitized.

Wait.. Something is there..

So when I was fuzzing the application with some non-obvious values like -10, it was making a call to /api/sentry.
Hmmm, lots and lots of parameters are here, and it smells like something good. The request looked like this; I changed the filename parameter to my Burp Collaborator client ID.

And I was hopelessly looking at my Collaborator client and, unbelievably, I saw a request from xxx.xxx.xx.xx to my Collaborator client.

So I took the request into Repeater and replayed it, but no luck; then I took many of the recent requests into Repeater and tried replaying them, but still no luck.

  • First I thought the sequence of requests might matter: first it was making an OPTIONS request to /api/sentry and then a POST request, so I tried that, but no luck.
  • Then I thought that out of the many sentry requests only a few might have the power to cause the SSRF, so I started from scratch again; again I was able to see one request only, and after Repeater again there was no SSRF.
  • Then I started comparing 2 or 3 requests bit by bit.

And I came to know that all requests were being tracked by "event_id". The moment I changed a character of the event_id it hit my Collaborator client again.
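The server in this story fetched whatever host the filename parameter named. The guard below is an added example of the fix from the defender's side (not code from the target or the post): it allowlists the scheme and host and resolves the name before fetching, refusing any address that is not globally routable. The hostnames, the allowlist and the `fake_resolver` table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only origins this server is ever meant to fetch from.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"assets.example.test", "reports.example.test"}


def resolve(host: str) -> list:
    """Resolve a hostname to all of its addresses using system DNS."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_fetch_target(url: str, resolver=resolve, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Decide whether the server may fetch `url`. Returns (ok, reason).

    Cheap syntactic checks come first, DNS last, and the address check covers
    every resolved address, so a name that maps to both a public and an
    internal address is refused rather than fetched.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"could not resolve {host}: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local (which covers the
        # 169.254.169.254 cloud metadata address), shared address space and the like.
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers so the check runs offline. 1.2.3.4 is a placeholder
# public address; reports.example.test is an allowlisted name that now points inside.
FAKE_DNS = {
    "assets.example.test": ["1.2.3.4"],
    "reports.example.test": ["10.0.0.5"],
}


def fake_resolver(host: str) -> list:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ["https://assets.example.test/report.xlsx",
                      "https://abc123.collab.test/x",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://reports.example.test/x"]:
        print(candidate, "->", check_fetch_target(candidate, fake_resolver))
```

The host check alone would have stopped the Collaborator callback; the resolution check is what catches an allowlisted name that has been pointed at internal space. To close DNS rebinding as well, the HTTP client should connect to the address that was validated rather than resolving the name a second time.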

Setting up the attack

I sent the below request to Intruder.

Getting the payloads

Now click on Burp and then Burp Collaborator client; it will open the Collaborator window. Click on the number to generate, change it to 50, and click on copy to clipboard.

Final attack setup

Now navigate to our attack and select the Positions tab. Here select two positions: one is the filename parameter and the second is the event_id parameter. Now it will look like below.

Now move to the Payloads tab. In payload set 1 select the payload type simple list and paste the URLs we got from the Collaborator client; in payload set 2 select brute forcer, change the minimum length from 4 to 32 and the max length to 32.

Payload for the filename parameter

Payload for event_id

And now start the attack....

Love for 200 OK

Boom Boom...

As soon as I started the attack I got many requests on my client.

After final analysis I came up with 25 internal Amazon IP addresses from which the requests were made.

Looks nice, so I went ahead and reported this bug to the platform. And guess what: it was declared OOS.

Then we had a small conversation over whether this is a valid bug, blah blah, and I provided some references.

But finally the platform wins; they categorized this into two parts:
    1. Information disclosure of internal IPs, which is low impact.
    2. If we fire millions of requests towards any target then it's DDoS, which is OOS.

SO then 

Around the same time 3 old reports with CVSS 9/10 got duped, and I decided to stop hunting for a while and do other stuff.

Happy hunting guys

Hope you love reading this....



How to get Severity and CVSS Score on the command line.



Hi All,

While working on a project, I faced the challenge of obtaining the CVSS score and severity for multiple CVE IDs.

One thought was to obtain them the lame way, visiting the MITRE page and noting each in Excel, but in future I may have to perform this activity again.

So I gave a try to writing a script which fetches the CVSS 2 and CVSS 3 scores from MITRE and prints them to the terminal.

So here the journey began for cve2rating.

Birth of cve2rating.py

  • cve2rating.py
A simple Python script which shows the CVSS 2 and CVSS 3 scores on the command line interface.


python cve2rating.py  CVE-2017-1337

('CVE Details for', 'CVE-2017-1337')
CVSS Score 3 for CVE-2017-1337
CVE score is: 
Severity for is: High
 CVSS Score 2 for CVE-2017-1337
CVE score is: 
Severity for is: MEDIUM

I am looking for contributions to this tool. The concept is to pass a list of CVE IDs to the script, like we pass an IP list to nmap using the -iL flag, with the expected output below.

| CVE Details | CVSS Score 3 Severity | CVSS Score 3 Score | CVSS Score 2 Severity | CVSS Score 2 Score |
|---|---|---|---|---|
| CVE-2017-1337 | High | 8.1 | Medium | 4.3 |
  • cve2rating.sh: wrapper for cve2rating.py for running the tool on multiple CVEs and obtaining the CVSS 2 and 3 scores.
usage: ./cve2rating.sh cves.txt
Output: cat result.txt
('CVE Details for', 'CVE-2016-1337')
CVSS Score 3 for CVE-2016-1337
CVE score is: 
Severity for is: High
 CVSS Score 2 for CVE-2016-1337
CVE score is: 
Severity for is: MEDIUM
('CVE Details for', 'CVE-2016-1338')
CVSS Score 3 for CVE-2016-1338
CVE score is: 
Severity for is: Medium
 CVSS Score 2 for CVE-2016-1338
CVE score is: 
Severity for is: HIGH
('CVE Details for', 'CVE-2016-1339')
CVSS Score 3 for CVE-2016-1339
CVE score is: 
Severity for is: High
 CVSS Score 2 for CVE-2016-1339
CVE score is: 
Severity for is: HIGH
('CVE Details for', 'CVE-2016-1340')
CVSS Score 3 for CVE-2016-1340
CVE score is: 
Severity for is: High
 CVSS Score 2 for CVE-2016-1340
CVE score is: 
Severity for is: HIGH
('CVE Details for', 'CVE-2016-1341')
CVSS Score 3 for CVE-2016-1341
CVE score is: 
Severity for is: Critical
 CVSS Score 2 for CVE-2016-1341
CVE score is: 
Severity for is: MEDIUM

root@B3astPad:/data/tools/cve2rating# cat cves.txt 
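The table the post asks contributors for can be produced without the shell wrapper by reading one CVE record per ID and reducing it to five columns. The script below is an added example, not the project's cve2rating.py: it assumes the JSON layout of NVD's public CVE API 2.0 (`vulnerabilities[].cve.metrics.cvssMetricV31` / `cvssMetricV2`), takes a file of IDs the way `-iL` does, and falls back to a constructed sample response (built from the scores in the post's example table) when run without arguments.

```python
import json
import sys
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve}"


def fetch_nvd(cve_id: str, timeout: int = 30) -> dict:
    """Fetch one CVE record from the NVD JSON API 2.0 (network; the offline demo does not call it)."""
    with urllib.request.urlopen(NVD_API.format(cve=cve_id), timeout=timeout) as resp:
        return json.load(resp)


def _first(metrics: dict, *keys):
    """Return the first metric entry found under any of `keys`, or None."""
    for key in keys:
        entries = metrics.get(key) or []
        if entries:
            return entries[0]
    return None


def rating_from_record(record: dict) -> dict:
    """Reduce one NVD vulnerability record to the columns of the post's requested table."""
    cve = record["cve"]
    metrics = cve.get("metrics", {})
    row = {"cve": cve["id"], "v3_severity": "-", "v3_score": "-",
           "v2_severity": "-", "v2_score": "-"}
    v3 = _first(metrics, "cvssMetricV31", "cvssMetricV30")
    if v3:
        row["v3_score"] = v3["cvssData"]["baseScore"]
        row["v3_severity"] = str(v3["cvssData"].get("baseSeverity", "-")).title()
    v2 = _first(metrics, "cvssMetricV2")
    if v2:
        row["v2_score"] = v2["cvssData"]["baseScore"]
        # In the 2.0 schema the v2 severity sits beside cvssData, not inside it (assumed layout).
        row["v2_severity"] = str(v2.get("baseSeverity", "-")).title()
    return row


def ratings_for_ids(cve_ids, fetch=fetch_nvd) -> list:
    """One row per requested ID; IDs the source does not know are reported, not skipped."""
    rows = []
    for cve_id in cve_ids:
        vulns = fetch(cve_id).get("vulnerabilities", [])
        if vulns:
            rows.append(rating_from_record(vulns[0]))
        else:
            rows.append({"cve": cve_id, "v3_severity": "not found", "v3_score": "-",
                         "v2_severity": "not found", "v2_score": "-"})
    return rows


def render_table(rows) -> str:
    lines = ["| CVE | CVSS 3 Severity | CVSS 3 Score | CVSS 2 Severity | CVSS 2 Score |",
             "|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['cve']} | {r['v3_severity']} | {r['v3_score']} | "
                     f"{r['v2_severity']} | {r['v2_score']} |")
    return "\n".join(lines)


# Constructed sample in the NVD 2.0 shape, using the scores from the post's example table.
SAMPLE_RESPONSE = {"vulnerabilities": [{"cve": {"id": "CVE-2017-1337", "metrics": {
    "cvssMetricV31": [{"cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}],
    "cvssMetricV2": [{"cvssData": {"baseScore": 4.3}, "baseSeverity": "MEDIUM"}]}}}]}


def offline_fetch(cve_id: str) -> dict:
    """Stand-in for fetch_nvd that only knows the constructed sample."""
    return SAMPLE_RESPONSE if cve_id == "CVE-2017-1337" else {"vulnerabilities": []}


if __name__ == "__main__":
    # usage: python cve_table.py cves.txt   (one CVE ID per line, like nmap -iL)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            ids = [line.strip() for line in fh if line.strip()]
        print(render_table(ratings_for_ids(ids, fetch_nvd)))
    else:
        print(render_table(ratings_for_ids(["CVE-2017-1337"], offline_fetch)))
```

When running against the live API, NVD rate-limits unauthenticated clients (5 requests per rolling 30 seconds), so a batch run needs a pause between calls or an API key.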

NullCON #ackIm CTF 2017 Write-UP(Web-1)


We are always excited for the #ackIm CTF.

I have been playing this CTF since 2012, and it is one of the best CTFs I have ever played. So let's not waste time and start the journey.

When you log in to the portal you find the below details.

Obviously the first step is to hit the web challenge, because I assumed it would be easy, but that assumption got killed brutally.

So the challenge was:

Chris Martin wants to go home. Can you help him get there as soon as possible?
And the URL asks for a username and password.

After looking at the source code I noticed that my scroll bar was too long.

At the end, I thought I had found the flag.

And I thought it was easy, but it wasn't a flag.

It was a base64 string which gives an MD5 hash.

Base64 --> MD5 --> Coldplayparadise.

This time I was sure this must be the username/password.

When I put this as the username and password,

it gives me

Mismatch in host table! Please contact your administrator for access. IP logged.

A quick idea to add an X-Forwarded-For: header gives you the first flag.

And The Flag is

The flag is: 4f9361b0302d4c2f2eb1fc308587dfd6

Yay, so finally we did it.

Hope you understand how my first assumption got brutally killed.
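The "host table" check fell to a client-supplied X-Forwarded-For header, which is the general lesson of this level. The code below is an added example, not the challenge's server code: `client_ip_naive` reproduces the pattern the challenge relied on, and `client_ip_trusted` only honours the header when the TCP peer is a known reverse proxy, taking the address that proxy appended rather than whatever the client wrote. The host table and proxy address are constructed values.

```python
import ipaddress

# Constructed values: the addresses the check admits, and the reverse proxy in front of the app.
HOST_TABLE = {ipaddress.ip_address("10.0.0.5")}
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def _parse(addr: str):
    """Parse an address string; malformed input yields None instead of an exception."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def client_ip_naive(remote_addr: str, headers: dict):
    """The pattern the challenge relied on: believe X-Forwarded-For, whoever sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return _parse(xff.split(",")[0])
    return _parse(remote_addr)


def client_ip_trusted(remote_addr: str, headers: dict):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    take the address that proxy appended (the right-most entry). Everything to
    its left was supplied by the client and proves nothing."""
    peer = _parse(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer
    hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return _parse(hops[-1]) if hops else peer


def is_authorized(remote_addr: str, headers: dict, client_ip=client_ip_trusted) -> bool:
    """Host-table check, parameterised on how the client address is derived."""
    ip = client_ip(remote_addr, headers)
    return ip is not None and ip in HOST_TABLE


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "10.0.0.5"}
    print("naive check, direct client with forged header:", is_authorized("203.0.113.7", spoofed, client_ip_naive))
    print("trusted check, same request:", is_authorized("203.0.113.7", spoofed))
    print("trusted check, via proxy:", is_authorized("192.0.2.10", spoofed))
```

With more than one proxy in the chain, the rule generalises to trusting exactly as many right-most entries as there are trusted proxies; the header is never evidence on its own.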


diff alternative for Windows

Dear all,

Background: you must be wondering why I am writing this, but believe me, when you have only a Windows environment without internet access it is a hell of a lot more difficult to find the difference between two files.

Scenario: you have two csv/text/xls files with more than 10k lines and you need to find the difference between them. The condition is that you have only a Windows machine, and that too without internet access.

...So after googling on my cellphone I came up with the command called fc, which saved my life ;) from performing too many manual checks by automating the whole task.

Example: we have two files with the data below.

File 1:
This data is same
This data is missing

File 2:
This data is same

Now see how fc finds the difference.

Note: whitespace makes a hell of a lot of difference in the result.


How to get registry value using cmd


While I was working on some automation, I came across a situation where I needed a registry value to validate in a script. So the hunt began; I guessed by simply typing the reg command in cmd, and wow, the command returned something valid.

reg /?

So after looking at the help I understood that either export or query would help me.

The task was to get the firewall state of Windows, so after googling I got the path below.


Then running reg query <path-to-query> got the expected output.

C:\>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\Dom

    DisplayNotification    REG_DWORD    0x1
    DefaultInboundAction    REG_DWORD    0x1
    AllowLocalIPsecPolicyMerge    REG_DWORD    0x1
    AllowLocalPolicyMerge    REG_DWORD    0x1
    DefaultOutboundAction    REG_DWORD    0x0
    EnableFirewall    REG_DWORD    0x0

Simply using findstr gives us the expected output.

C:\>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\ | findstr /i "Enable"

    EnableFirewall    REG_DWORD    0x0

So using reg query you can query any registry key, and using reg export you can export the key to a file.

Below is a quick PowerShell script which verifies the key value.
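The same validation can be done in Python by parsing the text `reg query` prints, so the check works on captured output as well as on a live host. This is an added example (not the post's script): the sample text is the output shown in the post, with the key line assumed to be the DomainProfile key the query names, and the `EXPECTED` baseline is a constructed policy for the example.

```python
import re
import subprocess

# The output shown in the post (key line reconstructed from the truncated command).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    DisplayNotification    REG_DWORD    0x1
    DefaultInboundAction    REG_DWORD    0x1
    AllowLocalIPsecPolicyMerge    REG_DWORD    0x1
    AllowLocalPolicyMerge    REG_DWORD    0x1
    DefaultOutboundAction    REG_DWORD    0x0
    EnableFirewall    REG_DWORD    0x0
"""

# Value lines are indented; the key path line is not.
_VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Turn `reg query` output into {name: (type, value)}; DWORD/QWORD hex becomes int."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name, kind, raw = m.groups()
        value = int(raw, 16) if kind in ("REG_DWORD", "REG_QWORD") else raw
        values[name] = (kind, value)
    return values


def query_key(key: str) -> dict:
    """Run reg query on a Windows host and parse it (the offline demo does not call this)."""
    out = subprocess.run(["reg", "query", key], capture_output=True, text=True, check=True).stdout
    return parse_reg_query(out)


def verify(values: dict, expected: dict) -> list:
    """Compare parsed values with {name: expected_value}; return readable mismatches (empty = pass)."""
    problems = []
    for name, want in expected.items():
        if name not in values:
            problems.append(f"{name}: missing")
        elif values[name][1] != want:
            problems.append(f"{name}: got {values[name][1]!r}, expected {want!r}")
    return problems


# Constructed baseline: the domain profile firewall must be enabled by policy.
EXPECTED = {"EnableFirewall": 1}

if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_OUTPUT)
    for name, (kind, value) in parsed.items():
        print(f"{name:<28} {kind:<10} {value}")
    print("findings:", verify(parsed, EXPECTED) or "none")
```

On the post's output this reports `EnableFirewall: got 0, expected 1`, which is the finding the script was written to surface; a missing value is reported separately from a wrong one because an absent policy key usually means the policy was never applied.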


Sample Output:



How to verify Windows credential using command line

Hi All,

We were working on an assignment where we had a requirement to verify credentials using the command line.

After fighting a lot with the net command I came to the conclusion that we can map a domain default share using the net use command.

So, a simple script which tries to authenticate to the domain with the given credentials using net use.


Note: the password is not masked in the script.

Sample Output:



How To Get Windows Audit Policy Using Command Line

Hi All,

A quick tip for Windows cmd lovers.

Fetching the audit policy is always a pain; many of us are not aware of the small Windows utility called auditpol.


Auditpol is a simple command line utility which gives us the audit policy in Windows.



Auditpol gives us a complete, detailed view of the audit policy. It follows the syntax below:

auditpol /<command> (get/set/list/backup/restore/clear/remove) [/user:<user>] /category:<category> [/subcategory:<subcategory>]

As first-time users we are not aware of the categories, so the first task is to find them.

auditpol /list /category : this gives us the categories present on the server.
Account Logon
Account Management
Detailed Tracking
DS Access
Object Access
Policy Change
Privilege Use

The same way we can list the subcategories:

auditpol /list /subcategory:"Account Logon"

Now we will see how to fetch the policy values using auditpol:

auditpol /get /category:"Account Logon","Logon/Logoff"

Note: you can list one or more categories as comma-separated values.
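Once the policy is fetched, the useful next step is to compare it with what should be on. The script below is an added example, not from the post: it parses the text `auditpol /get` prints (category unindented, subcategory indented, setting in the right-hand column; the sample is constructed in that layout) and lists every subcategory that falls short of a baseline. The `REQUIRED` baseline is a constructed example, not a recommendation from the post.

```python
import re

# Constructed sample in the layout `auditpol /get /category:...` prints.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
Account Logon
  Credential Validation                   Success and Failure
  Kerberos Service Ticket Operations      No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         No Auditing
"""

_SETTINGS = "Success and Failure|Success|Failure|No Auditing"
_SUBCATEGORY = re.compile(rf"^\s{{2,}}(\S.*?)\s{{2,}}({_SETTINGS})\s*$")


def parse_auditpol(text: str) -> dict:
    """Return {(category, subcategory): setting} from auditpol /get output."""
    policy = {}
    category = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        m = _SUBCATEGORY.match(line)
        if m and category:
            policy[(category, m.group(1))] = m.group(2)
        elif not line.startswith(" "):
            category = line.strip()   # unindented line starts a new category
    return policy


# Constructed baseline: which subcategories must audit, and which settings satisfy that.
REQUIRED = {
    ("Account Logon", "Credential Validation"): {"Success and Failure"},
    ("Logon/Logoff", "Logon"): {"Success and Failure"},
    ("Logon/Logoff", "Account Lockout"): {"Failure", "Success and Failure"},
}


def audit_gaps(policy: dict, required: dict = REQUIRED) -> list:
    """List (subcategory, current setting) pairs that do not meet the baseline.

    A subcategory missing from the output is treated as 'No Auditing', so a
    truncated or filtered dump cannot silently pass."""
    gaps = []
    for key, acceptable in required.items():
        setting = policy.get(key, "No Auditing")
        if setting not in acceptable:
            gaps.append((key, setting))
    return gaps


if __name__ == "__main__":
    parsed = parse_auditpol(SAMPLE_AUDITPOL)
    for (cat, sub), setting in parsed.items():
        print(f"{cat} / {sub}: {setting}")
    for (cat, sub), setting in audit_gaps(parsed):
        print(f"GAP: {cat} / {sub} is '{setting}'")
```

On a real host, feed it the output of `auditpol /get /category:*` captured with subprocess, as in the registry example; the parser itself is the same.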

Happy Auditing.. :)

OverTheWire Natas Solution Level 1-10

After completing Bandit I could not stop myself from playing Natas. This is again a beautiful game, so here we go.

Natas Level 0

Given:

Username: natas0 
Password: natas0 
URL: http://natas0.natas.labs.overthewire.org

After logging in to this page you will get this.

Simply viewing the source gives you the password for the next level.

Password for natas 1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto

Natas Level 1

Given :

Username: natas1
URL:      http://natas1.natas.labs.overthewire.org


After logging in here it shows that right click is disabled; as I don't use the mouse I just pressed Ctrl+U.

It gives us the password.

Key: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Natas Level 2


Username: natas2
URL:      http://natas2.natas.labs.overthewire.org


After logging in here it says nothing is here; the next step is to view the code.

Hmm, here I found something suspicious in /files/pixel, so I just listed the contents of /files.
User.txt gives us the password.

Natas Level 3

Username: natas3
URL:      http://natas3.natas.labs.overthewire.org

After login it says nothing.

After viewing the source code it says "even Google can't find this". The first thing that clicked in my mind was robots.txt, and it was the correct guess.

Here you will get the path to the key.

And the key is here
Key: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ


Natas Level 4

Username: natas4
URL:      http://natas4.natas.labs.overthewire.org

This level is fairly easy: when you log in with the credentials you get this.
It clearly tells us to change the Referer to the given URL; once you change the header you get the key.

Key: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq


Natas Level 5

Username: natas5
URL:      http://natas5.natas.labs.overthewire.org

In this level, once you log in with the credentials, it says you are not logged in.
With a little bit of web app knowledge, the first thought that came to mind was to check the cookie, and it pointed in the right direction: Ctrl+Shift+I > alert(document.cookie) shows loggedin=0; simply changing this to 1 gives the key.

Key: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Natas Level 6
Username: natas6
URL:      http://natas6.natas.labs.overthewire.org


As the level gets higher the game becomes more and more interesting. After logging in it asks to enter a secret, and there is an option which says view source code; I clicked on that and got the clue.

The source code clearly states that the secret is in includes/secret.inc.

Entering that secret gives us the key for the next level.

Key: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9


Natas Level 7

Username: natas7
URL:      http://natas7.natas.labs.overthewire.org

This level also follows the same pattern, but with directory traversal. Logging in shows nothing;
then the source code gives the path to the files,
and navigating to that path gives us the key to the next level.

Key: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe


Natas Level 8

Username: natas8
URL:      http://natas8.natas.labs.overthewire.org

From here they start making the game a little bit tough. After logging in they ask to enter the secret.
When we glance at the code it shows that the secret is encoded using a PHP script, so the next step is to decode it using the same functions: copying that code and changing encode to decode gives us the secret,
and that secret gives the key to level 9.

Key: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas Level 9

Username: natas9
URL:      http://natas9.natas.labs.overthewire.org

The real game begins here; the first hard task starts here. It asks to find words containing a given string.

Looking at the code, what we understand is that a Linux command is executed without any sanitization, so let's get our hands dirty with RCE: simply entering keyword; ls /etc/ gives /etc/natas_webpass/.

Further, cat /etc/natas_webpass/natas10 gives us the key for the next level.

Key: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Natas Level 10

Username: natas10
URL:      http://natas10.natas.labs.overthewire.org

This time they added some sanitization, but the way to solve this is also cool.

The code shows that it will not allow & and ;, but here we see that it uses preg_match, so let's try searching for .* /etc/natas_webpass/natas11 and hurray, we get the key.

Here is the key

Key: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
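Levels 9 and 10 together show why blocking `;` and `&` is not a fix: the term is still spliced into a grep command line, and grep happily takes `.* /etc/natas_webpass/natas11` as a pattern plus an extra file. The code below is an added example, not the challenge's PHP: it contrasts the string-built command with a version that validates the term against an allowlist, passes one argv entry per argument with no shell, and uses `--` so the term can never be read as an option. The dictionary contents in the demo are constructed.

```python
import os
import re
import subprocess
import tempfile

# Allowlist: a dictionary search term is letters and digits only, bounded in length.
WORD_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def is_valid_key(key: str) -> bool:
    """Allowlist validation. A denylist of ';' and '&' (the level 10 approach) still lets
    '.* /etc/natas_webpass/natas11' through, because that input abuses grep's own
    argument handling rather than the shell."""
    return bool(WORD_RE.match(key))


def grep_command_unsafe(key: str, dictionary: str) -> str:
    """Level 9 style: the term is spliced straight into a shell command string (shown, never run here)."""
    return f"grep -i {key} {dictionary}"


def grep_argv_safe(key: str, dictionary: str) -> list:
    """One argv element per argument, no shell involved, and '--' ends option parsing."""
    if not is_valid_key(key):
        raise ValueError("search term must be alphanumeric")
    return ["grep", "-i", "--", key, dictionary]


def search(key: str, dictionary: str) -> list:
    """Run the safe form; grep exits 1 for 'no match', which is not an error here."""
    proc = subprocess.run(grep_argv_safe(key, dictionary), capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # Constructed dictionary file for the demo.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("paradise\nparasol\nscience\n")
    try:
        print(search("para", fh.name))
        for bad in ["hello; ls /etc/", ".* /etc/natas_webpass/natas11"]:
            print(repr(bad), "->", "accepted" if is_valid_key(bad) else "rejected")
    finally:
        os.unlink(fh.name)
```

The validation and the argv construction are independent defences: even if the allowlist were loosened, `--` and the absence of a shell keep the term confined to the role of a grep pattern.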


Enough for today; I will write up the remaining levels tomorrow....

Stay tuned
