Status update:
Seems like this won't be as easy as I thought...
I'm not sure if I talked about this already, but 1 image won't work for all the firmware version. This is because they have their global offset tables and writable/executable memory pages in different places.
I've spent the last 2 days downloading and going through each and every one of them, and categorizing them based on those two things. It seems like we'll have about ~20-30
different images if I'm planning to support everything from 5.3.0 to 5.13.3.
Once I finalized all the groups, I'll make a new post here about them and talk about which version interval each of them represent. I hope we can get enough people to test at least the most popular ones.
I've already made testing kits for some of the groups, but right now the only one that's confirmed to be working is 5.11.1 - 5.13.3.
Quote:
Originally Posted by melksnor
I am really impressed, would love to read a write up on how you got there!
|
Quote:
Originally Posted by NiMa
+1 there. I second melksnor's advice and I look forward to your write up, it seems really interesting!
|
I'm not sure what I'd write about because Yogev Bar-On's Medium post in the OP already explains how the exploit works. It only took this long to make because of my inexperience.
75% of the time I've spent on making this was basically studying stuff I didn't know. I had to learn IDA and Ghidra to reverse engineer the binaries/libraries. I had to deepen my knowledge on memory management. I also learned how to write shellcodes on different CPUs, how ELF files work, etc.
The other 25% was spent on reproducing what Yogev documented, and figuring out some of the details in the places where they - probably intentionally - left some things out.
Maybe I could write about that, but given how dangerous it could be if somebody made malicious images, - like the one Yogev demonstrated the exploit with - I think it's best if I keep quiet on that.