In this write-up, I will detail my walkthrough on exploiting a vulnerable HTTP web server with a non-executable stack using the return-to-libc attack. In addition, the exploit will leverage the Return-Oriented Programming (ROP) technique to chain gadgets found in the libc to (1) invoke mprotect() to modify the stack permission to allow for read/write/execute and (2) execute our shellcode from the stack.

What is Return-to-libc?

If you have done buffer overflow exercises before, you would have known that the technique is to overflow the program with an excessive number of characters, such that your payload overflows the program counter and the contents within…


[Author’s note: SingTel rolled out the new patch (Dual_SIG_1.01.101) to Singapore users after working with Askey prior to this blog post.]

Foreword:

As part of my research, I was surprised to find that the Askey AP5100W Access Point (AP) in my home was vulnerable to WiFi Protected Setup (WPS) offline brute force attacks. This meant that an attacker, within a reasonable distance (up to approximately 50m if a strong device is being used), would be able to identify my WiFi’s WPA2 password, a passphrase consisting of more than 12 characters and with reasonable complexity, in mere seconds!

In addition, the web portal…


TL;DR. Most of us today may have the perception that the use of Wi-Fi (IEEE 802.11) comes with an inherent risk; an attacker in close proximity could perform an attack which continuously disconnects a client from the Wi-Fi network. Such an attack is often termed a non-persistent denial of service attack, as the victim device will regain access to the Wi-Fi network once the attacker stops the attack. However, did you know that the use of the 802.11w or WPA3 standards can help to prevent such an attack from happening? …


[Disclaimer: The goal of this article is to bring academic insights to the functionalities of MCU chips and to shed light on how IoT devices can be susceptible to hardware implant attacks by malicious attackers. The insights shared are purely for learning purposes.

The author and CSG do not condone, encourage, nor intend for the lessons described below to be used for any purposes other than cybersecurity research. The entity and its product mentioned in this article, Pogo Plug, are known to be defunct as of the time of publication. …


TL;DR. If you have used a remote control to change your television’s channel, to power on or off your air conditioner or even your fan, you would have been a user of infrared radiation (also known as IR) technology. IR technology was made available to consumers as early as the mid-1950s. Over the past 70 years, its technology has vastly improved to match modern day digital requirements, which is to accommodate more features and controls for consumers. However, the lack of standardisation of IR technology has forced consumers to consider purchasing a universal remote because the original cannot control related…


TL;DR Disable WPS on your router or access point today! Otherwise, an attacker could gain a foothold into your network and plan for further attacks.

In my own research, I was surprised that my home router was vulnerable to a WPS offline brute force attack. What that means was that an attacker within a reasonable distance (approximately up to ~50m if a strong wireless-capable device was in use) was able to extract my WiFi’s WPA2/PSK of greater than 12 characters in length (with reasonable complexity) in just mere seconds!

I have disclosed the vulnerability to my Telco service provider…


Background:

The use of the Internet of Things (IoT) brings about myriad benefits and is increasingly transforming the way we live, making our lives easier. Traditionally, the control of our home devices, such as turning the lights on or off, boiling water in a kettle or cooling the house with an air conditioner, required manual human intervention. However, with the use of IoT, we can remotely control or even automate these operations in our home.

Imagine your alarm clock ringing in the morning, your room light getting brighter every 2 minutes, your room’s blinds slowly letting the sun in, your water heater…


Background

Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation. Hence, Zigbee is a low-power, low data rate, and close proximity (i.e., personal area) wireless ad hoc network.

ZigBee uses “profiles” to permit different device types created by different manufacturers to exchange control messages interoperably. The most common profile found in our homes/offices is the ZigBee Home Automation Public Application Profile (0x0104).

Home Automation Profile

The Home Automation profile states that manufacturers have to implement the standard interfaces and practices of this profile…

Keith Tay

Cyber-Enthusiast | IoT Specialist | Penetration Testing | Red Teaming