- April 18, 2021 at 10:25 pm #384658
I’m currently writing my Bachelor Thesis and I’m stuck in one problem.First a bit of context: The aim of my thesis is to find vulnerabilities in IoT web interfaces automatically.My first step is reading the init file and find how the web server gets started, what are the configuration files used and what directories are used. I know there are some firmwares that the init file is a simple bash script, but some of them are compiled code.
Here is the information I have of one of the init files after using the file command:
ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
Here are the things I’ve tried so far:
– Look at source code of
→ Firmadyne, FirmAE, FirmAFL and Firmfuzz
→ Try and find the code that parses the init from the firmwares in order to apply it to finding how to start httpd daemon
– Try and understand directly the init file
→ All of the init files are a ELF executable (either ARM or MIPS)
→ Utilities used to try and read the init file
⇒ strings, readelf, dumpelf
• Found some interesting functions that start/stop the httpd daemon
• Reverse engineered the init file
• Found a start_httpd function, but I’m not experienced enough to understand the reverse engeneered code
– Looked at rc.d scripts
→ rc.thttpd: There is a start and stop function
⇒ The directories and config files aren’t where the script searches. Probably directories created after init executes
(These are my notes so sorry for the formatting)
I’m not sure if I’m taking a wrong approach for emulating the web interface, but I’m really stuck and can’t continue on without this. So any resource or any little help will be appreciated.
PS: if there is another subreddit where I should post this I can definitively post it there 🙂
You must be logged in to reply to this topic.