DNS Remote Code Execution: Finding the Vulnerability 👾 (Part 1)
Рет қаралды 284,529
Күн бұрынLearn tricks and techniques like these, with us, in our amazing training courses!
flashback.sh/training
In 2019 and 2020, we DOMINATED the router Wide Area Network or WAN category in the Pwn2Own hacker competition. In this category, hackers attack network devices with previously unknown vulnerabilities, from external networks such as the Internet.
Unfortunately, by 2021 our competitors reversed engineered our techniques, and the game was up.
Today, we are starting a video series where we will show you our tips, tricks and techniques to find and exploit WAN vulnerabilities in network devices. And we're starting with a beautiful DNS exploit that got us $20,000 in prizes.
Let's get ready to PWN!
In this video, we will tell you the story of how we found CVE-2020-10881 in the Pwn2Own Tokyo 2019 hacking competition and present our Game Plan for exploiting it :-)
00:00 - Intro
00:50 - WAN vs LAN
03:12 - Target Introduction and Recon
05:23 - Finding an Open Port and Fuzzing It
07:48 - Quick Look in Ghidra for Crash Investigation
10:38 - What is conn-indicator Doing?
12:30 - DNS Protocol
17:50 - A Deeper Look in Ghidra
20:33 - DNS Packet Parsing and the Vulnerability
24:51 - Radek's Evil Game Plan
28:03 - Our Training
Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.
~ Flashback Team
flashback.sh
/ flashbackpwn
Background track: "Hackers" by Karl Casey @WhiteBatAudio
@aetheralldev Жыл бұрын
I love how this video starts by explaining what LAN is, and 2 minutes later it's binary reverse eng
@xephael3485 8 ай бұрын
Yeah it goes from basic concepts to insanity and no time at all
@spookycode 5 ай бұрын
0-100 really fast
@lexolexoh Ай бұрын
A fun roller coaster indeed
@user-mj8bg3fw8w 20 сағат бұрын
Its a video about finding vulnerabilities. You can't find vulnerabilities without reverse engineering and looking at the underlying code/machine instructions. Otherwise you are just a noob who uses templates based on other peoples work.
@thisisreallyme3130 11 ай бұрын
Great format. This is so clearly described and spoken that I listened to it a SECOND time, as a “podcast”. Thanks for going that extra “kilometer” and describing what’s on-screen.
@adama7752 Жыл бұрын
Excellent documentation and walk through. I love your stuff.
@user-pv5fc7dq9x Жыл бұрын
Can't wait to see the detailed analysis of Part2.
@twitchtwitch9006 Жыл бұрын
keep up the great work. sometimes people feel like so many things are common sense and dont explain the things that help people understand stuff. thank you for such a detailed video
@swaggington Жыл бұрын
Waiting for part 2! Amazing work!
@DasIllu Жыл бұрын
When you showed your "Fuzzer" i totally lost it. Haven't had such a good laugh in years in this topic. But if i think about it some more, it is just about perfect. Easily accessible (but not perfect) entropy to cause spasms in badly written code. Being more or less available on any machine with and OS (no, Windows is not an OS, it's malware) means you can do preliminary tests even in absence of your "fav tools".
@antiquark6253 Жыл бұрын
I didn't get the joke :( was the netstar + grep somehow the fuzzer? Bc it looks it's only returning a specific line of Info from the previous, full, netstat cmd. Not seeing the usefulness unless 'conn' is supposed to be significant and understood as the grep string prior to beginning
@DasIllu Жыл бұрын
@@antiquark6253 piping /dev/urandom into a program was the fuzzer iirc. Urandom generates a never ending stream of random bytes. And like a thousand monkeys with a thousand typewriters, it will eventually come up with a sequence that breaks the program under test.
@antiquark6253 Жыл бұрын
@@DasIllu oh I see now, the multi tiled terminals had me confused to what he was referring to, but I never thought to use nc that way. Very cool trick thx for illuminating that
@0x0456 Жыл бұрын
Glad to see you back :)
@-Ncrypt Жыл бұрын
Incredible work. I'm blown away to see this entire research from start to finish, including the thought process. Well done. I hope to one day be able to do what you do!
@silfvro1963 Жыл бұрын
Awesome stuff! waiting for the 2nd video.
@jaopredoramires Жыл бұрын
Hyped for the second part, hope it comes soon!
@soaphornseuo8630 Жыл бұрын
This is what I have been waiting for a long time
@snowdaysrule Жыл бұрын
I don't think I've ever said "Oh my God you can do that?!" so many times while watching a video haha. Amazing stuff
@Mr_Magnetar_ Жыл бұрын
w8 for second part. Thanks!
@Thomas0x00 Жыл бұрын
So awesome that you guys share this knowledge, really, keep up the great work!
@blvckgames3381 Жыл бұрын
hell I really appreciate what this guys are doing, because I don't understand 70% of what they are talking about. There is soooo much to learn and it seems scary 🤯
@dineshvlog369 Жыл бұрын
Excellent documentation we want 2part😊
@0xdefensive Жыл бұрын
This is what we are looking for, nice job . Keep it up. Happy hacking
@XYZ56771 Жыл бұрын
Love your voice, is so soothing for teaching/learning. Thanks!
@hassan.canada Жыл бұрын
I appreciate every video in this channel, This is very useful. Thank you, guys.
@yourlinuxguy 10 ай бұрын
Nice video, added this to my watch list, will comeback and share my thoughts, for the time being its time to work.
@PwnySlaystation01 Жыл бұрын
Awaiting part 2!
@Gabriel-kz8ns Жыл бұрын
Amazing work... !
@RealCyberCrime Жыл бұрын
I’m thinking about making a similar video but mine are done in documentary format‼️
@zeekertron 2 ай бұрын
Amazing video. Subscribed
Жыл бұрын
Waiting for part 2!
@zhykollJ Жыл бұрын
Thanks so much, we are learning! 😍
@flrn84791 Жыл бұрын
Can't wait for part 2! :)
@FlashbackTeam Жыл бұрын
It should be out very soon. We are on the last stretch in recording.
@comosaycomosah 11 ай бұрын
lmao i love these videos you two are relatable yet much smarter...ive learned quite abit watching you guys thanks💯
@zhengren8461 Жыл бұрын
This is the most realistic and valuable hacker video I have ever seen
@dpk3090 Жыл бұрын
Best hackers from pwn2own 😊
@memy4460 Жыл бұрын
After the first 30 seconds, I subed and liked the vid.
@tabycatkitty4126 Жыл бұрын
Crazy ammount of research, good job
@siolagetsirave2311 Жыл бұрын
Hi. I’m Japanese, and I could understand your video because of your very smart and cool presentation. Thank you for uploading this video! (I’m sorry about being not good at English.)
@bnk28zfp Жыл бұрын
thank you for your hard work!!!!
@hacorial Жыл бұрын
You are a legend people. Proud of taking your courses.
@FlashbackTeam Жыл бұрын
We're not affiliated with TryHackMe and have not developed any courses or tutorials for them :-) Our courses are developed and taught by us privately, check flashback.sh/training
@johnybonny8262 Жыл бұрын
Best series ✨
@Thattipp Жыл бұрын
Smart fridge 😂 01:32
@khanhtaquang5204 Жыл бұрын
Very appreciate your sharing
@brotatobrosaurus5411 Жыл бұрын
Regardless of the exploit, it's pretty disturbing that stock router firmware is spamming DNS requests to arbitrary commercial domains, just to blink an LED light...
@g4t375 Жыл бұрын
LETS GOOOOOOOOOOOOOOO i love yall
@IIIw2 Жыл бұрын
i have been trying to get into this for the long time. i feel like i don't understand programming which makes hacking so difficult. i love your moto at the end. i love the training at the end you talked about. i need to spend a lot more time getting a better understanding of programming so i can understand how to do what your trying and make money ethical hacking.
@M4D4F4K4. Жыл бұрын
The chances are slim to none unless you get a degree lol although they hire people who don’t have one, they are talented ones who just moves to action when others thinking how to get into this 😂
@IIIw2 Жыл бұрын
@@M4D4F4K4. i am hopeless. i will figure something out.
@Ghx0st- Жыл бұрын
Can't wait until the second part pops out. I really want to hit the ground running with this kind of exploitation
@MykolaTheVaultDweller Жыл бұрын
Wooowww amazing!!!! But how did you run MIPS executable on PC? Or you we're was on target via ssh?
@alvinrock7190 2 ай бұрын
Thanks a lot!
@tonycamposmejia7024 Жыл бұрын
Thanks for sharing
@alimustafa2682 Жыл бұрын
Amazing !!
@olivierlasne2346 Жыл бұрын
Thank you for this
@harbibo Жыл бұрын
what a nice research
@RandomGeometryDashStuff Жыл бұрын
16:59 does offset to name point to start of length+string or can if point to another compression mode?
@davidsantos1630 Жыл бұрын
The best Pedro.
@squid13579 Жыл бұрын
Vamos 🔥🔥🎉
@vaisakhkm783 Жыл бұрын
Your thumbnail is shokingly un clickbaity for sucha good video...
@jboss1073 Жыл бұрын
If the CPU used by a server had as its lowest-level language a managed language, say for instance a Lips CPU, where there is no memcpy and other such potentially bug-infested C code behind the Lisp code, then how would you find a vulnerability?
@devanshujain3222 Жыл бұрын
Found Your channel from @liveoverflow Great Content 🙌🙌
@duntarigaming7624 Жыл бұрын
Thats another lvl...
@kopuz.co.uk. Жыл бұрын
just wondering, what firmware and version did the router have installed?
@onlyplaysveigar7241 Жыл бұрын
Can you link the video you recommended that we watch on the beginning of the video?
@matthewbascom Жыл бұрын
Nice presentation. You touched on a couple points that are just outside my full understanding. Specifically, at the segmentation fault, what makes a memory address "unmapped". Is it unmapped because it is outside the allocated stack frame? Anyway, really nice work! Thank you.
@FlashbackTeam Жыл бұрын
Hi Matthew, glad you liked the video! You are correct. When a program starts, it allocates ("maps") memory ranges for the stack, the heap, libraries, the executable code, etc. These regions are not contiguous in memory. For example let's say a stack of 0x1000 in size, mapped in memory starting from 0x10000, which means its range is 0x10000 to 0x11000. Then we have a heap of size 0x1000, which is mapped at 0x12000 to 0x13000. In this example, if we try to access memory at 0x11001, it will cause a segmentation fault, as that memory is not mapped to either the heap or the stack. This was exactly what happened in the example in the video, albeit with different (more realistic) addresses.
@fullpower8382 11 ай бұрын
I have a Question for Experts what I can not extract from that what is. My Provider had a Damage in a Knot where a Car crashed in.... first the internetconnection was lost, a few Minutes....after That it was ok for a few Minutes.... then it crashed again and was a longer Time out of Order. Since that I can not connect my Handy and my TV but every other Device works as usual. One Thing is that my Handy and the TV dont find the Port anymore... How is that possible?
@augusto256 Жыл бұрын
This is 💎
@noredine Жыл бұрын
Seeing my exact router in this vid is funny and terrifying
@user-ju8km5hl8e Жыл бұрын
The best
@Dropshock20XX Жыл бұрын
The jump scare at 1:21
@nickmalone3143 Жыл бұрын
What toolsets(s) are you using ie caller??
@maxxxb4uh4us80 Жыл бұрын
Isso sim é qualidade parabéns
@jheimissantos8682 Жыл бұрын
verdade
@learnprogrammingwithsam5080 Жыл бұрын
this is cool. what O.S are you using though
@sas408 Жыл бұрын
TP-Link be like: - Unit testing? Nah bro, we in China trust each other
@kurtlester7613 Жыл бұрын
Thanks this was very helpful! I wonder why they used DNS instead of ICMP? Surely DNS was never intended for such things?
@khatharrmalkavian3306 Жыл бұрын
More and more places blocking ICMP these days. Moreover, even if they wanted to ping a well known CNAME, it would still require a DNS query, so just doing the query is more efficient, since it's only checking for connectivity.
@lookitsahorner Жыл бұрын
It's shocking how it's making unsolicited DNS queries for random domains for completely unrelated companies. Concerning. If I was watching the WAN and saw these random requests coming from a router, I'd be concerned it was compromised in some way, not operating normally with stock firmware...
@lukasandresson3990 Жыл бұрын
Ghidra makes it easy to reverse engineer. You would think there would be standard practices on operational flow that prevents the behaviour. Standard Libraries for dns handling.
@FlashbackTeam Жыл бұрын
conn-indicator needs to know when it has network connectivity, and the programmers chose this way to verify it. This is normal, and in this specific case quite benign in our opinion, as the DNS domains it is trying to query are well known. The mistake here was to make their own DNS parser (why TP-Link? WHY???). They could have used a shell script and standard utilities for checking connectivity, and a separate binary for controlling the LED lights! If this makes you worried, then have a look at what your phone, Windows or MacOS computer is doing for the same connectivity checks, without any user program running or any kind of user interaction, you will be VERY surprised 🙈
@friedrichhayek4862 11 ай бұрын
@@FlashbackTeam As a Linux user, no idea how it does the check, likely it will not be google.
@thecloudterminal Жыл бұрын
This is so cool and amazing !
@cleatus232 Жыл бұрын
It seems almost impossible for a regular person to be able to protect themselves over someone accessing their computer or phone. After having all of my data stolen from a big tech company it has been so difficult to feel safe.
@sanfordfloridarepairs9668 Жыл бұрын
I have no clue wtf your saying half the time but, I still watch hoping something will stick. something better than nothing, right? I love hearing the actual thought process of the hack as if you're going threw it for the first time. I like this very much.
@JontheRippa Жыл бұрын
Wow 😮👍👍👍❤️🔥
@antiquark6253 Жыл бұрын
At 6:50 you mention that you're using gdb while having a laugh for your buddy who uses a 'lame java's one, were you referring to ghidra? Lol
@Byteswap Жыл бұрын
Anybody knows which code editor he is using there?
@sinancetinkaya Жыл бұрын
Vendor-supplied router firmwares that use ancient kernel and code is commonly recognized to be insecure. This is why I always use OpenWRT
@georgewbushcenterforintell147 Жыл бұрын
Why KZbin am recommended video this me not know but watch interesting brain capacity limited open to expansion thank you I will sub
@Brather2 Жыл бұрын
I won the last 3 years WASP competition, but my method for doing this cannot be disclosed because of the damage it will cause, here is a sample of what i know: bluetooth follows the standard made by cisco on their routers where you make one the master the rest just follow. the same applies in Bluetooth yet here the clients that connect allow you root access to them as the technology defined.
@antiquark6253 Жыл бұрын
I feel like $20k is a paltry sum to pay hackers for a hardware (firmware?) Bug on a device sold to hundreds of thousands of people
@Ivo-- Жыл бұрын
Part 2 when? :D
@RandomGeometryDashStuff Жыл бұрын
why does conn-indicator need to parse dns response? can't it just receive response, ignore contents, turn on LED?
@FlashbackTeam Жыл бұрын
How would it know it received a valid response to its request if it doesn't parse it?
@Dahlah.FightMe Жыл бұрын
Mantap :D
@man0warable Жыл бұрын
It didn't occur to me until watching this video, but AI would be amazing at reverse-engineering like this. Renaming functions and variables and creating comments based on context is already so close to how AI models interpret code.
@skeeberk.h.4396 Жыл бұрын
Catch up, Ppl been doing this ever sense chatgpt hit the streets
@maktiki Жыл бұрын
AI has not catched up to thinking like this.
@skeeberk.h.4396 Жыл бұрын
@@maktiki Lol , Yes it did, There plenty of Plugins that do just That Already
@azurescenss Жыл бұрын
I feel like half of the hacking attempts at this point are *most likely* made by AI botnets that are programmed to execute these types of attacks using rogue / zombie ip's that operate on virtual machines that can't be traced.
@skeeberk.h.4396 Жыл бұрын
@@azurescenss 💀🧢
@azizamanaaa6006 Жыл бұрын
Please release a course in hacking please i want to learn or atleast link a good course that is useful to learn deep hacking please!!
@1337BR3AK Жыл бұрын
🖤
@ChuckNorris-lf6vo Жыл бұрын
Samsung Qualcomm mobile dead boot unbrick, can you 'hack' it ?
@IIIw2 Жыл бұрын
i watched the video, but i feel sad i am understanding very little. i didn't know you had a real world hacker course.
@FromRootsToRadicals_INTP Жыл бұрын
Excellent on how to also think it up. Not just run some tools.
@NIKHIL-yl1ws Жыл бұрын
Which OS you are using?
@FlashbackTeam Жыл бұрын
Pedro prefers Debian, and Radek likes Ubuntu more.
@zakariahmimssaelfakir3325 Жыл бұрын
What knowledge should i have to understand this video ??!!
@zeeshawnali4078 Жыл бұрын
Where is part 2?
@eyesoffloraandfauna8728 Жыл бұрын
Is it possible to hack any website without getting caught?
@draxler.a Жыл бұрын
we're waiting for the part 2 for 2 week 😭😭
@huskytail Жыл бұрын
Just came here to find it but I will have to join the queue waiting for part 2 😅
@draxler.a Жыл бұрын
@@huskytail 3month of waiting im not interested anymore i well unsubscribe they don't respect us ....
@huskytail Жыл бұрын
@@draxler.a I must confess I had even forgotten about it.
@mouncleispronameAchrafyemlahi Жыл бұрын
DAYRIIN FIHA KHOBARAAAAA2 WLA
@abdelhamidnaceri9431 Жыл бұрын
WAYLI LA RAHOM MACHI KHOBARA2
@LifeChanger_._ Жыл бұрын
I do not understand, so you need to hack the router physically before you can do all this right? If true, how when you don't have access to routers in other places.
@khatharrmalkavian3306 Жыл бұрын
This is not the attack. This is the research for the attack.
@_wanteed8618 Жыл бұрын
looks like dns reading memory overflow
@markc6714 Жыл бұрын
Just another example of cops thinking they're above those they're supposed to serve
@wasekaug Жыл бұрын
Watching this makes me feel mad and dumb. This is like an art that I just can't seem to get. How do you learn all of this?!
@FlashbackTeam Жыл бұрын
In our course :D But honestly, if you don't know the basics of assembly, scripting and Linux command line, you will get lost. The best book to learn reverse engineering ("Reverse Engineering for Beginners") is completely FREE: beginners.re/ Once you master the basics, come to our course and we will teach you how to find and exploit vulnerabilities in real embedded devices!
@wasekaug Жыл бұрын
@@FlashbackTeam thanks for this, I will definitely check it out
@53buahapel Жыл бұрын
🤓🤓🤓🤓
SmashCrush! Arabic
Рет қаралды 36 МЛН
BSides Prishtina
Рет қаралды 189 М.
DEFCONConference
Рет қаралды 315 М.
Technically Unsure
Рет қаралды 76 М.
ГЛАЗУРЬ СТЕКЛО для iPhone и аксессуары OTU
Рет қаралды 6 МЛН
ProTech
Рет қаралды 45 М.