Saumil Shah: The ARM IoT Exploit Laboratory

Presented By: Saumil Shah

ARM has emerged as the leading architecture in the Internet of Things (IoT) world. The all-new ARM IoT Exploit Laboratory is a fast-paced, 3-day, intermediate-level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM-based Linux systems and IoT devices.

The class concludes with an end-to-end “Firmware-To-Shell” hack, where we extract the firmware from a popular SoHo router, build a virtual environment to emulate and debug it, and then use the exploit to gain a shell on the actual hardware device.

The 3-day course will take place on the 11th, 12th & 13th September 2017 at etc venues Marble Arch.

Cost is £1,950 (inc VAT). Buy your place in our shop now.

Learning Objectives

  • Introduction to the ARM CPU architecture
  • Exploring ARM assembly language
  • Debugging on ARM systems
  • Understanding how functions work in ARM
  • Exploiting Stack Overflows on ARM
  • Writing ARM Shellcode from the ground up
  • Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
  • Introduction to Return Oriented Programming
  • Bypassing exploit mitigation on ARM using ROP
  • Practical ROP Chains on ARM
  • An introduction to firmware extraction
  • Emulating and debugging a SoHo router’s firmware in a virtual environment
  • “Firmware-To-Shell” – exploiting an actual SoHo router
  • The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.

Course Outline

Day 1:

  • Introduction to the ARM CPU and ARM assembly language
  • Debugging on ARM systems
  • Understanding how functions work in ARM
  • Exploiting Stack Overflows on ARM
  • EXERCISE – ARM Stack Overflows
  • Writing ARM Reverse Shell shellcode from the ground up
  • Shellcode optimization and avoiding NULL bytes
  • EXERCISE – Embedded Web Server exploit

Day 2:

  • Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
  • Introduction to ARM Return Oriented Programming
  • Bypassing exploit mitigation on ARM using ROP
  • ARM ROP Tool
  • Practical ROP Chains on ARM
  • EXERCISE – Exploit featuring ARM ROP Chains
  • Bypassing ASLR
  • EXERCISE – End to end exploit with ASLR and XN/DEP bypass

Day 3:

  • An introduction to extracting firmware
  • Emulating and debugging a SoHo router’s firmware in a virtual environment
  • “Firmware-To-Shell” – exploiting an actual SoHo router
  • EXERCISE – Working SoHo Router exploit in an emulated environment
  • EXERCISE – Attacking a D-Link DIR-880L ARM Router – from firmware to shell

Target Audience

  • Past Exploit Laboratory students who want to take their elite exploitation skills to the ARM platform.
  • Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
  • Red Team members, who want to pen-test custom binaries and exploit custom built applications.
  • Bug Hunters, who want to write exploits for all the crashes they find.
  • Members of military or government cyberwarfare units.
  • Members of reverse engineering research teams.
  • People frustrated at software to the point they want to break it!

Student Requirements

  • A conceptual understanding of how functions work in C programming
  • Knowledge of how a stack works, basic stack operations
  • Familiarity with debuggers (gdb, WinDbg, OllyDbg or equivalent)
  • Not be allergic to command line tools.
  • Have a working knowledge of operating systems, Win32 and Unix.
  • Have a working knowledge of shell scripts, cmd scripts or Perl.
  • If none of the above apply, then enough patience to go through the pre-class tutorials.
  • SKILL LEVEL: INTERMEDIATE (leaning towards advanced)

Pre-Class Tutorials:

The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class:

a) Operating Systems – A Primer
http://www.slideshare.net/saumilshah/operating-systems-a-primer

b) How Functions Work
http://www.slideshare.net/saumilshah/how-functions-work-7776073

c) Introduction to Debuggers
http://www.slideshare.net/saumilshah/introduction-to-debuggers

What to Bring

  • A working laptop (no Netbooks, no Tablets, no iPads)
  • Intel Core i3 (equivalent or superior) required
  • 8GB RAM required, at a minimum
  • Wireless network card
  • 40 GB free Hard disk space
  • If you’re using a new MacBook or MacBook Pro, please bring your dongle-kit

Software Requirements

  • Linux / Windows / Mac OS X desktop operating systems
  • VMware Player / VMware Workstation / VMware Fusion MANDATORY
  • Administrator / root access MANDATORY

Students will be provided with

Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a “Live Notes” system that provides a running transcript of the instructor’s system to all the students. Our lab environment, plus about 700MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.

About the Trainer

Saumil Shah is the founder and CEO of Net-Square, providing cutting-edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like Black Hat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack In The Box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, travelling around the world and taking pictures.

Instructor’s Contact Info:
Saumil Udayan Shah
CEO, Net-Square Solutions Pvt. Ltd.
saumil@net-square.com
Twitter: @therealsaumil

Book your 44CON 2017 training course now!