Emulate it until you make it! Pwning a DrayTek Router before getting it out of the box
Hacking routers is a well covered topic, but what about finding an RCE without even having the device itself?
Through a mix of static reversing, function emulation and full firmware emulation, I defeated many layers of compression, encryption and weird abstraction to eventually find a pre-auth RCE affecting hundreds of thousands of routers from DrayTek.
Using the proprietary DrayOS operating system, these devices are commonly found in small- to medium-sized businesses. In the last couple of years, some other models have also been known to be the target of exploits in the wild.
If you’re curious about how to approach these devices, come to this talk where I’ll share the process and techniques used to unpack the firmware, emulate the useful bits, and write an exploit that resulted in the remote & unauthenticated takeover of a device purchased for the occasion.
Philippe Laulheret is a Senior Security Researcher on the Trellix vulnerability research team. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them to behave in interesting ways. Philippe has presented multiple projects covering hardware hacking, reverse engineering and exploitation at DEF CON, Hardwear.io, Eko Party, Recon, and more. In his spare time, Philippe enjoys playing CTFs, immersing himself in the beauty of the Pacific Northwest, and exploring the realm of Creative Coding.
Philippe holds an MSc in Computer Science from Georgia Tech and an MSc in Electrical and Computer Engineering from Supélec (France).