[angr] Inquiry on applying Angr to finding backdoor of some firmwares.

Yan zardus at gmail.com
Tue Mar 8 00:16:04 PST 2016


Hi Dongwoo!

Sorry for the laggy response; we've been a bit busy lately, but will try to
get back to you as soon as we have a chance to look at that firmware!

- Yan

On Wed, Mar 2, 2016 at 11:12 PM, Dongwoo Kim <freefreek at gmail.com> wrote:

> Hello,
>
> I'm writing to get some information about Angr.
>
> First of all, I'd like to say that you have made a great tool set for
> binary analysis. I'm especially interested in finding backdoors in firmware,
> like the example 'fauxware'. I have installed Angr and tested it with
> fauxware. It works fine, which makes me excited.
>
> However, I have faced some problems while applying it to some binaries
> that have already-known backdoors. I know that it is because I don't
> understand how Angr works inside. I think I need some time to understand
> it.
>
> Before I dig into it, I'd like to ask you how to use Angr to find the
> backdoor in the attached binary, which belongs to the firmware of an access
> point made by a Chinese company. It was reported in 2014. (
> http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
> )
>
> I extracted the problematic binary from the firmware. You can easily find
> the backdoor "netcore" in the call_mptlogin function, which allows for remote
> login.
>
> At first, I tried to apply Angr to this binary by using the fauxware
> example, but I failed. I've attached solve.py that I modified as well.
>
> I have browsed all the examples but I couldn't get the information that I
> need right now. I hope you figure out what the problem is. I will be a good
> practitioner and I will participate in developing some part of Angr if
> possible. :)
>
> I'm looking forward to seeing your reply.
> Thank you for your time.
>
> Dongwoo Kim