Two ways to dump the firmware of the ZTE ZXHN routers part 1

I have been using a ZTE ZXHN router for several years because it is the router provided by the ISP IPlan in Argentina. Since I generally like to analyze and pwn the things I use in my free time —literally breaking them— I started investigating. This ISP provides at least the following versions of this model for households: F670, F680, and F6600, of which I have used the latter two to develop this research. Nevertheless, this method will likely work for many other versions of the ZTE ZXHN model, or even other devices that meet the conditions that will be outlined in this post.

There are many ways to obtain the firmware. In this post, I will document two methods that I have not read about (although there is surely information available): hot firmware extraction through a vulnerability in the SAMBA service configuration, and extraction via UART, but with a slightly different twist.

Code execution part 1: from exit to system

After a long break from reversing and pwning, I’m getting back into the groove. My mind is gradually getting used to the hustle, and I’m starting to enjoy it. I fondly remember the good times when I played CTF every weekend with the amn3s1a team. Although I barely solved any challenges at the beginning, I enjoyed it and learned that my mind became “quicker” each weekend I played. Many things have changed since 2013 when I played with my team, especially since I spent years professionally exploiting the Windows kernel. Now, I’m attempting to shift my focus to Linux/*os. Therefore, I will try to learn the techniques currently in use, even if they have been known for decades, and this is one of them.

Rakion: Entities and editing cell creatures

Part I: Gamehacking: Rakion, the beginning
Part II: Rakion: Entities and editing cell creatures

A principle of game hacking is that if a value changes, we can scan the memory, find its address, and modify the value arbitrarily. For example, if the player’s health has 64 or 0x100 as its maximum value and the player takes one point of damage, that value decreases by one. This lets us scan the memory and obtain a group of results, then keep scanning that group every time the health value changes, narrowing the results down to a few addresses until we find the address of the player’s health, with the purpose of modifying that value at our whim.

Of course there are variants, and it isn’t the only way, but it’s a good first step.

Identifying vftables through MS's C++ RTTI

Run-Time Type Information (RTTI) is a mechanism that exposes object type information at runtime. It is used to perform safe type casts with dynamic_cast<> and to inspect type information at runtime with the typeid operator and the std::type_info class.

There are several RTTI data structures, but in this post we will look at two of them. Some of their fields are also important for understanding C++ class inheritance relationships, class names, and polymorphism, but those will probably be treated in a future post. For clarity, I’d like to mention that the MSVC 64-bit compiler defines _RTTI_RELATIVE_TYPEINFO by default. In addition, Visual Studio has the /GR compiler option enabled by default, which adds run-time type information.

Bluefrost windows exploitation challenge for Ekoparty 2022

This challenge was made by @NicolasEconomou for Ekoparty 2022, and I really enjoyed trying to solve it. The challenge is a vulnerable server that lets us send it data and control the server’s buffer size, leading to a stack buffer overflow. There are some trivial bugs, but they are only bait for the real way to exploit it: crafting a stack layout for the iret instruction.