Writing Exploits for IoT N-Days?? Zyxel CVE-2023-35138

  • Added 27. 08. 2024
  • 🔥 Firmware Reverse Engineering and CVE-2023-35138 - Zyxel Command Injection
    Video Creator: stigward
    📜 Video Description:
    Introduction to CVE Exploitation
    Today, we'll be analyzing some CVEs listed in an advisory published by Zyxel. It showcases a series of command injection vulnerabilities in one of their NAS drives. We'll be doing some CVE analysis and then crafting an exploit for one of these Zyxel network-attached storage devices. Our goal is to reverse engineer the firmware, pinpoint the root cause of the vulnerability, then craft an exploit.
    When it comes to picking a CVE to research, we typically scour through recent releases, looking for those fitting our skill set and interests. For this tutorial, we've selected a CVE that stands out due to its detailed description and critical impact, which could provide us a fun learning opportunity. The CVE we're looking at specifically is CVE-2023-35138.
    Acquiring and Analyzing Firmware
    The first step is acquiring the firmware of the vulnerable Zyxel NAS device. Firmware is essentially the low-level software that tells the device's operating system how to carry out its tasks. In our case, we've chosen a CVE with available firmware downloads, bypassing the need for hardware hacking or intercepting update traffic. This lets us jump straight into the fun.
    We use tools like Binwalk, designed for interacting with and extracting firmware images. Running Binwalk with the extract flag, we dissect the firmware, revealing its contents piece by piece. This process is like digital archaeology, sifting through layers of data to uncover the secrets hidden within.
    Python Disassembler: github.com/zra...
    BinWalk: github.com/ReF...
    📝 Timestamps:
    0:00 Introduction to CVE Exploitation
    0:27 Selecting a CVE
    1:00 Analyzing CVE Details
    2:04 Downloading Firmware
    2:47 Unzipping and Analyzing Files
    3:03 Using Binwalk for Extraction
    4:04 Exploring Extracted File System
    5:01 Combining File Systems
    6:49 Searching for Vulnerable Function
    8:02 Analyzing Function References
    9:00 Tracing the Vulnerability in Code
    ✏️ Tags:
    #exploitdevelopment #reverseengineering #cybersecurity
    Zyxel CVE-2023-35138
    exploit development
    vuln research
    Zyxel Command Injection Vulnerabilities
    CVE-2023-35137
    vulnerability research
    guidedhacking
    command injection vulnerability
    remote code execution
    zyxel vulns
    reverse engineering
    zyxel exploit
    command injection vulnerabilities
    zyxel exploits
    command injection vuln
    IoT N-days
    Internet of Things Hacking
    IoT Exploits
    IoT Exploitation
    Internet Of Things Exploitation
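
Added example (not from the video and not Binwalk's own code): a minimal sketch of the signature scan behind the Binwalk extraction step described above. It locates embedded file systems and compressed streams by their magic bytes and validates a squashfs superblock to discard chance matches. The signature set and the sample image are constructed assumptions; the page does not say which formats the Zyxel firmware contains.

```python
import struct

# Magic bytes for container formats common in embedded Linux images.
# Assumption: which of these the Zyxel image contains is not stated on the page.
SIGNATURES = {
    b"hsqs": "squashfs (little endian)",
    b"\x1f\x8b\x08": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"\x27\x05\x19\x56": "uImage header",
    b"UBI#": "UBI erase block",
}
SQUASHFS_COMP = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def check_squashfs(blob, off):
    """Validate a squashfs 4.x superblock to weed out chance 'hsqs' matches."""
    if off + 48 > len(blob):
        return None
    (_, inodes, _, block_size, _, comp, block_log, _, _, major, _minor,
     _, bytes_used) = struct.unpack_from("<IIIIIHHHHHHQQ", blob, off)
    if major != 4 or block_size != 1 << block_log or comp not in SQUASHFS_COMP:
        return None
    return {"inodes": inodes, "compression": SQUASHFS_COMP[comp],
            "size": bytes_used}


def scan(blob):
    """Return (offset, description, details) for every hit, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        off = blob.find(magic)
        while off != -1:
            details = check_squashfs(blob, off) if magic == b"hsqs" else {}
            if details is not None:
                hits.append((off, name, details))
            off = blob.find(magic, off + 1)
    return sorted(hits, key=lambda h: h[0])


def build_sample():
    """Constructed image: padding, a decoy 'hsqs' string, a valid superblock, gzip."""
    sb = struct.pack("<IIIIIHHHHHHQQ", 0x73717368, 120, 0, 131072, 3,
                     4, 17, 0, 1, 4, 0, 0, 4096)
    return (b"\x00" * 64 + b"hsqs-not-a-filesystem" + b"\xff" * 43
            + sb + b"\x1f\x8b\x08\x00" + b"\x00" * 16)
```

Calling `scan(build_sample())` reports the squashfs image at offset 128 and the gzip stream at offset 176, while the decoy string at offset 64 is rejected by the superblock check.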
