Exploit Development for MIPS

The course introduces students to exploit development in MIPS processor architecture. Exploit development on MIPS processor hasn’t seen the attention that other architectures such as x86 and ARM got. With the growing IoT devices, we have been seeing many embedded devices with MIPS architecture along side ARM. Exploit development is getting harder and harder with exploit mitigation techniques in place. But, the good news is that it is not impossible to write working exploits as exploit mitigation techniques do not fix the underlying problem in the vulnerable source code. This practical training starts with the basics of MIPS Architecture and slowly moves towards writing own shell code and creating working exploits using Return Oriented Programming for a given target binary. To give a sense of real exploitation, real world examples will be discussed with proof of concept exploits. By the end of this training, students will be able to write Memory corruption exploits for MIPS architecture, understand how Return Oriented Programming can be used in MIPS for modern day exploit development and bypass some of the most common exploit mitigation techniques such as ASLR.

Who Should Attend This Training:

1. Red and Blue Team members, pentesters
2. Anyone interested in MIPS exploitation
3. Anyone interested in IoT and embedded device security
4. Anyone with knowledge in x86 and/or ARM to take it to the next level

Prerequisites and Requirements:

1. Familiarity with debuggers (gdb, WinDBG, OllyDBG or equivalent) is recommended to have but not a must
2. Familiarity with command line tools
3. Working knowledge of Python or Perl
4. A laptop with VMWare Player/Workstation/Fusion installed
5. 8GB RAM required at a minimum
6. Wireless network card
7. 40GB free Hard Disk space

This two day course is divided into 4 high level parts.

1. Fundamentals of MIPS covering its assembly language, calling conventions etc.
2. Writing MIPS shell code, which can be used later in the training. We will write several different shell code (exit, write, execve, reverse tcp etc) and fine tune them to avoid bad characters such as null bytes.
3. Basics of Stack Based Buffer overflows and exploiting them in MIPS.
4. Bypassing exploit mitigation techniques using ROP gadget chaining and avoiding commonly seen problems such as cache in coherency. Finally an Introduction to heap based vulnerabilities.

Day 1:

1. Introduction to MIPS Architecture
   This section covers the fundamentals of MIPS Architecture, covering calling conventions, instruction formats, CPU Registers etc.
2. An overview of QEMU MIPS setup
   This section covers how the lab set up is done and explains how students can setup their own setup to debug MIPS applications. This section also covers cross compiling and MIPS binary emulation on x86 for debugging.
3. MIPS compared to x86 and ARM
   This section covers how MIPS is different from other processor architectures such as x86 and ARM. We will also discuss the similarities with other architectures. Eg. Both ARM and MIPS have 32 bit length instructions(excluding thumb mode instructions). Similarly, we will compare how MIPS is harder to avoid bad characters compared to ARM.
4. Basics of GDB
5. Basics of MIPS assembly language
   The above two sections let the students run through MIPS assembly programs and students will debug the programs using GDB. This will give them the details of MIPS assembly as well as the taste of GDB if they never used GDB.
6. Introduction to Memory corruption attacks
   This section covers the fundamentals required to understand memory corruption attacks such as Buffer Overflows. This will provide generic details of buffer overflows, which will be practically used in the next section. This section also gives a high level overview of commonly seen challenges specific to MIPS.
7. Debugging MIPS Binaries
   This section lets the students to run through steps such as crashing the applications, getting control over the return address, executing shellcode taken from the internet. This will also give a taste of analyzing core dumps to perform crash dump analysis.
8. Writing MIPS shell code
   This section discusses the details of how one can write MIPS shellcode from the scratch.Students will write different varieties of shellcode (execve, reversetcp)that works. To provide proper understanding of concepts such as syscalls, we will begin with simple shellcode such as exit and write. We will then move towards writing shellcode that can be used in exploits.
9. Avoiding Bad characters
   This section discusses how bad characters can break shellcode and techniques to avoid bad characters while writing shellcode in MIPS.

Day 2:

1. Stack based Buffer Overflows in MIPS
   This section re-visits stack based buffer overflows with the new shellcode students have written. We will enable memory protections to demonstrate that existing exploit will fail and then proceed to the next sections of the training.
2. Ret2Libc in MIPS
   This section discusses how Ret2libc can be used to invoke system() function and obtain a shell.
3. Dealing with MIPS cache coherency
   This section talks about cache coherency which usually breaks the exploits in MIPS. we will discuss techniques such as flushing the cache using return oriented programming. We will discuss the basics here and put it to use in Return Oriented Programming section.
4. Exploit Mitigation techniques
5. Return Oriented Programming
6. Bypassing ASLR
   The above three sections discuss various memory protection techniques and how they work. We will then discuss the loop holes in memory protection techniques and why they are not foolproof. We will discuss some of the techniques to bypass ASLR such as ROP, brute forcing and memory leaks.
7. Introduction to Heap overflows in MIPS
   This section of the training only provides an introduction to Heap overflows by solving a simple crack me.