Linksys E1200(V2)

Project started on 4 Dec 2025

Learning outcomes

  1. Techniques to gather information on hardware without physical access to the device itself

  • Google dorks

    • Release notes, firmware downloads

    • Known CVEs

    • PoCs for the CVEs found

  • FCC

    • Internal photos

    • Identifying the presence of UART interfaces

  2. Hardware interactions

  • Identifying UART and potential GND points (visual inspection)

  • Using a digital multimeter to:

    • Identify GND points

    • Identify specific UART pins

  3. Interacting with basic networking services on the device

  • DHCP

  • Nmap scan

  • cURL, Netcat, etc.

  4. How to gain a shell console from the UART interface + system enumeration

  • Boot logs

  • Firmware and OS versions, along with other useful information

  • Information gathering on a vulnerable binary

  5. Techniques to interact with the device

  • Simple techniques to reclaim memory space on the device

  • Transfer files between the device and the host

  6. Research of a vulnerable binary (from a known CVE)

  • Understand the vulnerability from the CVE description

  • Perform source code and HTTP traffic analysis

  • Perform fuzzing, and analyse the results to help find the entry point of the vulnerability

  7. Understand the constraints and limitations of working with embedded devices, and explore workarounds to develop a working setup for reverse engineering + binary exploitation

  • Patch the binary with custom instructions to control the program flow (breakpoints, infinite loops, etc.)

  • Send a manual SIGSTOP signal to force a "pause"

  8. Understand the MIPS architecture & assembly + reverse engineering and stack-based buffer overflow research

  • Work with exploit tools and techniques: pwn, Ghidra, GDB + gdbserver, objdump, etc.

  • Use our understanding of the MIPS architecture/assembly to analyse registers, memory contents, and many other important concepts

  • Demonstration of the steps taken to generate the final working payload (exploiting the stack-based buffer overflow vulnerability) for remote code execution

  9. Hands-on experience working with well-known, industry-standard applications and tools that cover a wide range of tasks in a typical pentesting workflow

  • nmap, nc, cURL, wget, gdb/gdbserver, dd, etc.

  • Ghidra, Wireshark

  10. Bonus section: persistence techniques from a real-world perspective

  • "backdoor" access that can be reached remotely
