Exploiting a Stack Buffer Overflow on the NETGEAR R6700v3 (CVE-2022-27646) with the Help of Symbolic Execution
This repository is intended to demonstrate some functionalities of Morion, a proof-of-concept (PoC) tool to experiment with symbolic execution on real-world (ARMv7) binaries. We show some of Morion's capabilities by giving a concrete example, namely how it can assist during the process of creating a working exploit for CVE-2022-27646, a stack buffer overflow vulnerability in NETGEAR R6700v3 routers (affected version 1.0.4.120_10.0.91, fixed in later versions).
The repository contains all files (under firmware, libcircled, morion and server) needed to follow along (e.g. scripts to emulate the vulnerable ARMv7 binary) and to reproduce the steps discussed for using Morion. The documentation (under docs and logs), which demonstrates how Morion works, contains the following chapters:
- Setup - Explains how to set up the analysis system (running Morion) and the target system (running the target binary circled).
- Emulation - Explains how to emulate the vulnerable target binary.
- Tracing - Explains how to record a concrete execution trace of the target binary using Morion.
- Symbolic Execution - Explains how to use Morion for analyzing the recorded trace symbolically.
- Vulnerability CVE-2022-27646 - Provides some background information on the targeted vulnerability.
- Exploitation - Explains how Morion can assist during the process of crafting an exploit.
- Morion PoC Tool:
- Defeating the NETGEAR R6700v3:
  - Emulating, Debugging and Exploiting NETGEAR R6700v3 circled Binary:
    - https://medium.com/@INTfinity/1-1-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-1-5bab391c91f2
    - https://medium.com/@INTfinity/1-2-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-2-cf1571493117
    - https://medium.com/@INTfinity/1-3-exploiting-and-debugging-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-a80dbaf1245d
  - NVRAM Emulator:
  - Ready-to-Use Cross-Compilation Toolchains:
  - Other Tools: