Background
Someone I know once told me about a device they purchased at a county fair. It’s a small box that you plug into your TV and hook up to your Internet connection. It’s basically a digital content streaming box (like a Roku), except the seller claimed that you could get any movie or TV show you wanted for free. This supposedly included live television and films that were still in theaters.
CVE-2023-40477
I’ve recently been looking at N-day vulnerabilities in Windows software in an attempt to hone my reverse engineering and exploit development skills. Last month, I read about an interesting bug in WinRAR version 6.22 and below which could result in remote code execution. This bug was assigned CVE-2023-40477. It was discovered by Zero Day Initiative.
When I started, all the information I had to go on came from the ZDI page:
Intro
After recently finishing the Offensive Security OSEE exam, I wanted to start looking at some real-world vulnerabilities in Windows. I had hoped I might find a recently patched vulnerability with an available PoC that could simply trigger the bug. If a PoC wasn’t available, then maybe a blog post somewhere doing a root cause analysis so I could build my own PoC to trigger the bug, and then later attempt to weaponize it.
Background
Check Point Research recently disclosed three security bugs in the Microsoft Windows MSMQ service. The most critical bug disclosed was CVE-2023-21554. They’ve named this bug QueueJumper and claim that it can result in unauthenticated remote code execution.
Recently, a few coworkers discovered some vulnerable systems on their network penetration tests and were trying to find public exploits for this bug. The best they were able to find was this PoC on GitHub.
Aha! I think I figured something out. I did some web searching to see if I could figure out how to identify the firmware entry point address. I found a StackExchange post that mentioned something called a “reset vector”. It sounds like a reset vector is a pointer that the CPU looks at to tell it where to begin program execution. The reset vector location is CPU-specific.
I went back to the Motorola datasheet and searched for information about reset vectors.
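As an added example (not code from the original post), the following script does the lookup described above on a raw firmware dump: it reads the reset vector, turns the address it holds into a file offset, and flags the two failure modes a practitioner runs into (a vector that is all 0xFF, which usually means a blank region or a bad dump, and a vector that points outside the dumped range). It assumes a Motorola 68HC11-style layout (16-bit big-endian vector at $FFFE-$FFFF) and a 32 KiB ROM mapped at $8000; the real CPU and vector address for the KPC 9612+ are not stated here and must come from the datasheet, so both are parameters. The sample ROM image is constructed inline.

```python
"""Locate and decode a CPU reset vector inside a raw firmware dump.

Added example, not from the original post. The 68HC11-style defaults
(16-bit big-endian vector at $FFFE, ROM based at $8000) are assumptions;
pass the values from the target's datasheet for a real dump.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class ResetVectorInfo:
    vector_addr: int             # address of the vector itself
    vector_offset: int           # byte offset of the vector inside the dump
    entry_addr: int              # address the vector points to
    entry_offset: Optional[int]  # offset of the entry point in the dump, or None if outside it
    looks_erased: bool           # vector bytes are all 0xFF (blank ROM or bad dump)


def read_reset_vector(dump: bytes, base_addr: int, vector_addr: int = 0xFFFE,
                      width: int = 2, big_endian: bool = True) -> ResetVectorInfo:
    """Read the reset vector from `dump`, which is mapped starting at `base_addr`."""
    vector_offset = vector_addr - base_addr
    if vector_offset < 0 or vector_offset + width > len(dump):
        raise ValueError(
            f"vector at {vector_addr:#06x} is not inside a dump based at {base_addr:#06x}")
    raw = dump[vector_offset:vector_offset + width]
    entry_addr = int.from_bytes(raw, "big" if big_endian else "little")
    # Convert the entry address back into a file offset; None if the
    # vector points outside what we dumped (RAM, another chip, garbage).
    entry_offset: Optional[int] = entry_addr - base_addr
    if not 0 <= entry_offset < len(dump):
        entry_offset = None
    return ResetVectorInfo(
        vector_addr=vector_addr,
        vector_offset=vector_offset,
        entry_addr=entry_addr,
        entry_offset=entry_offset,
        looks_erased=all(b == 0xFF for b in raw),
    )


def build_sample_rom(base_addr: int = 0x8000, size: int = 0x8000,
                     entry_addr: int = 0xC100) -> bytes:
    """Constructed 32 KiB ROM image for demonstration only.

    Erased (0xFF) everywhere except a stack-setup instruction at the entry
    point (8E 00 FF = LDS #$00FF on the 68HC11, an assumption about what a
    real reset handler starts with) and the reset vector at $FFFE.
    """
    rom = bytearray(b"\xff" * size)
    entry_off = entry_addr - base_addr
    rom[entry_off:entry_off + 3] = b"\x8e\x00\xff"
    vec_off = 0xFFFE - base_addr
    rom[vec_off:vec_off + 2] = struct.pack(">H", entry_addr)
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom()
    info = read_reset_vector(rom, base_addr=0x8000)
    print(f"reset vector @ {info.vector_addr:#06x} (file offset {info.vector_offset:#x})")
    print(f"entry point   = {info.entry_addr:#06x} (file offset {info.entry_offset:#x})")
    print(f"first bytes   = {rom[info.entry_offset:info.entry_offset + 3].hex()}")
    print(f"erased?       = {info.looks_erased}")
```

Once the entry offset is known, that is the address to hand to the disassembler as the initial code location and as the ROM load base; if the vector reads as 0xFFFF or lands outside the image, the dump is incomplete or the assumed base address is wrong, and it is worth re-checking the memory map before disassembling anything.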
After having dumped the firmware for my Kantronics KPC 9612+ TNC, my next thought was to try to disassemble this code with IDA Pro; however, it turns out IDA Pro free edition doesn’t support this architecture. I’m not excited enough about this project to go spend the money on a professional license.
Next I tried Ghidra. I hadn’t used Ghidra before, but it seemed like a good time to test it out.
After working on my WinAPRS exploits, I had a thought that my ham radio TNC (radio modem) could have vulnerabilities built right into the TNC itself. I have a Kantronics KPC 9612+ TNC. I think it originally was released sometime in the 1990s and was finally discontinued in 2020 in favor of a newer model. Mine still works just fine, though. The TNC runs its own little operating system that supports decoding different kinds of packet data.
In early 2021 I took an Offensive Security course to earn my Offensive Security Exploit Developer certification. This course taught me a lot about exploiting memory corruption vulnerabilities in Windows 32-bit programs. It was also a lot of fun.
Aside from security things, I also dabble in ham radio. Most of my experience with ham radio has been through the use of packet radio and other digital modes. Rather than talking to people over the air using voice, I’m sending and receiving data through a computer over the airwaves.