Emulating and exploiting firmware binaries - Vulnerability Warning - Black Bar Safety Net (myhack58)

ID MYHACK58:62201681782
Type myhack58
Reporter Anonymous
Modified 2016-12-05T00:00:00


In a previous article we introduced how to analyse firmware and extract its file system. In this article we go further: how to analyse the firmware's binaries in depth, and then exploit common security vulnerabilities in them. The article uses the following two firmware images:

1. kkeps.bin, the Kankun smart socket firmware, available from http://homedash.org/2014/09/21/firmware-downloads/.
2. DVRF_0.3.bin, the Damn Vulnerable Router Firmware provided by @b1ack0wl (its download address is missing from this copy of the article).

After obtaining the Kankun firmware, the first thing we do is use binwalk to extract the file system from it:

    binwalk -e kkeps.bin

Now that binwalk has extracted the firmware, we can examine the file system for binaries that interest us as analysis targets. As we can see, the sbin/ folder contains several binaries that look custom-developed, since their names start with the string kkeps.

Running firmware binaries built for a different architecture

To interact with these binaries we can either run them through the device's shell (covered in a later article) or identify the binary's target architecture and emulate it. For this we can use the readelf program.

From the readelf output we can see that the binary is built for the MIPS architecture. We need the corresponding qemu program in order to emulate MIPS binaries. This article does not cover installing qemu, since there are already many detailed online resources for that. Once qemu is installed on the system, the next step is to copy the qemu-mips-static binary into the firmware's root folder. Let us first run the busybox binary in the bin folder and see whether it works.
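To make the architecture check and the chroot emulation step above reproducible, here is an added example script; it is not code from the original article or from the Kankun firmware. It reads the EI_DATA and e_machine fields of the ELF header directly (the fields readelf -h reports as "Data" and "Machine"), maps them to the matching qemu-*-static user-mode emulator, and copies that emulator into the extracted root before invoking the binary under chroot exactly as the commands in this section do. The function names, the sample-header builder and the e_machine-to-emulator table are my own assumptions; the headers it builds are constructed test inputs, not real firmware.

```shell
#!/bin/sh
# Added example (not from the original article): choose the qemu user-mode
# emulator for a firmware binary by reading its ELF header, then run it in
# the extracted root under chroot. Function names are hypothetical.

# One byte of FILE ($1) at OFFSET ($2), printed as a decimal number.
elf_byte() {
    od -A n -t u1 -j "$2" -N 1 "$1" | tr -d ' \n'
}

# Print "little" or "big" from EI_DATA (byte 5 of the ELF identification).
# This is also the endianness to select when loading the file in a disassembler.
elf_endianness() {
    case $(elf_byte "$1" 5) in
        1) echo little ;;
        2) echo big ;;
        *) echo "unknown EI_DATA in $1" >&2; return 1 ;;
    esac
}

# Print the qemu-*-static binary that runs FILE, "none" for native x86/x86-64,
# or fail for architectures this helper does not map.
qemu_for_elf() {
    f=$1
    magic=$(od -A n -t x1 -N 4 "$f" | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || { echo "not an ELF file: $f" >&2; return 1; }
    endian=$(elf_endianness "$f") || return 1
    # e_machine is a 16-bit field at offset 18, stored in the file's byte order.
    b0=$(elf_byte "$f" 18)
    b1=$(elf_byte "$f" 19)
    if [ "$endian" = little ]; then
        machine=$((b0 + b1 * 256))
    else
        machine=$((b0 * 256 + b1))
    fi
    case "$machine/$endian" in
        8/big)       echo qemu-mips-static ;;      # EM_MIPS, big-endian (Kankun)
        8/little)    echo qemu-mipsel-static ;;    # EM_MIPS, little-endian
        40/little)   echo qemu-arm-static ;;       # EM_ARM
        183/little)  echo qemu-aarch64-static ;;   # EM_AARCH64
        20/big)      echo qemu-ppc-static ;;       # EM_PPC
        3/little|62/little) echo none ;;           # EM_386 / EM_X86_64: runs natively
        *) echo "no emulator mapping for e_machine=$machine ($endian-endian)" >&2; return 1 ;;
    esac
}

# Copy the chosen emulator into the extracted firmware root ROOT ($1) and run
# BINARY ($2, relative to the root) there under chroot, as the article does
# with bin/busybox and sbin/kkeps_seekwifi. Needs root; not run by the demo.
emulate_in_root() {
    root=$1; bin=$2; shift 2
    q=$(qemu_for_elf "$root/$bin") || return 1
    if [ "$q" = none ]; then
        echo "$bin is a native binary; no emulator needed" >&2
        return 1
    fi
    qpath=$(command -v "$q") || { echo "$q is not installed" >&2; return 1; }
    cp "$qpath" "$root/$q"
    sudo chroot "$root" "./$q" "$bin" "$@"
}

# Constructed sample input: a 20-byte ELF header with the given EI_DATA ($2)
# and a single-byte e_machine value ($3), written in that byte order.
make_sample_header() {
    dest=$1; ei_data=$2; machine=$3
    {
        printf '\177ELF\001'                                 # magic, EI_CLASS = 32-bit
        printf "\\$(printf '%03o' "$ei_data")\\001"          # EI_DATA, EI_VERSION
        if [ "$ei_data" = 2 ]; then
            dd if=/dev/zero bs=1 count=12 2>/dev/null        # bytes 7..18
            printf "\\$(printf '%03o' "$machine")"           # byte 19: low byte (big-endian)
        else
            dd if=/dev/zero bs=1 count=11 2>/dev/null        # bytes 7..17
            printf "\\$(printf '%03o' "$machine")"           # byte 18: low byte (little-endian)
            dd if=/dev/zero bs=1 count=1 2>/dev/null         # byte 19
        fi
    } > "$dest"
}

# Offline demonstration on constructed headers.
tmp=$(mktemp -d)
make_sample_header "$tmp/mips_be" 2 8    # same shape as the Kankun binaries
make_sample_header "$tmp/mips_le" 1 8
for f in "$tmp/mips_be" "$tmp/mips_le"; do
    echo "$f: $(elf_endianness "$f")-endian -> $(qemu_for_elf "$f")"
done
rm -rf "$tmp"
```

On a real extracted root you would call `emulate_in_root squashfs-root bin/busybox`; the helper refuses native binaries rather than chrooting into them, and its endianness result is the same value you need when a disassembler asks whether the MIPS binary is big- or little-endian.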
Since the busybox binary was compiled for a different architecture, it cannot run directly on our x86 machine, so we get an "Exec format error". Let us try again, this time using qemu-mips-static inside a chroot:

    sudo chroot . ./qemu-mips-static bin/busybox

As we can see, by using qemu to emulate the target architecture we can run these binaries successfully. Now let us try running the kkeps_seekwifi binary from the sbin folder under qemu-mips, again inside a chroot:

    sudo chroot . ./qemu-mips-static sbin/kkeps_seekwifi

Since the binary is named seekwifi, it is probably used to find connections to the device while it is running on the device. Let us check whether it has started some kind of listener on a port on our machine. For this we use netstat, with the command shown below.

Right on cue: it has started a listener on port 50000. Let us see whether we can connect to this port, send some data, and see what the listener receives.

If we then look at the other terminal window, we find that the running binary has received the data sent to it over telnet. So we can emulate firmware binaries built for other architectures and even interact with them while they run. This opens up vast possibilities for penetration testers: as long as we can obtain a device's firmware, we can attack its binaries and verify whether the attack worked, all without the physical device being involved.

Exploiting a stack overflow vulnerability on the MIPS architecture

Here we begin trying to exploit a stack overflow vulnerability in a MIPS binary. We assume the reader has mastered the basic concepts of stack overflow vulnerabilities.
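Before moving on to the DVRF exercise, here is the listener check and the probe from the emulation section above as an added example script; it is not code from the original article. It parses netstat -tulnp output to find which program owns a listening port, polls until the emulated binary has bound its socket (qemu-emulated binaries can take a moment to get that far), and sends one line of data with nc in place of the interactive telnet session. The netstat lines embedded in it are constructed sample output modelled on what the article saw (port 50000 owned by the qemu-mips-static process); the PIDs, the other entries and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): find the port an emulated
# firmware binary listens on, wait for it, and send it a probe.
# Function names are hypothetical; the sample netstat text is constructed.

# Read `netstat -tulnp` output on stdin; print "proto port program" per listener.
# (ss uses a different column layout, so this parser is netstat-specific.)
listeners_from_netstat() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # The port is whatever follows the last ":" of the local address,
            # which also handles IPv6 addresses such as :::50000.
            n = split($4, a, ":"); port = a[n]
            # Only TCP sockets carry a LISTEN state; UDP sockets are simply bound.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # drop the "pid/" prefix
            print $1, port, prog
        }'
}

# Exit 0 and print the owning program if something in the netstat text on
# stdin listens on PORT ($1); exit 1 otherwise.
listener_on_port() {
    listeners_from_netstat | awk -v p="$1" '$2 == p { print $3; found = 1 } END { exit !found }'
}

# Poll the live system until PORT ($1) has a listener, giving up after
# TRIES ($2, default 10) seconds. Needs netstat; not exercised by the demo.
wait_for_listener() {
    port=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        if netstat -tulnp 2>/dev/null | listener_on_port "$port" >/dev/null; then
            return 0
        fi
        tries=$((tries - 1)); sleep 1
    done
    echo "nothing listening on port $port" >&2
    return 1
}

# Send DATA ($3) plus a newline to HOST ($1):PORT ($2) and print whatever
# comes back within 3 seconds; nc stands in for the article's telnet session.
probe_port() {
    host=$1; port=$2; data=$3
    printf '%s\n' "$data" | nc -w 3 "$host" "$port"
}

# Constructed sample of netstat -tulnp output with kkeps_seekwifi running
# under qemu-mips-static, plus unrelated sockets that must be ignored.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN      4242/qemu-mips-static
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1001/cupsd
tcp        0      0 192.168.1.5:42318       203.0.113.7:443         ESTABLISHED 2222/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient'

echo "listeners in the sample:"
printf '%s\n' "$SAMPLE_NETSTAT" | listeners_from_netstat
echo "port 50000 is owned by: $(printf '%s\n' "$SAMPLE_NETSTAT" | listener_on_port 50000)"
```

With the emulated binary running in another terminal, `wait_for_listener 50000 && probe_port 127.0.0.1 50000 hello` reproduces the article's check; whatever the binary prints on receipt shows up in the terminal running the chroot, as it did with telnet.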
For this exercise we use the Damn Vulnerable Router Firmware as the example. The first step is the same as for every firmware: use binwalk to extract the file system. Once the DVRF file system has been extracted with binwalk, the challenge tasks can be found in the squashfs-root/pwnable/Intro folder. The challenge we want to tackle is stack_bof_01. Before exploiting this binary, you first need to disassemble it with IDA. Of course you can also use radare2 or another disassembler; which tool you use depends entirely on your personal preference. In this series of articles we use IDA as our disassembler. Also, when loading the binary into IDA, it is important to set the processor type to MIPS little-endian.
