Reversing the Smarter Coffee IoT Machine Protocol to Make Coffee Using the Terminal.

I love coffee, that’s a fact, and I drink liters of it during the week … I am also a nerd and a hacker, so a few days ago I bought a Smarter Coffee machine on Amazon, basically a coffee machine that you can control over your home wifi network using a mobile application (both for Android and iOS).
The app is really nice: you can set the number of cups you want, the strength of the coffee, etc., then you only need to press a button and wait for your delicious coffee to be brewed.

Since I work from home, most of the time I’m using the computer keyboard, not a smartphone, therefore I wanted/needed a console client for it, something that the vendor never released. So I started reversing the Android application in order to understand the communication protocol and write my own client implementation … guess what? :D

Yep, I can make coffee using the terminal now :D


Autopwn Every Android < 4.2 Device on Your Network Using BetterCap and the addJavascriptInterface Vulnerability.

Recently I’ve been playing with Android’s WebView-based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability (CVE-2012-6636), which affects every device running a version older than Android 4.2.


Using ARM Inline Assembly and Naked Functions to Fool Disassemblers

In this post I want to share a simple trick I learned a while ago; it’s nothing special, but if you think about it, it’s quite nice :)

Sometimes we want to obfuscate/hide strings in our program to make reversing more difficult, and the most common approach is to encrypt them somehow and put them inside binary buffers instead of plain ASCII strings.
One downside of this naive approach is, of course, that once the binary is decompiled, the accesses to these binary buffers are easily noticed by a seasoned reverser, who would assume some sort of obfuscation/encryption/whatever and start reversing the algorithm to deobfuscate the strings in a matter of minutes.

One thing you can do to make his/her life harder (but not impossible) is to embed your encrypted data as code … how?


RuberTooth - a Complete Ruby Porting of the Ubertooth Libraries and Utilities.

Today my Ubertooth finally arrived and I immediately started hacking with it.

I installed its libraries and tools both on OS X and on my Linux virtual machine, and after a while I noticed a few things:

  • The compilation process is not well documented for newer versions of OS X, thus manual code patching here and there is required.
  • Some of the tools are only available for GNU/Linux.
  • Some of the tools are unstable.
  • There’s no way to create my own UberTooth scripts without using C.

Regarding the last point, there is a Python port, but it is incomplete: it lacks most of the features that the native libraries have, so the Ubertooth is definitely not a scriptable device … or maybe not :)

I studied the USB communication protocol implemented inside libubertooth and found out that it is very simple and well implemented, so I started to write some Ruby code (I hate Python!) using the libusb gem, and a new project was born :)


Back From the Grave: ELF32 Universal Command Injector

Just a post about a small piece of software I wrote years ago; I don’t want it to be lost.
The concept itself was quite simple: you give it any ELF executable as input and the software searches for space to inject a shellcode of its own, which executes a custom command.
The resulting executable will continue to work as expected, but it will also spawn the command with an execl call.


How to Hook Win32 API With Kernel Patching

This post is about SSDT patching to perform API hooking within the kernel instead of the classic user-mode hooking using remote threads and things like that.
SSDT hooking is, as far as I know, the lowest-level technique to replace/hook/intercept/whatever APIs, and for this reason it has been used for years both by malware writers and AV vendors.
I’m using the past tense due to the fact that in 2005 Microsoft introduced Kernel Patch Protection (also known as “PatchGuard”) for 64-bit systems, making this technique ineffective in the worst case or much harder to perform in the average case.
