PocketPC Security Research
Black Hat USA 2009
For our work on SMS security we also looked at Windows Mobile. The slides,
papers, and tools for it are available on my SMS security research page.
The advisory: HTC_TouchFlo_Manila2D_SMS_formatstring.txt.
According to HTC, the format string vulnerability in TouchFLO (Manila2D.exe) is fixed in ROM Build 1.00.19153530.00 for the HTC Touch 3G.
SyScan'07 Slides
Here are the slides for my SyScan PocketPC MMS-attack talk. They are basically the same as before; I just added some slides
about WinCE 5.x and self defense.
MMS Exploit Signature
Now there is even an F-Secure Malware Information Page for MMS.A.
Of course I provided the patterns myself :-)
23c3 Release
PoC MMS SMIL Exploit for PocketPC 4.2x
pocketpcmmssmilexploit.tar.gz
Advanced Attacks Against PocketPC Phones (23c3 version)
mmslib-0.97_crm1.tar.gz MMSLib fuzzing edition (based on MMSLib by Stefan Hellkvist)
The original advisory.
Defcon-14 stuff
Slides for Advanced Attacks Against PocketPC Phones or getting 0wnd by MMS
PoC NotiFlood DoS tool: NotiFlood
Here are some screenshots of the MMS exploit in action. As you can see, you can actually quit the view window and
the shellcode/popup still runs on top of the message inbox/list:
WhatTheHack! stuff
Here is just some stuff I used for my talk Exploiting PocketPC at What The Hack! in July 2005.
The slides Exploiting PocketPC
GetFuncAddr is just a tiny helper to dump function addresses to create jump or import tables. The executable file together with
the config file (GetFuncAddr.in) needs to be placed in the / (root) directory of the PocketPC device. Just run it
and press OK on the popup window. If you don't get an error, GetFuncAddr.out is now in the root directory.
Sources: getfuncaddr_src.zip
Sample .out files from the iPAQ h6315 and i-mate PDA2k
Seth Fogie kindly provided me with the dump from his Cingular 8125 (Axim hardware): Cingular/Axim 8125.
This is WinCE 5.1; the function addresses are the same for the Axim x50v and the newer x51v.
Seth also provided an input file for GetFuncAddr with all functions exported by coredll.dll: coredll.
Links
More Links ... stuff NOT used for the talk
Get everything here.
updated: Thu Aug 27 14:20:00 CEST 2009