PocketPC Security Research
SyScan'07 Slides
Here are the slides for my SyScan PocketPC MMS-attack talk. Basically the same as before; I just added some slides
about WinCE 5.x and self-defense.
MMS Exploit Signature
Now there is even an F-Secure Malware Information Page for MMS.A.
Of course I provided the patterns myself :-)
23c3 Release
PoC MMS SMIL Exploit for PocketPC 4.2x
pocketpcmmssmilexploit.tar.gz
Advanced Attacks Against PocketPC Phones (23c3 version)
mmslib-0.97_crm1.tar.gz: MMSLib fuzzing edition (based on MMSLib by Stefan Hellkvist)
The original advisory.
Defcon-14 stuff
Slides for Advanced Attacks Against PocketPC Phones or getting 0wnd by MMS
PoC NotiFlood DoS tool: NotiFlood
Here are some screenshots from the MMS exploit in action. As you can see, you can actually quit the view window and
the shellcode/popup still runs on top of the message inbox/list:
WhatTheHack! stuff
Here is just some stuff I used for my talk Exploiting PocketPC at What The Hack! in July 2005.
The slides: Exploiting PocketPC
GetFuncAddr is just a tiny helper to dump function addresses to create jump or import tables. The executable file together with
the config file (GetFuncAddr.in) needs to be placed in the / (root) directory of the PocketPC device. Just run it
and press OK on the popup window. If you don't get an error, you now have GetFuncAddr.out in the root directory.
Sources: getfuncaddr_src.zip
Sample out files from iPAQ h6315 and i-mate PDA2k
Seth Fogie kindly provided me with the dump from his Cingular 8125 (Axim hardware): Cingular/Axim 8125
(this is WinCE 5.1). The function addresses are the same for the Axim x50v and newer x51v.
Seth also provided an input file for GetFuncAddr with all functions exported by coredll.dll: coredll.
Links
More Links ... stuff NOT used for the talk
Get everything here.
updated:
Mon Jul 9 08:11:39 CEST 2007