(Too Much) Access Points - Exploitation Roundup


Presented at SyScan 2010 by

Embedded devices are becoming ever more pervasive, yet little material is available on exploiting them, in particular on the Linux/MIPS platform. Few vulnerabilities are published, fewer still concern arbitrary code execution, and exploits and shellcodes are nearly absent. Thorough security reviews are rarely performed, and patches and fixes usually lag behind. Research has focused mostly on the security of the wireless communications and their implementation, or on techniques for attacking devices behind private addressing, while little has been published on the actual exploitation, which can be non-trivial because of the platform-specific challenges discussed in the presentation.

In this talk, remote arbitrary code execution on access points, with specific reference to the Linux/MIPS platform, will be demonstrated by leveraging vulnerabilities discovered by the author. Devices from major manufacturers, all running their stock firmware, will be targeted; multiple exploitation demos will be performed, and a remote root shell will be gained on each target. Different kinds of flaws bring different opportunities, depending on the attack range (e.g. whether the attack can be carried out over the Internet or only from the internal LAN) and on whether authentication is required: the vulnerabilities and demos have been chosen and designed to provide samples of different attacks, scenarios and attack opportunities.

A "no-auth remote blind" attack will also be demonstrated, providing the first known example of an attacker gaining a remote root shell on an embedded device by using a smartphone as a "reflector" and leveraging it for the actual exploitation.

The page also carries the abstract in Traditional Chinese; translated into English:

Embedded devices are becoming more and more common, but there is currently not much material on attacking these devices, especially for Linux/MIPS. Only a few vulnerabilities have been published, and even fewer concerning the possibility of arbitrary code execution, and exploits and shellcodes [...] platform, will be demonstrated by exploiting vulnerabilities discovered by the author. The targets are devices from major manufacturers with their shipped software already loaded; many kinds of attacks will be shown, and a remote root shell will be obtained on every target. Depending on the attack range (e.g. deliverable over the Internet or from the internal LAN) or the need for authentication, different flaws bring different opportunities: the vulnerabilities and demonstrations presented here were designed and selected to provide different attacks, scenarios and attack opportunities. A "no-auth remote blind" attack will also be shown, providing the first known case of an attacker obtaining a remote root shell on an embedded device; the method shown uses a smartphone and leverages it for the actual attack.

Outline: