Tuesday, May 2, 2017

6 - Setting a bindshell backdoor at a D-LINK router firmware


- Layout for this exercise:

1 - Introduction

- Firmware Modification Kit (FMK) allows to make changes to a firmware image without recompiling the firmware sources.

- First, It extracts the firmware into its component parts, and then extracts the file system image. 

- The user can make modifications to the extracted file system, and finally rebuilding or recompiling the new firmware image.

- To download FMK:


- For further information:


- The goal of this exercise will be to modify a given firmware so that a malicious script is added at the boot up process. 

- Once the firmware is modified, it will be rebuilt and run (emulated with FAT) as if it were the original firmware.

- The malicious script is of a bindshell type, and it will be executed as soon as the firmware is booted, allowing to have a remote connection (using netcat) with the firmware.

2 - Extracting the firmware with FMK

- Based on previous exercises, let's use again firmware from the router D-LINK dir-300b:

- Extracting the firmware with the FMK command ./extract-firmware.shthe look of the output is similar to Binwalk, because both tools are closely related:

- A new folder is created:

- Going into the subfolder rootfs, the whole root file system is available:

3 - Inserting a malicious script at the initial boot up process

- Because the goal of the exercise is that a malicious script runs at the boot up process, it would be interesting to place it where initial scripts are usually located, for instance the /etc/init.d folder:

- We find that /etc/init.d/S10system.sh is redirected to /etc/scripts/system.sh

- Opening system.sh, there are all different scripts that are automatically triggered when the firmware is booted up:

- Now, let's insert a call to a new script called bindshell (for now it is empty, it will be written at the next point of this exercise) in any startup location, for instance at /etc/templates:


- Confirming that the call to the script /etc/templates/bindshell has been correctly added at any place of /etc/scripts/system.sh:


4 - Bindshell

- In this exercise it will be used the program BindShell.c written by Osanda Malith, what is available here:


- This program binds a shell to a connection at port 9999:

- The port is defined as a constant: 9999

5 - Compiling BindShell.c

- Because the router D-LINK dir-300b works with MIPS architecture, the program must be cross-compiled by a MIPS compiler:

- The MIPS cross-compiler is available here:


- Once extracted and decompressed as usually (unzip + tar), this is the option used to cross compile programs written in C to the MIPS architecture:

- Putting BindShell.c in the same folder that the compiler:

- Compiling, and naming the resulting file bindshell:

- Copying bindshell to /etc/templates:

- Now, the script bindshell is ready to be launched as soon as the firmware boots up:

- Checking that bindshell is executable for the MIPS architecture:

6 - Building the new firmware

- So far, we have modified the original firmware by inserting a bindshell program as an initial script, to be launched when the firmware is booted up.

- To be effective that modification, the new firmware must be recompiled by using the command build-firmware.sh of FMK:

- Launching ./build-firmware over dir300b_v2.05 (now modified):

- Previous ERROR messages must be ignored because the firmware is correctly rebuilt.

- The resulting oputput is a file named new-firmware.bin, which is identical to the original one with the exception of the addition of the initial script bindshell.c:

7 - Emulating the modified firmware with FAT

- Now, it is time to emulate new-firmware.bin with FAT, as done in previous exercises:

- Launching fat.py and providing passwords (firmadyne):

- Browsing to the emulated new firmware is available, apparently identical to the orginal one:

8 - Connecting with NETCAT

- However, now there is a very important difference with the original one, because a hidden script (bindshell) was launched when the firmware was booting up.

- Connecting with nc to at port 9999, there is a remote shell allowing the user to see the whole content of the firmware:

- It is interesting to notice that the type of CPU is of MIPS architecture, although it is running on an emulated firmware of x86 architecture: