AdSense

Tuesday, May 2, 2017

6 - Setting a bindshell backdoor at a D-LINK router firmware


SETTING A BINDSHELL BACKDOOR AT A D-LINK ROUTER FIRMWARE

- Layout for this exercise:




1 - Introduction
 

- Firmware Modification Kit (FMK) allows to make changes to a firmware image without recompiling the firmware sources.

- First, It extracts the firmware into its component parts, and then extracts the file system image. 


- The user can make modifications to the extracted file system, and finally rebuilding or recompiling the new firmware image.


- To download FMK:


https://github.com/mirror/firmware-mod-kit


- For further information:


https://bitsum.com/firmware_mod_kit.htm


- The goal of this exercise will be to modify a given firmware so that a malicious script is added at the boot up process. 

- Once the firmware is modified, it will be rebuilt and run (emulated with FAT) as if it were the original firmware.

- The malicious script is of a bindshell type, and it will be executed as soon as the firmware is booted, allowing to have a remote connection (using netcat) with the firmware.


2 - Extracting the firmware with FMK


- Based on previous exercises, let's use again firmware from the router D-LINK dir-300b:




- Extracting the firmware with the FMK command ./extract-firmware.shthe look of the output is similar to Binwalk, because both tools are closely related:




- A new folder is created:






- Going into the subfolder rootfs, the whole root file system is available:




3 - Inserting a malicious script at the initial boot up process


- Because the goal of the exercise is that a malicious script runs at the boot up process, it would be interesting to place it where initial scripts are usually located, for instance the /etc/init.d folder:
 



- We find that /etc/init.d/S10system.sh is redirected to /etc/scripts/system.sh

- Opening system.sh, there are all different scripts that are automatically triggered when the firmware is booted up:






- Now, let's insert a call to a new script called bindshell (for now it is empty, it will be written at the next point of this exercise) in any startup location, for instance at /etc/templates:

 


- Confirming that the call to the script /etc/templates/bindshell has been correctly added at any place of /etc/scripts/system.sh:







 

4 - Bindshell


- In this exercise it will be used the program BindShell.c written by Osanda Malith, what is available here:

https://gist.github.com/OsandaMalith/a3b213b5e7582cf9aac3




- This program binds a shell to a connection at port 9999:



- The port is defined as a constant: 9999





5 - Compiling BindShell.c

- Because the router D-LINK dir-300b works with MIPS architecture, the program must be cross-compiled by a MIPS compiler:

- The MIPS cross-compiler is available here:

https://buildroot.org/downloads/






- Once extracted and decompressed as usually (unzip + tar), this is the option used to cross compile programs written in C to the MIPS architecture:





- Putting BindShell.c in the same folder that the compiler:



- Compiling, and naming the resulting file bindshell:







- Copying bindshell to /etc/templates:




- Now, the script bindshell is ready to be launched as soon as the firmware boots up:




- Checking that bindshell is executable for the MIPS architecture:





6 - Building the new firmware


- So far, we have modified the original firmware by inserting a bindshell program as an initial script, to be launched when the firmware is booted up.

- To be effective that modification, the new firmware must be recompiled by using the command build-firmware.sh of FMK:



- Launching ./build-firmware over dir300b_v2.05 (now modified):








- Previous ERROR messages must be ignored because the firmware is correctly rebuilt.

- The resulting oputput is a file named new-firmware.bin, which is identical to the original one with the exception of the addition of the initial script bindshell.c:





7 - Emulating the modified firmware with FAT

- Now, it is time to emulate new-firmware.bin with FAT, as done in previous exercises:





- Launching fat.py and providing passwords (firmadyne):








- Browsing to 192.168.0.1 the emulated new firmware is available, apparently identical to the orginal one:




8 - Connecting with NETCAT

- However, now there is a very important difference with the original one, because a hidden script (bindshell) was launched when the firmware was booting up.

- Connecting with nc to 192.168.9.1 at port 9999, there is a remote shell allowing the user to see the whole content of the firmware:







- It is interesting to notice that the type of CPU is of MIPS architecture, although it is running on an emulated firmware of x86 architecture: