Tuesday, May 2, 2017
6 - Setting a bindshell backdoor at a D-LINK router firmware
SETTING A BINDSHELL BACKDOOR AT A D-LINK ROUTER FIRMWARE
- Layout for this exercise:
1 - Introduction
- Firmware Modification Kit (FMK) allows to make changes to a firmware image without recompiling the firmware sources.
- First, It extracts the firmware into its component parts, and then extracts the file system image.
- The user can make modifications to the extracted file system, and finally rebuilding or recompiling the new firmware image.
- To download FMK:
- For further information:
- The goal of this exercise will be to modify a given firmware so that a malicious script is added at the boot up process.
- Once the firmware is modified, it will be rebuilt and run (emulated with FAT) as if it were the original firmware.
- The malicious script is of a bindshell type, and it will be executed as soon as the firmware is booted, allowing to have a remote connection (using netcat) with the firmware.
2 - Extracting the firmware with FMK
- Based on previous exercises, let's use again firmware from the router D-LINK dir-300b:
- Extracting the firmware with the FMK command ./extract-firmware.sh, the look of the output is similar to Binwalk, because both tools are closely related:
- A new folder is created:
- Going into the subfolder rootfs, the whole root file system is available:
3 - Inserting a malicious script at the initial boot up process
- Because the goal of the exercise is that a malicious script runs at the boot up process, it would be interesting to place it where initial scripts are usually located, for instance the /etc/init.d folder:
- We find that /etc/init.d/S10system.sh is redirected to /etc/scripts/system.sh
- Opening system.sh, there are all different scripts that are automatically triggered when the firmware is booted up:
- Now, let's insert a call to a new script called bindshell (for now it is empty, it will be written at the next point of this exercise) in any startup location, for instance at /etc/templates:
- Confirming that the call to the script /etc/templates/bindshell has been correctly added at any place of /etc/scripts/system.sh:
4 - Bindshell
- In this exercise it will be used the program BindShell.c written by Osanda Malith, what is available here:
- This program binds a shell to a connection at port 9999:
- The port is defined as a constant: 9999
5 - Compiling BindShell.c
- Because the router D-LINK dir-300b works with MIPS architecture, the program must be cross-compiled by a MIPS compiler:
- The MIPS cross-compiler is available here:
- Once extracted and decompressed as usually (unzip + tar), this is the option used to cross compile programs written in C to the MIPS architecture:
- Putting BindShell.c in the same folder that the compiler:
- Compiling, and naming the resulting file bindshell:
- Copying bindshell to /etc/templates:
- Now, the script bindshell is ready to be launched as soon as the firmware boots up:
- Checking that bindshell is executable for the MIPS architecture:
6 - Building the new firmware
- So far, we have modified the original firmware by inserting a bindshell program as an initial script, to be launched when the firmware is booted up.
- To be effective that modification, the new firmware must be recompiled by using the command build-firmware.sh of FMK:
- Launching ./build-firmware over dir300b_v2.05 (now modified):
- Previous ERROR messages must be ignored because the firmware is correctly rebuilt.
- The resulting oputput is a file named new-firmware.bin, which is identical to the original one with the exception of the addition of the initial script bindshell.c:
7 - Emulating the modified firmware with FAT
- Now, it is time to emulate new-firmware.bin with FAT, as done in previous exercises:
- Launching fat.py and providing passwords (firmadyne):
- Browsing to 192.168.0.1 the emulated new firmware is available, apparently identical to the orginal one:
8 - Connecting with NETCAT
- However, now there is a very important difference with the original one, because a hidden script (bindshell) was launched when the firmware was booting up.
- Connecting with nc to 192.168.9.1 at port 9999, there is a remote shell allowing the user to see the whole content of the firmware:
- It is interesting to notice that the type of CPU is of MIPS architecture, although it is running on an emulated firmware of x86 architecture: