Tuesday, May 2, 2017
6 - Setting a bindshell backdoor at a D-LINK router firmware
SETTING A BINDSHELL BACKDOOR AT A D-LINK ROUTER FIRMWARE
- Layout for this exercise:
1 - Introduction
- Firmware Modification Kit (FMK) makes it possible to change a firmware image without recompiling the firmware sources.
- First, it extracts the firmware into its component parts, and then extracts the file system image.
- The user can then modify the extracted file system and finally rebuild the new firmware image.
- To download FMK:
https://github.com/mirror/firmware-mod-kit
- For further information:
https://bitsum.com/firmware_mod_kit.htm
- The goal of this exercise is to modify a given firmware so that a malicious script is added to the boot-up process.
- Once modified, the firmware will be rebuilt and run (emulated with FAT) as if it were the original firmware.
- The malicious script is a bindshell: it executes as soon as the firmware boots, allowing a remote connection (using netcat) to the firmware.
2 - Extracting the firmware with FMK
- As in previous exercises, let's use again the firmware of the D-LINK DIR-300B router:
- Extracting the firmware with the FMK command ./extract-firmware.sh; the output looks similar to Binwalk's, because both tools are closely related:
- A new folder is created:
- Going into the subfolder rootfs, the whole root file system is available:
3 - Inserting a malicious script at the initial boot up process
- Because the goal of the exercise is for a malicious script to run during the boot-up process, it makes sense to place it where the initial scripts are usually located, for instance the /etc/init.d folder:
- We find that /etc/init.d/S10system.sh is a link to /etc/scripts/system.sh
- Opening system.sh, all the different scripts that are automatically triggered when the firmware boots up are listed:
- Now, let's insert a call to a new script called bindshell (empty for now; it will be written in the next point of this exercise) in any startup location, for instance /etc/templates:
- Confirming that the call to the script /etc/templates/bindshell has been correctly added somewhere in /etc/scripts/system.sh:
4 - Bindshell
- In this exercise the program BindShell.c, written by Osanda Malith, will be used; it is available here:
https://gist.github.com/OsandaMalith/a3b213b5e7582cf9aac3
- This program binds a shell to a connection on port 9999:
- The port is defined as a constant: 9999
5 - Compiling BindShell.c
- Because the D-LINK DIR-300B router uses the MIPS architecture, the program must be cross-compiled with a MIPS compiler:
- The MIPS cross-compiler is available here:
https://buildroot.org/downloads/
- Once downloaded and decompressed as usual (unzip + tar), this is the option used to cross-compile C programs for the MIPS architecture:
- Putting BindShell.c in the same folder as the compiler:
- Compiling and naming the resulting file bindshell:
- Copying bindshell to /etc/templates:
- Now the bindshell program is ready to be launched as soon as the firmware boots up:
- Checking that bindshell is an executable for the MIPS architecture:
6 - Building the new firmware
- So far, the original firmware has been modified by inserting a bindshell program as an initial script, to be launched when the firmware boots up.
- For that modification to take effect, the new firmware must be rebuilt with the FMK command build-firmware.sh:
- Launching ./build-firmware.sh over dir300b_v2.05 (now modified):
- The ERROR messages above can be ignored, because the firmware is rebuilt correctly.
- The resulting output is a file named new-firmware.bin, identical to the original one except for the added initial program bindshell (compiled from BindShell.c):
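From the defender's side, the modification just described is exactly what a firmware integrity check should catch: one extra binary in /etc/templates and one extra line in a startup script. The following is an added example (not FMK code and not the post author's code) that compares an extracted root file system against a known-good baseline, reports added, removed and modified files, reads the ELF header of any new binary to report its architecture (the same check `file` performs), and lists startup-script lines that reference a newly added file. The two directory trees it compares are constructed inline as sample data; the added binary is named `extra_service` and contains only an ELF header, standing in for any program that was not in the vendor image.

```python
"""Compare an extracted root file system against a known-good baseline.

Added example (not FMK code and not the blog author's code): it flags files
that were added, removed or modified, identifies the architecture of any
new ELF binaries from the ELF header (the check `file` performs), and lists
startup-script lines that reference a newly added file. The two rootfs
trees are constructed inline as sample data.
"""
import hashlib
import os
import struct
import tempfile

# e_machine values from the ELF specification
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def describe_elf(path):
    """Return e.g. 'ELF32 MIPS big-endian', or None if the file is not an ELF."""
    with open(path, "rb") as f:
        hdr = f.read(20)
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF":
        return None
    bits = {1: "ELF32", 2: "ELF64"}.get(hdr[4], "ELF?")
    endian = {1: "little-endian", 2: "big-endian"}.get(hdr[5], "?")
    fmt = "<H" if hdr[5] == 1 else ">H"   # e_machine is stored in the file's own byte order
    machine = struct.unpack(fmt, hdr[18:20])[0]
    return f"{bits} {ELF_MACHINES.get(machine, 'machine %d' % machine)} {endian}"


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            with open(full, "rb") as f:
                result[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return result


def diff_rootfs(baseline, suspect):
    """Added/removed/modified paths, plus ELF details for every added binary."""
    base, susp = hash_tree(baseline), hash_tree(suspect)
    added = sorted(set(susp) - set(base))
    removed = sorted(set(base) - set(susp))
    modified = sorted(p for p in set(base) & set(susp) if base[p] != susp[p])
    new_elf = {}
    for p in added:
        desc = describe_elf(os.path.join(suspect, p))
        if desc:
            new_elf[p] = desc
    return {"added": added, "removed": removed, "modified": modified, "new_elf": new_elf}


def startup_refs(suspect, script_rel, added):
    """(line number, text) of lines in a startup script that mention an added file."""
    hits = []
    with open(os.path.join(suspect, script_rel), encoding="utf-8", errors="replace") as f:
        for n, line in enumerate(f, 1):
            if any("/" + p in line for p in added):
                hits.append((n, line.strip()))
    return hits


def build_sample_trees(tmp):
    """Constructed sample data: a vendor-like baseline and a copy with one extra
    startup line and one extra ELF32 MIPS binary (header only) in /etc/templates."""
    base, susp = os.path.join(tmp, "baseline"), os.path.join(tmp, "suspect")
    script = "etc/scripts/system.sh"
    for root in (base, susp):
        os.makedirs(os.path.join(root, "etc/scripts"))
        os.makedirs(os.path.join(root, "etc/templates"))
        with open(os.path.join(root, script), "w") as f:
            f.write("#!/bin/sh\n/etc/scripts/misc/telnetd.sh\n")
    with open(os.path.join(susp, script), "a") as f:
        f.write("/etc/templates/extra_service &\n")
    # \x7fELF, class 1 (32-bit), data 2 (big-endian), version 1, padding, e_type 2, e_machine 8 (MIPS)
    elf_stub = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9) + struct.pack(">HH", 2, 8) + bytes(32)
    with open(os.path.join(susp, "etc/templates/extra_service"), "wb") as f:
        f.write(elf_stub)
    return base, susp, script


def run_demo():
    """Build the sample trees, diff them and return (report, startup-script hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        base, susp, script = build_sample_trees(tmp)
        report = diff_rootfs(base, susp)
        hits = startup_refs(susp, script, report["added"])
    return report, hits


if __name__ == "__main__":
    report, hits = run_demo()
    for key in ("added", "removed", "modified"):
        print(f"{key}: {report[key]}")
    print("new ELF binaries:", report["new_elf"])
    print("startup lines referencing added files:", hits)
```

On a real image, point `diff_rootfs` at the `rootfs` folders produced by extracting the vendor firmware and the suspect firmware with FMK; the baseline hashes can be stored once and reused, so the check only needs the vendor image the first time.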
7 - Emulating the modified firmware with FAT
- Now it is time to emulate new-firmware.bin with FAT, as done in previous exercises:
- Launching fat.py and providing the password (firmadyne):
- Browsing to 192.168.0.1, the emulated new firmware is available, apparently identical to the original one:
8 - Connecting with NETCAT
- However, there is now a very important difference from the original one: a hidden program (bindshell) was launched while the firmware was booting up.
- Connecting with nc to 192.168.9.1 on port 9999 gives a remote shell that lets the user see the whole content of the firmware:
- Interestingly, the reported CPU type is MIPS, even though the firmware is running emulated on an x86 machine:
5 - Analyzing, emulating and searching for Telnet credentials at a D-LINK router firmware
ANALYZING D-LINK ROUTER FIRMWARE AND SEARCHING FOR TELNET CREDENTIALS
- Layout for this exercise:
1 - Downloading the firmware
- The firmware for the D-LINK DIR-300 router is downloaded from the support web page:
- Once the firmware is downloaded:
2 - Analyzing the firmware
- Binwalk helps analyze the firmware. For instance, it shows that the firmware is intended to run on a MIPS architecture and that it is compressed with the LZMA algorithm:
- The section of the firmware where the squashfs file system is located starts at offset 917632:
- The command dd copies the file while skipping all the content up to where the squashfs section starts, creating a new file called fylesystem_dlink:
- The new file:
- It is of type data:
- Applying binwalk again, we check that the content of the new file now consists only of the squashfs section:
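The offset binwalk reports and the dd carve can be reproduced by scanning for the SquashFS signature and decoding the superblock that follows it, which also makes it possible to carve exactly the bytes the file system occupies instead of everything up to the end of the image. This is an added example, not binwalk or FMK code. It decodes the standard SquashFS v4 superblock; vendor builds with non-standard signatures (some older LZMA builds) are only located, not decoded. The firmware blob it scans is constructed inline: a fake header region followed by a superblock with made-up field values and padding.

```python
"""Locate a SquashFS image inside a firmware blob and carve it out.

Added example, not binwalk or FMK code. It scans for the SquashFS signature,
validates and decodes the v4 superblock, and carves the file system the way
the `dd ... skip=<offset>` step does. The blob is constructed inline: a fake
header region followed by a superblock with made-up field values and padding
(there is no real file-system data behind it).
"""
import struct

# magic -> (struct byte order for the v4 superblock, description)
SQUASHFS_MAGICS = {
    b"hsqs": ("<", "SquashFS v4, little endian"),
    b"sqsh": (">", "SquashFS v4, big endian"),
    # Non-standard signatures seen in some vendor/LZMA builds; their superblock
    # layout differs, so they are only reported, not decoded
    b"shsq": (None, "SquashFS, non-standard signature, little endian"),
    b"qshs": (None, "SquashFS, non-standard signature, big endian"),
}
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SB_FORMAT = "IIIIIHHHHHHQQ"            # first 48 bytes of a v4 superblock
SB_SIZE = struct.calcsize("<" + SB_FORMAT)


def parse_superblock(blob, offset, order):
    """Decode the leading v4 superblock fields; raise ValueError if they are not self-consistent."""
    (_magic, inodes, _mtime, block_size, frags, comp, block_log, _flags,
     _ids, major, minor, _root_inode, bytes_used) = struct.unpack_from(order + SB_FORMAT, blob, offset)
    if major != 4 or block_size != 1 << block_log:
        raise ValueError("not a valid v4 superblock (signature found inside other data?)")
    return {"inodes": inodes, "block_size": block_size, "fragments": frags,
            "compression": COMPRESSION.get(comp, f"unknown({comp})"),
            "version": f"{major}.{minor}", "bytes_used": bytes_used}


def find_squashfs(blob):
    """All (offset, description, superblock-dict-or-None) hits, lowest offset first."""
    hits = []
    for magic, (order, desc) in SQUASHFS_MAGICS.items():
        start = 0
        while (off := blob.find(magic, start)) >= 0:
            start = off + 1
            if order is None:
                hits.append((off, desc, None))
                continue
            if off + SB_SIZE > len(blob):
                continue
            try:
                hits.append((off, desc, parse_superblock(blob, off, order)))
            except ValueError:
                pass                       # the 4 magic bytes occurred inside other data
    return sorted(hits, key=lambda h: h[0])


def carve(blob, offset, info=None):
    """`dd skip=<offset>`: from offset to the end of the blob, or exactly bytes_used
    bytes when a decoded superblock says how large the file system is."""
    end = len(blob)
    if info and offset + info["bytes_used"] <= len(blob):
        end = offset + info["bytes_used"]
    return blob[offset:end]


def build_sample_blob(fs_offset=4096, trailer=512):
    """Constructed firmware image: fake header, v4 superblock (lzma, 128 KiB blocks), trailer."""
    bytes_used = 3072
    sb = b"hsqs" + struct.pack("<IIIIHHHHHHQQ",
                                120,                 # inode count
                                1493683200,          # modification time (constructed)
                                131072,              # block size
                                7,                   # fragment entries
                                2,                   # compression id 2 = lzma
                                17,                  # block_log: 1 << 17 == 131072
                                0x00c0,              # flags
                                1,                   # id count
                                4, 0,                # version 4.0
                                0x0000000100000000,  # root inode reference
                                bytes_used)
    header = b"FAKE-HEADER".ljust(fs_offset, b"\x00")
    fs = sb.ljust(bytes_used, b"\x00")     # superblock plus padding standing in for the data
    return header + fs + b"\xff" * trailer


if __name__ == "__main__":
    blob = build_sample_blob()
    for off, desc, info in find_squashfs(blob):
        print(f"{off}: {desc} {info or ''}")
        if info:
            print(f"carved {len(carve(blob, off, info))} bytes "
                  f"(dd to end of image would give {len(carve(blob, off))})")
```

Reading the real image is just `find_squashfs(open("dir300b_v2.05.bin", "rb").read())`; the offset returned for a v4 image corresponds to the number passed to `dd skip=`, and `carve` writes out what the post names fylesystem_dlink.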
3 - Extracting the root file system
- Extracting the firmware with binwalk -e:
- Some files and directories are created, including the root file system in the folder squashfs-root:
- The whole root file system is available at squashfs-root:
4 - Searching for the Telnet credentials
- Let's search for any string related to the Telnet protocol using grep (-i ignores case distinctions, -R reads recursively, -n numbers the lines):
- Line 8 of /etc/scripts/misc/telnetd.sh yields interesting information about the Telnet credentials:
- Going to the file /etc/scripts/misc/telnetd.sh:
- While the username (-u) is Alphanetworks, the password seems to be stored in the variable $image_sign:
- The file also says where the value of the variable $image_sign is stored:
- Eventually the password is available by opening /etc/config/image_sign:
- By the way, the password can also be seen with the command hexdump (see the first line):
- Also, using the command strings, the first string corresponds to the Telnet password:
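The manual search above (grep for telnetd, follow the password variable to the config file it is read from, pull the value out with strings) is the kind of check a vendor or assessor wants to run over a whole extracted root file system so that hardcoded credentials are flagged and removed before an image ships. The following is an added example, not the post author's code, that automates it. The mini rootfs it audits is constructed sample data modelled on the pattern the post describes (a start script that reads a variable from a config file and passes it to telnetd -u); the password value in it is a placeholder, not the real one.

```python
"""Audit an extracted root file system for hardcoded Telnet credentials.

Added example, not the blog author's code: it automates the manual search in
the post (grep for telnetd, follow the password variable to the config file it
is read from, pull the value out with a strings(1)-style scan) so that such
credentials can be flagged in a firmware image before it ships. The mini
rootfs built here is constructed sample data modelled on the pattern the post
describes; the password value is a placeholder, not the real one.
"""
import os
import re
import tempfile

# "telnetd ... -u user:password ..." on one line
TELNETD_RE = re.compile(r"\btelnetd\b.*?-u\s+(\S+)")
# var=`cat path`, var=$(cat path) or var=literal, at the start of a line
ASSIGN_RE = r"^\s*{var}=(?:`cat\s+([^`]+)`|\$\(cat\s+([^)]+)\)|\"?([^\"\s]+)\"?)"


def printable_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like the strings utility."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def resolve_variable(script_text, var, rootfs):
    """Where a shell variable gets its value: a file inside rootfs (first string) or a literal."""
    m = re.search(ASSIGN_RE.format(var=re.escape(var)), script_text, re.M)
    if not m:
        return {"source": "unresolved", "value": None}
    path = m.group(1) or m.group(2)
    if not path:
        return {"source": "literal", "value": m.group(3)}
    path = path.strip()
    full = os.path.join(rootfs, path.lstrip("/"))
    if not os.path.isfile(full):
        return {"source": path, "value": None}
    with open(full, "rb") as f:
        strings = printable_strings(f.read())
    return {"source": path, "value": strings[0] if strings else None}


def audit_telnet_credentials(rootfs):
    """One finding per shell-script line that starts telnetd with -u user:password."""
    findings = []
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                head = f.read(2)
            if not (name.endswith(".sh") or head == b"#!"):
                continue                      # only shell scripts are examined
            with open(full, encoding="utf-8", errors="replace") as f:
                text = f.read()
            for lineno, line in enumerate(text.splitlines(), 1):
                m = TELNETD_RE.search(line)
                if not m:
                    continue
                user, _, pw = m.group(1).partition(":")
                finding = {"script": "/" + os.path.relpath(full, rootfs),
                           "line": lineno, "user": user, "password": pw}
                var = re.fullmatch(r"\$\{?(\w+)\}?", pw)
                if var:                       # password comes from a variable: follow it
                    finding["password"] = resolve_variable(text, var.group(1), rootfs)
                findings.append(finding)
    return findings


def build_sample_rootfs(tmp):
    """Constructed sample rootfs: a telnetd start script whose password is read from a config file."""
    os.makedirs(os.path.join(tmp, "etc/scripts/misc"))
    os.makedirs(os.path.join(tmp, "etc/config"))
    with open(os.path.join(tmp, "etc/scripts/misc/telnetd.sh"), "w") as f:
        f.write("#!/bin/sh\n"
                "image_sign=`cat /etc/config/image_sign`\n"
                "telnetd -u Alphanetworks:$image_sign &\n")
    with open(os.path.join(tmp, "etc/config/image_sign"), "wb") as f:
        f.write(b"EXAMPLE-IMAGE-SIGN\n")        # placeholder value
    return tmp


def run_demo():
    """Build the sample rootfs in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_telnet_credentials(build_sample_rootfs(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run `audit_telnet_credentials("squashfs-root")` on the directory binwalk -e produced; each finding names the script, the line, the username and where the password came from, which is what a remediation ticket needs.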
5 - Emulating the firmware with FAT (Firmware Analysis Toolkit)
- Launching the script ./fat.py and entering the name of the firmware (dir300b_v2.05) and the brand DLINK:
- The password "firmadyne" is entered to go ahead with the emulation:
- The final step, setting up the network interface, lasts exactly 60 seconds, the time allotted for the firmware to boot up:
- Finally, browsing to 192.168.0.1, the firmware is available as if it were a real physical device:
- The emulation can be destroyed by pressing any key: