TCP/32764 backdoor
Or how Linksys saved Christmas!

Who?

Eloi Vanderbeken @elvanderb https://github.com/elvanderb eloi . vanderbeken @ gmail . com

• Interested in reversing and crypto.
• Don't like to write reports :D
  – Angrish is hard!

• Certified Ethical Dauber |Microsoft Paint MVP

When? Christmas!!!

(1Mb/s) / (10 users * 68dB) =

IDEA !

But… a few years ago… (/me now, the WAG 200G, /me then)

Very long and complex…
For the record: NOTHING, NOTHING, NOTHING, wheat, FAAAAR away the DSLAM, REALLY NOTHING, a cow, the Mothership, corn, NOTHING, NOTHING (or a cow), sugar beet, NOTHING, a little bit of nothing.

Challenge:
• No access to the http[s] administration tool.
• No admin password anyway…
• NEED DA INTERNET!

Nmap
• Few interesting ports:
  – ReAIM (http://reaim.sourceforge.net/)
    • Possibly vuln…
  – Unknown service listening on TCP/32764
    • Responds ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00 to any request.

GO-GO-GADGET GOOGLE

Mister Guessing 2010!

Let’s get the firmware! http://support.linksys.com/en-us/support/gateways/WAG200G/download

-> FU linksys!

http://community.linksys.com/t5/Cable-and-DSL/WAG200G-FR-firmwareupgrade/m-p/233170

-> Thks users!

http://download.modem-help.co.uk/mfcsL/LinkSys/WAG200G/Firmware/v1/

-> Thks modem-help & google!

WHER IZ U ƦᴓФŦ-Ƒ$?!

WHER IZ U ƦᴓФŦ-Ƒ$?! Cont’d

ftp://ftp.linksys.com/opensourcecode is now down 

Chainsaw time!
• Get LZMA SDK 4.65
• Modify squashfs-tools' Makefile:
• Use your chainsaw on the source code:

Found you!

Where’s Waldo^wthe service? FU, maybe it’s in little endian… FU!!! Let’s get dirty!

Just use grep and IDA to find the good one 

First steps
• No symbols, MIPS:
  – We'll have to reverse
  – I love reversing and MIPS is easy so it's OK :D

• Very simple binary protocol:
  – Header (0xC bytes) followed by a payload
• Header structure:

Easy protocol, isn’t it?

Heap-based buffer overflow

Messages…

Let’s bruteforce them!

WTF?!

WTFFFFFFUUUUU?!
• NO MOAR INTERNETZ?!
• When we restart the script:

Configuration is reset?!?!!!

Quick messages' reverse…

1. Dump configuration (nvram)
2. Get configuration var
   – possible stack-based buffer overflow (if the variable is controlled by the user)
3. Set configuration var
   – stack-based buffer overflow: the output buffer (size ≈ 0x10000) is on the stack.
4. Commit nvram
   – set nvram (/dev/mtdblock/3) from /tmp/nvram; check CRC
5. Set bridge mode ON (not sure, I didn't have the time to test it)
   – nvram_set("wan_mode", bridgedonly)
   – nvram_set("wan_encap", 0)
   – nvram_set("wan_vpi", 8)
   – nvram_set("wan_vci", 81)
   – system("/usr/bin/killall br2684ctl")
   – system("/usr/bin/killall udhcpd")
   – system("/usr/bin/killall -9 atm_monitor")
   – system("/usr/sbin/rc wan stop >/dev/null 2>&1")
   – system("/usr/sbin/atm_monitor&")
6. Show measured internet speed (download/upload)
7. cmd (yep, it's a shell…)
   – special commands:
     • exit, bye, quit -> quit… (alive = 0)
     • cd: change directory
   – other commands:
     • buffer overflow on the cmd output (same buffer again)…
8. write file
   – file name in payload
   – root dir = /tmp
   – directory traversal might be possible (not tested, but it's an open(sprintf("/tmp/%s", payload))…)
9. return version
10. return modem router IP
   – nvram_get("lan_ipaddr")
11. restore default settings
   – nvram_set("restore_default", 1)
   – nvram_commit()
12. read /dev/mtdblock/0 [-4:-2]
   – dunno what it is, I didn't have the time to test it
13. dump nvram on disk (/tmp/nvram) and commit
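For the "write file" message (8) above, an added example that is not the router's code: the slide describes the handler as open(sprintf("/tmp/%s", payload)) with /tmp as the root directory. The Python below mirrors that concatenation so the traversal can be seen on constructed payloads, and puts next to it the confinement check a fixed handler would need. The payload format (just a file name) is taken from the slide; the payloads and the root directory used in the checks are constructed.

```python
"""'write file' path handling: the sprintf()-style version beside a confined one.

Added example, not the WAG200G's code. The slide gives the handler as
open(sprintf("/tmp/%s", payload)) with /tmp as root dir; the payload is
assumed to be just the file name, as the slide states.
"""
import os

ROOT_DIR = "/tmp"  # root dir named on the slide


def target_as_described(name: str, root: str = ROOT_DIR) -> str:
    """Mirror of sprintf("/tmp/%s", payload): no check on '..' segments at all."""
    return "%s/%s" % (root, name)


def escapes_root(name: str, root: str = ROOT_DIR) -> bool:
    """True when the naive concatenation resolves to a path outside `root`.

    Note that an absolute payload such as "/etc/passwd" becomes
    "/tmp//etc/passwd" and stays inside; only '..' segments escape here.
    """
    root_real = os.path.realpath(root)
    naive = os.path.realpath(target_as_described(name, root))
    return os.path.commonpath([root_real, naive]) != root_real


def target_confined(name: str, root: str = ROOT_DIR) -> str:
    """Resolve the requested path and refuse anything that leaves `root`.

    realpath() collapses '..' and follows symlinks, so both a traversal and a
    symlink planted under root are caught; commonpath() (rather than a string
    prefix test) avoids accepting "/tmpX/..." for root "/tmp". Absolute names
    are rejected as well, since os.path.join discards the root for them.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("refusing path outside %s: %r" % (root, name))
    return candidate


def is_allowed(name: str, root: str = ROOT_DIR) -> bool:
    """Boolean wrapper around target_confined() for scanning a batch of names."""
    try:
        target_confined(name, root)
        return True
    except ValueError:
        return False


# Constructed payloads, not captured from a device.
PAYLOADS = ["nvram", "sub/../nvram", "../etc/passwd", "../../etc/passwd", "/etc/passwd"]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("%-18s naive escapes root: %-5s confined accepts: %s"
              % (p, escapes_root(p), is_allowed(p)))
```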

So if you need an access to the admin panel….

Thank you Linksys!!! You saved my Christmas 

Some more lolz…
• I only had 1 day to test my code/assumptions, so the following slides are just some random thoughts/observations…
• It wasn't tested but it's probably interesting

In setup.cgi 

A little bit further in setup.cgi…

get_rand_key ???

Generate the key used to encrypt Routercfg.cfg (if I’m right)

libtea.so

Again in setup.cgi… Not sure, but I think we control this

mini_httpd

Hardcoded 1024-bit RSA private key. May I show Doge… again?

To be continued… The backdoor is only confirmed on the WAG200G; if you know of/find other affected hardware, let me know.
