AdSense

Tuesday, May 2, 2017

6 - Setting a bindshell backdoor at a D-LINK router firmware


SETTING A BINDSHELL BACKDOOR AT A D-LINK ROUTER FIRMWARE

 - Layout for this exercise:


1 - Introduction 

 - Firmware Modification Kit (FMK) allows to make changes to a firmware image without recompiling the firmware sources.

 - First, It extracts the firmware into its component parts, and then extracts the file system image. 

 - The user can make modifications to the extracted file system, and finally rebuilding or recompiling the new firmware image.

 - To download FMK:

 https://github.com/mirror/firmware-mod-kit

 - For further information:

 https://bitsum.com/firmware_mod_kit.htm

 - The goal of this exercise will be to modify a given firmware so that a malicious script is added at the boot up process. 

 - Once the firmware is modified, it will be rebuilt and run (emulated with FAT) as if it were the original firmware.

 - The malicious script is of a bindshell type, and it will be executed as soon as the firmware is booted, allowing to have a remote connection (using netcat) with the firmware.
2 - Extracting the firmware with FMK

 - Based on previous exercises, let's use again firmware from the router D-LINK dir-300b:


- Extracting the firmware with the FMK command ./extract-firmware.shthe look of the output is similar to Binwalk, because both tools are closely related:


- A new folder is created:




- Going into the subfolder rootfs, the whole root file system is available:


3 - Inserting a malicious script at the initial boot up process

 - Because the goal of the exercise is that a malicious script runs at the boot up process, it would be interesting to place it where initial scripts are usually located, for instance the /etc/init.d folder:
 



- We find that /etc/init.d/S10system.sh is redirected to /etc/scripts/system.sh

 - Opening system.sh, there are all different scripts that are automatically triggered when the firmware is booted up:


- Now, let's insert a call to a new script called bindshell (for now it is empty, it will be written at the next point of this exercise) in any startup location, for instance at /etc/templates:

  


- Confirming that the call to the script /etc/templates/bindshell has been correctly added at any place of /etc/scripts/system.sh:


 

4 - Bindshell

 - In this exercise it will be used the program BindShell.c written by Osanda Malith, what is available here:

 https://gist.github.com/OsandaMalith/a3b213b5e7582cf9aac3
- This program binds a shell to a connection at port 9999:

- The port is defined as a constant: 9999



5 - Compiling BindShell.c

- Because the router D-LINK dir-300b works with MIPS architecture, the program must be cross-compiled by a MIPS compiler:

 - The MIPS cross-compiler is available here:

 https://buildroot.org/downloads/

- Once extracted and decompressed as usually (unzip + tar), this is the option used to cross compile programs written in C to the MIPS architecture:



- Putting BindShell.c in the same folder that the compiler:

- Compiling, and naming the resulting file bindshell:





- Copying bindshell to /etc/templates:


- Now, the script bindshell is ready to be launched as soon as the firmware boots up:



- Checking that bindshell is executable for the MIPS architecture:



6 - Building the new firmware

- So far, we have modified the original firmware by inserting a bindshell program as an initial script, to be launched when the firmware is booted up.

 - To be effective that modification, the new firmware must be recompiled by using the command build-firmware.sh of FMK:

- Launching ./build-firmware over dir300b_v2.05 (now modified):






- Previous ERROR messages must be ignored because the firmware is correctly rebuilt.

- The resulting oputput is a file named new-firmware.bin, which is identical to the original one with the exception of the addition of the initial script bindshell.c:



7 - Emulating the modified firmware with FAT

 - Now, it is time to emulate new-firmware.bin with FAT, as done in previous exercises:



- Launching fat.py and providing passwords (firmadyne):





- Browsing to 192.168.0.1 the emulated new firmware is available, apparently identical to the orginal one:




8 - Connecting with NETCAT

 - However, now there is a very important difference with the original one, because a hidden script (bindshell) was launched when the firmware was booting up.

- Connecting with nc to 192.168.9.1 at port 9999, there is a remote shell allowing the user to see the whole content of the firmware:







- It is interesting to notice that the type of CPU is of MIPS architecture, although it is running on an emulated firmware of x86 architecture:
Posted by at
Labels: