Miscellaneous

1. Reclaim memory space

We can attempt to reclaim memory space on the router by killing some of the unneccessary processes

View current processes:

UART console

# ps
...
264 root       3332 S   resetbutton
329 root       2440 S   tftpd -s /tmp -c -l -P E150
330 root       2168 S   cron
333 root       3864 S   httpd
336 root       3864 S   /tmp/gn-httpd -p 51000 -G
340 root       2272 S   dnsmasq -R -h -i br1 -i br0 -c 0 -r /tmp/resolv.conf
345 root       1024 S   cesmDNS -o /tmp/.mdns_host_info -d -h CISCO007 -l 192
347 root       6936 S   /tmp/gn-dhcpd -cf /tmp/dhcpd-br1.conf -lf /tmp/dhcpd-
349 root       6936 S   dhcpd -cf /tmp/dhcpd-br0.conf -lf /tmp/dhcpd.leases -
354 root       3164 S   upnp -D -W vlan2
385 root       2180 S   /bin/eapd
388 root       2576 S   nas
392 root       3764 S   /bin/wps_monitor
394 root       2156 S   netbios /tmp/samba/lib/netbios.conf
419 root       1436 S   /usr/sbin/lld2d br0
473 root       2804 S   /sbin/monitor_cable
536 root       1772 S   /bin/sh

View more information about a particular process:

# cat /proc/<PID>/status
# cat /proc/<PID>/statm

#!eg. 
# cat /proc/264/status
# cat /proc/264/statm

Kill the process

# killall <PID>

From the known running processes, we can consider killing the following:

# network services 
329 tftpd
340 dnsmasq
345 cesmDNS
347 gn-dhcpd
349 dhcpd
354 upnp
394 netbios
419 lld2d

May lose DHCP/DNS name resolution
UART access and /tmp/gn-httpd unaffected

385 eapd
388 nas
392 wps_monitor

Lose wifi capabilities
Ethernet + UART unaffected

330 cron
264 resetbutton

Other processes that are safe to kill

DO NOT KILL THE FOLLOWING

333 httpd
336 /tmp/gn-httpd
536 /bin/sh

Verify newly reclaimed memory:

# free

2. Transfer binary from host to device

Remember to always check the available memory space available on the device, before transferring files

We can use the pre-installed wget binary on the device to transfer files from the host. For example let's install the busybox-mipsel binary on the device (via UART), which provides us with a more comprehensive set of tools for the MIPSEL architecture

BusyBoxwww.busybox.net

Host:

we can find the binaries here

$ wget https://busybox.net/downloads/binaries/1.21.1/busybox-mipsel

# host "busybox-mipsel" binary with a python3 server
$ python3 -m http.server <port>

Device (UART console):

UART console

# wget http://<HOST_IP>:<port>/busybox-mipsel -O /tmp/busybox-mipsel

#! use the newly retrieved "busybox-mipsel" binary
# /tmp/busybox-mipsel --help

3. Transfer binary from device to host

3.1 tftp

Host:

Enable tftp server

$ sudo apt install tftpd-hpa
$ sudo systemctl start tftpd-hpa

# tftp server may be ran with the --secure option
$ sudo systemctl status tftpd-hpa

# ensure the file exists beforehand with the right permissions
$ sudo touch /srv/tftp/gn-httpd
$ sudo chown tftp:tftp /srv/tftp/gn-httpd
$ sudo chmod 666 /srv/tftp/gn-httpd

Device (UART console):

# tftp -p -l /tmp/gn-httpd -r gn-httpd <host_IP>

3.2 Netcat (busybox)

Device (UART console):

UART console

# /tmp/busybox-mipsel nc <router_ip> <port> < /tmp/gn-httpd

Host:

$ nc -lvp <port> > /path/to/gn-httpd

We can now access the vulnerable binary from /path/to/gn-httpd on the host machine

4. Connect to a remote shell on the device via `dropbear`

4.1 Existing binaries

There exists a few compiled dropbear binaries on the internet, with issues that prevents us from using them on our device:

https://github.com/darkerego/mips-binaries

Compiled for MIPS (big-endian) instead of MIPSEL (little-endian)

https://github.com/rabilrbl/dropbear-mipsel/releases

Non-statically compiled

4.2 Compile manually

We will compile a static dropbear and dropbearkey binary for the MIPSEL architecture

Cross-compile dropbear for MIPSEL:

$ wget https://musl.cc/mipsel-linux-musl-cross.tgz
$ tar xf mipsel-linux-musl-cross.tgz
$ export PATH=<path>/mipsel-linux-musl-cross/bin:$PATH
$ which mipsel-linux-musl-gcc
<path>/mipsel-linux-musl-cross/bin/which mipsel-linux-musl-gcc

$ wget https://matt.ucc.asn.au/dropbear/dropbear-2025.89.tar.bz2
$ tar xf dropbear-2025.89.tar.bx2
$ export CC=mipsel-linux-musl-gcc # PATH must be set 
$ ./configure \
  --host=mipsel-linux-musl \
  --disable-zlib  \
  --enable-static  \ 
  --disable-syslog
$ make PROGRAMS="dropbear dropbearkey" STATIC=1 # specify "STATIC" option

# binaries created: dropbear, dropbearkey
$ ls
dropbear dropbearkey

/tmp/dropbear-bin is a binary file, while /tmp/dropbear is the directory which stores the dropbear RSA host key

UART console

# mkdir -p /tmp/dropbear
# /tmp/dropbearkey -t rsa -f /tmp/dropbear/dropbear_rsa_host_key

# /tmp/dropbear-bin -F -B -r /tmp/dropbear/dropbear_rsa_host_key

The device will now be listening on default SSH port 22 for the current user (root)
Important options for dropbear-bin:
- -B: allow blank passwords

Connect to the device via SSH

$ ssh \
-o PreferredAuthentications=password \
-o PubkeyAuthentication=no \
root@<router>

BusyBox v1.7.2 (2012-02-15 20:23:46 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.

#

The -o StrictHostKeyChecking=no can be added to disable strict checking (if required)

5. Useful scripts

I have created a few Bash scripts to improve the overall workflow of exploit development. This includes:

Device:

Loading necessary binaries from host machine
Configuration and hosting of SSH server with dropbear
Retrieval and running of a patched (with custom instruction) httpd binary, before starting a gdbserver instance attached to the newly started process PID

Host:

Patch httpd binary
Hosting binary for device to retrieve

5.1 device__load-bins.sh

device__load-bins.sh

#!/bin/sh

# OVERVIEW
# To be executed on the device (linksys e1200 v2 router):
# 1. Load neccessary binaries

# USAGE:
# <script>.sh <sender-address> <sender-port>


if [ $# -ne 2 ]; then

    echo "Usage: $0 <sender-address> <sender-port>"
    exit 1
fi


ADDR="$1"
PORT="$2"

files="gdbserver busybox-mipsel"

for file in $files; do
        TMP_FILE=/tmp/"$file"
        wget http://"$ADDR":"$PORT"/"$file" -O "$TMP_FILE"
        chmod +x "$TMP_FILE"
done

5.2 device__start-dropbear.sh

device__start-dropbear.sh

#!/bin/sh

# OVERVIEW
# To be executed on the device (linksys e1200 v2 router):
# 1. Retrieve dropbear (stored as dropbear-bin) and dropbearkey binaries
# 2. Create SSH RSA key (dropbearkey)
# 3. Start SSH server (dropbear-bin)

# USAGE:
# ./<script>.sh <dropbear-bins-sender-address> <sender-port>

if [ $# -ne 2 ]; then

    echo "Usage: $0 <dropbear-bins-sender-address> <sender-port>"
    exit 1
fi

SENDER_ADDR="$1"
SENDER_PORT="$2"

echo "[#] Retrieving binary \"dropbear\""
wget http://"$SENDER_ADDR":"$SENDER_PORT"/dropbear -O /tmp/dropbear-bin || {
    echo "[!] wget dropbear-bin failed"
    exit 1
}

echo ""
echo "[#] Retrieving binary \"dropbearkey\""
wget http://"$SENDER_ADDR":"$SENDER_PORT"/dropbearkey -O /tmp/dropbearkey || {
    echo "[!] wget dropbearkey failed"
    exit 1
}


mkdir -p /tmp/dropbear

echo ""
echo "[#] Creating SSH RSA key"
chmod +x /tmp/dropbearkey
/tmp/dropbearkey -t rsa -f /tmp/dropbear/dropbear_rsa_host_key

echo ""
echo "[#] Starting dropbear SSH server"
chmod +x /tmp/dropbear-bin
/tmp/dropbear-bin -F -B -r /tmp/dropbear/dropbear_rsa_host_key

5.3 device__retrieve-httpd-and-start-gdbserver.sh

device__retrieve-httpd-and-start-gdbserver.sh

#!/bin/sh

# OVERVIEW
# To be executed on device (linksys e1200 v2 router):
# 1. Stop current httpd process
# 2. Fetch new httpd binary (store in /tmp/httpd)
# 3. Start /tmp/httpd
# 4. Attach gdbserver to PID of current running /tmp/httpd


# ASSUMPTIONS
# 1. busybox-mipsel is found at location "/tmp/busybox-mipsel"
#
# 2. busybox-mipsel contains:
# 2.1 pidof
#
# 3. gdbserver is found at location "/tmp/gdbserver"


# USAGE:
# ./<script>.sh <sender-address> <sender-port> <httpd-bin-name-on-sender> <gdbserver-listen-address>
# Example:
# ./<script>.sh 192.168.1.1 9999 httpd-42b22


ADDR="$1"
PORT="$2"
BIN="$3"
GDBSERVER_LISTEN_ADDR="$4"

if [ $# -ne 4 ]; then

    echo "Usage: $0 <sender-address> <sender-port> <httpd-bin-name-on-sender> <gdbserver-listen-address>"
    exit 1
fi

BUSYBOX=/tmp/busybox-mipsel
GDBSERVER=/tmp/gdbserver
HTTPD_PATH=/tmp/httpd

echo ""
echo "[#] Stopping existing httpd"
killall httpd

echo ""
echo "[#] Fetching new httpd binary"
rm "$HTTPD_PATH"
wget "http://$ADDR:$PORT/$BIN" -O "$HTTPD_PATH" || {
    echo "[!] wget failed"
    exit 1
}

chmod +x "$HTTPD_PATH"

echo  ""
echo "[#] Starting httpd"
"$HTTPD_PATH" &
sleep 2

pid=`$BUSYBOX pidof httpd`
if [ -z "$pid" ]; then
    echo "[!] Failed to get PID of httpd"
    echo "[!] Possible reasons:"
    echo "(1) httpd failed to start"
    echo "(2) /tmp/busybox-mipsel does not exist"

    exit 1
fi

echo "[INFO] httpd PID = $pid"

LISTEN_PORT=9999

echo ""
echo "[#] Attaching gdbserver on $GDBSERVER_LISTEN_ADDR:$LISTEN_PORT"
"$GDBSERVER" "$GDBSERVER_LISTEN_ADDR:$LISTEN_PORT" --attach "$pid"

5.4 host__patch-and-host-httpd.sh

#!/bin/bash

# OVERVIEW:
# To be executed on the host machine (not the device)
# 1. Transfer default httpd binary to named binary in /tmp (eg. httpd-1234)
# 2. Patch named httpd binary (eg. /tmp/httpd-1234) with break instruction at specified address
# 3. Change to /tmp directory, and host the httpd binary

# USAGE:
# ./<script>.sh <default-httpd-dir> <patch-address> <httpd-bin-name>
# Example:
# ./<script>.sh $PWD 21b22 httpd-21b22


if [ $# -ne 3 ]; then

    echo "Usage: $0 <default-httpd-dir> <patch-address> <httpd-bin-name>"
    exit 1
fi

DEFAULT_HTTP_DIR="$1"
PATCH_ADDRESS="$2"
HTTPD_BIN_NAME="$3"
HTTPD_BIN_NAME_TMP_DIR=/tmp/"$HTTPD_BIN_NAME"

echo "[#] Copying default httpd binary to $HTTPD_BIN_NAME_TMP_DIR"
cp "$DEFAULT_HTTP_DIR"/httpd "$HTTPD_BIN_NAME_TMP_DIR"

printf "\n"
echo "[#] Patching $HTTP_BIN_NAME_TMP_DIR with break at address 0x$PATCH_ADDRESS"
printf '\x0d\x00\x00\x00' | dd of="$HTTPD_BIN_NAME_TMP_DIR" bs=1 seek=$(("0x$PATCH_ADDRESS")) conv=notrunc

PORT=9999
printf "\n"
echo "[#] Hosting files from directory /tmp on port $PORT"
cd /tmp
python3 -m http.server "$PORT"

5.5 host__patch-and-host-libc.sh

#!/bin/bash

# OVERVIEW:
# To be executed on the host machine (not the device)
# 1. Transfer default libc binary to named binary in /tmp (eg. libc-1234)
# 2. Patch named libc binary (eg. /tmp/libc-1234) with break instruction at specified address
# 3. Change to /tmp directory, and host the httpd binary

# USAGE:
# ./<script>.sh <default-libc-dir> <patch-address> <libc-bin-name>
# Example:
# ./<script>.sh $PWD 21b22 libc-21b22


if [ $# -ne 3 ]; then

    echo "Usage: $0 <default-libc-dir> <patch-address> <libc-bin-name>"
    exit 1
fi

DEFAULT_LIBC_DIR="$1"
PATCH_ADDRESS="$2"
LIBC_BIN_NAME="$3"
LIBC_BIN_NAME_TMP_DIR=/tmp/"$LIBC_BIN_NAME"

echo "[#] Copying default httpd binary to $LIBC_BIN_NAME_TMP_DIR"
cp "$DEFAULT_LIBC_DIR"/httpd "$LIBC_BIN_NAME_TMP_DIR"

printf "\n"
echo "[#] Patching $LIBC_BIN_NAME_TMP_DIR with break at address 0x$PATCH_ADDRESS"
printf '\x0d\x00\x00\x00' | dd of="$LIBC_BIN_NAME_TMP_DIR" bs=1 seek=$(("0x$PATCH_ADDRESS")) conv=notrunc

PORT=9999
printf "\n"
echo "[#] Hosting files from directory /tmp on port $PORT"
cd /tmp
python3 -m http.server "$PORT"

Last updated 3 days ago

hashtag1. Reclaim memory space

hashtag2. Transfer binary from host to device

hashtag3. Transfer binary from device to host

hashtag3.1 tftp

hashtag3.2 Netcat (busybox)

hashtag4. Connect to a remote shell on the device via dropbear

hashtag4.1 Existing binaries

hashtag4.2 Compile manually

hashtag5. Useful scripts

hashtag5.1 device__load-bins.sh

hashtag5.2 device__start-dropbear.sh

hashtag5.3 device__retrieve-httpd-and-start-gdbserver.sh

hashtag5.4 host__patch-and-host-httpd.sh

hashtag5.5 host__patch-and-host-libc.sh

1. Reclaim memory space

2. Transfer binary from host to device

3. Transfer binary from device to host

3.1 tftp

3.2 Netcat (busybox)

4. Connect to a remote shell on the device via `dropbear`

4.1 Existing binaries

4.2 Compile manually

5. Useful scripts

5.1 device__load-bins.sh

5.2 device__start-dropbear.sh

5.3 device__retrieve-httpd-and-start-gdbserver.sh

5.4 host__patch-and-host-httpd.sh

5.5 host__patch-and-host-libc.sh