Miscellaneous

1. Reclaim memory space

We can attempt to reclaim memory space on the router by killing some of the unneccessary processes

View current processes:

UART console

# ps
...
264 root       3332 S   resetbutton
329 root       2440 S   tftpd -s /tmp -c -l -P E150
330 root       2168 S   cron
333 root       3864 S   httpd
336 root       3864 S   /tmp/gn-httpd -p 51000 -G
340 root       2272 S   dnsmasq -R -h -i br1 -i br0 -c 0 -r /tmp/resolv.conf
345 root       1024 S   cesmDNS -o /tmp/.mdns_host_info -d -h CISCO007 -l 192
347 root       6936 S   /tmp/gn-dhcpd -cf /tmp/dhcpd-br1.conf -lf /tmp/dhcpd-
349 root       6936 S   dhcpd -cf /tmp/dhcpd-br0.conf -lf /tmp/dhcpd.leases -
354 root       3164 S   upnp -D -W vlan2
385 root       2180 S   /bin/eapd
388 root       2576 S   nas
392 root       3764 S   /bin/wps_monitor
394 root       2156 S   netbios /tmp/samba/lib/netbios.conf
419 root       1436 S   /usr/sbin/lld2d br0
473 root       2804 S   /sbin/monitor_cable
536 root       1772 S   /bin/sh

View more information about a particular process:

# cat /proc/<PID>/status
# cat /proc/<PID>/statm

#!eg. 
# cat /proc/264/status
# cat /proc/264/statm

Kill the process

# killall <PID>

• From the known running processes, we can consider killing the following:

# network services 
329 tftpd
340 dnsmasq
345 cesmDNS
347 gn-dhcpd
349 dhcpd
354 upnp
394 netbios
419 lld2d

• May lose DHCP/DNS name resolution

• UART access and /tmp/gn-httpd unaffected

385 eapd
388 nas
392 wps_monitor

• Lose wifi capabilities

• Ethernet + UART unaffected

330 cron
264 resetbutton

• Other processes that are safe to kill

DO NOT KILL THE FOLLOWING

333 httpd
336 /tmp/gn-httpd
536 /bin/sh

Verify newly reclaimed memory:

# free

2. Transfer binary from host to device

Remember to always check the available memory space available on the device, before transferring files

Before we continue, let's install the busybox binary on the device (via UART), which provides us with a more comprehensive set of tools

BusyBoxwww.busybox.net

Host:

$ wget https://busybox.net/downloads/binaries/1.21.1/busybox-mipsel

# host "busybox-mipsel" binary with a python3 server
$ python3 -m http.server <port>

Device (UART console):

UART console

# wget http://<HOST_IP>:<port>/busybox-mipsel -O /tmp/busybox-mipsel

#! use the newly retrieved "busybox-mipsel" binary
# /tmp/busybox-mipsel --help

3. Transfer binary from device to host

3.1 tftp

Host:

• Enable tftp server

$ sudo apt install tftpd-hpa
$ sudo systemctl start tftpd-hpa

# tftp server may be ran with the --secure option
$ sudo systemctl status tftpd-hpa

# ensure the file exists beforehand with the right permissions
$ sudo touch /srv/tftp/gn-httpd
$ sudo chown tftp:tftp /srv/tftp/gn-httpd
$ sudo chmod 666 /srv/tftp/gn-httpd

Device (UART console):

# tftp -p -l /tmp/gn-httpd -r gn-httpd <host_IP> 

3.2 Netcat (busybox)

Device (UART console):

UART console

# /tmp/busybox-mipsel nc <router_ip> <port> < /tmp/gn-httpd

Host:

$ nc -lvp <port> > /path/to/gn-httpd

• We can now access the vulnerable binary from /path/to/gn-httpd on the host machine

4. Connect to a remote shell on the device via dropbear

4.1 Existing binaries

There exists a few compiled dropbear binaries on the internet, with issues that prevents us from using them on our device:

1. https://github.com/darkerego/mips-binaries

• Compiled for MIPS (big-endian) instead of MIPSEL (little-endian)

1. https://github.com/rabilrbl/dropbear-mipsel/releases

• Non-statically compiled

4.2 Compile manually

• We will compile a static dropbear and dropbearkey binary for the MIPSEL architecture

1. Cross-compile dropbear for MIPSEL:

$ wget https://musl.cc/mipsel-linux-musl-cross.tgz
$ tar xf mipsel-linux-musl-cross.tgz
$ export PATH=<path>/mipsel-linux-musl-cross/bin:$PATH
$ which mipsel-linux-musl-gcc
<path>/mipsel-linux-musl-cross/bin/which mipsel-linux-musl-gcc

$ wget https://matt.ucc.asn.au/dropbear/dropbear-2025.89.tar.bz2
$ tar xf dropbear-2025.89.tar.bx2
$ export CC=mipsel-linux-musl-gcc # PATH must be set 
$ ./configure \
  --host=mipsel-linux-musl \
  --disable-zlib  \
  --enable-static  \ 
  --disable-syslog
$ make PROGRAMS="dropbear dropbearkey" STATIC=1 # specify "STATIC" option

# binaries created: dropbear, dropbearkey
$ ls
dropbear dropbearkey

• /tmp/dropbear-bin is a binary file, while /tmp/dropbear is the directory which stores the dropbear RSA host key

UART console

# mkdir -p /tmp/dropbear
# /tmp/dropbearkey -t rsa -f /tmp/dropbear/dropbear_rsa_host_key

# /tmp/dropbear-bin -F -B -r /tmp/dropbear/dropbear_rsa_host_key

• The device will now be listening on default SSH port 22 for the current user (root)

• Important options for dropbear-bin:

  • -B: allow blank passwords

1. Connect to the device via SSH

$ ssh \
-o PreferredAuthentications=password \
-o PubkeyAuthentication=no \
root@<router>

BusyBox v1.7.2 (2012-02-15 20:23:46 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.

# 

• The -o StrictHostKeyChecking=no can be added to disable strict checking (if required)

5. Useful scripts

I have created a few Bash scripts to improve the overall workflow of exploit development. This includes:

1. Device:

• Loading necessary binaries from host machine

• Configuration and hosting of SSH server with dropbear

• Retrieval and running of a patched (with custom instruction) httpd binary, before starting a gdbserver instance attached to the newly started process PID

1. Host:

• Patch httpd binary

• Hosting binary for device to retrieve

5.1 device__load-bins.sh

device__load-bins.sh

#!/bin/sh

# OVERVIEW
# To be executed on the device (linksys e1200 v2 router):
# 1. Load neccessary binaries

# USAGE:
# <script>.sh <sender-address> <sender-port>


if [ $# -ne 2 ]; then

    echo "Usage: $0 <sender-address> <sender-port>"
    exit 1
fi


ADDR="$1"
PORT="$2"

files="gdbserver busybox-mipsel"

for file in $files; do
        TMP_FILE=/tmp/"$file"
        wget http://"$ADDR":"$PORT"/"$file" -O "$TMP_FILE"
        chmod +x "$TMP_FILE"
done

5.2 device__start-dropbear.sh

device__start-dropbear.sh

#!/bin/sh

# OVERVIEW
# To be executed on the device (linksys e1200 v2 router):
# 1. Retrieve dropbear (stored as dropbear-bin) and dropbearkey binaries
# 2. Create SSH RSA key (dropbearkey)
# 3. Start SSH server (dropbear-bin)

# USAGE:
# ./<script>.sh <dropbear-bins-sender-address> <sender-port>

if [ $# -ne 2 ]; then

    echo "Usage: $0 <dropbear-bins-sender-address> <sender-port>"
    exit 1
fi

SENDER_ADDR="$1"
SENDER_PORT="$2"

echo "[#] Retrieving binary \"dropbear\""
wget http://"$SENDER_ADDR":"$SENDER_PORT"/dropbear -O /tmp/dropbear-bin || {
    echo "[!] wget dropbear-bin failed"
    exit 1
}

echo ""
echo "[#] Retrieving binary \"dropbearkey\""
wget http://"$SENDER_ADDR":"$SENDER_PORT"/dropbearkey -O /tmp/dropbearkey || {
    echo "[!] wget dropbearkey failed"
    exit 1
}


mkdir -p /tmp/dropbear

echo ""
echo "[#] Creating SSH RSA key"
chmod +x /tmp/dropbearkey
/tmp/dropbearkey -t rsa -f /tmp/dropbear/dropbear_rsa_host_key

echo ""
echo "[#] Starting dropbear SSH server"
chmod +x /tmp/dropbear-bin
/tmp/dropbear-bin -F -B -r /tmp/dropbear/dropbear_rsa_host_key

5.3 device__retrieve-httpd-and-start-gdbserver.sh

device__retrieve-httpd-and-start-gdbserver.sh

#!/bin/sh

# OVERVIEW
# To be executed on device (linksys e1200 v2 router):
# 1. Stop current httpd process
# 2. Fetch new httpd binary (store in /tmp/httpd)
# 3. Start /tmp/httpd
# 4. Attach gdbserver to PID of current running /tmp/httpd


# ASSUMPTIONS
# 1. busybox-mipsel is found at location "/tmp/busybox-mipsel"
#
# 2. busybox-mipsel contains:
# 2.1 pidof
#
# 3. gdbserver is found at location "/tmp/gdbserver"


# USAGE:
# ./<script>.sh <sender-address> <sender-port> <httpd-bin-name-on-sender> <gdbserver-listen-address>
# Example:
# ./<script>.sh 192.168.1.1 9999 httpd-42b22


ADDR="$1"
PORT="$2"
BIN="$3"
GDBSERVER_LISTEN_ADDR="$4"

if [ $# -ne 4 ]; then

    echo "Usage: $0 <sender-address> <sender-port> <httpd-bin-name-on-sender> <gdbserver-listen-address>"
    exit 1
fi

BUSYBOX=/tmp/busybox-mipsel
GDBSERVER=/tmp/gdbserver
HTTPD_PATH=/tmp/httpd

echo ""
echo "[#] Stopping existing httpd"
killall httpd

echo ""
echo "[#] Fetching new httpd binary"
rm "$HTTPD_PATH"
wget "http://$ADDR:$PORT/$BIN" -O "$HTTPD_PATH" || {
    echo "[!] wget failed"
    exit 1
}

chmod +x "$HTTPD_PATH"

echo  ""
echo "[#] Starting httpd"
"$HTTPD_PATH" &
sleep 2

pid=`$BUSYBOX pidof httpd`
if [ -z "$pid" ]; then
    echo "[!] Failed to get PID of httpd"
    echo "[!] Possible reasons:"
    echo "(1) httpd failed to start"
    echo "(2) /tmp/busybox-mipsel does not exist"

    exit 1
fi

echo "[INFO] httpd PID = $pid"

LISTEN_PORT=9999

echo ""
echo "[#] Attaching gdbserver on $GDBSERVER_LISTEN_ADDR:$LISTEN_PORT"
"$GDBSERVER" "$GDBSERVER_LISTEN_ADDR:$LISTEN_PORT" --attach "$pid"

5.4 host__patch-and-host-httpd.sh

#!/bin/bash

# OVERVIEW:
# To be executed on the host machine (not the device)
# 1. Transfer default httpd binary to named binary in /tmp (eg. httpd-1234)
# 2. Patch named httpd binary (eg. /tmp/httpd-1234) with break instruction at specified address
# 3. Change to /tmp directory, and host the httpd binary

# USAGE:
# ./<script>.sh <default-httpd-dir> <patch-address> <httpd-bin-name>
# Example:
# ./<script>.sh $PWD 21b22 httpd-21b22


if [ $# -ne 3 ]; then

    echo "Usage: $0 <default-httpd-dir> <patch-address> <httpd-bin-name>"
    exit 1
fi

DEFAULT_HTTP_DIR="$1"
PATCH_ADDRESS="$2"
HTTPD_BIN_NAME="$3"
HTTPD_BIN_NAME_TMP_DIR=/tmp/"$HTTPD_BIN_NAME"

echo "[#] Copying default httpd binary to $HTTPD_BIN_NAME_TMP_DIR"
cp "$DEFAULT_HTTP_DIR"/httpd "$HTTPD_BIN_NAME_TMP_DIR"

printf "\n"
echo "[#] Patching $HTTP_BIN_NAME_TMP_DIR with break at address 0x$PATCH_ADDRESS"
printf '\x0d\x00\x00\x00' | dd of="$HTTPD_BIN_NAME_TMP_DIR" bs=1 seek=$(("0x$PATCH_ADDRESS")) conv=notrunc

PORT=9999
printf "\n"
echo "[#] Hosting files from directory /tmp on port $PORT"
cd /tmp
python3 -m http.server "$PORT"