Miscellaneous

6.1 Reclaim memory space

We can attempt to reclaim memory space on the router by killing some of the unneccessary processes

View current processes:

UART console

# ps
...
264 root       3332 S   resetbutton
329 root       2440 S   tftpd -s /tmp -c -l -P E150
330 root       2168 S   cron
333 root       3864 S   httpd
336 root       3864 S   /tmp/gn-httpd -p 51000 -G
340 root       2272 S   dnsmasq -R -h -i br1 -i br0 -c 0 -r /tmp/resolv.conf
345 root       1024 S   cesmDNS -o /tmp/.mdns_host_info -d -h CISCO007 -l 192
347 root       6936 S   /tmp/gn-dhcpd -cf /tmp/dhcpd-br1.conf -lf /tmp/dhcpd-
349 root       6936 S   dhcpd -cf /tmp/dhcpd-br0.conf -lf /tmp/dhcpd.leases -
354 root       3164 S   upnp -D -W vlan2
385 root       2180 S   /bin/eapd
388 root       2576 S   nas
392 root       3764 S   /bin/wps_monitor
394 root       2156 S   netbios /tmp/samba/lib/netbios.conf
419 root       1436 S   /usr/sbin/lld2d br0
473 root       2804 S   /sbin/monitor_cable
536 root       1772 S   /bin/sh

View more information about a particular process:

# cat /proc/<PID>/status
# cat /proc/<PID>/statm

#!eg. 
# cat /proc/264/status
# cat /proc/264/statm

Kill the process

# killall <PID>

From the known running processes, we can consider killing the following:

# network services 
329 tftpd
340 dnsmasq
345 cesmDNS
347 gn-dhcpd
349 dhcpd
354 upnp
394 netbios
419 lld2d

May lose DHCP/DNS name resolution
UART access and /tmp/gn-httpd unaffected

385 eapd
388 nas
392 wps_monitor

Lose wifi capabilities
Ethernet + UART unaffected

330 cron
264 resetbutton

Other processes that are safe to kill

DO NOT KILL THE FOLLOWING

333 httpd
336 /tmp/gn-httpd
536 /bin/sh

Verify newly reclaimed memory:

# free

6.2 Transfer binary from host to device

Remember to always check the available memory space available on the device, before transferring files

Before we continue, let's install the busybox binary on the device (via UART), which provides us with a more comprehensive set of tools

BusyBoxwww.busybox.net

Host:

$ wget https://busybox.net/downloads/binaries/1.21.1/busybox-mipsel

# host "busybox-mipsel" binary with a python3 server
$ python3 -m http.server <port>

Device (UART console):

UART console

# wget http://<HOST_IP>:<port>/busybox-mipsel -O /tmp/busybox-mipsel

#! use the newly retrieved "busybox-mipsel" binary
# /tmp/busybox-mipsel --help

6.3 Transfer binary from device to host

6.3.1 tftp

Host:

Enable tftp server

$ sudo apt install tftpd-hpa
$ sudo systemctl start tftpd-hpa

# tftp server may be ran with the --secure option
$ sudo systemctl status tftpd-hpa

# ensure the file exists beforehand with the right permissions
$ sudo touch /srv/tftp/gn-httpd
$ sudo chown tftp:tftp /srv/tftp/gn-httpd
$ sudo chmod 666 /srv/tftp/gn-httpd

Device (UART console):

# tftp -p -l /tmp/gn-httpd -r gn-httpd <host_IP>

6.3.2 Netcat (busybox)

Device (UART console):

UART console

# /tmp/busybox-mipsel nc <router_ip> <port> < /tmp/gn-httpd

Host:

$ nc -lvp <port> > /path/to/gn-httpd

We can now access the vulnerable binary from /path/to/gn-httpd on the host machine

Previous6. Reverse engineering (exploit development)NextExploit research

Last updated 3 days ago

hashtag6.1 Reclaim memory space

hashtag6.2 Transfer binary from host to device

hashtag6.3 Transfer binary from device to host

hashtag6.3.1 tftp

hashtag6.3.2 Netcat (busybox)

6.1 Reclaim memory space

6.2 Transfer binary from host to device

6.3 Transfer binary from device to host

6.3.1 tftp

6.3.2 Netcat (busybox)