no one is safe ...

Exploit

Your Telnet Backdoor is waiting for you

It is too bad if your device ships with a backdoor directly from the vendor. On some D-Link devices you can find a nice telnet server listening on the internal network interface. The following output shows the results of an Nmap scan of three different D-Link DIR devices (DIR-300revA, DIR-300revB, DIR-600revB):


root@bt:~# nmap -sSV -p 23 192.168.178.133,144,222
Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-30 13:42 CEST
Nmap scan report for 192.168.178.133
Host is up (0.0067s latency).
PORT STATE SERVICE VERSION

Getting a full Shell on D-Link DSL-320B

This time not a big thing ... more a nice detail on getting a shell on the DSL-320B device.

If you run a port scan on your local network with Nmap, you will see the following output:

PORT   STATE SERVICE    VERSION
21/tcp open  ftp        D-Link or USRobotics ADSL router firmware update ftpd
22/tcp open  tcpwrapped
23/tcp open  telnet     D-Link DSL-2542B ADSL router telnetd
80/tcp open  http?

You can log in with the credentials from the web interface, but you only get stripped-down access:


root@bt:~# telnet 192.168.178.111
Trying 192.168.178.111...

The Home Network Horror days starting right now …

Welcome to the following 2 crazy weeks with lots of vulnerabilities in more than 20 different home network devices. We have quite a high number of hopefully interesting vulnerabilities in devices from different vendors like Linksys, D-Link or Netgear for you.

Today we start with a short intro video which demonstrates unauthenticated execution of OS commands on two D-Link home routers. The D-Link DIR-300 rev B and D-Link DIR-600 are still unpatched, and an attacker is able to directly compromise these devices via the web interface. You will find the advisory here.

Multiple Vulnerabilities in D-Link DIR-600 and DIR-300 (rev B)

Device Name: DIR-600 / DIR 300 - HW rev B1
Vendor: D-Link

============ Vulnerable Firmware Releases - DIR-300: ============

Firmware Version : 2.12 - 18.01.2012
Firmware Version : 2.13 - 07.11.2012

============ Vulnerable Firmware Releases - DIR-600: ============

Firmware-Version : 2.12b02 - 17/01/2012
Firmware-Version : 2.13b01 - 07/11/2012
Firmware-Version : 2.14b01 - 22/01/2013

============ Device Description: ============

Using the discovered OS Command Injection vulnerability in Linksys WRT54GL within a pentest

After releasing the OS command execution vulnerability in the WRT54GL router from Linksys last week, there were some requests about how this vulnerability could be used to get a remote shell.

First of all, we have to analyze the firmware a bit. For this it is best to download the original firmware from the vendor and use the firmware-modification-kit or binwalk created by Craig Heffner and Jeremy Collake. Awesome toolkit from awesome guys.

So let’s extract and analyse the firmware a bit:

root@bt:~/images/firmware_mod_kit/firmware-mod-kit-read-only# ./extract-ng.sh /root/images/FW_WRT54GL_4.30.15.002_US_20101208_code.bin linksyswrt54gl
Firmware Mod Kit (build-ng) 0.78 beta, (c)2011-2012 Craig Heffner, Jeremy Collake
http://www.bitsum.com
Scanning firmware...
DECIMAL   HEX       DESCRIPTION
-------------------------------------------------------------------------
32        0x20      TRX firmware header, little endian, header size: 28 bytes,  image size: 3362816 bytes, CRC32: 0xB5C3AB6E flags/version: 0x10000
700656    0xAB0F0   Squashfs filesystem, little endian, version 2.0, size: 2655384 bytes, 502 inodes, blocksize: 65536 bytes, created: Wed Dec  8 05:06:27 2010

root@bt:~/images/firmware_mod_kit/firmware-mod-kit-read-only/linksys-wrt54gl/rootfs# find . -iname wget
./usr/bin/wget