Hacking the Gateways

Onur ALANBEL, TaintAll

whoami

• Computer Engineer (IZTECH)

• MSc student (EU)

• Application Security Researcher @TaintAll

• onuralanbel.pro

• @onuralanbel

• https://packetstormsecurity.com/search/?q=onur+alanbel

Purpose

• Gathering a variety of valuable information in an effective way.

• The motivation of an APT is obtaining highly valuable information from one target. In contrast, the motivation of a mass attack is obtaining valuable information from multiple targets.

The Plan

• Deciding targets

• Finding a vulnerability

• Writing (weaponising) the exploit

• Writing mass exploitation scripts

• Running the attack

• Analysing results

Attractive Target: Routers

• Directly accessible from the internet.

• Once you own a SOHO router, you can control the whole traffic.

• No logging, so stealth: it is really hard for an investigator to find out what is going on.

• Have a long (long, long) update interval.

Easy Target

• Does it have known vulnerabilities?

• Has the vendor published any security advisory?

• Are there any third-party products/devices that mitigate exploitation?

AirTies

• Web interface?

• TR-069

• MiniUPnP (CVE-2013-0230)

Targets From Turkey

• http://ip:5555/rootDesc.xml

PreScan

• masscan / zmap

• + python multiprocessing

The Vulnerability

• Stack overflow, may lead to RCE.

• MiniUPnPd runs on the WAN interface.

Writing the Exploit

• MIPS assembly

• The CPU has separate data and code caches, so you can't jump to the stack directly.

• You can't jump into the middle of an instruction; this reduces the number of alternative gadgets when building a ROP chain.

• The MiniUPnPd process restarts if it crashes or hangs.

Writing the Exploit

• MIPS is far easier than x86.

• The sleep function may be called to flush the caches.

• No ASLR, so ROP chains can be used.

• ?

Writing the Exploit

• miniupnpd … -P /var/run/miniupnpd.pid

• rm /var/run/miniupnpd.pid

• kill mngr

• fork and execve

• Details: Developing MIPS Exploits to Hack Routers

• Exploit: AirTies RT Series (MIPS)

Bonus Trick

• Chain remote-mgmt-input (1 references)
  target     prot opt source               destination
  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
  DROP

• iptables -A remote-mgmt-input -p tcp -m multiport --dports 23,

• cat /etc/passwd

• crypt function

• john rootpass.txt
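A defender-side check for the chain shown above, as an added example that is not part of the slides: it parses `iptables -L remote-mgmt-input -n` output and reports which management ports an ACCEPT rule opens to any source ahead of the vendor's DROP, which is what a tampered remote-management chain looks like. The sample chain text and the MGMT_PORTS set are constructed assumptions.

```python
import re

# Constructed sample of `iptables -L remote-mgmt-input -n` output, modelled on
# the chain on the slide: the stock DROP rules for telnet/web, preceded by the
# kind of ACCEPT rule an intruder prepends to re-open remote management.
SAMPLE_CHAIN = """\
Chain remote-mgmt-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 23,80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""

# Assumption: ports the router administrator treats as management ports.
MGMT_PORTS = {23, 80, 443, 8080}


def parse_chain(text):
    """Parse `iptables -L <chain> -n` output into (target, proto, src, ports)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Chain", "target"):
            continue  # chain banner, column header, or blank line
        target, proto, _opt, src, _dst = parts[:5]
        extra = " ".join(parts[5:])
        ports = set()
        m = re.search(r"dpt:(\d+)", extra)          # single-port match
        if m:
            ports.add(int(m.group(1)))
        m = re.search(r"dports ([\d,]+)", extra)    # multiport match
        if m:
            ports.update(int(p) for p in m.group(1).split(","))
        rules.append((target, proto, src, ports))
    return rules


def find_exposed_mgmt(text, mgmt_ports=MGMT_PORTS):
    """Return management ports an any-source ACCEPT reaches before a DROP.

    iptables evaluates rules top to bottom, so an ACCEPT inserted above the
    vendor's DROP wins; a DROP that comes first protects the port.
    """
    exposed, dropped = set(), set()
    for target, _proto, src, ports in parse_chain(text):
        hit = (ports & mgmt_ports) - dropped
        if target == "ACCEPT" and src == "0.0.0.0/0":
            exposed |= hit
        elif target == "DROP" and src == "0.0.0.0/0":
            dropped |= ports & mgmt_ports
    return sorted(exposed)


if __name__ == "__main__":
    print("WAN-reachable management ports:", find_exposed_mgmt(SAMPLE_CHAIN))
```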

What Have We

• Free Wifi :)

• Botnet army?

• Internet traffic (DNS, GW)

• A big chance to infect connected clients (MITMf)

Next Step

• 0day

• + Persistency

Questions
