Hack the Firmware
(Continued from post on day 4)
We just used binwalk to extract the filesystem from the WiFi router's publicly available firmware. Now let's navigate to the folder we just extracted (your extracted folder should look something like this).
If you poke around this folder, you will easily find the following file:
home -> www -> boardDataWW.php
Open this PHP file in an editor and we will find:
In the highlighted line, we can see that there seems to be a command injection vulnerability in the macAddress parameter.
Definition of Command Injection Vulnerability
Command injection is a type of web vulnerability that allows attackers to execute arbitrary operating system commands on the server where the application is running. Command injection vulnerabilities occur when an application builds shell commands, or calls scripts that execute shell commands in the background, from input it has not validated.
Now that we know there could be a command injection vulnerability, let's emulate the firmware using open-source software, since we do not have the hardware to run the firmware on. For this purpose, we will need to install Firmadyne.
However, for simplicity, there is a Firmadyne package that already includes all the other tools needed; we will install this package instead.
(credit to attify for their software)
Follow the steps shown in the README to set up and configure the environment, and then run:
python fat.py <firmware>
This command will automatically emulate the firmware and reply with an IP address, which we will need later.
Command Injection Attack
Open your web browser and navigate to the URL given; in this case, 192.168.0.100/boardDataWW.php
Then key in our injection code to test whether the vulnerability exists:
"001122334455 ; ping -c 20 127.0.0.1 # "
Now key in the actual attack code:
"AA:BB:CC:DD:EE:FF ; cp /etc/passwd . #"
Then navigate to 192.168.0.100/passwd and you will see what we have been wanting to get:
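The root cause above is that the macAddress value reaches a shell unvalidated. As an added example (not code from the original post or from the router's firmware), here is the check the script should have done, plus a small log scan that flags requests whose macAddress parameter fails it. The program name /sbin/boardtool, the use of a GET query string, and the sample log lines are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist for the macAddress parameter: six hex octets, either
# colon-separated or as a bare 12-digit string. Anything else (spaces,
# ';', '#', '/') is rejected before it could ever reach a shell.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")

def is_valid_mac(value: str) -> bool:
    """Return True only for a well-formed MAC address."""
    return MAC_RE.fullmatch(value) is not None

def safe_argv(mac: str) -> list[str]:
    """Build the argument vector for the board tool (name is hypothetical).

    Validating first and passing an argv list rather than a shell string
    means the value can never be interpreted as a command separator.
    """
    if not is_valid_mac(mac):
        raise ValueError(f"rejected macAddress value: {mac!r}")
    return ["/sbin/boardtool", "--mac", mac]

# Pulls the request target out of a common access-log line.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

def flag_injection_attempts(log_lines):
    """Return (client_ip, decoded macAddress) for requests to
    boardDataWW.php whose macAddress parameter fails the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/boardDataWW.php"):
            continue
        for value in parse_qs(parts.query).get("macAddress", []):
            if not is_valid_mac(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    '192.168.0.50 - - [01/Jan/2024:10:00:00 +0000] "GET /boardDataWW.php?macAddress=AA%3ABB%3ACC%3ADD%3AEE%3AFF HTTP/1.1" 200 512',
    '192.168.0.66 - - [01/Jan/2024:10:00:05 +0000] "GET /boardDataWW.php?macAddress=001122334455+%3B+ping+-c+20+127.0.0.1+%23+ HTTP/1.1" 200 512',
    '192.168.0.66 - - [01/Jan/2024:10:00:09 +0000] "GET /passwd HTTP/1.1" 200 1024',
]
```

Running flag_injection_attempts(SAMPLE_LOG) reports only the second line, the one carrying the test payload from this post.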
With this, we have successfully exploited the firmware!
Hope you enjoyed this! And remember, the techniques shown here are for educational purposes only; firmware vulnerabilities like this are already commonly known to the public.