Tuesday, July 14, 2015

Controlling BusyBox based routers with Metasploit

BusyBox, called the swiss army knife of embbeded linux, is a software application that combines tiny versions of common unix utilities into a single small executable, as we can read in the busyBox project page. It is widely used in embedded devices, specially in modem/routers, thought it is used too in other type of devices like music systems, ebooks (i.e. kindle), phones, etc…


BusyBox is single binary. It is implemented having in mind size-optimizations and limited resources environments. It implements a lot of common unix commands. To use each command, you should call BusyBox giving the command as parameter, i.e.: /bin/busybox ls. Usually, commands that are implemented by busybox have fewer options than the original full-featured command. BusyBox uses ash shell (/bin/busybox sh).

As we said, a lot of router devices are using BusyBox. It is quite probably that a router shows to you a limited command line interface to manage it, for example when you connect via telnet. However, these limited shells use BusyBox for executing some of the commands that they offer, and it is common to find devices that are vulnerable to command injection attacks that would let us to use directly the busybox ash shell.

Metasploit scripts


I decided to implement a set of metasploit scripts to help to control this type of BusyBox based routers. You can find them here:
If you would like to use them, you should copy them to the proper metasploit subdirectory:
  • busybox_control.rb – <metasploit directory>\apps\pro\msf3\modules\post\linux\manage\busybox_control.rb
  • busybox_jailbreak.rb – <metasploit_directory>\apps\pro\msf3\modules\post\linux\manage\busybox_jailbreak.rb
  • auto_brute.rc – <metasploit directory>\apps\pro\msf3\scripts\resource\auto_brute.rc
  • busybox_control.sh – <metasploit directory>\apps\pro\msf3\data\post\busybox_control.sh
First, you need to connect the device shell.

Depending of the target router, there are vulnerabilities and exploits (against http interface for example) to get a shell into the device.

It is common too to find these type of devices with telnet access enabled and default login/password configured. I am not sure how it is in other countries, but usually, here, in Spain, you can go to a bar to take a beer and connect the bar’s open wifi or ask for the wifi password to connect your laptod or mobile. Almost all the times that i connected to a wifi in a bar, i found default logins/passwords configured for telnet or http router’s services (imagine for example that you change the dns address that the bar’s router gives to the clients via dhcp with your fake dns address).

When you connect by telnet, the router usually shows a limited shell with specific commands to configure this specific router. Lot of times, this limited interface are vulnerable to command injection attacks. Busybox_jailbreak.rb is a POST metasploit ruby script that will try some common command injection attacks against a session connected to a router limited shell. For example, lof of comtrend routers that have been widely used by spanish internet service providers (comtrend ar-5387 un, comtrend vr-3025 un, comtrend 5381 u, comtrend 5361,…) are vulnerable: in this routers’s limited shell you only need to execute cat xx || sh to get the busybox ash shell.

Busybox_control.rb is another POST metasploit ruby script that can be used when you have a session connected to a BusyBox shell. This ruby script will send a ash script (the script it is the file busybox_control.sh file) to the connected shell, to help to control the target embedded device (sometimes it will depend on the target device model that things are done in a different way: different files must be modified, or different commands must be executed. I would like to update this script often, to implement new commands that work with the most number of devices).

Here you can see the commands that I have currently implemented (i will update it with new commands in the future):



Later we will see an example to use this.

Finally, i added a metasploit resource script to automatize the process of doing telnet to a device, trying to jailbreak the limited shell, sending the busybox_control.sh script to the BusyBox shell, and connecting to the session interatively to manage the remote device.

Example


Let’s use this scripts against my home router, a comtrend ar-5387un.

We open a metasploit console. Telnet access is enabled for this router. We could try to bruteforce the target router (192.168.2.1) with the metasploit module auxiliary/scanner/telnet/telnet_login and some wordlist. But i found some problems bruteforcing telnet with this module. Anyway, if you search the model’s default credentials in google you find fastly it is admin/admin.

We will use telnet_login to connect to telnet service:




After doing this, we have a connected session, the session 1. Now we will use post/linux/manage/busybox_jailbreak to get the BusyBox shell and post/linux/manage/busybox_control to send the shell script.










After doing this, we only need to execute sessions -i 1, to interact with the shell script and execute the commands that we saw previously.

We can automatize this process by using the metasploit resource that i coded:





Conclusion


Nowadays modem/routers are a weak points of local networks. They usually have default credentials and they usually have bugs that lets you a total control of the device. You can control the entire network, you can give a fake dns through dhcp to the network machines, you can see the hosts of the network and you can see the established connections of all the hosts of the network, etc…

The purpose of the scripts that i showed in this article is to help to take advantage of these weak points. I hope you enjoyed it.

No comments:

Post a Comment