Backdoor Modules for Netgear, Linksys, and Other Routers

11 minute read Jan 13, 2014 Comments
A week or so ago, I read the news of a new backdoor on several devices, including those made by Belkin, Cisco, NetGear, Linksys, and several others. A list of what seems to be affected devices can be found here. Eloi Vanderbeken, who posted his findings on GitHub made the original discovery. He also wrote a useful python proof-of-concept exploit, which allowed command injection, but I wanted Metasploit integration. After playing with the proof-of-concept, I realized how powerful this backdoor could be.

OverTheWire Monxla Part 3

7 minute read Nov 26, 2012 Comments
Continuing from the last post, we are now logged in as a user. The next step on the PDF from the agent, that we can access, is the Notes Service. I started analyzing the source code, and noticed that the text that says “yes” or “no” in the table is actually an image being rendered from the hasnotes.php file. I started tinkering with that file, and found that it was vulnerable to SQL injection.

OverTheWire Monxla Part 2

3 minute read Nov 25, 2012 Comments
In the previous post, I showed how to get the PDF that outlines the services running on the Monxla VM image. This article will continue where that one left off. Firstly, the PDF explains that there are 2 virtual hosts enabled on the machine. To configure my machine for these virtual hosts, I added these lines to my /etc/hosts file: 192.168.188.134 nasenko.otw 192.168.188.134 honeylink.otw There are 2 sites immediately available to you:

OverTheWire Monxla Part 1

2 minute read Nov 24, 2012 Comments
I had a twitter follower recently inform me that OverTheWire had a new wargame up and running. I was immediately excited and downloaded it. Several days later, I actually was able to start tinkering with it. I booted up the image, and proceeded to do some preliminary nmap scans. I found a few services runinng: mandreko$ nmap -sV -p1-65535 -T4 192.168.188.134 Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-15 10:28 EST Nmap scan report for 192.

Exploit Exercises - Fusion 01

7 minute read Jul 3, 2012 Comments
It’s been a while since I last did a write-up about Exploit Exercises. I’m starting to look back at it now, since I have some more free time again. I’ve now, as I’m sure you can guess by the title of this post, solved level 01. So this level is very similar to the first, except that it has ASLR and doesn’t tell us where the buffer is on every execution.

Exploit Exercises - Fusion 00

5 minute read Apr 9, 2012 Comments
I was very excited to see the announcement on twitter, that Fusion was going to be released, even if it’s just the first 10 levels. I was a bit bummed, as I didn’t think I’d get to work on it much, until I complete PWB, but I managed to find a little time to at least start it. I pulled up level 00, which looks to be a basic stack overflow in an http server.

Kioptrix 4

25 minute read Feb 12, 2012 Comments
I know there are a few different methods to the new Kioptrix 4 boot2root. Unfortunately, I could not find the remote root exploit that is mentioned, but my method used several tools, and privilege escalation. Tools used: Backtrack 5 VM Nmap SqlMap To start out, I had to find the machine on the network. I booted up my Backtrack VM and Kioptrix VM both using a NAT connection in my VMWare.

Exploit Exercises - Protostar Net 3

5 minute read Feb 11, 2012 Comments
The last in the Net series of Protostar is Net 3. It was of course the most difficult of all of them. However, it still wasn’t too bad. First, we’re given the following code: #include "../common/common.c" #define NAME "net3" #define UID 996 #define GID 996 #define PORT 2996 /* * Extract a null terminated string from the buffer */ int get_string(char **result, unsigned char *buffer, u_int16_t len) { unsigned char byte; byte = *buffer; if(byte > len) errx(1, "badly formed packet"); *result = malloc(byte); strcpy(*result, buffer + 1); return byte + 1; } /* * Check to see if we can log into the host */ int login(unsigned char *buffer, u_int16_t len) { char *resource, *username, *password; int deduct; int success; if(len < 3) errx(1, "invalid login packet length"); resource = username = password = NULL; deduct = get_string(&resource, buffer, len); deduct += get_string(&username, buffer+deduct, len-deduct); deduct += get_string(&password, buffer+deduct, len-deduct); success = 0; success |= strcmp(resource, "net3"); success |= strcmp(username, "awesomesauce"); success |= strcmp(password, "password"); free(resource); free(username); free(password); return !

Exploit Exercises - Protostar Net 2

2 minute read Feb 10, 2012 Comments
So far, these Net challenges in Protostar have been pretty easy. This challenge, Net 2 got a small bit tougher. We are given the following code: #include "../common/common.c" #define NAME "net2" #define UID 997 #define GID 997 #define PORT 2997 void run() { unsigned int quad[4]; int i; unsigned int result, wanted; result = 0; for(i = 0; i < 4; i++) { quad[i] = random(); result += quad[i]; if(write(0, &(quad[i]), sizeof(result)) !

Exploit Exercises - Protostar Net 1

2 minute read Feb 9, 2012 Comments
Continuing with the “Net” series of Protostar, is Net 1. We are given the following code: #include "../common/common.c" #define NAME "net1" #define UID 998 #define GID 998 #define PORT 2998 void run() { char buf[12]; char fub[12]; char *q; unsigned int wanted; wanted = random(); sprintf(fub, "%d", wanted); if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) { errx(1, ":(\n"); } if(fgets(buf, sizeof(buf)-1, stdin) == NULL) { errx(1, ":(\n"); } q = strchr(buf, '\r'); if(q) *q = 0; q = strchr(buf, '\n'); if(q) *q = 0; if(strcmp(fub, buf) == 0) { printf("you correctly sent the data\n"); } else { printf("you didn't send the data properly\n"); } } int main(int argc, char **argv, char **envp) { int fd; char *username; /* Run the process as a daemon */ background_process(NAME, UID, GID); /* Wait for socket activity and return */ fd = serve_forever(PORT); /* Set the client socket to STDIN, STDOUT, and STDERR */ set_io(fd); /* Don't do this :> */ srandom(time(NULL)); run(); } Similar to Net 0, it looks like this is another network daemon, this time running on port 2998.
Page 1 of 4 1 2 3 4