Skip to main content

Wireless Hacking - Part11

Firmware emulation

What is emulation?

 Let’s understand the meaning of emulation in simple words. Suppose you get a firmware file (bin/img) from any source, like their official website, and you want to run the firmware file, i.e. img/bin file. How can you run it? There are two ways:

    1. Hardware Emulation – In this, you get a hardware device, like a router, and you upload the              firmware file onto the router and interact with the firmware via an interface. The issue with this          method is you always need a hardware device to run the firmware.
    2. Software Emulation – In this, we use software instead of hardware. The software mounts the            firmware and you interact with the firmware. The biggest advantage using this method is you             don’t need any hardware and you can run as much as firmware you wish to.

Let’s start Firmware Emulation using the software emulation method.

Tools

 We can make use of the following tools for Software Emulation

    1. QEMU– QEMU is the emulator used for emulating firmware. More info on QEMU can be                obtained here – QEMU-INFO. For setting up QEMU please refer to – QEMU-SETUP and for            firmware emulation demo – QEMU-DEMO
    2. Firmware Analysis Toolkit (FAT) – FAT is the toolkit used for firmware emulation. It uses tools          such as Firmadyne, Binwalk, Firmware Mod Kit, MITM Proxy and Firmwalker for emulation.            Please refer to FAT for setting up FAT on your system. We will use this tool for exploiting blind          command injection.

 Please download Netgear Firmware for the demo.

Step by step procedure for firmware Emulation along with the screenshots:

Step 1 – Copy Netgear Firmware in Firmadyne folder as shown:



Now you should have firmware file WNAP 320.zip and fat.py in the same folder. fat.py is the Python script which will help us in emulating the firmware.

Step 2 – Run fat.py script and enter following information as highlighted:


















After pressing enter, it will ask you for your password two or three times. Enter the same password you have used for setting up firmadyne. In my case, the password is firmadyne, and after entering the password, wait for two minutes and it will give you the IP address of the firmware as shown below:



















Step 3 Accessing via Browser – Enter the IP address obtained in step 2. It may happen that you may not be able to access the firmware in your 1st attempt. Try it four or five times and you will surely get access to the firmware login page.


















Step 4 Login with username/password – admin/password and you should be logged in as shown:




















Exploiting command Injection

We have emulated the firmware and now we will exploit Blind Command Injection vulnerability present in the firmware.

Here are the steps we will follow:

     1. Extract the firmware for viewing the source code of the file present in the firmware.
    2. Inspect source code for Blind Command Injection exploitation.
    3. Request the file via Browser.
    4. Intercept the HTTP request of the file via Proxy Tool (Burp Suite, Paros, etc.) and change the              parameters.
    5. Exploit Blind Command Injection.
Let’s start.

Extract the firmware using binwalk -e option (I have presented the whole process on my blog post called Reversing Firmware for Extracting Hard-Coded Telnet Credentials) and follow the steps as highlighted in the screenshot:


















We are in the _rootfs.squashfs.extracted folder which contains all the files present in the firmware. Now we need to find php files present in the firmware and it can be done using the command find . -name “*.php”

Command Explanation

 find – name of the command

. – starting from current directory

*.php – any file ending with .php extension

This command will list all the php files present in the firmware as shown:




















A file exists called boardDataWW.php that asks for MAC Address as shown below. File boardDataWW.php is present in home/www/ folder.




















Let’s see the source code of the boardDataWW.php file.





















As highlighted, parameter macAddress is passed to exec command (2nd highlighted part) and the input is not filtered (1st highlighted). exec is the function in php used for executing OS commands. The input is taken as is, thus we can pass OS commands as well with the macAddress parameter.

Intercept all the request responses in the Firefox browser. You can use Burp Suite, Paros, OWASP ZAP, etc. I am using Burp Suite and the process for intercepting in Firefox can be found here – Burp-For-Firefox.

Intercept the Firefox request as shown:
















Send this request to repeater tab by right clicking on it and selecting repeater option. Now we can enter any command in the macAddress field and check the response. Let’s enter 001122334455 -c ; ls # in the macAddress field.

Command Explanation:

 ; – Terminate the first input.
# – Whatever comes after # will be treated as comment.

So we are asking exec function to execute mac_address_value -c ; our_command.
















As seen, the response is Update Success! We were expecting a list of directories in the response since we have passed ls command but we received Update Success in response. What does it mean? It means our command was executed successfully but it did not return the result of our command, i.e list of directories on browser. This is a typical example of Blind Command Injection.

Let’s exploit Blind Command Injection by outputting the result of ls command in a file as shown:















Now let’s access demo.txt from browser and see the output:





















It returns a list of all the files present in the firmware. Similarly, we can execute any OS command and get the output in demo.txt file.

Popular posts from this blog

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho
Read more

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e
Read more

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was
Read more