Chimay-Red

Can't add the backdoor to image

Open jinyu00 opened this issue 7 years ago • 6 comments

I use RouterOS 6.38.4. I can't insert the backdoor into the image.

I added the files according to your PDF, but I can't get port 23000 open.

I also don't know how to find the www binary.

jinyu00 avatar Jan 04 '18 03:01 jinyu00

S99own must be put in directory: etc/rc.d/run.d/

Just saw the PDF is incorrect, I'll fix it, sorry

BigNerd95 avatar Jan 04 '18 09:01 BigNerd95

The www binary is in front of you... Look inside /nova/bin/

BigNerd95 avatar Jan 04 '18 09:01 BigNerd95

How did you mount the image and add files to it? I can't see etc/rc.d/run.d/ or /nova/bin/. I mounted /dev/sda2 on /tmp/d2.


jinyu00 avatar Jan 04 '18 13:01 jinyu00

/nova/bin is inside sda1 (root partition, not flash partition).

You have to create the folders rc.d and run.d, they are not present by default.

BigNerd95 avatar Jan 04 '18 14:01 BigNerd95

I can debug it successfully, thanks.

jinyu00 avatar Jan 05 '18 07:01 jinyu00

How to debug MikroTik RouterOS?

Please install the RouterOS VM yourself and add an IP address. (default: admin/<null>)

[admin@MikroTik] > interface print
[admin@MikroTik] > ip address add interface=ether1 address=172.168.176.100/24
[admin@MikroTik] > ip address print

Boot the RouterOS VM with a Kali ISO (Live Mode).

root@kali:/tmp# mkdir sda1 sda2
root@kali:/tmp# mount /dev/sda1 sda1/
root@kali:/tmp# mount /dev/sda2 sda2/
root@kali:/tmp# ll /tmp/sda2/
total 11412
-rw------- 1 root root        0 Jan 30 04:01 CDINSTALL
-rw-r--r-- 1 root root        1 Jan 30 04:02 UPGRADEBOOTER
drwxr-xr-x 2 root root     4096 Jan 30 04:02 bin
drwxr-xr-x 2 root root     4096 Jan 30 04:01 boot
-rw-r--r-- 2 root root 11616638 Jan 30 04:01 bootimage
drw-r--r-- 2 root root     4096 Jan 30 04:01 dev
drwxr-xr-x 2 root root     4096 Jan 30 04:02 etc
drwx------ 2 root root    16384 Jan 30 04:01 lost+found
drwxr-xr-x 3 root root     4096 Jan 30 04:02 nova
drwxr-xr-x 9 root root     4096 Jan 31 07:34 rw
drwxr-xr-x 3 root root     4096 Jan 30 04:01 var
root@kali:/tmp# wget -c https://www.busybox.net/downloads/binaries/1.26.2-defconfig-multiarch/busybox-i686
root@kali:/tmp# wget -c https://github.com/rapid7/embedded-tools/raw/master/binaries/gdbserver/gdbserver.i686

root@kali:/tmp# cp gdbserver.i686 sda2/bin/
root@kali:/tmp# cp busybox-i686 sda2/bin/

root@kali:/tmp# chmod +x sda2/bin/busybox-i686
root@kali:/tmp# chmod +x sda2/bin/gdbserver.i686
root@kali:/tmp# mkdir -p sda2/etc/rc.d/run.d

root@kali:/tmp# cat sda2/etc/rc.d/run.d/S99own
#!/bin/bash
mkdir /ram/mybin
/flash/bin/busybox-i686 --install -s /ram/mybin
export PATH=/ram/mybin:$PATH
telnetd -p 23000 -l bash
#bash # uncomment this line to spawn a root shell in the login screen

root@kali:/tmp# chmod u+x sda2/etc/rc.d/run.d/S99own

Reboot the MikroTik RouterOS VM, and telnetd will be running on port 23000.

root@kali:/tmp# telnet 172.16.176.100 23000
Trying 172.16.176.100...
Connected to 172.16.176.100.
Escape character is '^]'.


MikroTik v6.27


BusyBox v1.00 (2015.02.04-13:37+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls -l /flash/bin/
total 1736
-rwxr-xr-x    1 root     root        922936 Jan 31 12:49 busybox-i686
-rwxr-xr-x    1 root     root        744380 Jan 31 12:49 gdbserver.i686
-rwxr-xr-x    1 root     root         91816 Feb 11  2015 milo

# ls -l
total 4
drwxr-xr-x    2 root     root           435 Feb 11  2015 bin
drwxr-xr-x    2 root     root             3 Feb 11  2015 boot
drwxr-xr-x    4 root     root          7780 Jan 31 12:59 dev
lrwxrwxrwx    1 root     root            11 Feb 11  2015 dude -> /flash/dude
drwxr-xr-x    3 root     root           290 Feb 11  2015 etc
drwxr-xr-x   10 root     root          4096 Jan 30 04:02 flash
drwxr-xr-x    3 root     root            26 Feb 11  2015 home
drwxr-xr-x    2 root     root             3 Feb 11  2015 initrd
drwxr-xr-x    4 root     root           735 Feb 11  2015 lib
drwxr-xr-x    5 root     root            85 Feb 11  2015 nova
drwxr-xr-x    3 root     root            29 Feb 11  2015 old
lrwxrwxrwx    1 root     root             9 Feb 11  2015 pckg -> /ram/pckg
dr-xr-xr-x   68 root     root             0 Jan 31 12:59 proc
drwxrwxrwt    8 root     root           460 Jan 31 12:59 ram
lrwxrwxrwx    1 root     root             9 Feb 11  2015 rw -> /flash/rw
drwxr-xr-x    2 root     root           219 Feb 11  2015 sbin
drwxr-xr-x   11 root     root             0 Jan 31 12:59 sys
lrwxrwxrwx    1 root     root             7 Feb 11  2015 tmp -> /rw/tmp
drwxr-xr-x    4 root     root            38 Feb 11  2015 usr
drwxr-xr-x    5 root     root           111 Feb 11  2015 var

# cd /flash/bin/
# ./gdbserver.i686 host:5050 --attach $(pidof www)
Attached; pid = 220
Listening on port 5050
(gdb) target remote 172.16.176.100:5050
Remote debugging using 172.16.176.100:5050
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
warning: Could not load vsyscall page because no executable was specified
0x7757af32 in ?? ()

References

  • https://wikileaks.org/ciav7p1/cms/page_16384604.html
  • https://github.com/BigNerd95/Chimay-Red/blob/master/docs/ChimayRed.pdf

nixawk avatar Jan 31 '18 13:01 nixawk
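The thread above spells out exactly where a persistence hook lands on a RouterOS flash partition: a boot script under etc/rc.d/run.d/ (a directory that BigNerd95 says does not exist on a stock image) plus extra executables dropped into bin/, where the stock listing shows only milo. The script below is an added example written from the defender's side, not code from the Chimay-Red project or from anyone in the thread: it audits an offline-mounted flash partition (or a forensic image of one) for those two indicators and reports any boot script that starts a network listener. The baseline set for bin/ (just milo) and the assumption that run.d is absent by default are taken from this thread's listings and comments and may differ across RouterOS versions; the sample tree it builds for the demo is constructed.

```python
"""Audit a mounted RouterOS flash partition for boot-time persistence.

Added example (not Chimay-Red project code). Assumptions, from this thread:
  - a stock flash partition has no etc/rc.d/run.d/ directory, so every
    file found there is worth reporting;
  - a stock bin/ on the flash partition holds only "milo", so any other
    entry is unexpected.
Both may vary by RouterOS version; adjust BASELINE_BIN for your image.
"""
import stat
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

BASELINE_BIN = {"milo"}                       # assumption: per the thread's ls output
RUN_D = Path("etc") / "rc.d" / "run.d"        # boot-hook directory named in the thread
LISTENER_TOOLS = ("telnetd", "nc", "netcat", "socat")


@dataclass(frozen=True)
class Finding:
    kind: str    # "startup-hook" or "unexpected-binary"
    path: str    # path relative to the mount root
    detail: str


def _is_executable(p: Path) -> bool:
    mode = p.stat().st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def _listener_hint(script: Path) -> Optional[str]:
    """Return the first non-comment line that invokes a known listener tool."""
    try:
        text = script.read_text(errors="replace")
    except OSError:
        return None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if any(tok in LISTENER_TOOLS for tok in s.split()):
            return s
    return None


def audit_flash(mount_root: str) -> List[Finding]:
    """Walk the two locations the thread uses for persistence and report them."""
    root = Path(mount_root)
    findings: List[Finding] = []
    run_d = root / RUN_D
    if run_d.is_dir():
        for entry in sorted(run_d.iterdir()):
            detail = "boot-time script in a directory absent from a stock image"
            hint = _listener_hint(entry)
            if hint:
                detail += f"; starts a network listener: {hint}"
            findings.append(Finding("startup-hook", entry.relative_to(root).as_posix(), detail))
    bin_dir = root / "bin"
    if bin_dir.is_dir():
        for entry in sorted(bin_dir.iterdir()):
            if entry.name in BASELINE_BIN:
                continue
            detail = "not in baseline"
            if entry.is_file() and _is_executable(entry):
                detail += ", executable"
            findings.append(Finding("unexpected-binary", entry.relative_to(root).as_posix(), detail))
    return findings


def build_sample_flash(root: str, modified: bool = True) -> None:
    """Constructed sample tree mirroring the partition layout shown in the thread."""
    base = Path(root)
    for d in ("bin", "nova", "rw", "etc"):
        (base / d).mkdir(parents=True, exist_ok=True)
    milo = base / "bin" / "milo"
    milo.write_bytes(b"\x7fELF stub (constructed)")
    milo.chmod(0o755)
    if not modified:
        return
    for name in ("busybox-i686", "gdbserver.i686"):   # the two binaries added in the thread
        p = base / "bin" / name
        p.write_bytes(b"\x7fELF stub (constructed)")
        p.chmod(0o755)
    run_d = base / RUN_D
    run_d.mkdir(parents=True)
    hook = run_d / "S99own"
    hook.write_text("#!/bin/bash\nmkdir /ram/mybin\n"
                    "/flash/bin/busybox-i686 --install -s /ram/mybin\n"
                    "export PATH=/ram/mybin:$PATH\ntelnetd -p 23000 -l bash\n")
    hook.chmod(0o744)


def demo(modified: bool = True) -> List[Finding]:
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_flash(tmp, modified=modified)
        return audit_flash(tmp)


if __name__ == "__main__":
    # Usage: python audit_flash.py /mnt/sda2   (or no argument for the demo)
    results = audit_flash(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results or []:
        print(f"[{f.kind}] {f.path}: {f.detail}")
    if not results:
        print("no findings")
```

Run it against the mount point you use for the flash partition (sda2 in the thread; the root partition sda1 holds /nova/bin and is not covered here). On the modified sample it reports the S99own hook, including the telnetd line that opens port 23000, and the two binaries that are not in the baseline; on an unmodified sample it reports nothing.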