This document outlines a plan to hack routers by exploiting vulnerabilities. The plan involves deciding targets, finding vulnerabilities in routers like the AirTies RT series, writing exploits in MIPS assembly to achieve remote code execution, writing scripts for mass exploitation, running attacks on targets in Turkey, and analyzing results. Routers are attractive targets because they are directly internet accessible, can control all traffic once compromised, have limited logging capabilities, and rarely receive security updates.

1. HACKING THE
GATEWAYS
Onur ALANBEL
TaintAll

2. whoami
Onur ALANBEL
• Computer Engineer (IZTECH)
• MSc student (EU)
• Application Security Researcher @TaintAll
• onuralanbel.pro
• @onuralanbel
• https://packetstormsecurity.com/search/?q=onur+alanbel

3. Purpose
• Gathering a variety of valuable information in an
effective way.

4. Purpose
Motivation of an APT is obtaining highly valuable
information from one target. In contrast, motivation of
a mass attack is obtaining valuable information from
multiple targets.

5. Purpose

6. Purpose

7. The Plan
• Deciding targets

8. The Plan
• Deciding targets
• Finding a vulnerability

9. The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit

10. The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit
• Writing mass exploitation scripts

11. The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit
• Writing mass exploitation scripts
• Running the attack

12. The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit
• Writing mass exploitation scripts
• Running the attack
• Analysing results

13. Attractive Target: Routers
• Directly accessible from the internet.

14. Attractive Target: Routers
• Directly accessible from the internet.
• Once you own a SOHO router, you can control the
whole traffic.

15. Attractive Target: Routers
• Directly accessible from the internet.
• Once you own a SOHO router, you can control the
whole traffic.
• No log, stealth. (it’s really hard for an investigator
to find out what is going on.)

16. Attractive Target: Routers
• Directly accessible from the internet.
• Once you own a SOHO router, you can control the
whole traffic.
• No log, it’s really hard to find out what is going on
(very hard)
• Have a long (long long) update interval.

17. Easy Target
• Does It have known vulnerabilities?

18. Easy Target
• Does It have known vulnerabilities?
• Does the Vendor have published any security
advisory?

19. Easy Target
• Does It have known vulnerabilities?
• Does the Vendor have published any security
advisory?
• Are there any third party product/device to
mitigate exploitation.

20. AirTies
• Web interface?

21. AirTies
• Web interface?
• TR-069

22. AirTies
• Web interface?
• TR-069
• MiniUPNP (CVE-2013-0230

23. Targets From Turkey

24. Targets From Turkey
• http://ip:5555/rootDesc.xml

25. PreScan
• masscan / zmap
• +

26. PreScan
• masscan
• +
• python multiprocessing
• =

28. The Vulnerability
• Stack overflow, may cause to RCE.
• MiniUPNPd runs on WAN interface.

29. Writing the Exploit
• MIPS assembly
• CPU has different data and code caches; so, can’t
jump to stack directly.
• Can’t jump into middle of instructions, this reduces
the number of alternative gadgets while creating a
ROP chain.
• MiniUPNPd process restarts if it crashes or hangs.

30. Writing the Exploit
• MIPS is far easier than x86

31. Writing the Exploit
• MIPS is far easier than x86
• sleep function may be called to flush caches.

32. Writing the Exploit
• MIPS is far easier than x86
• sleep function may be called to flush caches.
• No ASLR, ROP chains could be used.

33. Writing the Exploit
• MIPS is far easier than x86
• sleep function may be called to flush caches.
• No ASLR, ROP chains could be used.
• ?

34. Writing the Exploit
• miniupnpd … -P /var/run/miniupnpd.pid

35. Writing the Exploit
• rm /var/run/miniupnpd.pid

36. Writing the Exploit
• rm /var/run/miniupnpd.pid
• kill mngr

37. Writing t
• rm /var/run/miniupnpd.pid
• kill mngr
• fork and execve

38. Writing t
• rm /var/run/miniupnpd.pid
• kill mngr
• fork and execve
• Details: Developing MIPS Exploits to Hack Routers
• Exploit:
AirTies RT Series (MIPS)

39. Bonus Trick
• Chain remote-mgmt-input (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
DROP

40. Bonus Trick
• iptables -A remote-mgmt-input -p tcp -m multiport
—dports 23,

41. Bonus Trick
• cat /etc/passwd
• crypt function
• john rootpass.txt

42. What Have We
• Free Wifi :)

43. What Have We
• Free Wifi :)
• Botnet army?

44. What Have We
• Free Wifi :)
• Botnet army?
• Internet traffic (DNS, GW)

45. What Have We
• Free Wifi :)
• Botnet army?
• Internet traffic (DNS, GW)
• A big chance to infect connected clients (MITMf)

46. Next Step
• 0day

47. Next Step
• 0day
• +
• Persistency

48. Questions