Inspiration

In our Penetration Testing class, our professor, Dr. Bock, briefly mentioned a YouTube video of someone reverse engineering and hacking a Temu router. We didn't have time to watch it during class, but that didn't stop us from watching it after we got home. It was a really cool video, and we became fascinated with the idea of reverse engineering and exploiting routers ourselves. This inevitably led us to shell out our own money for a random cheap router from Temu and get to work on breaking it.

Challenges we ran into

What we thought would be an "easy 2-day hack" turned into one of the most tedious, grueling, and mind-numbingly difficult challenges of all time. Our router was nameless: no model number, no branding, the listing we ordered it from had closed, and the product was no longer sold. After hours of trying to reverse engineer the device and take advantage of two critical vulnerabilities we found on it, we resorted to a last-ditch effort. We tried to guess which firmware (the software image the router runs) it was using, pushed an update to it with open-source firmware we downloaded off a sketchy site, and bricked it.

Our router was destroyed.

Overcoming obstacles

But like true reverse engineers, we didn't give up.

We were routerless, but we found TP-Link firmware images online that could be emulated with firmadyne, a firmware emulation tool. We got to work taking public CVEs for those firmwares and writing our own PoC (proof of concept) code to perform the exploits. Along the way, we actually found more potential CVEs in some of these firmwares, but by Saturday night our progress on building a successful PoC exploit, for the public CVEs or our own potential ones, was minimal, and we were ready to throw in the towel. Then, in the last few hours of the night, Ashim called me up. He had gotten an exploit working.

The exploit

It wasn't on the TP-Link router we were originally looking at. Instead, he got an insane remote code execution exploit working on a D-Link DIR-859 router. Rough estimates by Gemini and GPT say that hundreds of thousands to millions of these devices have been sold. We have good reason to believe that some chunk of that number still runs firmware version 1.05, which is the version we tested this exploit against and got it to work on. CVE descriptions say that, in theory, this exploit should work for version 1.06B01 as well.

The exploit we built allows any unauthenticated user on a network to gain a near-instantaneous root shell on the D-Link DIR-859 router. That is, any user on any random device on the router's network, without any credentials or knowledge of the credentials, can get into the router device itself (one level beyond just being able to log into the web interface as an admin).

How we built it

The exploit takes advantage of poorly sanitized input in the router's SSDP discovery handler. We forge an HTTPU packet (HTTP over UDP) carrying a malicious header and send it to that handler; our input forces the router to start a telnet service, which serves a root shell when accessed. As an unauthenticated user on the network, we send this packet and then connect to the telnet service to get a remote root shell on the router.
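As an added example (not the project's code), here is a defender-side check in Python that parses SSDP M-SEARCH datagrams, the HTTPU request that a router's discovery handler processes, and flags header content a legitimate discovery client would never send: unknown header names, shell metacharacters or embedded CR/LF in a value, and oversized values. The expected-header set, the size threshold and both sample datagrams are constructed assumptions, not captured traffic or the real payload.

```python
import re

# Header names a well-formed M-SEARCH discovery request carries (UPnP Device Architecture 1.1).
EXPECTED_MSEARCH_HEADERS = {
    "HOST", "MAN", "MX", "ST", "USER-AGENT",
    "CPFN.UPNP.ORG", "CPUUID.UPNP.ORG", "TCPPORT.UPNP.ORG",
}
# Characters with no place in an SSDP header value but meaning to a shell; a bare
# CR or LF inside a value is header injection against the HTTP parser itself.
SHELL_META = re.compile(r"[;|&`$<>(){}]|\r|\n")
MAX_VALUE_LEN = 256  # constructed threshold; genuine discovery values are far shorter


def parse_httpu(datagram: bytes):
    """Split an HTTPU datagram into (request_line, {NAME: value}).
    A header line with no colon is stored with value None so the caller can flag it."""
    text = datagram.decode("latin-1")  # one char per byte, never raises
    request_line, _, rest = text.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if line == "":
            break  # empty line terminates the header block
        name, sep, value = line.partition(":")
        headers[name.strip().upper()] = value.strip() if sep else None
    return request_line, headers


def inspect_msearch(datagram: bytes) -> list:
    """Return findings for one datagram; an empty list means ordinary discovery traffic."""
    request_line, headers = parse_httpu(datagram)
    findings = []
    if request_line != "M-SEARCH * HTTP/1.1":
        findings.append(f"unexpected request line: {request_line!r}")
    for name, value in headers.items():
        if name not in EXPECTED_MSEARCH_HEADERS:
            findings.append(f"unexpected header: {name}")
        if value is None:
            findings.append(f"malformed header line: {name!r}")
        elif SHELL_META.search(value):
            findings.append(f"shell metacharacters in {name}: {value!r}")
        elif len(value) > MAX_VALUE_LEN:
            findings.append(f"oversized value in {name} ({len(value)} bytes)")
    return findings


# Constructed sample datagrams (not captured traffic): a normal search and one whose
# ST value carries a shell separator, the pattern a sanitizer should have rejected.
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
SUSPICIOUS = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
              b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all; echo CONSTRUCTED\r\n\r\n')
```

Calling `inspect_msearch(BENIGN)` returns an empty list, while `inspect_msearch(SUSPICIOUS)` returns a single finding on the ST header; the same function can be fed datagrams read from a UDP/1900 socket or a pcap.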

Accomplishments that we're proud of

We're proud of what we accomplished, and of what we were eventually able to come up with. But beyond the technical achievement of our exploits, we are most proud of our attitude. I (Meherzan) will be completely honest in saying that there was a point at which I gave up, and I was done trying to exploit a router. There are so many protections to get past, so many false positives for potential CVEs, and so much finickiness with router emulators that, at some point, it honestly gets hard to find the will to keep digging.

I'm incredibly proud of my teammate Ashim for pushing through and getting a working PoC exploit for the CVE when no prior public PoC for it existed. He never gave up on the project, and his determination is what led us to find this exploit.

What we learned

Beyond learning that reverse engineering is a mindset, and that breaking into something involves a lot of trial and error, we learned a lot about the various reverse engineering tools and techniques used to crack routers.

First off, we learned how to emulate routers with firmadyne, which was a very difficult and tedious setup process.

We also got good practice using binwalk to extract filesystems from firmware images, using curl and netcat to test inputs against the routers' services, and using the browser's Web Developer Tools to identify front-end injection vulnerabilities.

Finally, we got some good practice with, and learned a few things about, Ghidra for decompiling and reverse engineering code from a binary (we had some beginner practice with Binary Ninja before, but none with Ghidra).

What's next for Hacking a Router

The sky's the limit with this exploit. Full, instantaneous root access to a network's router, without any need for authentication, human error, or long, timing-based attacks. That is what we accomplished, and it is incredibly powerful. We could set up a man-in-the-middle attack to intercept packets if we wished to spy on an entire network. We could access the credentials and personal information of users on devices on the network. We could also take down devices on the network or the entire network itself. All of these tools could be useful in stopping cybercriminals, collecting intel on dangerous people, and/or discovering other criminals tied to the same network.
