In this article i’d like to share a windbg script that will let us to load a shellcode from a file to kernel memory and create a kernel thread to execute it. I have not played a lot with the script yet, if you find some bug please tell me.
It is well known by all the poor security of SOHO routers distributed by ISPs. Vulnerabilities, default passwords,… These routers expose inexperienced users to be hacked.
I want to share here a method which I have been playing that would let us to configure some router models when a user clicks a link created by us. I have not read about this method on the internet, sorry if I am wrong and it’s not new. The method is quite simple. It is usual to find routers with default passwords. And these devices usually offers a HTTP based interface to configure them. And some models accept configuration parameters through the URL.
BusyBox, called the swiss army knife of embbeded linux, is a software application that combines tiny versions of common unix utilities into a single small executable, as we can read in the busyBox project page. It is widely used in embedded devices, specially in modem/routers, thought it is used too in other type of devices like music systems, ebooks (i.e. kindle), phones, etc…
BusyBox is single binary. It is implemented having in mind size-optimizations and limited resources environments. It implements a lot of common unix commands. To use each command, you should call BusyBox giving the command as parameter, i.e.: /bin/busybox ls. Usually, commands that are implemented by busybox have fewer options than the original full-featured command. BusyBox uses ash shell (/bin/busybox sh).
As we said, a lot of router devices are using BusyBox. It is quite probably that a router shows to you a limited command line interface to manage it, for example when you connect via telnet. However, these limited shells use BusyBox for executing some of the commands that they offer, and it is common to find devices that are vulnerable to command injection attacks that would let us to use directly the busybox ash shell.