6

D-Link路由器后门注记

 3 years ago
source link: http://maskray.me/blog/2013-11-30-dlink-backdoor
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

D-Link路由器后门注记

这是学习 http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor 动手实践时做的一些记录。

下载 ftp://ftp.dlink.eu/Products/dir/dir-100/driver_software/DIR-100_fw_reva_113_ALL_en_20110915.zip

% binwalk -e DIR100_v5.0.0EUb3_patch02.bix
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
4 0x4 Realtek firmware header (ROME bootloader) image type: RUN, header version: 1, created: 9/17/2011, image size: 1690484 bytes, body checksum: 0xA, header checksum: 0x67
13046 0x32F6 mcrypt 2.2 encrypted data, algorithm: blowfish-256, mode: CBC, keymode: 8bit
403343 0x6278F gzip compressed data, has CRC, extra field, last modified: Tue Jun 6 18:51:20 2028
646032 0x9DB90 Squashfs filesystem, big endian, version 2.0, size: 1041011 bytes, 528 inodes, blocksize: 65536 bytes, created: Thu Sep 15 17:11:28 2011

得到squashfs文件系统9DB90.squashfs。留着这个文件不动,还要准备另一个工具。

git clone https://code.google.com/p/firmware-mod-kit/ 后修改下面这个文件:

diff --git i/src/lzma/C/7zip/Compress/LZMA_Lib/ZLib.cpp w/src/lzma/C/7zip/Compress/LZMA_Lib/ZLib.cpp
index cb89b54..12b5b35 100644
--- i/src/lzma/C/7zip/Compress/LZMA_Lib/ZLib.cpp
+++ w/src/lzma/C/7zip/Compress/LZMA_Lib/ZLib.cpp
@@ -180,7 +180,7 @@ protected:
UInt64 m_offset;
-ZEXTERN int ZEXPORT compress2 OF((Bytef *dest, uLongf *destLen,
+ZEXTERN int ZEXPORT compress2 _Z_OF((Bytef *dest, uLongf *destLen,^M
const Bytef *source, uLong sourceLen,
int level))
@@ -243,7 +243,7 @@ ZEXTERN int ZEXPORT compress2 OF((Bytef *dest, uLongf *destLen,
return Z_OK;
-ZEXTERN int ZEXPORT uncompress OF((Bytef *dest, uLongf *destLen,
+ZEXTERN int ZEXPORT uncompress _Z_OF((Bytef *dest, uLongf *destLen,^M
const Bytef *source, uLong sourceLen))
/* CJH: 7zip ID implemented by some LZMA implementations */

编译squashfs-2.1-r2

make -C src/squashfs-2.1-r2

可以使用firmware-mod-kit里的unsquashfs_all.sh脚本解压缩得到rootfs:

% unsquashfs_all.sh _DIR100_v5.0.0EUb3_patch02.bix.extracted/9DB90.squashfs rootfs

可以执行strings rootfs/bin/webs看到作为后门的User-Agent。

Share Comments

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK