Posts

Decrypt TP-Link config.bin Configuration Backup File

A configuration backup file can be downloaded from certain TP-Link devices by clicking the Backup button on the System Tools > Backup & Restore page. The downloaded configuration file, config.bin, is encrypted. To decrypt the config.bin file, use the key 478DA50BF9E3D2CF:

    openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin -out dec_config.bin

The first 16 bytes of the output file, dec_config.bin, are the MD5 hash of the configuration text file. The decrypted file may also contain null-byte padding at the end; in this case there are 4 null bytes at the end of the file. To extract the configuration text file, remove the MD5 hash (first 16 bytes) and the padding (last 4 bytes):

    dd if=dec_config.bin of=config.txt bs=1 skip=16
    truncate -s -4 config.txt

The output file, config.txt, contains the configuration. Its MD5 hash should match the MD5 given in dec_config.bin.

Demo
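The post does the unwrapping with dd and truncate and then compares the two MD5 values by eye. The following Python script is an added example (not from the post or from TP-Link) that performs the same steps on the openssl output in one go and reports whether the stored hash matches the recovered text. It assumes dec_config.bin is the file produced by the openssl command above; the sample configuration text embedded in it is constructed for the test and is not a real TP-Link configuration.

```python
import hashlib
import sys

MD5_LEN = 16  # dec_config.bin starts with the MD5 of the configuration text


def unwrap_decrypted_config(dec):
    """Split the DES-decrypted blob (the openssl output above) into its parts.

    Returns the stored MD5, the MD5 recomputed over the recovered text, the number
    of trailing null bytes that were dropped, and whether the two hashes agree.
    """
    if len(dec) < MD5_LEN:
        raise ValueError("decrypted blob is shorter than the 16-byte MD5 prefix")
    stored_md5 = dec[:MD5_LEN]
    body = dec[MD5_LEN:]
    # The ciphertext is a whole number of 8-byte DES blocks, so the plaintext is
    # padded with null bytes (4 of them in the post's sample). Strip them all rather
    # than a fixed 4, so the same code works for other backup files.
    config_text = body.rstrip(b"\x00")
    computed_md5 = hashlib.md5(config_text).digest()
    return {
        "stored_md5": stored_md5.hex(),
        "computed_md5": computed_md5.hex(),
        "padding_bytes": len(body) - len(config_text),
        "match": stored_md5 == computed_md5,
        "config_text": config_text,
    }


def build_sample_decrypted_blob(config_text):
    """Constructed test input mimicking dec_config.bin: MD5 of the text, the text,
    then null padding up to the next 8-byte DES block boundary."""
    body = hashlib.md5(config_text).digest() + config_text
    return body + b"\x00" * ((-len(body)) % 8)


# Constructed sample configuration text (52 bytes, so the blob needs 4 padding
# bytes, exactly as in the post's file). Real config.bin contents will differ.
SAMPLE_CONFIG = b"# constructed sample\nlan_ip=192.168.0.1\nssid=lab-ap\n"


if __name__ == "__main__":
    # Usage: python3 unwrap_config.py dec_config.bin config.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            result = unwrap_decrypted_config(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(result["config_text"])
    else:
        result = unwrap_decrypted_config(build_sample_decrypted_blob(SAMPLE_CONFIG))
    print("stored   MD5:", result["stored_md5"])
    print("computed MD5:", result["computed_md5"])
    print("padding bytes dropped:", result["padding_bytes"])
    print("hash matches:", result["match"])
```

A mismatch between the two hashes means the file was not decrypted correctly (wrong key, or the trailing nulls were not padding), so check that before trusting the extracted text. On OpenSSL 3 single DES is in the legacy provider, so the openssl command from the post needs `-provider legacy -provider default` added to run at all.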

Decrypting D-Link XOR Encrypted Firmware

Firmware DIR850LB1_FW207WWb05.bin is encrypted with an XOR cipher. The original firmware is XORed with two keys. The first key is wrgac25_dlink.2013gui_dir850l. The second key is the numbers from 1 to 251. A Python program to decrypt the firmware is given below:

    import itertools
    import sys

    # Usage: python3 decrypt.py DIR850LB1_FW207WWb05.bin decrypted.bin
    KEY1 = b'wrgac25_dlink.2013gui_dir850l'   # first key: the fixed string, repeated
    KEY2 = bytes(range(1, 252))               # second key: the byte values 1..251, repeated

    def decrypt(fw):
        # Each firmware byte is XORed with the next byte of both key streams;
        # XOR is its own inverse, so the same function also re-encrypts.
        key1 = itertools.cycle(KEY1)
        key2 = itertools.cycle(KEY2)
        return bytes(b ^ next(key1) ^ next(key2) for b in fw)

    with open(sys.argv[1], 'rb') as f:
        fw = f.read()
    with open(sys.argv[2], 'wb') as f:
        f.write(decrypt(fw))

Demo

Extract JFFS2 Filesystem from Ubuntu 20.04

1. Install the required packages:

    sudo apt install python3-pip git python3-lzo
    sudo pip3 install cstruct
    git clone https://github.com/sviehb/jefferson.git
    cd jefferson
    sudo python3 setup.py install

2. Extract the filesystem:

    jefferson rootfs

This will extract the filesystem contents to the directory jffs2-root.

Demo

Unauthenticated Credential Disclosure through Decompilation of D-Link Firmware (CVE-2020-29321)

Introduction

Telnet credentials can be extracted from the firmware of vulnerable D-Link devices such as:

    DIR-868L Rev. C1 - FW v3.01 (CVE-2020-29321)
    DIR-880L Rev. Ax - FW v1.07 (CVE-2020-29322)
    DIR-885L Rev. Ax - FW v1.15b02 (CVE-2020-29323)
    DIR-895L Rev. Ax - FW v1.21b05 (CVE-2020-29324)

Analysis

1. Extract the filesystem from the firmware:

    binwalk -eM DIR868LC1_FW301b08.bin

2. Obtain the username from the file squashfs-root/etc/init0.d/S80telnetd.sh. The username can be seen as Alphanetworks.

3. Get the password from the file squashfs-root/etc/config/image_sign. In the case of the DIR-868L the password is wrgac35_dlink.2013gui_dir868lc.

Demo

D-Link DVG-3104MS Hardcoded Credentials Vulnerability Analysis (CVE-2021-39613)

Introduction

D-Link DVG-3104MS versions 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contain hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. The passwords can be easily recovered using john. The D-Link DVX-2000MS also has a similar vulnerability (CVE-2021-39614).

Analysis

1. Extract the filesystem from the firmware using binwalk:

    binwalk -eM DVG-3104MS_010204.flash

2. Extract the etc.tgz file in the _DVG-3104MS_010204.flash.extracted/squashfs-root/etc/ directory. Two different types of hashes can be found in the passwd file.

3. Separate them and crack the hashes using john:

    john passwd_type1.txt
    john passwd_type2.txt

4. The following credentials will be obtained after a successful crack:

    root:brecis:0:0:root:/root:/bin/sh
    CLI:brecis:0:0:root:/root:/bin/sh
    demo:demo:5000:5000:Demo User:/home/demo:/bin/bash
    maintain:blip:6000:6000:maintainer:/var:/bin/sh
    cloudraker:brecis:32770:32770:Linux User,,,:/home/cloudraker:/bin/sh
    pmc:pmc123:32771:32771:Linux User,,,:/home/pmc:/bin/sh

Demo

Analysis of TP-Link Firmware with Header Version 1

Introduction

Analysis of the TP-Link firmware file wr841nv11_wr841ndv11_en_3_16_9_up_boot(150616).bin with header version 1.

Header Structure

    Offset  Size (Bytes)  Item                 Value
    0       4             Version              0x01000000
    4       24            Vendor Name          TP-Link Technologies
    0x1C    36            FW Version           Ver. 1.0
    0x40    4             HW ID                0x08410011
    0x44    4             HW Revision          0x00000001
    0x48    4             Unused               0
    0x4C    16            Image MD5SUM         0xBF...65
    0x5C    4             Unused               0
    0x60    16            MD5SUM2              0x23...F0
    0x70    4             Unused               0
    0x74    4             Kernel Load Address  0x80002000
    0x78    4             Kernel Entry Point   0x801CDB90
    0x7C    4             FW Length            0x003E0200
    0x80    4             Kernel Data Offset   0x00000200
    0x84    4             Kernel Data Length
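The table above gives the layout of the version-1 header up to the Kernel Data Length field. The following Python parser is an added example (not from the post, not TP-Link code) that unpacks exactly those fields, big-endian, and runs a few consistency checks a firmware analyst would want before trusting the offsets: FW Length against the file size, the kernel data range against FW Length, and the entry point against the load address. The sample header it builds carries the values from the table; the two MD5 fields are elided on the page and Kernel Data Length is cut off, so placeholder bytes and a made-up length are used and labelled as such.

```python
import struct

# Big-endian layout, field by field as in the table above (0x88 bytes up to and
# including Kernel Data Length; the real header continues past that point).
TPLINK_V1_FMT = ">4s24s36sIII16sI16sIIIIII"
TPLINK_V1_LEN = struct.calcsize(TPLINK_V1_FMT)  # 136 = 0x88
FIELD_NAMES = (
    "version", "vendor_name", "fw_version", "hw_id", "hw_revision", "unused1",
    "image_md5sum", "unused2", "md5sum2", "unused3", "kernel_load_addr",
    "kernel_entry_point", "fw_length", "kernel_data_offset", "kernel_data_length",
)


def parse_tplink_v1_header(blob):
    """Unpack the fields listed in the table; strings are NUL-trimmed, hashes hex-encoded."""
    if len(blob) < TPLINK_V1_LEN:
        raise ValueError("input shorter than a version-1 header (0x%X bytes)" % TPLINK_V1_LEN)
    hdr = dict(zip(FIELD_NAMES, struct.unpack_from(TPLINK_V1_FMT, blob, 0)))
    if hdr["version"] != b"\x01\x00\x00\x00":
        raise ValueError("version bytes %s are not 01000000" % hdr["version"].hex())
    hdr["version"] = "0x" + hdr["version"].hex().upper()
    for key in ("vendor_name", "fw_version"):
        hdr[key] = hdr[key].split(b"\x00", 1)[0].decode("ascii", "replace")
    for key in ("image_md5sum", "md5sum2"):
        hdr[key] = hdr[key].hex()
    return hdr


def check_tplink_v1(hdr, file_size):
    """Sanity checks that a parsed header should pass for a well-formed image."""
    problems = []
    if hdr["fw_length"] > file_size:
        problems.append("FW Length 0x%X exceeds file size 0x%X" % (hdr["fw_length"], file_size))
    kernel_end = hdr["kernel_data_offset"] + hdr["kernel_data_length"]
    if kernel_end > hdr["fw_length"]:
        problems.append("kernel data (0x%X..0x%X) runs past FW Length 0x%X"
                        % (hdr["kernel_data_offset"], kernel_end, hdr["fw_length"]))
    if hdr["kernel_entry_point"] < hdr["kernel_load_addr"]:
        problems.append("entry point 0x%08X lies below load address 0x%08X"
                        % (hdr["kernel_entry_point"], hdr["kernel_load_addr"]))
    return problems


def build_sample_tplink_v1_header(kernel_data_length=0x00100000):
    """Constructed header carrying the table's values. The two MD5 fields are
    elided on the page (0xBF...65, 0x23...F0), so placeholder bytes with only the
    first and last byte set are used; Kernel Data Length is cut off on the page,
    so it is a made-up argument here."""
    md5_a = b"\xbf" + b"\x00" * 14 + b"\x65"
    md5_b = b"\x23" + b"\x00" * 14 + b"\xf0"
    return struct.pack(
        TPLINK_V1_FMT,
        b"\x01\x00\x00\x00", b"TP-Link Technologies", b"Ver. 1.0",
        0x08410011, 0x00000001, 0,
        md5_a, 0, md5_b, 0,
        0x80002000, 0x801CDB90, 0x003E0200, 0x00000200, kernel_data_length,
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_tplink_v1_header()
    header = parse_tplink_v1_header(data)
    for name in FIELD_NAMES:
        value = header[name]
        print("%-20s %s" % (name, "0x%08X" % value if isinstance(value, int) else value))
    for problem in check_tplink_v1(header, len(data)):
        print("WARNING:", problem)
```

Run it against the real firmware file with `python3 tplink_hdr.py wr841nv11_wr841ndv11_en_3_16_9_up_boot\(150616\).bin`; without an argument it parses the constructed sample. The checks are deliberately structural only: what the two MD5 fields cover is not stated in the table, so the script prints them but does not try to verify them.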

Analysis of Asus TRX firmware

Introduction

Analysis of the file FW_RT_N53_30043763754.trx corresponding to the firmware of the Asus RT-N53.

Header Structure

    Offset  Size (Bytes)  Item                              Value (FW_RT_N53_30043763754.trx)
    0       4             Magic Bytes                       HDR0
    4       4             Length (including header)         0x00707000
    8       4             CRC32 (for data from offset 0xC)  0x512E08B5
    0xC     2             Flags                             0
    0x0E    2             Version                           0x0001
    0x10    4             Loader Offset                     0x0000001C
    0x14    4             Kernel Offset                     0x00000A8C
    0x18    4             Rootfs Offset                     0x001299EC

Analysis

If the magic bytes are HDR0, the firmware is little-endian.

1. Verify that the size of the file is the same as that in the header, i.e. 0x707000 or 7368704 bytes.

2. To calculate the CRC32, extract the data from offset 0xC:

    dd iflag=skip_bytes if=fw.trx skip=$((0xC)) of=crc_data

Calculate the CRC32:

    crc32 crc_data

Convert the result obtained, 0xaed1f74a, to signed value an
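The two checks above (length field against file size, CRC32 over the data from offset 0xC) can be scripted. The following Python is an added example, not from the post and not Asus or OpenWrt code. It assumes the little-endian layout from the table, and it uses the relationship the post's own numbers show: the crc32 tool's 0xAED1F74A and the header's 0x512E08B5 are bitwise complements of each other, so the header value is `zlib.crc32(data) ^ 0xFFFFFFFF`. The small TRX image it builds for the test is constructed and carries no real partitions.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"                        # little-endian TRX image
TRX_FMT = "<4sIIHHIII"                     # magic, length, crc32, flags, version, loader/kernel/rootfs offsets
TRX_HEADER_LEN = struct.calcsize(TRX_FMT)  # 0x1C = 28 bytes
CRC_START = 0xC                            # CRC covers the flags field through the end of the image


def parse_trx_header(blob):
    """Unpack the 28-byte TRX header laid out in the table above."""
    if len(blob) < TRX_HEADER_LEN:
        raise ValueError("file shorter than a TRX header")
    magic, length, crc, flags, version, loader, kernel, rootfs = struct.unpack_from(TRX_FMT, blob, 0)
    if magic != TRX_MAGIC:
        raise ValueError("magic %r is not HDR0 (not a little-endian TRX image)" % magic)
    return {"length": length, "crc32": crc, "flags": flags, "version": version,
            "loader_offset": loader, "kernel_offset": kernel, "rootfs_offset": rootfs}


def header_crc_from_zlib(zlib_crc):
    """The header stores the bitwise complement of the value crc32(1)/zlib report:
    0xAED1F74A from the crc32 tool corresponds to 0x512E08B5 in the header."""
    return zlib_crc ^ 0xFFFFFFFF


def trx_crc32(blob, length):
    """CRC32 as the header expects it, over blob[0xC:length]."""
    return header_crc_from_zlib(zlib.crc32(blob[CRC_START:length]) & 0xFFFFFFFF)


def verify_trx(blob):
    """Return (parsed header, list of problems); an empty list means the image checks out."""
    hdr = parse_trx_header(blob)
    problems = []
    if hdr["length"] != len(blob):
        problems.append("length field 0x%X != file size 0x%X" % (hdr["length"], len(blob)))
    calc = trx_crc32(blob, min(hdr["length"], len(blob)))
    if calc != hdr["crc32"]:
        problems.append("crc32 mismatch: header 0x%08X, computed 0x%08X" % (hdr["crc32"], calc))
    for name in ("loader_offset", "kernel_offset", "rootfs_offset"):
        off = hdr[name]
        if off and not (TRX_HEADER_LEN <= off < hdr["length"]):
            problems.append("%s 0x%X lies outside the image" % (name, off))
    return hdr, problems


def build_sample_trx(loader, kernel, rootfs):
    """Constructed test image: three tiny partitions behind a valid header
    (flags 0, version 1, as in the table)."""
    loader_off = TRX_HEADER_LEN
    kernel_off = loader_off + len(loader)
    rootfs_off = kernel_off + len(kernel)
    body = loader + kernel + rootfs
    length = TRX_HEADER_LEN + len(body)
    tail = struct.pack("<HHIII", 0, 1, loader_off, kernel_off, rootfs_off) + body
    crc = header_crc_from_zlib(zlib.crc32(tail) & 0xFFFFFFFF)
    return struct.pack("<4sII", TRX_MAGIC, length, crc) + tail


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_trx(b"L" * 10, b"K" * 40, b"R" * 60)
    header, issues = verify_trx(image)
    for key, value in header.items():
        print("%-14s 0x%08X" % (key, value))
    print("OK" if not issues else "\n".join("PROBLEM: " + p for p in issues))
```

Run `python3 trx_check.py FW_RT_N53_30043763754.trx` on the real file; for that image the script should report the length 0x707000 and a computed CRC of 0x512E08B5 with no problems. The offset bounds check is a cheap extra: a partition offset beyond the declared length is a sign of a truncated or hand-edited image even when the CRC happens to pass.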