Saturday, January 25, 2014

32764/TCP Backdoor Scanning with NINJA PingU

Recently, a backdoor affecting several router models was discovered. It grants remote root shell access without any authentication, and exploiting it is as easy as opening a TCP connection to port 32764 on the device.

I released a new NINJA PingU plugin, called Backdoor32764, aimed at scanning for and identifying hosts affected by the 32764/TCP backdoor.

The plugin is documented on its web page and the code has been checked into its repository. NINJA PingU is a framework designed for easy plugin development: as the listing below shows, the plugin's own logic is only about 20 lines, and most of the work is carried out by the framework.

#include <string.h>

// The plugin API (openServiceFile, closeServFile, persistServ, synScan)
// is provided by the NINJA PingU framework.

// The backdoor magic 0x53634D4D appears on the wire as "ScMM" when sent by a
// little-endian device and as "MMcS" (the same value read as 0x4D4D6353)
// when sent by a big-endian one, so both byte orders are matched.
char *payload = "ScMM";
char *payload_be = "MMcS";

// const for the results
const char *vuln = "vulnerable";
const char *patched = "patched";   // listening, but no magic in the reply

void onInitPlugin()
{
    openServiceFile();
}

void onStopPlugin()
{
    closeServFile();
}

// Data sent to the host once the TCP handshake completes. Any junk is enough:
// the backdoor answers with its magic, so no protocol-correct message is needed.
void getServiceInput(int port, char *msg)
{
    strncpy(msg, "randomdata\r\n\r\n", 22);
}

// Called with the bytes the host sent back. A SYN scan never exchanges data,
// so in that mode nothing can be flagged as vulnerable.
void provideOutput(char *host, int port, char *msg)
{
    if (synScan == FALSE &&
        (strstr(msg, payload) != NULL || strstr(msg, payload_be) != NULL))
    {
        persistServ(host, port, vuln);
    } else {
        persistServ(host, port, patched);
    }
}
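The same probe-and-match logic, written as a standalone checker so it can be run against a single host without the framework. This is an added example, not code from the original post or from the NINJA PingU project: it sends the plugin's junk probe over a completed TCP connection and classifies the reply by whether the backdoor magic appears in either byte order. The sample replies embedded at the bottom are constructed, not captured from real devices, and the function names are this example's own.

```python
import socket
from typing import Dict, Optional

BACKDOOR_PORT = 32764
PROBE = b"randomdata\r\n\r\n"      # the same junk probe the NINJA PingU plugin sends

# The backdoor magic is the 32-bit value 0x53634D4D. A little-endian device
# emits it on the wire as "ScMM"; a big-endian device emits "MMcS" (the same
# bytes read as 0x4D4D6353). Matching both avoids missing big-endian devices.
MAGICS = {b"ScMM": "little-endian", b"MMcS": "big-endian"}

VULNERABLE = "vulnerable"
PATCHED = "patched"          # plugin vocabulary: listening, but no magic observed


def classify_response(data: bytes) -> str:
    """Apply the plugin's strstr() test to a raw reply, for either byte order."""
    return VULNERABLE if any(magic in data for magic in MAGICS) else PATCHED


def device_endianness(data: bytes) -> Optional[str]:
    """Report which byte order the magic was seen in, or None if it is absent."""
    for magic, order in MAGICS.items():
        if magic in data:
            return order
    return None


def read_reply(sock: socket.socket, want: int = 64, timeout: float = 3.0) -> bytes:
    """Collect up to `want` bytes, stopping early on timeout or peer close."""
    sock.settimeout(timeout)
    buf = b""
    while len(buf) < want:
        try:
            chunk = sock.recv(want - len(buf))
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def probe_host(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> Optional[str]:
    """Return "vulnerable" or "patched" for a listening port, None if not listening.

    The handshake must complete and data must be exchanged for the magic to be
    observed; a bare SYN scan cannot detect the backdoor, which is why the
    plugin skips the check when synScan is set.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PROBE)
            return classify_response(read_reply(sock, timeout=timeout))
    except OSError:          # refused, unreachable, or timed out
        return None


# Constructed sample replies (hypothetical, not captured from real devices)
# so the classifier can be exercised offline.
SAMPLE_REPLIES = {
    "le-device": b"ScMM" + b"\x00" * 8,
    "be-device": b"MMcS" + b"\x00" * 8,
    "other-service": b"HTTP/1.1 400 Bad Request\r\n",
    "silent": b"",
}


def classify_samples() -> Dict[str, str]:
    """Run the classifier over the constructed replies."""
    return {name: classify_response(reply) for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        verdict = probe_host(target)
        print(f"{target}:{BACKDOOR_PORT} -> {'not listening' if verdict is None else verdict}")
```

Note that, exactly as in the plugin, "patched" only means the port answered the connection without returning the magic; a closed or filtered port is reported separately as not listening rather than being folded into that count.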

I have also modified the Makefile so that the plugins are built automatically on each run. All the commands are parametrized; to compile a new plugin you only need to add its name to the PLUGINS line at the top of the Makefile, as follows:

PLUGINS=Simple Service Backdoor32764

Running the plugin within NINJA PingU is just as easy: specify its name with the -m (module) flag, as follows:

# ./bin/npingu -t 2 -p 32764 1.1.1.1-255.0.0.0 -m Backdoor32764

This will immediately start the scan. A screenshot of the UI running the plugin is shown in Figure 1.

Figure 1. 32764/TCP Backdoor scan.

An analysis was carried out in which 11,955,970 hosts were scanned. Among those, 7,090 hosts were listening on port 32764 and 61 were found to be vulnerable, that is, they answered the probe with the backdoor magic. The scan took about 15 minutes on a 100 Mbps DSL line. Figure 2 plots this data.

Figure 2. Analysis Results.

