Neurohazard

Jailbreaking MikroTik RouterOS (JailBreak)

wpadmin ~ September 4, 2019 / InfoSec

Main text

Jailbreak procedure

https://github.com/0ki/mikrotik-tools/tree/master/exploit-backup

The test here was done on a virtual machine built from the 6.40.2 vmdk.
exploit-backup's stated supported version range is 2.9.8 through 6.41rc56.

[root@blackloutus01 exploit-backup]# chmod +x exploit_full.sh
[root@blackloutus01 exploit-backup]# chmod +x exploit_b.py
[root@blackloutus01 exploit-backup]# ./exploit_full.sh 
* Not affiliated with Mikrotikls or Oracle *

Welcome to jailbreak tool v1.92 for MikroTik devices
                                    by PossibleSecurity.com

WARNING! THIS TOOL IS LIKELY TO BRICK YOUR DEVICE. USE AT YOUR OWN RISK.
AUTHORS OF THIS TOOL MAY NOT BE HOLD LIABLE FOR ANY DIRECT OR
INDIRECT DAMAGES CAUSED AS A RESULT OF USING THIS TOOL.

If <<brick>> happens, go for netinstall to recover.

 * * * * * * * * 
We'll need the IP address of the device, user and password.
IP [192.168.88.1]: 192.168.198.3
USER [admin]: admin
PASS []: admin

We got admin@192.168.198.3 with password 'admin'.
Is this correct? (y/N) y

Let's begin.
Verifying version...
Downloading current configuration...
Patching...
Uploading exploit...

 * * * * * * * * 
Congrats! Jailbreak was (likely) successfull. Device will now reboot.
 * * * * * * * * 
Linux mode can be accessed via telnet using user 'devel' with admin's password.

Device is now rebooting...
You may opt to install additional utilities to make using the shell easier.
Please note that this will enable telnet service on port 23/tcp, 
send YOUR PASSWORD AND USERNAME UNENCRYPTED over the network, and
   may REMOVE YOUR ABILITY TO UPDATE software on smaller devices.

Would you like some additional utilities with your jailbreak? (y/N) y
Waiting for device to reboot...
Waiting for device to become available...
Connecting...
Uploading binaries...
Enabling telnet...
Setting up...
Please be aware that telnet will stay enabled on 23/tcp!

Enjoy your new shell via telnet using user 'devel' with admin's password.

Post-jailbreak operating guide

# After the jailbreak, log in via telnet as user devel; the password is the admin user's existing password.
# There is no ls command after the jailbreak; echo * can be used instead.
echo *
# To use RouterOS shell features after the jailbreak, pass the RouterOS shell
# command as the argument to /nova/bin/info.
/nova/bin/info "/system package print"
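The `echo *` trick above works because the shell itself expands the glob, so no external `ls` binary is needed. A bare `echo *` has two rough edges, though: in an empty directory the unmatched pattern is printed as a literal `*`, and `*` never matches dotfiles, so hidden entries are silently skipped. The following is an added example (not code from the post or from the 0ki/mikrotik-tools project) of a POSIX sh listing function built on the same idea that handles both cases and marks directories with a trailing `/`. It assumes only a POSIX sh with the `test`/`[` and `printf` builtins; the function names and the constructed temporary directory tree are illustrative assumptions, and nothing in it is RouterOS-specific.

```shell
#!/bin/sh
# Added example, not from the original post or the 0ki tool: an `ls`
# substitute that relies only on shell globbing (the mechanism behind
# `echo *`), while handling the cases a bare `echo *` gets wrong:
#   - empty directory: an unmatched glob stays a literal "*" (dropped here);
#   - dotfiles: "*" never matches them, so ".*" is expanded as well.

# list_dir [DIR]
# Prints one entry per line; directories get a trailing "/".
list_dir() {
    dir=${1:-.}
    for entry in "$dir"/.* "$dir"/*; do
        name=${entry##*/}
        # Skip the "." and ".." entries produced by ".*" (if the shell yields them).
        case $name in
            .|..) continue ;;
        esac
        # A pattern that matched nothing is left unexpanded; discard it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -d "$entry" ]; then
            printf '%s/\n' "$name"
        else
            printf '%s\n' "$name"
        fi
    done
}

# count_entries [DIR]: number of entries list_dir prints (used for checks).
count_entries() {
    list_dir "$1" | wc -l | tr -d ' '
}

# Self-check on a constructed directory tree (assumed sample data).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/nova" "$tmp/empty"
    : > "$tmp/.hidden"
    : > "$tmp/flash.txt"
    echo "--- populated directory:"
    list_dir "$tmp"          # prints .hidden, flash.txt, empty/, nova/
    echo "--- empty directory:"
    list_dir "$tmp/empty"    # prints nothing, not a literal "*"
    rm -rf "$tmp"
}

demo
```

On a shell that lacks `printf`, the `printf` lines can be replaced with `echo "$name"`; the glob handling is the part that matters.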

References

RTFM SigSegv1 – The state of MikroTik security: an overview
https://www.youtube.com/watch?v=V1ylGeRDgmE

[Slides] RTFM SigSegv1 – The state of MikroTik security: an overview
https://kirils.org/slides/2018-10-10_HackIt-MT_pub.pdf#page=31

MikroTik ChimayRed
https://github.com/BigNerd95/Chimay-Red/blob/master/docs/ChimayRed.pdf

Finding and exploiting CVE-2018–7445 (unauthenticated RCE in MikroTik’s RouterOS SMB)
https://medium.com/@maxi./finding-and-exploiting-cve-2018-7445-f3103f163cc1

[Translation] Finding and exploiting CVE-2018–7445 (unauthenticated RCE in MikroTik’s RouterOS SMB)
https://www.4hou.com/vulnerable/16701.html
https://xz.aliyun.com/t/4397

Less important references

MikroTik RouterOS/ROS backup and restore: how to back up and restore ROS
http://www.roszj.com/45.html
