Hijacking the NodeMCU Development Board - vulnerability warning - the black bar safety net

ID MYHACK58:62201680794
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-11-02T00:00:00


I had wanted to play with a development board for a long time, but as a poor student I could not afford one. Then the school issued us a NodeMCU; it is a cheap board, but still good fun. It kept me busy for several days: first I built a car, and the teacher had us drive it from Scratch for a while, which felt slightly dumb. A children's toy was not going to satisfy me.

OK, then let's do something that isn't child's play. I remembered that when flashing the board the teacher gave us a few Lua files to copy onto it. Yes, the code controlling this board is written in Lua, so I went to read up on the Lua scripting language: http://www.runoob.com/lua/lua-tutorial.html

After a few hours of reading I had a rough grasp, and then looked at the code in those Lua files from the flashing step. A pile of functions jumped out that I did not recognise. Judging by their names they should be the board's own standard-library API, so I looked up that reference next: http://bbs.nodemcu.com/t/nodemcu-api/28

Well, that's up to you!

Then the chase can begin:

Intuition said: first capture some packets and have a look.

Huh, so commands are carried over plain HTTP; I really like that. The capture only gives a rough idea, so next let's look at the actual code. Earlier in the capture there are two ARP packets that were not truncated, but oddly I could not find any code that handles ARP; presumably the hardware standard library takes care of it.

Judging by the file name, init.lua should be the startup file. It is just a few lines of code, and the core is these few lines:

It loads several files in sequence, the equivalent of an #include in C/C++. Of those files only two need close attention: network.lua and arest.lua. First look at network.lua:

The focus is on lines 6, 7 and 16 to 22. Lines 6 and 7 generate a random number from 0 to 255 that is used as the password in the later processing (cue the evil laugh). Line 17 looks at first glance like a regular expression; looking it up, Lua's pattern library is not the POSIX standard and I could not read it, so I threw the code into NodeMCU Studio for analysis rather than LuaLoader, because that one lacks the NodeMCU API.

Download: http://bbs.nodemcu.com/t/nodemcu ... on-build20150111/64

(This is the thing. I have to complain: it really is a terrible IDE, I have never seen one this bad!!)

To make the analysis easier, I pulled lines 16 to 22 out into a separate file, test.lua, added some debug output, and ran it; the output made things very clear. First connectionpw is generated, a random-number password (36 in this run). Then, after the Wi-Fi connection, each position of the DHCP-assigned IP address is XORed with this password, the result is converted to binary and then to hexadecimal, and the loop concatenates the hexadecimal digits obtained from each position. Lines 17 to 19 of network.lua append connectionpw's hexadecimal digits as the last two characters. Line 20 takes the substring from the fifth character to the last, which leaves 6 characters; line 21 inserts a space into those 6 characters, and that is the 6-character "wireless device ID" normally shown on screen after the Wi-Fi connection so that Scratch can connect to the wireless device. Line 22 makes it clear that Scratch is the tool this code was developed for; presumably the wireless device ID serves as the identification code during the ARP broadcast.

A quick summary first: a wireless device ID plus the first two octets of the IP address is enough, because only the tail of the string is cut out: the last two characters are connectionpw in hexadecimal, and the remaining four are the hexadecimal of the IP address XORed with connectionpw.
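The derivation summarised above, as an added example that is not part of the original article and not the board's network.lua: it rebuilds the 6-character wireless device ID from an IP address and connectionpw exactly as the text describes (the zero-padded lowercase hex rendering and the omission of the display space from line 21 are assumptions), shows that the secret is readable from the ID, and puts the 8-bit secret next to the size a replacement secret would need. The sample values are the ones the article reports (IP 192.168.1.103, connectionpw 36).

```python
import math
import secrets


def device_id(ip: str, connectionpw: int) -> str:
    """Rebuild the 6-character wireless device ID as the article describes
    network.lua doing it (reconstruction from the text, not the board's code):
    XOR each octet of the DHCP-assigned IP with connectionpw, render each result
    as two lowercase hex digits (padding and case are assumptions), append
    connectionpw itself as two hex digits, then keep the substring from the
    fifth character to the end, i.e. the Lua string.sub(s, 5, -1) of line 20.
    The space that line 21 inserts for display is left out here."""
    if not 0 <= connectionpw <= 255:
        raise ValueError("connectionpw is an 8-bit value on this board")
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected a dotted IPv4 address")
    masked = "".join(f"{o ^ connectionpw:02x}" for o in octets)
    full = masked + f"{connectionpw:02x}"
    return full[4:]


def secret_visible_in_id(ip: str, connectionpw: int) -> bool:
    """The article's observation: the last two characters of the ID are
    connectionpw itself, so displaying the ID displays the secret."""
    return device_id(ip, connectionpw)[-2:] == f"{connectionpw:02x}"


def secret_bits(candidates: int) -> float:
    """Entropy of a uniformly chosen secret with this many candidates."""
    return math.log2(candidates)


def hardened_secret() -> str:
    """What the board would need instead: a secret drawn from a space too large
    to enumerate, never derived from or printed alongside public values such as
    the IP address. 16 random bytes (32 hex characters) is a conventional size."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    sample_ip = "192.168.1.103"   # the car's address reported in the article
    sample_pw = 36                # the connectionpw value seen in the article's run
    print("device ID:", device_id(sample_ip, sample_pw))
    print("secret readable from ID:", secret_visible_in_id(sample_ip, sample_pw))
    print("bits of secret, board:", secret_bits(256))
    print("bits of secret, hardened:", secret_bits(2 ** (len(hardened_secret()) * 4)))
```

The contrast the two `secret_bits` values make is the whole assessment: the board protects every command with 8 bits of secret, and then prints those 8 bits on screen as part of the device ID, so the ID must not be treated as a secret at all.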

arest.lua is close to 200 lines, so I will not paste it; open the code yourself if you want to follow along. Analysis: lines 2 to 7 start a socket HTTP server listening on port 80 and define the function called whenever an HTTP request is received. Lines 20 to 34 split the address of the GET request with a pattern; each directory level corresponds to a command, so the directories being accessed do not actually exist on the development board. Then what caught my attention was line 34: password=path[4]. What?! Didn't the packet captured earlier show six hex characters in the address?

The password is 36?!!!! Look at the following code: lines 37 to 41 return a 403 error and close the connection when the password is not equal to connectionpw, and nothing further is executed. What?! All those steps earlier to generate the 6-character wireless device ID are decoration; I guess it is used once during the ARP broadcast, to make this toy look high-end. (Satan: they just played a smoke-and-mirrors game!) The final verification on command delivery still uses connectionpw, and by that measure the security of the wireless device ID is about the same. Well, at least there is some authentication, so it cannot be hijacked trivially. Interestingly, on successful validation the data returned is actually a standard JSON packet, probably so later development can build on it. Now the target is clear: as long as this random number with 256 possibilities can be cracked, the car can be hijacked. This validation is about as simple as it gets, which is a big security problem. It is worth noting that 256 is exactly 8 binary bits, which is also exactly one octet of the IP address; clearly the number was chosen for simplicity and convenience.
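The check described above, from the defender's side, as an added example that is not part of the original article and not the board's arest.lua: a Python model of the path[4] == connectionpw comparison with the two changes that blunt a 256-value guess run (a constant-time comparison and a per-client failure budget), plus detection logic that flags a client piling up 403s on /car/ paths. The log format and the log lines are constructed for the example; the /car/0/stop/<password> path shape is the one the article shows.

```python
import hmac
import re
from collections import defaultdict, deque

# Constructed access-log lines, one request each: "<unix_time> <client_ip> <path> <status>".
# Not captured from the article's board; only the /car/0/stop/<pw> path shape comes from it.
SAMPLE_LOG = [
    "1478000000 192.168.1.50 /car/0/stop/36 200",   # legitimate controller, right password
    "1478000005 192.168.1.60 /car/0/stop/7 403",    # one stray mistake, not a guess run
] + [f"{1478000010 + i} 192.168.1.77 /car/0/stop/{i} 403" for i in range(12)]  # sequential guessing

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d{3})$")


def parse_log(lines):
    """Yield (timestamp, client_ip, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_guessing_sources(lines, window_s=60, threshold=10):
    """Flag clients that collect `threshold` or more 403s on /car/ paths within
    `window_s` seconds. Returns {client_ip: peak 403s seen inside one window}.
    A 256-value password makes a guess run short, so the window is small and
    the threshold low."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, path, status in parse_log(lines):
        if status != 403 or not path.startswith("/car/"):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


class CommandAuth:
    """Model of the arest.lua check as the article describes it (path[4] must
    equal connectionpw, otherwise 403) with two defender-side additions: the
    comparison is constant-time, and each client has a failure budget after
    which it gets 429 even if it later presents the right value. Python model
    for illustration; the board's own code is Lua."""

    def __init__(self, connectionpw: str, max_failures: int = 5):
        self.connectionpw = connectionpw
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def check(self, client_ip: str, presented: str) -> int:
        if self.failures[client_ip] >= self.max_failures:
            return 429
        if hmac.compare_digest(presented.encode(), self.connectionpw.encode()):
            return 200
        self.failures[client_ip] += 1
        return 403


if __name__ == "__main__":
    print("guessing sources:", find_guessing_sources(SAMPLE_LOG))
    auth = CommandAuth("36", max_failures=3)
    for guess in ("0", "1", "2", "36"):
        print("client 10.0.0.9 presents", guess, "->", auth.check("10.0.0.9", guess))
```

The failure budget limits an online guess run to max_failures attempts per client address, which is a stopgap rather than a fix: with only 256 candidates the real remedy is the larger secret, and the detector exists so that a guess run against the unpatched board at least shows up in the logs.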

First a validation of the crack: to crack the password, one command is enough; as long as the password is correct, accessing that command's address returns JSON, for example: {"id": "1", "name": "esp8266"}. To keep the car from moving too much, pick the stop command, i.e. the /car/0/stop/XX address from the screenshot above. Note that what follows is only a manual experiment, which is a bit laborious, but an automated hijacking tool could be written following the same procedure.

Step one: scan with a scanning tool; here I used nmap to scan the LAN for hosts with port 80 open:

Scanning the whole network is a little slow, about 20 seconds, and then the car turned up at IP address 192.168.1.103. OK, let's go! (The address below changed to 192.168.1.100 because of a restart.) Use Burp Suite as a local proxy, point the browser at it, access the command with any password, intercept the browser's packet, and send it to the Intruder module:
