Lateral movement inside the network: how to use JavaScript to execute arbitrary code on the router (vulnerability warning, myhack58 security site)

Published 2017-03-27 by 佚名 (anonymous) on www.myhack58.com, entry MYHACK58:62201784685
EPSS 0.975 (High), percentile 100.0%
![](/Article/UploadPic/2017-3/20173271539552.png?www.myhack58.com)
First, some technical background.
NAT (Network Address Translation) is widely used in routers. When you sit behind a NAT router, your traffic reaches the Internet under the router's WAN IP, which is what keeps your machine uniquely identifiable out there; inside the local LAN, the router also hands your machine a LAN IP.
So whenever a device on the LAN sends a request to the public network, the router records exactly which LAN device made the request and to which service. When the response comes back from the target server, the router forwards it to the LAN IP of the corresponding device. This also means that, in most configurations, unsolicited packets arriving at the router are simply dropped.
There are many NAT variants, as shown in the figure:
![](/Article/UploadPic/2017-3/20173271539937.png?www.myhack58.com)
Strictly speaking, a NAT router is not an active firewall, but its design serves a similar function. Computers on the local network have no WAN IP and are not directly routable from the Internet, so they are hard to target directly. For most home networks and many small-business networks, this is the closest thing to a firewall they have.
JavaScript on the local network
We normally use the browser to reach the many web servers on the Internet, but it can just as well reach the web server on the router in your LAN. An attacker usually cannot reach that web interface directly from the WAN. Web pages are interactive, however, and although the same-origin policy limits what a page can do, JavaScript running in the browser can still send requests to web servers on the local network. If those web servers have security vulnerabilities, running the right code in the browser is enough to exploit them.
When the local web server lacks robust CSRF (cross-site request forgery) protection, the router accepts and processes requests that did not originate under its own control. This means an attacker can construct a carefully crafted malicious link or cross-site code, trick the target user into opening it, point the victim's browser directly at the vulnerable router page, and force the hijacked browser to execute our malicious JavaScript.
Other web languages could carry out the attack as well, but I think JavaScript is the best attack script.
Over the past few years we have seen JavaScript-driven CSRF exploit kits used for router pharming: they modify the router's DNS settings, direct users to fake websites, convince them to enter their login credentials on the phishing site, and steal private data. In one recent case, part of the JavaScript exploit code was hidden and obfuscated with encryption inside the comment field of a malicious image file; at run time it was decrypted and executed, and used a known vulnerability to change the local router's DNS server. Other cases showed the malicious DNS server forcing users to download a Chrome installer bundled with malware.
At the end of 2016, some Netgear routers were found to have a remote command injection vulnerability, CVE-2016-6277. Many of the affected devices were high-end models, which shows how little attention the security of the web interface gets. They had implemented CSRF protection, but it did not spare Netgear from the attack: the core problem was that the cgi-bin URI was handled naively by the server, and carelessly appending a semicolon and a command to the routerlogin.net/cgi-bin/ URI resulted in arbitrary code execution.
To better understand how such vulnerabilities work, I will use the GL Innovations router with firmware 2.24, which I recently bought and studied, as the example.
Case study: exploitation of GL Innovations firmware v2.24
The GLi series are small customizable routers aimed at users who want extra control over their Wi-Fi devices without spending much money. Their marketing material also covers router security, claiming the router can "keep hackers out".
So I bought one to take a look. After some research, I found two issues in the router: an authentication bypass and an authenticated code execution.
Below I walk through in detail how to write a full exploit for this router in JavaScript. The full exploit code can be found at https://github.com/tests00/gli-js-driveby/.
The GLi router's default login IP is 192.168.8.1, and it hands out addresses from the standard /24 range. Note that the router's default IP and DHCP settings are easily changed, so there is no guarantee that a GLi router will be found at 192.168.8.1.
So the next step is to obtain the local IP address of the machine our code runs on. We use WebRTC to get the local IP. In some cases this technique cannot recover the exact local IP, but it usually yields the first three bytes, which is already enough for us: a simple scan of the /24 range then determines the exact local IP.
Finding the host's local IP with WebRTC, slightly modified:
![](/Article/UploadPic/2017-3/20173271539911.png?www.myhack58.com)
Although the method above lets us find the router's IP, we cannot guarantee that the address is always the same. So we need a more reliable way to settle this.
Same-origin issues
There are some problems here. Because of the same-origin policy, we cannot simply pop an iframe and inspect the content an arbitrary page loaded. To get around this limit, we can try to load the GLi web server
