Intro..
After exploring the winbox clientserver protocol, i wanted to find some ways to get rid of winbox service and winbox client…
This finding, has to do only with the mikrotik router, who has winbox service running (on port 8291 or in any other port)
On my try to make a test on the server, in order to cause a lot of traffic, i saw the service being unstable, causing various probs to whole router. The minimum prob was the 100% cpu load, but there are various probs depending on hardware and routeros version. The exploit’s logic is very simple, and the winbox protocol analysis is simple too.So it made me identify that vulnerability very easy. The vulnerability found while trying to download a DLL/plugin file from mikrotik router (just like winbox client does) and choose a big file, and request the 1st part of it many times.. That is what causes the DoS. The only file needed here is the .py script, and it is tested on python 2.4 and 2.7 versions.
More details, download and usage, are below.. :
Vulnerability Description
===========================
The denial of service, happens on mikrotik router’s winbox service when
the attacker is requesting continuesly a part of a .dll/plugin file, so the service
becomes unstable causing every remote clients (with winbox) to disconnect
and denies to accept any further connections. That happens for about 5 minutes. After
the 5 minutes, winbox is stable again, being able to accept new connections.
If you send the malicious packet in a loop (requesting part of a file right after
the service becoming available again) then you result in a 100% denial of winbox service.
While the winbox service is unstable and in a denial to serve state, it raises router’s CPU 100%
and other actions. The “other actions” depends on the router version and on the hardware.
For example on Mikrotik Router v3.30 there was a LAN corruption, BGP fail, whole router failure
=> Mikrotik Router v2.9.6 there was a BGP failure
=> Mikrotik Router v4.13 unstable wifi links
=> Mikrotik Router v5.14/5.15 rarely stacking
=>>> Behaviour may vary most times, but ALL will have CPU 100% . Most routers loose BGP after long time attack <<
The exploit
=============
This is a vulnerability in winbox service, exploiting the fact that winbox lets you download files/plugins
that winbox client needs to control the server, and generally lets you gain basic infos about the service BEFORE
user login!
Sending requests specially crafted for the winbox service, can cause a 100% denial of winbox service (router side).
This script, offers you the possibility to download any of the dlls that can be downloaded from the router one-by-one
or alltogether! (look usage for more info) .. The file must be contained in the router’s dll index.
The dlls downloaded, are in the format of the winbox service.. Meaning that they are compressed with gzip and they
have 0xFFFF bytes every 0x101 bytes (the format that winbox client is expecting the files)
These DLLs can be used by the “Winbox remote code execution” exploit script 😉
Download script here: mkDl
Usage
=======
Try running the script without arguments to see usage.. or
Use the script as described below:
1. You can download ALL the files of the router’s dll index using the following command:
python mkDl.py 10.0.0.1 * 1
the “1” in the end, is the speed.. “Speed” is a factor I added, so the script delays a bit while receiving
information from the server. It is a MUST for remote routers when they are in long distance (many hops) to use
a slower speed ( 9 for example ).
Also in the beginning of the dlls file list, script shows you the router’s version (provided by router’s index)
2. You can download a specific .dll file from the remote router.
python mkDl.py 10.67.162.1 roteros.dll 1
In this example i download roteros.dll (which is the biggest and main plugin) with a speed factor of 1 (very fast)
Because roteros and 1-2 other files are big, you have to request them in different part (parts of 64k each)
That is a restriction of winbox communication protocol.
If you don’t know which file to request, make a “*” request first (1st usage example), see the dlls list, and press ctrl-c
to stop the script.
3. You can cause a Denial Of Service to the remote router.. Means denial in winbox service or more (read above for more)
python mkDl.py 10.67.162.1 DoS
This command starts requesting from router’s winbox service the 1st part of roteros.dll looping the request
and causing DoS to the router. The script is requesting the file till the router stops responding to the port (8291).
Then it waits till the service is up again (using some exception handling), then it requests again till the remote service is down again etc etc… The requests lasts for about 2 seconds, and the router is not responding for about 5 minutes as far as i have seen from my tests in different routeros versions.
A PoC video with DoS and download files feature.. :
ErebusBat reported an error in python 2.7.1 on lion osx .. There was a weird behaviour in the DoS loop where there wasn’t flood with the “- Sending evil packet.. press CTRL-C to stop -” as expected and there was not DoS at all.. I’ll keep you updated when i check Lion myself 🙂
Btw works fine as tested on windows python 2.7 and backtrack 5..
Finaly the prob in mac lion was just the spacing of the file and specific in lines 205-211 make again in mac the spacing inside coda.. and it will be ok 😉
PoURaN~
This is confirmed fixed on my box now. Also for your list…. this absolutely kills the winbox service on my 493G/ROS 5.5 however I saw no depreciable change in traffic flow.
I tested my traffic flow by SCPing a large file from my laptop (LAN SIDE) to a server on the WAN side of the Mikrotik.
However you could lock admins out… I know plenty of people who would be lost without WinBox.
i Have problem about this, can someone explain to me …
what should i do ..
Traceback (most recent call last):
File “mkDl.py”, line 225, in
s.connect((mikrotikIP, 8291))
File “C:Python27libsocket.py”, line 224, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed bec
ause connected host has failed to respond
@dleech
can you please tell us how do you run the script? Is the remote IP a mikrotik router?
What do I do in the files (( DLL ))
How do I see the information inside it ?!
@d4taps
you don’t need to.. they are the original DLLs as they are provided by mikrotik router v5.14.. If you wanna see them you have to remove the two 0xFF 0xFF bytes in every 0x101 bytes inside every DLL.. (that’s the format, that winbox wants to “see” the receiving file) if you see the script’s source you’ll find out.. 😉
how can i hack a Mikrotik Router?
i want to hack isp mikrotik and find user & pw of mikrotik.
connection reseted by server… 🙁
same problem..connection reseted by server…
i have problem with runnig the script
when I run this command: C:mkD1python mkD1.py
I receive this error:
File “mkD1.py”,line 75
print “[+] Index received!”
SyntaxError: invalid syntax
would you please help me with it?
@kambiz
Hey kambiz,
tell me exactly what you do.. I am just testing it again doing:
C:Python27>python mkD1.py 10.10.10.1 roteros.dll 1
and works fine… and also for DoS attack:
C:Python27>python mkD1.py 10.10.10.1 DoS
I’ve solved the problem.the problem occurred because the script syntax belongs to python version2 but the python I installed is version3.so I convert it to version3 by using 2to3.py in python.
now i have another problem. when i run this:
c:Python32>python mkDl.py (mikrotik ip) * 7
I receive this error:
[Winbox plugin downloader]
Traceback (most recent call last):
File “mkDl.py”, line 226, in
s.send(winboxStringIndex)
TypeError: ‘str’ dose not support the buffer interface.
would you please help me with it?
@kambiz
I can’t install python 32 atm to check it.. but i see in line 226 has s.send(winboxStartingIndex) and not s.send(winboxStringIndex)
yes I made a mistake while typing
as you said it is: s.send(winboxStartingIndex)
the problem is solved by installing python27.
I have another question.is there any way or any exploit to download the backup files from mikrotik?
@kambiz
No, only from winbox
HEY , ADMIN,
can I get users with this method?
It worked fine but still have a question.
isn’t their any way to get mikrotik password or those DLL file this script download contain router password.
no you can’t do it with this method.. and inside dll there is no info like that.. You can just grab the admin’s saved winbox passwords (if there are any) using the command execution exploit and a mac spoofing method BUT you must be in the same Lan as the victim OR you can social him, so you don’t need same lan and mac sppofing … 😛
what i want to do is exactly what u have just said “You can just grab
the admin’s saved winbox passwords (if there are any)” . iam on the
same lan . please can you explain it for me how to grab password for
admin from saved password and how can i make this “command execution
exploit and a mac spoofing method ” , please help me in this
@PoURaN
41.35.44.57
thanks PoURaN for this great info i don’t think that i will find it any where and i have 3 questions :
1st how can i get the backup of mikrotik or the other info like user name isn’t the dll files that we downloaded contain all the infos?
2nd how do i use the dll files to extract the info on it like ppp and any others.
3rd.what mac do i have to spoof the admin pc lan or the mikrotik or any one on who connected to the mikrotic.
@hi
Hello, concerning your questions:
1) no you can’t.. and no the DLLs don’t contain any infos about users/backups.. they just contain functions in order to make winbox.exe work for the specific mikrotik version.
2) you can’t.. look 1) :p
3) mac spoofing can be done where you are in the same LAN with your victim (in this case your victim is the mikrotik admin).. search more about mac spoofing..
thanks PoURaN again for ur answering
you said “You can just grab the admin’s saved winbox passwords (if there are any) using the command execution exploit and a mac spoofing method ”
i know how to spoof the mac address but what do u mean about command execution exploit what is this and can u tell me in details because it’s almost a year and iam trying how to hack the mikrotik to get the user and pass 🙂
at least can u tell me how to get the the command execution exploit do i need the a backtrack?
@hi
Hey man.. I was a bit busy that’s why I was late in reply.. So.. By saying remote code execution exploit, I mean this one.. http://www.133tsec.com/2012/04/27/0day-mikrotik-winbox-client-side-attack-a-remote-code-execution-exploit/
Watch and understand the video I made there.. To execute code to your victim, you have to do it 1) even by social.. (talk to him and ask him to connect to yor malicious mtik emulator) 2) by spoofing his router and force him to connect to you instead of his router (mac spoofing – same LAN)
For how to make a malicious emulator for mtik watch the vid of the exploit i told you earlier..
cya
thanks m8 i will
c u
I think is a goood ideea to write a script that is honeyspot for mikrotik to collect user/pass and the spoof router`s mac.
Not Working on 6.0rc6
root@kali:~/Desktop/mkDl# python mkDl.py 192.168.0.16 * 1
[Winbox plugin downloader]
Usage : mkDl.py
: [from 0 to 9] 1=faster, 9=slower but more reliable
after download all dll file so next what?
Hi there
I was wondering on how to create a custom dll that winbox would download and that it would show me the welcome screen for instance
as I was always fascinated on how routeros.dll for instance shapes the way winbox looks like for the fist test, just this would be enough: https://www.qtechsystem.com/wp-content/uploads/2019/05/winbox-Login-1024×616.png
but I am not realy sure how theese dlls are constructed, when opening them with ghidra for instance (awesome decompiler): https://ghidra-sre.org/
it is not able to identify anything not even DLLMain
so if you have already played around with that and maybe have some source for some example dll that winbox would load, let me know
Thanks for Anwsering and Best Regards