This week only. Pastebin PRO Accounts Christmas Special! Don't miss out!Want more features on Pastebin? Sign Up, it's FREE!
Guest

Client for the DLink Backdoor, /bin/xmlsetc

By: a guest on Oct 13th, 2013  |  syntax: None  |  size: 3.55 KB  |  views: 4,969  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. Howdy y'all,
  2.  
  3. (These notes will probably be obsolete by the time you read them, but so it
  4. goes.  The TL;DR is that /bin/xmlsetc is the client for the D-Link backdoor.)
  5.  
  6. Craig exposed a new D-Link backdoor today, so I took a look at all images
  7. in my local copy of their FTP site.  His article describes the backdoor at
  8. the following URL explains how he found it and how to call it.  I have
  9. just a little to add.
  10. http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
  11.  
  12. The backdoor seems specific to eight firmware images, which I extracted
  13. from .bix files using binwalk.  None of the .bin or .img files seem to contain
  14. the backdoor.
  15.  
  16. % grep roodkcab `find . -name webs`
  17. Binary file ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs matches
  18. Binary file ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs matches
  19. Binary file ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs matches
  20. Binary file ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs matches
  21. Binary file ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs matches
  22. Binary file ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs matches
  23. Binary file ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs matches
  24. Binary file ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs matches
  25. %
  26.  
  27. In addition to /bin/webs containing the string "xmlset_roodkcableoj28840ybtide",
  28. it also appears in /bin/xmlsetc.  Of my eight images, there are only two unique
  29. versions of xmlsetc, while every one of the eight webs copies is distinct.
  30. % md5sum `find . -name xmlsetc` | sort
  31. 5c79f358a60280248098db10d6446528  ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/xmlsetc
  32. 5c79f358a60280248098db10d6446528  ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/xmlsetc
  33. 5c79f358a60280248098db10d6446528  ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/xmlsetc
  34. a443b1455ae3db9a572a685da51fabec  ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/xmlsetc
  35. a443b1455ae3db9a572a685da51fabec  ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/xmlsetc
  36. a443b1455ae3db9a572a685da51fabec  ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/xmlsetc
  37. a443b1455ae3db9a572a685da51fabec  ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/xmlsetc
  38. a443b1455ae3db9a572a685da51fabec  ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/xmlsetc
  39. % md5sum `find . -name webs` | sort  
  40. 07abc2afebb8fb90fd650a30f1f0b789  ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs
  41. 46637832adbd4056e97ab38aaaf31da4  ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs
  42. 78da0913e50b2deb93bc9fe3a8a8d1cd  ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs
  43. 8fe0c80d230bf207bfaeb16b70ef8a45  ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs
  44. 9318210953eb2dcd6895f091cdc847a1  ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs
  45. 9e57fe42a4c1dad21460a13c22356096  ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs
  46. e183a94c5f17bb186d663ac915fe71ff  ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs
  47. ecc427017d2fa3d88faf65fc26d0ab5f  ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs
  48. %
  49.  
  50. A quick glance at xmlsetc in IDA shows that it is sending the backdoor User-Agent with printf(),
  51. rather than receiving it.  Perhaps the backdoor serves some legitimate purpose, and
  52. Mystery Joel is only guilty of incompetence and not of malice?
  53.  
  54. I'm too busy to look further, but I hope you neighbors have fun.
  55.  
  56. Cheers from Philly,
  57. --TG
clone this paste RAW Paste Data