On April 4th I posted a module to enable the telnet service on the Belkin WeMo Netcam. It turns out that the WeMo Switch has the same vulnerability, but doesn’t have chmod. Or a lot of other things that would help with exploitation. To make matters worse, the firmware is GPG encrypted so you can’t poke around to see what’s available.

I found a way around this: by downloading a MIPS ELF reverse shell using wget. The good folks at Rapid7 wrote about this strategy when the Linksys e1500 “apply.cgi” module was created.
One disadvantage when looking at my target is that chmod isn’t available. To skirt around this, I copied the iwpriv executable from the bin directory into the tmp directory using a random file name. I then overwrote that file so the payload assumes the same permissions (+x). This is a simple trick that I’ve used with success quite a bit in the past.
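From the defender's side, the trick above leaves a recognisable trace: an executable in a scratch directory whose content matches none of the binaries it could have been copied from. The following Python is an added example (not the author's Metasploit module and not anything from Belkin) that shows why overwriting keeps the mode bits and then runs a baseline-hash check over a constructed bin/tmp layout; the directory names, the placeholder file contents and the random name `x7q2m` are all assumptions made for the demo.

```python
"""
Detection check for the "borrow an executable's mode bits" trick: an existing
binary (the post's example is iwpriv) is copied into tmp under a random name
and then overwritten in place. Truncating a file keeps its mode, so the new
content inherits +x without chmod. The check baselines the hashes of the
trusted binaries and flags any executable in the scratch directory whose
content matches none of them. Everything runs in a throwaway directory built
here (constructed sample data, not a real WeMo filesystem).
"""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def baseline_hashes(bin_dir):
    """Hash every regular file in the trusted bin directory."""
    return {sha256_of(os.path.join(bin_dir, n)) for n in os.listdir(bin_dir)
            if os.path.isfile(os.path.join(bin_dir, n))}


def is_executable(path):
    """True if any execute bit (user, group or other) is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def find_unknown_executables(scratch_dir, known):
    """Names of executable files in scratch_dir whose contents match no baseline binary."""
    hits = []
    for name in sorted(os.listdir(scratch_dir)):
        p = os.path.join(scratch_dir, name)
        if os.path.isfile(p) and is_executable(p) and sha256_of(p) not in known:
            hits.append(name)
    return hits


def simulate_mode_borrowing(root):
    """Build a constructed layout: bin/iwpriv copied to tmp/<random name>, then overwritten."""
    bin_dir = os.path.join(root, "bin")
    tmp_dir = os.path.join(root, "tmp")
    os.makedirs(bin_dir)
    os.makedirs(tmp_dir)
    iwpriv = os.path.join(bin_dir, "iwpriv")
    with open(iwpriv, "wb") as f:
        f.write(b"\x7fELF placeholder standing in for the real iwpriv")  # constructed
    os.chmod(iwpriv, 0o755)
    # A plain copy still hashes to a baseline binary; on its own it is not flagged.
    benign_copy = os.path.join(tmp_dir, "copy_of_iwpriv")
    shutil.copy2(iwpriv, benign_copy)
    # The trick: copy, then overwrite in place. Truncation keeps the mode bits.
    borrowed = os.path.join(tmp_dir, "x7q2m")  # hypothetical random name
    shutil.copy2(iwpriv, borrowed)
    with open(borrowed, "wb") as f:
        f.write(b"\x7fELF placeholder with different content")  # constructed
    return bin_dir, tmp_dir, borrowed


def run_demo():
    """Returns (overwritten file still executable?, names flagged by the check)."""
    root = tempfile.mkdtemp()
    try:
        bin_dir, tmp_dir, borrowed = simulate_mode_borrowing(root)
        still_exec = is_executable(borrowed)
        hits = find_unknown_executables(tmp_dir, baseline_hashes(bin_dir))
        return still_exec, hits
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The benign copy is deliberately left unflagged: a hash match against the trusted set is what separates "someone copied a system binary" from "someone copied a system binary and replaced its contents", and only the second is worth an alert. On a real device the baseline would be built from the decrypted firmware image rather than from the live bin directory.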
I wrote a new Metasploit module for this and it is available here.
I love the idea of getting a shell on a power outlet. It’s so cyberpunk — I’m sure Gibson and Stephenson would be proud. In the next post I’ll take a look at post exploitation — IoT style.
Update: If anyone wants a public/private GPG key pair for the WeMo, I’ve taken the liberty of making Belkin’s available for download here. You can download firmware images from http://fw.xbcs.net/wemo/switchsensor/ and decrypt them using the provided keys. Once decrypted, Binwalk is your friend.