New Belkin WeMo Module

On April 4th I posted a module to enable the telnet service on the Belkin WeMo Netcam. It turns out that the WeMo Switch has the same vulnerability, but doesn’t have telnetd. Or chmod. Or a lot of other things that would help with exploitation. To make matters worse, the firmware is GPG-encrypted, so you can’t poke around to see what’s available.

I found a way around this: by downloading a MIPS ELF reverse shell using wget. The good folks at Rapid7 wrote about this strategy when the Linksys e1500 “apply.cgi” module was created.

One disadvantage when looking at my target is that chmod isn’t available. To skirt around this, I copied the iwpriv executable from the bin directory into the tmp directory under a random file name. I then overwrote that file with the payload, so the payload inherits the same permissions (+x). This is a simple trick that I’ve used with success quite a bit in the past.
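The reason the copy-then-overwrite trick works is ordinary Unix file semantics: a shell redirection into an existing file reuses its inode and keeps its mode bits, whereas a freshly created file only gets the umask default. The following is an added demonstration, not code from the post or from the Metasploit module; it uses a constructed stand-in script in a scratch directory instead of the WeMo's iwpriv binary.

```shell
#!/bin/sh
# Added example: overwriting an existing executable keeps its +x bit,
# creating a new file via redirection does not. Everything here is
# constructed in a temporary directory and cleaned up on exit.

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Stand-in for an existing executable such as the post's iwpriv (constructed).
printf '#!/bin/sh\necho original\n' > "$demo_dir/existing_exec"
chmod 755 "$demo_dir/existing_exec"

# Case 1: cp creates the copy with the source's mode (masked by umask),
# then the in-place overwrite replaces the contents but keeps the inode,
# and with it the execute bit. No chmod is ever needed.
cp "$demo_dir/existing_exec" "$demo_dir/copy"
printf '#!/bin/sh\necho replaced\n' > "$demo_dir/copy"

# Case 2: a brand-new file written by redirection gets the umask default,
# which has no execute bit, so it cannot be run directly.
printf '#!/bin/sh\necho fresh\n' > "$demo_dir/fresh"

# Query helpers so the result can be checked rather than only printed.
copy_is_exec()  { [ -x "$demo_dir/copy" ]; }
fresh_is_exec() { [ -x "$demo_dir/fresh" ]; }

# What the overwritten copy actually runs now (prints "replaced").
copy_output() { "$demo_dir/copy"; }

if copy_is_exec;  then echo "copy:  executable (mode inherited)"; fi
if ! fresh_is_exec; then echo "fresh: not executable (umask default)"; fi
```

From the defender's side, the mode bits are not the only gate: a tmp filesystem mounted noexec refuses to execute the overwritten copy regardless of its permissions.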

I wrote a new Metasploit module for this and it is available here.

I love the idea of getting a shell on a power outlet. It’s so cyberpunk — I’m sure Gibson and Stephenson would be proud. In the next post I’ll take a look at post-exploitation — IoT style.

Update: If anyone wants a public/private GPG key pair for the WeMo, I’ve taken the liberty of making Belkin’s available for download here. You can download firmware images from http://fw.xbcs.net/wemo/switchsensor/ and decrypt them using the provided keys. Once decrypted, Binwalk is your friend.
