Sagemcom Fast 3890 exploit

This exploit uses the Cable Haunt vulnerability to pop a shell on the Sagemcom F@ST 3890 (50.10.19*) cable modem, from local network access. Firmware version 50.10.21 or newer should be secure against Cable Haunt. This Proof of concept has specifically been designed to only work locally to limit the potential for malicious purposes. Another POC that creates a reverse shell to an external connection for the Technicolor TC7230 is available here.

A list of known vulnerable modems can be found on https://cablehaunt.com/#faq-am-i-affected.

How it works

The exploit.py serves a website, that when visited, sends a malicious WebSocket request to the cable modem. This request overflows the return address and accompanying registers in the Spectrum Analyzer of the cable modem, and uses a ROP-chain to start listening for a TCP connection on port 1337. The ROP-chain is constructed and commented in static/exploitSagemcom.js. The exploit.py server then sends the exploit.raw file over this TCP connection which will then be executed by the modem. The exploit.raw file is reverseshell.c compiled to MIPS architecture (see below how). Reverseshell.c is a shell written explicitly for this modem. The shell listens for commands to be run in the eCos shell on the cable modem and redirect STDOUT to the TCP connection.

You can find a video explaining the exploit here: https://www.youtube.com/watch?v=5FM9mS5ck3Y

Running the exploit

Note: Windows 10 is not currently supported, you must use a Linux based OS

Install pwntools and flask for python3 and run python exploit.py. Now go to http://127.0.0.1:8080 in your browser, to exploit the modem. Firefox will not work for this, as the WebSocket version used is not compatible.

Now an interactive shell should pop in your terminal running the python script. If you exit the shell, the modem needs to be rebooted to start a new shell.

Building your own payload

If you want to compile your own payload you can grab the toolchain from aeolus and run the following command:

/<toolchain Path>/gnutools/mipsisa32-elf/bin/mipsisa32-elf-gcc -O3 -c ./reverseshell.c -o ./reverseshell.o && /<toolchain Path>/toolchains/gnutools/mipsisa32-elf/bin/mipsisa32-elf-objcopy -O binary reverseshell.o exploit.raw

Exploiting other modems

You can build and exploit any modem vulnerable to Cable Haunt using this technique. We recommend reading the techincal report before trying to write your own ROP-chain. Go to Cable Haunt for a list of known vulnerable cable modems.

Building the ROP chain

First, you will need the firmware for the cable modem you're going to exploit. Then, reverse engineer the firmware to find the addresses of the relevant function for building the exploit such as socket(), bind(), accept(), listen(), recv() and connect() for a shell. Then Ropper can be used to find gadgets using the following command:

python Ropper.py --type all --all --badbytes 00c0c1f5f6f7f8f9fafbfcfdfeff2c -r -a MIPSBE -I 0x80004000 --console -f <firmware path>

Unreachable gadgets

Not all gadgets can be reached, as gadgets are just addresses sent as raw bytes and not all bytes can be sent as a WebSocket request with text frames. For instance, the address 0x8080a864 can not directly be inserted in a WebSocket text frame, as it is not a valid UTF-8 character. The address 0xf28080a864 can however be inserted, as 0xf2 means start new UTF-8 symbol with 0x8080a864 as the trailing bytes. The following bytes cannot be present in any address used because of the utf-8 specification: 0x00, 0xc0,0xc1,0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff, 0x2c. Other restrictions also exists which will soon be explained further in our report. For now, you can read and use utf8TestScript.py to test if an address if reachable.

Custom payload

You can use the process described above to compile your own payload for new cable modem but remember that the payload must not return! If it returns, the process will look for a return address on the smashed stack and crash.

Extracting firmware from Cable Modems

For most modems, you will need a way to access the eCos shell to extract the firmware or extracting it directly from the flash chip. These firmwares are usually packed in a format called ProgramStore If the serial console is not working try running: (might only work if coax cable is disconnected or not provisioned)

snmpset -v2c -c private 192.168.0.1 1.3.6.1.4.1.4413.2.2.2.1.9.1.2.1.0 i 2
snmpset -v2c -c private 192.168.0.1 1.3.6.1.4.1.4413.2.2.2.1.9.1.2.1.0 i 0
snmpset -v2c -c private 192.168.0.1 1.3.6.1.4.1.4413.2.2.2.1.9.1.2.1.0 i 2

Then the shell should be accessible, and bcm2-utils can make it easy to extract it using this shell. When reversing the extracted firmware the load/base address is (as far as we have seen) always 0x80004000.