Backdoor a GL.Inet mini router.

A malicious actor opens up a package found on your doorstep and sees a brand new GL.iNet. Let's take for granted that they have the tools to open a package, then reapply the shrink wrap and put everything back as expected. This is a post about what they could do to that device to compromise your home network.

First, take the shell off the mini router and remove the guts. Locate the header pins and connect your UART-to-USB device.

Figure 1 – UART-to-USB adapter connected to the router's TX, RX and GND pins.

Check dmesg and note the tty device that was created.

Figure 2 – Output of dmesg.

Connecting with the following command drops directly into a root shell:

sudo screen /dev/ttyUSB0 115200

Figure 3 – OpenWrt root shell on the MT300N-V2 over the serial console.

There is no password protection on this console at all. Provided the router isn't factory reset before legitimate use, we can place a file that calls a reverse shell at every boot. This is possible because the GL.iNet router ships with nc (netcat) pre-installed, for some reason.

To do this, navigate to /bin/ and create an executable file; it needs to be executable for everyone, with open permissions. We will use cron to run this file at boot, then every minute after. To create a new cron job, use the following command:

crontab -e

To describe the job to run, add the following entry:

0,10,20,30,40,50 * * * * /bin/backdoor

Check that the crontab service is running and the cron entry has been created with:

crontab -l

The following command enables the cron service at boot so the jobs run:

service cron enable

Here I am using a local IP for the sake of the proof of concept, but this could just as easily call out to a shady online VPS, a droplet, a C2 server or whatever.

Figure 4 – The cron job returning a reverse shell before the device has finished its boot sequence.

Figure 5 – Finished and unsuspecting backdoored mini router.
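As an added example (not part of the original post), here is a small POSIX sh audit a defender can run against a freshly unboxed router's crontab to catch exactly the artefact described above: a root cron entry pointing at a world-writable or missing executable, or one that invokes nc. It assumes the crontab is passed as a file (on OpenWrt that is /etc/crontabs/root) and resolves paths under a ROOT argument, with a constructed sample filesystem so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a crontab listing for
# jobs whose target is world-writable, missing, or a netcat invocation.
# Assumption: CRONFILE is a crontab in the five-field format, ROOT is the tree
# the absolute paths are resolved under ("" for a live device).

# audit_crontab CRONFILE ROOT -> one line per finding: "<minute-field> <prog> <reason>"
audit_crontab() {
    cronfile=$1; root=$2
    grep -v '^[[:space:]]*#' "$cronfile" | grep -v '^[[:space:]]*$' |
    while read -r min hour dom mon dow cmd; do
        prog=${cmd%% *}                      # program is the first word of the command
        case "$prog" in /*) ;; *) continue ;; esac   # only absolute paths are checked
        target="$root$prog"
        if [ ! -e "$target" ]; then
            echo "$min $prog missing-target"  # job points at nothing: stale, or a dropper not yet placed
            continue
        fi
        # column 9 of ls -l is the world-write bit: root running a file anyone can edit
        if [ "$(ls -ld "$target" | cut -c9)" = "w" ]; then
            echo "$min $prog world-writable"
        fi
        case " $cmd " in *" nc "*|*"/nc "*|*netcat*) echo "$min $prog invokes-netcat" ;; esac
    done
}

# Constructed sample tree and crontab so the audit runs stand-alone.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    printf '#!/bin/sh\n' > "$d/bin/backdoor";      chmod 0777 "$d/bin/backdoor"
    printf '#!/bin/sh\n' > "$d/usr/bin/logrotate"; chmod 0755 "$d/usr/bin/logrotate"
    cat > "$d/root.cron" <<'EOF'
# constructed crontab: one legitimate nightly job, one like the post's, one stale entry
0 3 * * * /usr/bin/logrotate
0,10,20,30,40,50 * * * * /bin/backdoor
*/5 * * * * /tmp/update.sh
EOF
    echo "$d"
}

d=$(make_sample)
audit_crontab "$d/root.cron" "$d"
rm -rf "$d"
```

On a real device, run it as `audit_crontab /etc/crontabs/root ""` and also compare `ls -l /bin` against a clean firmware image, since a dropped file with a harmless name would only show up here through its permissions.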