
CVE-2024-37606 PoC — D-Link DCS-932L 安全漏洞

Source
Associated Vulnerability
Title: D-Link DCS-932L security vulnerability (CVE-2024-37606)
Description: The D-Link DCS-932L is a network surveillance camera from D-Link (友讯), used for security and monitoring. D-Link DCS-932L REVB_FIRMWARE_2.18.01 contains a security vulnerability that an attacker can exploit to cause a denial of service.
Description
Simplifies D-Link DCS-932L firmware emulation with pre-patched components and includes a Proof-of-Concept exploit for CVE-2024-37606.
Readme
# Make Emulating Easy Again
![ChatGPT Image Apr 22, 2025, 12_56_50 PM](https://github.com/user-attachments/assets/cc735a2a-b40d-4340-9667-2907ca2142f5)

Welcome! This repository provides tools and an environment to emulate the D-Link DCS-932L firmware and demonstrate the **CVE-2024-37606** vulnerability. It includes pre-patched binaries and necessary libraries, simplifying the emulation setup so you don't need to perform manual patching with tools like Ghidra.

## CVE-2024-37606

This project includes a proof-of-concept exploit (`CVE-2024-37606-DCS932L.py`) for CVE-2024-37606, a buffer overflow in the `alphapd` service, the embedded web server of the camera. Triggering it crashes the service, which is the denial of service described in the advisory above. Please use this responsibly and for educational purposes only.
Click the image to watch the demo video:
[![Watch the demo](thumb.png)](https://vimeo.com/1077361116)

## Modifications for Emulation

Several modifications have been made to enhance the functionality and usability of the firmware emulation environment:

1. **Startup Script:** Added a startup script (`startup.sh`) to simplify emulation.
2. **Libnvram.so Adjustment:** Removed lines 338 to 342 from the original Firmadyne `libnvram` source so the NVRAM emulator works with this firmware. The rebuilt library is included as `firmadyne/libnvram.so`; it is the file that `LD_PRELOAD` points to in the startup steps below.
3. **Firmadyne Integration:** Added the Firmadyne folder to facilitate firmware emulation.
4. **Alphapd Patch:** Patched the `alphapd` binary using Ghidra to resolve an error preventing IP retrieval from `sysinfo` during emulation.
5. **Qemu-mipsel-static Addition:** Included `qemu-mipsel-static` for MIPS Little Endian emulation.

## Setup and Usage

Follow these steps to set up the emulation environment and run the exploit.

### 1. Prerequisites

*   A Linux environment (tested on Ubuntu/Debian-based systems).
*   `git`
*   `qemu-user-static`
*   `python3` and `pip`

### 2. Clone the Repository

```bash
git clone https://github.com/itwizardo/DCS932L-Emulation-CVE-2024-37606-Attack DCS932L-CVE
cd DCS932L-CVE
```

### 3. Install QEMU User Emulation Tools

The remaining steps (`chroot` into the firmware root and run its MIPS binaries through `qemu-mipsel-static`) rely on Linux user-mode emulation, so they need a Linux host. On Debian/Ubuntu:

```bash
sudo apt update
sudo apt install qemu-user-static
```

On macOS or Windows, run the whole procedure inside a Linux virtual machine or container: the Homebrew and Chocolatey `qemu` packages provide the system emulators, not the `qemu-*-static` user-mode binaries, and `chroot` into a Linux root filesystem is not available on those hosts.


### 4. Prepare Firmware Filesystem

Copy the QEMU static binary into the firmware's filesystem. The repository also ships a copy at its root (`./qemu-mipsel-static`), which can be copied instead of the system one:

```bash
sudo cp /usr/bin/qemu-mipsel-static ./usr/bin/
```

Set the immutable attribute on the web directory. This prevents modification of critical web server files needed for the emulation and exploit to function correctly:

```bash
sudo chattr +i etc_ro/web/
```

Note that `+i` on the directory itself only blocks creating, deleting and renaming entries in it; to also lock the contents of the files beneath it, use `sudo chattr -R +i etc_ro/web/`. Clear the flag again (`chattr -i`, or `-R -i`) before deleting or updating the checkout, otherwise `rm` and `git` fail with "Operation not permitted". The Windows `IsReadOnly` attribute and macOS `chflags schg` are not substitutes here, because the chroot-based steps that follow require a Linux host anyway.

### 5. Start the Emulation Environment

Enter the chroot environment using the MIPS Little Endian QEMU binary:

```bash
sudo chroot . /usr/bin/qemu-mipsel-static /bin/sh
```

Inside the chroot shell, run the startup script and start the web server:

```bash
# Execute startup tasks (network setup, etc.)
./startup.sh

# Set environment variables for nvram emulation
export LD_PRELOAD=/firmadyne/libnvram.so
export HOME=.
export RANDFILE=$HOME/.rnd

# Start the vulnerable web server (binds to 0.0.0.0, may take 1-2 mins to fully initialize)
alphapd
```

Leave this terminal running. The emulated device's services will be accessible via the host machine using the IP address configured by `startup.sh` (often `192.168.0.1`).

### 6. Run the Exploit

Open a **new terminal window** on your host machine (outside the chroot environment) and change into the repository directory:

```bash
cd /path/to/DCS932L-CVE # Adjust path if necessary
```

(Optional) Install any third-party Python packages the script imports (for example `requests`) if they are not already present:

```bash
pip3 install requests
```

Execute the exploit script. It automatically targets the local emulated environment (`192.168.0.1` set up by `startup.sh`):

```bash
python3 CVE-2024-37606-DCS932L.py
```

To target a different IP address, use the `--ip` argument:
```bash
python3 CVE-2024-37606-DCS932L.py --ip <target_ip>
```

Follow the output of the script to see the exploit in action.

### ⚠️ Notes

*   This firmware is **MIPS Little Endian**. You **must** use `qemu-mipsel-static`.
*   Using `qemu-mips-static` (Big Endian) will result in `Invalid ELF image` errors.
*   The `alphapd` service binds to `0.0.0.0` inside the chroot environment and may take **1-2 minutes** to become fully responsive after execution.
*   The `startup.sh` script likely sets up a network interface (e.g., `tap0`) with IP `192.168.0.1`. Verify this if the exploit fails to connect.
*   Ensure that required libraries (like `/lib/ld-uClibc.so.0`) are present in the chroot environment's `/lib` directory.
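The setup steps and the notes above come down to three checks that are easy to get wrong: the host must be Linux, every binary must be MIPS little-endian (otherwise the `Invalid ELF image` failure), and the uClibc loader must exist under `./lib`. The following preflight script performs those checks against the firmware root before you `chroot` into it. It is added here as an illustration and is not part of the itwizardo repository; it reads the ELF header with `od` so it does not depend on `readelf` or `file`, the paths it checks (`bin/alphapd`, `lib/ld-uClibc.so.0`, `lib/libc.so.0`, `firmadyne/libnvram.so`, `startup.sh`) are taken from the repository listing, and the file name `preflight.sh` is an assumption.

```shell
#!/bin/sh
# Preflight check for the DCS-932L chroot emulation. Added as an illustration;
# not part of the itwizardo repository. Run from the extracted firmware root
# (the directory holding bin/, lib/, etc_ro/ and startup.sh):  sh preflight.sh .

# elf_ident FILE -> prints "ELF<32|64> <LSB|MSB> <arch>" from the first 20
# header bytes, or "not-elf" with status 1. Works without readelf or file(1).
elf_ident() {
    hdr=$(od -An -tx1 -N 20 "$1" 2>/dev/null | tr -d ' \n')
    [ "$(printf '%s' "$hdr" | cut -c1-8)" = "7f454c46" ] || { echo "not-elf"; return 1; }
    class=$(printf '%s' "$hdr" | cut -c9-10)     # e_ident[EI_CLASS]: 01=32-bit, 02=64-bit
    data=$(printf '%s' "$hdr" | cut -c11-12)     # e_ident[EI_DATA]:  01=LSB,    02=MSB
    b18=$(printf '%s' "$hdr" | cut -c37-38)      # e_machine, first byte in file order
    b19=$(printf '%s' "$hdr" | cut -c39-40)      # e_machine, second byte in file order
    case "$class" in 01) bits=32 ;; 02) bits=64 ;; *) bits='?' ;; esac
    case "$data" in
        01) endian=LSB; machine="$b19$b18" ;;    # little-endian stores the low byte first
        02) endian=MSB; machine="$b18$b19" ;;
        *)  endian='?';  machine='????' ;;
    esac
    case "$machine" in
        0008) arch=mips ;;  0003) arch=x86 ;;  003e) arch=x86_64 ;;
        0028) arch=arm ;;   00b7) arch=aarch64 ;;  *) arch="unknown($machine)" ;;
    esac
    echo "ELF$bits $endian $arch"
}

# is_mipsel FILE -> status 0 only for a 32-bit little-endian MIPS ELF, i.e.
# what qemu-mipsel-static loads; an MSB build would need qemu-mips-static.
is_mipsel() {
    [ "$(elf_ident "$1")" = "ELF32 LSB mips" ]
}

# check_root DIR -> prints every problem found and returns their count (0 = ready).
check_root() {
    root=$1; problems=0
    # files the README's steps rely on
    for f in bin/alphapd lib/ld-uClibc.so.0 lib/libc.so.0 firmadyne/libnvram.so startup.sh; do
        if [ ! -e "$root/$f" ]; then
            echo "missing: $f"; problems=$((problems + 1))
        fi
    done
    # the web server and the loader must both be MIPS little-endian
    for f in bin/alphapd lib/ld-uClibc.so.0; do
        if [ -e "$root/$f" ] && ! is_mipsel "$root/$f"; then
            echo "wrong arch: $f is $(elf_ident "$root/$f"), expected ELF32 LSB mips"
            problems=$((problems + 1))
        fi
    done
    # qemu binary: copied into ./usr/bin, shipped at the repo root, or installed system-wide
    q=""
    for c in "$root/usr/bin/qemu-mipsel-static" "$root/qemu-mipsel-static" /usr/bin/qemu-mipsel-static; do
        [ -x "$c" ] && { q=$c; break; }
    done
    if [ -z "$q" ]; then
        echo "missing: qemu-mipsel-static (apt install qemu-user-static)"; problems=$((problems + 1))
    fi
    return "$problems"
}

# preflight DIR -> host check plus check_root; non-zero status on any problem.
preflight() {
    if [ "$(uname -s)" != "Linux" ]; then
        echo "host is $(uname -s): chroot + qemu-user needs a Linux host (use a Linux VM)"
        return 1
    fi
    check_root "$1" && echo "preflight OK: sudo chroot $1 /usr/bin/qemu-mipsel-static /bin/sh"
}

# Only run when a root directory is given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run `sh preflight.sh .` from the firmware root, or source the file and call the functions directly, for example `is_mipsel bin/alphapd`. A big-endian build reports `ELF32 MSB mips`, which is exactly the case in which `qemu-mips-static` would be the right binary and `qemu-mipsel-static` fails with `Invalid ELF image`.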

## Disclaimer

This project is for educational and research purposes only. It demonstrates a known vulnerability (CVE-2024-37606). The authors are not responsible for any misuse of this information or code. Use this environment and exploit responsibly and ethically.

This was developed as part of a school project for Novi Hogeschool.

## Author

Georgio T. - [itwizardo](https://github.com/itwizardo)

Feel free to contribute to this project and improve the tools for firmware reverse engineering and security analysis!


File Snapshot

```
/data/pocs/cf45cec9e56045db89d459ea8b4d3c105de5e537   (23 directories, 314 files)
├── CVE-2024-37606-DCS932L.py [6.3K]   proof-of-concept script
├── README.md [5.9K]
├── startup.sh [88]
├── thumb.png [2.4M]
├── qemu-mipsel-static [8.5M]          MIPS little-endian user-mode QEMU
├── libnvram.so [30K]
├── init [344K]
├── firmadyne/
│   └── libnvram.so [30K]              modified NVRAM emulator (LD_PRELOAD target)
├── bin/   (62 files; 344K entries are busybox applets)
│   alphapd [528K] (vulnerable web server), ash, ated, audiopush, busybox, cat, chmod, cp,
│   date, disablebonjour, echo, gpio, grep, htmlunpack, i2c, imagetp, inadyn, iperf, ipush,
│   iwpriv, kill, lanconfig, lld2d, login, ls, mail, mdb, mDNSResponder, mii_mgr, mkdir,
│   mknod, mount, msmtp, mtd_write, mydlinkevent, notifystream, ntpclient, nvram_daemon,
│   nvram_get, nvram_set, openssl, ov7740, pcmcmd, ping, pppoecd, ps, pwd, ralink_init, reg,
│   rm, schedule, sed, sh, sleep, sounddb, swing, switch, sync, touch, umount, upgradefw,
│   uvc_stream
├── sbin/
│   acodec, arp, automount_boot.sh, automount.sh, cameraname.sh, chpasswd.sh, config-dns.sh,
│   config-igmpproxy.sh, config.sh, config-udhcpd.sh, cpubusy.sh, ddns.sh, dhcp.sh, focus.sh,
│   halt, ifconfig, init, internet.sh, lan.sh, mdev, ntp.sh, poweroff, pppoe.sh, reboot, route,
│   snort.sh, ucp, udev, udhcpc, udhcpc.sh, video.sh, vpn-passthru.sh, web.sh, wlan.sh, zcip,
│   zcip.sh
├── lib/   (uClibc 0.9.28 runtime, OpenSSL 0.9.8, libnvram, libsalsa, libspeexdsp)
│   ld-uClibc-0.9.28.so, ld-uClibc.so.0 [26K], libc.so, libc.so.0 [655K], libuClibc-0.9.28.so,
│   libcrypt-0.9.28.so, libcrypt.so, libcrypt.so.0, libcrypto.so, libcrypto.so.0.9.8 [1.5M],
│   libdl-0.9.28.so, libdl.so, libdl.so.0, libintl-0.9.28.so, libintl.so, libintl.so.0,
│   libm-0.9.28.so, libm.so, libm.so.0, libnsl-0.9.28.so, libnsl.so, libnsl.so.0,
│   libnvram-0.9.28.so, libnvram.so, libnvram.so.0 [41K], libpthread-0.9.28.so, libpthread.so,
│   libpthread.so.0, libsalsa.so, libsalsa.so.0, libsalsa.so.0.0.1, libspeexdsp.so,
│   libspeexdsp.so.1, libspeexdsp.so.1.5.0, libssl.so, libssl.so.0.9.8 [300K],
│   libutil-0.9.28.so, libutil.so, libutil.so.0
├── etc/
│   └── fstab [424]
├── etc_ro/
│   ├── build, release, inittab, motd, rcS, lld2d.conf, gensslkey.sh, openssl.cnf,
│   │   servercert.pem, serverkey.pem, icon.ico, icon.large.ico
│   ├── Wireless/RT2860AP/   RT2860_default_novlan, RT2860_default_vlan
│   ├── wlan/                RT3050_AP_1T1R_V1_0.bin
│   ├── xml/                 WFADeviceDesc.xml, WFAWLANConfigSCPD.xml
│   └── web/   (web UI files; made immutable in step 4)
│       ├── api/    aplug.jar, aplugLiteDL.cab
│       ├── cgi/    audiocfg.cgi, cgiversion.cgi, common.cgi, datetime.cgi, daynight.cgi,
│       │           dbglevel.cgi, email.cgi, iactiveuser.cgi, iaudio.cgi, iimage.cgi, image.cgi,
│       │           inetwork.cgi, isysdevice.cgi, isystem.cgi, iwireless.cgi, motion.cgi,
│       │           network.cgi, sitesurvey.cgi, strminfo.cgi, system.cgi, upgradestatus.cgi,
│       │           upload.cgi, user.cgi, userlist.cgi, usermod.cgi, wireless.cgi
│       ├── pack/   cht.lzma, dbgulf.lzma, eng.lzma, frh.lzma, grm.lzma, itn.lzma, kor.lzma,
│       │           sph.lzma, twn.lzma
│       └── account.htm, advanced.htm, aplist.htm, audio.htm, aview.htm, bootver.htm,
│           crossdomain.xml, ddns.htm, deployjava.js, devmodel.jpg, dlink.css, dloadbar.gif,
│           edit.jpg, email.htm, errmsg.htm, errradv.htm, errraud.htm, errrcam.htm,
│           errrdate.htm, errrdns.htm, errreml.htm, errrftp.htm, errrimg.htm, errrnet.htm,
│           errrnght.htm, errrvdo.htm, errrwlan.htm, factory.htm, favicon.ico, file.htm,
│           frmsize.htm, function.js, helpadva.htm, helphome.htm, helpstat.htm, helptool.htm,
│           home.htm, html.htm, image.htm, imode.htm, iphone.htm, jview.htm, logout.htm,
│           lphone.htm, mobile.htm, motion.htm, mvideo.htm, network.htm, night.htm,
│           radiooff.gif, radioon.gif, reboot.htm, region.htm, replyd.htm, replyf.htm,
│           replyk.htm, replym.htm, replyu.htm, restore.htm, security.gif, setvdo.htm,
│           sharp.htm, showmsg.js, stsdev.htm, stssys.htm, stsuser.htm, support.htm, time.htm,
│           title.gif, top.htm, trash.jpg, upgrade.htm, upload.htm, vaview.htm, version.htm,
│           video.htm, vjview.htm, waitscan.htm, wireless.htm, wizard.htm, wizsetup.htm, wps.htm
├── home/
│   └── hecc [528K]
├── mydlink/
│   dcp, factoryReset, httpd_check, mydlink-watch-dog.sh, opt.local, pub.crt, signalc, tdb,
│   tsa, upnpc-ddns, version
├── usr/
│   ├── bin/    [, [[, arping, expr, free, ftpd, ftpputimage, killall, printf, test, top, tr, uptime
│   ├── local/ssl/openssl.cnf
│   └── sbin/   brctl, chpasswd, inetd, telnetd
└── var/run/
    alphapd.pid [4], nvramd.pid [0]
```