Basic Binary Strings Research

2 minute read

Begin

If you are familiar with web vulnerabilities and you want to analyze the administrative panel of your network device you can easily start from.. basic binary string research! This simple trick will help you discover which headers are used by HTTPD Server to communicate with. It will allow you to save time by not using unavailable headers during your penetration requests 😉

Let’s jump into your device vendor’s website, download firmware and try to extract it via the Binwalk tool (using extract binary parameter -e). Once we have our binary extracted to analyse (in our case it will be a HTTPD server) we can start to scrap every readable string from it:

λ  ~  strings research/wr840v3/httpd > dump.txt

Now it’s time to check which web header is available in our binary. I’ve prepared very simple script in Python to do it:

# List from: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
#
headers = [
  "Accept-CH-Lifetime",
  "Accept-CH",
  "Accept-Charset",
  "Accept-Encoding",
  "Accept-Language",
  "Accept-Patch",
  "Accept-Post",
  "Accept-Ranges",
  "Accept",
  "Access-Control-Allow-Credentials",
  "Access-Control-Allow-Headers",
  "Access-Control-Allow-Methods",
  "Access-Control-Allow-Origin",
  "Access-Control-Expose-Headers",
  "Access-Control-Max-Age",
  "Access-Control-Request-Headers",
  "Access-Control-Request-Method",
  "Age",
  "Allow",
  "Alt-Svc",
  "Authorization",
  "Cache-Control",
  "Clear-Site-Data",
  "Connection",
  "Content-Disposition",
  "Content-Encoding",
  "Content-Language",
  "Content-Length",
  "Content-Location",
  "Content-Range",
  "Content-Security-Policy-Report-Only",
  "Content-Security-Policy",
  "Content-Type",
  "Cookie",
  "Cookie2",
  "Cross-Origin-Embedder-Policy",
  "Cross-Origin-Opener-Policy",
  "Cross-Origin-Resource-Policy",
  "Date",
  "Device-Memory",
  "Digest",
  "DNT",
  "DPR",
  "Early-Data",
  "ETag",
  "Expect-CT",
  "Expect",
  "Expires",
  "Feature-Policy",
  "Forwarded",
  "From",
  "Host",
  "If-Match",
  "If-Modified-Since",
  "If-None-Match",
  "If-Range",
  "If-Unmodified-Since",
  "Index",
  "Keep-Alive",
  "Large-Allocation",
  "Last-Modified",
  "Link",
  "Location",
  "NEL",
  "Origin",
  "Pragma",
  "Proxy-Authenticate",
  "Proxy-Authorization",
  "Public-Key-Pins-Report-Only",
  "Public-Key-Pins",
  "Range",
  "Referer",
  "Referrer-Policy",
  "Retry-After",
  "Save-Data",
  "Sec-Fetch-Dest",
  "Sec-Fetch-Mode",
  "Sec-Fetch-Site",
  "Sec-Fetch-User",
  "Sec-WebSocket-Accept",
  "Server-Timing",
  "Server",
  "Set-Cookie",
  "Set-Cookie2",
  "SourceMap",
  "Strict-Transport-Security",
  "Timing-Allow-Origin",
  "Trailer",
  "Transfer-Encoding",
  "Upgrade-Insecure-Requests",
  "Upgrade",
  "User-Agent",
  "Vary",
  "Via",
  "Want-Digest",
  "Warning",
  "WWW-Authenticate",
  "X-Content-Type-Options",
  "X-DNS-Prefetch-Control",
  "X-Forwarded-For",
  "X-Forwarded-Host",
  "X-Forwarded-Proto",
  "X-Frame-Options",
  "X-XSS-Protection"
]

import sys

if len(sys.argv) != 2:
  print("""Httpd Binary Parser v1.0

Usage:
~$ strings <binary> > dump.txt
~$ python3 httpd_headers_parser.py dump.txt
""")
  quit()

with open(str(sys.argv[1])) as reader:
  cnt = 1
  for line in reader.readlines():
    line = line.rstrip()

    for header in headers:
      if line.find(header) > 0:
        print("[FOUND! #{} header: {}] {}".format(cnt, header, line))

    cnt = cnt + 1

Ok, so now let’s run our code with the HTTPD server and see the results:

λ  ~  python3 httpd_headers_parser.py dump.txt
...
[FOUND! #2790 header: Referer] httpMimeReferer
...

The Referer header helped me to execute a Local File Include && Os Command Injection bugs in the WR840N router (in the last few days) and of course – the Referer header is a sample but this scan will be more profitable with less common headers included in HTTPD server.

This little, silly script above returns a couple of false positives but despite that parsing binary strings allow you to find some interesting web-data a little bit faster 😉

Happy hunting!