getROSbin.py not support npk 5 version?

[skysider]

R.T.
I try to use the function get_binary in the script to extract npk file from http://files.shelbybb.com/mikrotik/5.19/ and it doesn't work.

[BigNerd95]

Since chimay red doesn't support 5.x I made getROSbin for 6.x only

[BigNerd95]

Then I made getROSbin to speed up the process only.
If you want to audit other versions you can use binwalk

[skysider]

Indeed, I test two 5.x version firmware with poc of dos mode, it works.

[BigNerd95]

If something crashes doesnt mean it is exploitable
I didnt tested 5.x but another researcher told me that www on 5.x is not multithreaded so the exploit must rewritten

[11ume]

@skysider

I try to use the function get_binary in the script to extract npk file from http://files.shelbybb.com/mikrotik/5.19/ and it doesn't work.

get_binary() use Squashfs 4.0 decompressor.
5.x .npk files use Zlib compression

binwalk 5x.npk: Zlib compressed data, default compression

You can see how decompression is done in this part,
then you just have to extract the path /nova/bin/www
https://github.com/kost/mikrotik-npk/blob/d54e97caac9ea447e29939ca4176d17eeff856a9/unpacknpk.py#L90

[skysider]

@hume3 thanks, I will have a look.

[dd404x]

@hume3 thanks,I used your method to successfully unzip the npk file。But after this I don't know how to operate？

[11ume]

1. You are using the binaries for the RouterOS PowerPC architecture with StackClash_x86.py for "x86" arch.
2. The exploit for PPC has not been performed @BigNerd95 does not have a physical device.
3. Maybe the exploit for ROS 5.x should be rewritten for mipsbe and x86.

[dd404x]

thanks~