Void do_upgrade_post ( void * param_1, BIO * param_2, int param_3 ) > revshell would take a very long time and I didn’t want to go down that path.Īt this point in time, I realized that wget is present on the device! However, with great help of Ghidra’s decompiler, although a bit inaccurate, I concluded that what the function does isĮventually call a function named _eval like so. Worth mentioning that none of the binaries that were present within the firmware had any debug symbols, and that they were stripped. I opened up Ghidra, filtered the symbol tree to “ping” and found a function called ping_server. I now realized that sooner or later I’d have to reverse the HTTP daemon that is running on the router in order to see how it handles the requests. Generally, the sole job of the web application is to pass parameters to the httpd which actually does the heavy lifting. The only matches are from the web application with elements and the httpd. It took me a few minutes to realize that the web application isn’t the one that is doing the ping itself as I imagined it would with something likeĬonsequently, when searching for /apply.cgi which is where all the HTTP requests are being sent to,
asp pages served through the httpd that is running.įirst thing I did was inspect Ping.asp in order to see how the ping invocation is done since I wanted to know what failed my shell injection.
#Linksys hacked firmware code
Intuitively, I started auditing the source code of the web application, because that’s what I could access directly as an attacker.īackup_Restore.asp Fail.asp Forward.asp PortTriggerTable.asp SingleForward.asp Success_u_s.asp WEP.asp WanMAC.asp dyndns.asp image it_help tzo.aspĬysaja.asp Fail_s.asp .asp Port_Services.asp Status_Lan.asp SysInfo.htm WL_ActiveTable.asp Wireless_Advanced.asp en_help index.asp it_lang_pack wlaninfo.htmĭDNS.asp Fail_u_s.asp Log.asp QoS.asp Status_Router.asp SysInfo1.htm WL_FilterTable.asp Wireless_Basic.asp en_lang_pack index_heartbeat.asp sp_helpĭHCPTable.asp FilterIPMAC.asp Log_incoming.asp Radius.asp Status_Router1.asp Traceroute.asp WL_WPATable.asp Wireless_MAC.asp fr_help index_l2tp.asp sp_lang_packĭMZ.asp FilterSummary.asp Log_outgoing.asp RouteTable.asp Status_Wireless.asp Triggering.asp WPA.asp common.js fr_lang_pack index_pppoe.asp style.cssĭiagnostics.asp Filters.asp Management.asp Routing.asp Success.asp Upgrade.asp WPA_Preshared.asp de_help google_redirect1.asp index_pptp.asp sw_helpįactory_Defaults.asp Firewall.asp Ping.asp SES_Status.asp Success_s.asp VPN.asp WPA_Radius.asp de_lang_pack google_redirect2.asp index_static.asp sw_lang_packīasically the web application is a bunch of. ➜ linksys-wrt54g ls _FW_WRT54Gv4_4.21.5.000_/squashfs-rootīin dev etc lib mnt proc sbin tmp usr var www ➜ linksys-wrt54g binwalk -e FW_WRT54Gv4_4.21.5.000_20120220.binĠ 0x0 BIN-Header, board ID: W54G, hardware version: 4702, firmware version: 4.21.21, build date: ģ2 0x20 TRX firmware header, little endian, image size: 3362816 bytes, CRC32: 0圎3ABE901, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0xAB0D4, rootfs offset: 0x0Ħ0 0x3C gzip compressed data, maximum compression, has original file name: "piggy", from Unix, last modified: 03:40:02ħ00660 0xAB0F4 Squashfs filesystem, little endian, version 2.0, size: 2654572 bytes, 502 inodes, blocksize: 65536 bytes, created: 03:43:28
#Linksys hacked firmware download
I decided to download the firmware, extract the file system, and begin messing around with what’s available on the router. Getting The FirmwareĪt this point I was done with doing Blackbox attack variations, mostly because I had no reason to. Needless to say that I also attempted the same on the Traceroute Test interface and many other places but without any luck. Sadly, it seemed to have no effect at all on the ping request. In order to overcome it, I intercepted the request using a proxy. Unfortunately, client-side validation was applied. I thought it could be a good place to apply the oldest blackbox technique in the book - Shell Injection. Initially, I searched for potential inputs from the client when I came across the Diagnostics page. To which I authenticate with the default credentials,Īnd shortly afterwards I’m introduced to the following control and management page. Off we go then.īrowsing to the router’s website presents a login prompt, Unsurprisingly, looks like all we got to work with is the web server. Nmap done: 1 IP address (1 host up ) scanned in 18.20 seconds
0 kommentar(er)
