Comments on: Router Hacking Challenge

By: Aubade

Aubade — Fri, 06 Jun 2008 18:12:07 +0000

Hi. Your homepage is very nice! I have an MSI RG60SE wireless router. Unfortunately i can’t find the the config file, which contains the auth password. :( I tried in the /cgi-bin/ dir, (like D-link Routers) but i don’t know the cfg file name.

Have anybody hacked MSI router? If i would get a document file like http://kinqpinz.info/lib/wrt54g/own.txt , it would be great! Maybe there isn’t exist info file like this for the MSI’s stuff?

Thx

By: defcon

defcon — Wed, 04 Jun 2008 04:58:27 +0000

ive been messing around with my WRT150N, anyone have any luck hacking this?

By: frodo

frodo — Sun, 01 Jun 2008 09:18:50 +0000

That’s great peeps but I don’t see anybody hacking into netgear server 198.168.0.1 CG814WG could it be impossible?

And its not comcast/1234, or superuser/password or admin admin, need specifically the one to change advanced settings like the bluddy SPI firwall setting in order to play multiplayer in battlefield 2 ! make yoursleves useful wilya :)

sorry i got carried away

By: pdp

pdp — Mon, 12 May 2008 15:06:12 +0000

this is definitely not the place where you should ask these types of questions.

By: john

john — Sun, 11 May 2008 21:23:53 +0000

how to hack netgear administrator password

By: Kcir~

Kcir~ — Fri, 25 Apr 2008 18:34:42 +0000

I Have a config.bin for decrypt password. so possible? http://rapidshare.com/files/11.....g.bin.html

Tks.. ;)

By: jigar

jigar — Sun, 13 Apr 2008 06:17:42 +0000

hello
is it possible to hack router enable password.?

I have router but i can’t logging enable mode.
so give me tips how can i loging enable mode.
without rommon mode.

By: Adrian Pastor

Adrian Pastor — Thu, 03 Apr 2008 09:35:57 +0000

Regarding the DI-624 issue: yes, it could be a memory corruption bug (i.e: buffer overflow) but we shouldn’t ignore the possibility of a resource exhaustion issue, since the hardware of some embedded devices is very limited.

By: Adrian Pastor

Adrian Pastor — Thu, 03 Apr 2008 09:31:26 +0000

bug: once you have a XSS vulnerability on the router, all you have to do is use the XMLHttpRequest() function in the JavaScript which is executed in the XSS attack:
http://www.quirksmode.org/js/xmlhttp.html

Check out exploit #2 for the BT Home Hub for a real example on how to do this: http://www.gnucitizen.org/blog.....ome-hub-4/

By: klo

klo — Wed, 26 Mar 2008 10:27:34 +0000

“…it is not very clear from your post but are you saying that the payload has to be 298+ characters long?”

Yeah, for example, a 299 characters long username, or 149 char. long username with 150 char. password. All characters were in the ASCII range.

I basically came across this “http://secunia.com/advisories/29366/” and wanted to see if the DI-624 is also affected.

I forgot to mention the hardware revision is C3.

It seems like the source code for the device is available at “ftp://ftp.dlink.co.uk/GPL/DI-624_E1_GPL.tgz” but I haven’t had time to look over it yet…

By: pdp

pdp — Wed, 26 Mar 2008 07:45:15 +0000

what I believe it was happening is that you have crashed the a CGI script or the actual HTTP server which upon exit informed the system to reboot. this is a very common behavior among embedded devices. when you see an embedded device rebooting it is definitely because you caused something to do what it was not supposed/designed to - mostly stack, heap overflows. it is not very clear from your post but are you saying that the payload has to be 298+ characters long?

exploiting buffer overflows for these devices is as trivial as it can get but the only thing that is a problem is to either login into the device and observe any strange messages appearing in the log files which could indicate what the problem is, or attach yourself directly to the device motherboard via JTAG. the second is a bit more complicated. Once we have this information we can verify the exploitability of the problem by mangling with the address space and if passes all test we can sit down and spend time writing payload/shellcode for the affected architecture if there isn’t one yet.

By: klo

klo — Wed, 26 Mar 2008 04:12:29 +0000

I can confirm I can make the DI-624 reboot by supplying a username / password string of >298 characters long,
or a combination of the two that adds up to >298 characters, from the authentication dialogue box.

By: Voice of VOIPSA » Blog Archive » Hacking ZyXEL Gateways

Voice of VOIPSA » Blog Archive » Hacking ZyXEL Gateways — Mon, 24 Mar 2008 18:01:36 +0000

[...] “So what” you might say about the security of these types of devices? Well, SANS diary notes some strange things afoot at the Circle K with Dlink and the recent BT Home Hub CVE-2008-1334 router vulnerability. More routers and details at GNU Citizen. [...]

By: rebecca

rebecca — Sat, 15 Mar 2008 12:21:03 +0000

i dont have a wireless router all i want to do is hack my neighbours router i need the password to his router

By: pdp

pdp — Sat, 15 Mar 2008 07:49:09 +0000

excellent news, glad that this has been resolved.

By: nex

nex — Sat, 15 Mar 2008 00:11:44 +0000

woot. my name has been added into credits. i guess i won.

By: pdp

pdp — Fri, 14 Mar 2008 14:02:38 +0000

it really depends what your intentions are :)

By: nex

nex — Fri, 14 Mar 2008 13:50:06 +0000

i can prove it. i send an email to USCERT / Securityfocus / him. waiting for news.. thats why i’m never publishing 0days, ppl ripping credits. hehe.

By: pdp

pdp — Fri, 14 Mar 2008 13:44:07 +0000

that kind of sux, can you prove it. you could either send a response to his email or leave it be as you might not find it worthed to fight things like that.

By: nex

nex — Fri, 14 Mar 2008 12:44:55 +0000

be really careful when you report a vulnerability, there’s a chance that someone else steal your credit by reporting it to SecurityFocus… Arthur Lashin just stole mine.

http://www.securityfocus.com/bid/28122/info
http://www.kb.cert.org/vuls/id/248372

The vendor is aware since 2007-10-15 and issued me a ticketnumber.