Saturday 8 July 2017

iiNet Budii(1031) (Telnet Access)(With Username and Password)

Telnet was always another open port available to us from the network,
although it never responded to any login attempts, even when we knew for certain that the username and password were correct.

This was solvable by one of two approaches.

(1)
The easiest by far is to simply grab the consumer release of the firmware.
Inside its folders is a compilable C source for telnet (they've named it telnetc):
Budii1016_consumer_release/bcm963xx_4.12L.01_consumer/userspace/gpl/apps/telnetc

This is a pretty basic BusyBox telnet file.
A few modifications have been made over the years;
one of them includes this little function:

    telnet_data_set_autheninfo(&g_telnet_data, "iismshamswii", "i20U18r4E3");
    addr.s_addr = inet_addr("10.1.1.1");
    telnet_data_set_serverinfo(&g_telnet_data, &addr, 23);

This means that iismshamswii will work as the username,
with i20U18r4E3 as the password.
Once we have logged in, we use iinet@sh to break out of the CLI, and we have full access to the router.

(2)
Searching the strings of the telnetc file on the router, obtained by any earlier method, would have provided those two pieces of information, as they are hard-coded into all of the routers using that firmware, unless that part has been patched or the telnet packets are otherwise dropped.
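
The defender's counterpart to the source review in (1), as an added example that is not part of the original post: a small Python audit that flags C calls to credential-setting functions when they are passed string literals, which is the pattern in the telnetc fragment above. The name heuristic, the helper names and the sample source (with placeholder credentials) are assumptions constructed for illustration.

```python
import re

# Heuristic (assumed) pattern for functions that set or check credentials.
CRED_FUNC = re.compile(r"\b(\w*(?:auth|login|passw|cred)\w*)\s*\(", re.IGNORECASE)
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Strings are matched first so "//" inside a literal is not taken for a comment.
TOKENS = re.compile(r'"(?:[^"\\\n]|\\.)*"|\'(?:[^\'\\\n]|\\.)*\'|/\*.*?\*/|//[^\n]*', re.DOTALL)

# Constructed sample modelled on the fragment above; credentials are placeholders.
SAMPLE = '''\
static void setup(void) {
    // telnet_data_set_autheninfo(&g_telnet_data, "old", "old");
    telnet_data_set_autheninfo(&g_telnet_data, "EXAMPLE_USER", "EXAMPLE_PASS");
    addr.s_addr = inet_addr("10.1.1.1");
    telnet_data_set_autheninfo(&g_telnet_data, cfg->user, cfg->pass);
}
'''

def _blank_comments(src):
    # Blank comments and char literals with spaces; newlines stay so line numbers hold.
    return TOKENS.sub(lambda m: m.group() if m.group()[0] == '"' else re.sub(r"[^\n]", " ", m.group()), src)

def _call_args(src, start):
    # Text between the '(' just before `start` and its matching ')'.
    depth, i, in_str = 1, start, False
    while i < len(src) and depth:
        c = src[i]
        if in_str:
            i += c == "\\"          # skip the character after a backslash
            in_str = c != '"'
        elif c == '"':
            in_str = True
        else:
            depth += (c == "(") - (c == ")")
        i += 1
    return src[start:i - 1]

def find_hardcoded_credentials(src):
    # Returns (line, function name, [string literals]) for each suspicious call.
    clean = _blank_comments(src)
    findings = []
    for m in CRED_FUNC.finditer(clean):
        literals = [s for s in STRING_LIT.findall(_call_args(clean, m.end())) if s]
        if literals:
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), literals))
    return findings

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE))
```

Calls that take their credentials from configuration, commented-out code and function prototypes are not reported; only live calls with literal arguments are.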

(extra note)
iiNetBoB
^^^ can have its password changed by admin with an external MIPS passwd program [USB], but only until restart.

