Posts

Showing posts from May, 2017

//////ZTE MF65 -- EFS access method / partial FS dump

In the last MF65 post we covered the local file listing method and briefly touched on the changes to the config file for constant file listing for the SD card functions. I managed to soft-brick my device by directory traversal on the SD card base path: basically the router would try to load the httpshare page, get to the share path and SD base path, ultimately just reading /mmc2/../, and it would just freak out and not load, so it sat around for a while. Now I'm back and have a solution that fixes my problem and gives us access to the internal files. We will need a Windows machine (XP++), QPST, the modem drivers and PuTTY (ZTE WCDMA Technologies MSM issue ??) (if you cannot find the drivers keep looking, they are around; try the dcunlocker support files (I had to try several drivers before my machine acknowledged them)). Using: /goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY we get these devices ZTE Diagn

iiNet Budii(1031) Local File Listing (USBwebserver)

This is a method to list the local files on the router via wftp (USBwebserver): requires login and a USB drive inserted into the aux USB ports (FAT/NTFS)(*1). Either go to: http://10.1.1.1/usb_wftp_server.html or http://10.1.1.1/websrv_cfg.cmd?action=save&wftp_enable=1&wftp_remote=0&port=8000&path=*&partitionindex=1&disk_index=0&disk_name=sdb (you may need to use the UI to turn this on) to turn on the file server. Now point your browser here: http://10.1.1.1/usb_wftp_tree.cmd?diskname=..%2f..%2f (notice the URL encoding, because the straight traversal is rejected by the web server, not even making its way to the app, but with encoded slashes we beat the checks) and click save. Now we go to: http://10.1.1.1:8000 and we see our router's internal files. We can wget out a copy of the system's memory with this enabled and scrape/view many of the files, including the passwd file, in the web browser:

iiNet Budii(1031) (UART based privesc attacks)

Opening the case we find an internal USB port; we can also see an Altera MAX JTAG breakout, a large set of GPIO pins and a UART breakout. Connecting to the UART and booting, we can see the modem is running a Broadcom firmware:

[bootlog.samp]
CFE version 1.0.38-112.118 for BCM96362 (32bit,SP,BE)
Build Date: Fri Dec 6 11:09:42 CST 2013 (root@Ayecom)
Copyright (C) 2000-2011 Broadcom Corporation.
** Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
** Total Memory: 134217728 bytes (128MB)
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
[/bootlog.samp]

The user names available to us are: (user:admin/password:admin) (user:user/password:user). Upon logging in we are brought into a console(d); the commands available to admin are:
[?.samp] help logout exit quit reboot adsl