Title: Exploiting a ZTE router's system and uploading files to it
Posted by: vk496 on 29 May 2014, 17:12

Hi everyone. I am currently working on OpenWRT development to add support for this device: ZTE MF10
It is a Wi-Fi base station which, in my opinion, can have much more potential than the carriers give it. Some photos:

(http://i01.i.aliimg.com/img/pb/024/639/424/424639024_465.jpg)
(http://www.gsmspain.com/foros/attach/23/238445.jpg)

The router has 4 Mb of Flash memory and 16 Mb of RAM. It is not exactly powerful, but having one of these with OpenWRT can be very interesting because of its USB port, since a flash drive can be used as part of the system. These are the views inside the device:

(http://img.tapatalk.com/d/14/04/14/9a5equgu.jpg)
(http://img.tapatalk.com/d/14/04/14/yhyzymyp.jpg)

Let's get to the point... The device's boot (bootlog):

Code:
U-Boot 1.1.3 (Feb 26 2009 - 13:21:58)

Board: Ralink APSoC
DRAM: 16 MB
relocate_code Pointer at: 80fac000
mips_cpu_feq=320000000
flash_protect ON: from 0xBF000000 to 0xBF0202E3
protect on 0
protect on 1
protect on 2
protect on 3
protect on 4
protect on 5
protect on 6
protect on 7
protect on 8
protect on 9
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 10
*** Warning - bad CRC, using default environment

============================================
ZTE UBoot Version: 1.0.1
--------------------------------------------
ASIC 3052_MP2 (Port5<->None)
DRAM COMPONENT: 128Mbits
DRAM BUS: 16BIT
Total memory: 16 MBytes
Date:Feb 26 2009 Time:13:21:58
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384
freq = 320000000 MHZ
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =16 Mbytes
PHY0 and PHY1 are used ,and other PHYS are powered down
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP.
0
3: System Boot system code via Flash.
## Booting image at bf050000 ...
Image Name: Linux Kernel Image
Created: 2009-12-10 13:52:52 UTC
System Control Status = 0x00400000
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3104704 Bytes = 3 MB
Load Address: 80000000
Entry Point: 802d5000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802d5000) ...
## Giving linux memsize in MB, 16
Starting kernel ...
LINUX started...
THIS IS ASIC
Linux version 2.6.21 (root@localhost.localdomain) (gcc version 3.4.2) #57 Thu Dec 10 08:52:33 EST 2009
The CPU feqenuce set to 320 MHz
CPU revision is: 0001964c
Determined physical RAM map:
memory: 01000000 @ 00000000 (usable)
Built 1 zonelists. Total pages: 4064
Kernel command line: console=ttyS1,115200n8 root=/dev/mtdblock4
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = 9080000c, status = 1100ff00
PID hash table entries: 64 (order: 6, 256 bytes)
calculating r4koff... 00138800(1280000)
CPU frequency 320.00 MHz
Using 160.000 MHz high precision timer.
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 13116k/16384k available (2413k kernel code, 3268k reserved, 483k data, 120k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
io scheduler noop registered (default)
FLASH_API: MAN_ID=C2 DEV_ID=22CB SIZE=8MB
Ralink gpio driver initialized
spidrv_major = 217
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.3 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
loop: loaded (max 8 devices)
rdm_major = 254
GDMA1_MAC_ADRH -- : 0x00000000
GDMA1_MAC_ADRL -- : 0x00000000
Ralink APSoC Ethernet Driver Initilization. v1.60
64 rx/tx descriptors allocated, mtu = 1500!
GDMA1_MAC_ADRH -- : 0x00000016
GDMA1_MAC_ADRL -- : 0x0026ed2b
PROC INIT OK!
PPP generic driver version 2.4.2
PPP BSD Compression module registered
NET: Registered protocol family 24
ralink flash device: 0x1000000 at 0xbf000000
Ralink SoC physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 5 MTD partitions on "Ralink SoC physically mapped flash":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00140000 : "Kernel"
0x00140000-0x00800000 : "RootFS"
block2mtd: version $Revision: 1.1.1.1 $
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
drivers/usb/serial/option.c: USB Driver for GSM modems: v0.7.1
usbcore: registered new interface driver usb-pcm
drivers/usb/serial/usb-pcm.c: usb to pcm Driver: V2.4.20_uC0_1B12
nf_conntrack version 0.5.0 (128 buckets, 1024 max)
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
drivers/flash/flash_ioctl.c 538
drivers/flash/flash_ioctl.c 390
drivers/flash/flash_ioctl.c 396
drivers/flash/flash_ioctl.c 401
drivers/flash/flash_ioctl.c 415
DDNSPassword=simcard_roam=HT_MpduDensity=5PktAggregate=1CountryRegion=5wan_l2tp_user=l2tp_user
44444e5350617373776f72643d0073696d636172645f726f616d3d0048545f4d70647544656e736974793d3500506b744167677265676174653d3100436f756e747279526567696f6e3d350077616e5f6c3274705f757365723d6c3274705f7573657200
drivers/flash/flash_ioctl.c 440
drivers/flash/flash_ioctl.c 390
drivers/flash/flash_ioctl.c 396
drivers/flash/flash_ioctl.c 401
the [first:ff].[second:ff].[the last but one:ff].[last:ff], return
drivers/flash/flash_ioctl.c 390
drivers/flash/flash_ioctl.c 396
drivers/flash/flash_ioctl.c 401
the [first:ff].[second:ff].[the last but one:ff].[last:ff], return
drivers/flash/flash_ioctl.c 540
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 120k freed
init started: BusyBox v1.12.1 (2009-12-10 08:42:55 EST)
starting pid 602, tty '': '/etc_ro/rcS'
Algorithmics/MIPS FPU Emulator v1.5
devpts: called with bogus options
mount: mounting none on /proc/bus/usb failed: No such file or directory
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
ralink_gpio SETPID_CDZERO
ralink_gpio statedect_pid.pid=612
ralink_gpio statedect_pid.use=1
RALINK_GPIO_SET_DIR_OUT cpu_to_le32(tmp)=dfbefe
internet.sh
Password for 'admin' changed
/sbin/internet.sh: line 257: wc: not found
[: 0: unknown operand
lm: no version for "struct_module" found: kernel tainted.
config usb otg
dwc_otg: version 2.72a 24-JUN-2008
DWC_otg: Core Release: 2.66a
DWC_otg: Periodic Transfer Interrupt Enhancement - disabled
DWC_otg: Multiprocessor Interrupt Enhancement - disabled
DWC_otg: Using DMA mode
DWC_otg: Device using Buffer DMA mode
dwc_otg lm0: DWC OTG Controller
dwc_otg lm0: new USB bus registered, assigned bus number 1
dwc_otg lm0: irq 18, io mem 0x00000000
DWC_otg: Init: Port Power? op_state=1
DWC_otg: Init: Power Port (0)
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
insmod: bridge.ko: module not found
insmod: mii.ko: module not found
insmod: raeth.ko: module not found
phy_tx_ring = 0x009e6000, tx_ring = 0xa09e6000, size: 16 bytes
phy_rx_ring = 0x009e7000, rx_ring = 0xa09e7000, size: 16 bytes
GDMA1_FWD_CFG = 10000
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
rmmod: rt2860v2_ap: No such file or directory
rmmod: rt2860v2_sta: No such file or directory
rt2860v2_ap: module license 'unspecified' taints kernel.
2860 version : 2.0.0.0 (Dec 10 2009)
=== pAd = c11f8000, size = 84120 ===
rmmod: nf_nat_pptp: No such file or directory
rmmod: nf_conntrack_pptp: No such file or directory
rmmod: nf_nat_proto_gre: No such file or directory
rmmod: nf_conntrack_proto_gre: No such file or directory
RX DESC a0b76000 size = 1024
1. Phy Mode = 9
2. Phy Mode = 9
3. Phy Mode = 9
MCS Set = ff 00 00 00 01
The primary RSNIE: c11fbcea, len = 22
0x0000 : 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02
0x0010 : 01 00 00 50 f2 02
zhaoyong isRadioOff==0
Main bssid = 00:26:ed:2b:40:24
The UUID Hex string is:2880288028801880a8800026ed2b4024
The UUID ASCII string is:28802880-2880-1880-a880-0026ed2b4024!
0x1300 = 00064380
insmod: 8021q.ko: module not found
BusyBox v1.12.1 (2009-12-10 08:42:55 EST) multi-call binary

Usage: ifconfig [-a] interface [address]

ifconfig: ioctl 0x8913 failed: No such device
brctl: bridge br0: No such device or address
iptables v1.4.0rc1: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
device ra0 entered promiscuous mode
##### restore RT3052 to dump switch #####
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=0
device eth2 entered promiscuous mode
br0: port 2(eth2) entering learning state
br0: port 1(ra0) entering learning state
route: ioctl 0x890c failed: No such process
route: ioctl 0x890b failed: Invalid argument
br0: port 2(eth2) entering disabled state
br0: port 1(ra0) entering disabled state
br0: port 2(eth2) entering learning state
br0: port 1(ra0) entering learning state
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
/sbin/lan.sh: line 63: hostname: not found
Set: phy[0].reg[0] = 3900
Set: phy[0].reg[0] = 3100
Set: phy[1].reg[0] = 3900
Set: phy[1].reg[0] = 3100
Warning in PHY reset script
Warning in PHY reset script
Warning in PHY reset script
ifconfig: ioctl 0x8913 failed: No such device
killall rt2860apd 1>/dev/null 2>&1
iptables -F -t filter 1>/dev/null 2>&1
iptables -D FORWARD -j macipport_filter 1>/dev/null 2>&1
iptables -F macipport_filter 1>/dev/null 2>&1
iptables -D FORWARD -j web_filter 1>/dev/null 2>&1
iptables -F web_filter 1>/dev/null 2>&1
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t filter -N web_filter 1>/dev/null 2>&1
iptables -t filter -N macipport_filter 1>/dev/null 2>&1
iptables -t filter -A FORWARD -j web_filter 1>/dev/null 2>&1
iptables -t filter -A FORWARD -j macipport_filter 1>/dev/null 2>&1
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 1>/dev/null 2>&1
iptables -t filter -F INPUT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j DROP
iptables -t filter -A INPUT -i ppp0 -p icmp -j DROP
save index:0
iptables -t nat -D PREROUTING -j port_forward 1>/dev/null 2>&1
iptables -t nat -F port_forward 1>/dev/null 2>&1; iptables -t nat -X port_forward 1>/dev/null 2>&1
iptables -t nat -D PREROUTING -j DMZ 1>/dev/null 2>&1
iptables -t nat -F DMZ 1>/dev/null 2>&1; iptables -t nat -X DMZ 1>/dev/null 2>&1
iptables -t nat -N port_forward 1>/dev/null 2>&1; iptables -t nat -I PREROUTING 1 -j port_forward 1>/dev/null 2>&1
iptables -t nat -N DMZ 1>/dev/null 2>&1; iptables -t nat -I PREROUTING 2 -j DMZ 1>/dev/null 2>&1
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
ip_table: set wan_name=ppp0
echo 1 > /proc/sys/net/ipv4/ip_forward
ntp.sh
greenap.sh init
ddns.sh
route delete 239.255.255.250 1>/dev/null 2>&1
killall wscd 1>/dev/null 2>&1
killall -9 wscd 1>/dev/null 2>&1
iwpriv ra0 set WscConfMode=0 1>/dev/null 2>&1
iwpriv ra0 set WscConfMode=0 1>/dev/null 2>&1
killall -q klogd
killall -q syslogd
syslogd -C8 1>/dev/null 2>&1
klogd 1>/dev/null 2>&1
killall -q zebra
killall -q ripd
webs: Listening for HTTP requests at address 192.168.0.1
SG device open error, it is not a auto setup modem.
br0: topology change detected, propagating
br0: port 2(eth2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(ra0) entering forwarding state
starting pid 1253, tty '/dev/ttyS1': '/bin/sh'

BusyBox v1.12.1 (2009-12-10 08:42:55 EST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
-> filename:options,path:/var/ppp/options
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
filename:wcdma_chat,path:/var/ppp/wcdma_chat
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
filename:pap-secrets,path:/var/ppp/pap-secrets
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
filename:chap-secrets,path:/var/ppp/chap-secrets
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
CreateSoftTimer index 0 success: usTimerID = 4, ucFlag = 1, ulCurInterval = 25, ulNextInterval = 25, procCallBack = 0x00000000, args = 0x00000000.
CreateSoftTimer index 1 success: usTimerID = 1, ucFlag = 1, ulCurInterval = 25, ulNextInterval = 25, procCallBack = 0x00000000, args = 0x00000000.
fac Server start wait...
start accept......
mkdir: cannot create directory '/var/lock': File exists
mkdir: cannot create directory '/var/log': File exists

A first analysis of the device reveals a backdoor on port 4719 (telnet, default access with admin.):

Code:
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-08 21:10 CEST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 21:10
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 21:10, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:10
Completed Parallel DNS resolution of 1 host. at 21:10, 13.00s elapsed
Initiating SYN Stealth Scan at 21:10
Scanning 192.168.0.1 [65535 ports]
Discovered open port 80/tcp on 192.168.0.1
Discovered open port 4719/tcp on 192.168.0.1
Discovered open port 3535/tcp on 192.168.0.1
Completed SYN Stealth Scan at 21:10, 16.85s elapsed (65535 total ports)
Initiating Service scan at 21:10
Scanning 3 services on 192.168.0.1
Completed Service scan at 21:12, 126.17s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.1
NSE: Script scanning 192.168.0.1.
Initiating NSE at 21:12
Completed NSE at 21:13, 30.11s elapsed
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    GoAhead httpd (WAP http config)
|_http-favicon: Unknown favicon MD5: F0990331A8F325ED616BEE55FFD6359D
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Wireless Broadband Router
3535/tcp open  unknown
4719/tcp open  telnet  BusyBox telnetd
MAC Address: 00:26:ED:2B:40:24 (zte)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Uptime guess: 0.005 days (since Thu May 8 21:05:45 2014)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: WAP

TRACEROUTE
HOP RTT     ADDRESS
1   1.23 ms 192.168.0.1

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.67 seconds
Raw packets sent: 65555 (2.885MB) | Rcvd: 65551 (2.623MB)

Once inside the device, I can see that it uses BusyBox, which limits what I can do with the device.
The most relevant data:

All the existing commands
Code:
[                    ethtool          lan.sh              ripd
[[                   expr             lld2d               rm
ash                  facSvr           logger              rmmod
at                   firewall.sh      login               route
at-server            flash            logread             rt2860apd
ated                 free             ls                  sed
automount.sh         global.sh        lsmod               sh
brctl                goahead          macgo               sigmon
busybox              gpio             mainControl         sleep
cat                  greenap.sh       mii_mgr             startpppd
cdzero               grep             mkdir               statedect
cfg                  halt             mount               switch
chat                 ifconfig         mtd_write           syslogd
chkSvr               igmpproxy        nat.sh              telnetd
chpasswd             igmpproxy.sh     net2tty_dload.sh    test
chpasswd.sh          inadyn           net2tty_qxdm.sh     touch
close                init             ntp.sh              ttyswitch
comgt                insmod           ntpclient           udhcpc
config-3g-ppp.sh     internet.sh      nvram_daemon        udhcpc.sh
config-dns.sh        iptables         nvram_get           udhcpd
config-igmpproxy.sh  ipupdown         nvram_set           upnp_xml.sh
config-l2tp.sh       iwconfig         ping                upnpd
config-pppoe.sh      iwevent          poweroff            uptime
config-pptp.sh       iwgetid          pppd                vconfig
config-udhcpd.sh     iwlist           pptp                vi
config-vlan.sh       iwpriv           pptp.sh             vpn-passthru.sh
config.sh            iwspy            ps                  wan.sh
cp                   kill             qos_run             wifi_unload.sh
daemon_zte           killall          radvd               wscd
date                 klogd            ralink_init         zebra
ddns.sh              l2tp-control     reboot              zte_wlan.sh
dnsmasq              l2tp.sh          reg
echo                 l2tpd            remserial

mount output:
Code:
-> mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
proc on /proc type proc (rw)
none on /var type ramfs (rw)
none on /etc type ramfs (rw)
none on /tmp type ramfs (rw)
none on /media type ramfs (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw)

free output:
Code:
-> free
              total         used         free       shared      buffers
  Mem:        13236        12304          932            0         1124
 Swap:            0            0            0
Total:        13236        12304          932

/dev:
Code:
video0     ttyUSB0    random     ptyp0      mtdblock3  mtd3       mem        flash0
urandom    ttyS1      ram3       pts        mtdblock2  mtd2ro     kmem       console
ttyp1      ttyS0      ram2       ptmx       mtdblock1  mtd2       i2cM0      acl0
ttyp0      swnat0     ram1       ppp        mtdblock0  mtd1ro     hwnat0     ac0
ttyUSB3    spiS0      ram0       null       mtd4ro     mtd1       gpio       PCM
ttyUSB2    sg0        ram        mtr0       mtd4       mtd0ro     flash2     I2S
ttyUSB1    rdm0       ptyp1      mtdblock4  mtd3ro     mtd0       flash1

If we look at the bootlog, we can see that it has 5 partitions:

Quote:
Creating 5 MTD partitions on "Ralink SoC physically mapped flash":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00140000 : "Kernel"
0x00140000-0x00800000 : "RootFS"

To back up these partitions I used the mount command on the /dev folder:

Code:
mount --bind /dev /etc_ro/web/

and then downloaded them by accessing each file from the router's IP. For example:

Code:
http://192.168.0.1/mtd2

This let me "trick" the web server and change the paths to my advantage (in this case, to download the files I am interested in).

The problem I face now is managing to upload files to the router. As you will have seen, it only has telnet, a protocol that does not allow file transfers. Its USB port cannot be used, because it apparently does not have the kernel modules needed to detect and mount USB drives (or so it seems).

What I need is to upload the OpenWRT firmware (which I have already compiled) to it and use the mtd_write command (which is already included), but I do not know how to upload the file.

Any ideas?

Cheers

Title: Re: Exploiting a ZTE router's system and uploading files to it
Posted by: Gh057 on 29 May 2014, 17:36

Hi vk496, just off the top of my head... if you already get in via telnet, you can get into the control panel, right? You could enable the FTP server... whether or not to use the USB port, etc... That leaves the matter of permissions... regards
Title: Re: Exploiting a ZTE router's system and uploading files to it
Posted by: vk496 on 29 May 2014, 17:54

It has neither an FTP server nor support for USB storage devices (it does not have the kernel modules). "Supposedly" it does not have telnet either (which it turns out it does, but as a backdoor ;D :rolleyes: )
Cheers

Title: Re: Exploiting a ZTE router's system and uploading files to it
Posted by: Gh057 on 29 May 2014, 18:08

Yep... and through there the data held in RAM can be SET and GET... for the panel, if I remember correctly XD
Have a look around here, I'm sure you'll find something interesting -> http://zte.by/manuals/59xx%28v4.8.22%29/Basic%20Configuration%20Volume%20I.pdf

(adding) this must be the factory one for the device -> http://www.three.co.uk/static/user_guides/ZTE_MF10_adapter_UG.pdf

It says almost nothing... XD but check the busybox options in another source. Regards!

Title: Re: Exploiting a ZTE router's system and uploading files to it
Posted by: r32 on 29 May 2014, 18:39

Hi, I don't know whether you could attack the administration panel; as far as I can see in the user manual image it uses GoAhead Webserver. I found these related bugs, although I don't think some of them affect you, as they are already fixed in your version:
http://www.cvedetails.com/vulnerability-list/vendor_id-1641/product_id-2833/Goahead-Goahead-Webserver.html

I don't know whether it will be useful to you, regards.

Title: Re: Exploiting a ZTE router's system and uploading files to it
Posted by: *dudux on 21 July 2014, 01:20

I have one of those mini APs at home. Have you read the SPI flash? Do we have the firmware downloaded?
Title: Re:
Posted by: vk496 on 21 July 2014, 02:12

I have obtained the firmware partitions, but I don't know whether a firmware image can be built from them...
http://foro.seguridadwireless.net/index.php?topic=55869.0 [Development] OpenWRT on ZTE MF10 routers

Cheers

Title: Re: Exploiting a ZTE router's system and uploading files to it
Posted by: colliers on 6 November 2014, 00:17

Hi, I'm a newbie in these matters.
Sorry if this thread is not the right place. It turns out I have one of these little gadgets at home, and I would like to take the chance to start "tinkering" with it. The first hurdle is knowing where to look for the serial port. Since you have already located it in this case, where is it? And what would be the way to go about testing without frying the little gadget? Thank you very much!!!

Title: Re: Exploiting a ZTE router's system and uploading files to it
Posted by: ANELKAOS on 21 November 2014, 05:42

Hi vk496 :) the command list you show is incomplete.
As you have detailed, it has *.sh scripts, so you have a Bourne shell. You just need to take control of a shell with the necessary permissions and you will be able to upload and download files. Here's a hint ;) of the ones that come to mind on one I just got into (I've marked them in yellow for you):

(http://i60.tinypic.com/wl1u82.png)

To download a file via tftp:
Code:
tftp -g -r <FICHERO> <host>

To upload a file via tftp:
Code:
tftp -p -l <FICHERO> <host>

Code:
Usage: tftp [OPTION]... tftp_server_ip
Update firmware image and configuration data from OR backup configuration data to a tftp server.
Options:
  -g  Get file. (Update image/configuration data)
  -p  Put file. (backup configuration data)
  -f  remote file name.
  -t  i for image and c for configuration data.
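As an added example that is not code from the thread, serving both vk496's partition backup above and the tftp transfer just described: a host-side POSIX sh script that turns the five partition lines from the bootlog into byte sizes and checks that a dumped image (fetched as http://192.168.0.1/mtdN or moved with tftp) has exactly the size the kernel reported, so a truncated transfer is caught before the file is kept as a backup or written back with mtd_write. The bootlog lines are embedded as constructed sample input; the dump directory layout and the mtd0..mtd4 numbering are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: derive byte sizes from the
# "Creating 5 MTD partitions" lines of the MF10 bootlog and verify that a
# dumped partition image has exactly the size the kernel reported.

# Constructed sample: the five partition lines exactly as the bootlog prints them.
MTD_TABLE='0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00140000 : "Kernel"
0x00140000-0x00800000 : "RootFS"'

# mtd_names -> partition names, one per line, in the order the kernel created them.
mtd_names() {
    printf '%s\n' "$MTD_TABLE" | awk '{ gsub(/"/, "", $NF); print $NF }'
}

# mtd_range NAME -> prints "start-end" (hex offsets) for NAME, or nothing.
mtd_range() {
    printf '%s\n' "$MTD_TABLE" | awk -v want="\"$1\"" '$NF == want { print $1 }'
}

# mtd_size NAME -> prints the partition size in bytes; fails if NAME is unknown.
mtd_size() {
    range=$(mtd_range "$1")
    [ -n "$range" ] || return 1
    # ${range%-*} is the start offset, ${range#*-} the (exclusive) end offset.
    echo $(( ${range#*-} - ${range%-*} ))
}

# mtd_total -> sum of all partition sizes; should equal the flash chip size.
mtd_total() {
    total=0
    for name in $(mtd_names); do
        total=$(( total + $(mtd_size "$name") ))
    done
    echo "$total"
}

# check_dump FILE NAME -> 0 if FILE is exactly as large as partition NAME,
# 1 on a missing file or a size mismatch (truncated transfer, wrong file).
check_dump() {
    file=$1
    name=$2
    want=$(mtd_size "$name") || { echo "$name: unknown partition" >&2; return 1; }
    [ -f "$file" ] || { echo "$file: missing dump for $name" >&2; return 1; }
    got=$(wc -c < "$file" | tr -d ' ')
    if [ "$got" -eq "$want" ]; then
        echo "$file: $name OK ($got bytes)"
        return 0
    fi
    echo "$file: $name MISMATCH (got $got bytes, expected $want)" >&2
    return 1
}

# verify_dir DIR -> checks DIR/mtd0 .. DIR/mtd4 against the table, assuming the
# kernel numbered the devices in table order (mtd0 = Bootloader ... mtd4 = RootFS).
verify_dir() {
    i=0
    rc=0
    for name in $(mtd_names); do
        check_dump "$1/mtd$i" "$name" || rc=1
        i=$(( i + 1 ))
    done
    return $rc
}

# Usage: sh verify_mtd_dumps.sh DIR   (DIR holds mtd0..mtd4 saved from the router)
if [ $# -eq 1 ]; then
    echo "flash size from table: $(mtd_total) bytes"
    verify_dir "$1"
fi
```

The summed size comes out at 8388608 bytes, which matches the SIZE=8MB the FLASH_API line in the bootlog reports.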