192.168.1.1 Vodafone Nz
3/22/2021
I would suggest you try looking into the webui code back to the point where the ddns configuration is saved and determine where the injection happens.

They run a custom firmware which I've been able to reverse engineer but not get code execution on. It runs an ssh server behind iptables. Any help getting code execution here would be awesome, to root these boxes and get something open source running on them. We have a heap of these in our country going to waste and it would be awesome to be able to save them from going in the trash.
What options would you recommend trying? There is full source code of the web GUI in Lua in the mega. I'll upload some screenshots now. I'll look into the tr069.lp now.

You can't get custom firmware to boot; you are limited to root access into that Homeware firmware. Check dropbear settings to determine if password login is allowed and check if it is set by uci-defaults scripts. Second chance, do some evaluations on the VDF deployment in NZ: is it using cwmp over DHCP or PPPoE interface? Does this device support ethernet wan connection in its default firmware state or is it limited to builtin dsl modem? Depending on the answers, and default cwmp settings, tch-exploit or could be viable, otherwise it will require more advanced care to get something similar to work properly.

It lets you provide a static IP address on the WAN connection using ipoe. Are you thinking of impersonating an ACL to push out the firmware? I wish I had a hub lying around, it would make this a hell of a load easier.

You may (it depends on configs) try doing the same as tch-exploit does to change the ACS URL of the router and then manage it via CWMP to push STS scripts. You could also push firmwares but that's not a big deal as you can do it already (edit: I just saw you already attached cwmpd settings above, that setup doesn't allow tch-exploit or similar ways in). You can try finding some other weakness of that custom webui to get command execution. I suggest you focus on the thing that you like the most and go that way.

It replaces quotes with but otherwise seems like an entry point, I think it gets passed off to OpenWrt's ddns which is configured to use curl (possible command injection).

In particular I'm interested in knowing if creating a new dropbear instance would not need us to enable that firewall deny option you saw. You can't load patched firmware; everything in Secure Boot enabled devices is signed and verified on boot. You can read the wiki about that for more information if you like.
Probably that link you posted is the correct one even if it is now returning access denied; this means I could already build torrents for all of them.

I think I managed to break the ddns updater as I can't turn it on or off, which makes me think that I've corrupted it. I'm resetting the firmware and trying to build an exploit.

192.168.1.1 Vodafone Nz How To Get Into

I think maybe what broke it was ;sleep 30 in the username field but I'm kind of scratching my head on how to get into it still. Has this older firmware got any exploits you can spot I could try to work with?

Then, setting up a permanent ssh server is only a matter of configuring some settings which are now disabling it. This is the standard command block for opening up a local dropbear instance.

All I know so far is putting the quotation marks in the username field breaks the module somehow. I'd be happy to write a selenium function once we figure it out that we could put into the autoflashgui or have someone translate to the roboframework to automatically root these devices. Thanks for the help and progress everyone.