Will Tiger router a large number of high-risk vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201678402
Type myhack58
Reporter 佚名
Modified 2016-08-25T00:00:00


Foreword This thing from a few months ago to start. There is one called Tao Sauvage foreigners happy to come to China to travel. Want to have a little China Souvenirs go back, preferably for a long time, select a section called The must Tiger the wireless router. ! Look at this ultra low price and perfect workmanship, this foreigner feel yourself to earn big, is simply a heaven-sent gift! 2 4 9 a! Buy can't lose! 2 4 9 a! Buy don't be fooled it! Will Tiger English translation called“the Tiger Will Power”, I RUB! Diao fried days the name! Tiger force router! Feel the body is hollowed out with! But because it is a domestic Router, the Google translation is not accurate, he also does not understand Chinese. ! What do I do? The router open look at look at right now! Orange where you can insert a SD card, and the Red where are the UART pins. Story of vulnerability, that is, Start from here, then the following“he”will be the first person to the narrative. ! Extracting router firmware Nonsense not say, directly holding the BusPirate is connected on these pins to say! ! Turn on the device after viewing the own terminal, returns the following information. ! It says press any key to continue. Okay, this I just press the button, and then saw the Menu Settings.


BHU Device bootloader menu #


[1(t)] Upgrade firmware with tftp //tftp for firmware upgrade [2(h)] Upgrade firmware with httpd //httpd firmware upgrade [3(a)] Config device aerver IP Address //set the device server's IP address [4(i)] Print device infomation //print the device information [5(d)] Device test //device testing [6(l)] License manager //license management [0(r)] Redevice //Controller [ (c)] Enter to commad line (2) //Press c to view the other commands First press C to find it with U-boot, then its bootargs parameter to be set, so that you are no longer limited to the init program. Please input cmd key: CMD> printenv bootargs bootargs=board=Urouter console=ttyS0,1 1 5 2 0 0 root=3 1:0 3 rootfstype=squashfs,jffs2 init=/sbin/init(3) mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1408k(kernel),8448k(rootfs),1408k(kernel2),1664k(rescure),2944kr),64k(cfg),64k(oem),64k(ART) CMD> setenv bootargs board=Urouter console=ttyS0,1 1 5 2 0 0 rw rootfstype=squashfs,jffs2 init=/bin/sh(4) mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1408k(kernel),8448k(rootfs),1408k(kernel2),1664k(rescure),2944kr),64k(cfg),64k(oem),64k(ART) CMD> boot Then use the printenv command to view the U-boot the basic settings, and then found that as long as the boot sequence is completed, it will run“/sbin/init”, and this binary file is mainly responsible for the initialization of the router to the Linux system. We use the setenv command to‘/sbin/init’ and ‘/bin/sh’to replace it, or else there is no way to access system files. Then use the boot command to continue just boot. The above steps completed, we successfully entered the shell command interface, as shown below. BusyBox v1. 1 9. 4 (2015-09-05 1 2:0 1:4 5 CST) built-in shell (ash) Enter 'help' for a list of built-in commands.


version upgrade sbin proc mnt init dev var tmp root overlay linuxrc home bin usr sys rom opt lib etc ! Worked extremely hard, and now I have to be by the shell command to access the router, and extract the firmware. Then I can analysis The must Tiger the router's common gateway interface and WEB interface. Of course, there are many ways you can extract the router firmware, I used is to modify U-Boot parameters on the network, put all the files copied to My Computer. Interested friends can look at this article: the LinuxBootArgs of A reverse analysis Now I need these files for finishing. First, I need to know which files belong to the web Management Interface, and below this is the router's initial settings.

cat /etc/rc. d/the rc. local

/ [omitted] / mongoose-listening_ports 8 0 & / [omitted] / This Mongoose program open 8 0 port familiar port! Estimate this app is a must-Tiger-routerWEB serverprogram. Hard work pays off, I still found this WEB App of the relevant documents: the mongoose action. According to the document shown, the Mongoose will put the WEB directory all of the file parsing to. cgi suffix. As shown below.

[1] [2] [3] [4] [5] [6] [7] [8] [9] [1 0] next