Posted: Sat Apr 19, 2008 5:35 Post subject: WRT600N tracert exploit with stock Linksys firmware
A lot of folks are stuck with the stock Linksys firmware on their unflashable WRT600N (1.01.35 build 5). My goal is to help them gain shell access.
I am running 1.01.35 build 3 on my WRT600N (which is flashable), but I think they are similar enough that my tests are valid.
After some poking around, I've found that Tracert on the Diagnostics page only does client-side validation. What this means is we have an opportunity to bypass the validation and execute commands on the router.
Be warned that downgrading may cause you to lose the functionality of your wired ethernet ports. In that case, you'll only be able to access your router via wireless. A newer build (1.01.36 build 3) is available at the bottom of page 7.
Last edited by Transient on Tue Apr 29, 2008 4:45; edited 3 times in total
This assumes your router's IP address is 192.168.1.1, but after running this code you can enter any value in the traceroute test textbox and have it execute on your router!
Last edited by Transient on Sat Apr 19, 2008 6:11; edited 1 time in total
Then paste the above javascript call into the Address bar of Internet Explorer 7 (perhaps other browsers will work as well) and press Enter.
A new window called Tracert should open (make sure your popup blocker is off) and instead of a tracert you'll actually see the output of your ls command!
For more convenience, I add the javascript code to a button on my Links bar. Then I can simply press this button instead of having to paste it in the Address bar each time.
Be warned, though, that putting in a command that fails seems to hang the httpd process. Rebooting the router seems to fix this, but I accept no responsibility if you damage your router! Try at your own risk!
That said, let's see if we can find a way to install telnetd!
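The root cause described in this post is that the Diagnostics page validates the traceroute target only in the browser and then hands it to a shell on the router. The following is an added illustration, not code from the original post or from Linksys firmware, of what a server-side fix looks like: an allowlist check of the target (IP literal or DNS hostname) and an argv-style invocation that never goes through a shell. The function and constant names are my own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_TARGET_LEN = 253


def is_valid_target(target: str) -> bool:
    """Allowlist check for a traceroute target.

    Accepts an IPv4/IPv6 literal or a DNS hostname. Anything else, including
    empty input, whitespace or shell metacharacters such as '|', is rejected.
    This is the check the stock firmware only performed client-side.
    """
    if not target or len(target) > MAX_TARGET_LEN:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass  # not an IP literal; fall through to the hostname grammar
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def traceroute_argv(target: str) -> list:
    """Build the argv list for traceroute, raising ValueError on a rejected target.

    Because the result is an argument vector rather than a command string,
    the target is never interpreted by a shell even if validation were skipped.
    The hostname grammar above also guarantees the target cannot start with '-',
    so it cannot be mistaken for an option.
    """
    if not is_valid_target(target):
        raise ValueError("invalid traceroute target")
    return ["traceroute", target]


def run_traceroute(target: str, timeout: int = 30) -> str:
    """Run traceroute without shell=True and return its stdout (assumes a traceroute binary on PATH)."""
    result = subprocess.run(traceroute_argv(target), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout
```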
Well, you could do that, or you could just do a simple wget and then an mtd command. That might be easier.
Good job finding this.
The trick works fine :)
I have the bad build 5 firmware :(
I have used the mount command and I can see the USB disk ... I have copied the firmware build 3 to the root of the USB disk...
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
none on /proc/bus/usb type usbfs (rw)
/dev/scsi/host0/bus0/target0/lun0/part1 on /tmp/memstick/host0_part1 type ufsd (rw)
/dev/scsi/host0/bus0/target0/lun0/part1 on /tmp/ftproot/root type ufsd (rw)
But now how can I upgrade the firmware to version 3?
So maybe the reason they won't flash is that it doesn't have mtd. I guess you could wget mtd from a somewhere and then chmod +x on it. Then it might work. I'll upload mtd to my server when I get a chance.
EDIT: Does it have the 'write' command? If so you could do it using that.
_________________
WRT54G v3 - v24 r14471M NEWD Eko - AP
WRT350N v1.0
WRT600N v1.1 - halfway there!
Se7en is Darker...
Sorry, I'm not an expert with Linux, but if I have mounted my USB disk, why do I need to use wget? Why can't I copy the file(s) that I need from the USB disk?
Can you send the program you talked about (mtd) to my email?
I was speaking in general. You should be able to get it off the USB disk. Try this (make sure to replace [FIRMWARE_FILENAME] with the name of the .bin you want to use):
Quote:
write /tmp/memstick/host0_part1/[FIRMWARE_FILENAME] linux
I cannot solve it :(
I only have 30 characters to put the command in, and I cannot write the full command
"|cd /tmp/ftproot/root|write w.b linux"
I can only write "|cd /tmp/ftproot/root|write w."
How can I solve this?
Thanks
Type
"|cp /tmp/ftproot/root/w.b /tmp"
then
"|cd /tmp|write w.b linux"
That should work.