problem.txt
whilst server running, connecting returns an auth page, where default credentials (which happen to be in
squashfs_root_bb/etc/config/users) don't work.
IDEA: try to find out when/where it reads from that file:
squashfs_root_bb/usr/lib/opkg/info/dni-base-files.list:/etc/config/users - for one
appears to be a dead end
Perhaps default creds are no longer applicable?
IDEA: SRE in Ghidra
have finished a Python script, this helped find the main handler, it now appears that the web server relies on libconfig.so, which resolves config from a localhost socket 127.0.0.1:2313
IDEA: what serves on localhost:2313?
turns out after grepping for the same instructions that populated param1 (r0) with 0x0909 for port 2313 and with 7f000001 for the ip, there's only 1 other binary than libconfig.so: datalib
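The constant search described above, as an added example (not the author's script): it walks an extracted firmware root and reports ELF files in which the 127.0.0.1 constant sits close to the port 2313 constant. It assumes both values appear as raw bytes in the file (a literal pool or an initialised sockaddr_in), so immediates split across instruction encodings will not match; the function names and the 64-byte window are assumptions.

```python
import os
import socket
import struct

ELF_MAGIC = b"\x7fELF"

def constant_patterns(ip, port):
    """Byte forms of the IPv4 address and the port, in both byte orders."""
    ip_be = socket.inet_aton(ip)        # 127.0.0.1 -> 7f 00 00 01
    port_be = struct.pack(">H", port)   # 2313 -> 09 09 (same in both orders)
    return {ip_be, ip_be[::-1]}, {port_be, port_be[::-1]}

def scan_blob(blob, ip="127.0.0.1", port=2313, window=64):
    """Offsets of the IP constant that have the port constant within `window` bytes."""
    ip_pats, port_pats = constant_patterns(ip, port)
    hits = set()
    for pat in ip_pats:
        pos = blob.find(pat)
        while pos != -1:
            end = pos + len(pat)
            # Look on each side of the IP bytes separately, never across them.
            before, after = blob[max(0, pos - window):pos], blob[end:end + window]
            if any(p in side for p in port_pats for side in (before, after)):
                hits.add(pos)
            pos = blob.find(pat, pos + 1)
    return sorted(hits)

def scan_tree(root, **kw):
    """Map relative path -> hit offsets for each ELF file under `root`."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue          # skip symlinks and device nodes in the image
            try:
                with open(path, "rb") as fh:
                    blob = fh.read()
            except OSError:
                continue          # unreadable file in the extracted image
            if blob.startswith(ELF_MAGIC):
                hits = scan_blob(blob, **kw)
                if hits:
                    results[os.path.relpath(path, root)] = hits
    return results

if __name__ == "__main__":
    import sys
    for path, offsets in scan_tree(sys.argv[1]).items():
        print(path, [hex(o) for o in offsets])
```

Each reported offset is a starting point for disassembly, not proof of a connect() or bind() call.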
sudo env CHROOTENV=FHACKS_NOISE=1 ./run_args.sh datalib Base
fw_hacks: __libc_start_main()
fw_hacks: Injecting mandatory funcs.
fw_hacks: Injection sucess on datalib
fw_hacks: Injecting optional.
fw_hacks: argument: datalib
fw_hacks: argument: Base
fw_hacks: MAKING LOUD NOISES!
fw_hacks: intercepted open(/tmp/cache/config_part,...) called by datalib
fw_hacks: errno: 2 - No such file or directory
fw_hacks: __libc_start_main()
fw_hacks: Injecting mandatory funcs.
fw_hacks: Injection sucess on /usr/sbin/part_dev
fw_hacks: Injecting optional.
fw_hacks: argument: /usr/sbin/part_dev
fw_hacks: argument: config
fw_hacks: MAKING LOUD NOISES!
fw_hacks: intercepted fopen(/flash_type, r) called by /usr/sbin/part_dev
fw_hacks: intercepted fopen(/proc/mtd, r) called by /usr/sbin/part_dev
fw_hacks: SANITIZE_PATH: /proc/mtd -> /mtd
fw_hacks: intercepted fopen(/sys/block/mmcblk0/mmcblk0p1/uevent, r) called by /usr/sbin/part_dev
fw_hacks: intercepted dni_strcmp_s(caller=get_device_by_name_emmc, call_lineno=99, dest='config', dmax=32, src='config') called by /usr/sbin/part_dev
fw_hacks: intercepted fopen(/tmp/cache/config_part, r) called by datalib
fw_hacks: intercepted fopen(/dev/console, a) called by datalib
fw_hacks: intercepted fopen(/flash_type, r) called by datalib
fw_hacks: intercepted open(/dev/,...) called by datalib
mtd: error!: "/dev/" is not a character device
mtd: error!: mtd_get_dev_info failed