Just a quick one, after opening the httpd up in IDA, we can see the following:
This function, which I’ve named unlock_cli_func, echoes 1 to the file shown in the disassembly, and is called when the save button is pressed on the accesscntr.html page. However, access is not granted on this page; we just see a white page.
That’s cool, but where’s my shell?
Cool indeed, unlockcli sounds pretty cool, but what can we do with it? Well!
So, loading the file /lib/private/lib_cms_cli.so into IDA and poring over some functions, we find cli_processHiddenCmd. Sounds interesting, right?
The first highlighted text is the command passed to the shell: fastsh. Interesting... so this is the hidden command handled by cli_processHiddenCmd, and it allows you to get a full shell!
It’s not all sunshine and daisies, as just running the command results in ‘Plesae input the shell password’ (yes, ‘Plesae’) being spat out. Let’s take a closer look at the control flow of this function:
Let’s name the function that spawns /bin/sh shell4u.
What this flow shows us is: jump to shell4u if /var/unlockcli exists, else ask for a ‘Shell Password’ (call the access function, then jump if the $v0 register is 0, i.e. if the access function returned 0). So really, I think it’s just checking whether the file exists, not what’s in it.
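To make that point concrete, here is a small model of the gate as the post describes it. This is an added illustration written for this page, not the decompiled code from lib_cms_cli.so: the function and file names (gate_allows_shell, check_flag_with_contents, the /tmp paths) are assumptions, and the only thing it reproduces is the decision logic, access(path, F_OK) == 0 selects the shell branch. Because access() never opens the file, an empty file, a file holding "0" and a file holding "1" are all treated the same, which is exactly why a flag file that any writable path can create is a weak gate for a root shell.

```c
/* Illustrative model (not the router's decompiled code) of the check the
 * post describes: the hidden command is allowed whenever a flag file
 * exists, regardless of what the file contains. All names and paths here
 * are assumptions made for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Mirrors the decompiled flow: access(path, F_OK) == 0 takes the shell4u
 * branch, anything else falls through to the password prompt.
 * Returns 1 when the shell branch would be taken, 0 otherwise. */
int gate_allows_shell(const char *flag_path)
{
    return access(flag_path, F_OK) == 0;
}

/* Demonstration helper: create a temporary flag file with the given
 * contents, run the gate against it, then remove the file.
 * Returns the gate's verdict, or -1 if the file could not be created. */
int check_flag_with_contents(const char *contents)
{
    /* Constructed temp path for the demo, not the device's /var/unlockcli. */
    char path[] = "/tmp/unlockcli_exampleXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    size_t len = strlen(contents);
    if (len > 0 && write(fd, contents, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    int allowed = gate_allows_shell(path);
    unlink(path);
    return allowed;
}

int main(void)
{
    /* The contents are never read, so every existing file passes. */
    printf("empty file    -> %d\n", check_flag_with_contents(""));
    printf("contains \"0\"  -> %d\n", check_flag_with_contents("0"));
    printf("contains \"1\"  -> %d\n", check_flag_with_contents("1"));
    /* Only a missing file sends the flow to the password prompt. */
    printf("missing file  -> %d\n",
           gate_allows_shell("/tmp/unlockcli_example_missing_file_xyz"));
    return 0;
}
```

The lesson for anyone designing a maintenance or debug mode is the same one the post draws: a presence-only check on a file that other code paths can write gives you no authentication at all, and the value written into it is irrelevant.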
So the process is really quite simple:
- Use the command injection technique from the last post to echo 1 into /var/unlockcli (ping & echo 1 > /var/unlockcli)
- Enter UART mode, type fastsh at the console and you’ll get dropped right into a full shell
Looking at references to our /var/unlockcli, we can actually see other functions that would be enabled if the file exists:
I would have a nice screenshot of the end result; however, whilst trying to enable JTAG I shorted the wrong pins and bricked my device, so please do be careful when soldering!
Also, a quick shout-out to Revs Per Min from Whirlpool for helping me test other entries/methods to unlock this device!
I’ve ordered a new TP-Link Archer D7 AC1750, so stay tuned for more updates on that!