21-04-2019, 07:02 AM
(12-04-2019, 07:27 PM)emantec Wrote: Adding to elbarto's post on enabling telnet you can do the following to bypass the pwod by setting the 'client' password (assuming the client is actually Virgin Media in this case).
In /nvram/6/1 set the following at address 0x1F7
BC AE 6A 68 38 32 4B 18
This will set the password to 'pwned' giving you access to the higher privileged shell (still need to work out how to break into busybox).
(16-04-2019, 12:07 PM)emantec Wrote: Upon some further research it seems their shell is very locked down and there's no way to break out of it. With that said I did find an extremely easy command injection exploit.
Although it was helpful it's not actually needed to unlock the system, you can do that simply from the NVRAM.
On boot it checks for the script /nvram/0/sys_setup.sh and runs if it exists, I put together a script that runs some code I compiled to enable telnet on every boot, set the client password and set the permissions to the maximum level so you can access all the restricted commands from the restricted shell. You can access pretty much everything from there, even the Intel CPU:
Code:
[ 6] Atom> help
help
Directory Commands ->
manuf : <DIR> Manuf
status : Show Modem Status
!reset : Reset Modem
system : Run shell command
help : Display commands
!logout : Disconnect telnet/SSH
quit : Quit the Atom CLI
Type '<cmd> ?' for available help.
Return Status: 0
[ 7] Atom> manuf
manuf
[ 8] Manuf> help
help
Directory Commands ->
ccTest : Dummy Cable Card Test
boottimeout : Set CEFDK boot timeout
macset : Set Atom MAC address
loadFromUSB : Load Inactive Bank from USB
sectorInfo : Show sector info
status : Show Modem Status
!reset : Reset Modem
system : Run shell command
help : Display commands
!logout : Disconnect telnet/SSH
quit : Quit the Atom CLI
Type '<cmd> ?' for available help.
Return Status: 0
[ 9] Manuf>
I've uploaded my script, source and binary here if people want to use it, enjoy.
https://mega.nz/#!g8lTiSbD!mC4J8cFBo38Vv...NZRwaLrq6s-
Can you please confirm that the password is "pwned"? I have tried, but it is not letting me in. The script is working, as I see the following in the serial console at boot:
Code:
vm_printf("********** Initializing Telnet **********\n");
vm_printf("******* Disabling Telnet timeout ********\n");
vm_printf("******* Setting Client Password ********\n");
clientpass[8] = { 0xBC, 0xAE, 0x6A, 0x68, 0x38, 0x32, 0x4B, 0x18 };
vm_printf("******* Setting Max Priviledges ********\n");