Introduced by Sercomm. Gives a root shell, no authentication. Dumps the entire configuration. 4 affected manufacturers (Cisco, Linksys, NetGear, Diamond). 24 router models confirmed vulnerable. 6000 vulnerable routers on the Internet.
(more info: https://github.com/elvanderb/TCP-32764)
It was patched
'binwalk -e' to extract the file system: scfgmgr (the backdoor binary) is still present... but it's now started with a new -l option
Wait... what.
It listens for packets with ethertype = 0x8888 coming from the Ethernet card, either addressed to the router or broadcast (check of the destination MAC address)
Packet format
If payload == MD5("DGN1000")...
system("scfgmgr -f")!!!
If you're on the LAN, or if you're an Internet provider (if you're one hop away, you can craft Ethernet packets). It's DELIBERATE. You can also use another packet type to ping the router (it will respond with its MAC address) and a third one to change its LAN IP address.
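The listener logic described above (ethertype 0x8888, destination MAC must be the router's or broadcast, payload compared against MD5 of the commercial name) is easy to turn into a LAN-side detector. The following is an added example, not code from the slides or from the TCP-32764 repository. The slides do not give the payload layout, so the constructed sample frames use an assumed 2-byte placeholder field in front of the 16-byte digest; the detector itself does not depend on that layout and simply looks for the digest anywhere in the payload. The model list is illustrative: only "DGN1000" is named on the slides, "DG834G" is added as a second candidate.

```python
"""LAN-side detector for the Sercomm 0x8888 re-activation frame (added example)."""
import hashlib
import struct

SERCOMM_ETHERTYPE = 0x8888
BROADCAST_MAC = b"\xff" * 6

# Commercial names to derive candidate signatures from. Only DGN1000 is on the
# slides; DG834G is an assumed extra candidate for illustration.
CANDIDATE_MODELS = ["DGN1000", "DG834G"]


def model_signature(model_name: str) -> bytes:
    """MD5 of the router's commercial name, which is what scfgmgr -l compares against."""
    return hashlib.md5(model_name.encode("ascii")).digest()


def parse_ethernet(frame: bytes):
    """Split a raw Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def matched_model(frame: bytes, router_mac: bytes, models=CANDIDATE_MODELS):
    """Return the model whose signature appears in a frame the router would accept
    (ethertype 0x8888, unicast to router_mac or broadcast), otherwise None."""
    dst, _src, ethertype, payload = parse_ethernet(frame)
    if ethertype != SERCOMM_ETHERTYPE:
        return None
    if dst not in (router_mac, BROADCAST_MAC):
        return None
    for model in models:
        if model_signature(model) in payload:
            return model
    return None


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame; used here only to construct sample input."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample traffic (not a capture). ASSUMED_FIELD stands in for the
# unknown leading bytes of the real payload layout.
ROUTER_MAC = bytes.fromhex("001122334455")
SENDER_MAC = bytes.fromhex("66778899aabb")
ASSUMED_FIELD = b"\x00\x00"

UNICAST_FRAME = build_frame(ROUTER_MAC, SENDER_MAC, SERCOMM_ETHERTYPE,
                            ASSUMED_FIELD + model_signature("DGN1000"))
BROADCAST_FRAME = build_frame(BROADCAST_MAC, SENDER_MAC, SERCOMM_ETHERTYPE,
                              ASSUMED_FIELD + model_signature("DGN1000"))
OTHER_DST_FRAME = build_frame(bytes.fromhex("0a0b0c0d0e0f"), SENDER_MAC,
                              SERCOMM_ETHERTYPE,
                              ASSUMED_FIELD + model_signature("DGN1000"))
IPV4_FRAME = build_frame(ROUTER_MAC, SENDER_MAC, 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, frame in [("unicast", UNICAST_FRAME), ("broadcast", BROADCAST_FRAME),
                        ("other dst", OTHER_DST_FRAME), ("ipv4", IPV4_FRAME)]:
        print(f"{name:10s} -> {matched_model(frame, ROUTER_MAC)}")
```

Because the router ignores frames whose destination MAC is neither its own nor broadcast, a detector watching a mirror port needs the router's MAC to avoid flagging frames the router would not act on; if you do not know which model is deployed, feed every commercial name you can think of into the candidate list, since the digest differs per model.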
You can now (among other things) make the router LEDs flash with three of the other message types :)
The 0x8888 ethertype and packet structure is used in an old Sercomm update tool:
http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c
Lazy guys, they didn't even code their new backdoor from scratch :) It may be present in other hardware, but it's hard to tell:
No easy way to scan. The MD5 signature will certainly be different, as it's based on the router's commercial name.
For DGN1000, simply use the PoC from your LAN. For other routers, the simplest way is to:
Use "binwalk -e" to extract the file system. Search for "ftptool" or grep -r "scfgmgr -l". Use IDA to confirm.
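The search step of that procedure, automated over a directory tree produced by `binwalk -e`, as an added example (not the slides' own tooling). It greps the extracted files as bytes, so stripped ELF binaries are searched the same way as init scripts, and it reports which indicator string was found in which file. The indicator strings are the ones the slides name ("ftptool", "scfgmgr -l") plus the "scfgmgr -f" command the listener passes to system(); the mini root file system built by demo_scan() is constructed for this example. A hit is only a lead: as the slides say, confirm in a disassembler.

```python
"""Triage an extracted router rootfs for the re-activated Sercomm backdoor (added example)."""
import tempfile
from pathlib import Path

# Byte strings worth looking for and what each one suggests.
INDICATORS = {
    b"scfgmgr -l": "backdoor binary started in its new listener mode",
    b"scfgmgr -f": "command the listener hands to system() once the MD5 payload matches",
    b"ftptool": "string from the old Sercomm update tool whose packet format is reused",
}


def scan_rootfs(root):
    """Map each regular file under root to the indicator strings found in it."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:  # unreadable device node or permission problem: skip it
            continue
        found = [ind.decode() for ind in INDICATORS if ind in data]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def demo_scan():
    """Build a constructed mini rootfs (not real firmware) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "init.d").mkdir(parents=True)
        (root / "usr" / "sbin").mkdir(parents=True)
        # Init script that starts the daemon in listener mode.
        (root / "etc" / "init.d" / "rcS").write_bytes(
            b"#!/bin/sh\n/usr/sbin/scfgmgr -l &\n")
        # Stand-in for a stripped binary: filler bytes around the strings of interest.
        (root / "usr" / "sbin" / "scfgmgr").write_bytes(
            b"\x7fELF" + b"\x00" * 32 + b"ftptool\x00" + b"\x90" * 8 + b"scfgmgr -f\x00")
        # Unrelated binary that must not be reported.
        (root / "usr" / "sbin" / "httpd").write_bytes(b"\x7fELF" + b"\x00" * 64)
        return scan_rootfs(root)


if __name__ == "__main__":
    for rel_path, found in demo_scan().items():
        for name in found:
            print(f"{rel_path}: {name!r} ({INDICATORS[name.encode()]})")
```

On a real extraction, point scan_rootfs() at the `_firmware.bin.extracted/squashfs-root` directory binwalk produced; the init script hit tells you how the daemon is launched, and the binary hit tells you which file to open in IDA.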