no one is safe ...

Getting a full Shell on D-Link DSL-320B

Not a big thing this time ... more of a nice detail on getting a shell on the DSL-320B device.

If you run a port scan against the device on your local network with Nmap, you will see the following output:

PORT   STATE SERVICE    VERSION
21/tcp open  ftp        D-Link or USRobotics ADSL router firmware update ftpd
22/tcp open  tcpwrapped
23/tcp open  telnet     D-Link DSL-2542B ADSL router telnetd
80/tcp open  http?
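
Seen from the defender's side, this table already tells you which management interfaces the router exposes in cleartext. The following is an added example, not part of the original post: it parses Nmap's normal-output port table (the scan above is embedded as sample input) and flags open cleartext management services. The names `parse_port_table`, `cleartext_management` and the `CLEARTEXT_MGMT` set are assumptions made for this illustration.

```python
import re

# Sample input: the port table from the scan shown above, embedded for offline use.
SAMPLE_SCAN = """\
PORT   STATE SERVICE    VERSION
21/tcp open  ftp        D-Link or USRobotics ADSL router firmware update ftpd
22/tcp open  tcpwrapped
23/tcp open  telnet     D-Link DSL-2542B ADSL router telnetd
80/tcp open  http?
"""

# Assumption: services treated as cleartext management interfaces in this audit.
CLEARTEXT_MGMT = {"ftp", "telnet", "http"}

# port/proto, state, service, optional version fingerprint
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def parse_port_table(text):
    """Return one dict per port line of Nmap's normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header, blank lines, anything that is not a port row
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            # Nmap appends '?' when the service name is only a guess
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": version or "",
        })
    return rows

def cleartext_management(rows):
    """Open ports that expose an unencrypted management service."""
    return [r for r in rows
            if r["state"] == "open" and r["service"] in CLEARTEXT_MGMT]

if __name__ == "__main__":
    for r in cleartext_management(parse_port_table(SAMPLE_SCAN)):
        note = " (service guessed)" if r["guessed"] else ""
        print(f'{r["port"]}/{r["proto"]} {r["service"]}{note}: '
              f'{r["version"] or "no version fingerprint"}')
```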

You can log in via telnet with the credentials from the web interface, and you get stripped-down access:

root@bt:~# telnet 192.168.178.111
Trying 192.168.178.111...
Connected to 192.168.178.111.
Escape character is '^]'.
TESTING MODEL ADSL Router
Login: admin
Password:
> help

?
help
logout
reboot
adsl
atm
brctl
cat
df
dumpcfg
echo
ifconfig
kill
arp
defaultgateway
dhcpserver
dns
lan
passwd
ppp
remoteaccess
restoredefault
route
save
swversion
wan
virtualserver
ping
ps
pwd
sntp
sysinfo
tftp

To get a full shell, just type sh, which the help output does not list ;)

> sh
app: sh

BusyBox v1.00 (2010.12.28-10:26+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# cat /proc/cpuinfo
system type             : 96332CG
processor               : 0
cpu model               : BCM6338 V1.0
BogoMIPS                : 239.20
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : no
unaligned access                : 190140
VCED exceptions         : not available
VCEI exceptions         : not available

More stuff is coming soon ;)

have phun
mIke