no one is safe ...

Shell

Using the discovered OS Command Injection vulnerability in Linksys WRT54GL within a pentest

After releasing the OS command execution vulnerability in the WRT54GL router from Linksys last week there were some requests about how could we use this vulnerability for getting a remote shell.

First off all we have to analyze the firmware a bit. For this it is best to download the original firmware from the vendor and use the firmware-modification-kit or binwalk created by Craig Heffner and Jeremy Collake. Awesome toolkit from awesome guys.

So let’s extract and analyse the firmware a bit:

root@bt:~/images/firmware_mod_kit/firmware-mod-kit-read-only# ./extract-ng.sh /root/images/FW_WRT54GL_4.30.15.002_US_20101208_code.bin linksyswrt54gl
Firmware Mod Kit (build-ng) 0.78 beta, (c)2011-2012 Craig Heffner, Jeremy Collake
http://www.bitsum.com
Scanning firmware...
DECIMAL   HEX       DESCRIPTION
-------------------------------------------------------------------------
32        0x20      TRX firmware header, little endian, header size: 28 bytes,  image size: 3362816 bytes, CRC32: 0xB5C3AB6E flags/version: 0x10000
700656    0xAB0F0   Squashfs filesystem, little endian, version 2.0, size: 2655384 bytes, 502 inodes, blocksize: 65536 bytes, created: Wed Dec  8 05:06:27 2010

root@bt:~/images/firmware_mod_kit/firmware-mod-kit-read-only/linksys-wrt54gl/rootfs# find . -iname wget
./usr/bin/wget