Sbloccare i modem Alice senza cacciaviti, seriali o ponticelli

Questo articolo è dedicato allo sblocco dei modelli AGA/AGB/AG2P-AG3/AGPV-AGPF dei modem Alice mediante backdoor.

se volete essere seguiti passo per passo o volete la soluzione pronta contattatemi via mail (la trovate nella Home) e cercherò di aiutarvi.

Io e drPepperOne abbiamo scoperto una backdoor nei modem Alice a base Broadcom che permette in un solo colpo da LAN di abilitare telnet, ftp, tftp e modalità web estesa. Ciò che molti non sanno è che nei modem c’è un vero e proprio Sistema Operativo e che telnet implementa in questi casi una vera e propria shell remota da cui controllare l’intero sistema. Inoltre le interfacce web estese (credo tutte) presentano una pagina per cambiare firmware senza troppe difficoltà

Per abilitare la backdoor è sufficiente inviare un pacchetto IP opportunamente formattato al modem su cui c’è un socket raw in ascolto.


Tale pacchetto deve avere le seguenti caratteristiche:
  • protocollo IP
  • Protocol Number 255
  • lunghezza 28 byte (8 byte di payload)
  • il payload è costituito dai primi 8 byte dell’md5 con salt del mac del device br0


in questi modelli di modem br0 ha lo stesso mac di eth0 ed è quindi facile da reperire. Esso si potrebbe anche ottenere dai mac di eth1 e wl0 che sono più o meno consecutivi a seconda dei modelli dei modem. Su AGA per esempio mac(eth1)=mac(eth0)+1 e mac(wl0)=mac(eth0)+4.


L’algoritmo di creazione del payload è il seguente:


Così com’è il programma prevede che venga passato come parametro un file di 6 byte contenente il mac di br0.Il file compilato su WinXP lo travate al seguente link:

saxdax & drPepperOne

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the paylod of the ip packet */
/* the mac must be in an hex file and has to be passed as argument to the program */

#include
#include
#include
#include “md5.h”

/*
* RFC 1321 compliant MD5 implementation
*
* Copyright (C) 2001-2003 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#define GET_UINT32(n,b,i) \
{ \
(n) = ( (uint32) (b)[(i) ] ) \
| ( (uint32) (b)[(i) + 1] << 8 ) \
| ( (uint32) (b)[(i) + 2] << 16 ) \
| ( (uint32) (b)[(i) + 3] << 24 ); \
}

#define PUT_UINT32(n,b,i) \
{ \
(b)[(i) ] = (uint8) ( (n) ); \
(b)[(i) + 1] = (uint8) ( (n) >> 8 ); \
(b)[(i) + 2] = (uint8) ( (n) >> 16 ); \
(b)[(i) + 3] = (uint8) ( (n) >> 24 ); \
}

void md5_starts( md5_context *ctx )
{
ctx->total[0] = 0;
ctx->total[1] = 0;

ctx->state[0] = 0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
}

void md5_process( md5_context *ctx, uint8 data[64] )
{
uint32 X[16], A, B, C, D;

GET_UINT32( X[0], data, 0 );
GET_UINT32( X[1], data, 4 );
GET_UINT32( X[2], data, 8 );
GET_UINT32( X[3], data, 12 );
GET_UINT32( X[4], data, 16 );
GET_UINT32( X[5], data, 20 );
GET_UINT32( X[6], data, 24 );
GET_UINT32( X[7], data, 28 );
GET_UINT32( X[8], data, 32 );
GET_UINT32( X[9], data, 36 );
GET_UINT32( X[10], data, 40 );
GET_UINT32( X[11], data, 44 );
GET_UINT32( X[12], data, 48 );
GET_UINT32( X[13], data, 52 );
GET_UINT32( X[14], data, 56 );
GET_UINT32( X[15], data, 60 );

#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 – n)))

#define P(a,b,c,d,k,s,t) \
{ \
a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \
}

A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];

#define F(x,y,z) (z ^ (x & (y ^ z)))

P( A, B, C, D, 0, 7, 0xD76AA478 );
P( D, A, B, C, 1, 12, 0xE8C7B756 );
P( C, D, A, B, 2, 17, 0x242070DB );
P( B, C, D, A, 3, 22, 0xC1BDCEEE );
P( A, B, C, D, 4, 7, 0xF57C0FAF );
P( D, A, B, C, 5, 12, 0x4787C62A );
P( C, D, A, B, 6, 17, 0xA8304613 );
P( B, C, D, A, 7, 22, 0xFD469501 );
P( A, B, C, D, 8, 7, 0x698098D8 );
P( D, A, B, C, 9, 12, 0x8B44F7AF );
P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
P( B, C, D, A, 11, 22, 0x895CD7BE );
P( A, B, C, D, 12, 7, 0x6B901122 );
P( D, A, B, C, 13, 12, 0xFD987193 );
P( C, D, A, B, 14, 17, 0xA679438E );
P( B, C, D, A, 15, 22, 0x49B40821 );

#undef F

#define F(x,y,z) (y ^ (z & (x ^ y)))

P( A, B, C, D, 1, 5, 0xF61E2562 );
P( D, A, B, C, 6, 9, 0xC040B340 );
P( C, D, A, B, 11, 14, 0x265E5A51 );
P( B, C, D, A, 0, 20, 0xE9B6C7AA );
P( A, B, C, D, 5, 5, 0xD62F105D );
P( D, A, B, C, 10, 9, 0x02441453 );
P( C, D, A, B, 15, 14, 0xD8A1E681 );
P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
P( A, B, C, D, 9, 5, 0x21E1CDE6 );
P( D, A, B, C, 14, 9, 0xC33707D6 );
P( C, D, A, B, 3, 14, 0xF4D50D87 );
P( B, C, D, A, 8, 20, 0x455A14ED );
P( A, B, C, D, 13, 5, 0xA9E3E905 );
P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
P( C, D, A, B, 7, 14, 0x676F02D9 );
P( B, C, D, A, 12, 20, 0x8D2A4C8A );

#undef F

#define F(x,y,z) (x ^ y ^ z)

P( A, B, C, D, 5, 4, 0xFFFA3942 );
P( D, A, B, C, 8, 11, 0x8771F681 );
P( C, D, A, B, 11, 16, 0x6D9D6122 );
P( B, C, D, A, 14, 23, 0xFDE5380C );
P( A, B, C, D, 1, 4, 0xA4BEEA44 );
P( D, A, B, C, 4, 11, 0x4BDECFA9 );
P( C, D, A, B, 7, 16, 0xF6BB4B60 );
P( B, C, D, A, 10, 23, 0xBEBFBC70 );
P( A, B, C, D, 13, 4, 0x289B7EC6 );
P( D, A, B, C, 0, 11, 0xEAA127FA );
P( C, D, A, B, 3, 16, 0xD4EF3085 );
P( B, C, D, A, 6, 23, 0x04881D05 );
P( A, B, C, D, 9, 4, 0xD9D4D039 );
P( D, A, B, C, 12, 11, 0xE6DB99E5 );
P( C, D, A, B, 15, 16, 0x1FA27CF8 );
P( B, C, D, A, 2, 23, 0xC4AC5665 );

#undef F

#define F(x,y,z) (y ^ (x | ~z))

P( A, B, C, D, 0, 6, 0xF4292244 );
P( D, A, B, C, 7, 10, 0x432AFF97 );
P( C, D, A, B, 14, 15, 0xAB9423A7 );
P( B, C, D, A, 5, 21, 0xFC93A039 );
P( A, B, C, D, 12, 6, 0x655B59C3 );
P( D, A, B, C, 3, 10, 0x8F0CCC92 );
P( C, D, A, B, 10, 15, 0xFFEFF47D );
P( B, C, D, A, 1, 21, 0x85845DD1 );
P( A, B, C, D, 8, 6, 0x6FA87E4F );
P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
P( C, D, A, B, 6, 15, 0xA3014314 );
P( B, C, D, A, 13, 21, 0x4E0811A1 );
P( A, B, C, D, 4, 6, 0xF7537E82 );
P( D, A, B, C, 11, 10, 0xBD3AF235 );
P( C, D, A, B, 2, 15, 0x2AD7D2BB );
P( B, C, D, A, 9, 21, 0xEB86D391 );

#undef F

ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
}

void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
uint32 left, fill;

if( ! length ) return;

left = ctx->total[0] & 0x3F;
fill = 64 – left;

ctx->total[0] += length;
ctx->total[0] &= 0xFFFFFFFF;

if( ctx->total[0] < length )
ctx->total[1]++;

if( left && length >= fill )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, fill );
md5_process( ctx, ctx->buffer );
length -= fill;
input += fill;
left = 0;
}

while( length >= 64 )
{
md5_process( ctx, input );
length -= 64;
input += 64;
}

if( length )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, length );
}
}

static uint8 md5_padding[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

void md5_finish( md5_context *ctx, uint8 digest[16] )
{
uint32 last, padn;
uint32 high, low;
uint8 msglen[8];

high = ( ctx->total[0] >> 29 )
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );

PUT_UINT32( low, msglen, 0 );
PUT_UINT32( high, msglen, 4 );

//for(int i=0;i<8;i++) printf(“length %d\n”,msglen[i]);

last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 – last ) : ( 120 – last );

md5_update( ctx, md5_padding, padn );
md5_update( ctx, msglen, 8 );

PUT_UINT32( ctx->state[0], digest, 0 );
PUT_UINT32( ctx->state[1], digest, 4 );
PUT_UINT32( ctx->state[2], digest, 8 );
PUT_UINT32( ctx->state[3], digest, 12 );
}

//#ifdef TEST

/*
* those are the standard RFC 1321 test vectors
*/

static char *msg[] =
{
“”,
“a”,
“abc”,
“message digest”,
“abcdefghijklmnopqrstuvwxyz”,
“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789”,
“12345678901234567890123456789012345678901234567890123456789012” \
“345678901234567890”
};

static char *val[] =
{
“d41d8cd98f00b204e9800998ecf8427e”,
“0cc175b9c0f1b6a831c399e269772661”,
“900150983cd24fb0d6963f7d28e17f72”,
“f96b697d7cb7938d525a2f31aaf161d0”,
“c3fcd3d76192e4007dfb496cca67e13b”,
“d174ab98d277d9f5a5611c2c9f419d9f”,
“57edf4a22be3c955ac49da2e2107b67a”
};

//Salt per AGA/AGB/AG3(Vela)
static char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};
//Salt per AGPV/AGPF
//static char saltOrig[] =
//{0x43, 0x22, 0x11, 0x11, 0x22, 0x81, 0xFA, 0x65, 0x11, 0x41, 0x54, 0x11, 0x17, 0x12, 0x15, 0x22, 0x72, 0x03, 0x10, 0x66};

int main( int argc, char *argv[] )
{
FILE *f;
int i, j;
char output[33];
md5_context ctx;
unsigned char buf[1000];
unsigned char md5sum[16];
unsigned char salt[20];

printf( “****************************\n”);
printf( “Alice BackDoor hash creator \n”);
printf( “by saxdax and drPepperOne \n”);
printf( “****************************\n\n”);

if( argc < 2 )
{
printf( “\n Usage: %s pathfileMAC\n\n”, argv[0] );
return 0;
}

if( ! ( f = fopen( argv[1], “rb” ) ) )
{
perror( “fopen” );
return( 1 );
}

md5_starts( &ctx );

while( ( i = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
{
md5_update( &ctx, buf, i );
}

memcpy(salt, saltOrig, 20);

md5_update( &ctx, salt, 20 );

md5_finish( &ctx, md5sum );

printf(“Payload is: “);
for( j = 0; j < 8; j++ )
{
printf( “%02x”, md5sum[j] );
}

return( 0 );
}

 

AGA/AGB/AG3 http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html
AGPV/AGPF http://rapidshare.com/files/156053651/md5_AGPV_AGPF.exe.html

Tali programmi sono validi fino alle seguenti versioni di firmware:

AG2P: 3.1.0
AG3: 3.2.4
AGA: 3.2.4
AGB: 3.2.4
AGPF: AGPF_4.3.4.0001 (e la 4.4.0)
AGPV: 4.3.1

Il programma deve essere lanciato da linea di comando e restituisce a video gli 8 byte del payload.

A questo punto potete utilizzare qualsiasi strumento di injection preferiate.

Io ho utilizzato Colasoft Packet Builder, generatore visuale con GUI su Windows.

Allego il template di un pacchetto già pronto in cui cambiare solo IP del modem e del pc, mac del modem e del pc e payload (nalla parte in basso a sinistra esadecimale di colasoft PB):

http://www.megaupload.com/?d=8OH6NFX1

posizione payload
posizione payload

drPepperOne ha utilizzato Nemesis da linea di comando, disponibile per Linux e Windows.

Una volta creato un file di 8 byte con un editor esadecimale, con nome per es. hash.hex, la sintassi da usare con Nemesys è:

Code: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex

Se il pacchetto è corretto il router risponderà con un pacchetto ICMP con codici 3 e 2 (protocol unreachable).

A questo punto potete collegarvi a telnet, ftp e tftp ed utilizzare l’interfaccia web estesa senza aver aperto il modem!

Buon divertimento.

Next Entries Alice Gate 3.46 - Cambio Password FTP

348 thoughts on “Sbloccare i modem Alice senza cacciaviti, seriali o ponticelli

  1. Pingback: Marcus

  2. Pingback: Mathew

  3. Pingback: sergio

  4. Pingback: Maurice

  5. Pingback: william

  6. Pingback: Nicholas

  7. Pingback: derrick

  8. Pingback: Doug

  9. Pingback: Eugene

  10. Pingback: marshall

  11. Pingback: Kenneth

  12. Pingback: martin

  13. Pingback: warren

  14. Pingback: Sergio

  15. Pingback: alex

  16. Pingback: Enrique

  17. Pingback: Fred

  18. Pingback: Jay

  19. Pingback: Jeremy

  20. Pingback: Brad

  21. Pingback: Barry

  22. Pingback: Byron

  23. Pingback: rodney

  24. Pingback: brian

  25. Pingback: jacob

  26. Pingback: Nicholas

  27. Pingback: Albert

  28. Pingback: Glenn

  29. Pingback: Tim

  30. Pingback: robert

  31. Pingback: Charles

  32. Pingback: Jim

  33. Pingback: Dave

  34. Pingback: jordan

  35. Pingback: juan

  36. Pingback: bernard

  37. Pingback: Alejandro

  38. Pingback: mario

  39. Pingback: Claude

  40. Pingback: corey

  41. Pingback: Nicholas

  42. Pingback: Tommy

  43. Pingback: pedro

  44. Pingback: dwayne

  45. Pingback: ricardo

  46. Pingback: Hubert

  47. Pingback: Leroy

  48. Pingback: stuart

  49. Pingback: johnny

  50. Pingback: Leslie

Comments are closed.