

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda.

After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the GoAhead webserver:

But Tenda has made a lot of special modifications themselves. Just before entering the HTTP receive loop, main calls InitMfgTask, which spawns the MfgThread function as a separate thread:

```c
pthread_create(&var_10, 0, MfgThread, 0)
```

Hmmm…InitMfgTask and MfgThread? Related to manufacturing tasks perhaps? Iiiiiinteresting…

The first thing MfgThread does is create a UDP socket and bind it to port 7329:

The thread then goes into a recvfrom loop, reading up to 128 bytes from the socket. It expects each received UDP packet to be at least 14 bytes in length:

[image: Read packet from socket and check packet size]

Now for the fun part: the received UDP packet is then parsed by this block of code:

```c
/* If magic string doesn't match, stop processing this packet and wait for another packet */
if(strcmp(rx_magic_string, "w302r_mfg") != 0) goto outer_receive_loop;

memcpy(command_arg, rx_buf+12, rx_size-12);
```

We can see that the thread is expecting a packet with the following structure:

```c
char magic[10]; // 9 byte magic string ("w302r_mfg"), plus a NULL terminating byte
```

As long as the received packet starts with the string “w302r_mfg”, the code then compares the specified command byte against three ASCII characters (’1′, ‘x’, and ‘e’):

[image: Comparing command_byte to ’1′, ‘x’ and ‘e’]

For simplicity, I’ve converted the remaining disassembly (at least the important bits) to the following C code:

```c
if(strstr(command_arg, "iwpriv") != NULL)

tx_size = call_shell(command_arg, tx_buf, 0x800);

sendto(client_socket, tx_buf, tx_size, client_sock_addr, 16);
```

The following actions correspond to the three accepted command bytes:

‘e’ – Responds with a pre-defined string, basically a ping test
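Because the acceptance checks are so simple, they make a precise network detection signature. The following is an added example (not code from the original post or from Tenda) that applies exactly the checks described above to UDP datagrams and flags the ones the MfgThread would act on; the sample datagrams and source addresses are constructed, and the two bytes between the magic string and offset 12 are filled with placeholder bytes because their layout is not spelled out here.

```python
"""Flag UDP datagrams that the Tenda W302R MfgThread would accept.

Added detection example for this write-up, not code from the post or the
vendor. It mirrors only the checks the write-up describes: UDP port 7329,
a payload of at least 14 bytes (the thread reads at most 128), a leading
"w302r_mfg" magic string terminated by NUL, and a command argument copied
from offset 12 (memcpy(command_arg, rx_buf+12, rx_size-12)).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MFG_PORT = 7329               # port MfgThread binds to
MFG_MAGIC = b"w302r_mfg\x00"  # 9-byte magic plus NUL terminator
MIN_PACKET = 14               # minimum packet length the thread requires
RX_BUF = 128                  # recvfrom reads at most 128 bytes
ARG_OFFSET = 12               # start of the command argument


@dataclass
class MfgAlert:
    src: str
    arg: bytes   # argument bytes the thread would hand to its command handler


def inspect_datagram(src: str, dst_port: int, payload: bytes) -> Optional[MfgAlert]:
    """Return an alert if the datagram passes every check the thread applies."""
    if dst_port != MFG_PORT:
        return None
    rx = payload[:RX_BUF]            # the thread never sees more than 128 bytes
    if len(rx) < MIN_PACKET:
        return None                  # too short: dropped before parsing
    if not rx.startswith(MFG_MAGIC):
        return None                  # strcmp against "w302r_mfg" fails
    return MfgAlert(src=src, arg=rx[ARG_OFFSET:].rstrip(b"\x00"))


def scan(datagrams: Iterable[Tuple[str, int, bytes]]) -> List[MfgAlert]:
    """Run inspect_datagram over (src, dst_port, payload) tuples."""
    return [a for a in (inspect_datagram(*d) for d in datagrams) if a is not None]


# Constructed sample traffic (not captured data). "??" stands in for the
# command bytes whose exact layout the write-up does not pin down.
SAMPLES = [
    ("192.0.2.10", 7329, MFG_MAGIC + b"??" + b"uptime"),        # accepted
    ("192.0.2.11", 7329, MFG_MAGIC + b"e"),                      # under 14 bytes
    ("192.0.2.12", 7329, b"ordinary payload, no magic string"),  # no magic
    ("192.0.2.13", 53, MFG_MAGIC + b"??" + b"uptime"),          # wrong port
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(f"MfgThread-style datagram from {alert.src}: arg={alert.arg!r}")
```

Anything this flags on a production network is worth an alert, since legitimate clients have no reason to speak this protocol to a router.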
