中尉
- 注册时间
- 2011-7-7
- 金币
- 479 个
- 威望
- 8 个
- 荣誉
- 0 个
尚未签到
|
发表于 2016-2-10 03:56
本帖最后由 510695678 于 2016-2-10 13:18 编辑
这个算不上高危的,下载配置文件的前提是你知道密码连上wifi,
更新一下:
(管理员密码是base64加密保存的,比如admin加密后是YWRtaW4=
可以轻松解密http://tool.chinaz.com/tools/base64.aspx)
上传上网记录应该是存在的,至于什么时候上传就不知道了。
这个路由使用nvram保存配置的,nvram show可以查看配置,
linux系统开机会先先执行 /sbin/init,一堆程序中会启动一个cathpkt的程序
# grep cathpkt /sbin/init
start_cathpkt
stop_cathpkt
insmod /lib/modules/cathpkt.ko
cathpkt &
killall cathpkt
# grep cat /sbin/dev_init.sh
mknod /dev/cathpkt c 206 0 -m 622
加载了/lib/modules/cathpkt.ko内核模块创建/dev/cathpkt设备
后台运行cathpkt
这是cathpkt这个程序的明文字符串
- .rodata:00404508 0000001E C %02d-%02d-%02d %02d:%02d:%02d
- .rodata:004044E8 0000001E C %02x:%02x:%02x:%02x:%02x:%02x
- .rodata:004041FC 0000000D C %Y%m%d%H%M%S
- .rodata:0040448C 00000024 C %[^:]:%[^:]:%[^:]:%[^:]:%[^:]:%[^:]
- .rodata:00404628 00000013 C %s error code: %d\n
- .rodata:004044B0 0000000D C %s%s%s%s%s%s
- .rodata:0040452C 0000000D C %s;;;%s;%s%s
- .rodata:0040485C 00000006 C %s=%s
- .rodata:004041C0 0000000B C %s[%u] %s\n
- .rodata:00404224 00000011 C %s_SN0000_%s.tar
- .rodata:00404350 00000011 C %s_SN9999_%s.tar
- .rodata:004042D8 00000012 C -->data file=[%s]
- .rodata:00404478 00000011 C -->file size=%ld
- .rodata:004041CC 0000000D C /dev/cathpkt
- .rodata:00404850 0000000B C /dev/nvram
- .rodata:004044D0 00000006 C /tmp/
- .rodata:004042D0 00000008 C /tmp/%s
- .rodata:0040420C 00000017 C /tmp/%s_SN0000_%s.data
- .rodata:00404460 0000000D C /tmp/cathpkt
- .rodata:00404408 0000000D C 001122334455
- .rodata:00404238 00000021 C 0123456789ABCDEF0123456789ABCDEF
- .rodata:00404744 00000005 C CWD
- .rodata:00404610 00000015 C Can not send message
- .rodata:004046E0 0000003D C Can not use PORT mode!Please use "mode" change to PASV mode.
- .rodata:00404664 00000020 C Can't connet to the ftp server!
- .rodata:0040480C 0000000F C Connect error!
- .rodata:00404780 00000018 C Creat data socket error
- .rodata:0040463C 00000013 C Creat socket error
- .rodata:0040481C 00000011 C Invalid address!
- .rodata:00404830 0000000E C Invalid port!
- .rodata:00404798 00000010 C Open file error
- .rodata:004045EC 00000006 C PASS
- .rodata:00404690 00000005 C PASV
- .rodata:00404698 00000017 C PORT %s,%s,%s,%s,%d,%d
- .rodata:00404600 00000010 C Password error!
- .rodata:0040473C 00000005 C QUIT
- .rodata:0040474C 00000006 C STOR
- .rodata:00404754 00000007 C TYPE I
- .rodata:004047C8 00000019 C The PORT mode won't work
- .rodata:004045E4 00000006 C USER
- .rodata:004045F4 0000000C C User error!
- .rodata:004045B8 0000000F C calc_file_size
- .rodata:004041E4 00000016 C can not find dev :%s\n
- .rodata:004045A0 00000015 C cathpkt_writePktinfo
- .rodata:00404380 0000002C C cd /tmp/ && rm *.tar *.data -rf && touch %s
- .rodata:0040425C 00000073 C cd /tmp/ && rm -rf *.tar && openssl enc -aes-128-cbc -in %s -out %s -k %s && tar -zcf %s %s && rm -rf %s %s *.data
- .rodata:00404550 0000001B C could not open tmp file %s
- .rodata:0040457C 00000010 C create_tar_file
- .rodata:0040475C 00000022 C error create new_sock in put port
- .rodata:00404364 0000001B C file upload will be empty!
- .rodata:0040453C 00000013 C file:%s not found.
- .rodata:00404348 00000008 C ftp bye
- .rodata:00404304 00000009 C ftp init
- .rodata:00404310 0000000A C ftp login
- .rodata:00404340 00000008 C ftp put
- .rodata:00404840 0000000A C ftp_close
- .rodata:004047F8 00000012 C ftp_srvname=[%s]\n
- .rodata:0040431C 00000022 C function[%s] line[%d] errno=[%d]\n
- .rodata:00404594 0000000C C get_wan_mac
- .rodata:004041DC 00000008 C len:%d\n
- .rodata:00404720 00000009 C listen()
- .rodata:004047A8 0000001E C local file %s doesn't exist!\n
- .rodata:004044C0 00000010 C mac string=[%s]
- .rodata:00404418 0000000E C mac_addr=[%s]
- .rodata:0040458C 00000005 C main
- .rodata:00404470 00000005 C null
- .rodata:004043EC 0000001C C nvram get et0macaddr error!
- .rodata:00404684 0000000B C send error
- .rodata:004046D4 0000000B C set socket
- .rodata:004046BC 00000018 C set socket %s errno:%d\n
- .rodata:00404650 00000011 C set socket error
- .rodata:004046B0 00000009 C socket()
- .rodata:004042EC 00000016 C target directory=[%s]
- .rodata:004044D8 0000000B C tmpcathpkt
- .rodata:004043AC 00000017 C upload filename error!
- .rodata:00404444 0000001A C upload time interval=[%d]
- .rodata:00404428 00000019 C upload time set default.
- .rodata:00404570 0000000C C upload_data
- .rodata:004045D0 00000012 C upload_ftp_passwd
- .rodata:004047E4 00000012 C upload_ftp_server
- .rodata:004043C4 00000019 C upload_ftp_time_interval
- .rodata:0040472C 00000010 C upload_ftp_user
- .rodata:004043E0 0000000B C wan_hwaddr
运行以后会创建/tmp/cathpkt 明文文件,用来保存上网记录,如果想查看直接cat /tmp/cathpkt
压缩前使用openssl 加密 (openssl enc -aes-128-cbc -in %s -out %s -k %s)
文件名 /tmp/时间戳_SN0000_MAC地址.tar
如果想查看压缩后的文件
先解压
tar zxf 20160114XXXXXX_SN0000_XXXXXXXXXXXX.tar
得到 20160114XXXXXX_SN0000_XXXXXXXXXXXX 继续解压
tar xf 20160114XXXXXX_SN0000_XXXXXXXXXXXX
得到20160114XXXXXX_SN0000_XXXXXXXXXXXX.data
使用openssl解密成222.txt
openssl aes-128-cbc -d -k 0123456789ABCDEF0123456789ABCDEF -in 20160114XXXXXX_SN0000_XXXXXXXXXXXX.data -out 222.txt
cat 222.txt可以查看
默认nvram配置包括ftp账号密码在/lib/libshared.so里面
初始化后保存在nvram里面
# nvram show | grep ftp
size: 12081 bytes (20687 left)
upload_ftp_server=soho.wifibase.ftp.phicomm.com
upload_ftp_user=ftpuser
alg_tftp_enable=1
upload_ftp_passwd=feixun*123
alg_ftp_enable=1
关闭cathpkt
killall cathpkt
删除cathpkt
rm /bin/cathpkt
卸载模块
rmmod /lib/modules/cathpkt.ko
这样可以临时关闭,但是系统采用的ramfs,重启就会恢复
暂时解决方法:
把nvram配置里的服务器、账号、密码改成错误或不存在的
nvram set upload_ftp_server=xxx.com
nvram set upload_ftp_user=xxx
nvram set upload_ftp_passwd=xxx
保存
nvram commit
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?注册
x
评分
-
2
查看全部评分
-
|
