BSNL router hacking and possibility of running custom code over it


Hi all,
I am sorry I have been inactive due to my job, i actually got free this weekend and there we go, i was at home. At home I am having BSNL connection, and for those who dont know what BSNL is, its the AT&T of India, bad service , too much blank spots and connections which flap/drop/disconnect like there is no tomorrow. Worst, I was on my android, trying to get the latest of cyanogen nightlies .  I was frustrated by the services of BSNL. Hence I decided to mess with the router itself. 

BSNL router on closer inspection is manufactured by SemIndia and distributed by ITI. It follows the tracks of using firmware of different routers (Broadcom to be specific, BCM6338 stands for Broadcom router firmware version 96338, deployed in US robotics ones and some other popular routers). mine is DNA-A211-1 , one of most popular ones in India.



and then its just configured accordingly wrt ISP. This time, I left the network part, as i do it all the time in my office with Cisco, focused more on the router and firmware itself.


Warning : 
I am not responsible for getting your router trashed, getting wings and trying to kill you. try on your own risk, I am not responsible for your stupidity.


I didn't had a PC (trashed due to burnt ram), so I have to do everything on my android, so pardon for small screen area, understand my plight. T-netted into Router
(PS : screencaps of android may be a bit distorted as shootme app was not working properly over nightly #120)




the first step was to know what was into it, so typed the usual help.



lots of commands :) ran swversion to get the version and see what was this upto. 
With some hunting , i came to know that "sh" command runs over my router , ran it and voila, familiar interface of busybox snaps in.



great..now thats worth something. My android has it too :)) seeing the version made me tick , it was running an older version of busybox. For those who don't know hat busybox is, its a multicall binary. Tried ls, but it didnt worked, hence tried echo *, listed everything :)



bingo..tried cat /etc/passwd and there we go again.




after that, i thought why not to check what other directories have. got into CVS and got information regarding CVS and pserver, noteworthy one is the credentials of pserver



pserver:sunila@192.168.128.19:/home/cvsroot

not much of an interest as they are of a private LAN, googled to find it was configured by Sunil A, employee at SIEMIndia. Again,opened Repository



SemIndia/Engineering/Products/ADSL2Plus/Integ_Source/targets/fs.src

maybe a private repo at SIEM. neverthless..

moved on to /etc



lots of directories here..as a rule of thumb I opened default.cfg



Generic stuff, but what caught my eye was this 

<ppp_conId1 userName="multiplay" password="bXVsdGlwbGF5"

This might come in handy (use your creativity :)) ) . But then I thought that why not to access the router from web interface. I did it.
Went to management and downloaded the backupsettings.conf file, 




opened it and there we go,



I was not able to find the above credentials in it, hence I came to a conclusion that they must be somewhat of higher privilege level.
Moving on..I thought why not to try to create an arbitrary file . Tried
echo ‘rishrockz’ >> rdx

on every directory (I was not able to determine the file permissions as the version of busybox doesn’t has ls or stat ) Finally came to know that /var is writable. Tried creating a file there
echo ‘rishrockz’ >> rdx
file was created : )))))
and then
cat /var/rdx

: ))))
Congrats, you have run/done it :) )
Now I thought why not to upgrade busybox/upgrade firmware/upload scripts over the router, tried tftp

didn’t worked. Then I checked if the tftp daemon was running as a service, it was. yet somehow I was not able to run it. :(

Strange. I thought forget it (small screen keyboard and android research limitation -> frustration) . Well.. next time I will be thinking of going to compile programs (http://people.debian.org/~debacle/cross/ and copying over them using echo (once I get a PC) , I have got some nice ideas and will be deploying them .
In the mean time, for those who are wondering what this machine has, here is the bootup log.

  1. Observation 1 #  - code can be run over the router , but files must be copied using echo (-ne with append option)  or tftp.  Since busybox is there, we can easily insert a kernel module to be run.
  2. Observation 2# -  the webs directory has a lot of html files, maybe manipulated for xss attacks (i didnt covered it as its not my domain, some better guys can do it)
  3. Observation 3# - private CVS credentials of Siemindia pserver. insider attack ? :D kidding. pserver is already much insecure, but since i have seen a lot of organisations using stock/easily guessable passwords for their outer router/firewalls/vpn servers, its not a tough nut to crack.
  4. Observation 4# (most important) - BSNL SUCKS !


Till then .. Stay Gold

-
Rishabh Dangwal


19 comments:

  1. Hello, Rishabh,
    Very Nice to see that somebody else too figured it out. :)
    I tried it once on ZXDSL 531B router. DNA model is quite rare now-a-days.
    There ain't CVS dir in that model but nonetheless I was able to override services like dnsspoof, upnp, etc. and do crazy stuff with openssl (Got an error), kill, etc.

    Bytheway, its SVW is TJM55002.

    ReplyDelete
  2. amazing :) I guess we can share the research . There is lot I need to document , but cant as i dont have a aPC/laptop with me.

    ReplyDelete
  3. Sir, Amazing article, but being quite enthusiatic, can you tell me that how you connected your android to the Router. I mean that bloack interface was on you android. How you did it interfacing with router in Linux Like Terminal ? 

    ReplyDelete
  4. Sure. Well I'm amazed you researched so deep in just frustration. Haha. Kudos to you.
    Anyway, the 'mnt' too has write access. So what I did was, invoked the busybox shell:
    /mnt/lg/user/bin/busybox ash
    I tried to upgrade version from debian repository (static busybox, As I was just checking if we can upgrade or degrade the versions. )

    Created the mkln.sh for the statics version. xD and ran it to extract all the files. I don't remember if i entered debug or something like that. Let me know if that ticks to you.
    You stay Gold! :)

    ReplyDelete
  5. Superb yar !!!

    ReplyDelete
  6. wow..i actually tried creating a kernel module to load it using a echo-ne perl script, the method works and it can be used to run code over my router. Regarding /mnt, i will try it and revert back to you with some results,.

    PS : did you tried running custom firmware over your router ? (DD WRT/Tomato?)

    Regarding frustration, well, try using an internet connection that disconnects every 15 seconds, while you are downloading firmware for your phone , try contacting a customer care that hasnt responded in last 5 days, and on the IVR, it has looping options that lead to no where (http://theoatmeal.com/comics/customer_service) 
    :D I guess you can understand my pain :).

    ReplyDelete
  7. simple, its a wifi router, i connected to it using wifi and then t-netted the gateway.

    ReplyDelete
  8. Good experiences to sharing about the bsnl router hacking and possibility ,thanks for great sharing.blog hosting review

    ReplyDelete
  9. So I see the problem. Are you using DNA model for 6+ months? I assume you're a heavy user (so am I) and trust me DNA II is the best model BSNL provides (In terms of wifi network and performance). However, it will not survive more than 7-8 months of usage (sounds omniscient, right? But I had two of them, none of which survived more that 7 months). They began to restart automatically, packet loss transition (courtosy : Wireshark Analysis) and other DMZ related problems (if you configure that).
    Its time to change that router, but get DNA again, if you can get one.

    I want AutoAP installed on my router, but basic firmware won't allow that. Moreover, I think some of WRT54 based firmwares will work.
    And about the firmware part, I first thought that without flashing it won't work, but then I had some success with hexing thingy. (Didn't try hard enough, though). Let me know what works, and bytheway, you stay gold.

    P.S : I'm already an Oatmeal fan. :)

    ReplyDelete
  10.  hacking karna ankit fadia se seekho,he is baap of all hackers

    ReplyDelete
  11. Kidding ..right?

    -sent from my android-

    ReplyDelete
  12. hey man ur just awesome !!! tho im a kid in hacking and din understand three fourth of ur doc ,it just gave me a feeling ur gr8 !! well act i really want to get into these geeky stuffs of hacking( basic) ..please can u guide me with some books etc..i kno programming the languages but not scripting :(

    ReplyDelete
  13. hello bro
    i want to hack tatadocomo's 3g
    @ present i'm using 2g plans on 3g's network my mobile is c6-00, i'm gettting better connectivity but not speed i get only 15-20kbps hw i cn get full speed from 2g's plzn plz tell me. How to learn it and apply it.
    Thanks
    Nikhil D Princehello bro
    i want to hack tatadocomo's 3g
    @ present i'm using 2g plans on 3g's network my mobile is c6-00, i'm gettting better connectivity but not speed i get only 15-20kbps hw i cn get full speed from 2g's plzn plz tell me. How to learn it and apply it.
    Thanks
    Nikhil D Prince

    ReplyDelete
  14. Every ISP in India Sucks!!

    ReplyDelete
  15. this one is awesome... thanks.. it worked :-)

    ReplyDelete
  16.  Thank you Rishabh for this great article. Please tell me that how did you found busybox was running inside the router.

    ReplyDelete
  17. Please don't call this hacking, you were discovering things, that it. 
    Btw, most routers ship with busybox.

    ReplyDelete

Need to say something ? Spell it out :)