# Exploit Title: AirMaster3000m Multiple backdoors
# Date: 29/11/2018
# Exploit Author: Koorosh Ghorbani
# Vendor Homepage: http://mobinnet.ir/
# Firmware Version: V2.0.1B1053
The disassembled `GoAhead` binary shows multiple backdoors:
# Excerpt from the middle of a function (MIPS, IDA-style listing); the function's
# entry, its exit and the code at loc_462788 are not part of this excerpt.
#
# Reading notes:
#  - Branch delay slots: the instruction printed directly after each jalr/beqz
#    executes before the jump takes effect. Here a delay slot either finishes
#    the argument setup of the call or saves the result of the previous call.
#  - String addresses are built as the aMMallocFailure symbol plus an offset
#    written relative to 0x4F0000 (presumably that symbol's address); the
#    string actually referenced is the one in the trailing comment.
#  - $gp is reloaded from the stack frame after every call.
#
# Six NVRAM keys are fetched, each via nvram_bufget with first argument 2
# (the meaning of 2 is not shown here) and the key name as second argument:
#   "Login"    -> $s4            "Password"      -> 0x48+var_30($sp)
#   "GuestId"  -> $s5            "GuestPassword" -> 0x48+var_2C($sp)
#   "VipLogin" -> $s3            "VipPassword"   -> $fp
# NOTE(review): three login/password pairs are loaded side by side before the
# first comparison, so changing only one account's password would presumably
# leave the other two usable; confirm against the rest of the function.

# --- nvram_bufget(2, "Login") ---
la $a1, aMMallocFailure # "m malloc failure"
la $t9, nvram_bufget
addiu $a1, (aLogin - 0x4F0000) # "Login"
jalr $t9 ; nvram_bufget
# delay slot: first argument = 2
li $a0, 2
lw $gp, 0x48+var_38($sp)
# $s4 = value returned for "Login"
move $s4, $v0
# --- nvram_bufget(2, "Password") ---
la $v0, aMMallocFailure # "m malloc failure"
la $t9, nvram_bufget
li $a0, 2
jalr $t9 ; nvram_bufget
# delay slot: second argument = address of "Password"
addiu $a1, $v0, (aAccessDeniedWr+0x14 - 0x4F0000) # "Password"
lw $gp, 0x48+var_38($sp)
# --- nvram_bufget(2, "GuestId") ---
li $a0, 2
la $a1, aMMallocFailure # "m malloc failure"
la $t9, nvram_bufget
addiu $a1, (aGuestid - 0x4F0000) # "GuestId"
jalr $t9 ; nvram_bufget
# delay slot: $v0 still holds the "Password" result; spill it to var_30
sw $v0, 0x48+var_30($sp)
lw $gp, 0x48+var_38($sp)
# $s5 = value returned for "GuestId"
move $s5, $v0
# --- nvram_bufget(2, "GuestPassword") ---
la $v0, aMMallocFailure # "m malloc failure"
la $t9, nvram_bufget
li $a0, 2
jalr $t9 ; nvram_bufget
# delay slot: second argument = address of "GuestPassword"
addiu $a1, $v0, (aGuestpassword - 0x4F0000) # "GuestPassword"
lw $gp, 0x48+var_38($sp)
# --- nvram_bufget(2, "VipLogin") ---
li $a0, 2
la $a1, aMMallocFailure # "m malloc failure"
la $t9, nvram_bufget
addiu $a1, (aViplogin - 0x4F0000) # "VipLogin"
jalr $t9 ; nvram_bufget
# delay slot: $v0 still holds the "GuestPassword" result; spill it to var_2C
sw $v0, 0x48+var_2C($sp)
lw $gp, 0x48+var_38($sp)
# $s3 = value returned for "VipLogin"
move $s3, $v0
# --- nvram_bufget(2, "VipPassword") ---
la $v0, aMMallocFailure # "m malloc failure"
la $t9, nvram_bufget
li $a0, 2
jalr $t9 ; nvram_bufget
# delay slot: second argument = address of "VipPassword"
addiu $a1, $v0, (aVippassword - 0x4F0000) # "VipPassword"
lw $gp, 0x48+var_38($sp)
# --- strcmp($s1, $s4): compare $s1 with the NVRAM "Login" value ---
# $s1 is set before this excerpt; presumably the user name submitted by the
# client (TODO confirm against the start of the function).
move $a0, $s1 # s1
la $t9, strcmp
move $a1, $s4 # s2
jalr $t9 ; strcmp
# delay slot: $v0 still holds the "VipPassword" result; keep it in $fp
move $fp, $v0
lw $gp, 0x48+var_38($sp)
# strcmp returned 0 (strings equal) -> branch to loc_462788
beqz $v0, loc_462788
# delay slot: executes on both paths; reloads $a0 with $s1
move $a0, $s1 # s1
`nvram_bufget` reads values from NVRAM; the NVRAM dump shows the following credentials stored in cleartext:
Login=Root
Password=PWDd0N~WH*4G#DN
VipLogin=VIP
VipPassword=V!P83869000
GuestId=admin
GuestPassword=admin
The full NVRAM dump file(s) exist under /tmp/nvramconfig.
Default Credentials :
admin:admin
Backdoor Credentials :
VIP:V!P83869000
Root:PWDd0N~WH*4G#DN