AirMaster 3000m Multiple Backdoors

2018.11.30
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: AirMaster3000m Multiple backdoors
# Date: 29/11/2018
# Exploit Author: Koorosh Ghorbani
# Vendor Homepage: http://mobinnet.ir/
# Firmware Version: V2.0.1B1053

The disassembled `GoAhead` binary shows multiple backdoors:

    la      $a1, aMMallocFailure  # "m malloc failure"
    la      $t9, nvram_bufget
    addiu   $a1, (aLogin - 0x4F0000)  # "Login"
    jalr    $t9 ; nvram_bufget
    li      $a0, 2
    lw      $gp, 0x48+var_38($sp)
    move    $s4, $v0
    la      $v0, aMMallocFailure  # "m malloc failure"
    la      $t9, nvram_bufget
    li      $a0, 2
    jalr    $t9 ; nvram_bufget
    addiu   $a1, $v0, (aAccessDeniedWr+0x14 - 0x4F0000)  # "Password"
    lw      $gp, 0x48+var_38($sp)
    li      $a0, 2
    la      $a1, aMMallocFailure  # "m malloc failure"
    la      $t9, nvram_bufget
    addiu   $a1, (aGuestid - 0x4F0000)  # "GuestId"
    jalr    $t9 ; nvram_bufget
    sw      $v0, 0x48+var_30($sp)
    lw      $gp, 0x48+var_38($sp)
    move    $s5, $v0
    la      $v0, aMMallocFailure  # "m malloc failure"
    la      $t9, nvram_bufget
    li      $a0, 2
    jalr    $t9 ; nvram_bufget
    addiu   $a1, $v0, (aGuestpassword - 0x4F0000)  # "GuestPassword"
    lw      $gp, 0x48+var_38($sp)
    li      $a0, 2
    la      $a1, aMMallocFailure  # "m malloc failure"
    la      $t9, nvram_bufget
    addiu   $a1, (aViplogin - 0x4F0000)  # "VipLogin"
    jalr    $t9 ; nvram_bufget
    sw      $v0, 0x48+var_2C($sp)
    lw      $gp, 0x48+var_38($sp)
    move    $s3, $v0
    la      $v0, aMMallocFailure  # "m malloc failure"
    la      $t9, nvram_bufget
    li      $a0, 2
    jalr    $t9 ; nvram_bufget
    addiu   $a1, $v0, (aVippassword - 0x4F0000)  # "VipPassword"
    lw      $gp, 0x48+var_38($sp)
    move    $a0, $s1  # s1
    la      $t9, strcmp
    move    $a1, $s4  # s2
    jalr    $t9 ; strcmp
    move    $fp, $v0
    lw      $gp, 0x48+var_38($sp)
    beqz    $v0, loc_462788
    move    $a0, $s1  # s1

nvram_bufget refers to "NVRAM"; the NVRAM dump shows the following credentials:

    Login=Root
    Password=PWDd0N~WH*4G#DN
    VipLogin=VIP
    VipPassword=V!P83869000
    GuestId=admin
    GuestPassword=admin

The full NVRAM dump file(s) exist under /tmp/nvramconfig

Default Credentials:
admin:admin

Backdoor Credentials:
VIP:V!P83869000
Root:PWDd0N~WH*4G#DN
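An added example (not part of the original advisory): a Python audit that parses a key=value NVRAM dump and reports the account pairs the disassembly shows GoAhead reading, without echoing any password. The one-setting-per-line dump format, the function names and the sample values are assumptions; treating only GuestId as the documented account follows the advisory's default/backdoor split.

```python
"""Audit a key=value NVRAM dump for the account pairs the GoAhead binary reads."""

# NVRAM keys taken from the nvram_bufget calls in the disassembly above.
ACCOUNT_KEYS = [("Login", "Password"),
                ("GuestId", "GuestPassword"),
                ("VipLogin", "VipPassword")]


def parse_nvram(text):
    """Parse Key=Value lines, splitting on the first '=' only:
    values may themselves contain '=' or '#', so neither is special."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip()] = value
    return settings


def audit_accounts(text, documented=("GuestId",)):
    """Return one finding per populated account pair, never echoing the password.
    `documented` (assumption) lists the user keys the owner is told about."""
    settings = parse_nvram(text)
    findings = []
    for user_key, pass_key in ACCOUNT_KEYS:
        user, password = settings.get(user_key, ""), settings.get(pass_key, "")
        if not user:
            continue
        issues = []
        if user_key not in documented:
            issues.append("undocumented account")
        if not password:
            issues.append("empty password")
        elif password.lower() == user.lower():
            issues.append("password equals username")
        findings.append({"key": user_key, "user": user, "issues": issues})
    return findings


# Constructed sample dump (placeholder values, not the device's real settings).
SAMPLE_DUMP = """\
WANType=dhcp
Login=svc-root
Password=Ex#ample=1
VipLogin=svc-vip
VipPassword=
GuestId=admin
GuestPassword=admin
"""

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_DUMP):
        print(f"{f['key']}: user={f['user']!r} -> {', '.join(f['issues']) or 'ok'}")
```

Any account flagged as undocumented is one the device owner cannot see or change from the web interface, which is the condition the advisory reports for the Root and VIP logins.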



Copyright 2018, cxsecurity.com

 
