[Zero-day] 취약점 탐색 - 정적분석 시작

goldenGlow_21·2025년 3월 19일

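파일 구조 분석

추출한 펌웨어(TOTOLINK A3002R, V4.0.0-B20230531.1404)의 squashfs-root에서 `ls -alR`로 전체 파일 구조를 확인한다. 수정 시각이 Feb 20 10:12이고 `/dev/null`을 가리키는 심볼릭 링크(`etc/shadow`, `tmp`, `web/config.dat` 등)는 추출 과정에서 대상이 치환된 것으로 보이므로, 실제 펌웨어의 링크 대상으로 해석하면 안 된다.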

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ ls -alR
.:
total 56
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 .
drwxrwxr-x  4 kali kali 4096 Feb 20 10:12 ..
drwxrwxr-x  2 kali kali 4096 May 31  2023 bin
drwxrwxr-x  2 kali kali 4096 May 31  2023 boot
drwxrwxr-x  6 kali kali 4096 Feb 20 10:12 dev
drwxrwxr-x  9 kali kali 4096 Feb 20 10:12 etc
drwxrwxr-x  2 kali kali 4096 May 31  2023 home
lrwxrwxrwx  1 kali kali    8 May 31  2023 init -> bin/init
drwxrwxr-x  3 kali kali 4096 May 31  2023 lib
drwxrwxr-x  2 kali kali 4096 May 31  2023 mnt
drwxrwxr-x  2 kali kali 4096 May 31  2023 proc
lrwxrwxrwx  1 kali kali    9 Feb 20 10:12 root -> /dev/null
drwxrwxr-x  2 kali kali 4096 May 31  2023 sys
lrwxrwxrwx  1 kali kali    9 Feb 20 10:12 tmp -> /dev/null
drwxrwxr-x  4 kali kali 4096 May 31  2023 usr
drwxrwxr-x  2 kali kali 4096 May 31  2023 var
drwxrwxr-x  8 kali kali 4096 Feb 20 10:12 web

./bin:
total 6580
drwxrwxr-x  2 kali kali   4096 May 31  2023 .
drwxrwxr-x 14 kali kali   4096 Feb 20 10:12 ..
-rwxr-xr-x  1 kali kali  10032 May 31  2023 acltd
lrwxrwxrwx  1 kali kali      7 May 31  2023 addgroup -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 adduser -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 ash -> busybox
-rwxrwxr-x  1 kali kali 109996 May 31  2023 auth
lrwxrwxrwx  1 kali kali      7 May 31  2023 awk -> busybox
-rwxr-xr-x  1 kali kali  13788 May 31  2023 batchUpgrade
-rwxr-xr-x  1 kali kali  13788 May 31  2023 batchUpgrades
-rwxrwxr-x  1 kali kali 499956 May 31  2023 boa
-rwxrwxr-x  1 kali kali  21648 May 31  2023 brctl
lrwxrwxrwx  1 kali kali      7 May 31  2023 bunzip2 -> busybox
-rwxrwxr-x  1 kali kali 378028 May 31  2023 busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 bzcat -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 cat -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 chgrp -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 chmod -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 chown -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 chpasswd -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 chroot -> busybox
-rwxr-xr-x  1 kali kali     40 May 31  2023 cmd
-rwxr-xr-x  1 kali kali     40 May 31  2023 cmd1
-rwxr-xr-x  1 kali kali     34 May 31  2023 connect6.sh
-rwxr-xr-x  1 kali kali     32 May 31  2023 connect.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 cp -> busybox
-rwxr-xr-x  1 kali kali     47 May 31  2023 crc
-rwxr-xr-x  1 kali kali     47 May 31  2023 crc1
-rwxr-xr-x  1 kali kali  57836 May 31  2023 crpc
lrwxrwxrwx  1 kali kali      7 May 31  2023 cut -> busybox
-rwxrwxr-x  1 kali kali 471600 May 31  2023 cwmpClient
lrwxrwxrwx  1 kali kali      7 May 31  2023 date -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 dd -> busybox
-rwxrwxr-x  1 kali kali  11772 May 31  2023 ddns_inet
lrwxrwxrwx  1 kali kali      7 May 31  2023 delgroup -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 deluser -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 depmod -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 df -> busybox
-rwxrwxr-x  1 kali kali 139988 May 31  2023 dhcp6c
-rwxr-xr-x  1 kali kali   1080 May 31  2023 dhcp6cRcv.sh
-rwxrwxr-x  1 kali kali  14588 May 31  2023 dhcp6ctl
-rwxrwxr-x  1 kali kali 129476 May 31  2023 dhcp6s
lrwxrwxrwx  1 kali kali      7 May 31  2023 diff -> busybox
-rwxr-xr-x  1 kali kali     28 May 31  2023 disconnect.sh
-rwxrwxr-x  1 kali kali  37868 May 31  2023 dnrd
-rwxrwxr-x  1 kali kali  95276 May 31  2023 dnsmasq
-rwxrwxr-x  1 kali kali   6620 May 31  2023 dnsspoof
lrwxrwxrwx  1 kali kali      7 May 31  2023 du -> busybox
-rwxr-xr-x  1 kali kali    207 May 31  2023 dw
-rwxr-xr-x  1 kali kali   2828 May 31  2023 ebtables
-rwxr-xr-x  1 kali kali   6476 May 31  2023 ebtables-restore
-rwxr-xr-x  1 kali kali   1663 May 31  2023 ebtables-save
lrwxrwxrwx  1 kali kali      7 May 31  2023 echo -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 egrep -> busybox
-rwxr-xr-x  1 kali kali    123 May 31  2023 ew
lrwxrwxrwx  1 kali kali      7 May 31  2023 expr -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 false -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 fdisk -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 fgrep -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 find -> busybox
-rwxr-xr-x  1 kali kali     32 May 31  2023 firewall.sh
-rwxrwxr-x  1 kali kali  96780 May 31  2023 flash
lrwxrwxrwx  1 kali kali      7 May 31  2023 free -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 fsck -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 ftpget -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 ftpput -> busybox
-rwxr-xr-x  1 kali kali  10300 May 31  2023 fwd
-rwxr-xr-x  1 kali kali     62 May 31  2023 fwdbg
-rwxr-xr-x  1 kali kali  10300 May 31  2023 fwds
-rwxr-xr-x  1 kali kali     98 May 31  2023 getmib
-rwxr-xr-x  1 kali kali     98 May 31  2023 getmib1
lrwxrwxrwx  1 kali kali      7 May 31  2023 getty -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 grep -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 halt -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 head -> busybox
-rwxr-xr-x  1 kali kali  90536 May 31  2023 hle_entity
lrwxrwxrwx  1 kali kali      7 May 31  2023 hostname -> busybox
-rwxrwxr-x  1 kali kali  12620 May 31  2023 iapp
-rwxr-xr-x  1 kali kali    104 May 31  2023 ib
-rwxr-xr-x  1 kali kali    104 May 31  2023 ib1
-rwxr-xr-x  1 kali kali    105 May 31  2023 id1
-rwxr-xr-x  1 kali kali    105 May 31  2023 idd
-rwxr-xr-x  1 kali kali    105 May 31  2023 idd1
lrwxrwxrwx  1 kali kali      7 May 31  2023 ifconfig -> busybox
-rwxrwxr-x  1 kali kali  20812 May 31  2023 igmpproxy
lrwxrwxrwx  1 kali kali      7 May 31  2023 init -> busybox
-rwxr-xr-x  1 kali kali    116 May 31  2023 init.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 insmod -> busybox
-rwxrwxr-x  1 kali kali 178500 May 31  2023 ip
-rwxrwxr-x  1 kali kali 253588 May 31  2023 ip6tables
-rwxr-xr-x  1 kali kali     72 May 31  2023 ip_qos.sh
-rwxrwxr-x  1 kali kali 275796 May 31  2023 iptables
-rwxrwxr-x  1 kali kali  24428 May 31  2023 ipv6_manage_inet
-rwxr-xr-x  1 kali kali    111 May 31  2023 irf
-rwxr-xr-x  1 kali kali    111 May 31  2023 irf1
-rwxr-xr-x  1 kali kali    104 May 31  2023 iw
-rwxr-xr-x  1 kali kali    104 May 31  2023 iw1
-rwxrwxr-x  1 kali kali  33108 May 31  2023 iwcontrol
-rwxrwxr-x  1 kali kali  23716 May 31  2023 iwpriv
lrwxrwxrwx  1 kali kali      7 May 31  2023 kill -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 killall -> busybox
-rwxr-xr-x  1 kali kali    301 May 31  2023 killsh.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 klogd -> busybox
-rwxrwxr-x  1 kali kali  86220 May 31  2023 l2tpd
-rwxr-xr-x  1 kali kali     27 May 31  2023 l2tp.sh
-rwxr-xr-x  1 kali kali  48196 May 31  2023 lld2d
lrwxrwxrwx  1 kali kali      7 May 31  2023 ln -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 login -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 ls -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 lsmod -> busybox
-rwxrwxr-x  1 kali kali  82732 May 31  2023 main_lc5761
-rwxr-xr-x  1 kali kali  91676 May 31  2023 map_agent
-rwxr-xr-x  1 kali kali   4636 May 31  2023 map_checker
-rwxr-xr-x  1 kali kali 100972 May 31  2023 map_controller
-rwxr-xr-x  1 kali kali   3004 May 31  2023 map_del_device
-rwxrwxr-x  1 kali kali  29580 May 31  2023 map_reinit
-rwxrwxr-x  1 kali kali   4332 May 31  2023 map_reset
-rwxrwxr-x  1 kali kali  25456 May 31  2023 Mcli
lrwxrwxrwx  1 kali kali      7 May 31  2023 md5sum -> busybox
-rwxrwxr-x  1 kali kali   3004 May 31  2023 MeshAgent_Start
-rwxr-xr-x  1 kali kali   3468 May 31  2023 meshconf
-rwxrwxr-x  1 kali kali 102988 May 31  2023 miniigd
lrwxrwxrwx  1 kali kali      7 May 31  2023 mkdir -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 mknod -> busybox
-rwxrwxr-x  1 kali kali  25708 May 31  2023 mldproxy
-rwxr-xr-x  1 kali kali    182 May 31  2023 mmd_cmdr
-rwxr-xr-x  1 kali kali    196 May 31  2023 mmd_cmdw
lrwxrwxrwx  1 kali kali      7 May 31  2023 modprobe -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 mount -> busybox
-rwxr-xr-x  1 kali kali    803 May 31  2023 mp_98c.sh
-rwxr-xr-x  1 kali kali    678 May 31  2023 mp.sh
-rwxrwxr-x  1 kali kali  45952 May 31  2023 Mser
-rwxr-xr-x  1 kali kali     46 May 31  2023 mu
lrwxrwxrwx  1 kali kali      7 May 31  2023 mv -> busybox
-rwxrwxr-x  1 kali kali 187492 May 31  2023 ndppd
lrwxrwxrwx  1 kali kali      7 May 31  2023 nice -> busybox
-rwxrwxr-x  1 kali kali  25828 May 31  2023 ntpclient
-rwxrwxr-x  1 kali kali  13228 May 31  2023 ntp_inet
-rwxr-xr-x  1 kali kali     27 May 31  2023 ntp.sh
-rwxr-xr-x  1 kali kali    115 May 31  2023 ob
-rwxr-xr-x  1 kali kali    115 May 31  2023 ob1
-rwxr-xr-x  1 kali kali    116 May 31  2023 od
-rwxr-xr-x  1 kali kali    116 May 31  2023 od1
-rwxr-xr-x  1 kali kali    122 May 31  2023 orf
-rwxr-xr-x  1 kali kali    122 May 31  2023 orf1
-rwxr-xr-x  1 kali kali    115 May 31  2023 ow
-rwxr-xr-x  1 kali kali    115 May 31  2023 ow1
-rwxrwxr-x  1 kali kali   3116 May 31  2023 Parac2d
-rwxrwxr-x  1 kali kali  17180 May 31  2023 parentcontrol
lrwxrwxrwx  1 kali kali      7 May 31  2023 passwd -> busybox
-rwxrwxr-x  1 kali kali  11900 May 31  2023 pctime
-rwxr-xr-x  1 kali kali    184 May 31  2023 phyr
-rwxr-xr-x  1 kali kali    151 May 31  2023 phyw
lrwxrwxrwx  1 kali kali      7 May 31  2023 ping -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 ping6 -> busybox
-rwxr-xr-x  1 kali kali     61 May 31  2023 post_startup.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 poweroff -> busybox
-rwxrwxr-x  1 kali kali 241172 May 31  2023 pppd
-rwxrwxr-x  1 kali kali  12748 May 31  2023 ppp_inet
-rwxr-xr-x  1 kali kali     49 May 31  2023 pppoe_conn_patch.sh
-rwxr-xr-x  1 kali kali     87 May 31  2023 pppoe_disc_patch.sh
-rwxr-xr-x  1 kali kali     30 May 31  2023 pppoe.sh
-rwxrwxr-x  1 kali kali  50160 May 31  2023 pptp
-rwxr-xr-x  1 kali kali     29 May 31  2023 pptp.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 ps -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 pwd -> busybox
-rwxrwxr-x  1 kali kali 163484 May 31  2023 radvd
-rwxrwxr-x  1 kali kali 115692 May 31  2023 radvdump
lrwxrwxrwx  1 kali kali      7 May 31  2023 reboot -> busybox
-rwxrwxr-x  1 kali kali   2796 May 31  2023 rebootschedule
-rwxrwxr-x  1 kali kali   2620 May 31  2023 rebootschedules
-rwxr-xr-x  1 kali kali     38 May 31  2023 rebootschedule.sh
-rwxr-xr-x  1 kali kali    111 May 31  2023 reinit.sh
-rwxrwxr-x  1 kali kali  10028 May 31  2023 reload
lrwxrwxrwx  1 kali kali      7 May 31  2023 renice -> busybox
-rwxrwxr-x  1 kali kali   2156 May 31  2023 reset
lrwxrwxrwx  1 kali kali      7 May 31  2023 rm -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 rmdir -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 rmmod -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 route -> busybox
-rwxrwxr-x  1 kali kali  39836 May 31  2023 routed
-rwxr-xr-x  1 kali kali     48 May 31  2023 rssi
-rwxr-xr-x  1 kali kali     48 May 31  2023 rssi1
-rwxr-xr-x  1 kali kali     40 May 31  2023 script_check_l2tp_status.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 sed -> busybox
-rwxr-xr-x  1 kali kali    108 May 31  2023 setmib
-rwxr-xr-x  1 kali kali    108 May 31  2023 setmib1
-rwxr-xr-x  1 kali kali   1251 May 31  2023 set_rx_gain_from_flash.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 sh -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 sleep -> busybox
-rwxr-xr-x  1 kali kali   1361 May 31  2023 smb.sh
-rwxr-xr-x  1 kali kali   2406 May 31  2023 snmpd.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 start-stop-daemon -> busybox
-rwxr-xr-x  1 kali kali   1117 May 31  2023 startup.sh
lrwxrwxrwx  1 kali kali      7 May 31  2023 sync -> busybox
-rwxrwxr-x  1 kali kali 169420 May 31  2023 sysconf
lrwxrwxrwx  1 kali kali      7 May 31  2023 syslogd -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 tail -> busybox
-rwxrwxr-x  1 kali kali 210136 May 31  2023 tc
lrwxrwxrwx  1 kali kali      7 May 31  2023 telnetd -> busybox
-rwxrwxr-x  1 kali kali 169404 May 31  2023 timelycheck
lrwxrwxrwx  1 kali kali      7 May 31  2023 top -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 touch -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 tr -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 traceroute -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 true -> busybox
lrwxrwxrwx  1 kali kali      6 May 31  2023 udhcpc -> udhcpd
-rwxrwxr-x  1 kali kali  47452 May 31  2023 udhcpd
-rwxrwxr-x  1 kali kali  10252 May 31  2023 UDPserver
lrwxrwxrwx  1 kali kali      7 May 31  2023 umount -> busybox
-rwxrwxr-x  1 kali kali 145512 May 31  2023 updatedd
lrwxrwxrwx  1 kali kali      7 May 31  2023 uptime -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 vconfig -> busybox
lrwxrwxrwx  1 kali kali      7 May 31  2023 vi -> busybox
-rwxrwxr-x  1 kali kali   5244 May 31  2023 watchdog
lrwxrwxrwx  1 kali kali      7 May 31  2023 wc -> busybox
-rwxr-xr-x  1 kali kali 669868 May 31  2023 wget
-rwxr-xr-x  1 kali kali     31 May 31  2023 wlanapp.sh
-rwxrwxr-x  1 kali kali 285084 May 31  2023 wscd
lrwxrwxrwx  1 kali kali      7 May 31  2023 xargs -> busybox

./boot:
total 8
drwxrwxr-x  2 kali kali 4096 May 31  2023 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..

./dev:
total 24
drwxrwxr-x  6 kali kali 4096 Feb 20 10:12 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..
lrwxrwxrwx  1 kali kali    9 Feb 20 10:12 log -> /dev/null
drwxrwxr-x  2 kali kali 4096 May 31  2023 misc
drwxrwxr-x  2 kali kali 4096 May 31  2023 net
lrwxrwxrwx  1 kali kali    9 Feb 20 10:12 oprofile -> /dev/null
drwxrwxr-x  2 kali kali 4096 May 31  2023 pts
drwxrwxr-x  2 kali kali 4096 May 31  2023 voip

./dev/misc:
total 8
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 6 kali kali 4096 Feb 20 10:12 ..

./dev/net:
total 8
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 6 kali kali 4096 Feb 20 10:12 ..

./dev/pts:
total 8
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 6 kali kali 4096 Feb 20 10:12 ..

./dev/voip:
total 8
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 6 kali kali 4096 Feb 20 10:12 ..

./etc:
total 196
drwxrwxr-x  9 kali kali  4096 Feb 20 10:12 .
drwxrwxr-x 14 kali kali  4096 Feb 20 10:12 ..
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 boa -> /dev/null
drwxrwxr-x  2 kali kali  4096 May 31  2023 boa.org
-rwxr-xr-x  1 kali kali  1273 May 31  2023 cacert.pem
-rwxr-xr-x  1 kali kali  1391 May 31  2023 certificate.crt
-rwxr-xr-x  1 kali kali  3525 May 31  2023 client.pem
-rwxr-xr-x  1 kali kali    60 May 31  2023 crpc_url_head
-rwxr-xr-x  1 kali kali    16 May 31  2023 crpc_url_postfix
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 cwmp_config -> /dev/null
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 cwmp_default -> /dev/null
-rwxr-xr-x  1 kali kali    43 May 31  2023 DefaultCwmpNotify.txt
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 dnrd -> /dev/null
-rwxr-xr-x  1 kali kali 14805 May 31  2023 dnsmasq.conf
-rw-r--r--  1 kali kali  1362 May 31  2023 ethertypes
-rwxr-xr-x  1 kali kali    32 Aug 27  2019 group
-rwxr-xr-x  1 kali kali    17 Aug 27  2019 host.conf
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 hosts -> /dev/null
-rwxr-xr-x  1 kali kali  9662 May 31  2023 icon.ico
drwxr-xr-x  2 kali kali  4096 May 31  2023 init.d
-rwxr-xr-x  1 kali kali   309 May 31  2023 inittab
drwxr-xr-x  2 kali kali  4096 May 31  2023 iproute2
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 linuxigd -> /dev/null
-rwxr-xr-x  1 kali kali    54 May 31  2023 lld2d.conf
-rwxr-xr-x  1 kali kali  1552 Aug 27  2019 mime.types
-rwxr-xr-x  1 kali kali  2514 Sep  1  2020 minidlna.conf
-rwxr-xr-x  1 kali kali   334 Aug 27  2019 motd
-rwxr-xr-x  1 kali kali   592 May 31  2023 multiap.conf
-rwxr-xr-x  1 kali kali   224 May 31  2023 ndppd.conf
-rwxr-xr-x  1 kali kali    58 Jul 21  2020 passwd
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 ppp -> /dev/null
-rwxr-xr-x  1 kali kali  1704 May 31  2023 privateKey.key
-rwxr-xr-x  1 kali kali  3050 May 31  2023 radvd.conf
drwxrwxr-x  3 kali kali  4096 May 31  2023 rc.d
-rwxr-xr-x  1 kali kali  9662 May 31  2023 realsil_gw.ico
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 resolv.conf -> /dev/null
drwxr-xr-x  2 kali kali  4096 May 31  2023 samba
-rwxr-xr-x  1 kali kali  8251 Aug 27  2019 services
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 shadow -> /dev/null
-rwxr-xr-x  1 kali kali    87 Jul 21  2020 shadow.sample
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 simplecfg -> /dev/null
-rwxr-xr-x  1 kali kali  6199 May 31  2023 simplecfgservice.xml
drwxrwxr-x  2 kali kali  4096 May 31  2023 sysconfig
drwxrwxr-x  2 kali kali  4096 May 31  2023 tmp
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 TZ -> /dev/null
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 udhcpc -> /dev/null
lrwxrwxrwx  1 kali kali     9 Feb 20 10:12 udhcpd -> /dev/null
-rwxr-xr-x  1 kali kali  1359 Aug 27  2019 ushare.conf
-rw-rw-r--  1 kali kali    41 May 31  2023 version
-rwxr-xr-x  1 kali kali  4527 Sep  1  2020 vsftpd.conf
-rwxr-xr-x  1 kali kali  1995 May 31  2023 wscd.conf

./etc/boa.org:
total 24
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 9 kali kali 4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali 9607 May 31  2023 boa.conf
-rwxr-xr-x 1 kali kali 2118 May 31  2023 mime.types

./etc/init.d:
total 16
drwxr-xr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 9 kali kali 4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali 3393 May 31  2023 rcS
-rwxr-xr-x 1 kali kali 3394 Apr 16  2022 rcS_GW

./etc/iproute2:
total 12
drwxr-xr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 9 kali kali 4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali  114 Aug 27  2019 rt_tables

./etc/rc.d:
total 12
drwxrwxr-x 3 kali kali 4096 May 31  2023 .
drwxrwxr-x 9 kali kali 4096 Feb 20 10:12 ..
drwxrwxr-x 2 kali kali 4096 May 31  2023 init.d

./etc/rc.d/init.d:
total 12
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 3 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali 3374 May 31  2023 ebtables

./etc/samba:
total 24
drwxr-xr-x 2 kali kali  4096 May 31  2023 .
drwxrwxr-x 9 kali kali  4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali 10136 Aug 27  2019 smb.conf
-rwxr-xr-x 1 kali kali   104 Aug 27  2019 smbpasswd

./etc/sysconfig:
total 12
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 9 kali kali 4096 Feb 20 10:12 ..
-rw------- 1 kali kali 1390 May 31  2023 ebtables-config

./etc/tmp:
total 24
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 9 kali kali 4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali 2951 May 31  2023 picsdesc6.skl
-rwxr-xr-x 1 kali kali 2976 May 31  2023 picsdesc6.xml
-rwxr-xr-x 1 kali kali 2916 May 31  2023 picsdesc.skl
-rwxr-xr-x 1 kali kali 2941 May 31  2023 picsdesc.xml

./home:
total 8
drwxrwxr-x  2 kali kali 4096 May 31  2023 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..

./lib:
total 4176
drwxrwxr-x  3 kali kali    4096 May 31  2023 .
drwxrwxr-x 14 kali kali    4096 Feb 20 10:12 ..
lrwxrwxrwx  1 kali kali      19 May 31  2023 ld.so.0 -> ld-uClibc-0.9.33.so
-rwxr-xr-x  1 kali kali   28996 May 31  2023 ld-uClibc-0.9.33.so
lrwxrwxrwx  1 kali kali      14 May 31  2023 ld-uClibc.so -> ld-uClibc.so.0
lrwxrwxrwx  1 kali kali      19 May 31  2023 ld-uClibc.so.0 -> ld-uClibc-0.9.33.so
-rwxrwxr-x  1 kali kali  142304 May 31  2023 libapmib.so
-rwxrwxr-x  1 kali kali   36436 May 31  2023 libcjson.so
-rwxr-xr-x  1 kali kali   22756 May 31  2023 libcrypt-0.9.33.so
-rwxrwxr-x  1 kali kali 1617960 May 31  2023 libcrypto.so.1.0.0
lrwxrwxrwx  1 kali kali      13 May 31  2023 libcrypt.so -> libcrypt.so.0
lrwxrwxrwx  1 kali kali      18 May 31  2023 libcrypt.so.0 -> libcrypt-0.9.33.so
lrwxrwxrwx  1 kali kali      19 May 31  2023 libc.so.0 -> libuClibc-0.9.33.so
-rwxr-xr-x  1 kali kali   12492 May 31  2023 libdl-0.9.33.so
lrwxrwxrwx  1 kali kali      10 May 31  2023 libdl.so -> libdl.so.0
lrwxrwxrwx  1 kali kali      15 May 31  2023 libdl.so.0 -> libdl-0.9.33.so
-rwxr-xr-x  1 kali kali    3240 May 31  2023 libebt_802_3.so
-rwxr-xr-x  1 kali kali    1160 May 31  2023 libebtable_broute.so
-rwxr-xr-x  1 kali kali    1332 May 31  2023 libebtable_filter.so
-rwxr-xr-x  1 kali kali    1332 May 31  2023 libebtable_nat.so
-rwxr-xr-x  1 kali kali    7740 May 31  2023 libebt_among.so
-rwxr-xr-x  1 kali kali    3352 May 31  2023 libebt_arpreply.so
-rwxr-xr-x  1 kali kali    7804 May 31  2023 libebt_arp.so
-rwxr-xr-x  1 kali kali   62796 May 31  2023 libebtc.so
-rwxr-xr-x  1 kali kali   10288 May 31  2023 libebt_ip6.so
-rwxr-xr-x  1 kali kali    6468 May 31  2023 libebt_ip.so
-rwxr-xr-x  1 kali kali    4060 May 31  2023 libebt_limit.so
-rwxr-xr-x  1 kali kali    4644 May 31  2023 libebt_log.so
-rwxr-xr-x  1 kali kali    2472 May 31  2023 libebt_mark_m.so
-rwxr-xr-x  1 kali kali    3940 May 31  2023 libebt_mark.so
-rwxr-xr-x  1 kali kali    4924 May 31  2023 libebt_nat.so
-rwxr-xr-x  1 kali kali    3800 May 31  2023 libebt_nflog.so
-rwxr-xr-x  1 kali kali    3216 May 31  2023 libebt_pkttype.so
-rwxr-xr-x  1 kali kali    2456 May 31  2023 libebt_redirect.so
-rwxr-xr-x  1 kali kali    1748 May 31  2023 libebt_standard.so
-rwxr-xr-x  1 kali kali    7220 May 31  2023 libebt_stp.so
-rwxr-xr-x  1 kali kali    4056 May 31  2023 libebt_ulog.so
-rwxr-xr-x  1 kali kali    3940 May 31  2023 libebt_vlan.so
lrwxrwxrwx  1 kali kali      13 May 31  2023 libgcc.so -> libgcc_s.so.1
lrwxrwxrwx  1 kali kali      13 May 31  2023 libgcc_s.so -> libgcc_s.so.1
-rwxr-xr-x  1 kali kali   93000 May 31  2023 libgcc_s.so.1
-rwxr-xr-x  1 kali kali   93236 May 31  2023 libm-0.9.33.so
-rwxrwxr-x  1 kali kali    2092 May 31  2023 libmapvendor.so
lrwxrwxrwx  1 kali kali       9 May 31  2023 libm.so -> libm.so.0
lrwxrwxrwx  1 kali kali      14 May 31  2023 libm.so.0 -> libm-0.9.33.so
-rwxr-xr-x  1 kali kali    3340 May 31  2023 libmtdapi.so
-rwxrw----  1 kali kali  373864 May 31  2023 libmultiap.so
-rwxr-xr-x  1 kali kali   74568 May 31  2023 libpthread-0.9.33.so
lrwxrwxrwx  1 kali kali      20 May 31  2023 libpthread.so.0 -> libpthread-0.9.33.so
-rwxr-xr-x  1 kali kali     872 May 31  2023 libresolv-0.9.33.so
lrwxrwxrwx  1 kali kali      14 May 31  2023 libresolv.so -> libresolv.so.0
lrwxrwxrwx  1 kali kali      19 May 31  2023 libresolv.so.0 -> libresolv-0.9.33.so
-rwxr-xr-x  1 kali kali   12520 May 31  2023 librt-0.9.33.so
lrwxrwxrwx  1 kali kali      10 May 31  2023 librt.so -> librt.so.0
lrwxrwxrwx  1 kali kali      15 May 31  2023 librt.so.0 -> librt-0.9.33.so
-rwxrwxr-x  1 kali kali  372536 May 31  2023 libssl.so.1.0.0
lrwxrwxrwx  1 kali kali      19 May 31  2023 libstdc++.so -> libstdc++.so.6.0.19
lrwxrwxrwx  1 kali kali      19 May 31  2023 libstdc++.so.6 -> libstdc++.so.6.0.19
-rwxr-xr-x  1 kali kali  869768 May 31  2023 libstdc++.so.6.0.19
-rwxrwxr-x  1 kali kali  283876 May 31  2023 libuClibc-0.9.33.so
drwxrwxr-x  3 kali kali    4096 May 31  2023 modules

./lib/modules:
total 12
drwxrwxr-x 3 kali kali 4096 May 31  2023 .
drwxrwxr-x 3 kali kali 4096 May 31  2023 ..
drwxrwxr-x 3 kali kali 4096 Feb 20 10:12 3.10.90

./lib/modules/3.10.90:
total 16
drwxrwxr-x 3 kali kali 4096 Feb 20 10:12 .
drwxrwxr-x 3 kali kali 4096 May 31  2023 ..
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 build -> /dev/null
drwxrwxr-x 2 kali kali 4096 May 31  2023 kernel
-rw-rw-r-- 1 kali kali 3791 May 31  2023 modules.builtin
-rw-rw-r-- 1 kali kali    0 May 31  2023 modules.order
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 source -> /dev/null

./lib/modules/3.10.90/kernel:
total 8
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 3 kali kali 4096 Feb 20 10:12 ..

./mnt:
total 8
drwxrwxr-x  2 kali kali 4096 May 31  2023 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..

./proc:
total 8
drwxrwxr-x  2 kali kali 4096 May 31  2023 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..

./sys:
total 8
drwxrwxr-x  2 kali kali 4096 May 31  2023 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..

./usr:
total 16
drwxrwxr-x  4 kali kali 4096 May 31  2023 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..
drwxrwxr-x  3 kali kali 4096 May 31  2023 local
drwxrwxr-x  3 kali kali 4096 May 31  2023 share

./usr/local:
total 12
drwxrwxr-x 3 kali kali 4096 May 31  2023 .
drwxrwxr-x 4 kali kali 4096 May 31  2023 ..
drwxrwxr-x 3 kali kali 4096 May 31  2023 man

./usr/local/man:
total 12
drwxrwxr-x 3 kali kali 4096 May 31  2023 .
drwxrwxr-x 3 kali kali 4096 May 31  2023 ..
drwxrwxr-x 2 kali kali 4096 May 31  2023 man8

./usr/local/man/man8:
total 48
drwxrwxr-x 2 kali kali  4096 May 31  2023 .
drwxrwxr-x 3 kali kali  4096 May 31  2023 ..
-rw-r--r-- 1 kali kali 40843 May 31  2023 ebtables.8

./usr/share:
total 12
drwxrwxr-x 3 kali kali 4096 May 31  2023 .
drwxrwxr-x 4 kali kali 4096 May 31  2023 ..
drwxrwxr-x 2 kali kali 4096 Feb 20 10:12 udhcpc

./usr/share/udhcpc:
total 148
drwxrwxr-x 2 kali kali 4096 Feb 20 10:12 .
drwxrwxr-x 3 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali   95 May 31  2023 br0.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 br0.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   96 May 31  2023 br0.renew
-rwxr-xr-x 1 kali kali   41 May 31  2023 br0.sh
-rwxr-xr-x 1 kali kali  596 May 31  2023 eth0.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 eth0.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   42 May 31  2023 eth0.sh
-rwxr-xr-x 1 kali kali   95 May 31  2023 eth1.1.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 eth1.1.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   96 May 31  2023 eth1.1.renew
-rwxr-xr-x 1 kali kali   44 May 31  2023 eth1.1.sh
-rwxr-xr-x 1 kali kali   95 May 31  2023 eth1.2.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 eth1.2.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   96 May 31  2023 eth1.2.renew
-rwxr-xr-x 1 kali kali   44 May 31  2023 eth1.2.sh
-rwxr-xr-x 1 kali kali   96 May 31  2023 eth1.3.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 eth1.3.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   96 May 31  2023 eth1.3.renew
-rwxr-xr-x 1 kali kali   44 May 31  2023 eth1.3.sh
-rwxr-xr-x 1 kali kali   96 May 31  2023 eth1.4.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 eth1.4.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   96 May 31  2023 eth1.4.renew
-rwxr-xr-x 1 kali kali   44 May 31  2023 eth1.4.sh
-rwxr-xr-x 1 kali kali   95 May 31  2023 eth1.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 eth1.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   96 May 31  2023 eth1.renew
-rwxr-xr-x 1 kali kali   42 May 31  2023 eth1.sh
-rwxr-xr-x 1 kali kali   95 May 31  2023 usb0.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 usb0.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali   96 May 31  2023 usb0.renew
-rwxr-xr-x 1 kali kali   42 May 31  2023 usb0.sh
-rwxr-xr-x 1 kali kali  121 May 31  2023 wlan0.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 wlan0.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali  122 May 31  2023 wlan0.renew
-rwxr-xr-x 1 kali kali   43 May 31  2023 wlan0.sh
-rwxr-xr-x 1 kali kali  121 May 31  2023 wlan0-vxd.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 wlan0-vxd.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali  122 May 31  2023 wlan0-vxd.renew
-rwxr-xr-x 1 kali kali   47 May 31  2023 wlan0-vxd.sh
-rwxr-xr-x 1 kali kali  121 May 31  2023 wlan1.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 wlan1.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali  122 May 31  2023 wlan1.renew
-rwxr-xr-x 1 kali kali   43 May 31  2023 wlan1.sh
-rwxr-xr-x 1 kali kali  121 May 31  2023 wlan1-vxd.bound
lrwxrwxrwx 1 kali kali    9 Feb 20 10:12 wlan1-vxd.deconfig -> /dev/null
-rwxr-xr-x 1 kali kali  122 May 31  2023 wlan1-vxd.renew
-rwxr-xr-x 1 kali kali   47 May 31  2023 wlan1-vxd.sh

./var:
total 8
drwxrwxr-x  2 kali kali 4096 May 31  2023 .
drwxrwxr-x 14 kali kali 4096 Feb 20 10:12 ..

./web:
total 1336
drwxrwxr-x  8 kali kali   4096 Feb 20 10:12 .
drwxrwxr-x 14 kali kali   4096 Feb 20 10:12 ..
-rwxr-xr-x  1 kali kali  26270 Dec  3  2022 8021q_vlan.htm
-rwxr-xr-x  1 kali kali   3838 Dec  2  2022 acltbl.htm
-rwxr-xr-x  1 kali kali   5635 Dec  2  2022 ac_table.htm
drwxrwxr-x  2 kali kali   4096 May 31  2023 add
-rwxr-xr-x  1 kali kali   2986 Dec  2  2022 arptbl.htm
-rwxr-xr-x  1 kali kali    248 Dec  2  2022 blank.htm
-rwxr-xr-x  1 kali kali    634 Dec 12  2022 bottom.htm
-rwxr-xr-x  1 kali kali   1494 Dec  2  2022 bupload.htm
lrwxrwxrwx  1 kali kali      9 Feb 20 10:12 ca.cer -> /dev/null
drwxrwxr-x  2 kali kali   4096 May 31  2023 cgi-bin
lrwxrwxrwx  1 kali kali      9 Feb 20 10:12 config.dat -> /dev/null
-rwxr-xr-x  1 kali kali   5072 Dec  2  2022 countDownPage2.htm
-rwxr-xr-x  1 kali kali   5284 Jan 13  2023 countDownPage.htm
-rwxr-xr-x  1 kali kali   7940 Dec  2  2022 ddns.htm
-rwxr-xr-x  1 kali kali   1320 Dec  2  2022 dhcptbl.htm
-rwxr-xr-x  1 kali kali   3108 Dec  2  2022 dmz.htm
-rwxr-xr-x  1 kali kali  15359 Dec  2  2022 dos.htm
-rwxr-xr-x  1 kali kali  20981 Feb 27  2023 EasyMesh_SetUp.htm
-rwxr-xr-x  1 kali kali     63 Dec  2  2022 empty2.htm
-rwxr-xr-x  1 kali kali     99 Dec  2  2022 empty.htm
-rwxr-xr-x  1 kali kali    318 Dec  2  2022 favicon.ico
-rwxr-xr-x  1 kali kali   3388 Dec  2  2022 guest_net_Ad.htm
-rwxr-xr-x  1 kali kali   3672 Dec  2  2022 guest_net.htm
-rwxr-xr-x  1 kali kali   2350 Dec  2  2022 help.css
-rwxr-xr-x  1 kali kali  17674 Dec  2  2022 help.js
-rwxr-xr-x  1 kali kali   1496 Jan 13  2023 home.htm
drwxrwxr-x  2 kali kali   4096 May 31  2023 icon
drwxrwxr-x  8 kali kali   4096 May 31  2023 img
-rwxr-xr-x  1 kali kali    221 Dec  2  2022 index.htm
-rwxr-xr-x  1 kali kali    345 Dec  2  2022 index.html
-rwxr-xr-x  1 kali kali   8971 Jan 11  2022 ip6filter.htm
-rwxr-xr-x  1 kali kali  25734 Dec  2  2022 ip6_qos.htm
-rwxr-xr-x  1 kali kali    491 Dec  2  2022 IpChange.htm
-rwxr-xr-x  1 kali kali   1745 Dec  2  2022 ipv6.htm
-rwxr-xr-x  1 kali kali  17911 Feb 27  2023 IPv6_Setup.htm
-rwxr-xr-x  1 kali kali   6825 Feb 27  2023 IPv6_Status.htm
drwxrwxr-x  2 kali kali   4096 May 31  2023 js
-rwxr-xr-x  1 kali kali   5085 Dec 12  2022 login.htm
-rwxr-xr-x  1 kali kali   1386 Feb  9  2023 logout.htm
-rwxr-xr-x  1 kali kali   6250 Dec  2  2022 macfilter.htm
drwxrwxr-x  4 kali kali   4096 May 31  2023 mobile
-rwxr-xr-x  1 kali kali   1359 Dec  2  2022 multi_ap_channel_scan.htm
-rwxr-xr-x  1 kali kali   1227 Dec  2  2022 multi_ap_channel_scan_result.htm
-rwxr-xr-x  1 kali kali   8094 Feb 27  2023 multi_ap_popup_client_details.htm
-rwxr-xr-x  1 kali kali   2435 Feb 27  2023 multi_ap_popup_device_add.htm
-rwxr-xr-x  1 kali kali   4042 Feb 27  2023 multi_ap_popup_device_connect.htm
-rwxr-xr-x  1 kali kali   2614 Feb 27  2023 multi_ap_popup_device_del_count.htm
-rwxr-xr-x  1 kali kali   4598 Feb 27  2023 multi_ap_popup_device_del.htm
-rwxr-xr-x  1 kali kali  16714 Feb 27  2023 multi_ap_popup_device_details.htm
-rwxr-xr-x  1 kali kali   3118 Feb 27  2023 multi_ap_popup_device_success.htm
-rwxr-xr-x  1 kali kali   6950 Dec  2  2022 multi_ap_setting_general.htm
-rwxr-xr-x  1 kali kali   5586 Dec  2  2022 multi_ap_setting_topology.htm
-rwxr-xr-x  1 kali kali  11001 Feb 27  2023 multi_ap_setting_topology_mod.htm
-rwxr-xr-x  1 kali kali  31332 Dec  2  2022 multi_ap_setting_vlan.htm
-rwxr-xr-x  1 kali kali   5672 Dec  2  2022 normal_ws.css
-rwxr-xr-x  1 kali kali    343 Dec  2  2022 nph-test.cgi
-rwxr-xr-x  1 kali kali  10473 Dec  2  2022 ntp.htm
-rwxr-xr-x  1 kali kali  24865 Dec  2  2022 parent_control.htm
-rwxr-xr-x  1 kali kali   3233 Dec  2  2022 password.htm
-rwxr-xr-x  1 kali kali   3031 Dec  2  2022 pocket_sitesurvey.htm
-rwxr-xr-x  1 kali kali   6144 Dec  2  2022 portfilter6.htm
-rwxr-xr-x  1 kali kali  11156 Jul  6  2022 portfw.htm
-rwxr-xr-x  1 kali kali   4484 Dec  2  2022 portfwlist.htm
-rwxr-xr-x  1 kali kali   2325 Dec  2  2022 portfwserlist.htm
-rwxr-xr-x  1 kali kali   1151 Dec  2  2022 reboot.htm
-rwxr-xr-x  1 kali kali  16000 Dec  2  2022 reboot_schedule.htm
-rwxr-xr-x  1 kali kali   2423 Dec  2  2022 reload.htm
-rwxr-xr-x  1 kali kali   8368 Jan 13  2023 repeater_sitesurvey.htm
-rwxr-xr-x  1 kali kali   3012 Dec  2  2022 rfw.htm
-rwxr-xr-x  1 kali kali     37 Dec  2  2022 rfw_percent.htm
-rwxr-xr-x  1 kali kali  14269 Dec  2  2022 route.htm
-rwxr-xr-x  1 kali kali   1042 Dec  2  2022 routetbl.htm
-rwxr-xr-x  1 kali kali   3218 Dec  2  2022 saveconf.htm
-rwxr-xr-x  1 kali kali   6403 Dec  2  2022 share.js
-rwxr-xr-x  1 kali kali  41734 Dec  2  2022 smart_qos.htm
-rwxr-xr-x  1 kali kali  12437 Dec  3  2022 stats.htm
-rwxr-xr-x  1 kali kali  25433 Feb 27  2023 status.htm
-rwxr-xr-x  1 kali kali   9395 Dec  2  2022 style.css
-rwxr-xr-x  1 kali kali   5399 Dec  2  2022 syslog.htm
-rwxr-xr-x  1 kali kali  21469 Dec  2  2022 tcpiplan.htm
-rwxr-xr-x  1 kali kali   9288 Dec  2  2022 tcpip_staticdhcp.htm
-rwxr-xr-x  1 kali kali  65744 Dec  2  2022 tcpipwan.htm
-rwxr-xr-x  1 kali kali    195 Dec  2  2022 test.cgi
-rwxr-xr-x  1 kali kali  11222 Feb 27  2023 title.htm
-rwxr-xr-x  1 kali kali   8607 May 29  2023 tr069config.htm
-rwxr-xr-x  1 kali kali   3035 Dec  2  2022 upload.htm
-rwxr-xr-x  1 kali kali     55 Dec  2  2022 upload_st.htm
-rwxr-xr-x  1 kali kali   8825 Dec  2  2022 urlfilter.htm
lrwxrwxrwx  1 kali kali      9 Feb 20 10:12 user.cer -> /dev/null
-rwxr-xr-x  1 kali kali 162910 Feb 27  2023 util_gw.js
-rwxr-xr-x  1 kali kali  15843 Dec  2  2022 util_qos.js
-rwxr-xr-x  1 kali kali     33 Dec  2  2022 wan_status.htm
-rwxr-xr-x  1 kali kali   2048 Dec  2  2022 wirelessScan_tbl.htm
-rwxr-xr-x  1 kali kali  94699 May 29  2023 wizard.htm
-rwxr-xr-x  1 kali kali    789 Jan 13  2023 wizardset.htm
-rwxr-xr-x  1 kali kali  12428 Dec  2  2022 wlactrlGuest.htm
-rwxr-xr-x  1 kali kali  12189 Dec  2  2022 wlactrlRoot.htm
-rwxr-xr-x  1 kali kali  27373 Feb 27  2023 wladvanced.htm
-rwxr-xr-x  1 kali kali   4066 Dec  2  2022 wlan_schedule.htm
-rwxr-xr-x  1 kali kali   2445 Dec  2  2022 wlbandmode.htm
-rwxr-xr-x  1 kali kali  38489 Dec  2  2022 wlbasic.htm
-rwxr-xr-x  1 kali kali  10734 Dec  2  2022 wlsch.htm
-rwxr-xr-x  1 kali kali  50588 May 29  2023 wlsecurity_all.htm
-rwxr-xr-x  1 kali kali   9625 Dec  2  2022 wlsecurity.htm
-rwxr-xr-x  1 kali kali   5365 Dec  2  2022 wlstatbl.htm
-rwxr-xr-x  1 kali kali   1293 Dec  2  2022 wlwdstbl.htm

./web/add:
total 96
drwxrwxr-x 2 kali kali  4096 May 31  2023 .
drwxrwxr-x 8 kali kali  4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali  6330 Dec  2  2022 menuAd.htm
-rwxr-xr-x 1 kali kali  3964 Dec  2  2022 menuBs.htm
-rwxr-xr-x 1 kali kali 27884 Dec 12  2022 stat_net.htm
-rwxr-xr-x 1 kali kali   225 Dec  2  2022 top_empty.htm
-rwxr-xr-x 1 kali kali  2942 Dec  2  2022 top_menu_EasyMesh.htm
-rwxr-xr-x 1 kali kali  1092 Dec  2  2022 top_menu_firewall.htm
-rwxr-xr-x 1 kali kali  1134 Dec  2  2022 top_menu_nat.htm
-rwxr-xr-x 1 kali kali  2015 Dec  2  2022 top_menu_net.htm
-rwxr-xr-x 1 kali kali  2125 Dec  2  2022 top_menu_servers.htm
-rwxr-xr-x 1 kali kali  2338 Dec  2  2022 top_menu_tools.htm
-rwxr-xr-x 1 kali kali  4430 Dec  2  2022 top_menu_wifilock.htm
-rwxr-xr-x 1 kali kali  1967 Dec  2  2022 top_menu_wireless.htm
-rwxr-xr-x 1 kali kali  2711 Dec  2  2022 vpnpass.htm
-rwxr-xr-x 1 kali kali   820 Dec  2  2022 wladvancedtop.htm

./web/cgi-bin:
total 16
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 8 kali kali 4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali 5996 May 31  2023 cstecgi.cgi

./web/icon:
total 372
drwxrwxr-x 2 kali kali  4096 May 31  2023 .
drwxrwxr-x 8 kali kali  4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali  3013 Dec  2  2022 application.png
-rwxr-xr-x 1 kali kali   225 Dec  2  2022 arrow_01.png
-rwxr-xr-x 1 kali kali   218 Dec  2  2022 arrow_02.png
-rwxr-xr-x 1 kali kali   254 Dec  2  2022 arrow_03.png
-rwxr-xr-x 1 kali kali   280 Dec  2  2022 arrow_04.png
-rwxr-xr-x 1 kali kali   276 Dec  2  2022 arrow_05.png
-rwxr-xr-x 1 kali kali   355 Dec  2  2022 arrow_06.png
-rwxr-xr-x 1 kali kali 23108 Dec  2  2022 BG.png
-rwxr-xr-x 1 kali kali    95 Dec  2  2022 btn_03.png
-rwxr-xr-x 1 kali kali   115 Dec  2  2022 btn_04.png
-rwxr-xr-x 1 kali kali  3280 Dec  2  2022 circle.png
-rwxr-xr-x 1 kali kali  2614 Dec  2  2022 cpu.png
-rwxr-xr-x 1 kali kali  3015 Dec  2  2022 devices.png
-rwxr-xr-x 1 kali kali  2467 Dec  2  2022 guest.png
-rwxr-xr-x 1 kali kali   289 Dec  2  2022 icon_01.png
-rwxr-xr-x 1 kali kali  2948 Dec  2  2022 icon_02.png
-rwxr-xr-x 1 kali kali   524 Dec  2  2022 icon_03.png
-rwxr-xr-x 1 kali kali   453 Dec  2  2022 icon_04.png
-rwxr-xr-x 1 kali kali   546 Dec  2  2022 icon_05.png
-rwxr-xr-x 1 kali kali   560 Dec  2  2022 icon_06.png
-rwxr-xr-x 1 kali kali  2727 Dec  2  2022 icon_07.png
-rwxr-xr-x 1 kali kali  3328 Dec  2  2022 icon_08.png
-rwxr-xr-x 1 kali kali  2906 Dec  2  2022 icon_09.png
-rwxr-xr-x 1 kali kali  3494 Dec  2  2022 icon_10.png
-rwxr-xr-x 1 kali kali  3021 Dec  2  2022 icon_11.png
-rwxr-xr-x 1 kali kali  3581 Dec  2  2022 icon_12.png
-rwxr-xr-x 1 kali kali  3699 Dec  2  2022 icon_13.png
-rwxr-xr-x 1 kali kali  3725 Dec  2  2022 icon_14.png
-rwxr-xr-x 1 kali kali   163 Dec  2  2022 icon_15.png
-rwxr-xr-x 1 kali kali  2119 Dec  2  2022 icon_application_01.png
-rwxr-xr-x 1 kali kali  2359 Dec  2  2022 icon_application_02.png
-rwxr-xr-x 1 kali kali  1904 Dec  2  2022 icon_application_03.png
-rwxr-xr-x 1 kali kali  2303 Dec  2  2022 icon_application_04.png
-rwxr-xr-x 1 kali kali  2136 Dec  2  2022 icon_application_05.png
-rwxr-xr-x 1 kali kali   548 Dec  2  2022 icon_down_.png
-rwxr-xr-x 1 kali kali   474 Dec  2  2022 icon_select.png
-rwxr-xr-x 1 kali kali   893 Dec  2  2022 icon_signal_01.png
-rwxr-xr-x 1 kali kali   637 Dec  2  2022 icon_signal_02.png
-rwxr-xr-x 1 kali kali   406 Dec  2  2022 icon_signal_03.png
-rwxr-xr-x 1 kali kali  2104 Dec  2  2022 icon_system_01.png
-rwxr-xr-x 1 kali kali  2529 Dec  2  2022 icon_system_02.png
-rwxr-xr-x 1 kali kali  2445 Dec  2  2022 icon_system_03.png
-rwxr-xr-x 1 kali kali  2750 Dec  2  2022 icon_system_04.png
-rwxr-xr-x 1 kali kali  1150 Dec  2  2022 icon_tool_01.png
-rwxr-xr-x 1 kali kali  1713 Dec  2  2022 icon_tool_02.png
-rwxr-xr-x 1 kali kali  1555 Dec  2  2022 icon_tool_03.png
-rwxr-xr-x 1 kali kali  1132 Dec  2  2022 icon_tool_04.png
-rwxr-xr-x 1 kali kali  1446 Dec  2  2022 icon_tool_05.png
-rwxr-xr-x 1 kali kali  1251 Dec  2  2022 icon_tool_06.png
-rwxr-xr-x 1 kali kali  1502 Dec  2  2022 icon_tool_07.png
-rwxr-xr-x 1 kali kali  1289 Dec  2  2022 icon_tool_08.png
-rwxr-xr-x 1 kali kali  3582 Dec  2  2022 icon_up.png
-rwxr-xr-x 1 kali kali   542 Dec  2  2022 icon_up_.png
-rwxr-xr-x 1 kali kali  5231 Dec  2  2022 logo_01.png
-rwxr-xr-x 1 kali kali  2425 Dec  2  2022 logo_02.png
-rwxr-xr-x 1 kali kali  1731 Dec  2  2022 mesh.png
-rwxr-xr-x 1 kali kali  3424 Dec  2  2022 mode.png
-rwxr-xr-x 1 kali kali  4429 Dec  2  2022 online.png
-rwxr-xr-x 1 kali kali  3832 Dec  2  2022 parental.png
-rwxr-xr-x 1 kali kali  3285 Dec  2  2022 pc.png
-rwxr-xr-x 1 kali kali   112 Dec  2  2022 +.png
-rwxr-xr-x 1 kali kali    84 Dec  2  2022 -.png
-rwxr-xr-x 1 kali kali  2930 Dec  2  2022 QOS_01.png
-rwxr-xr-x 1 kali kali  2430 Dec  2  2022 QOS_02.png
-rwxr-xr-x 1 kali kali  4334 Dec  2  2022 qos.png
-rwxr-xr-x 1 kali kali   555 Dec  2  2022 ram.png
-rwxr-xr-x 1 kali kali   680 Dec  2  2022 router.png
-rwxr-xr-x 1 kali kali   243 Dec  2  2022 selb.png
-rwxr-xr-x 1 kali kali   385 Dec  2  2022 select.png
-rwxr-xr-x 1 kali kali   218 Dec  2  2022 sell.png
-rwxr-xr-x 1 kali kali   460 Dec  2  2022 speed_down2.png
-rwxr-xr-x 1 kali kali  1919 Dec  2  2022 speed_up2.png
-rwxr-xr-x 1 kali kali  2922 Dec  2  2022 tools.png
-rwxr-xr-x 1 kali kali  4222 Dec  2  2022 url.png
-rwxr-xr-x 1 kali kali  1922 Dec  2  2022 user.png
-rwxr-xr-x 1 kali kali 13455 Nov  7  2022 vpn.png
-rwxr-xr-x 1 kali kali  4014 Dec  2  2022 wifi_schedule.png
-rwxr-xr-x 1 kali kali  3461 Dec  2  2022 wireless.png
-rwxr-xr-x 1 kali kali  1503 Dec  2  2022 wizard.png

./web/img:
total 528
drwxrwxr-x 8 kali kali   4096 May 31  2023 .
drwxrwxr-x 8 kali kali   4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali   1411 Dec  2  2022 added.png
-rwxr-xr-x 1 kali kali    489 Dec  2  2022 add.png
-rwxr-xr-x 1 kali kali    418 Dec  2  2022 checkbox_on.png
-rwxr-xr-x 1 kali kali    277 Dec  2  2022 checkbox.png
-rwxr-xr-x 1 kali kali    265 Dec  2  2022 check_dis.png
-rwxr-xr-x 1 kali kali    350 Dec  2  2022 check_on_dis.png
-rwxr-xr-x 1 kali kali    367 Dec  2  2022 delete.png
-rwxr-xr-x 1 kali kali    398 Dec  2  2022 del.png
-rwxr-xr-x 1 kali kali    490 Dec  2  2022 download.png
-rwxr-xr-x 1 kali kali    635 Dec  2  2022 drop.png
-rwxr-xr-x 1 kali kali   1435 Dec  2  2022 edited.png
-rwxr-xr-x 1 kali kali    520 Dec  2  2022 edit.png
-rwxr-xr-x 1 kali kali    561 Dec  2  2022 err.png
-rwxr-xr-x 1 kali kali    775 Dec  2  2022 Gnet.png
-rwxr-xr-x 1 kali kali    860 Dec  2  2022 guest.png
-rwxr-xr-x 1 kali kali    833 Dec  2  2022 help.png
-rwxr-xr-x 1 kali kali   1106 Dec  2  2022 icon_point.png
-rwxr-xr-x 1 kali kali   3146 Dec  2  2022 img_add.png
-rwxr-xr-x 1 kali kali   3131 Dec  2  2022 img_clock.png
-rwxr-xr-x 1 kali kali   2954 Dec  2  2022 img_del1.png
-rwxr-xr-x 1 kali kali   3061 Dec  2  2022 img_del2.png
-rwxr-xr-x 1 kali kali   1881 Dec  2  2022 imgdel.png
-rwxr-xr-x 1 kali kali   3219 Dec  2  2022 img_dis.png
-rwxr-xr-x 1 kali kali   3049 Dec  2  2022 img_edit.png
-rwxr-xr-x 1 kali kali   3143 Dec  2  2022 img_en.png
-rwxr-xr-x 1 kali kali    668 Dec  2  2022 img_left.png
-rwxr-xr-x 1 kali kali   1961 Dec  2  2022 imgpc.png
-rwxr-xr-x 1 kali kali    693 Dec  2  2022 img_right.png
-rwxr-xr-x 1 kali kali    722 Dec  2  2022 key.png
-rwxr-xr-x 1 kali kali    486 Dec  2  2022 link.png
-rwxr-xr-x 1 kali kali   2248 Dec  2  2022 load.gif
-rwxr-xr-x 1 kali kali   6199 Dec  2  2022 login_ie.jpg
-rwxr-xr-x 1 kali kali  22089 Dec  2  2022 login.png
-rwxr-xr-x 1 kali kali   3904 Dec  2  2022 logo.png
drwxrwxr-x 2 kali kali   4096 May 31  2023 map
drwxrwxr-x 2 kali kali   4096 May 31  2023 menu
drwxrwxr-x 2 kali kali   4096 May 31  2023 menubasic
-rwxr-xr-x 1 kali kali    689 Dec  2  2022 Mesh1.png
-rwxr-xr-x 1 kali kali   4174 Dec  2  2022 Mesh2.png
-rwxr-xr-x 1 kali kali 107812 Dec  2  2022 Meshwps.png
-rwxr-xr-x 1 kali kali    811 Dec  2  2022 net.png
-rwxr-xr-x 1 kali kali    674 Dec  2  2022 ok.png
-rwxr-xr-x 1 kali kali    454 Dec  2  2022 port.png
-rwxr-xr-x 1 kali kali    450 Dec  2  2022 radio_dis.png
-rwxr-xr-x 1 kali kali    549 Dec  2  2022 radio_on_dis.png
-rwxr-xr-x 1 kali kali    519 Dec  2  2022 radio_on.png
-rwxr-xr-x 1 kali kali    478 Dec  2  2022 radio.png
-rwxr-xr-x 1 kali kali    742 Dec  2  2022 refresh.png
drwxrwxr-x 2 kali kali   4096 May 31  2023 rpt
-rwxr-xr-x 1 kali kali   1018 Dec  2  2022 sel.png
drwxrwxr-x 2 kali kali   4096 May 31  2023 status
-rwxr-xr-x 1 kali kali    750 Dec  2  2022 status.png
-rwxr-xr-x 1 kali kali   1002 Dec  2  2022 switch_dis.png
-rwxr-xr-x 1 kali kali    581 Dec  2  2022 switch_on.png
-rwxr-xr-x 1 kali kali    582 Dec  2  2022 switch.png
-rwxr-xr-x 1 kali kali    660 Dec  2  2022 system.png
-rwxr-xr-x 1 kali kali    670 Dec  2  2022 time.png
-rwxr-xr-x 1 kali kali    490 Dec  2  2022 tips.png
drwxrwxr-x 2 kali kali   4096 May 31  2023 topmenu
-rwxr-xr-x 1 kali kali    316 Dec  2  2022 trash.png
-rwxr-xr-x 1 kali kali    957 Dec  2  2022 u168.png
-rwxr-xr-x 1 kali kali   1058 Dec  2  2022 u170.png
-rwxr-xr-x 1 kali kali  48017 Dec  2  2022 u1860.png
-rwxr-xr-x 1 kali kali   2574 Dec  2  2022 u186.png
-rwxr-xr-x 1 kali kali   2112 Dec  2  2022 u187.png
-rwxr-xr-x 1 kali kali    165 Dec  2  2022 u188.png
-rwxr-xr-x 1 kali kali   4594 Dec  2  2022 u218.png
-rwxr-xr-x 1 kali kali    159 Dec  2  2022 u219.png
-rwxr-xr-x 1 kali kali   8149 Dec  2  2022 u4390.png
-rwxr-xr-x 1 kali kali   4243 Dec  2  2022 u439.png
-rwxr-xr-x 1 kali kali   1635 Dec  2  2022 u4410.png
-rwxr-xr-x 1 kali kali    709 Dec  2  2022 u441.png
-rwxr-xr-x 1 kali kali   1731 Dec  2  2022 u4500.png
-rwxr-xr-x 1 kali kali    726 Dec  2  2022 u450.png
-rwxr-xr-x 1 kali kali   1374 Dec  2  2022 u491.png
-rwxr-xr-x 1 kali kali    732 Dec  2  2022 u493.png
-rwxr-xr-x 1 kali kali    472 Dec  2  2022 u777.png
-rwxr-xr-x 1 kali kali   1391 Dec  2  2022 u779.png
-rwxr-xr-x 1 kali kali   1351 Dec  2  2022 u780.png
-rwxr-xr-x 1 kali kali    639 Dec  2  2022 unbell.png
-rwxr-xr-x 1 kali kali    625 Dec  2  2022 unlink.png
-rwxr-xr-x 1 kali kali    436 Dec  2  2022 upload.png
-rwxr-xr-x 1 kali kali    646 Dec  2  2022 wifi.png

./web/img/map:
total 112
drwxrwxr-x 2 kali kali  4096 May 31  2023 .
drwxrwxr-x 8 kali kali  4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali  2470 Dec  2  2022 clients_on.png
-rwxr-xr-x 1 kali kali  2608 Dec  2  2022 clients.png
-rwxr-xr-x 1 kali kali  1859 Dec  2  2022 connect.png
-rwxr-xr-x 1 kali kali  1769 Dec  2  2022 disconnect.png
-rwxr-xr-x 1 kali kali  2892 Dec  2  2022 down.png
-rwxr-xr-x 1 kali kali   448 Dec  2  2022 gt_ph.png
-rwxr-xr-x 1 kali kali   723 Dec  2  2022 lan.png
-rwxr-xr-x 1 kali kali  8865 Dec  2  2022 net_on.png
-rwxr-xr-x 1 kali kali 10665 Dec  2  2022 net.png
-rwxr-xr-x 1 kali kali   191 Dec  2  2022 point-off.png
-rwxr-xr-x 1 kali kali   217 Dec  2  2022 point-on.png
-rwxr-xr-x 1 kali kali   662 Dec  2  2022 port.png
-rwxr-xr-x 1 kali kali  4925 Dec  2  2022 router_on.png
-rwxr-xr-x 1 kali kali  5680 Dec  2  2022 router.png
-rwxr-xr-x 1 kali kali  2869 Dec  2  2022 up.png
-rwxr-xr-x 1 kali kali   676 Dec  2  2022 wan.png
-rwxr-xr-x 1 kali kali  1448 Dec  2  2022 wifi2g_off.png
-rwxr-xr-x 1 kali kali  1603 Dec  2  2022 wifi2g.png
-rwxr-xr-x 1 kali kali  1318 Dec  2  2022 wifi5g_off.png
-rwxr-xr-x 1 kali kali  1440 Dec  2  2022 wifi5g.png

./web/img/menu:
total 104
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 8 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali  910 Dec  2  2022 lock_n.png
-rwxr-xr-x 1 kali kali  809 Dec  2  2022 lock_o.png
-rwxr-xr-x 1 kali kali 1016 Dec  2  2022 nat_n.png
-rwxr-xr-x 1 kali kali  660 Dec  2  2022 nat_o.png
-rwxr-xr-x 1 kali kali 1395 Dec  2  2022 net_n.png
-rwxr-xr-x 1 kali kali  938 Dec  2  2022 net_o.png
-rwxr-xr-x 1 kali kali 1218 Dec  2  2022 parental_n.png
-rwxr-xr-x 1 kali kali  752 Dec  2  2022 parental_o.png
-rwxr-xr-x 1 kali kali 1399 Dec  2  2022 qos_n.png
-rwxr-xr-x 1 kali kali  867 Dec  2  2022 qos_o.png
-rwxr-xr-x 1 kali kali 1050 Dec  2  2022 security_n.png
-rwxr-xr-x 1 kali kali  673 Dec  2  2022 security_o.png
-rwxr-xr-x 1 kali kali 1071 Dec  2  2022 service_n.png
-rwxr-xr-x 1 kali kali 1071 Dec  2  2022 service_o.png
-rwxr-xr-x 1 kali kali 1055 Dec  2  2022 status_n.png
-rwxr-xr-x 1 kali kali  720 Dec  2  2022 status_o.png
-rwxr-xr-x 1 kali kali  752 Dec  2  2022 storage_n.png
-rwxr-xr-x 1 kali kali  565 Dec  2  2022 storage_o.png
-rwxr-xr-x 1 kali kali  918 Dec  2  2022 tools_n.png
-rwxr-xr-x 1 kali kali  575 Dec  2  2022 tools_o.png
-rwxr-xr-x 1 kali kali  887 Dec  2  2022 vpn_n.png
-rwxr-xr-x 1 kali kali  539 Dec  2  2022 vpn_o.png
-rwxr-xr-x 1 kali kali 1175 Dec  2  2022 wifi_n.png
-rwxr-xr-x 1 kali kali  729 Dec  2  2022 wifi_o.png

./web/img/menubasic:
total 60
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 8 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali 1873 Dec  2  2022 guest_n.png
-rwxr-xr-x 1 kali kali 1173 Dec  2  2022 guest_o.png
-rwxr-xr-x 1 kali kali 2009 Dec  2  2022 net_n.png
-rwxr-xr-x 1 kali kali 1356 Dec  2  2022 net_o.png
-rwxr-xr-x 1 kali kali 1598 Dec  2  2022 parental_n.png
-rwxr-xr-x 1 kali kali 1041 Dec  2  2022 parental_o.png
-rwxr-xr-x 1 kali kali 1954 Dec  2  2022 qos_n.png
-rwxr-xr-x 1 kali kali 1199 Dec  2  2022 qos_o.png
-rwxr-xr-x 1 kali kali 1134 Dec  2  2022 status_n.png
-rwxr-xr-x 1 kali kali  794 Dec  2  2022 status_o.png
-rwxr-xr-x 1 kali kali  873 Dec  2  2022 url_o.png
-rwxr-xr-x 1 kali kali 1372 Dec  2  2022 wifi_n.png
-rwxr-xr-x 1 kali kali  827 Dec  2  2022 wifi_o.png

./web/img/rpt:
total 36
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 8 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali  373 Dec  2  2022 lock.png
-rwxr-xr-x 1 kali kali 1501 Dec  2  2022 signal_1.png
-rwxr-xr-x 1 kali kali 1736 Dec  2  2022 signal_2.png
-rwxr-xr-x 1 kali kali 1854 Dec  2  2022 signal_3.png
-rwxr-xr-x 1 kali kali 1926 Dec  2  2022 signal_4.png
-rwxr-xr-x 1 kali kali  320 Dec  2  2022 sign_right.png
-rwxr-xr-x 1 kali kali  336 Dec  2  2022 unlock.png

./web/img/status:
total 32
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 8 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali  705 Dec  2  2022 CPU1.png
-rwxr-xr-x 1 kali kali 1182 Dec  2  2022 CPU.png
-rwxr-xr-x 1 kali kali  490 Dec  2  2022 down.png
-rwxr-xr-x 1 kali kali  351 Dec  2  2022 RAM1.png
-rwxr-xr-x 1 kali kali  524 Dec  2  2022 RAM.png
-rwxr-xr-x 1 kali kali  436 Dec  2  2022 up.png

./web/img/topmenu:
total 76
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 8 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali  793 Dec  2  2022 advance_n.png
-rwxr-xr-x 1 kali kali  587 Dec  2  2022 advance_o.png
-rwxr-xr-x 1 kali kali  855 Dec  2  2022 basic_n.png
-rwxr-xr-x 1 kali kali  457 Dec  2  2022 basic_o.png
-rwxr-xr-x 1 kali kali 1609 Dec  2  2022 imgmesh_n.png
-rwxr-xr-x 1 kali kali 1326 Dec  2  2022 imgmesh_o.png
-rwxr-xr-x 1 kali kali  446 Dec  2  2022 led_n.png
-rwxr-xr-x 1 kali kali  553 Dec  2  2022 led_o_old.png
-rwxr-xr-x 1 kali kali  754 Dec  2  2022 led_o.png
-rwxr-xr-x 1 kali kali  476 Dec  2  2022 logout_n.png
-rwxr-xr-x 1 kali kali  363 Dec  2  2022 logout_o.png
-rwxr-xr-x 1 kali kali  741 Dec  2  2022 reboot_n.png
-rwxr-xr-x 1 kali kali  530 Dec  2  2022 reboot_o.png
-rwxr-xr-x 1 kali kali 1134 Dec  2  2022 wechat_n.png
-rwxr-xr-x 1 kali kali  814 Dec  2  2022 wechat_o.png
-rwxr-xr-x 1 kali kali 1117 Dec  2  2022 wizard_n.png
-rwxr-xr-x 1 kali kali  681 Dec  2  2022 wizard_o.png

./web/js:
total 796
drwxrwxr-x 2 kali kali   4096 May 31  2023 .
drwxrwxr-x 8 kali kali   4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali  24635 Dec  2  2022 jcommon.js
-rwxr-xr-x 1 kali kali  89501 Dec  2  2022 jquery.min.js
-rwxr-xr-x 1 kali kali  93220 Jan 13  2023 language_en.js
-rwxr-xr-x 1 kali kali 144849 Jan 13  2023 language_ru.js
-rwxr-xr-x 1 kali kali  87309 Jan 13  2023 language_sc.js
-rwxr-xr-x 1 kali kali  87761 Jan 13  2023 language_tc.js
-rwxr-xr-x 1 kali kali 148291 Jan 13  2023 language_ua.js
-rwxr-xr-x 1 kali kali 111455 Jan 13  2023 language_vn.js

./web/mobile:
total 212
drwxrwxr-x 4 kali kali  4096 May 31  2023 .
drwxrwxr-x 8 kali kali  4096 Feb 20 10:12 ..
-rwxr-xr-x 1 kali kali  7941 Dec  2  2022 ac_table.asp
-rwxr-xr-x 1 kali kali  3018 Jan 13  2023 app.asp
drwxrwxr-x 2 kali kali  4096 May 31  2023 css
-rwxr-xr-x 1 kali kali   770 Dec 28  2022 easyMesh_setup.asp
-rwxr-xr-x 1 kali kali   784 Feb 27  2023 easyMesh_status.asp
-rwxr-xr-x 1 kali kali  2932 Dec  2  2022 forgot.asp
-rwxr-xr-x 1 kali kali   789 Dec  2  2022 guestnet.asp
-rwxr-xr-x 1 kali kali  7760 Jan 13  2023 home.asp
-rwxr-xr-x 1 kali kali 12146 Dec  2  2022 internet.asp
drwxrwxr-x 2 kali kali  4096 May 31  2023 js
-rwxr-xr-x 1 kali kali  6300 Dec  2  2022 login.asp
-rwxr-xr-x 1 kali kali   828 Dec  2  2022 logout.asp
-rwxr-xr-x 1 kali kali  1034 Dec  2  2022 ntp.asp
-rwxr-xr-x 1 kali kali 17638 Dec  2  2022 parentcontrol.asp
-rwxr-xr-x 1 kali kali   908 Dec  2  2022 password.asp
-rwxr-xr-x 1 kali kali  1275 Dec  2  2022 reboot.asp
-rwxr-xr-x 1 kali kali  1178 Dec  2  2022 reset.asp
-rwxr-xr-x 1 kali kali   823 Dec  2  2022 rfw.asp
-rwxr-xr-x 1 kali kali  4693 Dec  2  2022 setlg.asp
-rwxr-xr-x 1 kali kali  1042 Dec  2  2022 smartqos.asp
-rwxr-xr-x 1 kali kali  8470 Dec  2  2022 stat.asp
-rwxr-xr-x 1 kali kali   598 Dec  2  2022 success.asp
-rwxr-xr-x 1 kali kali  3557 Jan 13  2023 sysmode.asp
-rwxr-xr-x 1 kali kali  4678 Dec  2  2022 tools.asp
-rwxr-xr-x 1 kali kali   996 Dec  2  2022 urlfilter.asp
-rwxr-xr-x 1 kali kali  1080 Dec  2  2022 usbshare.asp
-rwxr-xr-x 1 kali kali   989 Dec  2  2022 vpn.asp
-rwxr-xr-x 1 kali kali   798 Dec  2  2022 wan.asp
-rwxr-xr-x 1 kali kali 11204 Dec  2  2022 wifi.asp
-rwxr-xr-x 1 kali kali  2482 Dec  2  2022 wifische.asp
-rwxr-xr-x 1 kali kali  4670 Dec  2  2022 wifiSignal.asp
-rwxr-xr-x 1 kali kali  1463 Dec  2  2022 wizard.asp
-rwxr-xr-x 1 kali kali  1242 Dec  2  2022 wlanlock.asp
-rwxr-xr-x 1 kali kali   803 Dec  2  2022 wlbasic.asp
-rwxr-xr-x 1 kali kali   994 Dec  2  2022 wlsch.asp

./web/mobile/css:
total 16
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 4 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali 6868 Jan 13  2023 csstyle.css

./web/mobile/js:
total 64
drwxrwxr-x 2 kali kali 4096 May 31  2023 .
drwxrwxr-x 4 kali kali 4096 May 31  2023 ..
-rwxr-xr-x 1 kali kali 5972 Dec  2  2022 language_en.js
-rwxr-xr-x 1 kali kali 8993 Dec  2  2022 language_ru.js
-rwxr-xr-x 1 kali kali 5827 Dec  2  2022 language_sc.js
-rwxr-xr-x 1 kali kali 5860 Dec  2  2022 language_tc.js
-rwxr-xr-x 1 kali kali 8590 Dec  2  2022 language_ua.js
-rwxr-xr-x 1 kali kali 7087 Dec  2  2022 language_vn.js

주안점 정리

핵심 실행 파일 / 서비스

  • /bin/boa: Boa 웹서버 실행 파일 (보안 취약점이 있을 가능성 높음)
  • /bin/dnsmasq: DNS/DHCP 서비스 실행
  • /bin/telnetd: Telnet 서비스 활성화 가능성 (보안 취약)
  • /bin/busybox: 경량 유틸리티 모음, 주요 명령어 처리
  • /bin/init, /etc/init.d/rcS: 시스템 초기화 스크립트

설정 파일

  • /etc/inittab: 시스템 초기화 관련 설정
  • /etc/passwd, /etc/shadow.sample: 사용자 계정 정보, 해시 암호 포함
  • /etc/dnsmasq.conf: DNS/DHCP 서비스 설정

웹 인터페이스 관련 파일

  • /web/: 관리자 페이지 관련 HTML, JavaScript, CGI 스크립트 포함
  • /web/cgi-bin/cstecgi.cgi: CGI 기반 관리자 페이지 취약점 가능성 (명령 주입 확인 필요)
  • /etc/boa.conf: Boa 웹서버 설정 파일

분석 방향 정하기

  • boa 웹서버 취약점 탐색

    • boa는 2005년 개발이 중단된 경량 웹서버 → 기존 CVE 목록 확인
    • /etc/boa.conf 파일을 분석하여 디렉토리 트래버설 및 인증 우회 가능성 탐색
    • boa가 실행하는 CGI 스크립트(/web/cgi-bin/cstecgi.cgi)에서 명령 주입 가능성 확인
  • telnetd 서비스 존재 여부 확인

    • /bin/telnetd가 존재하므로 기본적으로 telnet 서비스가 활성화될 가능성
    • /etc/inittab, /etc/init.d/rcS 내 telnet 실행 여부 확인
  • 하드코딩된 계정 정보 및 취약한 암호화

    • /etc/passwd, /etc/shadow.sample 파일 확인
    • MD5 기반 해시 암호 포함 가능: 취약한 해시 알고리즘
  • 네트워크 서비스 점검

    • dnsmasq, iptables, pppd 등 네트워크 관련 설정 분석
    • DHCP, 방화벽 설정이 안전하게 구성되어 있는지 확인

취약점 분석 개시

Boa 및 웹 서버 측면

boa.conf

  • 웹 서버 실행 계정이 root

    • User root / Group root로 설정됨 → Boa 웹 서버가 root 권한으로 실행
    • Boa에서 발생한 취약점이 악용되면 시스템 전체가 위험해질 수 있음
    • Exploit 최우선 목표!
  • 문서 루트 (DocumentRoot /var/web)

    • 웹 파일이 /var/web 디렉토리에서 제공됨
    • 특정 맛있는 파일(예: .htpasswd)이 포함되었는지 확인 필요
      - 동적분석 세션에서 확인해보기
  • CGI 스크립트 실행 허용

    • ScriptAlias /cgi-bin/ /var/web/cgi-bin/
    • /var/web/cgi-bin/ 내부의 모든 스크립트가 실행 가능 → 명령 주입 가능성
  • CGI 실행 파일 확장자 허용

    • AddType application/x-httpd-cgi cgi
    • AddType application/x-httpd-cgi php
    • .cgi, .php 파일이 CGI로 실행됨 → 공격자가 악성 CGI 업로드 시 코드 실행 가능

cstecgi.cgi

  • 실행 바이너리 파일 (ELF 포맷)

    • cstecgi.cgi는 바이너리 실행 파일 (ELF 포맷)
    • 바이너리 내에서 문자열 추출 (strings cstecgi.cgi 수행 필요)
  • 의심스러운 문자열

    • ping -c 1 8.8.8.8 > /dev/null
      • 명령 주입 가능성 있음 (사용자 입력을 검증 없이 ping 실행할 경우 위험)
    • "topicurl":"setting/refineCSAuth"
    • getSysStatusCfg
    • http://www.carystudio.com/router/wechatmanage/routerurl?url=
      • 외부 URL이 포함됨 → 외부 서버 통신 기능이 있나?
  • 취약점 가능성

    • ping 명령을 포함하는 점에서, 명령 주입 (Command Injection) 취약점 가능성
    • 추가 분석 필요: strings, ghidra, gdb 등을 사용해 내부 로직 확인할 것

strings cstecgi.cgi로 검사

  1. 시스템 명령 실행 관련 함수
system
sprintf
strcpy
  • system() → 외부 명령어 실행 가능 (명령 주입 가능성)
  • sprintf() → 입력 검증 없이 문자열을 구성하면 취약 (버퍼 오버플로우 가능성)
  • strcpy() → 입력 크기 제한이 없다면 위험 (버퍼 오버플로우 가능성)
  1. JSON 관련 라이브러리 (libcjson.so)
cJSON_CreateObject
cJSON_Print
cJSON_Parse
cJSON_GetObjectItem
cJSON_GetArrayItem
cJSON_CreateString
cJSON_CreateNumber
cJSON_AddItemToObject
  • JSON 데이터를 다루는 코드가 포함됨 → 외부에서 JSON 데이터를 받아 처리하는 기능이 있을 가능성
  • cJSON_Parse() 사용 시, 입력값 검증이 없다면 JSON 인젝션 취약점이 발생할 수 있음
  1. 환경 변수 및 네트워크 입력 관련 문자열
CONTENT_LENGTH
REMOTE_ADDR
QUERY_STRING
http_host
  • 웹 서버에서 들어오는 HTTP 요청과 관련된 변수들 → CGI가 요청을 직접 처리하고 있을 가능성
  • QUERY_STRING → URL의 GET 파라미터를 직접 처리할 경우 명령 주입 가능성 높음
  1. 하드코딩된 외부 통신 URL
http://www.carystudio.com/router/wechatmanage/routerurl?url=
  • CGI가 외부 서버와 통신할 가능성이 있음
  • 공격자가 조작된 URL을 보낼 경우, 정보 유출 가능성이 있을 수 있음
  • 이 URL이 사용자 입력을 통해 동적으로 구성되는지 확인해야 함
  1. ping 명령어 실행 (명령 주입 가능성)
ping -c 1 8.8.8.8 > /dev/null
  • system("ping -c 1 8.8.8.8 > /dev/null") 같은 코드가 있는 경우
    - 입력값이 고정된 경우 문제없음
    - 만약 사용자 입력을 통해 대상 IP가 변경될 경우 명령 주입이 가능
    - 예를 들어, ping -c 1 8.8.8.8; rm -rf / 같은 입력이 들어가면 임의 명령어 실행 가능
    - 근데 뭐 저건 고정이겠지
  1. MAC 주소 및 네트워크 정보 관련 문자열
%02x:%02x:%02x:%02x:%02x:%02x
lanMac
lanIp
getSysStatusCfg
getCrpcConfig
  • MAC 주소 및 LAN IP를 조회하는 기능이 있을 가능성
  • 시스템 내부 정보를 노출하는 취약점이 있을 수 있음
  • 하드코딩 크레덴셜 하나 더 가나?

cstecgi.cgi 바이너리 리버싱

// Decompiler output (looks like IDA/Hex-Rays) for the CGI entry point; the odd
// getenv/strcpy/system argument types are decompiler artifacts, not source code.
// Visible flow: read the request body from stdin, optionally rewrap it as a JSON
// string depending on QUERY_STRING, parse it with cJSON, then answer the
// "getSysStatusCfg" or "getCrpcConfig" topic and print the JSON reply.
// Returns -1 when apmib_init() fails or the JSON does not parse; every other
// path ends in exit(0).
// NOTE(review): no session or authentication check is visible in this function
// before either topic is served; whether boa enforces one upstream is not shown.
int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v3; // $a1
  int v4; // $a2
  int v5; // $v0
  int v6; // $s1
  int v7; // $s2
  int v8; // $a2
  int v9; // $a1
  int v10; // $a2
  int v11; // $v0
  int v12; // $s2
  char *v13; // $s0
  int v14; // $s1
  int v15; // $a1
  int v16; // $a2
  int v17; // $s0
  int v18; // $s1
  int ArrayItem; // $a0
  int v20; // $s2
  int Object; // $s0
  int String; // $v0
  int v23; // $v0
  int v24; // $v0
  const char *v25; // $a1
  int v26; // $v0
  __int64 v27; // $v0
  int Number; // $v0
  int v29; // $v0
  int v30; // $s2
  unsigned int i; // $s3
  int v32; // $v0
  const char *v33; // $s2
  // v35..v40: six consecutive bytes filled by apmib_get(201, &v35) and printed as a MAC.
  unsigned __int8 v35; // [sp+28h] [-21DCh] BYREF
  unsigned __int8 v36; // [sp+29h] [-21DBh]
  unsigned __int8 v37; // [sp+2Ah] [-21DAh]
  unsigned __int8 v38; // [sp+2Bh] [-21D9h]
  unsigned __int8 v39; // [sp+2Ch] [-21D8h]
  unsigned __int8 v40; // [sp+2Dh] [-21D7h]
  // v41: 25 DWORDs = 100 bytes, reused as a general string scratch buffer below.
  _DWORD v41[25]; // [sp+68h] [-219Ch] BYREF
  _BYTE v42[100]; // [sp+CCh] [-2138h] BYREF
  char v43[100]; // [sp+130h] [-20D4h] BYREF
  char v44[100]; // [sp+194h] [-2070h] BYREF
  // v45: JSON wrapper built with sprintf; v46: raw request body read from stdin.
  _BYTE v45[4096]; // [sp+1F8h] [-200Ch] BYREF
  char v46[4096]; // [sp+11F8h] [-100Ch] BYREF
  const char *v47; // [sp+21F8h] [-Ch]

  v6 = getenv("stationIp", argv, envp);
  // NOTE(review): v5 is passed to strtol() with no NULL check, so a request
  // without CONTENT_LENGTH in the environment reaches strtol(NULL, ...).
  v5 = getenv("CONTENT_LENGTH", v3, v4);
  v7 = strtol(v5, 0, 10);
  puts("\n");
  if ( apmib_init() )
  {
    memset(v46, 0, sizeof(v46));
    // NOTE(review): as decompiled, this compares the ADDRESS of v46 with 0x1000,
    // not the content length, so the 4096 branch would always be taken. This is
    // probably a decompiler artifact for a length check - confirm in the disassembly.
    // Either way a 4096-byte read fills v46 completely and leaves no NUL terminator
    // for the %s uses of v46 further down.
    if ( (unsigned int)v46 >= 0x1000 )
      v8 = 4096;
    else
      v8 = v7 + 1;
    fread(v46, 1, v8, stdin);
    // The REMOTE_ADDR lookup result is discarded in this listing.
    if ( !v6 )
      getenv("REMOTE_ADDR", v9, v10);
    v11 = getenv("QUERY_STRING", v9, v10);
    v12 = v11;
    // v13 selects what gets parsed: the raw body (v46) unless one of the three
    // QUERY_STRING markers below rewraps it into v45.
    v13 = v46;
    if ( v11 )
    {
      v14 = strstr(v11, "CSAuthUrl=");
      if ( v14 )
      {
        v13 = v45;
        memset(v45, 0, sizeof(v45));
        // NOTE(review): everything after "CSAuthUrl=" in QUERY_STRING is copied with
        // an unbounded %s into the 4096-byte v45 - stack overflow candidate if the
        // query string can exceed the remaining space. The value is also not
        // JSON-escaped, so a '"' in it can change the structure of the document.
        sprintf(v45, "{\"topicurl\":\"setting/refineCSAuth\",\"CSAuthUrl\":\"%s\"}", v14 + 10);
      }
      else
      {
        v13 = v45;
        if ( strstr(v12, "CSAuth=login") )
        {
          memset(v45, 0, sizeof(v45));
          // NOTE(review): v46 can hold up to 4096 body bytes and is written, plus the
          // fixed JSON text, into the equally sized v45 with no bound or escaping.
          sprintf(v45, "{\"topicurl\":\"setting/formPostCSAuth\",\"CSAuthUrl\":\"%s\"}", v46);
        }
        else
        {
          v13 = v46;
          if ( strstr(v12, "action=login") )
          {
            v17 = strstr(v12, "flag=1");
            // NOTE(review): v47 is used as a %s argument below without a NULL check.
            v47 = (const char *)getenv("http_host", v15, v16);
            memset(v45, 0, sizeof(v45));
            // Both branches concatenate the body and http_host into v45 with the same
            // unbounded, unescaped sprintf pattern as above.
            if ( v17 )
            {
              sprintf(v45, "{\"topicurl\":\"setting/loginAuth\",\"loginAuthUrl\":\"%s&http_host=%s&flag=1\"}", v46, v47);
              v13 = v45;
            }
            else
            {
              v13 = v45;
              sprintf(v45, "{\"topicurl\":\"setting/loginAuth\",\"loginAuthUrl\":\"%s&http_host=%s\"}", v46, v47);
            }
          }
        }
      }
    }
    v18 = cJSON_Parse(v13);
    if ( v18 )
    {
      // 91 is '[': a top-level JSON array is unwrapped to its first element.
      if ( *v13 == 91 )
        ArrayItem = cJSON_GetArrayItem(v18, 0);
      else
        ArrayItem = v18;
      // NOTE(review): the lookup result is dereferenced at offset 16 (presumably the
      // item's string value on this 32-bit build - confirm) without a NULL check, so
      // a document with no "topicurl" key dereferences an invalid pointer.
      v20 = *(_DWORD *)(cJSON_GetObjectItem(ArrayItem, "topicurl") + 16);
      Object = cJSON_CreateObject();
      if ( strstr(v20, "getSysStatusCfg") )
      {
        // MIB 201 is formatted as six hex bytes and returned as "lanMac".
        apmib_get(201, &v35);
        sprintf(v41, "%02x:%02x:%02x:%02x:%02x:%02x", v35, v36, v37, v38, v39, v40);
        String = cJSON_CreateString(v41);
        cJSON_AddItemToObject(Object, "lanMac", String);
        // MIB 170 is converted with inet_ntoa() and returned as "lanIp".
        apmib_get(170, v41);
        v23 = inet_ntoa(v41[0]);
        strcpy((int)v41, v23);
        v24 = cJSON_CreateString(v41);
        v25 = "lanIp";
      }
      else
      {
        // Any other topic skips straight to printing the (empty) reply object.
        if ( !strstr(v20, "getCrpcConfig") )
          goto LABEL_31;
        // The command passed to system() is a string literal; no request data is
        // mixed into it on this path.
        strcpy((int)v41, (int)"ping -c 1 8.8.8.8 > /dev/null");
        v26 = system((int)v41);
        // sub_4012F8 is opaque here; its 64-bit result is handed to cJSON_CreateNumber
        // as two 32-bit halves (presumably an int-to-double conversion - confirm).
        v27 = sub_4012F8(v26 == 0);
        Number = cJSON_CreateNumber(v27, HIDWORD(v27));
        cJSON_AddItemToObject(Object, "status", Number);
        // NOTE(review): v42 is only written when fopen() succeeds; if the file is
        // missing, the strlen(v42) loop below runs over uninitialized stack bytes and
        // can copy more than 100 bytes into v44.
        v29 = fopen("/tmp/crpc_url", "r");
        v30 = v29;
        if ( v29 )
        {
          fgets(v42, 100, v29);
          fclose(v30);
        }
        memset(v44, 0, sizeof(v44));
        // Copy v42 into v44 up to the first newline (10 == '\n').
        for ( i = 0; i < strlen(v42); ++i )
        {
          v32 = (char)v42[i];
          if ( v32 == 10 )
            break;
          v44[i] = v32;
        }
        apmib_get(201, &v35);
        sprintf(v43, "%02x:%02x:%02x:%02x:%02x:%02x", v35, v36, v37, v38, v39, v40);
        // NOTE(review): v41 is 100 bytes, and the fixed URL prefix, "?mac=" and the
        // 17-character MAC already take about 82 of them, so a /tmp/crpc_url line
        // longer than roughly 17 characters overflows v41. What writes that file is
        // not shown in this function - trace it before rating the issue.
        sprintf(v41, "%s%s?mac=%s", "http://www.carystudio.com/router/wechatmanage/routerurl?url=", v44, v43);
        v24 = cJSON_CreateString(v41);
        v25 = "url";
      }
      // Shared tail of both topics: attach the last string built under key v25.
      cJSON_AddItemToObject(Object, v25, v24);
LABEL_31:
      // Serialize the reply to stdout, release the cJSON objects and exit.
      v33 = (const char *)cJSON_Print(Object);
      printf("%s", v33);
      cJSON_Delete(Object);
      cJSON_Delete(v18);
      free(v33);
      exit(0);
    }
  }
  return -1;
}
  • system()은 getCrpcConfig 처리 과정에서 호출
  • 요청 JSON의 topicurl 값에 getCrpcConfig가 포함되면 ping 명령이 실행되는 것으로 보임 (코드상 strstr 비교 대상은 QUERY_STRING 자체가 아니라 파싱된 topicurl 값인 v20)
  • 입력값이 system()으로 전달되기 전에 필터링이 없을 경우, 명령 주입 가능성 존재

상세 분석

// Excerpt from main(): v20 is the "topicurl" string read from the parsed JSON
// request, not QUERY_STRING itself.
if (strstr(v20, "getCrpcConfig"))  // taken when topicurl contains "getCrpcConfig"
{
    // The command is a string literal copied into v41; no request data is mixed in.
    strcpy((int)v41, (int)"ping -c 1 8.8.8.8 > /dev/null");
    v26 = system((int)v41);  // system() runs the fixed command above
}
  • 파싱된 JSON의 topicurl 값(v20)에 "getCrpcConfig" 문자열이 포함된 경우 (비교 대상은 QUERY_STRING 자체가 아님)
    - system("ping -c 1 8.8.8.8 > /dev/null"); 실행
  • "ping -c 1 8.8.8.8" 같은 정적인 명령을 실행하면 원래는 안전
    • system() 실행 전에 사용자 입력값을 조작할 수 있다면, 명령 주입이 가능할 수도 있음
    • 뭔가 될 거 같아서 못 놓겠다

취약점 가능성 분석

v11 = getenv("QUERY_STRING");  // fetch the HTTP query string
...
// NOTE(review): the lookup result is dereferenced at +16 without a NULL check;
// a request whose JSON has no "topicurl" key reaches this with an invalid pointer.
v20 = *(_DWORD *)(cJSON_GetObjectItem(ArrayItem, "topicurl") + 16);  // read "topicurl" from the JSON
if (strstr(v20, "getCrpcConfig"))  // check for a "getCrpcConfig" request
{
    // Fixed literal command: nothing from QUERY_STRING or the JSON reaches system().
    strcpy((int)v41, (int)"ping -c 1 8.8.8.8 > /dev/null");
    v26 = system((int)v41);
}
  • system()에 전달되는 명령어는 하드코딩된 "ping -c 1 8.8.8.8 > /dev/null" 문자열

    • 사용자의 입력값 (QUERY_STRING)이 system() 인자로 직접 연결되지 않음
    • 즉, 외부에서 직접 명령어 삽입이 불가능
  • QUERY_STRING을 이용해 system()을 우회할 가능성

    • "getCrpcConfig" 값을 조작해도, "ping -c 1 8.8.8.8 > /dev/null" 명령 자체를 변경할 방법이 없음

cJSON_Parse

v18 = cJSON_Parse(v13);
  • v13에 저장된 JSON을 직접 파싱.
  • JSON 데이터를 통한 인젝션 공격 가능성 확인 필요

apmib_get

목표
  • apmib_get(201, &v35); 와 apmib_get(170, v41); 의 역할 확인
  • 기기에서 민감한 정보(예: MAC 주소, LAN IP 등)가 노출될 가능성이 있는지 분석
  • apmib_get()이 특정 입력값과 연결될 수 있는지 확인
호출/사용 흐름 분석
// Excerpt from main(): reply path for a topicurl containing "getSysStatusCfg".
// No authentication check is visible in this excerpt; whether one is enforced
// before the CGI runs has to be confirmed separately.
if ( strstr(v20, "getSysStatusCfg") )
{
    // MIB 201 fills six bytes starting at v35, formatted as a MAC and returned as "lanMac".
    apmib_get(201, &v35);
    sprintf(v41, "%02x:%02x:%02x:%02x:%02x:%02x", v35, v36, v37, v38, v39, v40);
    String = cJSON_CreateString(v41);
    cJSON_AddItemToObject(Object, "lanMac", String);
    
    // MIB 170 is converted with inet_ntoa() and later added to the reply as "lanIp".
    apmib_get(170, v41);
    v23 = inet_ntoa(v41[0]);
    strcpy((int)v41, v23);
    v24 = cJSON_CreateString(v41);
    v25 = "lanIp";
}
문제점 예상
  • apmib_get(201, &v35); → LAN MAC 주소를 가져옴
  • apmib_get(170, v41); → LAN IP 주소를 가져옴
  • MAC 및 IP 정보를 JSON 응답으로 반환함
  • "getSysStatusCfg" 요청이 들어오면 MAC 주소 및 IP가 노출될 가능성?
검증할 사항
  • "getSysStatusCfg" 요청을 보내면 인증 없이 MAC/IP 정보를 받을 수 있는지 확인
  • apmib_get()이 QUERY_STRING 같은 외부 입력값을 기반으로 다른 민감한 데이터를 반환할 가능성이 있는지 분석
  • MAC/IP 외에도 추가적으로 apmib_get()을 통해 반환되는 민감 정보가 있는지 조사

동적 분석 세션으로 이전

telnetd 서비스 존재 여부 확인

  1. /bin/telnetd 파일이 존재하는 것을 확인
  2. 다만 telnetd 바이너리가 존재한다고 해서 서비스가 실행된다는 보장은 없음
  3. 실행 여부를 확인하기 위해 시작 스크립트 및 init 설정을 확인하자

startup.sh 및 init 스크립트에서 telnetd 호출 여부 확인

startup.sh

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./bin/startup.sh | grep TELNET
        flash set TELNET_ENABLED 1
┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./bin/startup.sh              
#!/bin/sh
#
# script file to startup
#
# Validates the stored configuration areas with the `flash` tool and rewrites
# whichever one fails its check, then sets the time and enables storm control.

# Shorthand for the flash sub-commands used below.
TOOL=flash
GETMIB="$TOOL get"
LOADDEF="$TOOL default-hw"
LOADDEFDPKHW="$TOOL default-dpk"
LOADDEFSW="$TOOL default-sw"
LOADDS="$TOOL reset1"
LOADWC="$TOOL write-current"

# Hardware configuration check; rewritten with defaults on failure.
$TOOL test-hwconf
if [ $? != 0 ]; then
        echo 'HW configuration invalid, write default hw!'
        $LOADDEF
fi

# DPK configuration check; reset on failure.
$TOOL test-dpkconf
if [ $? != 0 ];then
        echo 'DPK configuration invalid, reset dpk!'
        $LOADDEFDPKHW
fi

# Default-settings check. If it fails AND the current settings also fail, the
# software defaults are reloaded and a handful of MIB values are forced;
# if only the defaults are bad, the current settings are written over them.
$TOOL test-dsconf
if [ $? != 0 ]; then
$TOOL test-csconf
if [ $? != 0 ]; then
        echo 'Default configuration invalid, reset default!'
        $LOADDEFSW
        flash set WAN_DHCP 1
        # NOTE(review): this recovery path stores TELNET_ENABLED=1. The script only
        # writes the setting; which component reads it and starts telnetd is not
        # shown here and should be traced (e.g. in init.sh) before drawing conclusions.
        # The trailing "//..." text on the next line is the article author's
        # annotation ("telnet auto-start part"), not shell comment syntax.
        flash set TELNET_ENABLED 1    //telnet 자동 실행 부분
        flash set PRODUCTION_CHECKOUT 1
        flash set CWMP_FLAG 0
        flash set CWMP_ENABLED 0

else
        echo 'Default configuration invalid, write current configuration to default configuration!'
        $LOADWC
fi

fi
# Current-settings check; reset to the default configuration on failure.
$TOOL test-csconf
if [ $? != 0 ]; then
        echo 'Current configuration invalid, reset to default configuration!'
        $LOADDS
fi

# Set the time once; the marker file suppresses it on later runs.
if [ ! -e "/var/system/set_time" ]; then
        flash settime
fi

# Enable Multicast and Broadcast Storm control and disable it in post_startup.sh
echo "1 3" > /proc/StormCtrl
  • 펌웨어 설정에 TELNET_ENABLED 값을 1로 설정하는 코드
  • 단순 설정값 변경이며, 직접 telnetd를 실행하는 명령어는 아님

사용자가 flash 설정을 변경하면 telnetd가 활성화될 가능성?
TELNET_ENABLED 1 설정이 의미하는 바가 무엇인가

rcS

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/init.d/rcS | grep telnet
# telnetd &
┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/init.d/rcS              
#!/bin/sh

ifconfig lo 127.0.0.1

CINIT=1

hostname rlx-linux

mount -t proc proc /proc
mount -t ramfs ramfs /var
if [ -d "/hw_setting" ];then
    mount -t yaffs2 -o tags-ecc-off -o inband-tags /dev/mtdblock1 /hw_setting
fi

mkdir /var/tmp
mkdir /var/web
mkdir /var/log
mkdir /var/run
mkdir /var/lock
mkdir /var/system
mkdir /var/dnrd
mkdir /var/avahi
mkdir /var/dbus-1
mkdir /var/run/dbus
mkdir /var/lib
mkdir /var/lib/misc
mkdir /var/home
mkdir /var/root
mkdir /var/tmp/net
###for tr069
mkdir /var/cwmp_default
mkdir /var/cwmp_config

if [ ! -f /var/cwmp_default/DefaultCwmpNotify.txt ]; then
        cp -p /etc/DefaultCwmpNotify.txt /var/cwmp_default/DefaultCwmpNotify.txt 2>/dev/null
fi

##For miniigd
mkdir /var/linuxigd
cp /etc/tmp/pics* /var/linuxigd 2>/dev/null

##For pptp
mkdir /var/ppp
mkdir /var/ppp/peers

#smbd
mkdir /var/config
mkdir /var/private
mkdir /var/tmp/usb
mkdir /var/tmp/mmc

#snmpd
mkdir /var/net-snmp

cp /bin/pppoe.sh /var/ppp/true
echo "#!/bin/sh" > /var/ppp/true
#echo "PASS"     >> /var/ppp/true

#for console login
cp /etc/shadow.sample /var/shadow

#for weave
cp /etc/avahi-daemon.conf /var/avahi

cp -rf /etc/boa.org /var/boa
cp -rf /web/* /var/web/


#extact web pages
cd /web
#flash extr /web
cd /
 
mkdir -p /var/udhcpc
mkdir -p /var/udhcpd
cp /bin/init.sh /var/udhcpc/eth0.deconfig
echo " " > /var/udhcpc/eth0.deconfig
cp /bin/init.sh /var/udhcpc/eth1.deconfig
echo " " > /var/udhcpc/eth1.deconfig
cp /bin/init.sh /var/udhcpc/br0.deconfig
echo " " > /var/udhcpc/br0.deconfig
cp /bin/init.sh /var/udhcpc/wlan0.deconfig
echo " " > /var/udhcpc/wlan0.deconfig

if [ "$CINIT" = 1 ]; then
startup.sh
fi

# for wapi certs related
mkdir /var/myca
# wapi cert(must done before init.sh)
cp -rf /usr/local/ssl/* /var/myca/ 2>/dev/null
# loadWapiFiles >/dev/null 2>&1
 
# for wireless client mode 802.1x
mkdir /var/1x
cp -rf /usr/1x/* /var/1x/ 2>/dev/null
mkdir /var/openvpn
cp -rf /usr/share/openvpn/* /var/openvpn 2>/dev/null
 
# Start system script
ls /bin/watchdog > /dev/null && watchdog 1000&
init.sh gw all
 
# modify dst-cache setting
echo "24576" > /proc/sys/net/ipv4/route/max_size
echo "180" > /proc/sys/net/ipv4/route/gc_thresh
echo 20 > /proc/sys/net/ipv4/route/gc_elasticity
# echo 35 > /proc/sys/net/ipv4/route/gc_interval
# echo 60 > /proc/sys/net/ipv4/route/secret_interval
# echo 10 > /proc/sys/net/ipv4/route/gc_timeout
 
# echo "4096" > /proc/sys/net/nf_conntrack_max
echo "18000" > /proc/sys/net/netfilter/nf_conntrack_max   #IP04442(8M/64M) 18000  16M/128M 32000     IP04443 23000
echo "600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo "20" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
echo "20" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
echo "90" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
echo "120" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
echo "90" > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
# echo "1048576" > /proc/sys/net/ipv4/rt_cache_rebuild_count
echo "32" > /proc/sys/net/netfilter/nf_conntrack_expect_max

# modify IRQ Affinity setting
echo "3" > /proc/irq/33/smp_affinity
echo "1" > /proc/sys/net/ipv4/neigh/default/gc_thresh1

#echo 1 > /proc/sys/net/ipv4/ip_forward #don't enable ip_forward before set MASQUERADE
#echo 2048 > /proc/sys/net/core/hot_list_length

# start web server

boa
post_startup.sh

# telnetd &
  • telnetd &가 주석 처리됨

inittab

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/inittab | grep telnet
┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/inittab              
# Boot-time system configuration/initialization script.
::sysinit:/etc/init.d/rcS

# Start an "askfirst" shell on the console (whatever that may be)
#::askfirst:-/bin/sh
#::respawn:-/bin/sh

# Start an "askfirst" shell on /dev/tty2-4
#tty2::askfirst:-/bin/sh
#tty3::askfirst:-/bin/sh
#tty4::askfirst:-/bin/sh
  • inittab 파일에서 telnetd 실행을 제어하는 항목 없음
  • 만약 telnetd가 실행된다면, rcS 또는 startup.sh에서 실행될 가능성이 높음

스크립트 추가 분석 - telnet에 대하여

post_startup.sh

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./bin/post_startup.sh              
#!/bin/sh
#
echo "200 3" > /proc/StormCtrl
echo "Startup Ok"
  • telnetd 관련 내용 일체 존재하지 않음

flash get TELNET_ENABLED 관련 코드 확인

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ grep -rn "TELNET_ENABLED" ./bin

./bin/startup.sh:33:    flash set TELNET_ENABLED 1

중간정리

  • startup.sh에서 flash set TELNET_ENABLED 1 설정

    • TELNET_ENABLED 값을 1로 설정하지만,
    • ./bin 안에서 이 문자열을 포함하는 다른 스크립트·바이너리는 grep으로 발견되지 않음
  • post_startup.sh에서 telnetd 실행 코드 없음

    • post_startup.sh는 시스템 부팅 후 실행되지만,
    • telnetd를 실행하는 코드가 전혀 없음
  • TELNET_ENABLED을 참조하는 코드는 문자열 검색으로는 발견되지 않음

    • flash set TELNET_ENABLED 1은 존재하지만,
    • 이 값을 읽어 telnetd를 실행하는 스크립트나 바이너리는 문자열 검색만으로는 찾지 못함 (Realtek SDK 계열은 보통 설정값을 숫자 MIB ID로 조회하므로, 문자열이 없다고 해서 참조가 없다고 단정할 수는 없음)
  • rcS에서 telnetd &가 주석 처리됨

    • 원래 rcS에서 telnetd를 실행할 수 있었지만, 현재는 비활성화된 상태

현재 펌웨어 버전에서는 telnetd가 기본적으로 실행되지 않음
하지만 에뮬레이팅 환경에서는 telnet 포트가 기본적으로 개방됨
TELNET_ENABLED 설정이 어디선가 참조될 가능성?

TELNET_ENABLED을 참조하는 바이너리 조사

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ grep -rn "TELNET_ENABLED"      
bin/startup.sh:33:      flash set TELNET_ENABLED 1
grep: lib/libapmib.so: binary file matches
  • lib/libapmib.so 바이너리 내부에 TELNET_ENABLED 문자열이 포함
    - libapmib.so가 TELNET_ENABLED 값을 참조할 가능성이 있음을 의미
    - libapmib.so가 apmib_get()과 같은 설정 관련 함수들을 포함할 가능성
┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ grep -r "telnet" .    
grep: ./bin/sysconf: binary file matches
grep: ./bin/timelycheck: binary file matches
grep: ./bin/busybox: binary file matches
grep: ./lib/libcrypto.so.1.0.0: binary file matches
./etc/init.d/rcS:# telnetd &
./etc/init.d/rcS_GW:# telnetd &
./etc/services:telnet   23/tcp
./etc/services:telnet   23/udp
./etc/services:rtelnet  107/tcp
./etc/services:rtelnet  107/udp
./etc/services:telnets  992/tcp
./etc/services:telnets  992/udp
./web/js/language_tc.js:var menu_telnet= 'Telnet功能';
./web/js/language_tc.js://syscmd_telnet
./web/js/language_tc.js:var syscmd_telnet='本頁面用於打開或關閉Telnet功能。';
./web/js/language_ru.js://syscmd_telnet
./web/js/language_ru.js:var syscmd_telnet='Эта страница позволяет включать и выключать функцию Telnet.';
./web/js/language_sc.js://syscmd_telnet
./web/js/language_sc.js:var syscmd_telnet='本页面用于打开或关闭Telnet功能。';
./web/js/language_vn.js://syscmd_telnet
./web/js/language_vn.js:var syscmd_telnet='Trang này được sử dụng để bật hoặc tắt chức năng Telnet.';
./web/js/language_en.js:var menu_telnet='Function of Telnet';
./web/js/language_en.js://syscmd_telnet
./web/js/language_en.js:var syscmd_telnet='This page is used for Open Telnet.';
./web/js/language_ua.js://syscmd_telnet
./web/js/language_ua.js:var syscmd_telnet='Ця сторінка дозволяє вмикати та вимимкати Telnet.';
  • sysconf, timelycheck, busybox 바이너리에서 telnet 문자열 발견
    - 이 바이너리들이 telnet 기능과 관련이 있을 가능성이 있음을 의미
    - 특히 sysconf와 timelycheck가 telnetd 실행을 제어할 수 있을 것으로 보임

  • rcS에서 telnetd &가 주석 처리
    - 기본적으로 telnetd는 실행되지 않음
    - rcS가 아닌 다른 지점에 주안점 두고 탐색 해보기

  • 웹 인터페이스(JavaScript 파일)에서 telnet 설정 관련 UI 존재
    - /web/js/language_en.js 등 다국어 파일에서 syscmd_telnet 변수가 포함
    - "This page is used for Open Telnet." 같은 문구가 존재
    - 웹 UI에서 telnet 활성화 기능이 있을 가능성
    - 이 페이지는 어디서 보지

참조 바이너리 - telnet 분석

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ strings ./lib/libapmib.so | grep TELNET

TELNET_ENABLED

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ strings ./bin/sysconf | grep telnet
telnetd & >/dev/null 2>&1

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ strings ./bin/timelycheck | grep telnet
telnetd & >/dev/null 2>&1

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ strings ./bin/busybox | grep telnet
telnetd
  • libapmib.so에서 TELNET_ENABLED 문자열 존재

    • libapmib.so가 TELNET_ENABLED 값을 참조하는 기능을 포함할 가능성
    • apmib_get()을 통해 TELNET_ENABLED 값이 조회될 수 있음을 의미
    • 하지만 어떤 바이너리에서 이 값을 조회하는지 확인이 필요 (Realtek SDK의 apmib_get()은 보통 문자열이 아닌 숫자 MIB ID를 인자로 받으므로, 호출 측 바이너리는 문자열 검색이 아니라 디스어셈블로 확인해야 함)
  • sysconf와 timelycheck 바이너리에서 telnetd 실행 코드 발견

telnetd & >/dev/null 2>&1
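  • 백그라운드에서 telnetd를 실행하면서 출력 및 오류 메시지를 제거하려는 의도로 보이는 명령
    - telnetd & : 백그라운드에서 Telnet 서버 데몬을 실행
    - >/dev/null : Stdout을 /dev/null로 보내서 화면에 출력되지 않도록 함
    - /dev/null : 리눅스의 쓰레기통 역할을 하는 특수한 장치 파일
    - 2>&1 : 2번 출력(Stderr)을 1번 출력(Stdout)과 동일한 곳(/dev/null)으로 보냄
    - 단, 셸에서 &는 명령을 끝내는 구분자이므로 그 뒤에 오는 리디렉션은 telnetd가 아니라 빈 명령에 적용됨. 즉 이 문자열 그대로라면 telnetd의 출력은 실제로는 리디렉션되지 않음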

  • sysconf, timelycheck가 telnetd를 실행할 가능성이 있음

  • 하지만 실제 실행 조건이 어떻게 되는지 확인 필요
    - 예: 특정 설정값이 있어야 할 수도 - startup.sh의 enable 값이 이건가?

  • busybox에서 telnetd 존재

    • busybox 자체에 telnetd 바이너리가 포함되어 있음
    • 즉, telnetd 실행 시 busybox의 내장 기능을 통해 동작할 가능성?

telnetd 활성화 조건 분석 필요

sysconf, timelycheck 내부에서 TELNET_ENABLED 검사 여부 확인

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ strings ./bin/sysconf | grep TELNET

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ strings ./bin/timelycheck | grep TELNET

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ readelf -s ./bin/sysconf | grep apmib

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ readelf -s ./bin/timelycheck | grep apmib
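  • sysconf, timelycheck에서 TELNET_ENABLED 문자열은 발견되지 않음

    • grep 결과 없음 (설정값을 숫자 MIB ID로 조회한다면 문자열이 없어도 참조는 가능)
  • sysconf, timelycheck의 심볼 목록에서 apmib 관련 항목이 확인되지 않음

    • grep 결과 없음. 다만 이 펌웨어의 cstecgi.cgi처럼 섹션 헤더가 없는 바이너리라면 readelf -s 출력 자체가 비어 있을 수 있으므로, readelf -d의 NEEDED 항목(libapmib.so 링크 여부)으로 다시 확인할 필요가 있음
  • sysconf, timelycheck에 telnetd & 실행 코드가 존재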

    • 이 실행 코드가 어떤 조건에서 실행되는지 확인하지 못함
    • 현재로서는 조건 없이 실행될 수도 있고, 다른 내부 로직에 의해 결정될 수도 있음

결산

  • 기본적으로는 telnetd가 실행되지 않음
  • sysconf 또는 timelycheck에 telnetd를 실행하는 로직이 숨겨져 있을 가능성
  • 차후 동적분석 세션에서 검증 필요

하드코딩된 계정 정보 및 취약한 암호화

/etc/passwd, /etc/shadow, shadow.sample 파일 확인

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/passwd

root:x:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/shadow

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/shadow.sample 
root:$1$AhUF3wyf$avFO3rhLHOKiDlJu9f4X8/:14587:0:99999:7:::
nobody:*:14495:0:99999:7:::
  • /etc/passwd 파일에서 root 계정과 nobody 계정이 존재
    - root:x:0:0:root:/:/bin/sh → 두 번째 필드 x는 암호가 shadow 파일에 저장됨을 의미
    - nobody:x:0:0:nobody:/:/dev/null → 로그인 셸은 /dev/null이지만 UID/GID가 0이므로 권한상으로는 root와 동일한 계정
  • /etc/shadow는 비어 있음
    - rcS에서 cp /etc/shadow.sample /var/shadow (#for console login)를 수행하므로, 부팅 시 shadow.sample의 내용이 로그인용 shadow로 쓰이는 것으로 보임
  • /etc/shadow.sample에 root 계정의 해시된 암호 존재
    - root:$1$AhUF3wyf$avFO3rhLHOKiDlJu9f4X8/
    - $1$ : md5crypt(MD5 기반 crypt) 사용
    - AhUF3wyf : salt
    - avFO3rhLHOKiDlJu9f4X8/ : 해시 값

해시 값 크랙 시도

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ echo '$1$AhUF3wyf$avFO3rhLHOKiDlJu9f4X8/' > hash.txt

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ john --format=md5crypt hash.txt

Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
123456           (?)     
1g 0:00:00:00 DONE 2/3 (2025-02-22 02:53) 50.00g/s 9600p/s 9600c/s 9600C/s 123456..knight
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
  • 보안상 매우 취약한 기본 비밀번호 (123456) 사용이 확인
  • 암호 해싱 알고리즘도 MD5-Crypt ($1$)로 매우 취약

웹 UI 또는 기타 서비스에서 기본 계정 사용 여부 확인

grep -rEi 'admin|password|root' ./web
grep -rEi 'passwd|login|root' ./web/cgi-bin

결과는 너무 길어서 생략

  • 웹 UI에서 admin 계정이 기본값으로 설정
    - ./web/login.htm과 ./web/mobile/login.asp에서 username=admin 하드코딩 확인
<input type="hidden" id="username" name="username" value="admin">
  • 웹 UI에 비밀번호 필드 존재 (password, userpass 등)
    - admin 계정과 함께 userpass 필드가 존재함 - admin? 123456?
<input type="password" id="userpass" name="password" maxlength="15">
  • 웹 UI forgot password 페이지에서 admin:admin이 기본값
    - "Default User Password"라는 변수 확인: 기본 계정 설정 가능성
<h5><script>dw(MB_def_name)</script>:admin</h5>
<h5><script>dw(MB_def_pass)</script>:admin</h5>
  • 웹 UI에서 관리자 비밀번호 설정 가능 (password.htm에서 /boafrm/formPasswordSetup 실행)
    - /boafrm/formPasswordSetup을 호출하여 관리자가 비밀번호를 변경 가능함
<form action=/boafrm/formPasswordSetup method=POST name="password">
  • 웹 UI에서 인증 없이 cstecgi.cgi 호출 가능할 가능성
    - ./web/cgi-bin/cstecgi.cgi 파일에서 하드코딩된 login, passwd, root 문자열 포함
    - CGI 파일이 보안 검증 없이 실행될 경우, 인증 우회 가능성이 존재

취약점 후보 찔러보기

kali@kali:~/Desktop$ curl "http://192.168.0.1/cgi-bin/cstecgi.cgi"
<HTML><HEAD><TITLE>502 Bad Gateway</TITLE></HEAD>
<BODY><H1>502 Bad Gateway</H1>
The CGI was not CGI/1.1 compliant.
</BODY></HTML>

kali@kali:~/Desktop$ curl -X POST "http://192.168.0.1/cgi-bin/cstecgi.cgi" -d "username=admin&password=admin"


kali@kali:~/Desktop$ curl "http://192.168.0.1/cgi-bin/cstecgi.cgi?username=admin&password=123456"
<HTML><HEAD><TITLE>502 Bad Gateway</TITLE></HEAD>
<BODY><H1>502 Bad Gateway</H1>
The CGI was not CGI/1.1 compliant.
</BODY></HTML>

kali@kali:~/Desktop$ curl -b "username=admin; password=admin" "http://192.168.0.1/admin/dashboard.htm"
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>404 Not Found</H1>
The requested URL /admin/dashboard.htm was not found on this server.
</BODY></HTML>
  • cstecgi.cgi 실행이 차단되었거나, 웹서버 환경이 문제?

502 Bad Gateway 문제 해결 시도

kali@kali:~/Desktop$ curl -I "http://192.168.0.1/cgi-bin/cstecgi.cgi"
HTTP/1.1 502 Bad Gateway
Date: Sat, 31 Oct 2020 18:01:10 GMT
Server: Boa/0.94.14rc21
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1
  • 웹서버는 Boa/0.94.14rc21 를 사용 중
  • CGI 요청이 처리되지 않아 502 Bad Gateway 반환됨
  • 서버가 cgi-bin/ 디렉토리를 제대로 실행하지 못하고 있을 가능성 큼

cgi 설정 파일 점검

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/boa.org/boa.conf | grep -i "ScriptAlias"

# Redirect, Alias, and ScriptAlias all have the same semantics -- they
# Redirect for other servers, Alias for the same server, and ScriptAlias
# ScriptAlias: Maps a virtual path to a directory for serving scripts
# Example: ScriptAlias /htbin/ /www/htbin/
ScriptAlias /cgi-bin/ /var/web/cgi-bin/

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ cat ./etc/boa.org/boa.conf | grep -i "ExecCGI"

  
  • boa.conf에서 CGI 디렉토리는 /var/web/cgi-bin/으로 설정
    - http://192.168.0.1/cgi-bin/cstecgi.cgi 요청이 /var/web/cgi-bin/cstecgi.cgi를 실행하도록 지정됨을 의미
ScriptAlias /cgi-bin/ /var/web/cgi-bin/
  • ExecCGI 관련 설정이 없음: CGI 실행이 제한될 수도
    - 일부 웹서버(예: Apache)에서는 ExecCGI가 활성화되지 않으면 CGI 실행이 차단
    - 하지만 Boa는 ExecCGI가 필수 설정은 아니므로, 직접적인 원인은 아닐 수도 있음

cgi 스크립트 자체 점검

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ ls -lah ./web/cgi-bin/cstecgi.cgi

-rwxr-xr-x 1 kali kali 5.9K May 31  2023 ./web/cgi-bin/cstecgi.cgi

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ file ./web/cgi-bin/cstecgi.cgi

./web/cgi-bin/cstecgi.cgi: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, no section header
  • cstecgi.cgi는 실행 권한(-rwxr-xr-x)을 가지고 있음

    • 즉 웹서버(Boa)는 이 파일을 실행할 수 있는 상태라는 것
  • cstecgi.cgi는 MIPS 아키텍처의 ELF 바이너리이며, uClibc를 사용하여 동적으로 링크
    - 라우터 내에서 uClibc 또는 필요한 라이브러리가 없기 때문?
    - 근데 라이브러리는 건든 거 없을텐데

직접 실행 시도 - telnet

kali@kali:~/Desktop$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

rlx-linux login: user 
Password: 
Login incorrect
rlx-linux login: root
Password: 
RLX Linux version 2.0
         _           _  _
        | |         | ||_|                 
   _  _ | | _  _    | | _ ____  _   _  _  _ 
  | |/ || |\ \/ /   | || |  _ \| | | |\ \/ /
  | |_/ | |/    \   | || | | | | |_| |/    \
  |_|   |_|\_/\_/   |_||_|_| |_|\____|\_/\_/

For further information check:
http://processor.realtek.com/
#
  • root:123456 으로 telnet 접속 성공 (아래 ls 결과에 firmadyne 디렉터리가 보이므로 에뮬레이션 환경에서의 결과이며, 실기기에서 telnet 포트가 열려 있는지는 별도 확인 필요)
# ls
bin         etc_ro      lib         root        usr
boot        firmadyne   lost+found  run         var
dev         home        mnt         sys         web
etc         init        proc        tmp
# cd ./var/web/cgi-bin/
# ./cstecgi.cgi 
Segmentation fault
  • ...?
  • 502 Bad Gateway는 웹서버가 cstecgi.cgi를 실행하려다 segfault로 실패했기 때문일 가능성이 높음 (셸에서의 직접 실행은 CGI 환경변수가 없는 상태라 웹서버 경유 실행과 조건이 다르므로 아직 추정임)

segmentation fault의 원인 분석

# strace -f ./cstecgi.cgi
-sh: strace: not found

┌──(kali㉿kali)-[~/…/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root/web/cgi-bin]
└─$ ldd ./cstecgi.cgi

        not a dynamic executable
  • 라우터에 strace가 설치되지 않음
    - 이건 뭐 예상함

  • not a dynamic executable
    - 앞서 file 결과는 dynamically linked(interpreter /lib/ld-uClibc.so.0)였으므로, 정적으로 컴파일된 실행 파일이라는 뜻이 아님
    - 호스트(Kali)의 ldd가 다른 아키텍처(MIPS)의 ELF를 처리하지 못해 이 메시지를 출력한 것으로 보임
    - 필요한 라이브러리는 readelf -d의 NEEDED 항목으로 확인 가능하며, 실행하자마자 발생하는 Segmentation Fault의 원인은 아직 특정되지 않음
    - ㅅ발 뭔데

더 괴롭혀보기

# echo "A" x 5000 | ./cstecgi.cgi
Segmentation fault
# export CONTENT_LENGTH=5000
# echo "A" x 5000 | ./cstecgi.cgi


# 
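  • 위 명령의 echo "A" x 5000은 A를 5000번 반복하지 않고 문자열 "A x 5000"을 그대로 출력하므로, 실제로 전달된 입력은 몇 바이트에 불과함

    • 입력 없이 실행했을 때도 동일하게 Segmentation fault가 발생했으므로, 이 결과만으로 긴 입력에 의한 버퍼 오버플로우(BOF)를 판단할 수는 없음
    • BOF 존재 여부는 디스어셈블로 입력 길이 검증 로직을 확인해야 결론 가능
  • CONTENT_LENGTH=5000을 설정한 후 실행했을 때는 Segmentation Fault 발생 안함

    • 크래시 여부를 가른 것은 입력 길이가 아니라 CONTENT_LENGTH 환경변수의 존재 여부로 보임
    • CGI 환경변수가 없는 상태에서 getenv() 결과(NULL)를 검사 없이 사용했을 가능성이 있음 (앞선 curl 테스트에서 GET은 502, POST는 빈 응답이었던 것과도 일치) — 디스어셈블로 확인 필요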

로그인 인증 우회

직접 요청으로 비밀번호 변경 시도

curl -X POST "http://192.168.0.1/boafrm/formPasswordSetup" -d "Cpassword=oldpassword&newPass=123456&confPass=123456"
kali@kali:~/Desktop$ curl -X POST "http://192.168.0.1/boafrm/formPasswordSetup" -d "Cpassword=oldpassword&newPass=123456&confPass=123456"
<HTML><HEAD></HEAD>
<BODY>
<H1>302 Redirect</H1>The document has moved
<A HREF="login.htm?t=1604167144611">here</A>.
</BODY></HTML>
  • 302 리디렉트 발생
  • 요청이 차단된 것으로 간주

Referer를 임의 값으로 설정해 직접 요청 보내기 (CSRF 우회 가능성 확인)

curl -X POST "http://192.168.0.1/boafrm/formPasswordSetup" -H "Referer: http://malicious.com" -d "Cpassword=oldpassword&newPass=123456&confPass=123456"
kali@kali:~/Desktop$ curl -X POST "http://192.168.0.1/boafrm/formPasswordSetup" -H "Referer: http://malicious.com" -d "Cpassword=oldpassword&newPass=123456&confPass=123456"
<HTML><HEAD></HEAD>
<BODY>
<H1>302 Redirect</H1>The document has moved
<A HREF="login.htm?t=1604167887349">here</A>.
</BODY></HTML>
  • Referer 값을 임의로 설정한 상태에서도 여전히 302 Redirect가 발생
  • CSRF 보호 기능이 있는지 확실하지 않지만, 적어도 요청이 실패한 것은 분명

관리자 계정 없이 새로운 비밀번호 설정 시도

curl -X POST "http://192.168.0.1/boafrm/formPasswordSetup" -d "newPass=123456&confPass=123456"
kali@kali:~/Desktop$ curl -X POST "http://192.168.0.1/boafrm/formPasswordSetup" -d "newPass=123456&confPass=123456"
<HTML><HEAD></HEAD>
<BODY>
<H1>302 Redirect</H1>The document has moved
<A HREF="login.htm?t=1604167945294">here</A>.
</BODY></HTML>
  • 비밀번호를 변경하려면 추가적인 인증이 필요한 것으로 보임
  • 변경 요청에 Cpassword(기존 비밀번호)를 생략해도 같은 결과 발생
  • 인증 없이 비밀번호를 변경하는 것은 불가능한 것으로 결론

세션 없이 관리자 패널 직접 접근 시도

curl -b "username=admin; password=123456" "http://192.168.0.1/admin/dashboard.htm"
kali@kali:~/Desktop$ curl -b "username=admin; password=123456" "http://192.168.0.1/admin/dashboard.htm"
<HTML><HEAD></HEAD>
<BODY>
<H1>302 Redirect</H1>The document has moved
<A HREF="login.htm?t=160416806245">here</A>.
</BODY></HTML>
  • 세션 없이 관리자 페이지에 접근하는 것은 불가능

로그인 없이 직접 관리자 페이지 접근 시도

curl -X GET "http://192.168.0.1/admin/dashboard.htm"
kali@kali:~/Desktop$ curl -X GET "http://192.168.0.1/admin/dashboard.htm"
<HTML><HEAD></HEAD>
<BODY>
<H1>302 Redirect</H1>The document has moved
<A HREF="login.htm?t=1604168208867">here</A>.
</BODY></HTML>
  • 로그인 없이 관리자 페이지에 접근하는 것은 불가능

캐시된 세션 재사용 가능성 확인

curl -X GET "http://192.168.0.1/admin/dashboard.htm" -H "Cache-Control: no-cache"
kali@kali:~/Desktop$ curl -X GET "http://192.168.0.1/admin/dashboard.htm" -H "Cache-Control: no-cache"
<HTML><HEAD></HEAD>
<BODY>
<H1>302 Redirect</H1>The document has moved
<A HREF="login.htm?t=1604168248781">here</A>.
</BODY></HTML>

최종 결산

  • 로그인 없이 관리자 페이지 접근 불가능 (302 Redirect)
  • 비밀번호 변경 시도 실패 (302 Redirect)
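  • CSRF 보호 여부는 판단 불가 (인증되지 않은 요청이라 Referer 값과 무관하게 302 Redirect)
  • 세션 없이 접근 불가능 (쿠키 조작해도 302 Redirect)
  • 캐시된 세션 재사용 여부는 미검증 (Cache-Control: no-cache 요청 헤더는 세션과 무관하며, 비인증 요청이 302로 리디렉트되는 것만 확인)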

취약한 함수 분석

위험한 함수 사용 여부 확인

┌──(kali㉿kali)-[~/…/Firmware/Totolink/_TOTOLINK-A3002R-Ge-V4.0.0-B20230531.1404.web.extracted/squashfs-root]
└─$ grep -rE "system|strcpy|sprintf|gets|strcat|exec"
usr/local/man/man8/ebtables.8:targets on a frame.
usr/local/man/man8/ebtables.8:For the extension targets please refer to the
usr/local/man/man8/ebtables.8:The targets
usr/local/man/man8/ebtables.8:script.  For example the output could be used at system startup.
usr/local/man/man8/ebtables.8:Maximum initial number of packets to match: this number gets recharged by
usr/local/man/man8/ebtables.8:target is executed.
usr/share/udhcpc/eth0.sh:exec /usr/share/udhcpc/eth0.$1
usr/share/udhcpc/eth1.sh:exec /usr/share/udhcpc/eth1.$1
usr/share/udhcpc/eth1.4.sh:exec /usr/share/udhcpc/eth1.4.$1
usr/share/udhcpc/eth1.2.sh:exec /usr/share/udhcpc/eth1.2.$1
usr/share/udhcpc/wlan0.sh:exec /usr/share/udhcpc/wlan0.$1
usr/share/udhcpc/wlan1-vxd.sh:exec /usr/share/udhcpc/wlan1-vxd.$1
usr/share/udhcpc/br0.sh:exec /usr/share/udhcpc/br0.$1
usr/share/udhcpc/wlan0-vxd.sh:exec /usr/share/udhcpc/wlan0-vxd.$1
usr/share/udhcpc/wlan1.sh:exec /usr/share/udhcpc/wlan1.$1
usr/share/udhcpc/usb0.sh:exec /usr/share/udhcpc/usb0.$1
usr/share/udhcpc/eth1.1.sh:exec /usr/share/udhcpc/eth1.1.$1
usr/share/udhcpc/eth1.3.sh:exec /usr/share/udhcpc/eth1.3.$1
grep: bin/igmpproxy: binary file matches
grep: bin/dhcp6ctl: binary file matches
grep: bin/radvd: binary file matches
grep: bin/routed: binary file matches
grep: bin/main_lc5761: binary file matches
grep: bin/batchUpgrade: binary file matches
grep: bin/map_reset: binary file matches
grep: bin/ntpclient: binary file matches
grep: bin/map_del_device: binary file matches
grep: bin/rebootschedules: binary file matches
grep: bin/batchUpgrades: binary file matches
grep: bin/rebootschedule: binary file matches
grep: bin/crpc: binary file matches
grep: bin/wscd: binary file matches
grep: bin/ipv6_manage_inet: binary file matches
grep: bin/dhcp6c: binary file matches
grep: bin/iapp: binary file matches
grep: bin/ebtables-restore: binary file matches
grep: bin/sysconf: binary file matches
grep: bin/pppd: binary file matches
grep: bin/ntp_inet: binary file matches
grep: bin/reload: binary file matches
grep: bin/timelycheck: binary file matches
grep: bin/pptp: binary file matches
grep: bin/pctime: binary file matches
grep: bin/acltd: binary file matches
grep: bin/dnsmasq: binary file matches
grep: bin/auth: binary file matches
grep: bin/miniigd: binary file matches
grep: bin/udhcpd: binary file matches
grep: bin/ip6tables: binary file matches
grep: bin/lld2d: binary file matches
grep: bin/map_agent: binary file matches
grep: bin/l2tpd: binary file matches
grep: bin/map_controller: binary file matches
grep: bin/tc: binary file matches
grep: bin/ddns_inet: binary file matches
grep: bin/reset: binary file matches
grep: bin/radvdump: binary file matches
grep: bin/map_checker: binary file matches
grep: bin/ppp_inet: binary file matches
grep: bin/parentcontrol: binary file matches
bin/startup.sh:if [ ! -e "/var/system/set_time" ]; then
grep: bin/Mcli: binary file matches
grep: bin/fwds: binary file matches
grep: bin/Parac2d: binary file matches
grep: bin/flash: binary file matches
grep: bin/fwd: binary file matches
grep: bin/busybox: binary file matches
grep: bin/wget: binary file matches
grep: bin/dhcp6s: binary file matches
grep: bin/ndppd: binary file matches
grep: bin/ip: binary file matches
grep: bin/updatedd: binary file matches
grep: bin/iwcontrol: binary file matches
grep: bin/watchdog: binary file matches
grep: bin/dnsspoof: binary file matches
grep: bin/Mser: binary file matches
grep: bin/boa: binary file matches
grep: bin/hle_entity: binary file matches
grep: bin/map_reinit: binary file matches
grep: bin/dnrd: binary file matches
grep: bin/iptables: binary file matches
grep: bin/mldproxy: binary file matches
grep: bin/iwpriv: binary file matches
grep: bin/cwmpClient: binary file matches
grep: bin/UDPserver: binary file matches
grep: lib/libebt_nat.so: binary file matches
grep: lib/libcrypto.so.1.0.0: binary file matches
grep: lib/libebtc.so: binary file matches
grep: lib/libm-0.9.33.so: binary file matches
grep: lib/libebt_redirect.so: binary file matches
grep: lib/libstdc++.so.6.0.19: binary file matches
grep: lib/libebt_arpreply.so: binary file matches
grep: lib/libcjson.so: binary file matches
grep: lib/libebt_nflog.so: binary file matches
grep: lib/libebt_standard.so: binary file matches
grep: lib/libssl.so.1.0.0: binary file matches
grep: lib/librt-0.9.33.so: binary file matches
grep: lib/libgcc_s.so.1: binary file matches
grep: lib/libuClibc-0.9.33.so: binary file matches
grep: lib/libpthread-0.9.33.so: binary file matches
grep: lib/libcrypt-0.9.33.so: binary file matches
grep: lib/libmtdapi.so: binary file matches
grep: lib/libebt_ulog.so: binary file matches
grep: lib/libapmib.so: binary file matches
grep: lib/libebt_mark.so: binary file matches
grep: lib/libmultiap.so: binary file matches
grep: lib/ld-uClibc-0.9.33.so: binary file matches
etc/inittab:# Boot-time system configuration/initialization script.
etc/init.d/rcS:mkdir /var/system
etc/init.d/rcS:# Start system script
etc/init.d/rcS_GW:mkdir /var/system
etc/init.d/rcS_GW:# Start system script
etc/sysconfig/ebtables-config:# Saves all firewall rules if firewall gets stopped
etc/sysconfig/ebtables-config:# (e.g. on system shutdown).
etc/sysconfig/ebtables-config:# Saves all firewall rules if firewall gets restarted.
etc/dnsmasq.conf:# On systems which support it, dnsmasq binds the wildcard address,
etc/dnsmasq.conf:#    domain of all systems configured by DHCP
etc/dnsmasq.conf:# Run an executable when a DHCP lease is created or destroyed.
etc/samba/smb.conf:# on SystemV system setting printcap name to lpstat should allow
etc/samba/smb.conf:# system
etc/samba/smb.conf:# It should not be necessary to specify the print system type unless
etc/samba/smb.conf:# it is non-standard. Currently supported print systems include:
etc/samba/smb.conf:# on a per machine basis. The %m gets replaced with the netbios name
etc/samba/smb.conf:# NOTE: If you have a BSD-style print system there is no need to 
etc/samba/smb.conf:# The %m gets replaced with the machine name that is connecting.
etc/boa.org/boa.conf:# The name you provide gets run through inet_aton(3), so you have to use dotted
etc/boa.org/boa.conf:# The CGIumask is set immediately before execution of the CGI.
etc/boa.org/boa.conf:# Uncomment the next line if you want .cgi files to execute from anywhere
etc/boa.org/boa.conf:# to enable directories for script execution.
etc/vsftpd.conf:# It is recommended that you define on your system a unique user which the
etc/services:exec       512/tcp
etc/services:npmp-gui   611/tcp dqs313_execd
etc/services:npmp-gui   611/udp dqs313_execd
web/tr069config.htm:            if(document.tr069.elements["autoexec"][0].checked == true)
web/tr069config.htm:            else if(document.tr069.elements["autoexec"][1].checked == true)
web/tr069config.htm:      <input type="radio" name=autoexec value=0 <% getInfo("tr069-autoexec-0"); %> ><script>dw(MM_Disabled)</script>
web/tr069config.htm:      <input type="radio" name=autoexec value=1 <% getInfo("tr069-autoexec-1"); %> ><script>dw(MM_Enabled)</script>
web/multi_ap_popup_client_details.htm:    var results = new RegExp('[\?&]' + 'count' + '=([^&#?]*)').exec(window.location.href);
web/multi_ap_popup_client_details.htm:    var macresults = new RegExp('[\?&]' + 'macaddr' + '=([^&#?]*)').exec(window.location.href);
web/status.htm:<span style="background-image:url(img/system.png);"></span><span style="width:80%"><script>dw(Js_System)</script></span>
web/add/menuAd.htm:<li><span><script>dw(menu_system_status)</script></span></li>
web/multi_ap_popup_device_details.htm:    var results = new RegExp('[\?&]' + 'count' + '=([^&#?]*)').exec(window.location.href);
web/mobile/home.asp:<span><script>dw(MM_system_mode)</script></span>
web/mobile/home.asp:<p class="nav-text"><script>dw(MM_system_tools)</script></p>
web/mobile/logout.asp:<h2 class="header-name"><script>dw(MM_system_tools)</script></h2>
web/mobile/sysmode.asp:<h2 class="header-name"><script>dw(MM_system_mode)</script></h2>
web/mobile/sysmode.asp:<li id="menu1"><img src="/icon/icon_system_01.png">
web/mobile/sysmode.asp:<li id="menu2"><img src="/icon/icon_system_02.png">
web/mobile/sysmode.asp:<li id="menu3"><img src="/icon/icon_system_03.png">
web/mobile/sysmode.asp:<li id="menu4"><img src="/icon/icon_system_04.png">
web/mobile/tools.asp:<h2 class="header-name"><script>dw(MM_system_tools)</script></h2>
web/mobile/rfw.asp:<h2 class="header-name"><script>dw(MM_system_tools)</script></h2>
web/mobile/js/language_tc.js:var MB_system_status = "系統信息";
web/mobile/js/language_tc.js:var MM_system_mode="系統模式";
web/mobile/js/language_tc.js:var MM_system_tools="系統工具";
web/mobile/js/language_ru.js:var MB_system_status = "Состояние системы";
web/mobile/js/language_ru.js:var MM_system_mode="Системный режим";
web/mobile/js/language_ru.js:var MM_system_tools="Системные инструменты";
web/mobile/js/language_sc.js:var MB_system_status = "系统信息";
web/mobile/js/language_sc.js:var MM_system_mode="系统模式";
web/mobile/js/language_sc.js:var MM_system_tools="系统工具";
web/mobile/js/language_vn.js:var MB_system_status = "Trạng thái hệ thống";
web/mobile/js/language_vn.js:var MM_system_mode="Chế độ hệ thống";
web/mobile/js/language_vn.js:var MM_system_tools="Công cụ hệ thống";
web/mobile/js/language_en.js:var MB_system_status = "System Status";
web/mobile/js/language_en.js:var MM_system_mode="System mode";
web/mobile/js/language_en.js:var MM_system_tools="System tools";
web/mobile/js/language_ua.js:var MB_system_status = "Інформація системи";
web/mobile/js/language_ua.js:var MM_system_mode="Режим системи";
web/mobile/js/language_ua.js:var MM_system_tools="Системні інструменти";
web/mobile/ntp.asp:<h2 class="header-name"><script>dw(MM_system_tools)</script></h2>
web/mobile/stat.asp:div.Mnet_text,div.Mwiless_text,div.Msystem_text{font-size:15px;padding-left:1rem; padding-top:7px;font-weight:bold;}
web/mobile/stat.asp:div.Msystem_img{background:url("/img/menu/tools_n.png")no-repeat;}
web/mobile/stat.asp:div.Mnet_img,div.Mwiless_img,div.Msystem_img{ position:relative;height:2rem;width:2.4rem;float:left;}
web/mobile/stat.asp:<div class="Msystem_img"></div>
web/mobile/stat.asp:<div class="Msystem_text"><span id="Msystem_text"></span><script>dw(MB_system_status)</script></div>
web/mobile/wifiSignal.asp:<h2 class="header-name"><script>dw(MM_system_tools);</script></h2>
web/mobile/password.asp:<h2 class="header-name"><script>dw(MM_system_tools)</script></h2>
web/mobile/setlg.asp:<h2 class="header-name"><script>dw(MM_system_tools)</script></h2>
web/wlan_schedule.htm:          system time before enable this feature.</tr>
web/route.htm:var system_opmode =<% getIndex("opMode"); %>;
web/route.htm:  if(system_opmode == 1)
grep: web/cgi-bin/cstecgi.cgi: binary file matches
web/js/language_tc.js:var menu_system_status='系統狀態';
web/js/language_tc.js://system log
web/js/language_tc.js:var Js_systemAll="所有事件";
web/js/language_tc.js:var usb_file_system='文件系統';
web/js/language_ru.js://system log
web/js/language_ru.js:var Js_systemAll="Всей системы";
web/js/language_ru.js:var menu_system_status='Состояние';
web/js/language_ru.js:var usb_file_system='файловая система';
web/js/language_sc.js:var menu_system_status='系统状态';
web/js/language_sc.js://system log
web/js/language_sc.js:var Js_systemAll="所有事件";
web/js/language_sc.js:var usb_file_system='文件系统';
web/js/language_vn.js:var menu_system_status='Trạng thái';
web/js/language_vn.js://system log
web/js/language_vn.js:var Js_systemAll="Tất cả hệ thống";
web/js/language_vn.js:var usb_file_system='Tập tin hệ thống';
web/js/language_en.js:var Js_WlSchHelpMsg="This page allows you setup the wireless schedule rule. Please do not forget to configure system time before enable this feature.";
web/js/language_en.js:var Js_NtpHelpMsg="You can maintain the system time by synchronizing with a public time server over the Internet.";
web/js/language_en.js:var menu_system_status='Status';
web/js/language_en.js://system log
web/js/language_en.js:var Js_systemAll="system all";
web/js/language_en.js:var Js_SystemHelpMsg="This page can be used to set remote log server and show the system log.";
web/js/language_en.js:var Js_UpLoadHelpMsg="This page allows you upgrade the Access Point firmware to new version. Please note, do not power off the device during the upload because it may crash the system.";
web/js/language_en.js:var syscmd_explain = 'This page can be used to run target system command.';
web/js/language_en.js:var Js_msg155="If the disk partition number is equal to or greater than two, The Windows system can only recognize the first partition! All partitions need to identify in the Linux system!";
web/js/language_en.js:var usb_file_system='File System';
web/js/language_en.js:var reset_sr="The system is restored to factory settings";
web/js/language_ua.js:var menu_system_status='Статус';
web/js/language_ua.js://system log
web/js/language_ua.js:var Js_systemAll="Вести журнал для всіх системних подій";
web/js/language_ua.js:var usb_file_system='Файлова система';
web/logout.htm:    document.execCommand('ClearAuthenticationCache');
web/syslog.htm:<tr><td><script>dw(MM_Type)</script></td><td><input type="checkbox" name="syslogEnabled" value="ON" onClick="updateStateSys()"><script>dw(Js_systemAll)</script>
web/util_gw.js: if(test.exec(strMsg))
web/util_gw.js: if(field && field.value && reg.exec(field.value))//format x.x.x.x
web/util_gw.js: //if(reg.exec(str))
web/util_gw.js: if(value<0 || value>parseInt("ffff",16) || isNaN(value) || !reg.exec(ipField.value))
web/util_gw.js: if(reg.exec(prefixField.value)||prefixField.value<0 ||prefixField.value>128)
web/util_gw.js: if(strVal!="0" && !reg.exec(strVal))
web/util_gw.js: if(!reg.exec(field.value))
web/util_gw.js: //if(reg.exec(field.value))

공격 벡터 선정

  • system() 함수 사용 가능성

    • grep -rE 'system' 결과에서 /web/wlan_schedule.htm 파일이 system time을 호출하는 부분이 있음. (단, grep에 잡힌 줄은 화면에 표시되는 안내 문구 "system time before enable this feature"이며, system() 함수 호출의 근거는 아님.)
    • bin 폴더의 바이너리 일부가 system() 호출을 포함하고 있을 가능성
    • 특정 바이너리 내부 분석 필요 (sysconf, timelycheck, boa, busybox 등)
  • exec 함수 사용 가능성

    • web/logout.htm에서 document.execCommand('ClearAuthenticationCache'); 호출 (브라우저 쪽에서 실행되는 DOM API이므로, 기기에서 프로세스를 실행하는 exec 계열 함수와는 무관함)
    • 여러 udhcpc 스크립트에서 exec 사용 (/usr/share/udhcpc/eth0.sh, /usr/share/udhcpc/wlan0.sh 등)
    • exec를 통한 임의 명령 실행 가능성 확인 필요
  • 자동 실행(autoexec) 설정 존재

    • /web/tr069config.htm 파일에서 autoexec 관련 설정 발견
    • 이 설정을 조작할 수 있다면 자동 실행 명령어를 삽입하는 공격이 가능할 수도 있음
  • 네트워크 설정 관련 바이너리 (dnsmasq, pppd, dhcp6c 등)

    • grep 결과에서 dnsmasq, pppd, dhcp6c, iptables, boa 같은 바이너리가 확인됨

중요 스크립트 리버싱

sysconf

  • 특정 명령어 문자열을 생성하고, system() 함수를 이용해 실행하는 구조
  • 명령어 주입 취약점 가능성을 조사해볼 만함

실행 흐름 분석

초기화

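  • /tmp/lock 파일을 생성 (open("/tmp/lock", 770)) — 여기서 770은 권한(mode)이 아니라 두 번째 인자인 flags의 10진수 값(0x302)임. MIPS 리눅스라면 O_RDWR|O_CREAT|O_TRUNC에 해당하는 것으로 보이나, 대상 아키텍처는 확인 필요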
  • apmib_init() 실행: 펌웨어 내 환경 변수 및 설정 접근
  • apmib_get(10186, &v105); 호출
    • 값이 1이면 system("flash default-sw"); 실행 후 sleep(1);
    • flash default-sw는 설정 초기화를 의미할 가능성 큼
/* strcmp() is non-zero when v96 differs from "TOTOLINK"; in that case the buffer
 * is overwritten with the constant and written back with apmib_set(186, ...).
 * NOTE(review): how v96 is filled and how large it is are not shown in this excerpt. */
if ( strcmp(v96, "TOTOLINK") ) {
    strcpy(v96, "TOTOLINK");
    apmib_set(186, v96);
}
  • 특정 문자열(TOTOLINK)이 존재하는지 확인 후, 없으면 설정 변경

MAC 주소 관련 작업

/* Reads setting 203 into v93, formats six values as two-digit hex into v91
 * ("mac xxxxxxxxxxxx\n"), and hands that string to sub_40D69C together with the
 * path /var/mac_backup.conf.
 * NOTE(review): v94 and v95 are separate locals here; presumably the decompiler
 * split one 6-byte buffer and they hold the 5th and 6th bytes — confirm in the
 * stack layout. The declared size of v91 is not shown in this excerpt. */
apmib_get(203, &v93);
sprintf(v91, "mac %02x%02x%02x%02x%02x%02x\n", (unsigned __int8)v93, BYTE1(v93), BYTE2(v93), HIBYTE(v93), v94, v95);
sub_40D69C("/var/mac_backup.conf", 1, v91);
  • apmib_get(203, &v93); → MAC 주소 가져오기
  • sub_40D69C("/var/mac_backup.conf", 1, v91); → /var/mac_backup.conf 파일에 저장

플래시 메모리에 MAC 주소 저장

/* Builds the flash command from six values, each printed with %02x, then runs it
 * through the shell with system(). %02x only ever emits hexadecimal digits, so
 * these arguments cannot carry shell metacharacters into the command string.
 * NOTE(review): the declared size of v91 is not shown; sprintf() does not bound
 * the write. */
sprintf(v91, "flash set HW_WLAN_ADDR %02x%02x%02x%02x%02x%02x",
        LOBYTE(v100[0]), BYTE1(v100[0]), BYTE2(v100[0]),
        HIBYTE(v100[0]), LOBYTE(v100[1]), BYTE1(v100[1]));
system(v91);

취약점 - system()

  • MAC 주소 비교 후 변경될 경우 system(v91) 호출
system(v91);
  • 문자열 기반 명령어 실행

    • sprintf(v91, "flash set WRITE_MAC %s", mac_address);
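    • 이때 mac_address 값이 조작될 수도... (확인 필요: 위에 인용한 HW_WLAN_ADDR 경로는 %02x로 바이트를 출력하므로 결과가 16진수 문자로만 구성되어 셸 메타문자가 들어갈 수 없음. %s로 문자열이 그대로 들어가는 호출이 바이너리에 실제로 있는지, 그 값이 어디에서 오는지를 먼저 추적해야 함)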
  • 플래시 메모리 수정 후 system() 호출

    • system("flash set HW_WLAN_ADDR ...")
    • system("echo 0 > /proc/led_status");
  • 특정 명령을 수동으로 실행 가능
    - 시스템 로그 관련 프로세스를 종료하는 등

/* Both command strings are compile-time constants, so no external data reaches
 * the shell in these two calls. */
system("killall -9 syslogd");
system("killall -9 klogd");

공격 가능성 - 명령어 삽입 공격

sysconf wlaninit "; reboot"
  • 가설: 명령 문자열이 flash set HW_WLAN_ADDR; reboot 형태로 만들어지면 기기가 재부팅됨 (아직 확인되지 않음)

  • 검증 필요
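    - sysconf 실행 시 외부 입력이 system()으로 직접 전달되는지 (로컬 셸에서 sysconf를 직접 실행하는 것만으로는 권한 경계를 넘지 않으므로, 웹 인터페이스 등 신뢰할 수 없는 입력에서 sysconf 인자까지 이어지는 경로가 있는지가 핵심)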
    - system() 호출되는 v91 값을 디버깅 툴로 확인
