Sblocco Modem Alice Gate 2 Plus Wifi Business Models
Come resettare i modem Telecom; Comandi Telnet vari; Sblocco Alice Gate VoIP 2 Plus Wi-Fi (AGPF) Sblocco Modem ADSL2+ Wi-Fi N (AGPWI) senza aprirlo; Sblocco completo ADSL2+ Wi-Fi N (AGPWI) senza antenne; Sblocco completo ADSL2+ Wi-Fi N (AGPWI) con antenne; AGPF e APGWI: Come cambiare il firmware; CONTATTACI.
Questo articolo è dedicato allo sblocco dei modelli AGA/AGB/AG2P-AG3/AGPV-AGPF dei modem Alice mediante backdoor.
se volete essere seguiti passo per passo o volete la soluzione pronta contattatemi via mail (la trovate nella Home) e cercherò di aiutarvi.
Io e drPepperOne abbiamo scoperto una backdoor nei modem Alice a base Broadcom che permette in un solo colpo da LAN di abilitare telnet, ftp, tftp e modalità web estesa. Ciò che molti non sanno è che nei modem c’è un vero e proprio Sistema Operativo e che telnet implementa in questi casi una vera e propria shell remota da cui controllare l’intero sistema. Inoltre le interfacce web estese (credo tutte) presentano una pagina per cambiare firmware senza troppe difficoltà
Per abilitare la backdoor è sufficiente inviare un pacchetto IP opportunamente formattato al modem su cui c’è un socket raw in ascolto.
Tale pacchetto deve avere le seguenti caratteristiche:
- protocollo IP
- Protocol Number 255
- lunghezza 28 byte (8 byte di payload)
- il payload è costituito dai primi 8 byte dell’md5 con salt del mac del device br0
in questi modelli di modem br0 ha lo stesso mac di eth0 ed è quindi facile da reperire. Esso si potrebbe anche ottenere dai mac di eth1 e wl0 che sono più o meno consecutivi a seconda dei modelli dei modem. Su AGA per esempio mac(eth1)=mac(eth0)+1 e mac(wl0)=mac(eth0)+4.
L’algoritmo di creazione del payload è il seguente:
Building Architecture of Sthapatya Veda by Dr. V Ganapati Sthapati LibraryThing. Jeffrey Abramson, a partner in the family-owned Tower Companies, is a long-time TM practitioner 67 and the chairman of the board of trustees of Maharishi University of Management. Building Architecture Sthapatya Veda Pdf: Full Version Free Software Download. Posted on 7/11/2018 by admin. Feb 14, 2018 - Full-Text Paper (PDF): A Comparative Study on Vaastu Shastra. Download full-text PDF. Join for free. With Heidegger's 'Building, Dwelling and Thinking' as they explain. Building Architecture of Sthapatya Veda. Sthapatya veda malayalam.
Così com’è il programma prevede che venga passato come parametro un file di 6 byte contenente il mac di br0.Il file compilato su WinXP lo travate al seguente link:
saxdax & drPepperOne
/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the paylod of the ip packet */
/* the mac must be in an hex file and has to be passed as argument to the program */
#include
#include
#include
#include “md5.h”
/*
* RFC 1321 compliant MD5 implementation
*
* Copyright (C) 2001-2003 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#define GET_UINT32(n,b,i)
{
(n) = ( (uint32) (b)[(i) ] )
( (uint32) (b)[(i) + 1] << 8 )
( (uint32) (b)[(i) + 2] << 16 )
( (uint32) (b)[(i) + 3] << 24 );
}
#define PUT_UINT32(n,b,i)
{
(b)[(i) ] = (uint8) ( (n) );
(b)[(i) + 1] = (uint8) ( (n) >> 8 );
(b)[(i) + 2] = (uint8) ( (n) >> 16 );
(b)[(i) + 3] = (uint8) ( (n) >> 24 );
}
void md5_starts( md5_context *ctx )
{
ctx->total[0] = 0;
ctx->total[1] = 0;
ctx->state[0] = 0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
}
void md5_process( md5_context *ctx, uint8 data[64] )
{
uint32 X[16], A, B, C, D;
GET_UINT32( X[0], data, 0 );
GET_UINT32( X[1], data, 4 );
GET_UINT32( X[2], data, 8 );
GET_UINT32( X[3], data, 12 );
GET_UINT32( X[4], data, 16 );
GET_UINT32( X[5], data, 20 );
GET_UINT32( X[6], data, 24 );
GET_UINT32( X[7], data, 28 );
GET_UINT32( X[8], data, 32 );
GET_UINT32( X[9], data, 36 );
GET_UINT32( X[10], data, 40 );
GET_UINT32( X[11], data, 44 );
GET_UINT32( X[12], data, 48 );
GET_UINT32( X[13], data, 52 );
GET_UINT32( X[14], data, 56 );
GET_UINT32( X[15], data, 60 );
#define S(x,n) ((x << n) ((x & 0xFFFFFFFF) >> (32 – n)))
#define P(a,b,c,d,k,s,t)
{
a += F(b,c,d) + X[k] + t; a = S(a,s) + b;
}
A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];
#define F(x,y,z) (z ^ (x & (y ^ z)))
P( A, B, C, D, 0, 7, 0xD76AA478 );
P( D, A, B, C, 1, 12, 0xE8C7B756 );
P( C, D, A, B, 2, 17, 0x242070DB );
P( B, C, D, A, 3, 22, 0xC1BDCEEE );
P( A, B, C, D, 4, 7, 0xF57C0FAF );
P( D, A, B, C, 5, 12, 0x4787C62A );
P( C, D, A, B, 6, 17, 0xA8304613 );
P( B, C, D, A, 7, 22, 0xFD469501 );
P( A, B, C, D, 8, 7, 0x698098D8 );
P( D, A, B, C, 9, 12, 0x8B44F7AF );
P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
P( B, C, D, A, 11, 22, 0x895CD7BE );
P( A, B, C, D, 12, 7, 0x6B901122 );
P( D, A, B, C, 13, 12, 0xFD987193 );
P( C, D, A, B, 14, 17, 0xA679438E );
P( B, C, D, A, 15, 22, 0x49B40821 );
#undef F
#define F(x,y,z) (y ^ (z & (x ^ y)))
P( A, B, C, D, 1, 5, 0xF61E2562 );
P( D, A, B, C, 6, 9, 0xC040B340 );
P( C, D, A, B, 11, 14, 0x265E5A51 );
P( B, C, D, A, 0, 20, 0xE9B6C7AA );
P( A, B, C, D, 5, 5, 0xD62F105D );
P( D, A, B, C, 10, 9, 0x02441453 );
P( C, D, A, B, 15, 14, 0xD8A1E681 );
P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
P( A, B, C, D, 9, 5, 0x21E1CDE6 );
P( D, A, B, C, 14, 9, 0xC33707D6 );
P( C, D, A, B, 3, 14, 0xF4D50D87 );
P( B, C, D, A, 8, 20, 0x455A14ED );
P( A, B, C, D, 13, 5, 0xA9E3E905 );
P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
P( C, D, A, B, 7, 14, 0x676F02D9 );
P( B, C, D, A, 12, 20, 0x8D2A4C8A );
#undef F
#define F(x,y,z) (x ^ y ^ z)
P( A, B, C, D, 5, 4, 0xFFFA3942 );
P( D, A, B, C, 8, 11, 0x8771F681 );
P( C, D, A, B, 11, 16, 0x6D9D6122 );
P( B, C, D, A, 14, 23, 0xFDE5380C );
P( A, B, C, D, 1, 4, 0xA4BEEA44 );
P( D, A, B, C, 4, 11, 0x4BDECFA9 );
P( C, D, A, B, 7, 16, 0xF6BB4B60 );
P( B, C, D, A, 10, 23, 0xBEBFBC70 );
P( A, B, C, D, 13, 4, 0x289B7EC6 );
P( D, A, B, C, 0, 11, 0xEAA127FA );
P( C, D, A, B, 3, 16, 0xD4EF3085 );
P( B, C, D, A, 6, 23, 0x04881D05 );
P( A, B, C, D, 9, 4, 0xD9D4D039 );
P( D, A, B, C, 12, 11, 0xE6DB99E5 );
P( C, D, A, B, 15, 16, 0x1FA27CF8 );
P( B, C, D, A, 2, 23, 0xC4AC5665 );
#undef F
#define F(x,y,z) (y ^ (x ~z))
P( A, B, C, D, 0, 6, 0xF4292244 );
P( D, A, B, C, 7, 10, 0x432AFF97 );
P( C, D, A, B, 14, 15, 0xAB9423A7 );
P( B, C, D, A, 5, 21, 0xFC93A039 );
P( A, B, C, D, 12, 6, 0x655B59C3 );
P( D, A, B, C, 3, 10, 0x8F0CCC92 );
P( C, D, A, B, 10, 15, 0xFFEFF47D );
P( B, C, D, A, 1, 21, 0x85845DD1 );
P( A, B, C, D, 8, 6, 0x6FA87E4F );
P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
P( C, D, A, B, 6, 15, 0xA3014314 );
P( B, C, D, A, 13, 21, 0x4E0811A1 );
P( A, B, C, D, 4, 6, 0xF7537E82 );
P( D, A, B, C, 11, 10, 0xBD3AF235 );
P( C, D, A, B, 2, 15, 0x2AD7D2BB );
P( B, C, D, A, 9, 21, 0xEB86D391 );
#undef F
ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
}
void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
uint32 left, fill;
if( ! length ) return;
left = ctx->total[0] & 0x3F;
fill = 64 – left;
ctx->total[0] += length;
ctx->total[0] &= 0xFFFFFFFF;
if( ctx->total[0] < length )
ctx->total[1]++;
if( left && length >= fill )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, fill );
md5_process( ctx, ctx->buffer );
length -= fill;
input += fill;
left = 0;
}
while( length >= 64 )
{
md5_process( ctx, input );
length -= 64;
input += 64;
}
if( length )
{
memcpy( (void *) (ctx->buffer + left),
(void *) input, length );
}
}
static uint8 md5_padding[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
void md5_finish( md5_context *ctx, uint8 digest[16] )
{
uint32 last, padn;
uint32 high, low;
uint8 msglen[8];
high = ( ctx->total[0] >> 29 )
( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );
PUT_UINT32( low, msglen, 0 );
PUT_UINT32( high, msglen, 4 );
//for(int i=0;i<8;i++) printf(“length %dn”,msglen[i]);
last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 – last ) : ( 120 – last );
md5_update( ctx, md5_padding, padn );
md5_update( ctx, msglen, 8 );
PUT_UINT32( ctx->state[0], digest, 0 );
PUT_UINT32( ctx->state[1], digest, 4 );
PUT_UINT32( ctx->state[2], digest, 8 );
PUT_UINT32( ctx->state[3], digest, 12 );
}
//#ifdef TEST
/*
* those are the standard RFC 1321 test vectors
*/
static char *msg[] =
{
“”,
“a”,
“abc”,
“message digest”,
“abcdefghijklmnopqrstuvwxyz”,
“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789”,
“12345678901234567890123456789012345678901234567890123456789012”
“345678901234567890”
};
static char *val[] =
{
“d41d8cd98f00b204e9800998ecf8427e”,
“0cc175b9c0f1b6a831c399e269772661”,
“900150983cd24fb0d6963f7d28e17f72”,
“f96b697d7cb7938d525a2f31aaf161d0”,
“c3fcd3d76192e4007dfb496cca67e13b”,
“d174ab98d277d9f5a5611c2c9f419d9f”,
“57edf4a22be3c955ac49da2e2107b67a”
};
//Salt per AGA/AGB/AG3(Vela)
static char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};
//Salt per AGPV/AGPF
//static char saltOrig[] =
//{0x43, 0x22, 0x11, 0x11, 0x22, 0x81, 0xFA, 0x65, 0x11, 0x41, 0x54, 0x11, 0x17, 0x12, 0x15, 0x22, 0x72, 0x03, 0x10, 0x66};
int main( int argc, char *argv[] )
{
FILE *f;
int i, j;
char output[33];
md5_context ctx;
unsigned char buf[1000];
unsigned char md5sum[16];
unsigned char salt[20];
printf( “****************************n”);
printf( “Alice BackDoor hash creator n”);
printf( “by saxdax and drPepperOne n”);
printf( “****************************nn”);
if( argc < 2 )
{
printf( “n Usage: %s pathfileMACnn”, argv[0] );
return 0;
}
if( ! ( f = fopen( argv[1], “rb” ) ) )
{
perror( “fopen” );
return( 1 );
}
md5_starts( &ctx );
while( ( i = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
{
md5_update( &ctx, buf, i );
}
memcpy(salt, saltOrig, 20);
md5_update( &ctx, salt, 20 );
md5_finish( &ctx, md5sum );
printf(“Payload is: “);
for( j = 0; j < 8; j++ )
{
printf( “%02x”, md5sum[j] );
}
return( 0 );
}
AGA/AGB/AG3 http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html
AGPV/AGPF http://rapidshare.com/files/156053651/md5_AGPV_AGPF.exe.html
Tali programmi sono validi fino alle seguenti versioni di firmware:
AG2P: 3.1.0
AG3: 3.2.4
AGA: 3.2.4
AGB: 3.2.4
AGPF: AGPF_4.3.4.0001 (e la 4.4.0)
AGPV: 4.3.1
Il programma deve essere lanciato da linea di comando e restituisce a video gli 8 byte del payload.
A questo punto potete utilizzare qualsiasi strumento di injection preferiate.
Io ho utilizzato Colasoft Packet Builder, generatore visuale con GUI su Windows.
Allego il template di un pacchetto già pronto in cui cambiare solo IP del modem e del pc, mac del modem e del pc e payload (nalla parte in basso a sinistra esadecimale di colasoft PB):
drPepperOne ha utilizzato Nemesis da linea di comando, disponibile per Linux e Windows.
Una volta creato un file di 8 byte con un editor esadecimale, con nome per es. hash.hex, la sintassi da usare con Nemesys è:
Code: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex
Se il pacchetto è corretto il router risponderà con un pacchetto ICMP con codici 3 e 2 (protocol unreachable).
A questo punto potete collegarvi a telnet, ftp e tftp ed utilizzare l’interfaccia web estesa senza aver aperto il modem!
Buon divertimento.