Category: Networking and Security

2008-03-27 14:24:15

Do not misuse!
Hacking the Linksys WRT54G
UPDATE: The official CVE-2008-1247 entry for these vulnerabilities confirms that although the complexity of these attacks is low, their impact is extremely high.

These demos assume one thing: factory defaults. All of them use the generic 192.168.1.1 local gateway address.

BEWARE: If you were not logged in to the router prior to submitting any of these requests, you WILL be prompted to authenticate. This is just an illusion: the scripts that handle configuration requests do NOT check for proper credentials, so just cancel the authorization dialog, log into the router in a separate tab/browser, and see whether your settings have changed (mine do).
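The failure described above (the browser's credential prompt is cosmetic; the handler applies the change regardless) is easiest to see next to the shape a correct handler should have. The following is an added illustration written for this page, not Linksys or Intoto code: a toy in-memory router state with a hypothetical `vulnerable_apply` that mirrors the advisory's behaviour and a `hardened_apply` that refuses every state-changing request lacking valid credentials. The hardened version also requires a single-use anti-forgery token, which goes slightly beyond what the advisory states but is the standard companion mitigation for a logged-in browser being made to submit such requests; all names, the Basic-auth scheme and the form field names are assumptions.

```python
import base64
import hmac
import secrets


class RouterState:
    """Toy model of device settings plus the admin credential (not real firmware state)."""

    def __init__(self, admin_user="admin", admin_pass="admin"):
        self.settings = {"remote_mgmt": False, "dns1": "0.0.0.0"}
        self.admin = (admin_user, admin_pass)
        self.csrf_tokens = set()  # tokens issued to authenticated sessions, single use


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header a browser would send (helper for the demo)."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _basic_auth_ok(state, headers):
    """Check an Authorization header against the stored admin credential."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    expected_user, expected_pass = state.admin
    # constant-time comparisons so the check leaks nothing about how much matched
    return (hmac.compare_digest(user.encode(), expected_user.encode())
            and hmac.compare_digest(password.encode(), expected_pass.encode()))


def vulnerable_apply(state, headers, form):
    """Pattern the advisory describes: credentials are never consulted,
    so any POST that reaches the handler rewrites the configuration."""
    state.settings.update(form)
    return 200


def issue_csrf_token(state):
    """Hand an authenticated session a fresh single-use token to embed in its form."""
    token = secrets.token_hex(16)
    state.csrf_tokens.add(token)
    return token


def hardened_apply(state, headers, form):
    """Reject before touching any setting unless the request carries valid
    credentials AND a token that only a page served by this device could hold."""
    if not _basic_auth_ok(state, headers):
        return 401
    token = form.get("csrf_token")
    if token is None or token not in state.csrf_tokens:
        return 403
    state.csrf_tokens.discard(token)  # single use: a replayed form is refused
    state.settings.update({k: v for k, v in form.items() if k != "csrf_token"})
    return 200


if __name__ == "__main__":
    s = RouterState()
    print("vulnerable, anonymous POST:", vulnerable_apply(s, {}, {"remote_mgmt": True}), s.settings)
    s = RouterState()
    print("hardened, anonymous POST:", hardened_apply(s, {}, {"remote_mgmt": True}), s.settings)
    hdr = basic_auth_header("admin", "admin")
    tok = issue_csrf_token(s)
    print("hardened, authenticated + token:", hardened_apply(s, hdr, {"remote_mgmt": True, "csrf_token": tok}), s.settings)
```

The test to run against a real device is the one the advisory gives: submit a configuration change while not logged in and check whether the setting moved. The hardened handler answers that probe with 401 and an unchanged configuration; a 200 with a changed setting is the defect.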

Refer to own.txt for reference on how the POST strings are constructed. Some info may be missing, but I'm still updating here...

A couple of new things I've found inside the default configuration file: the router uses a military NTP server, ntp2.usno.navy.mil, for synchronizing time. The device's virtual memory/file system info is located at /mem/pricf/0, which I'm still exploring. The only reference I've found regarding /mem/pricf/0, by the way, is on a Korean site, so it's still relatively new territory. By simply viewing the ASCII within Config.bin we can see the administrative user name and password, external and internal IPs, router name, available service configurations, and so on. It becomes more interesting when the device is not left in default mode, as more information is available about what is and isn't left on. The firmware seems to come from a company named Intoto.

Here is a dump of Config.bin using the default settings:

TROC
/mem/pricf/0
(c) 2001 Copyright Intoto, Inc
5VGWJ
WRT54G
linksysrouter
self
ntp2.usno.navy.mil
root
00000000000000
mirror0
None
None
httpSharenet
mirror0
httpSharenet
httpSubnet
httpSharenet
httpSubnet
19192.168.1.1
httpSharenet
httpSubnet
PPPOE
PPPOE
PPTP
PPTP
L2TP
L2TP
PPPOE
PPPoE
Med=vl1,AC=,Fr=Sync
PPTP
PPTP
:M-2:I-0.0.0.0:F-2:B-2
L2TP
L2TP
M:2:P:0.0.0.0:K:0:A:0:F:1:B:0:T:33000:R:33300:Y:555:G:Intoto-Net:U:Intoto-India
Intoto
IntotoSoft
Intoto
WANIPConn1
WANIPConn1
----
admin
admin
linksys
long
default
langpak_en
PING
TFTP
IMAP
HTTPS
SNMP
NNTP
POP3
SMTP
HTTP
TELNET
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
DefaultTcp
DefaultUdp
DefaultIcmp
ftpinac
dnsinac
hainac
gatekeeper
msgudp
tftp
pcanywhere
l2tp
rtsp554
rtsp7070
h323
msgtcp
pptp
n2pe
cuseeme
mszone
CORP
SELF
DefPoly
DefISAKMP
DefPPTP
DefL2TP

I should mention that the external IP was available to me when I dumped Config.bin after making some changes in the Web interface. By default, it is not viewable. Here the admin password is 'asdf':

TROC
/mem/pricf/0
(c) 2001 Copyright Intoto, Inc
5VGWJ
WRT54G
linksysrouter
self
ntp2.usno.navy.mil
root
00000000000000
mirror0
None
None
httpSharenet
mirror0
httpSharenet
httpSubnet
httpSharenet
httpSubnet
19192.168.1.1
httpSharenet
httpSubnet
6868.87.85.98;68.87.69.146
httpSharenet
httpSubnet
hshsd1.co.comcast.net.
httpSharenet
httpSubnet
PPPOE
PPPOE
PPTP
PPTP
L2TP
L2TP
PPPOE
PPPoE
Med=vl1,AC=,Fr=Sync
PPTP
PPTP
:M-2:I-0.0.0.0:F-2:B-2
L2TP
L2TP
M:2:P:0.0.0.0:K:0:A:0:F:1:B:0:T:33000:R:33300:Y:555:G:Intoto-Net:U:Intoto-India
Intoto
IntotoSoft
Intoto
WANIPConn1
x.x.x.x -- external IP now exists!
WANIPConn1
admin
asdf
linksys
long
default
langpak_en
PING
TFTP
IMAP
HTTPS
SNMP
NNTP
POP3
SMTP
HTTP
TELNET
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
DefaultTcp
DefaultUdp
DefaultIcmp
ftpinac
dnsinac
hainac
gatekeeper
msgudp
tftp
pcanywhere
l2tp
rtsp554
rtsp7070
h323
msgtcp
pptp
n2pe
cuseeme
mszone
CORP
SELF
DefPoly
DefISAKMP
DefPPTP
DefL2TP
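Both dumps above were read by simply pulling the printable ASCII out of Config.bin, and comparing the two shows what a non-default configuration adds (a changed password, upstream DNS servers, the ISP domain, the external IP). Here is an added example of that procedure, written for this page rather than taken from the advisory: a `strings`-style extractor, a multiset diff of the recovered fields, and a small classifier that tags which new fields are network identifiers. The two blobs are constructed to mimic the layout of the dumps; they are not real WRT54G backups, the NUL separators between fields are an assumption about the file layout, and the DNS, hostname and external-IP values are placeholders from documentation ranges.

```python
import ipaddress
import re
from collections import Counter


def extract_strings(blob, min_len=4):
    """Return every run of printable ASCII of at least min_len bytes (like `strings -n`)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def diff_fields(default_blob, changed_blob):
    """Multiset difference of recovered fields: (added, removed).

    Using a Counter matters here: the factory dump holds 'admin' twice (user and
    password), the changed dump once, so the removed list shows that one of the
    two 'admin' fields, the password, was replaced."""
    base = Counter(extract_strings(default_blob))
    new = Counter(extract_strings(changed_blob))
    return sorted((new - base).elements()), sorted((base - new).elements())


def classify(field):
    """Tag a recovered field as 'ipv4' (one or ';'-separated addresses), 'hostname' or 'text'."""
    try:
        for part in field.split(";"):
            ipaddress.IPv4Address(part)
        return "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\.?", field):
        return "hostname"
    return "text"


def report(default_blob, changed_blob):
    """Map each newly exposed field to its class, plus the list of fields that disappeared."""
    added, removed = diff_fields(default_blob, changed_blob)
    return {f: classify(f) for f in added}, removed


def _build(fields):
    # constructed layout: NUL-separated fields, an assumption about Config.bin
    return b"\x00".join(f.encode() for f in fields) + b"\x00"


# Constructed sample blobs, modelled on the two dumps above (not real backups).
DEFAULT_BLOB = _build([
    "TROC", "/mem/pricf/0", "(c) 2001 Copyright Intoto, Inc", "WRT54G",
    "linksysrouter", "ntp2.usno.navy.mil", "WANIPConn1", "WANIPConn1",
    "admin", "admin", "linksys", "langpak_en", "HTTPS", "TELNET",
])
CHANGED_BLOB = _build([
    "TROC", "/mem/pricf/0", "(c) 2001 Copyright Intoto, Inc", "WRT54G",
    "linksysrouter", "ntp2.usno.navy.mil",
    "198.51.100.5;198.51.100.6",   # placeholder for the ISP DNS pair
    "isp.example.net.",            # placeholder for the ISP domain
    "WANIPConn1", "203.0.113.7",   # placeholder external IP
    "WANIPConn1", "admin", "asdf", "linksys", "langpak_en", "HTTPS", "TELNET",
])

if __name__ == "__main__":
    exposed, gone = report(DEFAULT_BLOB, CHANGED_BLOB)
    for field, kind in exposed.items():
        print(f"new in changed config: {field!r:32} [{kind}]")
    print("no longer present:", gone)
```

Run against a backup taken from your own device, the `exposed` dictionary is the inventory of what that file hands to anyone who obtains it: every value classed as `text` that is not a service or policy name deserves a look, because the admin password sits among them in cleartext.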

Poison DNS: static DNS 1 = 1.2.3.4; static DNS 2 = 5.6.7.8; static DNS 3 = 9.8.7.6:

Reset administrative password to 'asdf':

Enable mixed wireless network mode with SSID 'pwnage' on channel 6, SSID broadcasting enabled:

Disable all wireless encryption:

Disable wireless MAC filtering:

Enable DMZ to 192.168.1.100:

Disable DMZ:

Enable remote management on port 31337 with password 'asdf', wireless web access and UPnP enabled:

Enable port forwarding on port 22, SSH, using TCP/UDP to 192.168.1.100:

Enable port forwarding on port 21, FTP, using TCP/UDP to 192.168.1.100:

Enable port triggering on ports 21 & 22, FTP & SSH, respectively:

Enable incoming/outgoing log:

Disable incoming/outgoing log:

Ping a target URL five times:

Trace route a target URL:

DHCP release dynamic IP:

DHCP renew dynamic IP:

Enable VPN (IPSec/PPTP/L2TP) passthrough:

Disable VPN (IPSec/PPTP/L2TP) passthrough:

Restore factory defaults:

Backup current configuration:
