Channel: Haxorware Forums - All Forums

[Tutorial] Reverse engineering a Hitron's CLI password

This tutorial will be a slightly more advanced intro to reverse engineering than my other tutorial about the Hitron's bootloader password.

On the Hitron CDA3-35 (and actually a lot more Hitron modems as well), when you attempt to access the shell or production commands from the Puma6 CLI (not to be confused with bash/sh) - it asks for a password!

[Image: GxeQbtZ.png]

The Puma6 CLI is useful for many things such as changing your MAC address, IP addresses, debug options, and more. That being said, I would really prefer access to it!

Let's figure out how to bypass this password.


Finding our target
The first thing we will do is find familiar strings, just like the last tutorial. The strings that we should be looking for are "Password:" and "Wrong password!".

To search for these, we must unpack the filesystem - this is outside the scope of this tutorial, so I will assume you have already done this.

[Image: zdrf4sp.png]

Using a program capable of searching the text in many files at once, such as Notepad++, search for these strings. You will find one file that contains both.

[Image: Si0scat.png]

So, our target is libcli_core.so.

Unfortunately, this won't be as easy as the last one, where we could just crack the hash.
But, just for your own curiosity, these are two hashes which were located near these strings:
f8010ce0f74f55de1dd99ae6745e9713 and 6b86849528dd3e92e7f1a95b8a7eb89e

[Image: W4Z63UX.png]
Unfortunately, there are no rainbow table results for either of these hashes, so we must do more work.


Reverse engineering libcli_core.so

Now, to get started with real reverse engineering.
We can't simply use Notepad for the rest of this tutorial - we're going to need something better: Ghidra.
Ghidra is a tool designed and released by the US National Security Agency.

You can download it from here:
https://www.nsa.gov/resources/everyone/ghidra/

If you are experienced already, you can use IDA Pro for this task as well - however I only have experience in Ghidra which is why we're using it here.

Step one is to import libcli_core.so into Ghidra.
[Image: IrMtPc3.png]

Open it up, and Ghidra will ask you if you want to analyze it: Select yes.
[Image: EezMpR1.png]
Leave the default options and hit Analyze.

Wait a few moments for the analysis to finish. Once it's done, let's search for those strings we found earlier.

Finding the function

[Image: V8Qf3KI.png]

Hit Search All, then let's check out the results!

This looks like the right one:
[Image: OJ6Pc06.png]

Analyzing the function - two for the price of one?!

Here's the function that we found:

[Image: AjznM0M.png]

There are two interesting parts to this function.

The first bypass
The first part opens the file "/nvram/mfg", and if it exists - it bypasses the password entirely!

So, if you hit CTRL+C and run
Code:
touch /nvram/mfg

then run cli again, and try to access Production....it works! It does not even ask you for the password.

However, from my analysis this section of code is actually not present on most older Hitron modems....what about that other function?

The second bypass
If that file doesn't exist, it asks the user for input, then inserts that input into a system call:

Code:
echo -n %s | md5sum | cut -d \' \' -f1

The %s is replaced with the user input.

This simply MD5s your input. After it runs that command, it compares the output of that command to the password hash we found earlier:
6b86849528dd3e92e7f1a95b8a7eb89e

If it's the same, you're in!

Unfortunately, we do not know the true value of this password - we only know the hashed value..which isn't enough.

........But wait, a system call?

The input for this password is actually unescaped. What we have found here is an arbitrary shell injection exploit.
Not only can we run shell commands from here, but we can manipulate the output of this command arbitrarily.

Let's just use this input:
Code:
6b86849528dd3e92e7f1a95b8a7eb89e ;#

The password is bypassed!

[Image: Y9rQ0Lj.png]

How does this work?

This is actually a rather simple bypass. Let's take a look at that original shell command:
Code:
echo -n %s | md5sum | cut -d \' \' -f1

Now, let's take a look at it with our command inserted for %s:

Code:
echo -n 6b86849528dd3e92e7f1a95b8a7eb89e ;# | md5sum | cut -d \' \' -f1

What we've effectively done is split up the command with ;, then commented out the rest of the command.

Effectively, we've cut the MD5 section out of the command, so our input is passed straight through to the output.
So, we just set the output to whatever it's expecting, and we're in!
We never even have to know what the true password is.

You can also insert more commands after ; if you wish, such as reboot, and it will be executed!
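To make the check concrete, here is an added Python example, not code from this post or from the modem's firmware, that reproduces the flawed pattern beside two fixes. The secret and its MD5 are constructed for the example (the modem's real digest has no known preimage, so it is not used). The vulnerable function runs the post's pipeline through /bin/sh exactly as the CLI does and assumes a POSIX sh with coreutils md5sum and cut on PATH; the quoted variant shows that shlex.quote alone neutralises the `;#` trick; the hardened variant never touches a shell, hashes in-process and compares in constant time, which is the fix a vendor should actually ship. The metacharacter check is the kind of input-logging rule that makes this class of bypass visible in CLI logs.

```python
"""Vulnerable vs hardened CLI password check (added example)."""
import hashlib
import hmac
import re
import shlex
import subprocess

# Constructed example values: a made-up secret and its MD5. The modem's real
# digest (6b86849528dd3e92e7f1a95b8a7eb89e) is deliberately not used, since
# its preimage is unknown and the point here is the check, not the password.
SECRET = "not-the-real-password"
EXPECTED_HASH = hashlib.md5(SECRET.encode()).hexdigest()

# The pipeline the CLI builds (the post's command, %s replaced by user input).
PIPELINE = "echo -n %s | md5sum | cut -d ' ' -f1"

# Characters that should never appear in a password typed at this prompt.
SHELL_META = re.compile(r"""[;&|`$(){}<>\\"'\n]""")


def looks_like_injection(user_input: str) -> bool:
    """Detection hint: shell metacharacters in a password field are worth
    logging as an attempt, whatever the check itself does with them."""
    return SHELL_META.search(user_input) is not None


def _run_sh(cmd: str) -> str:
    """Run a command line through /bin/sh and return stripped stdout.
    Assumes a POSIX sh with coreutils md5sum and cut on PATH."""
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout.strip()


def check_password_vulnerable(user_input: str) -> bool:
    """The flawed pattern from the firmware: raw input is spliced into the
    command string, so ';' ends the echo and '#' comments out md5sum."""
    return _run_sh(PIPELINE % user_input) == EXPECTED_HASH


def check_password_quoted(user_input: str) -> bool:
    """Minimal fix: shell-quote the input. Metacharacters now reach echo as
    literal text and get hashed like any other character. (echo is still a
    poor choice for arbitrary data; printf with a fixed format is safer.)"""
    return _run_sh(PIPELINE % shlex.quote(user_input)) == EXPECTED_HASH


def check_password_hardened(user_input: str) -> bool:
    """Proper fix: no shell at all. Hash in-process and compare in constant
    time so the comparison does not leak how many digest bytes matched."""
    digest = hashlib.md5(user_input.encode()).hexdigest()
    return hmac.compare_digest(digest, EXPECTED_HASH)


if __name__ == "__main__":
    bypass = EXPECTED_HASH + " ;#"       # the shape of the post's payload
    for name, fn in [("vulnerable", check_password_vulnerable),
                     ("quoted", check_password_quoted),
                     ("hardened", check_password_hardened)]:
        print(f"{name:10s} real secret -> {fn(SECRET)}, "
              f"injection -> {fn(bypass)}")
    print("injection flagged:", looks_like_injection(bypass))
```

Running it shows the vulnerable check accepting both the real secret and the `<hash> ;#` input, while the quoted and hardened checks accept only the secret. Note that the quoted variant still leaves a user-controlled string inside a command line; the hardened variant is the one to copy.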


That concludes the analysis of this function. As you can tell, the function is really not secure at all and whoever wrote it probably should not be writing code for devices like modems.

TG1682G firmware

Howdy, 

I am trying to unbrand a Comcast TG1682G. Does anyone have a firmware file for this modem? Maybe one from a non-Comcast carrier?

I have a cmts so i can flash over config file.

Thanks for the help!


[Tutorial] How to unpack and repack UBFI firmware images

UBFI images are the firmware images that Puma5 and some Puma6 modems use.

Before we can unpack these, first let's learn exactly what goes into these images.

A standard UBFI image is actually two files concatenated together:
  • A uImage boot script file
  • A uImage multi-image file containing the following:
    • zImage Linux kernel
    • Squashfs root filesystem

So, unpacking these files should be relatively straightforward: we need to extract the boot script, zImage, and Squashfs.

If we check out the file format in Binwalk, we see basically that:
[Image: y0fKTpV.png]


Unpacking images

To unpack UBFI images, we're going to use a hex editor and copy the data out by hand.
Start by opening your UBFI image in a hex editor.

Boot Script
To extract the boot script, identify the first character in your boot script. It should be visible very early.

[Image: IcYJGLq.png]

So, 4 bytes before the first character in our boot script is the length of the boot script: it is 2300.

Now, use your hex editor's block select feature to select the block starting at our first character, with a length of 2300.

[Image: YFRzdnv.png]

Copy and paste into a new file, and check it out to make sure it looks right!
[Image: P2xTBAT.png]

At the end of our boot script, we see some null bytes:
[Image: uzxjYG4.png]

These can safely be deleted. They are an artifact of padding, and normally they are ignored.

zImage Kernel and Squashfs
To find the kernel, we're actually going to use binwalk. It will save us time.

[Image: TqnOXRO.png]

We easily locate the starting positions of the zImage and the Squashfs:
2394 and FD800.

Now navigate to 2394 with Goto, then go 4 bytes before...what do we see?
[Image: xgqaO16.png]

So, 4 bytes before the zImage (just like for the boot script), we find the lengths of the files in the image.
Since this is a multi-image file, and there are two files, there are two lengths. Each length is separated with 1 byte.

First come, first served: the zImage is our first length and the Squashfs is our second length.
So, our zImage length is FB46C and our Squashfs length is 400C00.

So, block select from 2394 with a length of FB46C.
You should be able to see the beginning of the Squashfs immediately after your selection.
[Image: oXw0eHF.png]

Copy+paste, save and you've got the zImage!

The exact same process is used to extract the Squashfs: block select from FD800 with a length of 400C00.

Unpacking Squashfs
To make changes to the root filesystem, you will have to unpack the Squashfs. This is extremely simple!

Code:
unsquashfs -d squashfs-root squashfsfilename

You can install unsquashfs by installing squashfs-tools on Debian/Ubuntu; refer to Google for other distros.

Repacking images

The first thing we have to do is repack the Squashfs back into a Squashfs filesystem. To do this, it's just as simple as unpacking it:
Code:
mksquashfs squashfs-root squashfsfilename -noappend -comp xz

This will repack (and overwrite) our squashfs from all the files in squashfs-root, which is where we extracted it originally.

You may need to tinker with block size and compression algorithms; not all modems support all compression algorithms.

Once this is done, we just need to create new uImages and concatenate them.
But, before we can make new uImages, we're going to need another package: uboot-tools.

Once you have everything ready, run these commands with the appropriate file names:
Code:
mkimage -A powerpc -O linux -T script -a 0 -e 0 -C none -n "Boot Script File" -d bootscriptfilename BootScriptuImage
mkimage -A arm -O linux -T multi -a 0xA00000 -e 0xA00000 -C none -n "Multi Image File" -d zImagefilename:Squashfsfilename KernelFileSystemuImage
cat BootScriptuImage KernelFileSystemuImage > UBFI

This will compile bootscriptfilename, zImagefilename, and Squashfsfilename into a working UBFI image.

You should note that the data address and entry point may differ on some modems; you can find the correct values from Binwalk:

[Image: XHDyEvU.png]

However, most modems use the same values.
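The offsets and lengths the unpacking section reads out of a hex editor follow from the uImage header and the multi-file size table, so they can be computed rather than eyeballed, and the same structure is what the two mkimage commands above produce. The following Python is an added example, not code from this post or from any modem vendor: it builds a small UBFI-style image the way those commands do (a script-type uImage followed by a multi-type uImage, each with a 64-byte big-endian legacy header and a table of 32-bit part sizes terminated by a zero word, parts padded to 4 bytes, which is the standard U-Boot layout), then parses it back, recovering every part's offset and length and checking both CRCs. The boot script, kernel and Squashfs payloads are constructed stand-ins, not real firmware.

```python
"""Build a minimal UBFI-style image and parse it back (added example)."""
import struct
import zlib

IH_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"     # 64-byte legacy uImage header, big-endian
IH_OS_LINUX, IH_ARCH_ARM, IH_ARCH_PPC = 5, 2, 7
IH_TYPE_MULTI, IH_TYPE_SCRIPT, IH_COMP_NONE = 4, 6, 0


def _pad4(b: bytes) -> bytes:
    """mkimage pads each part of a multi/script image to a 4-byte boundary."""
    return b + b"\0" * (-len(b) % 4)


def make_uimage(parts, os_, arch, type_, load, ep, name) -> bytes:
    """Mimic mkimage -T script / -T multi: a table of 32-bit sizes ended by
    a zero word, then each padded part, behind a 64-byte header whose hcrc
    is computed with the hcrc field itself zeroed."""
    table = b"".join(struct.pack(">I", len(p)) for p in parts) + b"\0\0\0\0"
    data = table + b"".join(_pad4(p) for p in parts)
    hdr = struct.pack(HEADER_FMT, IH_MAGIC, 0, 0, len(data), load, ep,
                      zlib.crc32(data) & 0xFFFFFFFF, os_, arch, type_,
                      IH_COMP_NONE, name.encode().ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + data


def parse_ubfi(blob: bytes):
    """Walk the concatenated uImages and return, per image, the header
    fields, CRC status and the (offset, length) of each contained part."""
    images, off = [], 0
    while off + 64 <= len(blob):
        fields = struct.unpack(HEADER_FMT, blob[off:off + 64])
        magic, hcrc, _t, size, load, ep, dcrc, os_, arch, type_, comp, name = fields
        if magic != IH_MAGIC:
            break
        hdr0 = blob[off:off + 4] + b"\0\0\0\0" + blob[off + 8:off + 64]
        data = blob[off + 64:off + 64 + size]
        img = {"offset": off, "type": type_, "load": load, "ep": ep,
               "name": name.rstrip(b"\0").decode(),
               "hcrc_ok": (zlib.crc32(hdr0) & 0xFFFFFFFF) == hcrc,
               "dcrc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == dcrc,
               "parts": []}
        if type_ in (IH_TYPE_MULTI, IH_TYPE_SCRIPT):
            sizes, pos = [], 0
            while pos + 4 <= len(data):          # read sizes up to the zero word
                (n,) = struct.unpack(">I", data[pos:pos + 4])
                pos += 4
                if n == 0:
                    break
                sizes.append(n)
            for n in sizes:                       # parts follow, 4-byte aligned
                img["parts"].append({"offset": off + 64 + pos, "length": n})
                pos += (n + 3) & ~3
        images.append(img)
        off += 64 + size
    return images


# Constructed sample payloads (not a real boot script, kernel or Squashfs).
BOOT_SCRIPT = b"setenv bootargs console=ttyS0\nbootm 0xA00000\n"
FAKE_ZIMAGE = b"\x1f\x8b" + b"K" * 1001        # odd length: exercises padding
FAKE_SQUASHFS = b"hsqs" + b"F" * 4096


def build_sample_ubfi() -> bytes:
    """Same shape as the two mkimage calls above followed by cat."""
    script = make_uimage([BOOT_SCRIPT], IH_OS_LINUX, IH_ARCH_PPC,
                         IH_TYPE_SCRIPT, 0, 0, "Boot Script File")
    multi = make_uimage([FAKE_ZIMAGE, FAKE_SQUASHFS], IH_OS_LINUX, IH_ARCH_ARM,
                        IH_TYPE_MULTI, 0xA00000, 0xA00000, "Multi Image File")
    return script + multi


def extract_parts(blob: bytes):
    """Return (boot_script, zimage, squashfs) using the size tables instead
    of a hex editor's block select."""
    imgs = parse_ubfi(blob)
    script_part = imgs[0]["parts"][0]
    zimage_part, squashfs_part = imgs[1]["parts"]

    def cut(p):
        return blob[p["offset"]:p["offset"] + p["length"]]

    return cut(script_part), cut(zimage_part), cut(squashfs_part)


if __name__ == "__main__":
    for img in parse_ubfi(build_sample_ubfi()):
        print(f"{img['name']!r} @0x{img['offset']:x} load=0x{img['load']:x} "
              f"hcrc={img['hcrc_ok']} dcrc={img['dcrc_ok']}")
        for p in img["parts"]:
            print(f"   part @0x{p['offset']:x} len=0x{p['length']:x}")
```

Applied to the image in this tutorial (with its lengths read as hex, which the offset arithmetic confirms), the same walk gives the numbers found by hand: the script data starts at 0x40, the multi-image header at 0x2348 and its size table at 0x2388, so the zImage sits at 0x2394 and, 0xFB46C bytes later, the Squashfs at 0xFD800. The CRC checks are the useful safety net after a repack: `mkimage -l UBFI` performs the same verification, and a mismatch means a part was mis-sized or a header was hand-edited without recomputing the checksums.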

Enjoy!

Help! Forgot Forceware login password

Guys, I forgot the password; the default Username/Password "admin"/"force" or "sbhacker"/"sbh doesn't work.

I searched for solutions and found a post:

SSH into forceware and run the following command (change "yournewpassword" to desired password)
Code:
hpasswd yournewpassword

Now take the results from the previous command and use it to replace the word "output_here" in this command and run it
Code:
echo "admin:output_here" >/nvram/fw/.htpasswd

Example
Code:
echo "admin:KdcE8nHjwFGB6" >/nvram/fw/.htpasswd

Now you can log in the WebUI with the new password

I know it's stupid to ask, but what does it mean to "SSH to forceware" and how exactly should I do it?

Spectrum Activation Page

Hey All,

Happy New Year Everyone,

I've had a Docsis 3.0 modem working on charter for over a year now, with a docsis 2.0 modem as a backup, over the holidays both modems stopped working. At first it was the docsis 2.0 modem, upon connection it would connect just fine and show up as active but the pages would not load with the message "not safe, somebody might be stealing your info" and occasional redirections to spectrum activation page. Now the same things started happening with the docsis 3.0 modem. It's an arris 6141. I've had something similar a couple of months ago, changing the DNS address seemed to help and bypass that page and make the modem usable again, now it simply does not work.

Just want to see if anybody has experienced this and if there's a way around this. I would greatly appreciate any help.

TL;DR - modem connects just fine, all seems active, getting "Website not secure" in Chrome message, and redirects to spectrum activation page.

Thanks!

Breakout clip for PS8211-0?

Does anyone know of a breakout clip for the Phison PS8211-0? I'd like to install BitWare, but my hands are terribly shaky.


optimum certs

anyone has optimum certs for trade?? pm me

SBG6580 Attempt To Clone (Newbie Post)

So I followed the steps provided in this post.

http://www.haxorware.com/forums/showthre...2#pid33852

Unfortunately, I was unable to set the modem's CM-MAC. It did allow me to set the CMTS MAC.

Primary address failed, secondary active;CM-MAC=64:55:b1:00:00:00;CMTS-MAC=00:01:00:00:00:00;CM-QOS=1.1;CM-VER=3.0;

Active Modem Mac: 00:01:00:00:00:00
Inactive Modem Mac: 64:55:b1:00:00:00

How do I set the CM Modem MAC? Is that even possible using the steps in the other post? I'm pretty new to this stuff so I want to know if anyone could help me out.

Am I crazy ? All My settings changed.

I'm in nyc. I'm out 15 mins. Everything working fine at the time. I come back home to blue status lights on my modem and all my settings changed.
Has this happened to anyone else ???
I think the provider made this change. Is it possible ? Am I crazy ??

Sincerely
Confused in nyc.


TC4400

Has anyone worked on the TC4400-am technicolor??? If so private message me pls!!!



Connection.

I have a sb6120 forceware 1.2 for about 6 years. got it from a guy on CL. I never expected it to last this long. it's been very reliable. The last couple days been hell. The last couple days it won't stay connected longer than 5 mins.

My question is will the updated version 1.4 work better? Or should I get a new one all together with Bitware? Please help me. I only need direction. The guy that sold it to me dropped off the face of the earth. My lil kids are driving me nuts bc there's no internet.

Thank you.

(newbie) question about spectrum with sb6141 full backup?

just got sb6141 from ebay with forceware installed.
i guess i need install some files so i can use with spectrum (socal)
i know lots of people here knows but can i do full backup from another modem (has forceware too)
to my modem is that will including all files and certificates??!
thank you in advance.

Putty and winscp help

Can someone point me to a tutorial on how to set up putty and winscp to extract cert and private key


Thoughts about haxorware.com security

Hi there,

I want to ask a question about the domain haxorware.com. Is there a plan to activate HTTPS? With Let's Encrypt there is a free CA available. Also I would raise a question about a .onion address for this forum.

Please don't take this wrong. I'm happy to have this forum but at least the missing HTTPS nowadays worries me.

I will appreciate any answer.