Get a root shell (SSH)
The exploit only worked in Askey FastGates and it has been fixed in later firmware versions.
Also, the sh command in the st_shell has been removed. There are ways around this but we decided not to publish the newer exploits. It's fairly easy to find them if you reverse-engineer the binaries.
This enables the daemons using NVRAM variables, you will lose access if you reset the router.
You need Python, either 2 or 3.
It does not work any more with newer versions of the firmware.
See the project page: Depau/fastgate-python
This prevents the exploit from being removed when the NVRAM is reset (i.e. when you press the reset button). Note that changes to /etc are overwritten by firmware upgrades.
- Remount root filesystem read-write: see wiki page
- Push
sshd.shto the gateway (i.e. with an HTTP server or a USB drive, see Getting files into the gateway) - Copy the init script and enable it
cp sshd.sh /tmp/ubifs/etc/init.d/ chmod 755 /tmp/ubifs/etc/init.d/sshd.sh cd /tmp/ubifs/etc/rc3.d/ ln -s ../init.d/sshd.sh S99ssh - Remount filesystem read-only: see wiki page
- Reboot.
Our friends at Fastweb thought using a shell to check the web administration panel password was a good idea.
The web server is running as root, what could possibly go wrong?
- Go to the gateway's admin panel.
- Use whatever username you like.
- Type
'; reboot #in the password field. - Press
Login
Yeah, the password is wrong.