5. System enumeration (via shell)

**some of the logs have been changed after resetting router

/tmp/gn-httpd does not exist anymore
...

5.1 Gaining a shell

[...insert image of physical connection from host to device using USB-UART adapter + wires]

UART shell | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

First, identify the device name of the USB-UART adapter:

$ ls /dev | grep -i usb
ttyUSB0

Next, use picocom to retrieve a shell, with the baud rate as 115200 (a common first guess)

$ picocom -b 115200 /dev/ttyUSB0

Received a log output with non-gibberish text
- this means that the correct baud rate was chosen
A "Hit enter to continue..." message was shown
- From there, we are able to pop a BusyBox v1.7.2 shell

5.2 General enumeration

List of enumeration steps:

Read through the initial boot logs
Identify firmware version (to verify if the current version is still vulnerable)

nvram
build date

Identify architecture
Identify httpd binary locations
...

5.2.1 Boot logs

Boot version

CFE version 5.100.138.11 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 11/23/11 12:16:38 CST (wzh@cybertan)
Copyright (C) 2000-2008 Broadcom Corporation.

Commands

The following compiles a few interesting commands listed in the boot logs:

cmd=[insmod emf ]
cmd=[insmod igs ]
cmd=[insmod ...]
... # other insmod commands

cmd=[iptables -t nat -F wlwarning2wan ]
cmd=[iptables -F wlwarningaccept ]
cmd=[ip6tables -t mangle -F wlwarning2wan ]
cmd=[ip6tables -t filter -F wlwarningaccept ]

cmd=[tftpd -s /tmp -c -l -P E150 ]
cmd=[cron ]
cmd=[httpd ]
cmd=[/tmp/gn-httpd -p 51000 -G ]
cmd=[touch /tmp/hosts ]
cmd=[dnsmasq -R -h -i br1 -i br0 -c 0 -r /tmp/resolv.conf ]
cmd=[route del -net 224.0.0.0 netmask 240.0.0.0 dev br0 ]
cmd=[route add -net 224.0.0.0 netmask 240.0.0.0 dev br0 ]
cmd=[cesmDNS -o /tmp/.mdns_host_info -d -h CISCO007 -l 192.168.1.1 ]
cmd=[/tmp/gn-dhcpd -cf /tmp/dhcpd-br1.conf -lf /tmp/dhcpd-br1.leases -df /tmp/udhcpd-br1.leases -pf /var/run/dhcpd-br1.pid br1 ]
cmd=[dhcpd -cf /tmp/dhcpd-br0.conf -lf /tmp/dhcpd.leases -df /tmp/udhcpd.leases -pf /var/run/dhcpd.pid br0 ]
cmd=[/bin/eapd ]
cmd=[nas ]
cmd=[/bin/wps_monitor ]
cmd=[netbios /tmp/samba/lib/netbios.conf ]
cmd=[nlinkd ]
cmd=[/sbin/monitor_cable ]
cmd=[/usr/sbin/arp -c ]

cmd=[iptables -t filter -A FORWARD -i br1 -d 192.168.1.0/24 -j DROP ]
cmd=[iptables -t filter -A FORWARD -i br0 -d 192.168.33.0/24 -j DROP ]
cmd=[iptables -t nat -A PREROUTING -i br1 -p tcp -d 192.168.33.1 --dport 80 -j DNAT --to-destination 192.168.33.1:51000 ]
cmd=[touch /tmp/hosts ]
cmd=[/usr/sbin/ip -6 addr flush dev vlan2 scope global ]
cmd=[ip6tables -t filter -F ]
cmd=[ip6tables -t filter -Z ]
cmd=[ip6tables -t mangle -F ]
cmd=[ip6tables -t mangle -Z ]

Discussion of important commands:

a. httpd binary

cmd=[httpd ]
cmd=[/tmp/gn-httpd -p 51000 -G ]
cmd=[iptables -t nat -A PREROUTING -i br1 -p tcp -d 192.168.33.1 --dport 80 -j DNAT --to-destination 192.168.33.1:51000 ]

Both the httpd and /tmp/gn-httpd binary are executed on ports 80 (likely) and 51000 respectively
The iptables rule forcefully redirects all traffic destined for 192.168.33.1 port 80 to port 51000 instead

Other useful information

Linux version 2.6.22 (wzh@cybertan) (gcc version 4.2.3) #2 Wed Feb 15 20:33:15 CST 2012
Kernel command line: root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit

5.2.2 Firmware version

# firmware version
$ nvram get firmware_version
$ nvram show | grep -i version

# uname
$ uname -v
Wed Feb 15 20:33:15 CST 2012

We have identified that the build date is Feb 15 2012

With the following simple Google dork:

site:downloads.linksys.com "e1200"

I managed to find details for a few release notes, with the earliest on Aug 28, 2013, and the latest on Jan 5, 2018

It is highly probable that the current firmware on the device has not been patched at all, and would most likely still be vulnerable to the CVEs we have discussed before.

5.2.3 Further enumeration

Available memory:

# cat /proc/meminfo
# free

List all the available binaries:

# echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin

# ls /usr/bin
# ls /bin
# ls /usr/sbin
# ls /sbin

Architecture & stack protections:

# uname -u
# cat /etc/version
# cat /etc/banner
# cat /etc/issue

# cat /proc/cpuinfo
# cat /proc/sys/kernel/randomize_va_space

5.3 `/tmp/gn-httpd` binary (CVE)

Let's focus on the following CVE:

NVD - CVE-2025-60690nvd.nist.gov

First, we have to identify the location of the vulnerable binary. From previous enumeration steps, we know that requests to port 80 are redirected to port 51000, which is handled by the /tmp/gn-httpd binary

# ps w | grep 51000
  336 root       3864 S   /tmp/gn-httpd -p 51000 -G

Next, we have to understand the entry point of the vulnerability. In this case, it would be the URL path we need to send our HTTP request (either GET, POST, etc.) in order to reach the get_merge_ipaddr function of the httpd binary

The function concatenates up to four user-supplied CGI parameters

We know that the vulnerability deals with CGI

Apache Tutorial: Dynamic Content with CGI - Apache HTTP Server Version 2.4httpd.apache.org

5.3.1 Find all `.cgi` files

Look for all occurrences of the string value .cgi and extract the filenames. Next, we can look for the location, and view the content of these files:

# find / -name 'xxxx.cgi' 2>/dev/null
...
# cat xxxx.cgi

5.3.2 Finding information for the `get_merge_ipaddr` function

# ls /www 
# ls -R /www/cgi-bin

# grep -r 'get_merge_ipaddr' /

Previous4. Networking Next6. Reverse engineering (exploit development)

Last updated 2 days ago

hashtag**some of the logs have been changed after resetting router

hashtag5.1 Gaining a shell

hashtag5.2 General enumeration

hashtag5.2.1 Boot logs

hashtag5.2.2 Firmware version

hashtag5.2.3 Further enumeration

hashtag5.3 /tmp/gn-httpd binary (CVE)

hashtag5.3.1 Find all .cgi files

hashtag5.3.2 Finding information for the get_merge_ipaddr function