Hacking the OSBRiDGE 24XLGi

Today someone gave me a spare OSBRiDGE 24XLGi: he had been using them outdoors and the case had broken.
The 24XLGi is a wireless router used for long-distance links.
The bootloader seems to be crippled, and there are no open ports apart from the HTTP one.
Firmware upgrades are done via the web interface, and the system checks the image for some sort of CRC.

While browsing the web interface I found the "service" page, which contains a ping form to test connectivity:
(screenshot: the ping form)

So I suspected that it just runs `ping $hostname` through the system shell. The hostname field was limited to 15 characters (12 digits and 3 dots, the length of a dotted-quad IPv4 address), but that limit was only a maxlength attribute enforced by the browser, so I opened the Mozilla DOM Inspector, raised it to 50, and appended "; ping 192.168.1.150" to the hostname, where 192.168.1.150 is a nonexistent host:
(screenshot: the hostname with an additional ping)

Meanwhile I had tcpdump running, and I saw the router asking the network for the 192.168.1.150 address (ARP requests for a host that does not exist): the injection worked!
(screenshot: injection works)

I then started injecting commands with curl, and when I executed a nonexistent command I found this in the HTTP response headers:

Client-Junk: sh: iname: not found

So it was all clear: the command's stderr goes into the HTTP headers (and the "sh:" prefix shows the hostname really is handed to a shell).
So I wrote a hackish Perl script which injects the command and redirects its output to stderr, so that it comes back in the headers: inject.pl
$ inject.pl uname -a
Linux (none)
2.4.18-MIPS-01.00 #653 śro maj 23 11:38:56 CEST 2007 mips unknown
Have fun with your root shell on the 24XLGi!

for info mail me: [email protected]

01:20, 6/5/2008
Matteo Croce
OpenWrt Developer