Topic: BT Home Hub 3.0 - Type B

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: BT Home Hub 3.0 - Type B
« Reply #210 on: April 16, 2013, 09:20:15 PM »

One of these is now winging its way to me from that site that begins with an E :).

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #211 on: April 16, 2013, 09:53:50 PM »

Or is it an e, followed by a B? ;D

I will be interested in reading about your experiments, in due course, Alec.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

ZenmasteR

  • Just arrived
  • *
  • Posts: 3
Re: BT Home Hub 3.0 - Type B
« Reply #212 on: April 17, 2013, 09:24:49 AM »

Quote
full featured busybox compiled for homehub (mips)

https://skydrive.live.com/#cid=0E86B6C68CC33600&id=E86B6C68CC33600%21103

copy to memory stick and access via /mnt/usb/<disklabel>

Hi
How would I go about using this on a homehub3b?

thanks

towcow

  • Just arrived
  • *
  • Posts: 4
Re: BT Home Hub 3.0 - Type B
« Reply #213 on: April 17, 2013, 11:16:15 AM »

You need to run Zachary Cutlip's exploit to get a root shell on the hub.

https://github.com/zcutlip/exploit-poc/tree/master/BT/homehub3b

I ran the exploit from Cygwin on Windows. Or use a Linux/Unix device.

Then put a FAT32 or NTFS USB stick with busybox on it into the back of the Hub and it will automount as /mnt/usb/<disklabel>

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: BT Home Hub 3.0 - Type B
« Reply #214 on: April 19, 2013, 05:25:34 PM »

How does one undo the exploit?

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: BT Home Hub 3.0 - Type B
« Reply #215 on: April 19, 2013, 07:13:03 PM »

I can't get the exploit to work. I get:

Code:
Traceback (most recent call last):
  File "./hh3b_exploit.py", line 75, in <module>
    from simplesploit.overflow_development.overflowbuilder import RopGadget, OverflowSection, OverflowBuffer
ImportError: No module named simplesploit.overflow_development.overflowbuilder

Any ideas?

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #216 on: April 19, 2013, 08:01:30 PM »

There is really not much to go wrong.

I will advise that you perform a factory reset of the HH3.0B ('paper-clip in the hole' technique) and then configure your computer's NIC as per the README file contained within the exploit package. Note that you will need to configure the CALLBACK_IP parameter to the appropriate IP address as used by your computer.

Quote
[bcat@Duo2 homehub3b]$ cat README
README

DESCRIPTION
This proof-of-concept exploit code will yield a root shell on the
target HomeHub 3.0b. See included vulnerability report for details
and affected firmware versions.

This is NOT an unlock for your HomeHub 3.0b.  Although it will yield a
root shell, it does not, in itself, unlock your device.  It probably is only
useful to and should be used by those interested in conducting further
research into the HomeHub 3.0b.

NOTES
--You must edit environment.py to set *your* ip address.  This is
   the address that the exploited router will call back to.
--This exploit is not whitespace-safe.  What this means for you is
   that your IP address must not contain any numbers which map to
   whitespace characters (space, tab, carriage return, etc). It must
   also not contain any 0 octets (e.g., 192.168.0.1).
--This is a multicast exploit.  Any device on the same LAN as the target
  device will receive the exploit packet.  Generally, this should not be a
  problem, but you may care to use this only on an isolated network.  If any
  *other* devices misbehave when using this exploit, I would be interested in
  knowing.  email me at uid000_at_gmail_com.

[bcat@Duo2 homehub3b]$

Quote
[bcat@Duo2 homehub3b]$ cat environment.py
# Copyright (c) 2013 Zachary Cutlip
#                    Tactical Network Solutions, LLC

#void 0 octets, and values that map to whitespace characters.
CALLBACK_IP="192.168.99.64"
[bcat@Duo2 homehub3b]$

"Works For Me."   :P

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: BT Home Hub 3.0 - Type B
« Reply #217 on: April 19, 2013, 08:12:03 PM »

Yep, it's working in Cygwin now. I couldn't get it to work on Linux.

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: BT Home Hub 3.0 - Type B
« Reply #218 on: April 19, 2013, 08:43:11 PM »

So does this exploit allow telnet access permanently? What do I do with busybox when it's on the drive and plugged into the Home Hub?

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #219 on: April 19, 2013, 10:49:48 PM »

It is probably not what you want . . . unless you are researching into the creation of an actual unlocking method. Let's look again at what Zach says --

Quote
This is NOT an unlock for your HomeHub 3.0b.  Although it will yield a
root shell, it does not, in itself, unlock your device.  It probably is only
useful to and should be used by those interested in conducting further
research into the HomeHub 3.0b.

Although I started this thread, way back when, I have not had the time available to commit to a dedicated assault on the device.  :no:

Perhaps you would like to visit PsiDOC and discuss the latest status for this modem/router with the regulars based 'over there'?

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: BT Home Hub 3.0 - Type B
« Reply #220 on: May 08, 2013, 02:19:47 PM »


ZenmasteR

  • Just arrived
  • *
  • Posts: 3
Re: BT Home Hub 3.0 - Type B
« Reply #221 on: May 09, 2013, 06:26:58 PM »

Just had a new update done on my 3b:

V100R001C01B036SP03_L_B

towcow

  • Just arrived
  • *
  • Posts: 4
Re: BT Home Hub 3.0 - Type B
« Reply #222 on: May 11, 2013, 11:07:50 AM »

I too just got the V100R001C01B036SP03_L_B update. The exploit no longer works. Looks like SSDP has been disabled.
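The README quoted earlier in the thread describes the PoC as a multicast exploit, and towcow's post above suspects that the B036SP03 firmware disabled SSDP. The following probe is an added example (not code from this thread, from zcutlip's exploit-poc, or from BT) that a practitioner can run before and after a firmware update to see whether anything on the LAN still answers an SSDP M-SEARCH. The multicast group, port and M-SEARCH format are from the SSDP/UPnP discovery protocol; the function names are this example's own, and the sample reply embedded below is constructed for the parser test, not captured from a Home Hub. Silence within the timeout is consistent with SSDP having been turned off, but it does not prove the listener is gone (the hub could simply not respond to M-SEARCH while still parsing other SSDP traffic).

```python
"""SSDP M-SEARCH probe: added example, not part of the thread or the PoC exploit.

Sends one multicast M-SEARCH to 239.255.255.250:1900 and collects every
unicast 'HTTP/1.1 200 OK' reply, printing the source IP, SERVER and LOCATION
headers. Run it on the same LAN as the hub; the exploit packet travels the
same way, so a hub that no longer replies here is at least consistent with
towcow's "SSDP has been disabled" observation.
"""
import socket
from typing import Dict, List, Optional, Tuple

SSDP_GROUP = "239.255.255.250"   # SSDP IPv4 multicast group (from the UPnP spec)
SSDP_PORT = 1900                 # SSDP UDP port


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build an HTTPU M-SEARCH request; header lines end in CRLF, blank line ends it."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> Optional[Dict[str, str]]:
    """Return a lower-cased header dict for an 'HTTP/1.1 200 OK' reply, else None."""
    text = data.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def probe_ssdp(timeout: float = 3.0) -> List[Tuple[str, Dict[str, str]]]:
    """Send one M-SEARCH and collect (source_ip, headers) for every valid reply."""
    found: List[Tuple[str, Dict[str, str]]] = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    try:
        try:
            sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        except OSError as exc:          # e.g. no route to the multicast group
            print(f"could not send M-SEARCH: {exc}")
            return found
        while True:
            try:
                data, (ip, _port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append((ip, headers))
    finally:
        sock.close()
    return found


# Constructed sample reply in the shape a UPnP root device sends (NOT a Home Hub capture).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.254:1900/igd.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 example/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    sample = parse_ssdp_response(SAMPLE_REPLY)
    print("parser self-check:", sample["st"], sample["location"])
    replies = probe_ssdp()
    if not replies:
        print("no SSDP responders on this LAN within the timeout")
    for ip, hdrs in replies:
        print(ip, hdrs.get("server", "?"), hdrs.get("location", "?"))
```

Because the M-SEARCH is multicast, every UPnP-capable device on the segment will answer, so expect media servers and PCs in the list as well; filter on the hub's LAN address. The `MX` value tells responders how long they may delay, so keep `timeout` above it.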

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #223 on: August 07, 2013, 09:35:42 PM »

Hello all,

Sorry for being away for such a long time.  I'm also sorry to see that people's HH3bs are getting patched and my exploit no longer works on the new firmware.

I just wanted to let everyone know that I'll be presenting this research at 44Con in London this September in case anyone is planning on attending.
http://44con.com/speakers/

I also wanted to let people know that I've cleaned up the exploit somewhat and refactored it to use my new project, Bowcaster.  The exploit uses a payload encoder I wrote for Bowcaster, so whitespace and null bytes in the callback IP address should no longer be a problem.

You can get the PoC exploit code from github:
https://github.com/zcutlip/exploit-poc
And you'll need Bowcaster installed on your system as well:
https://github.com/zcutlip/bowcaster/tree/v0.1

Hope to see you at 44Con!

Zach
« Last Edit: August 07, 2013, 09:38:56 PM by zcutlip »
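Two passages in this thread concern the same constraint: the README quoted by burakkucat says the original PoC is "not whitespace-safe", so no octet of CALLBACK_IP may be 0 or a byte that maps to a whitespace character, and Zach's post above says the Bowcaster rewrite removes that restriction with a payload encoder. The following is an added example, not code from this thread, from zcutlip's exploit-poc, or from Bowcaster: a check that applies the README rule to a candidate callback address, plus a small additive encoder that shows the general idea behind a bad-byte-avoiding encoder (store the bytes in a transformed form that contains no forbidden byte, and undo the transform at run time). The set of "whitespace" bytes is assumed to be the ones C's isspace() accepts in the C locale; the additive scheme and all function names are this example's own choices, and on the real target the decode step would be a MIPS stub rather than Python.

```python
"""Callback-IP bad-byte check and illustrative additive encoder.

Added example; not from the thread, zcutlip/exploit-poc or Bowcaster.
"""
import ipaddress
from typing import List, Tuple

# Assumption: 0x00 plus the bytes C isspace() accepts in the "C" locale
# (\t \n \v \f \r and space). The README lists "space, tab, carriage return, etc".
BAD_BYTES = frozenset({0x00, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x20})


def ip_bad_octets(ip: str) -> List[int]:
    """Octets of a dotted-quad IPv4 address that the unencoded PoC cannot carry."""
    packed = ipaddress.IPv4Address(ip).packed
    return [b for b in packed if b in BAD_BYTES]


def is_safe_callback_ip(ip: str) -> bool:
    """True if the address can be used as CALLBACK_IP without any encoding."""
    return not ip_bad_octets(ip)


def encode_bytes(raw: bytes) -> Tuple[int, bytes]:
    """Pick an additive key so that the key and every (b + key) % 256 avoid BAD_BYTES.

    Returns (key, encoded). For 4 input bytes a key always exists: each input byte
    rules out at most 7 keys, and 7 more keys are bad themselves, so at least
    255 - 4*7 - 7 candidates remain.
    """
    for key in range(1, 256):
        if key in BAD_BYTES:
            continue
        encoded = bytes((b + key) % 256 for b in raw)
        if not any(b in BAD_BYTES for b in encoded):
            return key, encoded
    raise ValueError("no usable key for this input")


def decode_bytes(key: int, encoded: bytes) -> bytes:
    """What a decoder stub does at run time: undo the addition byte by byte."""
    return bytes((b - key) % 256 for b in encoded)


def encode_callback_ip(ip: str) -> Tuple[int, bytes]:
    """Encode the 4 octets of an IPv4 address so no stored byte is in BAD_BYTES."""
    return encode_bytes(ipaddress.IPv4Address(ip).packed)


if __name__ == "__main__":
    # 192.168.99.64 is the address from the quoted environment.py; the others
    # are constructed to hit the zero-octet and whitespace-octet cases.
    for candidate in ("192.168.99.64", "192.168.0.1", "10.0.13.32"):
        bad = ip_bad_octets(candidate)
        key, enc = encode_callback_ip(candidate)
        state = "ok as-is" if not bad else f"unsafe unencoded, bad octets {bad}"
        print(f"{candidate:>14}: {state}; encoded with key 0x{key:02x} -> {enc.hex()}")
        assert decode_bytes(key, enc) == ipaddress.IPv4Address(candidate).packed
```

The check is what you want before editing environment.py for the original PoC: 192.168.0.1 fails on its zero octet, and an address such as 10.0.13.32 fails on every octet (0x0A, 0x00, 0x0D, 0x20 are all whitespace or NUL). The encoder side is only a model of the technique; a real exploit must also keep the decoder stub itself free of the same bad bytes, which is the harder part and the reason Bowcaster ships its own encoder.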

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7390
  • VM Gig1 - AAISP L2TP
Re: BT Home Hub 3.0 - Type B
« Reply #224 on: August 12, 2013, 05:22:43 PM »

It would be great if, e.g., the HH5 became unlockable; like on VM, their DIR-615 turned out to be a great router with DD-WRT on it.