Gameguru Mania Forum
How to get shell on Linksys RV042G

 
heretic (Site Admin)



Posted: Thu Apr 02, 2015 9:59 pm

There is a special CGI script that can be accessed over an HTTP/HTTPS connection. It requires a logged-in user, so it's not a security issue.

http://router/sysinfo123.htm
When called without any parameters, it displays device information.
Commands:
?ConsoleSimulation=1/0 Enables/disables telnet server on port 23
?cmd=Reboot Reboots the router
?cmd=ClearFlag Unknown
?cmd=BackupBoot Unknown
?load -u [tftp://|http://] -s <int> Loads and flashes firmware file, same as telnet load command

Telnet server requires user/password login and drops you into commandline interface:

Username: admin
Password: ************
RV042> help
exit: Exit from the current cli
die: exit <ret> from maintask
ps: Print main-task tasks
rg_conf_print: rg_conf_print <root> - Print OpenRG configuration
starting from <root> - use / for the whole configuration
rg_conf_set: rg_conf_set <path> <value> - Set rg_conf path to a value
rg_conf_set_obscure: rg_conf_set_obscure <path> <value> - Set rg_conf path to an obscured value
rg_conf_del: rg_conf_del <path> - Del subtree path from rg_conf
rg_conf_ram_set: rg_conf_ram_set <path> <value> - Set rg_conf_ram path to a value
rg_conf_ram_print: rg_conf_ram_print <root> - Print OpenRG dynamic
configuration starting from <root> - use / for the whole configuration
reconf: reconf <flash_delay 1(=NOW) to 4> - Reconfigure the
system according to the current rg_conf
entity_close: entity_close <entity ptr> - Close an entity
host: host <name> - Resolve host by name
rgpf_config: rgpf_config [f|c|a] - Flush/Clean/Activate Firewall & NAT
rgpf_info: rgpf_info - Display Firewall & NAT information
rgpf_info2: rgpf_info2 - Display Firewall & NAT information
fw_set_age: fw_set_age <proto> <age>. Set state age in seconds, protocan be one of [ICMP=1, TCP=6, UDP=17]...
flash_commit: Save configuration to flash
restore_default: restore_defaults [-d] - Restore default configuration
(use -d to avoid rebooting after)
reboot: Reboot the system
log_lev_on: log_lev_on <severity> - redirect rg_error output from severity
equal or higher to <sevrerity> to the current cli
log_lev_off: Stop rg_error redirection to the current cli
exec: exec <path> - Execute path
rmt_upd: Remotely upgrade the box
rmt_upd_wget_close: rmt_upd_wget_close <ptr> - Kill a remote upgrade process
rg_ifconfig: rg_ifconfig <details_level>
cat: Print file contents on console
shell: Spawn busybox shell in foreground
cat_log: cat_log [fw|varlog] | e[#buf_num]
bridge_info: Prints bridge information
flash_layout: Prints the flash layout and content
flash_erase: flash_erase [-d] <section> - erases a given section in the flash
flash_dump: flash_dump [-s <section> | -r <address>] [-l <length>] [-1|2|4] - dumps the flash content
bset: Configure bootloader
ifconfig: Configure network interface
ping: Test network connectivity
nk_ip: nettools ip
dump_GPIO: GPIO register
monlink: Test network connectivity
monlinkend: Test network connectivity
wandown: Bring down WAN interface
wanup: Bring up WAN interface
lbtrafficup: Bring up WAN interface
lbtrafficdown: Bring up WAN interface
setequalize: Set equalize
delequalize: Delete equalize
addinf: dynamic add interface
delinf: dynamic delete interface
activewaninf: Get active wan interface number
teravpn: add vpn entries for TeraVPN testing
addvpn: add vpn entries
addvpn_ip_fqdn: add vpn entries
switch_reset_set: reset switch
switch_stat_get: get switch status
read_sw_reent: get reentrant num
mem_alloc: alloc memory
mem_alloc_free: alloc and free memory
nk_tag_vlan: set port base vlan / tag base vlan
nk_vlan_all: set vlan all
xml_xmit: test reciver xml file
boot: boot -g {-s <section> | -r <address>} - Boot the system (-g boot with kgdb)
load: load -u <url> {-s <section> | -r <address>} - Load and burn image
8021x_open: 8021x_open <dev_name> - Open device
8021x_close: 8021x_close - Close last 802.1x device
8021x_status: 8021x_status <dev_name> - Print 802.1x device status
8021x_set_mode: 8021x_set_mode <dev_name> <dir> <auth_control> <promiscuous> - Change operating mode of device
8021x_mac_auth: 8021x_mac_auth <dev_name> <MAC> <op> - Add or remove authorization for a device (op==1->add, 0->remove)
nk_factory_print: nk_factory_print <root> - Print factory configuration. starting from <root> - use / for the whole configuration
nk_factory_set: nk_factory_set <path> <value> - Set rg_factory path to a value
ver: ver - Display version information
help: Print this menu
etask_list_dump: Dump back trace of all etasks
set_url_filter_setting: set url filter setting
get_url_filter_statics: get url filter statics
set_url_filter_debug: set url filter debug
get_url_filter_setting: get url filter setting
Returned 0
RV042>

To get a busybox shell, use the shell command.

(This output is from a device with RV042-v1.3.12.6tm-080527_fw.rmt firmware)
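
For administrators who want to know when this page is used, the following added example (not part of the original post) scans web access log lines for requests to sysinfo123.htm and labels each one with the action listed in the post. The Common Log Format input, the sample lines, the URL-encoding of the load command and the severity labels are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

DEBUG_PAGE = "/sysinfo123.htm"  # path from the post

# Constructed sample lines (Common Log Format); the %20 encoding of "load" is assumed.
SAMPLE_LOG = """\
192.0.2.10 - admin [02/Apr/2015:21:40:01 +0100] "GET /sysinfo123.htm HTTP/1.1" 200 5120
192.0.2.10 - admin [02/Apr/2015:21:41:13 +0100] "GET /sysinfo123.htm?ConsoleSimulation=1 HTTP/1.1" 200 312
192.0.2.77 - admin [02/Apr/2015:21:42:55 +0100] "GET /SysInfo123.htm?cmd=Reboot HTTP/1.1" 200 98
192.0.2.10 - admin [02/Apr/2015:21:50:02 +0100] "GET /sysinfo123.htm?load%20-u%20tftp://192.0.2.5/fw.bin%20-s%201 HTTP/1.1" 200 77
192.0.2.10 - admin [02/Apr/2015:21:55:30 +0100] "GET /home.htm HTTP/1.1" 200 2048
192.0.2.10 - admin [02/Apr/2015:21:58:47 +0100] "GET /sysinfo123.htm?ConsoleSimulation=0 HTTP/1.1" 200 312
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\n]+)\] "\S+ (\S+) [^"\n]*" \d{3}', re.M)

def classify(query):
    """Map a query string to an action from the post plus an assumed severity."""
    if unquote(query).strip().lower().startswith("load"):
        return "firmware-load", "high"      # loads and flashes a firmware file
    params = {k.lower(): v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if "consolesimulation" in params:       # 1 enables, 0 disables telnet on port 23
        on = params["consolesimulation"] == "1"
        return ("telnet-enable", "high") if on else ("telnet-disable", "low")
    if "cmd" in params:                     # Reboot, ClearFlag, BackupBoot
        return "cmd:" + params["cmd"], "medium"
    return "info", "low"                    # no parameters: device information

def find_debug_requests(log_text):
    """Return (client, timestamp, action, severity) for each debug-page request."""
    events = []
    for client, when, target in LINE_RE.findall(log_text):
        path, _, query = target.partition("?")
        if path.lower() != DEBUG_PAGE:      # case-insensitive: conservative for detection
            continue
        events.append((client, when, *classify(query)))
    return events

def telnet_left_enabled(events):
    """True if the last ConsoleSimulation toggle seen in the log enabled telnet."""
    toggles = [e[2] for e in events if e[2].startswith("telnet-")]
    return bool(toggles) and toggles[-1] == "telnet-enable"

if __name__ == "__main__":
    found = find_debug_requests(SAMPLE_LOG)
    for event in found:
        print(*event, sep="  ")
    print("telnet left enabled:", telnet_left_enabled(found))
```

A True result from telnet_left_enabled means the last toggle in the log turned the telnet server on with no later ConsoleSimulation=0, so port 23 on the router is worth checking.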
All times are GMT + 1 Hour