From time to time, I used to play a little bit with my modem-router, which is provided by my ISP (Belgacom @ Belgium). The bbox2, or Sagem F@st 3464, is, after all, a great piece of hardware locked up by Belgacom.
After some time, I managed to connect to the telnet and gain root access. Fine, let’s upload some binaries like a real busybox and some other things (incl: tcpdump, iwconfig, …). Now I have a box I can play with a bit.
Sad story: almost every 2 days, Belgacom updates the box and you end up with all your files being sent to /dev/null.
I then decided to write some scripts to put my files back in place easily when such updates are done. OK, fine, but what would happen if Belgacom decided to remotely fix the vulnerability that allows us to gain access to the box?
We would then be forced to find another vuln, losing a lot of time.
So, we could all learn that Belgacom is managing its bbox with the TR-069 protocol… What if we disable this daemon? Cool, let’s go: I’ve stripped down the processes of the box to the minimum: exit tr69, exit tr98, exit sipd! Good, now the box is running without updates, but even better: I now have more than 80% of the CPU and memory freed!
As I’ve spent some time writing these scripts and compiling these binaries, I wanted to share them with you, together with a usage example. You can find them here.
Hope it helps!