iv-wrt is An intentionally vulnerable router firmware distribution based on OpenWrt.
+ Authentication Bypass; Authentication bypass is turned off for the network disgnostics page.
+ Backdoor; A backdoor user account with root priveleges has been added.
+ Command Injection; It is possible to inject ash commands into the ping field which exists on <ip-address>/admin/network/diagnostics.
+ Reflected Cross-Site Scripting; On /cgi-bin/luci/;stok=<session-token>/admin/system/packages you can search for a package to determine whether or not it’s installed. Your search string is shown above the results. It is possible to inject scripting into this field.
+ Stored Cross-Site Scripting; It is possible to inject scripting into the hostname of the router. Since the hostname appears in the title of every page in the administration interface, this results in stored XSS for all pages.
+ Cross Site Request Forgery; While a user is logged in to the administration interface, a specially-crafted link from an outside source can cause actions to be executed on the administration interface. The system does not verify that the session token is correct.
Latest Changelog : 14/04/2015:
– modified: exploits/auth_bypass.py
– modified: exploits/cmd_injection.py
– modified: exploits/csrf.py
– modified: iv-wrt.elf
To start the image you will need qemu-system-mipsel and all of its dependencies. We recommend that you create a TAP device called tap0 and bridge it to your network interface. When the image boots, its LAN ip will be 10.0.0.1.
The driver for e1000 network cards have been built into the image. The following command will tell qemu to start the image using the interface tap0 and the e1000:
qemu-system-mipsel -kernel iv-wrt.elf -nographic -m 256 -net tap,ifname=tap0,script=no,downscript=no -net nic,model=e1000