Exploring the SPA112
Inspecting firmware to find the ping utility - Published 2015-02-16
I have been using the Cisco SPA112 for a while now, and it works great for my uses. I just want to connect existing phone systems to an Asterisk install as peers and be done with it. This has worked great, up until recently when I was having connectivity issues from the Cisco SPA. Well I went digging for the usual tools ping and traceroute, but they couldn't be found! The manual claimed they were in the web interface, but as you can see below nothing existed for me.
I tried exploring the DOM a little bit to see if the links had just been hidden, but couldn't find anything in the HTML/CSS/JS. There was a lot of raw DOM manipulation, so I would not be surprised if it just got lost in an off-by-one error or something of the sort. The following was the Admin tab as I saw it.
Finding all the ASP scripts
I noticed that every page was a dedicated .ASP script in the form of
So I decided to try my hand at a little exploring, and got really lucky! I usually run things through strings, then binwalk, and then give up :), so for my first step I downloaded the latest firmware, ran it through strings and grepped for '.asp' with the command being
strings Payton_1.3.5_004p_102814_1321_pfmwr_bootldr.bin | grep .asp
and got the following output
Diagnostics_tab1.asp and Diagnostics_tab2.asp right away! And luckily enough that is our ticket. They give us a working traceroute+ping. You just access them like
Digging Even Further
So I have solved the problem at hand, but let us see if we can dig even further. I would really like to get a shell! binwalk says there are some squashfs images in the bin, so I am going to see if I can build my own firmware with shell access.
So using binwalk, I was able to extract the firmware running
binwalk -eM Payton_1.3.5_004p_102814_1321_pfmwr_bootldr.bin
and I found a squashfs image that is 8410145 bytes, this looks promising! However I ran into some trouble extracting it. I noticed that the 'magic number' for the file was
shsq
and after some googling I found this patch
I am currently using an OSX desktop and pulled it in via Homebrew, with the following recipe that includes the linked patch. I am looking through the dump right now to see if I can find something that already evals input, etc.
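As an added example (not code from the original post), the Python below repeats the two inspection steps above on a raw firmware blob: it lists names containing a literal ".asp" (the unescaped dot in `grep .asp` matches any character) and locates SquashFS magic bytes, covering the standard hsqs and sqsh values as well as the shsq order reported here. The function names and the embedded sample bytes are constructed for illustration.

```python
import re
import sys

# Standard SquashFS magics, plus the byte order this post reports for the image.
MAGICS = {
    b"hsqs": "standard, little-endian",
    b"sqsh": "standard, big-endian",
    b"shsq": "non-standard order reported in this post",
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # what `strings` prints by default
ASP_NAME = re.compile(rb"[\w.-]+\.asp\b")         # literal dot, unlike `grep .asp`

def find_asp_names(blob):
    """Return the sorted, de-duplicated *.asp names found in printable runs."""
    names = set()
    for run in PRINTABLE_RUN.findall(blob):
        names.update(n.decode() for n in ASP_NAME.findall(run))
    return sorted(names)

def find_squashfs_magics(blob):
    """Return sorted (offset, magic, description) for each candidate superblock."""
    hits = []
    for magic, desc in MAGICS.items():
        for m in re.finditer(re.escape(magic), blob):
            hits.append((m.start(), magic.decode(), desc))
    return sorted(hits)

# Constructed sample bytes (not taken from the real firmware image).
SAMPLE = (
    b"\x00" * 16 + b"GET /Diagnostics_tab1.asp\x00"
    + b"\xff\x01grasp the cable\x00"              # matches `grep .asp`, not ours
    + b"Diagnostics_tab2.asp\x00" + b"\xff" * 7
    + b"shsq" + b"\x00" * 32                      # candidate filesystem start
)

if __name__ == "__main__":
    # Pass a firmware path as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for name in find_asp_names(data):
        print("asp page:", name)
    for offset, magic, desc in find_squashfs_magics(data):
        print(f"0x{offset:08x}  {magic}  ({desc})")
```

A hit on a non-standard magic only marks a candidate offset; the bytes after it still have to be unpacked with a tool that understands that vendor variant.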