layerthree
04-02-2005, 19:02
Hi,
Has anyone been able to modify the default httpd server to execute arbitrary cgi code?
This is not a platform specific question, since the Belkin, Linksys, and Asus all seem to use the reference code from broadcom, but all have different methods enabled.
Belkin just seems to use apply.cgi
While Linksys uses gozila.cgi, apply.cgi and a few others.
What I'd like to be able to do is use proccgi (shell script cgi wrapper) to execute arbitrary code.
I've traced it down to httpd.c calls broadcom.c in the shared directory for the cgi functions. Of the different GPL released codes I looked at, all the broadcom.c sources look different. The closest I've come is the latest Linksys firmware with this line still intact, but not defined:
grep internal broadcom.c
websUrlHandlerDefine("/internal.cgi", NULL, 0, internal_cgi, 0);
And for comparison of cgi handlers that are enabled:
grep \.cgi broadcom.c
validate_cgi(webs_t wp)
gozila_cgi(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)
apply_cgi(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg,
if(value && !strcmp(value,"gozila_cgi")){
gozila_cgi(wp, urlPrefix, webDir, arg, url, path, query);
validate_cgi(wp);
websUrlHandlerDefine("/apply.cgi", NULL, 0, apply_cgi, 0);
websUrlHandlerDefine("/internal.cgi", NULL, 0, internal_cgi, 0);
init_cgi(post_buf); //Added by Daniel(2004-07-29)
do_apply_cgi(char *url, webs_t stream)
init_cgi(query); //Added by Daniel(2004-07-29)
//init_cgi(query); //Masked by Daniel(2004-07-29)
apply_cgi(stream, NULL, NULL, 0, url, path, query);
init_cgi(NULL); //Added by Daniel(2004-07-29) for new cgi.c
{ "apply.cgi*", "text/html", no_cache, do_apply_post, do_apply_cgi, do_auth },
{ "upgrade.cgi*", "text/html", no_cache, do_upgrade_post, do_upgrade_cgi, do_auth },
{ "Gozila.cgi*", "text/html", no_cache, NULL, do_setup_wizard, do_auth },// for setup wizard
{ "restore.cgi**", "text/html", no_cache, do_upgrade_post, do_upgrade_cgi, do_auth },
My apologies if this is the wrong forum to ask. Just seems like the WL-500 custom firmwares are closest based on stock firmware. Every other firmware out there is either a complete repackage or a CLOSED version of GPL, go figure.
Thanks in advance
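
An added example, not part of the original post or of the firmware source: a reduced model of the handler table quoted above, showing that a row added for a CGI wrapper is reachable without a login unless it keeps the do_auth hook. The three-field struct, the match() semantics (modelled on mini_httpd-style globbing) and the wrapper.cgi row are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed, reduced row layout: pattern, MIME type, auth hook (NULL = no login). */
struct mime_handler { const char *pattern, *mime_type; void (*auth)(void); };
static void do_auth(void) {}  /* stand-in for the firmware's auth hook */

/* Glob match: '*' stops at '/', '**' crosses it (mini_httpd-style, assumed). */
int match(const char *p, const char *s)
{
    for (; *p; p++, s++) {
        if (*p == '*') {
            int deep = (p[1] == '*');
            p += deep ? 2 : 1;
            for (;; s++) {
                if (match(p, s)) return 1;
                if (*s == '\0' || (!deep && *s == '/')) return 0;
            }
        }
        if (*p != *s) return 0;
    }
    return *s == '\0';
}

/* First matching row wins, as in a linear handler table. */
const struct mime_handler *lookup(const struct mime_handler *t, const char *url)
{
    for (; t->pattern; t++)
        if (match(t->pattern, url)) return t;
    return NULL;
}

/* Count .cgi rows that have no auth hook and would answer without a login. */
int audit_unauthenticated_cgi(const struct mime_handler *t)
{
    int n = 0;
    for (; t->pattern; t++)
        if (strstr(t->pattern, ".cgi") && !t->auth) { printf("no auth hook: %s\n", t->pattern); n++; }
    return n;
}

/* Rows as quoted in the post, then a table with a hypothetical wrapper row added. */
static const struct mime_handler stock_table[] = {
    {"apply.cgi*", "text/html", do_auth}, {"upgrade.cgi*", "text/html", do_auth},
    {"Gozila.cgi*", "text/html", do_auth}, {"restore.cgi**", "text/html", do_auth}, {NULL, NULL, NULL} };
static const struct mime_handler modified_table[] = {
    {"apply.cgi*", "text/html", do_auth}, {"wrapper.cgi*", "text/plain", NULL}, {NULL, NULL, NULL} };

int main(void) { return audit_unauthenticated_cgi(stock_table) + audit_unauthenticated_cgi(modified_table) != 1; }
```

Running the audit over a modified table before building the image catches a wrapper row that was added without an auth hook.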