Help, I overwrote symlinks to busybox and bricked WRT3200ACM

Several topics here.

  1. There seems to be a remote code execution shell (busybox --> ash) embedded in the Linux kernel that allows arbitrary command of the router via connection with a master server.

  2. Reinstalling OpenWRT or reverting to factory firmware does not correct the issue.

  3. The file structure of the OpenWRT firmware image has nested directories and symlinks that override settings in Luci.

  4. I decided to disconnect from internet, leave the OpenWRT settings default and then pipe some commands for ash to execute in the event the bootloader was backdoored. Then I reconnected to the internet. Here's some of the output I got in my Putty terminal:


Question: Why is there a shell in the firmware kernel?

Can you provide specifics here or proof? And it should be stated that anything you demonstrate here must be using the official openwrt firmware (obtained directly from openwrt.org).

If you are talking about the boot loader, that would be the only common thing between openwrt and the vendor/factory firmware. And in this case, it is distinctly not related to openwrt.

Specifics, please? Luci is a web interface built on top of the standard uci command line interface. It has the ability to edit config files via uci commands. But it doesn’t override directories and symlinks or other settings. (There may be some exceptions where config items are not available in the web UI and may cause some command-line-driven configs to get messed up, but that is the exception, not the rule.)

How exactly did you send commands and what commands did you send? And that is a lot of output - care to highlight the specific things that are of concern to you?


Sorry for the late reply - what I initially thought could have been malware might be nothing to worry about.

I will need to dig a bit deeper into the files, but I do recall seeing something that looked odd.

Let's focus on the output from the Putty session for now. There is a lot of output.

I can say the only commands I piped back to ash while unplugged from the internet were to delete itself recursively.

That output I posted came as one big dump. I did not enter any of the commands that are mangled in there - which makes it all odd. Every bit of the output is strange to me.

There was also one part of the output where a variable called ROOT was changed to NEW_ROOT but that is not listed in my posted output anymore.

If we need to focus on any output from that terminal dump, how about:

"alertcritdebugemergnoticepanicwarnwarningauthauthprivcrondaemonftpkernlprmailma                                                 rknewssecuritysysloguseruucplocal0local1local2local3local4local5local6local7PS1=                                                 $ PS2=> PS4=+ EPOCHSECONDSEPOCHREALTIME3.3:2[2[[6alias2bg3break2cd0chdir2command                                                 3continue2echo3eval3exec3exit7export2false2fg2getopts2hash0history2jobs2kill0let                                                 7local2printf2pwd2read7readonly3return3set3shift3source2test3times3trap2true2typ                                                 e2ulimit2umask2unalias3unset2wait^+sxnu-1^lurswtf:vr--wst:w--rst:s--wrt:t--rsw:l                                                 --u:u--l^L:-1^o:*t:rwanfvsiO:?2^+c:-2nrbtfavx\01234567SWAPSPACE2"%07.7_Ax
"permission denied (are you root?)OPTIND=1/etc/filesystems/proc/filesystemsshare                                                 dsexclusivexunlockunonblocknbcdoxCe:f:n:s:vlocaltimelutcushowrhctosysssystohcwsy                                                 stztrtcfcdefilmnqrstuvxcore file size (blocks)data seg size (kb)scheduling prior                                                 ityfile size (blocks)pending signalsmax locked memory (kb)max memory size (kb)op                                                 en filesPOSIX message queues (bytes)real-time prioritystack size (kb)cpu time (s                                                 econds)max user processesvirtual memory (kb)file locksloopdefaultsnoautoswswap_n                                                 etdevnosuidsuiddevnodevexecnoexecsyncdirsyncasyncatimenoatimediratimenodiratimer                                                 elatimenorelatimestrictatimenostrictatimelazytimenolazytimenosymfollowmandnomand                                                 loudrbindbindmovemake-sharedmake-slavemakePuTTY-privatemake-unbindablemake-rshar                                                 edmake-rslavemake-rprivatemake-runbindablerorwremount<<=▒>>=▒<<
>>,||&&!=*<=k>=K==
|=B&="*=/=#%=C+=▒-=▒--3^=b++**/!0<
--~,?:$)4(ogu                     >+=|& */.%N+
}-+?=-HSac::d::e::f::i::l::m::n::q::r::s::t::u::v::x::
()&|;

It looks like a bunch of commands that were sent to the router with arguments and error messages all mangled together.

pwd2read7readonly3return3set3shift3source2test3times3trap2true2typ                                                 e2ulimit2umask2unalias3unset2wait^+sxnu-1^lurswtf:vr--wst:w--rst:s--wrt:t--rsw:l                                                 --u:u--l^L:-1^o:*t:rwanfvsiO:?2^+c:-2nrbtfavx\01234567SWAPSPACE2"%07.7_Ax
"permission denied (are you root?)

What's 01234567SWAPSPACE?

All of it is weird. Right? Can you explain what's going on?

No, I can't explain it. It doesn't even look like OpenWrt. If that is coming from your putty session, those commands are being issued by your computer in some way... maybe there is a fault of some sort with your serial uart adapter (voltage, baud rate, bad ground, etc) causing unexpected input (to the router) and/or scrambling the output from the router to your putty session.

Do you know what commands you issued specifically? And why did you do that?

The thing is that if you're running OpenWrt, you would have a ROM partition that would contain all the base files, and then an overlay that has the specific user configuration. If you erase files, you can directly erase things on the overlay, and the rest of the files are just "marked" as deleted (because they are in ROM, they can't actually be deleted). This is why you can just use failsafe mode and issue the firstboot command to set everything back to defaults.

Have you tried failsafe?

I don't recall the exact commands - I believe I listed all the symlinked instances of busybox, then called those instances while executing rm -rf *.

The objective was to completely hose busybox and that ash shell and see what happened. I figured the router was already running and it would still work if I disabled busybox and ash shell and I was right.

I remember specifically calling ash and busybox and the router could not find the commands. When I reconnected to the internet, a burst of output landed in my putty terminal, which makes me think the router was probably connected to a remote server? Maybe that is faulty logic.

If the remote server was using ash to control the router, lost connection, lost ash entirely, then reconnected when I came back online, I could see it dumping a bunch of output to my own ssh session terminal as a glitch perhaps.

The commands may very well have come from my computer too - I have no idea. The output I pasted was definitely not entered as input to Putty. It was output to the terminal.

I just figured the router was backdoored, hacked, and part of an advertising click botnet or something goofy.

I had to closet that router for the moment. It is stuck in some odd purgatory state where I cannot access it, but it connects to the internet. I'm not really sure how to get it into a state where I can reset it or reset the firmware.

I had not heard of failsafe mode. I won't give up on the router yet.

By erasing all files, you marked everything as deleted, which means that the system thinks it doesn't exist.

With any luck, booting into failsafe mode is the solution here:

Note that you need to manually set a static IP address on your computer (such as 192.168.1.32, subnet mask 255.255.255.0).

Then, with failsafe engaged, ssh into the router (192.168.1.1) and issue the following command:

firstboot -y && reboot

Thanks for the help - I'll give it a shot

Looks like printable characters from some memory area, and most of the unprintable chars are not shown. Likely the string data from some program's code piped into the terminal, possibly from busybox that you decided to hose.

E.g. the first chars are log message class names shortened: alert, critical, debug, emergency, notice, panic, warning.

You will get pretty similar even on your pc, if you cat a binary program into shell or open it with a text editor.

Well, hosing busybox causes major problems, as it is so tightly tied to everything.
Even failsafe may fail, but let's hope that it still works.

You are talking about wrt3200acm, right? It is a dual-boot device, where you could revert back to the alternative partition that contains the firmware from before the last sysupgrade. There is a three times power-off trick, based on the u-boot bootloader, so the current OpenWrt (with hosed busybox) has no role in that. Read the device wiki about that. Read the "power switch" section of https://openwrt.org/toh/linksys/wrt3200acm#firmware_recovery

Like I said earlier, printable strings from /bin/busybox binary executable dumped into terminal.

Here are the same strings fetched more clearly from the /bin/busybox binary:

root@router5:~# strings /bin/busybox  | head -n 3390 | tail -n 20
crit
debug
emerg
notice
panic
warn
warning
auth
authpriv
cron
daemon
kern
mail
mark
news
security
syslog
user
uucp
local0

Or with hexdump:

root@router5:~# hexdump -C /bin/busybox  | head -n 25560 | tail -n 20
00063ec0  31 20 22 25 33 5f 63 20  22 22 0a 22 00 22 25 30  |1 "%3_c ""."."%0|
00063ed0  37 2e 37 5f 61 78 20 22  38 2f 32 20 22 20 20 25  |7.7_ax "8/2 "  %|
00063ee0  30 35 75 20 22 22 0a 22  00 22 25 30 37 2e 37 5f  |05u ""."."%07.7_|
00063ef0  61 78 20 22 38 2f 32 20  22 20 25 30 36 6f 20 22  |ax "8/2 " %06o "|
00063f00  22 0a 22 00 22 25 30 37  2e 37 5f 61 78 20 22 38  |"."."%07.7_ax "8|
00063f10  2f 32 20 22 20 20 20 25  30 34 78 20 22 22 0a 22  |/2 "   %04x ""."|
00063f20  00 61 6c 65 72 74 00 63  72 69 74 00 64 65 62 75  |.alert.crit.debu|
00063f30  67 00 65 6d 65 72 67 00  6e 6f 74 69 63 65 00 70  |g.emerg.notice.p|
00063f40  61 6e 69 63 00 77 61 72  6e 00 77 61 72 6e 69 6e  |anic.warn.warnin|
00063f50  67 00 61 75 74 68 00 61  75 74 68 70 72 69 76 00  |g.auth.authpriv.|
00063f60  63 72 6f 6e 00 64 61 65  6d 6f 6e 00 66 74 70 00  |cron.daemon.ftp.|
00063f70  6b 65 72 6e 00 6c 70 72  00 6d 61 69 6c 00 6d 61  |kern.lpr.mail.ma|
00063f80  72 6b 00 6e 65 77 73 00  73 65 63 75 72 69 74 79  |rk.news.security|
00063f90  00 73 79 73 6c 6f 67 00  75 73 65 72 00 75 75 63  |.syslog.user.uuc|
00063fa0  70 00 6c 6f 63 61 6c 30  00 6c 6f 63 61 6c 31 00  |p.local0.local1.|
00063fb0  6c 6f 63 61 6c 32 00 6c  6f 63 61 6c 33 00 6c 6f  |local2.local3.lo|
00063fc0  63 61 6c 34 00 6c 6f 63  61 6c 35 00 6c 6f 63 61  |cal4.local5.loca|
00063fd0  6c 36 00 6c 6f 63 61 6c  37 00 50 53 31 3d 24 20  |l6.local7.PS1=$ |
00063fe0  00 50 53 32 3d 3e 20 00  50 53 34 3d 2b 20 00 52  |.PS2=> .PS4=+ .R|
00063ff0  41 4e 44 4f 4d 00 45 50  4f 43 48 53 45 43 4f 4e  |ANDOM.EPOCHSECON|

Likewise

is found. That is actually a command-line option character parsing definition for the "getopt" function:

root@router5:~# strings /bin/busybox  | grep "e::f::i::l::m::n::q"
-HSac::d::e::f::i::l::m::n::q::r::s::t::u::v::x::

P.S. This is from the main/master snapshot, so the location may vary if you are using 23.05.x

 -----------------------------------------------------
 OpenWrt SNAPSHOT, r24660-c22aa0be3e
 -----------------------------------------------------
root@router5:~# opkg list-installed | grep busy
busybox - 1.36.1-1
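Added example (not part of the original thread, and not OpenWrt or BusyBox code): a way to test the diagnosis above, that a terminal dump is only a binary's string table written raw to the screen, by tiling the dump with the printable strings extracted from that binary. The sample bytes are constructed to match the hexdump shown above; all function names are assumptions made for this illustration.

```python
"""Check whether a terminal dump is just string data from a binary."""
import re

# Constructed sample: NUL-separated string data shaped like the hexdump of
# /bin/busybox shown in the thread (syslog level and facility names).
SAMPLE_RODATA = (
    b"\x00alert\x00crit\x00debug\x00emerg\x00notice\x00panic\x00warn"
    b"\x00warning\x00auth\x00authpriv\x00cron\x00daemon\x00ftp\x00kern"
    b"\x00lpr\x00mail\x00mark\x00news\x00security\x00syslog\x00user"
    b"\x00uucp\x00local0\x00"
)

# Start of the excerpt the original poster quoted from the PuTTY window.
SAMPLE_DUMP = (
    "alertcritdebugemergnoticepanicwarnwarning"
    "authauthprivcrondaemonftpkern"
)


def extract_strings(blob, min_len=4):
    """Runs of printable ASCII, like strings(1) (default minimum length 4)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def terminal_view(blob):
    """Simplified model of a terminal fed raw bytes: NUL and other
    non-printable bytes draw nothing, so neighbouring strings run together."""
    return "".join(chr(b) for b in blob if 0x20 <= b <= 0x7E)


def explain_dump(dump, vocab):
    """Tile `dump` with strings from `vocab`, maximising covered characters.

    Returns (coverage, tokens). Coverage near 1.0 means the dump is explained
    by the binary's own string data; characters that match nothing are
    skipped and count against coverage.
    """
    words = set(vocab)
    lengths = sorted({len(w) for w in words}, reverse=True)
    n = len(dump)
    # best[i] = (covered character count, tokens) for the suffix dump[i:]
    best = [(0, [])] * (n + 1)
    for i in range(n - 1, -1, -1):
        choice = best[i + 1]  # option: leave dump[i] unexplained
        for length in lengths:
            piece = dump[i:i + length]
            if len(piece) == length and piece in words:
                covered, tokens = best[i + length]
                if covered + length > choice[0]:
                    choice = (covered + length, [piece] + tokens)
        best[i] = choice
    covered, tokens = best[0]
    return (covered / n if n else 0.0), tokens


if __name__ == "__main__":
    # min_len=3 so that short entries such as "ftp" and "lpr" are kept;
    # strings(1) drops them by default, which is why they are absent from
    # the `strings /bin/busybox` listing in the thread.
    vocab = extract_strings(SAMPLE_RODATA, min_len=3)
    coverage, tokens = explain_dump(SAMPLE_DUMP, vocab)
    print(f"coverage: {coverage:.0%}")
    print("tokens:", " ".join(tokens))
    print("raw view:", terminal_view(SAMPLE_RODATA)[:40])
```

On a real device, read the binary with `open("/bin/busybox", "rb").read()` in place of `SAMPLE_RODATA`; text that was typed by a person or sent by a remote party would show up as uncovered characters.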

The triple boot trick worked and I'm back to my last OpenWRT state.

What I find odd is that the router immediately starts spamming port 54 UDP and creates hundreds of threads as soon as it starts up. I assume it is looking for a DNS server, but this is just using the luci interface.

Thanks for the insightful details regarding the terminal output - I am still not quite sure how I managed to dump the busybox binary executable embedded in the kernel.

This binary output is also intermixed with what appears to be some kind of "interaction" from a user or script? The error messages in the output lead me to believe that some kind of interaction with busybox occurred.

Here's more mystery terminal output from my hosing of busybox:

Query #%d completed in %ums:
** server can't find %s: %s
*** Can't find %s: Parse error
number %s is not in %llu..%llu rangeinvalid number '%s'%.16s/brport/port_no%s (%                                                 u)
 port id                %.4x                    state           %15s
designated_rootpath_cost        path cost         %4u
designated_bridge designated bridge     %smessage_age_timer     message age timer       designated_port
 designated port        %.4xforward_delay_timer         forward delay timer    designated_cost
 designated cost        %4uhold_timer             hold timer
 flags                  config_pendingCONFIG_PENDING change_ackTOPOLOGY_CHANGE_ACK hairpin_mode
 hairpin mode           %4uinvalid query type "%s"127.0.0.1ip6.arpa%u.%u.%u.%u.in-addr.arpa;; connection timed out; no servers could be reached

*** Can't find %s: No answer
NO OPT %c!/etc/passwd/etc/shadowunsimilar to old passwordtoo weaktoo many similar characterssimilar to hostnamesimilar to gecossimilar to usernametoo shortmd5a:lud%s can't change password for %sno record of %s in %s, using %scan't change locked password for %sChanging password for %s
Old password: incorrect password for %sIncorrect passwordNew password: Retype password: Passwords don't matchsha512password for %s is unchangedpassword encryption failed!%scan't update password file %spassword for %s changed by %spassword for %s is already %slockedBad password: %s
/etc/crontabscrond (busybox 1.35.0) started, log level %dcrond/var/run/%s.pidwakeup dt=%ldtime disparity of %ld minutes detectedfile %s: line %s job: %d %suser %s: process already running: %sUSER %s pid %3d cmd %ssetegidseteuid%s.%u%s.newcan't create %s/%scan't append to %s/%s{%s}: afon:t:%%7ll%s Command terminated by signal %u
Command exited with non-zero status %u
%\%uh %um %02us%um %u.%02us%u%%?%%%u.%02ulaentuwxrWpPID/Program name    can't scan /proc - are you root?showing only processes with your user IDActive Internet connections (servers and established)(only servers)(w/o servers)Local Address
Proto Recv-Q Send-Q %-*s %-*s State       %s
Foreign Address/proc/net/tcp/proc/net/tcp6/proc/net/udp/proc/net/udp6/proc/net/raw/proc/net/raw6Active UNIX domain sockets
Proto RefCnt Flags       Type       State         I-Node %sPath
/proc/net/unix60LOGIN_TIMEOUTf:h:p-f is for root only/dev/ on '%s' from '%s' on '%s' login: Password: Login incorrectinvalid password for '%s'%swaitpid.hushlogin/etc/motdroot login%s-%s/sys/class/netbridge %s does not existbridge %s%.16s/brforwardcan't read bridge %s forward dbport no   mac addr                is local?       ageing timer

I dunno what busybox does and when it comes into play when the router starts up. I'm not sure what would have been executing commands against the router via busybox.

If I recall correctly, something in the bootloader looked strange. Honestly, a lot looks strange, but that could be ignorance on my part.

Is there anything you'd like me to check that might confirm whether or not the router in its current state is indeed pwned?

I'll try to dig up the files I flagged as suspicious and confirm there is an exploit embedded in it if I am able to spot it. If anything this is a good learning experience.

I don't know if this is of any interest, but this also ended up in the PuTTY terminal. Looks like helpful documentation for busybox/ash?

PTR▒ANYdisabledlisteninglearningforwardingblocki[-il] [-|+Cabefmnuvx] [-|+o OPT]... [-c 'SCRIPT' [ARG0 ARGS] | FILE ARGS | -s ARGS]

Unix shell interpreter[OPTIONS] [AWK_PROGRAM] [FILE]...

        -v VAR=VAL      Set variable
        -F SEP          Use SEP as field separator
        -f FILE         Read program from FILE
        -e AWK_PROGRAMFILE [SUFFIX] | -a FILE... | -s SUFFIX FILE...

Strip directory path and SUFFIX from FILE

        -a              All arguments are FILEs
        -s SUFFIX       Remove SUFFIX (implies -a)COMMAND [BRIDGE [ARGS]]

Manage ethernet bridges
Commands:
        show [BRIDGE]...        Show bridges
        addbr BRIDGE            Create BRIDGE
        delbr BRIDGE            Delete BRIDGE
        addif BRIDGE IFACE      Add IFACE to BRIDGE
        delif BRIDGE IFACE      Delete IFACE from BRIDGE
        showmacs BRIDGE                 List MAC addresses
        showstp BRIDGE                  Show STP info
        stp BRIDGE 1/yes/on|0/no/off    Set STP on/off
        setageing BRIDGE SECONDS        Set ageing time
        setfd BRIDGE SECONDS            Set bridge forward delay
        sethello BRIDGE SECONDS         Set hello time
        setmaxage BRIDGE SECONDS        Set max message age
        setbridgeprio BRIDGE PRIO       Set bridge priority
        setportprio BRIDGE IFACE PRIO   Set port priority
        setpathcost BRIDGE IFACE COST   Set path cost[FILE]...

Print FILEs to stdout
[-Rh]... GROUP FILE...

Change the group membership of FILEs to GROUP

        -h      Affect symlinks instead of symlink targets
        -R      Recurse[-R] MODE[,MODE]... FILE...

MODE is octal number (bit pattern sstrwxrwxrwx) or [ugoa]{+|-|=}[rwxXst]

        -R      Recurse[-Rh]... USER[:[GRP]] FILE...

Change the owner and/or group of FILEs to USER and/or GRP

        -h      Affect symlinks instead of symlink targets
        -R      RecurseNEWROOT [PROG ARGS]

Run PROG with root directory set to NEWROOT

Clear screen[-ls] [-n NUM] FILE1 [FILE2]

Compare FILE1 with FILE2 (or stdin)

        -l      Write the byte numbers (decimal) and values (octal)
                for all differing bytes
        -s      Quiet
        -n NUM  Compare at most NUM bytes[-arPLHpfinlsTu] SOURCE DEST
or: cp [-arPLHpfinlsu] SOURCE... { -t DIRECTORY | DIRECTORY }

Copy SOURCEs to DEST

        -a      Same as -dpR
        -R,-r   Recurse
        -d,-P   Preserve symlinks (default if -R)
        -L      Follow all symlinks
        -H      Follow symlinks on command line
        -p      Preserve file attributes if possible
        -f      Overwrite
        -i      Prompt before overwrite
        -n      Don't overwrite
        -l,-s   Create (sym)links
        -T      Refuse to copy if DEST is a directory
        -t DIR  Copy all SOURCEs into DIR
        -u      Copy only newer files[-fbS] [-l N] [-L LOGFILE] [-c DIR]

        -f      Foreground
        -b      Background (default)
        -S      Log to syslog (default)
        -l N    Set log level. Most verbose 0, default 8
        -L FILE Log to FILE
        -c DIR  Cron dir. Default:/etc/crontabs[-c DIR] [-u USER] [-ler]|[FILE]

        -c      Crontab directory
        -u      User
        -l      List crontab
        -e      Edit crontab
        -r      Delete crontab
        FILE    Replace crontab by FILE ('-': stdin)[OPTIONS] [FILE]...

Print selected fields from FILEs to stdout

        -b LIST Output only bytes from LIST
        -c LIST Output only characters from LIST
        -d SEP  Field delimiter for input (default -f TAB, -F run of whitespace)
        -O SEP  Field delimeter for output (default = -d for -f, one space for -F)
        -D      Don't sort/collate sections or match -fF lines without delimeter
        -f LIST Print only these fields (-d is single char)
        -s      Output only lines containing delimiter
        -n      Ignored[OPTIONS] [+FMT] [[-s] TIME]

Display time (using +FMT), or set time

        -u              Work in UTC (don't convert to local time)
        [-s] TIME       Set time to TIME
        -d TIME         Display TIME, not 'now'
        -D FMT          FMT (strptime format) for -s/-d TIME conversion
        -r FILE         Display last modification time of FILE
        -R              Output RFC-2822 date
        -I[SPEC]        Output ISO-8601 date
                        SPEC=date (default), hours, minutes, seconds or ns

Recognized TIME formats:
        @seconds_since_1970
        hh:mm[:ss]
        [YYYY.]MM.DD-hh:mm[:ss]
        YYYY-MM-DD hh:mm[:ss]
        [[[[[YY]YY]MM]DD]hh]mm[.ss][if=FILE] [of=FILE] [ibs=N obs=N/bs=N] [count=N] [skip=N] [seek=N]
        [conv=notrunc|noerror|sync|fsync]
        [iflag=skip_bytes|count_bytes|fullblock|direct] [oflag=seek_bytes|append|direct]

Copy a file with converting and formatting

        if=FILE         Read from FILE instead of stdin
        of=FILE         Write to FILE instead of stdout
        bs=N            Read and write N bytes at a time
        ibs=N           Read N bytes at a time
        obs=N           Write N bytes at a time
        count=N         Copy only N input blocks
        skip=N          Skip N input blocks
        seek=N          Skip N output blocks
        conv=notrunc    Don't truncate output file
        conv=noerror    Continue after read errors
        conv=sync       Pad blocks with zeros
        conv=fsync      Physically write data out before finishing
        conv=swab       Swap every pair of bytes
        iflag=skip_bytes        skip=N is in bytes
        iflag=count_bytes       count=N is in bytes
        oflag=seek_bytes        seek=N is in bytes
        iflag=direct    O_DIRECT input
        oflag=direct    O_DIRECT output
        iflag=fullblock Read full blocks
        oflag=append    Open output in append mode

N may be suffixed by c (1), w (2), b (512), kB (1000), k (1024), MB, M, GB, G[-PkmhT] [-t TYPE] [FILESYSTEM]...

Print filesystem usage statistics

        -P      POSIX output format
        -k      1024-byte blocks (default)
        -m      1M-byte blocks
        -h      Human readable (e.g. 1K 243M 2G)
        -T      Print filesystem type
        -t TYPE Print only mounts of this typeFILENAME

Strip non-directory suffix from FILENAME[-cr] [-n LEVEL] [-s SIZE]

Print or control the kernel ring buffer

        -c              Clear ring buffer after printingPuTTYPuTTY
        -n LEVEL        Set console logging level
        -s SIZE         Buffer size
        -r              Print raw message buffer[-aHLdclsxhmk] [FILE]...

Summarize disk space used for FILEs (or directories)

        -a      Show file sizes too
        -b      Apparent size (including holes)
        -L      Follow all symlinks
        -H      Follow symlinks on command line
        -d N    Limit output to directories (and files with -a) of depth < N
        -c      Show grand total
        -l      Count sizes many times if hard linked
        -s      Display only a total for each argument
        -x      Skip directories on different filesystems
        -h      Sizes in human readable format (e.g., 1K 243M 2G)
        -m      Sizes in megabytes
        -k      Sizes in kilobytes (default)[-neE] [ARG]...

Print ARGs to stdout

        -n      No trailing newline
        -e      Interpret backslash escapes (\t=tab etc)
        -E      Don't interpret backslash escapes (default[-i0] [-u NAME]... [-] [NAME=VALUE]... [PROG ARGS]

Print current environment or run PROG after setting up environment

        -, -i   Start with empty environment
        -0      NUL terminated output
        -u NAME Remove variable from environmentEXPRESSION

Print the value of EXPRESSION

EXPRESSION may be:
        ARG1 | ARG2     ARG1 if it is neither null nor 0, otherwise ARG2
        ARG1 & ARG2     ARG1 if neither argument is null or 0, otherwise 0
        ARG1 < ARG2     1 if ARG1 is less than ARG2, else 0. Similarly:
        ARG1 <= ARG2
        ARG1 = ARG2
        ARG1 != ARG2
        ARG1 >= ARG2
        ARG1 > ARG2
        ARG1 + ARG2     Sum of ARG1 and ARG2. Similarly:
        ARG1 - ARG2
        ARG1 * ARG2
        ARG1 / ARG2
        ARG1 % ARG2
        STRING : REGEXP         Anchored pattern match of REGEXP in STRING
        match STRING REGEXP     Same as STRING : REGEXP
        substr STRING POS LEN   Substring of STRING, POS counts from 1
        index STRING CHARS      Index in STRING where any CHARS is found, or 0
        length STRING           Length of STRING
        quote TOKEN             Interpret TOKEN as a string, even if
                                it is a keyword like 'match' or an
                                operator like '/'
        (EXPRESSION)            Value of EXPRESSION

Beware that many operators need to be escaped or quoted for shells.
Comparisons are arithmetic if both ARGs are numbers, else
lexicographical. Pattern matches return the string matched between
\( and \) or null; if \( and \) are not used, they return the number
of characters matched or [-HL] [PATH]... [OPTIONS] [ACTIONS]

Search for files and perform actions on them.
First failed action stops processing of current file.
Defaults: PATH is current directory, action is '-print'

        -L,-follow      Follow symlinks
        -H              ...on command line only
        -xdev           Don't descend directories on other filesystems
        -maxdepth N     Descend at most N levels. -maxdepth 0 applies
                        actions to command line arguments only
        -mindepth N     Don't act on first N levels
        -depth          Act on directory *after* traversing it

Actions:
        ( ACTIONS )     Group actions for -o / -a
        ! ACT           Invert ACT's success/failure
        ACT1 [-a] ACT2  If ACT1 fails, stop, else do ACT2
        ACT1 -o ACT2    If ACT1 succeeds, stop, else do ACT2
                        Note: -a has higher priority than -o
        -name PATTERN   Match file name (w/o directory name) to PATTERN
        -iname PATTERN  Case insensitive -name
        -path PATTERN   Match path to PATTERN
        -ipath PATTERN  Case insensitive -path
        -regex PATTERN  Match path to regex PATTERN
        -type X         File type is X (one of: f,d,l,b,c,s,p)
        -perm MASK      At least one mask bit (+MASK), all bits (-MASK),
                        or exactly MASK bits are set in file's mode
        -mtime DAYS     mtime is greater than (+N), less than (-N),
                        or exactly N days in the past
        -mmin MINS      mtime is greater than (+N), less than (-N),
                        or exactly N minutes in the past
        -newer FILE     mtime is more recent than FILE's
        -user NAME/ID   File is owned by given user
        -group NAME/ID  File is owned by given group
        -size N[bck]    File size is N (c:bytes,k:kbytes,b:512 bytes(def.))
                        +/-N: file size is bigger/smaller than N
        -prune          If current file is directory, don't descend into it
If none of the following actions is specified, -print is assumed
        -print          Print file name
        -print0         Print file name, NUL terminated
        -exec CMD ARG ; Run CMD with all instances of {} replaced by
                        file name. Fails if CMD exits with nonzero[-sxun] FD | { FILE [-c] PROG ARGS }

[Un]lock file descriptor, or lock FILE, run PROG

        -s      Shared lock
        -x      Exclusive lock (default)
        -u      Unlock FD
        -n      Fail rather than wait

Display free and used memory[-d] FILE...

Write all buffered blocks in FILEs to disk

        -d      Avoid syncing metadata[-HhnlLoqvsrRiwFE] [-m N] [-A|B|C N] { PATTERN | -e PATTERN... | -f FILE... } [FILE]...

Search for PATTERN in FILEs (or stdin)

        -H      Add 'filename:' prefix
        -h      Do not add 'filename:' prefix
        -n      Add 'line_no:' prefix
        -l      Show only names of files that match
        -L      Show only names of files that don't match
        -c      Show only count of matching lines
        -o      Show only the matching part of line
        -q      Quiet. Return 0 if PATTERN is found, 1 otherwise
        -v      Select non-matching lines
        -s      Suppress open and read errors
        -r      Recurse
        -R      Recurse and dereference symlinks
        -i      Ignore case
        -w      Match whole words only
        -x      Match whole lines only
        -F      PATTERN is a literal (not regexp)
        -E      PATTERN is an extended regexp
        -m N    Match up to N times per file
        -A N    Print N lines of trailing context
        -B N    Print N lines of leading context
        -C N    Same as '-A N -B N'
        -e PTRN Pattern to match
        -f FILE Read pattern from file[-cfkt] [FILE]...

Decompress FILEs (or stdin)

        -c      Write to stdout
        -f      Force
        -k      Keep input files
        -t      Test integrity[-cfkdt] [FILE]...

Compress FILEs (or stdin)

        -d      Decompress
        -c      Write to stdout
        -f      Force
        -k      Keep input files
        -t      Test integrity[-d DELAY] [-nf]

Halt the system

        -d SEC  Delay interval
        -n      Do not sync
        -f      Force (don't go through init)[OPTIONS] [FILE]...

Print first 10 lines of FILEs (or stdin).
With more than one FILE, precede each with a filename header.

        -n N[bkm]       Print first N lines
        -n -N[bkm]      Print all except N last lines
        -c [-]N[bkm]    Print first N bytes
                        (b:*512 k:*1024 m:*1024^2)
        -q              Never print headers
        -v              Always print headers[-bcdoxCv] [-e FMT] [-f FMT_FILE] [-n LEN] [-s OFS] [FILE]...

Display FILEs (or stdin) in a user specified format

        -b              1-byte octal display
        -c              1-byte character display
        -d              2-byte decimal display
        -o              2-byte octal display
        -x              2-byte hex display
        -C              hex+ASCII 16 bytes per line
        -v              Show all (no dup folding)
        -e FORMAT_STR   Example: '16/1 "%02x|""\n"'
        -f FORMAT_FILE
        -n LENGTH       Show only first LENGTH bytes
        -s OFFSET       Skip OFFSET bytes[-swul] [--systz] [-f DEV]

Show or set hardware clock (RTC)

        -s      Set system time from RTC
        -w      Set RTC from system time
        --systz Set in-kernel timezone, correct system time
                if RTC is kept in local time
        -f DEV  Use specified device (e.g. /dev/rtc2)
        -u      Assume RTC is kept in UTC
        -l      Assume RTC is kept in local time
                (if neither is given, read from /etc/adjtime)[-ugGnr] [USER]

Print information about USER or the current user

        -u      User ID
        -g      Group ID
        -G      Supplementary group IDs
        -n      Print names instead of numbers
        -r      Print real ID instead of effective ID[-a] [IFACE] [ADDRESS]

Configure a network interface

        [add ADDRESS[/PREFIXLEN]]
        [del ADDRESS[/PREFIXLEN]]
        [[-]broadcast [ADDRESS]] [[-]pointopoint [ADDRESS]]
        [netmask ADDRESS] [dstaddr ADDRESS]
        [hw ether ADDRESS] [metric NN] [mtu NN]
        [[-]trailers] [[-]arp] [[-]allmulti]
        [multicast] [[-]promisc] [txqueuelen NN] [[-]dynamic]
        [up|down] ...[OPTIONS] address|route|link|neigh|rule [ARGS]

OPTIONS := -f[amily] inet|inet6|link | -o[neline]

ip addr add|del IFADDR dev IFACE | show|flush [dev IFACE] [to PREFIX]
ip route list|flush|add|del|change|append|replace|test ROUTE
ip link set IFACE [up|down] [arp on|off] [multicast on|off]
        [promisc on|off] [mtu NUM] [name NAME] [qlen NUM] [address MAC]
        [master IFACE | nomaster] [netns PID]
ip neigh show|flush [to PREFIX] [dev DEV] [nud STATE]
ip rule [list] | add|del SELECTOR ACTION[-l] [-SIG] PID...

Send a signal (default: TERM) to given PIDs

        -l      List all signal names and numbers[-lq] [-SIG] PROCESS_NAME...

Send a signal (default: TERM) to given processes

        -l      List all signal names and numbers
        -q      Don't complain if no processes were killed[-EFNh~] [FILE]...

View FILE (or stdin) one screenful at a time

        -E      Quit once the end of a file is reached
        -F      Quit if entire file fits on first screen
        -N      Prefix line number to each line
        -~      Suppress ~s displayed past EOF[-sfnbtv] [-S SUF] TARGET... LINK|DIR

Create a link LINK or DIR/TARGET to the specified TARGET(s)

        -s      Make symlinks instead of hardlinks
        -f      Remove existing destinations
        -n      Don't dereference symlinks - treat like normal file
        -b      Make a backup of the target (if exists) before link operation
        -S SUF  Use suffix instead of ~ when making backup files
        -T      Treat LINK as a file, not DIR
        -v      Verbos[-s] [-t TAG] [-p PRIO] [MESSAGE]

Write MESSAGE (or stPuTTYdin) to syslog

        -s      Log to stderr as well as the system log
        -t TAG  Log using the specified tag (defaults to user name)
        -p PRIO Priority (number or FACILITY.LEVEL pair)[-p] [-h HOST] [[-f] USER]

Begin a new session on the system

        -f      Don't authenticate (user already authenticated)
        -h HOST Host user came from (for network logins)
        -p      Preserve environment

$LOGIN_TIMEOUT          Seconds (default 60, 0 - disable)[-1AaCxdLHRFplinshrSXvctu] [-w WIDTH] [FILE]...

List directory contents

        -1      One column output
        -a      Include names starting with .
        -A      Like -a, but exclude . and ..
        -x      List by lines
        -d      List directory names, not contents
        -L      Follow symlinks
        -H      Follow symlinks on command line
        -R      Recurse
        -p      Append / to directory names
        -F      Append indicator (one of */=@|) to names
        -l      Long format
        -i      List inode numbers
        -n      List numeric UIDs and GIDs instead of names
        -s      List allocated blocks
        -lc     List ctime
        -lu     List atime
        --full-time     List full date/time
        -h      Human readable sizes (1K 243M 2G)
        --group-directories-first
        -S      Sort by size
        -X      Sort by extension
        -v      Sort by version
        -t      Sort by mtime
        -tc     Sort by ctime
        -tu     Sort by atime
        -r      Reverse sort order
        -w N    Format N columns wide
        --color[={always,never,auto}][-c[sw]] [FILE]...

Print or check MD5 checksums

        -c      Check sums against list in FILEs
        -s      Don't output anything, status code shows success
        -w      Warn about improperly formatted checksum lines[-m MODE] [-p] DIRECTORY...

Create DIRECTORY

        -m MODE Mode
        -p      No error if exists; make parent directories as needed[-m MODE] NAME

Create named pipe

        -m MODE Mode (default a=rw)[-m MODE] NAME TYPE [MAJOR MINOR]

Create a special file (block, character, or pipe)

        -m MODE Creation mode (default a=rw)
TYPE:
        b       Block device
        c or u  Character device
        p       Named pipe (MAJOR MINOR must be omitted)[-L LBL] BLOCKDEV [KBYTES]

Prepare BLOCKDEV to be used as swap partition

        -L LBL  Label[-dt] [-p DIR] [TEMPLATE]

Create a temporary file with name based on TEMPLATE and print its name.
TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).
Without TEMPLATE, -t tmp.XXXXXX is assumed.

        -d      Make directory, not file
        -q      Fail silently on errors
        -t      Prepend base directory name to TEMPLATE
        -p DIR  Use DIR as a base directory (implies -t)
        -u      Do not create anything; print a name

Base directory is: -p DIR, else $TMPDIR, else /tmp[OPTIONS] [-o OPT] DEVICE NODE

Mount a filesystem. Filesystem autodetection requires /proc.

        -a              Mount all filesystems in fstab
        -i              Don't run mount helper
        -r              Read-only mount
        -t FSTYPE[,...] Filesystem type(s)
        -O OPT          Mount only filesystems with option OPT (-a only)
-o OPT:
        loop            Ignored (loop devices are autodetected)
        [a]sync         Writes are [a]synchronous
        [no]atime       Disable/enable updates to inode access times
        [no]diratime    Disable/enable atime updates to directories
        [no]relatime    Disable/enable atime updates relative to modification time
        [no]dev         (Dis)allow use of special device files
        [no]exec        (Dis)allow use of executable files
        [no]suid        (Dis)allow set-user-id-root programs
        [r]shared       Convert [recursively] to a shared subtree
        [r]slave        Convert [recursively] to a slave subtree
        [r]private      Convert [recursively] to a private subtree
        [un]bindable    Make mount point [un]able to be bind mounted
        [r]bind         Bind a file or directory [recursively] to another location
        move            Relocate an existing mount point
        remount         Remount a mounted filesystem, changing flags
        ro              Same as -r

There are filesystem-specific -o flags.[-finT] SOURCE DEST
or: mv [-fin] SOURCE... { -t DIRECTORY | DIRECTORY }

Rename SOURCE to DEST, or move SOURCEs to DIRECTORY

        -f      Don't prompt before overwriting
        -i      Interactive, prompt before overwrite
        -n      Don't overwrite an existing file
        -T      Refuse to move if DEST is a directory
        -t DIR  Move all SOURCEs into DIR[IPADDR PORT]

Open a pipe to IP:POR[-ral] [-tuwx] [-enWp]

Display networking information

        -r      Routing table
        -a      All sockets
        -l      Listening sockets
                Else: connected sockets
        -t      TCP sockets
        -u      UDP sockets
        -w      Raw sockets
        -x      Unix sockets
                Else: all socket types
        -e      Other/more information
        -n      Don't resolPuTTYve names
        -W      Wide display
        -p      Show PID/program name for sockets[-n ADJUST] [PROG ARGS]

Change scheduling priority, run PROG

        -n ADJUST       Adjust priority by ADJUST[-type=QUERY_TYPE] [-debug] HOST [DNS_SERVER]

Query DNS about HOST

QUERY_TYPE: soa,ns,a,aaaa,cname,mx,txt,ptr,srv,any[-dnqNwl] [-I IFACE] [-S PROG] [-p PEER]...

NTP client/server

        -d[d]   Verbose
        -n      Run in foreground
        -q      Quit after clock is set
        -N      Run at high priority
        -w      Do not set time (only query peers), implies -n
        -S PROG Run PROG after stepping time, stratum change, and every 11 min
        -p PEER Obtain time from PEER (may be repeated)
        -l      Also run as server on port 123
        -I IFACE Bind server to IFACE, implies -l[-a ALG] [-dlu] [USER]

Change USER's password (default: current user)

        -a ALG  des,md5,sha256/512 (default md5)
        -d      Set password to ''
        -l      Lock (disable) account
        -u      Unlock (enable) account[-flanovx] [-s SID|-P PPID|PATTERN]

Display process(es) selected by regex PATTERN

        -l      Show command name too
        -a      Show command line too
        -f      Match against entire command line
        -n      Show the newest process only
        -o      Show the oldest process only
        -v      Negate the match
        -x      Match whole name (not substring)
        -s      Match session ID (0 for current)
        -P      Match parent process ID[NAME]...

List PIDs of all processes with names that match NAMEs[OPTIONS] HOST

Send ICMP ECHO_REQUESTs to HOST

        -4,-6           Force IP or IPv6 name resolution
        -c CNT          Send only CNT pings
        -s SIZE         Send SIZE data bytes in packets (default 56)
        -i SECS         Interval
        -A              Ping as soon as reply is recevied
        -t TTL          Set TTL
        -I IFACE/IP     Source interface or IP address
        -W SEC          Seconds to wait for the first response (default 10)
                        (after all -c CNT packets are sent)
        -w SEC          Seconds until ping exits (default:infinite)
                        (can exit earlier with -c CNT)
        -q              Quiet, only display output at start/finish
        -p HEXBYTE      Payload pattern[OPTIONS] HOST

Send ICMP ECHO_REQUESTs to HOST

        -c CNT          Send only CNT pings
        -s SIZE         Send SIZE data bytes in packets (default 56)
        -i SECS         Interval
        -A              Ping as soon as reply is recevied
        -I IFACE/IP     Source interface or IP address
        -W SEC          Seconds to wait for the first response (default 10)
                        (after all -c CNT packets are sent)
        -w SEC          Seconds until ping exits (default:infinite)
                        (can exit earlier with -c CNT)
        -q              Quiet, only display output at start/finish
        -p HEXBYTE      Payload patternNEW_ROOT PUT_OLD

Move the current root file system to PUT_OLD and make NEW_ROOT
the new root file system[-d DELAY] [-nf]

Halt and shut off power

        -d SEC  Delay interval
        -n      Do not sync
        -f      Force (don't go through init)FORMAT [ARG]...

Format and print ARG(s) according to FORMAT (a-la C printf)

Show list of processes

        w       Wide output

Print the full filename of the current working directory[-fnv] FILE

Display the value of a symlink

        -f      Canonicalize by following all symlinks
        -n      Don't add newline
        -v      Verbose[-d DELAY] [-nf]

Reboot the system

        -d SEC  Delay interval
        -n      Do not sync
        -f      Force (don't go through init)

Reset the screen[-irf] FILE...

Remove (unlink) FILEs

        -i      Always prompt before removing
        -f      Never prompt
        -R,-r   Recurse[-p] DIRECTORY...

Remove DIRECTORY if it is empty

        -p      Include parents
        --ignore-fail-on-non-empty[-ne] [-A inet[6]] [{add|del} [-net|-host] TARGET [netmask MASK]
        [gw GATEWAY] [metric N] [mss BYTES] [window BYTES] [reject] [IFACE]]

Show or edit kernel routing tables

        -n      Don't resolve names
        -e      Display other/more information
        -A inet[6]      Select address family[-i[SFX]] [-nrE] [-f FILE]... [-e CMD]... [FILE]...PuTTY
or: sed [-i[SFX]] [-nrE] CMD [FILE]...

        -e CMD  Add CMD to sed commands to be executed
        -f FILE Add FILE contents to sed commands to be executed
        -i[SFX] Edit files in-place (otherwise write to stdout)
                Optionally back files up, appending SFX
        -n      Suppress automatic printing of pattern space
        -r,-E   Use extended regex syntax

If no -e or -f, the first non-option argument is the sed command string.
Remaining arguments are input files (stdin if none).[-w] [-s SEP] [FIRST [INC]] LAST

Print numbers from FIRST to LAST, in steps of INC.
FIRST, INC default to 1.

        -w      Pad to last with leading zeros
        -s SEP  String separator[-il] [-|+Cabefmnuvx] [-|+o OPT]... [-c 'SCRIPT' [ARG0 ARGS] | FILE ARGS | -s ARGS]

Unix shell interpreter[-c[sw]] [FILE]...

Print or check SHA256 checksums

        -c      Check sums against list in FILEs
        -s      Don't output anything, status code shows success
        -w      Warn about improperly formatted checksum lines[N]...

Pause for a time equal to the total of the args given, where each arg can
have an optional suffix of (s)econds, (m)inutes, (h)ours, or (d)ays[-nru] [FILE]...

Sort lines of text

        -n      Sort numbers
        -r      Reverse sort order
        -s      Stable (don't sort ties alphabetically)
        -u      Suppress duplicate lines
        -z      NUL terminated input and output[OPTIONS] [-S|-K] ... [-- ARGS...]

Search for matching processes, and then
-K: stop all matching processes
-S: start a process unless a matching process is found

Process matching:
        -u USERNAME|UID Match only this user's processes
        -n NAME         Match processes with NAME
                        in comm field in /proc/PID/stat
        -x EXECUTABLE   Match processes with this command
                        in /proc/PID/cmdline
        -p FILE         Match a process with PID from FILE
        All specified conditions must match
-S only:
        -x EXECUTABLE   Program to run
        -a NAME         Zeroth argument
        -b              Background
        -c USER[:[GRP]] Change user/group
        -m              Write PID to pidfile specified by -p
-K only:
        -s SIG          Signal to send
        -t              Match only, exit with 0 if found
Other:
        -q              Quiet[-fo] [-t o|d|x] [-n LEN] [FILE]...

Display printable strings in a binary file

        -f              Precede strings with filenames
        -o              Precede strings with octal offsets
        -t o|d|x        Precede strings with offsets in base 8/10/16
        -n LEN          At least LEN characters form a string (default 4)[-a] [DEVICE]



Looks like the printable contents from some point in the combined busybox binary executable.

Well, busybox is a really central item. It provides the default shell "ash" and the same combined binary provides the functionality of most small Linux commands like cp, mv, whatever.

That looks like possible error messages shown to the user (C printf format strings). Again, part of the busybox binary.
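An added illustration, not code from any poster in this thread: the Python sketch below shows why a binary's embedded strings look like the paste above when the file is written to a terminal. The sample blob is constructed from a few usage strings visible in the dump, and all function names are hypothetical.

```python
import re

# Constructed sample: strings taken from the dump, laid out the way a C binary
# stores them (NUL-terminated, back to back), with a few filler bytes around.
BLOB = (
    b"\x00\x01\x02\x03"
    b"[-fnv] FILE\n\nDisplay the value of a symlink\n\n"
    b"\t-f\tCanonicalize by following all symlinks\n"
    b"\t-n\tDon't add newline\n\t-v\tVerbose\x00"
    b"[-d DELAY] [-nf]\n\nReboot the system\n\n\t-d SEC\tDelay interval\x00"
    b"reply from %s: delay %f is too high, ignoring\x00"
    b"\x00\x1b\x02"
)

PRINTABLE = re.compile(rb"[\x20-\x7e\t\n]{4,}")  # same idea as `strings -n 4`
FORMAT_SPEC = re.compile(rb"%[-+0 #]*\d*(?:\.\d+)?l?[sdufxc]")


def terminal_view(blob: bytes) -> str:
    """What a terminal shows: NULs and control bytes vanish, strings run together."""
    return "".join(chr(b) for b in blob if 0x20 <= b <= 0x7E or b in (9, 10))


def extract_strings(blob: bytes) -> list[str]:
    """Recover the individual strings by splitting on non-printable bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def classify(s: str) -> str:
    """Rough label: applet usage text, printf-style message, or other."""
    if FORMAT_SPEC.search(s.encode("ascii")):
        return "format-string"
    if s.startswith("[-") or "\n\t-" in s:
        return "usage"
    return "other"


def summarize(blob: bytes) -> dict[str, int]:
    """Count extracted strings per label."""
    counts: dict[str, int] = {}
    for s in extract_strings(blob):
        label = classify(s)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(terminal_view(BLOB))
    print(summarize(BLOB))
```

Splitting on the non-printable bytes separates "Verbose" from "[-d DELAY] [-nf]", which the terminal view fuses into one line exactly as in the paste.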