- there is a restriction that blocks modification of parameter `system.button.handler`, but it can be easily bypassed by changing name of parent xml node (e.g. `name="exploit"`)
39
+
- code execution can be achieved not only by changing parameter `system.button.handler`, but also using `ddns.service.ip_script`, `firewall.include.path`, `uhttpd.main`, and others...
40
+
5. compress and encrypt modified backup file
41
+
6. go to advanced -> system -> restore settings -> upload modified backup file
42
+
7. after reboot, push the led button that triggers execution of injected command `/usr/sbin/telnetd -l /bin/login.sh`
43
+
8. remotelly login to router: `telnet 192.168.1.1`
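Review bot: step 8 misspells "remotely" as "remotelly" and hard-codes `192.168.1.1` without saying that this is assumed to be the router's LAN address; suggest "remotely log in to the router (LAN address assumed): `telnet 192.168.1.1`". The sub-bullet listing `ddns.service.ip_script`, `firewall.include.path` and `uhttpd.main` trails off with "and others...", which leaves a reader auditing a backup file unsure which keys the restriction on `system.button.handler` fails to cover; state that the list is illustrative rather than complete. The added lines also do not say which firmware versions are affected or whether a fixed release exists, which is the first thing someone checking their own device needs.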