An ELF file was recovered from the following GPON Router authentication bypass and command injection attempt:

The UPX packed ELF file has 36/58 detections on VirusTotal
 #Readelf Output
 #Hex dump via "xxd" verifies the ELF file is UPX packed.
Unpack attempt via “upx -d” fail due to error: “p_info corrupted”

“p_info” is a 12-byte section in the UPX packed program header. Below, it can be observed filled with zeros:

“p_info” is the size of the unpacked file. “p_info” and “p_filesize” contain the same value. “p_filesize” is found at the end of file, shown below in blue: Hex: 00042A7C

The bytes 5 – 12 in “p_info” are replaced with the value found in “p_filesize” (shown below):
UPX unpack is now successful:

The UPX packed ELF File with the fixed “p_info” section has 13/58 detections on VirusTotal

The unpacked ELF file has 24/59 detections on VirusTotal

Note: The File Size of the unpacked Elf file on VirusTotal is recognized as 266.62 KB The “p_filesize” Hex: 00042A7C in decimal is 273020 273020 bytes Divided by 1024 = 266.62 KB

String Analysis via Floss:

Corrupted UPX Packed ELF Repair