Auto detect valid SSH server and auth params

3 years ago · 07a8931c2f
parent 20b186839f
commit 07a8931c2f
6 changed files with 110 additions and 19 deletions
--- a/connect.py
+++ b/connect.py
@ -16,7 +16,7 @@ import gateway
 from gateway import *


-gw = gateway.Gateway(detect_device = False)
+gw = gateway.Gateway(detect_device = False, detect_ssh = False)

 if len(sys.argv) > 1:
  ip_addr = sys.argv[1]
@ -48,8 +48,9 @@ print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel))
 print("mac = {}".format(gw.mac_address))

 gw.ssh_port = 122
-if gw.ping(verbose = 0) is True:
-  die(0, "Exploit already installed and running")
+ret = gw.detect_ssh(verbose = 1, interactive = True)
+if ret > 0:
+  die(0, "SSH-server already installed and running")

 stok = gw.web_login()

@ -159,6 +160,7 @@ else:
 requests.get(gw.apiurl + "xqnetdetect/netspeed")

 time.sleep(0.5)
+gw.passw = 'root'
 gw.ping(contimeout = 8)

 print("")
--- a/connect2.py
+++ b/connect2.py
@ -23,7 +23,7 @@ from gateway import *
 # RA67    FW v1.0.33    AX5 Router


-gw = Gateway(timeout = 4)
+gw = Gateway(timeout = 4, detect_ssh = False)
 if gw.status < 1:
  die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr))

@ -33,8 +33,9 @@ print("mac address = {}".format(gw.mac_address))

 dn = gw.device_name
 gw.ssh_port = 22
-if gw.ping(verbose = 0) is True:
-  die(0, "Stock SSH server already installed and running")
+ret = gw.detect_ssh(verbose = 1, interactive = True)
+if ret > 0:
+  die(0, "SSH server already installed and running")

 stok = gw.web_login()
 ext_name = 'misystem/set_config_iotdev'
@ -61,6 +62,7 @@ res = exec_cmd(cmd)
 #  die('Extension "/api/misystem/set_config_iotdev" not working!!!')

 time.sleep(0.5)
+gw.passw = 'root'
 gw.ping(contimeout = 32)   # RSA host key generate very slow!

 print("")
--- a/connect3.py
+++ b/connect3.py
@ -18,7 +18,7 @@ from read_info import *
 from envbuffer import *


-gw = Gateway(timeout = 4)
+gw = Gateway(timeout = 4, detect_ssh = False)
 if gw.status < 1:
  die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr))

@ -28,8 +28,9 @@ print("MAC Address = {}".format(gw.mac_address))

 dn = gw.device_name
 gw.ssh_port = 22
-if gw.ping(verbose = 0) is True:
-  die(0, "Stock SSH server already installed and running")
+ret = gw.detect_ssh(verbose = 1, interactive = True)
+if ret > 0:
+  die(0, "SSH server already installed and running")


 class ExFlasher():
--- a/gateway.py
+++ b/gateway.py
@ -28,9 +28,6 @@ if sys.version_info < (3,8,0):
 from multiprocessing import shared_memory


-EXPLOIT_VIA_DROPBEAR = True
-
-
 def die(*args):
  err = 1
  prefix = "ERROR: "
@ -57,7 +54,7 @@ def get_http_headers():


 class Gateway():
-  use_ssh = EXPLOIT_VIA_DROPBEAR
+  use_ssh = True
  verbose = 2
  timeout = 4
  memcfg = None  # shared memory "XMiR_12345"
@ -73,7 +70,7 @@ class Gateway():
  ssh = None     # SSH session
  login = 'root' # default username
  
-  def __init__(self, timeout = 4, verbose = 2, detect_device = True, load_cfg = True):
+  def __init__(self, timeout = 4, verbose = 2, detect_device = True, detect_ssh = True, load_cfg = True):
    self.verbose = verbose
    self.timeout = timeout
    self.device_name = None
@ -84,6 +81,12 @@ class Gateway():
    os.makedirs('tmp', exist_ok = True)
    if detect_device:
      self.detect_device()
+    if detect_ssh:
+      verb = 1 if verbose else 0
+      interact = True if verbose else False
+      port = self.detect_ssh(verbose = 1, interactive = interact)
+      if port <= 0:
+        die("Can't found valid SSH server on IP {}".format(self.ip_addr))

  def detect_device(self):
    self.device_name = None
@ -364,6 +367,89 @@ class Gateway():
      json.dump(config, file, indent=4, sort_keys=True)

  #===============================================================================
+  def check_ssh(self, ip, port, password, contimeout = 2, timeout = 3):    
+    err = 0
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    ssh = None
+    try:
+      sock.settimeout(contimeout)
+      sock.connect((ip, port))
+      sock.settimeout(timeout)
+    except Exception as e:
+      err = -1
+    if password and err == 0:
+      try:
+        ssh = ssh2.session.Session()
+        ssh.handshake(sock)
+      except Exception as e:
+        err = -2
+      if err == 0:
+        try:
+          ssh.userauth_password(self.login, password)
+        except Exception as e:
+          err = -3
+    try:
+      ssh.disconnect()
+    except Exception:
+      pass
+    try:
+      sock.close()
+    except Exception:
+      pass
+    return err
+
+  def detect_ssh(self, verbose = 1, interactive = True, contimeout = 2, aux_port = 122):
+    ip_addr = self.ip_addr
+    ssh_port = self.ssh_port
+    if ssh_port == aux_port:
+      aux_port = 22
+    passw = self.passw
+    if passw:
+      ret = self.check_ssh(ip_addr, ssh_port, passw, contimeout = contimeout)
+      if ret >= 0:
+        return ssh_port  # OK
+      if ret == -1:
+        ssh_port = 0
+    if ssh_port:
+      portlist = [ ssh_port, aux_port ]
+    else:
+      portlist = [ aux_port ]
+    plist = []
+    for i, port in enumerate(portlist):
+      ret = self.check_ssh(ip_addr, port, None, contimeout = contimeout)
+      if ret == 0:
+        plist.append(port)
+    if not plist:
+      if verbose >= 2:
+        print("Can't found valid SSH server on IP {}".format(ip_addr))
+      return -1
+    if passw:
+      pswlist = [ passw ]
+      if passw != 'root':
+        pswlist.append('root')
+    else:
+      pswlist = ['root', None]
+    for p, psw in enumerate(pswlist):
+      if psw is None:
+        if not interactive:
+          continue
+        psw = input("Enter password for root: ")
+      for i, port in enumerate(plist):
+        ret = self.check_ssh(ip_addr, port, psw, contimeout = contimeout)
+        if ret >= 0:
+          self.passw = psw
+          self.ssh_port = port
+          if verbose:
+            print("Detect valid SSH server on port {} (auth OK)".format(port))
+          return port
+        if ret == -3 and passw and psw == passw:
+          if verbose:
+            print("Set SSH password = None")
+          self.passw = None
+    if verbose >= 2:
+      print("Can't found valid SSH server on IP {}".format(ip_addr))
+    return -1  
+
  def set_timeout(self, timeout):
    self.timeout = timeout
    if self.use_ssh and self.ssh:
@ -567,7 +653,7 @@ class Gateway():
 if __name__ == "__main__":
  if len(sys.argv) > 1:
    ip_addr = sys.argv[1]
-    gw = Gateway(detect_device = False)
+    gw = Gateway(detect_device = False, detect_ssh = False)
    gw.ip_addr = ip_addr
    print("Device IP-address changed to {}".format(ip_addr))
    
--- a/menu.py
+++ b/menu.py
@ -10,7 +10,7 @@ import gateway
 from gateway import die


-gw = gateway.Gateway(detect_device = False)
+gw = gateway.Gateway(detect_device = False, detect_ssh = False)

 def get_header(delim, suffix = ''):
  header = delim*58 + '\n'
--- a/read_info.py
+++ b/read_info.py
@ -613,7 +613,7 @@ class SysLog():
  bdata = None    # EnvBuffer()

  def __init__(self, gw, timeout = 17, verbose = 1, infolevel = 1):
-    self.gw = gateway.Gateway() if gw is None else gw
+    self.gw = gateway.Gateway(detect_ssh = False) if gw is None else gw
    self.verbose = verbose
    self.timeout = timeout
    os.makedirs('outdir', exist_ok = True)
@ -634,7 +634,7 @@ class SysLog():
    timeout = timeout if timeout is not None else self.timeout
    self.files = []
    if not self.gw:
-      gw = gateway.Gateway()
+      gw = gateway.Gateway(detect_ssh = False)
      gw.web_login()
    else:
      gw = self.gw
@ -758,7 +758,7 @@ class SysLog():

 if __name__ == "__main__":
  if len(sys.argv) > 1 and sys.argv[1] == 'syslog':
-    gw = gateway.Gateway(timeout = 4)
+    gw = gateway.Gateway(timeout = 4, detect_ssh = False)
    if gw.status < 1:
      die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr))
    slog = SysLog(gw, timeout = 17, verbose = 1, infolevel = 2)