aiden
/
xmir-patcher
mirror of https://github.com/openwrt-xiaomi/xmir-patcher
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

connect: Multi exploit test

Browse Source
main
remittor 4 days ago
parent 3f3b921967
commit cc1a760729
4 changed files with 69 additions and 62 deletions
Show Stats Download Patch File Download Diff File

25
connect.py
Unescape Escape View File

@ -51,14 +51,25 @@ dn = gw.device_name
# import connect4 # import connect4
# sys.exit(0) # sys.exit(0)
#if dn in 'RD01 RD02 RD03 CR8818 RD04 RD05 RD06 CR8816 CR8819 RD08 ':
if dn[:2] in ['RD','BE','RN'] or dn.startswith('CR88') or dn == 'RA80V2':
import connect6
sys.exit(0)
if gw.model_id <= 0 or gw.model_id >= gw.get_modelid_by_name('R2100'): if gw.model_id <= 0 or gw.model_id >= gw.get_modelid_by_name('R2100'):
import connect5 # init gw and check ssh
sys.exit(0) gw = create_gateway(timeout = 4, die_if_sshOk = True, die_if_ftpOk = True, web_login = True)
exp_modules = [
'connect6', # arn_switch/start_binding
'connect5', # smartcontroller
]
for mod_name in exp_modules:
try:
import_module(mod_name, gw)
break # Ok
except ExploitNotWorked as e:
print('WARN:', str(e))
continue # try next module
except Exception:
raise
sys.exit(0)
# =============================================================================== # ===============================================================================

35
connect5.py
Unescape Escape View File

@ -17,32 +17,13 @@ import json
import xmir_base import xmir_base
from gateway import * from gateway import *
class ExploitError(Exception): pass
try:
gw = Gateway(timeout = 4, detect_ssh = False) gw = inited_gw
if gw.status < 1: except NameError:
die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr)) gw = create_gateway(die_if_sshOk = True)
print("device_name =", gw.device_name)
print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel))
print("mac address = {}".format(gw.mac_address))
dn = gw.device_name
gw.ssh_port = 22
ret = gw.detect_ssh(verbose = 1, interactive = True)
if ret == 23:
if gw.use_ftp:
die("Telnet and FTP servers already running!")
print("Telnet server already running, but FTP server not respond")
elif ret > 0:
die(0, "SSH server already installed and running")
ccode = gw.device_info["countrycode"] ccode = gw.device_info["countrycode"]
if ccode == "CN":
print('CountryCode = CN')
stok = gw.web_login()
# CVE-2023-26319 Note: https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/ # CVE-2023-26319 Note: https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/
@ -149,7 +130,7 @@ def exec_tiny_cmd(cmd, act_delay = 2):
code = dres['code'] code = dres['code']
except Exception: except Exception:
if res == 'Internal Server Error': if res == 'Internal Server Error':
die(f'Exploit "smartcontroller" not working! [{res}]') raise ExploitNotWorked(f'Exploit "smartcontroller" not working! [{res}]')
raise ExploitError(f'Error on parse response for command "scene_setting" => {res}') raise ExploitError(f'Error on parse response for command "scene_setting" => {res}')
if code != 0: if code != 0:
raise ExploitError(f'Error on exec command "scene_setting" => {res}') raise ExploitError(f'Error on exec command "scene_setting" => {res}')
@ -241,13 +222,13 @@ hackCheck = False
res = exec_smart_command("aaaaa;$", ignore_err_code = 2) res = exec_smart_command("aaaaa;$", ignore_err_code = 2)
if isinstance(res, dict): if isinstance(res, dict):
if res['msg'] != 'api not exists': if res['msg'] != 'api not exists':
die(f'Smartcontroller return error: {res}') raise ExploitNotWorked(f'Smartcontroller return error: {res}')
else: else:
if 'Internal Server Error' in res: if 'Internal Server Error' in res:
print(f'Detect using xiaoqiang "hackCheck" fix ;-)') print(f'Detect using xiaoqiang "hackCheck" fix ;-)')
hackCheck = True hackCheck = True
else: else:
die(f'Smartcontroller return Error: {res}') raise ExploitNotWorked(f'Smartcontroller return Error: {res}')
# get device orig system time # get device orig system time
dst = gw.get_device_systime() dst = gw.get_device_systime()
@ -291,7 +272,7 @@ gw.set_device_systime(dst, wait = False)
if not sc_activated: if not sc_activated:
time.sleep(1) time.sleep(1)
reset_smart_task() reset_smart_task()
die('Exploit "smartcontroller" not working!!!') raise ExploitNotWorked('Exploit "smartcontroller" not working!!!')
#print('Logger ...') #print('Logger ...')
#res = exec_cmd("logger hello") #res = exec_cmd("logger hello")

33
connect6.py
Unescape Escape View File

@ -10,33 +10,10 @@ import xmir_base
from gateway import * from gateway import *
gw = Gateway(timeout = 4, detect_ssh = False) try:
if gw.status < 1: gw = inited_gw
die(f"Xiaomi Mi Wi-Fi device not found (IP: {gw.ip_addr})") except NameError:
gw = create_gateway(die_if_sshOk = False)
print(f"device_name = {gw.device_name}")
print(f"rom_version = {gw.rom_version} {gw.rom_channel}")
print(f"mac address = {gw.mac_address}")
dn = gw.device_name
gw.ssh_port = 22
ret = gw.detect_ssh(verbose = 1, interactive = True)
if ret == 23:
if gw.use_ftp:
die("Telnet and FTP servers already running!")
print("Telnet server already running, but FTP server not respond")
elif ret > 0:
#die(0, "SSH server already installed and running")
pass
info = gw.get_init_info()
if not info or info["code"] != 0:
die('Cannot get init_info')
ccode = info["countrycode"]
print(f'Current CountryCode = {ccode}')
stok = gw.web_login()
def exploit_1(cmd, api = 'API/misystem/arn_switch'): def exploit_1(cmd, api = 'API/misystem/arn_switch'):
@ -79,7 +56,7 @@ for idx, exp_func in enumerate(exp_list):
gw.set_diag_iperf_test_thr(20) gw.set_diag_iperf_test_thr(20)
if not exec_cmd: if not exec_cmd:
die('Exploits arn_switch/start_binding not working!!!') raise ExploitNotWorked('Exploits arn_switch/start_binding not working!!!')
if exec_cmd == exploit_1: if exec_cmd == exploit_1:
print('Exploit "arn_switch" detected!') print('Exploit "arn_switch" detected!')

38
gateway.py
Unescape Escape View File

@ -31,6 +31,11 @@ from multiprocessing import shared_memory
import xqmodel import xqmodel
class ExploitError(Exception): pass
class ExploitNotWorked(Exception): pass
def die(*args): def die(*args):
err = 1 err = 1
prefix = "ERROR: " prefix = "ERROR: "
@ -973,6 +978,39 @@ class Gateway():
return hasher.hexdigest() return hasher.hexdigest()
#===============================================================================
def import_module(mod_name, gw):
import importlib.util
mod_spec = importlib.util.spec_from_file_location(mod_name, f"{mod_name}.py")
mod_object = importlib.util.module_from_spec(mod_spec)
sys.modules[mod_name] = mod_object
if gw is not None:
mod_object.inited_gw = gw
mod_spec.loader.exec_module(mod_object)
def create_gateway(timeout = 4, die_if_sshOk = True, die_if_ftpOk = True, web_login = True, ssh_port = 22):
gw = Gateway(timeout = timeout, detect_ssh = False)
if gw.status < 1:
die(f"Xiaomi Mi Wi-Fi device not found (IP: {gw.ip_addr})")
print(f"device_name = {gw.device_name}")
print(f"rom_version = {gw.rom_version} {gw.rom_channel}")
print(f"mac_address = {gw.mac_address}")
gw.ssh_port = ssh_port if ssh_port else 22
ret = gw.detect_ssh(verbose = 1, interactive = True)
if ret == 23:
if gw.use_ftp and die_if_ftpOk:
die("Telnet and FTP servers already running!")
print("Telnet server already running, but FTP server not respond")
elif ret > 0:
if die_if_sshOk:
die(0, "SSH server already installed and running")
ccode = gw.device_info["countrycode"]
print(f'CountryCode = {ccode}')
if web_login:
gw.web_login()
return gw
#=============================================================================== #===============================================================================
if __name__ == "__main__": if __name__ == "__main__":
if len(sys.argv) > 1: if len(sys.argv) > 1:

Write Preview
Loading…
Cancel
Save