diff --git a/extras/language/luci b/extras/language/luci
index 1ac5a58..8b953c5 100644
--- a/extras/language/luci
+++ b/extras/language/luci
@@ -30,6 +30,3 @@ config internal 'ccache'
 config internal 'themes'
 option xiaoqiang '/xiaoqiang'
 option OpenWrt '/luci-static/openwrt.org'
-
-config 5 'debuglevel'
-
diff --git a/remote_command_execution_vulnerability.py b/remote_command_execution_vulnerability.py
index d1b1ab8..553f28e 100644
--- a/remote_command_execution_vulnerability.py
+++ b/remote_command_execution_vulnerability.py
@@ -41,14 +41,14 @@ def get_stok(router_ip_address):
 try:
 r0 = requests.get("http://{router_ip_address}/cgi-bin/luci/web".format(router_ip_address=router_ip_address))
 except:
- print ("Xiaomi router not found...")
+ print ("Xiaomi router not found.")
 return None
- try:
+ try:
 mac = re.findall(r'deviceId = \'(.*?)\'', r0.text)[0]
+ key = re.findall(r'key: \'(.*)\',', r0.text)[0]
 except:
- print ("Xiaomi router not found...")
+ print ("Unable to find deviceId or key.")
 return None
- key = re.findall(r'key: \'(.*)\',', r0.text)[0]
 nonce = "0_" + mac + "_" + str(int(time.time())) + "_" + str(random.randint(1000, 10000))
 router_password = input("Enter router admin password: ")
 account_str = hashlib.sha1((router_password + key).encode('utf-8')).hexdigest()
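Review bot: Both handlers in get_stok are still bare `except:`, so the new message "Unable to find deviceId or key." is printed for any exception raised in that block and the real cause is discarded. The only failure the second block is written for is an empty `re.findall` result, so `except IndexError:` fits there, and `except requests.RequestException:` fits the request above it. The `requests.get` call also passes no `timeout=`, so an address that accepts the connection but never answers blocks the script indefinitely. A context line lower in the hunk reads the admin password with `input()`, which echoes it to the terminal; `getpass.getpass("Enter router admin password: ")` would not. get_stok continues past the end of the hunk.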
@@ -67,8 +67,8 @@ def get_stok(router_ip_address): stok = get_stok(router_ip_address) or input("You need to get the stok manually, then input the stok here: ") print("""There two options to provide the files needed for invasion: - 1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`. - 2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)""") + 1. Use a local TCP file server running on random port to provide files in local directory `script_tools`. + 2. Download needed files from remote github repository. (choose this option only if github is accessible inside router device.)""") use_local_file_server = (input("Which option do you prefer? (default: 1)") or "1") == "1" # From https://blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09 diff --git a/set_english.py b/set_english.py index 0d59b16..fe28036 100644 --- a/set_english.py +++ b/set_english.py @@ -9,12 +9,13 @@ import os import ftplib -router_ip_address = input("Router IP address: ") -# router_ip_address = '192.168.0.21' +router_ip_address = "miwifi.com" +# router_ip_address = "192.168.31.1" +router_ip_address = input("Router IP address: [press enter for using the default '{}']".format(router_ip_address)) or router_ip_address session = ftplib.FTP(router_ip_address,'root','') -# Uploading a lenguage file will not succeed as the filesystem is ro +# Uploading a language file will not succeed as the filesystem is ro # languageFile = open('extras/language/i18n/base.en.lmo','rb') # session.storbinary('STOR /usr/lib/lua/luci/i18n/base.en.lmo', languageFile) # languageFile.close() diff --git a/tcp_file_server.py b/tcp_file_server.py index ac430fd..1941a74 100644 --- a/tcp_file_server.py +++ b/tcp_file_server.py 
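Review bot: In the set_english.py hunk the new default `"miwifi.com"` makes the FTP target depend on name resolution: the name presumably points at the router only when the router is answering the machine's DNS queries, and otherwise `ftplib.FTP(router_ip_address,'root','')` opens a root login to whatever host the name resolves to. Defaulting to the address in the commented-out line, `router_ip_address = "192.168.31.1"`, keeps the connection on the local network. The answer is also used unstripped, so a stray space is truthy and is passed to `ftplib.FTP` as the host; `input(...).strip() or router_ip_address` handles that. Assigning the default, commenting out an alternative and then reassigning the same name reads more clearly as a named constant such as `DEFAULT_ROUTER_ADDRESS` used in both the prompt and the fallback.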
@@ -26,7 +26,7 @@ def run(self): self.server_thread = threading.Thread(target=self.server.serve_forever) self.server_thread.daemon = True self.server_thread.start() - print("local file server is runing on {}:{}. root='{}'".format(self.ip, self.port, self.server.root_dir)) + print("local file server is running on {}:{}. root='{}'".format(self.ip, self.port, self.server.root_dir)) def __exit__(self, exc_type, exc_val, exc_tb): self.server.shutdown()