Fix dropbear installation

Integrate dropbearkey into dropbearmulti.
Disable using RSA and DSS host keys.

connect.py

@@ -116,8 +116,11 @@ with tarfile.open(fn_payload2, "w:gz", compresslevel=9) as tar:
 
 with tarfile.open(fn_payload3, "w:gz", compresslevel=9) as tar:
   tar.add(fn_pf3, arcname = os.path.basename(fn_pf3))
-  tar.add(dn_dir + fn_exploit, arcname = fn_exploit)
   tar.add(dn_tmp + fn_executor, arcname = fn_executor)
+  tar.add(dn_dir + fn_exploit, arcname = fn_exploit)
+  if gw.use_ssh:
+    tar.add(dn_dir + 'dropbear.uci.cfg', arcname = 'dropbear.uci.cfg')
+    tar.add(dn_dir + 'dropbear.init.d.sh', arcname = 'dropbear.init.d.sh')
 
 if os.path.exists(fn_pf1):
   os.remove(fn_pf1)

data/payload_ssh/dropbear.init.d.sh

@@ -0,0 +1,165 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2010 OpenWrt.org
+# Copyright (C) 2006 Carlos Sobrinho
+
+START=50
+STOP=50
+
+SERVICE_USE_PID=1
+
+NAME=dropbear
+PROG=/etc/dropbear/dropbear
+PIDCOUNT=0
+EXTRA_COMMANDS="killclients"
+EXTRA_HELP="	killclients Kill ${NAME} processes except servers and yourself"
+
+dropbear_start()
+{
+	append_ports()
+	{
+		local ifname="$1"
+		local port="$2"
+
+		grep -qs "^ *$ifname:" /proc/net/dev || {
+			append args "-p $port"
+			return
+		}
+
+		for addr in $(
+			ifconfig "$ifname" | sed -ne '
+				/addr: *fe[89ab][0-9a-f]:/d
+				s/.* addr: *\([0-9a-f:\.]*\).*/\1/p
+			'
+		); do
+			append args "-p $addr:$port"
+		done
+	}
+
+
+	local section="$1"
+
+	# check if section is enabled (default)
+	local enabled
+	config_get_bool enabled "${section}" enable 1
+	[ "${enabled}" -eq 0 ] && return 1
+
+	# verbose parameter
+	local verbosed
+	config_get_bool verbosed "${section}" verbose 0
+
+	# increase pid file count to handle multiple instances correctly
+	PIDCOUNT="$(( ${PIDCOUNT} + 1))"
+
+	# prepare parameters (initialise with pid file)
+	local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
+	local args="-P $pid_file"
+	local val
+	# A) password authentication
+	config_get_bool val "${section}" PasswordAuth 1
+	[ "${val}" -eq 0 ] && append args "-s"
+	# B) listen interface and port
+	local port
+	local interface
+	config_get interface "${section}" Interface
+	config_get interface "${interface}" ifname "$interface"
+	config_get port "${section}" Port 22
+	append_ports "$interface" "$port"
+	# C) banner file
+	config_get val "${section}" BannerFile
+	[ -f "${val}" ] && append args "-b ${val}"
+	# D) gatewayports
+	config_get_bool val "${section}" GatewayPorts 0
+	[ "${val}" -eq 1 ] && append args "-a"
+	# E) root password authentication
+	config_get_bool val "${section}" RootPasswordAuth 1
+	[ "${val}" -eq 0 ] && append args "-g"
+	# F) root login
+	config_get_bool val "${section}" RootLogin 1
+	[ "${val}" -eq 0 ] && append args "-w"
+	# G) host keys
+	config_get val "${section}" rsakeyfile
+	[ -f "${val}" ] && append args "-r ${val}"
+	config_get val "${section}" dsskeyfile
+	[ -f "${val}" ] && append args "-d ${val}"
+
+	# execute program and return its exit code
+	[ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}"
+	SERVICE_PID_FILE="$pid_file" service_start ${PROG} ${args}
+}
+
+start()
+{
+	include /lib/network
+	scan_interfaces
+	config_load "${NAME}"
+	config_foreach dropbear_start dropbear
+}
+
+stop()
+{
+	local pid_file pid_files
+	
+	pid_files=`ls /var/run/${NAME}.*.pid 2>/dev/null`
+	
+	[ -z "$pid_files" ] && return 1
+	
+	for pid_file in $pid_files; do
+		SERVICE_PID_FILE="$pid_file" service_stop ${PROG} && {
+			rm -f ${pid_file}
+		}
+	done
+}
+
+killclients()
+{
+	local ignore=''
+	local server
+	local pid
+
+	# if this script is run from inside a client session, then ignore that session
+	pid="$$"
+	while [ "${pid}" -ne 0 ]
+	 do
+		# get parent process id
+		pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"`
+		[ "${pid}" -eq 0 ] && break
+
+		# check if client connection
+		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
+			append ignore "${pid}"
+			break
+		}
+	done
+
+	# get all server pids that should be ignored
+	for server in `cat /var/run/${NAME}.*.pid`
+	 do
+		append ignore "${server}"
+	done
+
+	# get all running pids and kill client connections
+	local skip
+	for pid in `pidof "${NAME}"`
+	 do
+		# check if correct program, otherwise process next pid
+		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
+			continue
+		}
+
+		# check if pid should be ignored (servers, ourself)
+		skip=0
+		for server in ${ignore}
+		 do
+			if [ "${pid}" == "${server}" ]
+			 then
+				skip=1
+				break
+			fi
+		done
+		[ "${skip}" -ne 0 ] && continue
+
+		# kill process
+		echo "${initscript}: Killing ${pid}..."
+		kill -KILL ${pid}
+	done
+}

data/payload_ssh/dropbear.uci.cfg

@@ -0,0 +1,5 @@
+config dropbear
+	option PasswordAuth 'on'
+	option RootPasswordAuth 'on'
+	option Port         '22'
+#	option BannerFile   '/etc/banner'

data/payload_ssh/exp10it.sh

@@ -4,40 +4,75 @@ nvram set bootdelay=5; nvram set uart_en=1; nvram commit
 # change password for root
 echo -e "root\nroot" | (passwd root) 
 
-if [ -f /etc/init.d/dropbear ]; then
-	# unlock autostart dropbear
-	sed -i 's/"$flg_ssh" != "1" -o "$channel" = "release"/-n ""/g' /etc/init.d/dropbear
-	if [ -f /usr/sbin/dropbear ]; then
-		# restart dropbear
-		/etc/init.d/dropbear stop
-		/etc/init.d/dropbear start
-	fi
-fi
-
-kill -9 `pgrep dropbearmulti`
+kill -9 `pgrep dropbearmulti` &>/dev/null
 
 cd /tmp
 rm -f dropbearmulti
 cat dropbearmulti_01 dropbearmulti_02 dropbearmulti_03 > dropbearmulti
 chmod +x dropbearmulti
+rm -f dropbearmulti_*
+
+if [ ! -d /etc/dropbear ]; then
+	mkdir /etc/dropbear
+	chown root /etc/dropbear
+	chmod 0700 /etc/dropbear
+fi
+
+# generate host key
+if [ ! -s /etc/dropbear/dropbear_ed25519_host_key ]; then
+	rm -f /etc/dropbear/dropbear_ed25519_host_key
+	/tmp/dropbearmulti dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key 2>&- >&-
+fi
+
+if [ ! -s /etc/dropbear/dropbear_ecdsa_host_key ]; then
+	rm -f /etc/dropbear/dropbear_ecdsa_host_key
+	/tmp/dropbearmulti dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key 2>&- >&-
+fi
 
 # start SSH server
 ./dropbearmulti -p 122
 
-#kill -9 `pgrep taskmonitor`
+#kill -9 `pgrep taskmonitor` &>/dev/null
 
-# install dropbear for release firmware (not devel)
-if [ ! -f /usr/sbin/dropbear ]; then
-	if [ -f /etc/init.d/dropbear ]; then
-		# stop dropbear
-		/etc/init.d/dropbear stop
+# unlock and restart preintalled dropbear (devel firmware)
+if [ -f /etc/init.d/dropbear ]; then
+	# unlock autostart dropbear
+	sed -i 's/"$flg_ssh" != "1" -o "$channel" = "release"/-n ""/g' /etc/init.d/dropbear
+	if [ -f /usr/sbin/dropbear ]; then
+		# enable dropbear
+		/etc/init.d/dropbear enable &>/dev/null 
+		# restart dropbear
+		/etc/init.d/dropbear restart
 	fi
+fi
+
+# install dropbear for release firmware (not devel)
+if [ ! -f /usr/sbin/dropbear -o ! -f /etc/init.d/dropbear ]; then
+	kill -9 `pgrep dropbear$` &>/dev/null
+
 	rm -f /etc/dropbear/dropbear
-	cp -f dropbearmulti /etc/dropbear/dropbear
+	cp -f /tmp/dropbearmulti /etc/dropbear/dropbear
 	chmod +x /etc/dropbear/dropbear
-	if [ -f /etc/init.d/dropbear ]; then
-		sed -i 's/PROG=\/usr\/sbin\/dropbear/PROG=\/etc\/dropbear\/dropbear/g' /etc/init.d/dropbear
-		# start dropbear
-		/etc/init.d/dropbear start
-	fi
+
+	rm -f /etc/config/dropbear
+	cp -f /tmp/dropbear.uci.cfg /etc/config/dropbear
+
+	rm -f /etc/init.d/dropbear
+	cp -f /tmp/dropbear.init.d.sh /etc/init.d/dropbear
+	chmod +x /etc/init.d/dropbear
+
+	rm -f /etc/rc.d/K50dropbear
+	ln -s /etc/init.d/dropbear /etc/rc.d/K50dropbear &>/dev/null
+
+	rm -f /etc/rc.d/S50dropbear
+	ln -s /etc/init.d/dropbear /etc/rc.d/S50dropbear &>/dev/null
+
+	# enable dropbear
+	/etc/init.d/dropbear enable &>/dev/null 
+
+	# restart dropbear
+	/etc/init.d/dropbear restart
 fi
+#rm -f dropbear.uci.cfg
+#rm -f dropbear.init.d.sh
+