the “script.sh" runs incorrectly on Xiaomi 4A Gigabit FW 2.28.38
Closed this issue · 1 comments
I tried version 0.0.6 on my Xiaomi 4A Gigabit, and it doesn't work. I had solved the other problems that were mentioned in issues, such as "change to router mode", "use stok on the same machine", "use a mirror for github". But they were all useless. Finally, I tried version 0.0.1 and got a reverse shell.
After I got the shell, I tried to find out why version 0.0.6 doesn't work. I found that the payload "script.sh" was already uploaded in /tmp, which means the vulnerability was not fixed in FW 2.28.38. But when I ran the command "sh /tmp/script.sh exploit" manually, I got the error messages below (I deleted the first line "set -euo pipefail", which raises an exception too):
: not found/script.sh: line 2:
: not found.sh: line 4: setup_password
: not found.sh: line 5: setup_busybox
: not found.sh: line 6: start_telnet
: not found.sh: line 7: start_ftp
: not found.sh: line 8: start_ssh
Done exploiting
: not found.sh: line 10: }
: not found.sh: line 11:
passwd: unknown user root
: not found.sh: line 16: }
: not found.sh: line 17:
: not found.sh: line 21:
/tmp/script.sh: cd: line 22: can't cd to /tmp
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) ssl_handshake returned - PolarSSL: (-0x7780) SSL - A fatal alert message was received from our peer
: No such file or directory
: not found.sh: line 28: }
: not found.sh: line 29:
/tmp/script.sh: cd: line 31: can't cd to /tmp
: not found.sh: line 33:
: not found.sh: line 34: }
: not found.sh: line 35:
/tmp/script.sh: cd: line 37: can't cd to /tmp
: applet not found
: not found.sh: line 39: }
: not found.sh: line 40:
/tmp/script.sh: cd: line 42: can't cd to /tmp
: not found.sh: line 43:
: not found.sh: line 48:
kill: you need to specify whom to kill
: not found.sh: line 50: true
: not found.sh: line 51:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 163 0 163 0 0 50 0 --:--:-- 0:00:03 --:--:-- 50
100 317k 100 317k 0 0 57975 0 0:00:05 0:00:05 --:--:-- 298k
'ar: invalid number '1
: not found.sh: line 57:
/tmp/script.sh: line 62: /tmp/dropbear/dropbearkey: not found
/tmp/script.sh: line 63: /tmp/dropbear/dropbearkey: not found
: not found.sh: line 64:
: not found.sh: line 66: /tmp/dropbear/dropbear
: not found.sh: line 67:
: not found.sh: line 70: }
: not found.sh: line 71:
Remount /usr/share/xiaoqiang as read-write
: not found.sh: line 74:
failed: No such file or directory/usr/share/xiaoqiang
: not found.sh: line 77:
Done remounting
: not found.sh: line 79: }
: not found.sh: line 80:
: not found.sh: line 86:
Start
/': Read-only file systemtory '/tmp
: not found.sh: line 91:
/tmp/script.sh: line 106: syntax error: unexpected end of file (expecting "do")
Is there something wrong in what I did, or does the script just not work on FW 2.28.38?
(I also tried the FW 2.28.62 you provided in the README, but I haven't tested whether it fails for the same reason.)
How I got a reverse shell using version 0.0.1:
- Use Linux to execute the code. The generated tar.gz file was different on Windows and Linux, and I believe there is something wrong with the tar.gz file generated on Windows.
- Ensure port 4444 is reachable on your computer. You can use telnet to test from another machine.
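The shape of the output above (": not found.sh: line 4: setup_password", "'ar: invalid number '1", a cd that "can't cd to /tmp") is what a POSIX or BusyBox sh prints when every line of a script ends in a carriage return: the "\r" returns the terminal cursor to column 0 so the error text overwrites the start of the path, and "/tmp\r" is not a directory. Whether that is what happened to this reporter's Windows-generated archive is an assumption; the check below is an added example, not code from the issue or from the project, and only demonstrates how to catch the problem before packing a script. The demo file contents and the `.lf` temporary suffix are constructed for the example.

```shell
#!/bin/sh
# Added example (not the project's code): detect and strip CRLF line endings
# in a shell script before it is packed, and confirm it parses under sh.

# has_crlf FILE -> exit 0 if FILE contains any carriage return, 1 otherwise
has_crlf() {
    cr=$(printf '\r')           # literal CR character for grep
    grep -q "$cr" "$1"
}

# strip_crlf FILE -> rewrite FILE in place with LF-only line endings
strip_crlf() {
    tmp="$1.lf"                 # constructed temporary name
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# check_script FILE -> report a verdict; return 0 only when the script is
# free of CRs and passes "sh -n" (parse only, nothing is executed)
check_script() {
    if has_crlf "$1"; then
        printf '%s: CRLF line endings found; convert before packing\n' "$1"
        return 1
    fi
    if ! sh -n "$1"; then
        printf '%s: does not parse under sh\n' "$1"
        return 1
    fi
    printf '%s: LF line endings, parses under sh\n' "$1"
}

# Demo on a constructed file (hypothetical contents, not script.sh itself)
demo_file="${TMPDIR:-/tmp}/crlf_demo_$$.sh"
printf 'exploit() {\r\n    echo Done exploiting\r\n}\r\nexploit\r\n' > "$demo_file"
check_script "$demo_file" || true   # reports CRLF line endings
strip_crlf "$demo_file"
check_script "$demo_file"           # now clean
rm -f "$demo_file"
```

Run the check on the script on the machine that builds the archive; if it reports CRLF, the file was written or converted with Windows line endings and the archive built from it will misbehave on the router even though the upload itself succeeds.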
You should not remove the set -euo pipefail line; by removing it you allow the script to continue with errors, which is what you see: there are many, many errors showing.
The script works, many people use it without issues (I myself used it with two Xiaomi 4A Gigabit). I think there is something wrong in your procedure.
Use Linux to execute the code. The generated tar.gz file was different on Windows and Linux, and I believe there is something wrong with the tar.gz file generated on Windows.
That is something that has been mentioned in other issues. Glad you managed to make it work.