the “script.sh" runs incorrectly on Xiaomi 4A Gigabit FW 2.28.38

[xuzheliang135]

I tryies the version 0.0.6 on my Xiaomi 4A Gigabit, and it doesn't work. I had solve other problems that mentioned in issues, such as "change to router mode" , "use stok in the same machine","use mirror for github". But they are all useless. Finally, I tried the version 0.0.1 and get reverse shell. After I get the shell, I try to find why the version 0.0.6 doesn't work. I find the payload "script.sh" was already uploaded in /tmp which means the vulnerability was not fixed in FW2.28.38. But when I runs command "sh /tmp/script.sh exploit" manually, I get error messages as below(I deleted the first line "set -euo pipefail" which raises a exception either):

: not found/script.sh: line 2: : not found.sh: line 4: setup_password : not found.sh: line 5: setup_busybox : not found.sh: line 6: start_telnet : not found.sh: line 7: start_ftp : not found.sh: line 8: start_ssh Done exploiting : not found.sh: line 10: } : not found.sh: line 11: passwd: unknown user root : not found.sh: line 16: } : not found.sh: line 17: : not found.sh: line 21: /tmp/script.sh: cd: line 22: can't cd to /tmp % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 curl: (35) ssl_handshake returned - PolarSSL: (-0x7780) SSL - A fatal alert message was received from our peer : No such file or directory : not found.sh: line 28: } : not found.sh: line 29: /tmp/script.sh: cd: line 31: can't cd to /tmp : not found.sh: line 33: : not found.sh: line 34: } : not found.sh: line 35: /tmp/script.sh: cd: line 37: can't cd to /tmp : applet not found : not found.sh: line 39: } : not found.sh: line 40: /tmp/script.sh: cd: line 42: can't cd to /tmp : not found.sh: line 43: : not found.sh: line 48: kill: you need to specify whom to kill : not found.sh: line 50: true : not found.sh: line 51: % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 163 0 163 0 0 50 0 --:--:-- 0:00:03 --:--:-- 50 100 317k 100 317k 0 0 57975 0 0:00:05 0:00:05 --:--:-- 298k 'ar: invalid number '1 : not found.sh: line 57: /tmp/script.sh: line 62: /tmp/dropbear/dropbearkey: not found /tmp/script.sh: line 63: /tmp/dropbear/dropbearkey: not found : not found.sh: line 64: : not found.sh: line 66: /tmp/dropbear/dropbear : not found.sh: line 67: : not found.sh: line 70: } : not found.sh: line 71: Remount /usr/share/xiaoqiang as read-write : not found.sh: line 74: failed: No such file or directory/usr/share/xiaoqiang : not found.sh: line 77: Done remounting : not found.sh: line 79: } : not found.sh: line 80: : not found.sh: line 86: Start /': Read-only file systemtory '/tmp : not found.sh: line 91: /tmp/script.sh: line 106: syntax error: unexpected end of file (expecting "do")

Is there something wrong in what I did or the script just doesn't work on FW 2.28.38 ? (I also tried the FW 2.28.62 you provided in README, but I haven't test weather it doesn't work for the same reason)

How I get reverse shell using version 0.0.1:

1. Using Linux to execute the code. the generated tar.gz file was different on Windows and Linux, and I believe there is something wrong with the tar.gz file generated on windows.
2. Ensure the 4444 port are reachable on your computer. you can use telnet to test from another machine

[acecilia]

You should not remove the set -euo pipefail line, by removing it you allow the script to continue with errors, which is what you see: there are many many errors showing.

The script works, many people use it without issues (I myself used it with two Xiaomi 4A Gigabit). I think there is something wrong on your procedure.

Using Linux to execute the code. the generated tar.gz file was different on Windows and Linux, and I believe there is something wrong with the tar.gz file generated on windows

That is something that has been mentioned in other issues. Glad you managed to make it work