New Xiaomi router AC2100

for those who are luckily able to get into uboot, could you try https://github.com/tkso1997/openwrt-ac2100

Turns out I'm terrible with mips and can't get more complex ROP chains than simple jumps to sleep() to run.

https://pastebin.com/ci1787zh

Someone who knows what they're doing give that a twice-over and see where I screwed up. Or better yet, if anyone with gdb working on the RM2100 stock 1.0.14 can breakpoint 0x42590C in pppd and tell me where I screwed up... (Granted, you'd need to set up pppoe-server too...)

Edit: Someone really needs to go check if the AX3600 rom actually got built with this fixed and/or has FORTIFY_SOURCE actually used.

Anyone else having problems with 5 GHz on this router?
I have an issue where sometimes I lose the internet connection on 5 GHz, while the internet on 2.4 GHz works fine.

I'm using the router as a wired repeater.

OpenWRT or stock rom? MT76 support for the chips on these boards is pretty WIP and they only bump the MT76 commit periodically in OpenWRT master.

In unrelated news:

listening on [any] 31337 ...
connect to [192.168.31.177] from (UNKNOWN) [192.168.31.1] 49743
id
uid=0(root) gid=0(root)

Well it works now, but the watchdog kills the process pretty quickly. Just fork your own shell or something in your own payload.

Trying to rewind the stack pointer hurt my brain too much, so I just brute forced a stack address that worked because there's no ASLR anyway.


My ax3600 arrived now, maybe I can do the check. But I have no idea what I should do.

You don't really need a physical one to extract the image, but I have the feeling that Xiaomi would have patched it since the image listed on the site is dated 4 days after the pppd vuln became public knowledge. (That and the Qualcomm SDK that they built off of... probably has mitigation in place.)

I can't be bothered checking since it's a little out of my price range and I can't get the ubifs extracted anyway.

As for RM2100 owners, here you go:

Replace the source/destination mac addresses and the interface, set up pppoe-server, and run when you see an active pppoe session between the router and your pc.

I think there's a watchdog that kills off pppd (and thus your shell) after a while, so I'd only probably use this to get your foot in the door and curl over a busybox binary to secure you proper access. (I.e. DO NOT DIRECTLY MTD WRITE YOUR OPENWRT IMAGES FROM THIS)

Should work on the black cylinder AC2100 (and anything older...) if you adjust the addresses of the rop gadgets and stuff.


Ok, here is the ubifs for ax3600, you can easily extract it with binwalk:

Otherwise, do you have a ARM version payload?

Anyone here who knows how I can get back to stock?
I want to test the exploit! I guess I can just flash the original kernel via tftp, boot it and send the original firmware via tftp. ???

Anyone willing to share the stock kernel.bin?

for your information: I am currently compiling a new OpenWrt version with kernel 5.4, and will upload it as soon as I have tested it ...

http://www1.miwifi.com/miwifi_download.html

thanks, but I think I need the kernel partition first. Is there an easy way of extracting it from the firmware image?

Here is kernel for Redmi AC2100: https://drive.google.com/open?id=1QBcKs6aIUWlMJ0Ngx1hg1d7iYuEaPJxe

What exploit do you want to test? Can I help you with this? Please give a solution, I have a Redmi AC2100 router.

thanks! I mean the one from @namidairo New Xiaomi Router AC2100

Great!
How can I get the values necessary from my ac2100 (rop gadgets addresses etc.)

Hi,

Did someone test if the BootRom DL Mode is disabled ?

The pppd binary, the libuclibc.so (Not strictly necessary but nice to have), and the memory map that gets spit out to messages when you crash it with a normal payload of all 'A' in the registers. (Assuming the mappings are different)

First two you can extract from the squashfs in the ubifs image (assuming you can get ubireader to work, I never could and just used Percy's dumps), last one you can get from the device logs (192.168.31.1/....blahblahstok=something/api/misystem/sys_log)

There might be a little bit of messing around as I guessed the stack address by just going down by 0x200 until it landed somewhere in the nop sled.

I shouldn't have called it the AC2100 either, it's really the R2100 isn't it. Confusing model naming all round.

Yes, that's confusing. My ax3600 is also called R3600. Could you please tell me how to confirm if this exploit is fixed in R3600? Unfortunately this is the only way which may get ssh access on 3600 now, because of the high price of a TSOP-48 programmer.

  1. Opening up the pppd binary and uclibc one in a disassembler.
  2. Checking that this hasn't been implemented yet https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426#diff-b7f5f2404cf3f5c09b1f8ad9364bb340
  3. Checking that bcopy/memcpy/memmove does not call a FORTIFY_SOURCE version
  4. Checking that they are not position independent executables.
  5. Crying if you find out they actually did do it properly by virtue of using Qualcomm's BSP?
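A script that runs the checks from the list above (upstream fix string, FORTIFY_SOURCE `_chk` symbols, stack canary, PIE) against an extracted pppd or libc image. This is an added example, not code from the thread; the ELF parsing reads only the header and program headers, the symbol checks are a raw-byte heuristic on `.dynstr` names, and the sample images in `main` are constructed.

```python
import struct

# Indicators the thread walks through: the string added by the upstream EAP fix,
# FORTIFY_SOURCE _chk variants that memcpy/bcopy/memmove would resolve to, and
# the stack-protector failure hook. Raw-byte scan: these names survive in
# .dynstr even on stripped binaries, so this is a workable first-pass heuristic.
FIX_STRING = b"EAP: trimming really long peer name down"
FORTIFY_SYMS = (b"__memcpy_chk", b"__memmove_chk", b"__strcpy_chk", b"__sprintf_chk")
CANARY_SYM = b"__stack_chk_fail"
PT_INTERP, ET_EXEC, ET_DYN = 3, 2, 3

def triage_elf(data: bytes) -> dict:
    """Return mitigation/fix indicators for an ELF image (32/64-bit, LE/BE)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little, 2 = big endian
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # ET_DYN alone is ambiguous (PIE or plain .so); PT_INTERP marks an executable.
    has_interp = any(
        struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum))
    return {
        "machine": {8: "MIPS", 40: "ARM", 183: "AArch64"}.get(e_machine, str(e_machine)),
        "pie": e_type == ET_DYN and has_interp,
        "shared_object": e_type == ET_DYN and not has_interp,
        "stack_canary": CANARY_SYM in data,
        "fortify": any(s in data for s in FORTIFY_SYMS),
        "eap_fix_present": FIX_STRING in data,
    }

def unmitigated(t: dict) -> bool:
    """True when none of the three checks (fix string, FORTIFY, PIE) is present."""
    return not (t["eap_fix_present"] or t["fortify"] or t["pie"])

def make_fake_elf(e_type: int, phdr_types=(), extra=b"") -> bytes:
    """Constructed minimal ELF32 big-endian MIPS image (header + phdrs) for testing."""
    hdr = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
    hdr += struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0, 52, 32,
                       len(phdr_types), 40, 0, 0)
    phdrs = b"".join(struct.pack(">8I", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return hdr + phdrs + extra

if __name__ == "__main__":
    stock = make_fake_elf(ET_EXEC, extra=b"memcpy\x00bcopy\x00")
    hardened = make_fake_elf(ET_DYN, (PT_INTERP,), b"__stack_chk_fail\x00__memcpy_chk\x00" + FIX_STRING)
    for name, img in (("stock-like", stock), ("hardened-like", hardened)):
        t = triage_elf(img)
        print(name, t, "unmitigated" if unmitigated(t) else "mitigated")
```

Point it at the real files with `triage_elf(open("pppd", "rb").read())`; a "shared_object" result on the libc is expected, and only the pppd verdict matters for the PIE check.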

  1. That's strange. I can't find this eap_request function, nor the string: EAP: trimming really long peer name down
  2. Moreover, R3600 uses musl not uclibc, I don't know how to check the FORTIFY_SOURCE calling
  3. Sadly, it is PIE.
    Maybe I can get ready to cry?? :sob: :sob:

The `pppd` and `libc.so` file: https://send.firefox.com/download/e042bee0081e2b04/#TTMmbHbGE9YUCZaJcAfwHw

Yeah, they have stack guards on in there too.

At least Qualcomm have shown to have their BSP up to date on their flagship chipsets... :slight_smile: (The only reason it works on the ramips hardware is because they have pretty much every single mitigation turned off, no stack guards, no pie, rwx stacks, etc.)

current master compiled for ac2100:
https://gofile.io/?c=LWjyIx