From edd6f5a50841814e080a5feac954f7a6fb1bbb2e Mon Sep 17 00:00:00 2001 From: nikita-yfh <70135428+nikita-yfh@users.noreply.github.com> Date: Wed, 1 Jun 2022 08:25:09 +0300 Subject: [PATCH 1/8] MTK fix --- oneshot.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/oneshot.py b/oneshot.py index 806ffc4..6a187ee 100755 --- a/oneshot.py +++ b/oneshot.py @@ -1069,6 +1069,7 @@ def usage(): --iface-down : Down network interface when the work is finished -l, --loop : Run in a loop -r, --reverse-scan : Reverse order of networks in the list of networks. Useful on small displays + -m, --mtk-fix : MTK interface fix, turn off Wi-Fi to use this -v, --verbose : Verbose output Example: @@ -1156,6 +1157,11 @@ def usage(): action='store_true', help='Reverse order of networks in the list of networks. Useful on small displays' ) + parser.add_argument( + '-m', '--mtk-fix', + action='store_true', + help='MTK interface fix, turn off Wi-Fi to use thiss' + ) parser.add_argument( '-v', '--verbose', action='store_true', @@ -1168,6 +1174,11 @@ def usage(): die("The program requires Python 3.6 and above") if os.getuid() != 0: die("Run it as root") + + if args.mtk_fix: + subprocess.run("chmod 644 /dev/wmtWifi", shell=True, stdout=sys.stdout, stderr=sys.stdout) + subprocess.run("echo 1 > /dev/wmtWifi, shell=True, stdout=sys.stdout, stderr=sys.stdout) + if not ifaceUp(args.interface): die('Unable to up interface "{}"'.format(args.interface)) From e581c85f6c52e6adc0ab0e8db06a8dc376d82816 Mon Sep 17 00:00:00 2001 From: Victor Golovanenko Date: Wed, 15 Jun 2022 22:34:33 +0300 Subject: [PATCH 2/8] Reworked interface activate function for MTK SoC devices --- README.md | 3 +++ oneshot.py | 26 ++++++++++++++++++-------- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index ec76add..5d5918e 100644 --- a/README.md +++ b/README.md 
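Review bot: The second `subprocess.run` call in the new `if args.mtk_fix:` block has an unterminated string literal (`"echo 1 > /dev/wmtWifi, shell=True, stdout=sys.stdout, stderr=sys.stdout)` — the closing quote is missing), so the module no longer compiles and the script is unusable for every user, not only those passing `-m`. Neither command needs a shell: the node can be handled from Python with `os.chmod('/dev/wmtWifi', 0o644)` and `with open('/dev/wmtWifi', 'w') as dev: dev.write('1')`, which drops `shell=True` and raises a real exception if the node is absent instead of printing a shell error to stdout. The block also activates the driver without checking that `/dev/wmtWifi` exists and never deactivates it on exit; patch 2 of this series replaces the block with a `Path`-based version. The enclosing main block starts and ends outside the hunk.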
@@ -116,6 +116,9 @@ Please note that root access is required. --vuln-list= : Use custom file with vulnerable devices list ['vulnwsc.txt'] --iface-down : Down network interface when the work is finished -l, --loop : Run in a loop + -r, --reverse-scan : Reverse order of networks in the list of networks. Useful on small displays + --mtk-wifi : Activate MediaTek Wi-Fi interface driver on startup and deactivate it on exit + (for internal Wi-Fi adapters implemented in MediaTek SoCs). Turn off Wi-Fi in the system settings before using this. -v, --verbose : Verbose output ``` diff --git a/oneshot.py b/oneshot.py index 6a187ee..cc90d40 100755 --- a/oneshot.py +++ b/oneshot.py @@ -14,6 +14,7 @@ import collections import statistics import csv +from pathlib import Path from typing import Dict @@ -1069,7 +1070,8 @@ def usage(): --iface-down : Down network interface when the work is finished -l, --loop : Run in a loop -r, --reverse-scan : Reverse order of networks in the list of networks. Useful on small displays - -m, --mtk-fix : MTK interface fix, turn off Wi-Fi to use this + --mtk-wifi : Activate MediaTek Wi-Fi interface driver on startup and deactivate it on exit + (for internal Wi-Fi adapters implemented in MediaTek SoCs). Turn off Wi-Fi in the system settings before using this. -v, --verbose : Verbose output Example: @@ -1158,9 +1160,11 @@ def usage(): help='Reverse order of networks in the list of networks. Useful on small displays' ) parser.add_argument( - '-m', '--mtk-fix', + '--mtk-wifi', action='store_true', - help='MTK interface fix, turn off Wi-Fi to use thiss' + help='Activate MediaTek Wi-Fi interface driver on startup and deactivate it on exit ' + '(for internal Wi-Fi adapters implemented in MediaTek SoCs). ' + 'Turn off Wi-Fi in the system settings before using this.' ) parser.add_argument( '-v', '--verbose', 
@@ -1174,11 +1178,14 @@ def usage(): die("The program requires Python 3.6 and above") if os.getuid() != 0: die("Run it as root") - - if args.mtk_fix: - subprocess.run("chmod 644 /dev/wmtWifi", shell=True, stdout=sys.stdout, stderr=sys.stdout) - subprocess.run("echo 1 > /dev/wmtWifi, shell=True, stdout=sys.stdout, stderr=sys.stdout) - + + if args.mtk_wifi: + wmtWifi_device = Path("/dev/wmtWifi") + if not wmtWifi_device.is_char_device(): + die("Unable to activate MediaTek Wi-Fi interface device (--mtk-wifi): " + "/dev/wmtWifi does not exist or it is not a character device") + wmtWifi_device.chmod(0o644) + wmtWifi_device.write_text("1") if not ifaceUp(args.interface): die('Unable to up interface "{}"'.format(args.interface)) @@ -1224,3 +1231,6 @@ def usage(): if args.iface_down: ifaceUp(args.interface, down=True) + + if args.mtk_wifi: + wmtWifi_device.write_text("0") From f785d5c23d244c22441a2be52d9f74327b560835 Mon Sep 17 00:00:00 2001 From: Victor Golovanenko Date: Wed, 15 Jun 2022 23:22:14 +0300 Subject: [PATCH 3/8] Added flake8 configuration --- .flake8 | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .flake8 diff --git a/.flake8 b/.flake8 new file mode 100644 index 0000000..6deafc2 --- /dev/null +++ b/.flake8 @@ -0,0 +1,2 @@ +[flake8] +max-line-length = 120 From 3b566424f4e952d1c3a645d7bfdd8b8ac9773c09 Mon Sep 17 00:00:00 2001 From: Victor Golovanenko Date: Wed, 15 Jun 2022 23:24:51 +0300 Subject: [PATCH 4/8] README: updated troubleshooting note for MTK Android devices --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 5d5918e..f2f198c 100644 --- a/README.md +++ b/README.md 
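Review bot: `wmtWifi_device.write_text("1")` here and the matching `write_text("0")` in the last hunk of this file are unguarded, so an `OSError` from the driver node produces a raw traceback rather than the `die(...)` message used for the neighbouring failure, and because the deactivation sits at the very end of the function, any `die()` or exception in between leaves the driver switched on. Wrapping everything from `if not ifaceUp(args.interface):` through the `iface_down` handling in `try:`/`finally:` and moving the `write_text("0")` into the `finally` would restore the device on every exit path. The `chmod(0o644)` deserves a comment: the script already dies unless it runs as root (checked two lines above) and mode bits do not restrict root, so widening the node to world-readable only matters if unprivileged processes must read it — if that is the intent, say so, e.g. `# 0o644 lets non-root tools read the node; root does not need it for the writes below`. Note also that `write_text("1")` omits the trailing newline the previous `echo 1` wrote; whether the driver accepts either form is not visible here and is worth confirming on a device. The enclosing main block starts and ends outside the hunk.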
@@ -146,11 +146,7 @@ Launch online WPS bruteforce with the specified first half of the PIN: #### "Device or resource busy (-16)" Try disabling Wi-Fi in the system settings and kill the Network manager. Alternatively, you can try running OneShot with ```--iface-down``` argument. #### The wlan0 interface disappears when Wi-Fi is disabled on Android devices with MediaTek SoC - Try run the following: -``` -sudo chmod 644 /dev/wmtWifi -sudo sh -c 'echo 1 > /dev/wmtWifi' -``` + Try running OneShot with the `--mtk-wifi` flag to initialize Wi-Fi device driver. # Acknowledgements ## Special Thanks * `rofl0r` for initial implementation; From 236ce3786f27312717352124a6fba5448bdcc6ef Mon Sep 17 00:00:00 2001 From: Victor Golovanenko Date: Wed, 15 Jun 2022 23:28:18 +0300 Subject: [PATCH 5/8] Fixed a bug in the Companion --- oneshot.py | 1 + 1 file changed, 1 insertion(+) diff --git a/oneshot.py b/oneshot.py index cc90d40..c9c4b6f 100755 --- a/oneshot.py +++ b/oneshot.py @@ -453,6 +453,7 @@ def sendAndReceive(self, command): inmsg = b.decode('utf-8', errors='replace') return inmsg + @staticmethod def _explain_wpas_not_ok_status(command: str, respond: str): if command.startswith(('WPS_REG', 'WPS_PBC')): if respond == 'UNKNOWN COMMAND': From 31596196fd923c87e79623ab0af001231c7d259f Mon Sep 17 00:00:00 2001 From: Victor Golovanenko Date: Wed, 15 Jun 2022 23:30:28 +0300 Subject: [PATCH 6/8] README: changed link to Termux app --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f2f198c..37fd4f3 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ Optional: getting a list of vulnerable to pixie dust devices for highlighting in ``` sudo wget https://raw.githubusercontent.com/drygdryg/OneShot/master/vulnwsc.txt ``` -## [Termux](https://play.google.com/store/apps/details?id=com.termux) +## [Termux](https://termux.com/) Please note that root access is required. #### Using installer 
From 46dd5cf4cadf161f0da8ad498b143e29966a0a3a Mon Sep 17 00:00:00 2001 From: root Date: Mon, 5 Sep 2022 14:31:23 +0200 Subject: [PATCH 7/8] Added missing dependency in the doc for Termux and check error code from wpa_supplicant subprocess --- README.md | 2 +- oneshot.py | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 37fd4f3..0c73d88 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ Please note that root access is required. **Installing requirements** ``` pkg install -y root-repo - pkg install -y git tsu python wpa-supplicant pixiewps iw + pkg install -y git tsu python wpa-supplicant pixiewps iw openssl ``` **Getting OneShot** ``` diff --git a/oneshot.py b/oneshot.py index c9c4b6f..368880e 100755 --- a/oneshot.py +++ b/oneshot.py @@ -439,8 +439,13 @@ def __init_wpa_supplicant(self): self.wpas = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, encoding='utf-8', errors='replace') # Waiting for wpa_supplicant control interface initialization - while not os.path.exists(self.wpas_ctrl_path): - pass + while True: + ret = self.wpas.poll() + if ret is not None and ret != 0: + raise ValueError('wpa_supplicant returned an error: ' + self.wpas.communicate()[0]) + if os.path.exists(self.wpas_ctrl_path): + break + time.sleep(.1) def sendOnly(self, command): """Sends command to wpa_supplicant""" From 129fa7c1c54905f7f382aceb42452804b38eb821 Mon Sep 17 00:00:00 2001 From: Victor Golovanenko Date: Tue, 14 Feb 2023 00:42:43 +0300 Subject: [PATCH 8/8] Update vulnerable WSC list --- vulnwsc.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/vulnwsc.txt b/vulnwsc.txt index bdc0872..ff2c97d 100644 --- a/vulnwsc.txt +++ b/vulnwsc.txt 
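Review bot: The new wait loop has no upper bound: if wpa_supplicant exits with status 0 (the `ret != 0` test lets that case through) or keeps running without ever creating `self.wpas_ctrl_path`, the loop spins forever, and on the error path nothing is said about the still-referenced process. A deadline plus a plain `ret is not None` check covers both cases and lets the timeout path kill the orphaned process; the rewritten loop is below. `time.sleep` also requires `time` to be imported at module level, which is not visible in this hunk — confirm it is. The enclosing `__init_wpa_supplicant` starts outside the hunk.
```python
        # Waiting for wpa_supplicant control interface initialization
        deadline = time.monotonic() + 10  # seconds; constructed example, tune for slow devices
        while not os.path.exists(self.wpas_ctrl_path):
            ret = self.wpas.poll()
            if ret is not None:
                # Any exit (including 0) before the socket appears means the control interface will never come up
                raise ValueError('wpa_supplicant exited with code {}: {}'.format(ret, self.wpas.communicate()[0]))
            if time.monotonic() > deadline:
                self.wpas.kill()
                raise ValueError('timed out waiting for wpa_supplicant control interface ' + self.wpas_ctrl_path)
            time.sleep(.1)
```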
@@ -1,12 +1,15 @@ +ADSL Router EV-2006-07-27 ADSL RT2860 AIR3G WSC Wireless Access Point AIR3G WSC Device AirLive Wireless Gigabit AP AirLive Wireless Gigabit AP Archer_A9 1.0 +ArcherC20i 1.0 Archer A2 5.0 Archer A5 4.0 Archer C2 1.0 Archer C2 3.0 Archer C5 4.0 +Archer C6 3.20 Archer C6U 1.0.0 Archer C20 1.0 Archer C20 4.0 @@ -18,12 +21,15 @@ Archer C50 5.0 Archer C50 6.0 Archer MR200 1.0 Archer MR200 4.0 +Archer MR400 4.2 Archer MR200 5.0 Archer VR300 1.20 Archer VR400 3.0 +Archer VR2100 1.0 B-LINK 123456 Belkin AP EV-2012-09-01 DAP-1360 DAP-1360 +DIR-635 B3 DIR-819 v1.0.1 DIR-842 DIR-842 DWR-921C3 WBR-0001 @@ -32,7 +38,10 @@ D-Link Router DIR-605L D-Link Router DIR-615H1 D-Link Router DIR-655 D-Link Router DIR-809 +D-Link Router GO-RT-N150 +Edimax Edimax EC120-F5 1.0 +EC220-G5 2.0 EV-2009-02-06 Enhanced Wireless Router F6D4230-4 v1 Home Internet Center KEENETIC series @@ -44,6 +53,7 @@ Linksys Wireless Access Point EA7500 Linksys Wireless Router WRT110 NBG-419N NBG-419N Netgear AP EV-2012-08-04 +NETGEAR Wireless Access Point NETGEAR NETGEAR Wireless Access Point R6220 NETGEAR Wireless Access Point R6260 N/A EV-2010-09-20 @@ -65,6 +75,8 @@ TD-W9960 1.0 TD-W9960 1.20 TD-W9960v 1.0 TD-W8968 2.0 +TEW-731BR TEW-731BR +TL-MR100 1.0 TL-MR3020 3.0 TL-MR3420 5.0 TL-MR6400 3.0 @@ -85,11 +97,13 @@ TL-WR850N 3.0 TL-WR1042N EV-2010-09-20 Trendnet router TEW-625br Trendnet router TEW-651br +VN020-F3 1.0 VMG3312-T20A RT2860 VMG8623-T50A RT2860 WAP300N WAP300N WAP3205 WAP3205 Wi-Fi Protected Setup Router RT-AC1200G+ +Wi-Fi Protected Setup Router RT-AX55 Wi-Fi Protected Setup Router RT-N10U Wi-Fi Protected Setup Router RT-N12 Wi-Fi Protected Setup Router RT-N12D1 @@ -97,6 +111,7 @@ Wi-Fi Protected Setup Router RT-N12VP Wireless Access Point . Wireless Router 123456 Wireless Router RTL8xxx EV-2009-02-06 +Wireless Router Wireless Router Wireless WPS Router <#ZVMODELVZ#> Wireless WPS Router RT-N10E Wireless WPS Router RT-N10LX 
@@ -135,7 +150,9 @@ WPS Router RT-N56U WPS Router RT-N56UB1 WPS Router RT-N65U WPS Router RT-N300 +WR5570 2011-05-13 ZyXEL NBG-416N AP Router +ZyXEL NBG-416N AP Router NBG-416N ZyXEL NBG-418N AP Router ZyXEL NBG-418N AP Router NBG-418N ZyXEL Wireless AP Router NBG-417N