How did he do it? - Astrill Applet for Tomato

Discussion in 'Tomato Firmware' started by szpunk, Jul 20, 2013.

  1. szpunk

    szpunk Networkin' Nut Member

  2. rs232

    rs232 Network Guru Member

    Wow, I didn't know this was possible. I haven't tried it yet, but it opens a new world of possibilities!
    I guess a good way to find out how this works is to download the file and open it; also, taking a snapshot of the nvram before and after the installation to see what has changed would help.
     
  3. jerrm

    jerrm Network Guru Member

    My guess -
    Assuming a VPN tomato build is required to use existing vpn executables:
    save necessary new variables to nvram
    setfile2nvram to add the html/asp/cgi gui source files
    setfile2nvram to add appropriate .init/.fire/.wanup scripts
    setfile2nvram an init script to:
    --copy the www folder (or specific files - probably just tomato.js) to a folder under tmp
    --a little search and replace to add the menu entry to copied files
    --bind mount the copied folder/files over the originals
    --restart httpd
     
  4. koitsu

    koitsu Network Guru Member

    The problem is that the command the person executed in the GUI is not fully shown; the command is more than just "wget" (the contents of the download are being sent to stdout), as implied by the length of the horizontal scrollbar. I'm willing to bet the command is something like /bin/sh -c `wget ...`. This is EXTREMELY dangerous if you ask me.

    My guess is that DD-WRT may have some kind of "module" support for this type of thing.

    I've talked about this before with regards to OpenWRT and its method of doing package management, e.g. the firmwares are very bare-bones and you add on all the features you want purely via the GUI, where it downloads them off the 'net + uses opkg to manage everything, and it Just Works(tm). It's a well-designed and intelligent system, rather than a "monolithic" design which is what Tomato/TomatoUSB and many other firmwares use.

    It won't ever happen on Tomato/TomatoUSB because it would involve a ton of work and nobody has the time / wants to put in the time. The effort might as well justify a full-time job.

    P.S. -- LOL:

    Code:
    $ wget 'http://strongpath.net/ddwrt/install/2/f7746ffda148b98af0338dca95c1463f'
    --2013-07-20 11:57:14--  http://strongpath.net/ddwrt/install/2/f7746ffda148b98af0338dca95c1463f
    Resolving strongpath.net... 162.212.59.5
    Connecting to strongpath.net|162.212.59.5|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 32 [application/octet-stream]
    Saving to: 'f7746ffda148b98af0338dca95c1463f'
    
    100%[==========================================================================================>] 32          --.-K/s   in 0s
    
    2013-07-20 11:57:14 (2.54 MB/s) - 'f7746ffda148b98af0338dca95c1463f' saved [32/32]
    
    $ cat f7746ffda148b98af0338dca95c1463f
    echo "Invalid email or password"$
    
     
  5. RobbieW

    RobbieW Reformed Router Member

    What is installed is an init script of "eval `nvram get astrill_bootstrap`;". What's in astrill_bootstrap is...
    Code:
    if [ ! -e /tmp/astrillvpn ];
    then
        echo 'echo
    "<table width=100% height=100% border=0><tr><td align=center>Astrill is intializing. Please wait <strong><span id=t>60</span> sec</strong> ...</td></tr></table><script>var t=60;
    setInterval(function(){if(t<=0)document.location.href=document.location.href;
    else
    document.getElementById(\"t\").innerHTML=--t;},1000)</script>"'>/www/user/cgi-bin/astrill.cgi;
        chmod +x /www/user/cgi-bin/astrill.cgi;
        sleep 60;
    fi;

    X="1";

    while [ "$X" -ne "0" ];
    do wget -q -O /tmp/astrillvpn "http://strongpath.net/ddwrt/get.php?s=xxxxxxxxxx&b=tomato&v=1.28.7501&c=Broadcom-MIPS_74K_V4.0";
        X=$?;
        if [ "$X" -ne "0" ];
        then sleep 30;
        fi;
    done;
    chmod 755 /tmp/astrillvpn;/tmp/astrillvpn startup & astrill_devices=
    
    The bit that is xxxxxx is my Astrill id (I think), so I have removed it. Installing this added 1.8k to my NVRAM; I just did it to check. It can also be installed from the Astrill PC client when a user is logged in; that's the method I used.

    This only works if you have a connection at boot time, and often I don't. I much prefer the ryo method that Astrill describes in an article here ... https://www.astrill.com/knowledge-base/26/Routers. I've offloaded the certificates from NVRAM onto a USB stick, which got back about 3.5k of memory. It is much, much faster to initialise because it is not having to do a login etc. when the service is started.
     
  6. M0g13r

    M0g13r LI Guru Member

    Can someone please post what's in /www/user/cgi-bin/astrill.cgi to pastebin or something like that?

    Thanks

    Edit: this can be an easy way to make plugins/applets for tomato_usb and all based on it :)
     
  7. jerrm

    jerrm Network Guru Member

    The script is obfuscated/encrypted in some way; unless someone takes the time to crack it, posting it will be useless.

    But, there's nothing really special there. The script's methods are pretty much laid out in my post above, except the only code stored on the router is just a snippet of bootstrap to download everything at boot time, and a series of astrill_* nvram settings.

    At install:
    Nvram variables are set.
    One line is added to the init script to execute the bootstrap snippet stored in nvram.
    The astrill boot process is run to make things functional.

    At boot:
    The bootstrap downloads an astrillvpn script and executes it.

    Astrillvpn then:
    downloads a custom openvpn executable.
    creates links to itself under the cgi-bin folder
    copies tomato.js to a temp file and inserts the astrill menu entry
    bind mounts temp file over the native tomato.js.
    establishes the vpn connection if set to auto-start.

    If you want to trust downloading and executing a 3rd party script at every boot, without any way to verify the authenticity of the code, then I guess it is an OK solution, but I would never do it.
     
  8. jerrm

    jerrm Network Guru Member

    You are correct, but it's actually eval `wget...`

    Not that that's any better. Yes, EXTREMELY dangerous.
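    As an added example (not code from the thread, from Astrill, or from Tomato): the boot-time bootstrap jerrm describes in his earlier post, rewritten so that the downloaded script only runs after its SHA-256 matches a digest pinned at install time, instead of the eval `wget ...` pattern noted here. It assumes a busybox-style sh with sha256sum; names such as verify_and_run and PINNED_SHA256 are hypothetical, and the "download" is a constructed local file so it runs offline.

```shell
#!/bin/sh
# Added example (not Astrill's code, not from the thread): run a downloaded
# script only if its SHA-256 matches a digest pinned at install time (e.g. in
# nvram). Assumes busybox-style sh with sha256sum; all names are hypothetical.
# The pattern discussed above, for contrast (whatever the server, or anyone
# on the plain-HTTP path, returns is executed as root on the router):
#   eval `wget -q -O - "http://.../get.php?..."`

sha256_of() {
    # Print the hex digest of a file; busybox and coreutils both provide sha256sum.
    sha256sum "$1" | cut -d' ' -f1
}

# verify_and_run FILE PINNED_DIGEST: execute FILE only if its digest equals
# PINNED_DIGEST; otherwise return 1 without running anything.
verify_and_run() {
    file="$1"
    pinned="$2"
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$pinned" ]; then
        echo "bootstrap: digest mismatch for $file, refusing to execute" >&2
        echo "  expected $pinned" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    sh "$file"    # run via sh so this also works where /tmp is mounted noexec
}

# Offline demonstration with constructed content: the "download" is written to
# a temp dir instead of fetched, and the pinned digest is recorded from the
# trusted copy as an installer would. Returns 0 if the clean copy runs and
# the tampered copy is refused.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho astrill-ok\n' > "$dir/trusted"
    PINNED_SHA256=$(sha256_of "$dir/trusted")

    cp "$dir/trusted" "$dir/astrillvpn"
    if verify_and_run "$dir/astrillvpn" "$PINNED_SHA256"; then good=0; else good=1; fi

    printf '#!/bin/sh\necho tampered\n' > "$dir/astrillvpn"   # modified in transit
    if verify_and_run "$dir/astrillvpn" "$PINNED_SHA256"; then bad=0; else bad=1; fi

    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo && echo "bootstrap demo: clean copy ran, tampered copy refused"
```

    A pinned digest only proves the download is the file the installer saw; rotating it still requires a trusted channel, which is the part the eval `wget` approach skips entirely.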
     
  9. RobbieW

    RobbieW Reformed Router Member

    In principle - risky. This is a download from a VPN supplier though so you're about to trust them with your (sensitive) IP traffic...
     
  10. szpunk

    szpunk Networkin' Nut Member

    Thanks!
     
  11. koitsu

    koitsu Network Guru Member

    My concern is less with who the provider is or the traffic, and more with what such "blindly run" scripts could end up doing to a user's router (from security concerns to bricking it).
     