Add Huawei HG532n command injection exploit #8245
The Huawei HG532n routers, shipped by TE-Data Egypt, are vulnerable to a command injection exploit in the ping field of their limited shell interface, leading to a root shell.
TE-Data, the incumbent ISP operator in Egypt, provided this router to customers by default. A 3-day fingerprinting network scan shows around 50,000+ devices exploitable in the wild.
Affected hardware/software version strings:
The web interface has two kinds of logins, a limited
The web interface's user mode provides very limited functionality, only WiFi password changes and NAT port forwarding. Nonetheless, by port-forwarding the router's own (filtered) telnet port, it becomes remotely accessible.
Due to the ISP's (encrypted) runtime router configuration at
Since this is specific to a certain hardware device, please find below PCAP captures (and
Also kindly check below a screenshot of the exploit + an example run when
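The description above covers the root cause (a ping field whose value ends up on a shell command line) but not the injected string itself. The following is an added illustration, not code from this PR, from the Metasploit module or from the router's firmware: it shows the vulnerable pattern of building a ping command by string interpolation next to a hardened handler that allow-lists the target and execs ping with an argv array so no shell parses the input. The target string `8.8.8.8; id`, the helper names and the `-c 1` ping options are constructed for the example and are not the payload used against the HG532n.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed example input: the kind of ping target an attacker would submit.
 * The actual payload used against the HG532n is not reproduced here. */
static const char *const INJECTED_TARGET = "8.8.8.8; id";

/* Vulnerable pattern: the target is pasted into a shell command line.
 * Anything the shell treats specially (';', '|', '`', '$(...)') is honoured. */
int build_ping_command_vulnerable(const char *target, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 4 %s", target);
    return n >= 0 && (size_t)n < outlen;
}

/* Returns 1 if the shell would see a second command in the built line. */
int command_line_has_injection(const char *cmdline)
{
    return strpbrk(cmdline, ";|&`$\n") != NULL;
}

/* Allow-list check: hostname or dotted IPv4 characters only, no leading '-'
 * (which ping would otherwise parse as an option). */
int is_safe_ping_target(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > 253 || target[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate, then exec ping with an argv array so that no
 * shell ever parses the target. Returns ping's exit status, or -1 if the
 * target was rejected or the exec failed. */
int ping_target_hardened(const char *target)
{
    if (!is_safe_ping_target(target))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)target, NULL };
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char line[256];
    build_ping_command_vulnerable(INJECTED_TARGET, line, sizeof line);
    printf("vulnerable builds: \"%s\" (injection: %s)\n", line,
           command_line_has_injection(line) ? "yes" : "no");
    printf("hardened accepts \"%s\": %s\n", INJECTED_TARGET,
           is_safe_ping_target(INJECTED_TARGET) ? "yes" : "no");
    return 0;
}
```

The allow-list plus `execvp` is the part that matters: escaping the target for the shell is fragile, whereas never invoking a shell removes the injection surface entirely, and rejecting a leading `-` closes the separate option-injection path.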
I'd suggest maybe moving most of the stuff in the info hash to the docs. Keep it somewhat along the lines of:
Otherwise everything looks good at first glance. Do you happen to have a firmware image for this device?
Sure, will update the PR now. (Edit: done)
Ok. I'm preparing a VM now for the r7 team to log into. Hosts outside the ISP network will not be able to access the target routers' port 80, so this will be a VM from within, where things should work.
Apr 17, 2017
The exploits/linux/http/huawei_hg532n_cmdinject module has been added to the framework. It exploits Huawei HG532n routers, which, as shipped by TE-Data Egypt, are vulnerable to a command injection exploit in the ping field of their limited shell interface.
@Boushy Update your environment to the required ruby-2.4 version where the
P.S. Merged pull requests are not a place for asking for help. Discuss over IRC or open an explicit Github issue ticket for that.
I get this, please help:
[-] Handler failed to bind to 156.202.xxx.xxx:443:- -
I'm going to take a stab in the dark since you've given us little to go by (like info on the target, since you are authorized to test it and all), and haven't shown us the options...
I'm sorry, I should have been more clear. The issue is in these last few lines:
```
   DOWNFILE                   no        Filename to download, (default: random)

Payload options (linux/mipsbe/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  156.202.32.xx    yes       The listen address

   0   Linux mipsbe Payload
```