GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/appletv/appletv_display_image.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
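# Auxiliary module that sends one HTTP `PUT /photo` request, carrying the bytes
# of a local image file, to the AirPlay service of an Apple TV (RPORT defaults
# to 7000) and then holds the connection open for TIME seconds.
#
# HTTP credentials come from the datastore: HttpUsername defaults to 'AirPlay'
# and HttpPassword is optional. The module's own Notes declare IOC_IN_LOGS and
# SCREEN_EFFECTS, i.e. the request is expected to be visible both in logs and
# on the display. Per the description, a device with an AirPlay password set
# requires HttpPassword, so setting that password is the relevant device-side
# control.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apple TV Image Remote Control',
        'Description' => %q{
          This module will show an image on an AppleTV device for a period of time.
          Some AppleTV devices are actually password-protected, in that case please
          set the HttpPassword datastore option. For password brute forcing, please see
          the module auxiliary/scanner/http/appletv_login.
        },
        'Author' => [
          '0a29406d9794e4f9b30b3c5d6702c708', # Original work
          'sinn3r' # You can blame me for mistakes
        ],
        'References' => [
          ['URL', 'http://nto.github.io/AirPlay.html']
        ],
        'DefaultOptions' => { 'HttpUsername' => 'AirPlay' },
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS],
          'Reliability' => []
        }
      )
    )

    # Register HttpPassword here so it is listed with the module's own options
    # and the user is more likely to notice it.
    register_options([
      Opt::RPORT(7000),
      OptInt.new('TIME', [true, 'Time in seconds to show the image', 10]),
      OptPath.new('FILE', [true, 'Image to upload and show']),
      OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])
    ])

    # We're not actually using any of these against AppleTV in our Rex HTTP client init,
    # so deregister them so we don't overwhelm the user with fake options.
    deregister_options(
      'HTTP::uri_encode_mode', 'HTTP::uri_full_url', 'HTTP::pad_method_uri_count',
      'HTTP::pad_uri_version_count', 'HTTP::pad_method_uri_type', 'HTTP::pad_uri_version_type',
      'HTTP::method_random_valid', 'HTTP::method_random_invalid', 'HTTP::method_random_case',
      'HTTP::uri_dir_self_reference', 'HTTP::uri_dir_fake_relative', 'HTTP::uri_use_backslashes',
      'HTTP::pad_fake_headers', 'HTTP::pad_fake_headers_count', 'HTTP::pad_get_params',
      'HTTP::pad_get_params_count', 'HTTP::pad_post_params', 'HTTP::pad_post_params_count',
      'HTTP::uri_fake_end', 'HTTP::uri_fake_params_start', 'HTTP::header_folding',
      'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'NTLM::SendLM', 'NTLM::SendNTLM',
      'NTLM::SendSPN', 'NTLM::UseLMKey', 'DOMAIN', 'DigestAuthIIS', 'VHOST'
    )
  end

  #
  # Sends an image request to AppleTV. HttpClient isn't used because we actually need to keep
  # the connection alive so that the video can keep playing.
  #
  # @param opts [Hash] request options handed unchanged to Rex's request_raw
  # @return [Object, nil] whatever send_recv returned; show_image treats a
  #   falsy value as a timed-out connection
  #
  def send_image_request(opts)
    http = Rex::Proto::Http::Client.new(
      rhost,
      rport.to_i,
      {
        'Msf' => framework,
        'MsfExploit' => self
      },
      ssl,
      ssl_version,
      proxies,
      datastore['HttpUsername'],
      datastore['HttpPassword']
    )
    add_socket(http)

    begin
      http.set_config('agent' => datastore['UserAgent'])

      req = http.request_raw(opts)
      res = http.send_recv(req)

      # res may be nil when no response arrived; reading .code on it would raise
      # NoMethodError before show_image gets the chance to report the timeout.
      Rex.sleep(datastore['TIME']) if res&.code == 200

      res
    ensure
      # Close the connection even if the request or the sleep raised.
      http.close
    end
  end

  # Reads the file named by the FILE datastore option in binary mode.
  #
  # @return [String] the raw bytes of the image file
  def get_image_data
    File.binread(datastore['FILE'])
  end

  # Builds the `PUT /photo` request around the image bytes, sends it and prints
  # one line describing the outcome (no response, HTTP 200, or anything else).
  def show_image
    image = get_image_data

    opts = {
      'method' => 'PUT',
      'uri' => '/photo',
      'data' => image
    }

    res = send_image_request(opts)

    if !res
      print_status('The connection timed out')
    elsif res.code == 200
      print_status('Received HTTP 200')
    else
      print_error('The request failed due to an unknown reason')
    end
  end

  # Module entry point. The status line is printed before the request is
  # actually sent, because show_image does not return until the display
  # duration has elapsed.
  def run
    print_status("Image request sent. Duration set: #{datastore['TIME']} seconds")
    show_image
  end
end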