Path: blob/master/modules/auxiliary/admin/appletv/appletv_display_video.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'uri'67class MetasploitModule < Msf::Auxiliary8include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Apple TV Video Remote Control',15'Description' => %q{16This module plays a video on an AppleTV device. Note that17AppleTV can be somewhat picky about the server that hosts the video.18Tested servers include default IIS, default Apache, and Ruby's WEBrick.19For WEBrick, the default MIME list may need to be updated, depending on20what media file is to be played. Python SimpleHTTPServer is not21recommended. Also, if you're playing a video, the URL must be an IP22address. Some AppleTV devices are actually password-protected; in that23case please set the PASSWORD datastore option. For password24brute forcing, please see the module auxiliary/scanner/http/appletv_login.25},26'Author' => [27'0a29406d9794e4f9b30b3c5d6702c708', # Original work28'sinn3r' # Make myself liable to mistakes since I made significant changes29],30'References' => [31['URL', 'http://nto.github.io/AirPlay.html']32],33'DefaultOptions' => { 'HttpUsername' => 'AirPlay' },34'License' => MSF_LICENSE,35'Notes' => {36'Stability' => [CRASH_SAFE],37'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS],38'Reliability' => []39}40)41)4243register_options([44Opt::RPORT(7000),45OptInt.new('TIME', [true, 'Time in seconds to show the video', 60]),46OptString.new('URL', [true, 'URL of video to show. Must use an IP address']),47OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])48])4950# We're not actually using any of these against AppleTV in our Rex HTTP client init,51# so deregister them so we don't overwhelm the user with fake options.52deregister_options(53'HTTP::uri_encode_mode', 'HTTP::uri_full_url', 'HTTP::pad_method_uri_count',54'HTTP::pad_uri_version_count', 'HTTP::pad_method_uri_type', 'HTTP::pad_uri_version_type',55'HTTP::method_random_valid', 'HTTP::method_random_invalid', 'HTTP::method_random_case',56'HTTP::uri_dir_self_reference', 'HTTP::uri_dir_fake_relative', 'HTTP::uri_use_backslashes',57'HTTP::pad_fake_headers', 'HTTP::pad_fake_headers_count', 'HTTP::pad_get_params',58'HTTP::pad_get_params_count', 'HTTP::pad_post_params', 'HTTP::pad_post_params_count',59'HTTP::uri_fake_end', 'HTTP::uri_fake_params_start', 'HTTP::header_folding',60'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'NTLM::SendLM', 'NTLM::SendNTLM',61'NTLM::SendSPN', 'NTLM::UseLMKey', 'DOMAIN', 'DigestAuthIIS', 'VHOST'62)63end6465#66# Sends a video request to AppleTV. HttpClient isn't used because we actually need to keep67# the connection alive so that the video can keep playing.68#69def send_video_request(opts)70http = Rex::Proto::Http::Client.new(71rhost,72rport.to_i,73{74'Msf' => framework,75'MsfExploit' => self76},77ssl,78ssl_version,79proxies,80datastore['HttpUsername'],81datastore['HttpPassword']82)83add_socket(http)8485http.set_config('agent' => datastore['UserAgent'])8687req = http.request_raw(opts)88res = http.send_recv(req)89Rex.sleep(datastore['TIME']) if res.code == 20090http.close9192res93end9495#96# Checks the URI datastore option. AppleTV is sort of picky about the URI. It's better to97# always supply an IP instead of a domain.98#99def validate_source!(uri)100unless Rex::Socket.is_ipv4?(URI(uri).host) # Same trick in target_uri form HttpClient101raise Msf::OptionValidateError, ['URL']102end103end104105#106# Plays a video as a new thread107#108def play_video_uri109uri = datastore['URL']110validate_source!(uri)111112body = "Content-Location: #{uri}\n"113body << "Start-Position: 0.0\n"114115opts = {116'method' => 'POST',117'uri' => '/play',118'headers' => {119'Content-Length' => body.length.to_s,120'Content-Type' => 'text/parameters'121},122'data' => body123}124125res = send_video_request(opts)126127if !res128print_status('The connection timed out')129elsif res.code == 200130print_status('Received HTTP 200')131else132print_error('The request failed due to an unknown reason')133end134end135136#137# Maybe it's just me not understanding the /stop API correctly, but when I send a request to138# /stop, it doesn't actually do anything. It is sort of possible to stop my video by looking139# through framework.threads.each {|t| puts t[:tm_name]}, and then kill the right thread. But140# if there are multiple appletv_display_video running, we don't seem to have a good way to141# kill the right thread we want. We could kill them all, but we shouldn't do that. So I'll142# just leave this method here, and then we'll think about how to do it later.143#144def stop_play145raise NotImplementedError146end147148def run149print_status("Video request sent. Duration set: #{datastore['TIME']} seconds")150play_video_uri151end152end153154155