Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'uri'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Apple TV Video Remote Control',
14
      'Description'    => %q(
15
        This module plays a video on an AppleTV device. Note that
16
        AppleTV can be somewhat picky about the server that hosts the video.
17
        Tested servers include default IIS, default Apache, and Ruby's WEBrick.
18
        For WEBrick, the default MIME list may need to be updated, depending on
19
        what media file is to be played. Python SimpleHTTPServer is not
20
        recommended. Also, if you're playing a video, the URL must be an IP
21
        address. Some AppleTV devices are actually password-protected; in that
22
        case please set the PASSWORD datastore option. For password
23
        brute forcing, please see the module auxiliary/scanner/http/appletv_login.
24
      ),
25
      'Author'         =>
26
        [
27
          '0a29406d9794e4f9b30b3c5d6702c708', # Original work
28
          'sinn3r'                            # Make myself liable to mistakes since I made significant changes
29
        ],
30
      'References'     =>
31
        [
32
          ['URL', 'http://nto.github.io/AirPlay.html']
33
        ],
34
      'DefaultOptions' => { 'HttpUsername' => 'AirPlay' },
35
      'License'        => MSF_LICENSE
36
    ))
37

38
    register_options([
39
      Opt::RPORT(7000),
40
      OptInt.new('TIME', [true, 'Time in seconds to show the video', 60]),
41
      OptString.new('URL', [true, 'URL of video to show. Must use an IP address']),
42
      OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])
43
    ])
44

45
    # We're not actually using any of these against AppleTV in our Rex HTTP client init,
46
    # so deregister them so we don't overwhelm the user with fake options.
47
    deregister_options(
48
      'HTTP::uri_encode_mode', 'HTTP::uri_full_url', 'HTTP::pad_method_uri_count',
49
      'HTTP::pad_uri_version_count', 'HTTP::pad_method_uri_type', 'HTTP::pad_uri_version_type',
50
      'HTTP::method_random_valid', 'HTTP::method_random_invalid', 'HTTP::method_random_case',
51
      'HTTP::uri_dir_self_reference', 'HTTP::uri_dir_fake_relative', 'HTTP::uri_use_backslashes',
52
      'HTTP::pad_fake_headers', 'HTTP::pad_fake_headers_count', 'HTTP::pad_get_params',
53
      'HTTP::pad_get_params_count', 'HTTP::pad_post_params', 'HTTP::pad_post_params_count',
54
      'HTTP::uri_fake_end', 'HTTP::uri_fake_params_start', 'HTTP::header_folding',
55
      'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'NTLM::SendLM', 'NTLM::SendNTLM',
56
      'NTLM::SendSPN', 'NTLM::UseLMKey', 'DOMAIN', 'DigestAuthIIS', 'VHOST'
57
    )
58
  end
59

60

61
  #
62
  # Sends a video request to AppleTV. HttpClient isn't used because we actually need to keep
63
  # the connection alive so that the video can keep playing.
64
  #
65
  def send_video_request(opts)
66
    http = nil
67

68
    http = Rex::Proto::Http::Client.new(
69
      rhost,
70
      rport.to_i,
71
      {
72
        'Msf' => framework,
73
        'MsfExploit' => self
74
      },
75
      ssl,
76
      ssl_version,
77
      proxies,
78
      datastore['HttpUsername'],
79
      datastore['HttpPassword']
80
    )
81
    add_socket(http)
82

83
    http.set_config('agent' => datastore['UserAgent'])
84

85
    req = http.request_raw(opts)
86
    res = http.send_recv(req)
87
    Rex.sleep(datastore['TIME']) if res.code == 200
88
    http.close
89

90
    res
91
  end
92

93

94
  #
95
  # Checks the URI datastore option. AppleTV is sort of picky about the URI. It's better to
96
  # always supply an IP instead of a domain.
97
  #
98
  def validate_source!(uri)
99
    unless Rex::Socket.is_ipv4?(URI(uri).host) # Same trick in target_uri form HttpClient
100
      raise Msf::OptionValidateError.new(['URL'])
101
    end
102
  end
103

104

105
  #
106
  # Plays a video as a new thread
107
  #
108
  def play_video_uri
109
    uri = datastore['URL']
110
    validate_source!(uri)
111

112
    body  = "Content-Location: #{uri}\n"
113
    body << "Start-Position: 0.0\n"
114

115
    opts = {
116
      'method'  => 'POST',
117
      'uri'     => '/play',
118
      'headers' => {
119
        'Content-Length' => body.length.to_s,
120
        'Content-Type'   => 'text/parameters'
121
      },
122
      'data'    => body
123
    }
124

125
    res = send_video_request(opts)
126

127
    if !res
128
      print_status("The connection timed out")
129
    elsif res.code == 200
130
      print_status("Received HTTP 200")
131
    else
132
      print_error("The request failed due to an unknown reason")
133
    end
134
  end
135

136

137
  #
138
  # Maybe it's just me not understanding the /stop API correctly, but when I send a request to
139
  # /stop, it doesn't actually do anything. It is sort of possible to stop my video by looking
140
  # through framework.threads.each {|t| puts t[:tm_name]}, and then kill the right thread. But
141
  # if there are multiple appletv_display_video running, we don't seem to have a good way to
142
  # kill the right thread we want. We could kill them all, but we shouldn't do that. So I'll
143
  # just leave this method here, and then we'll think about how to do it later.
144
  #
145
  def stop_play
146
    raise NotImplementedError
147
  end
148

149

150
  def run
151
    print_status("Video request sent. Duration set: #{datastore['TIME']} seconds")
152
    play_video_uri
153
  end
154
end
155

156