Path: blob/master/modules/auxiliary/admin/wemo/crockpot.rb
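##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module that sends the Wemo "SetCrockpotState" UPnP action to a
# Belkin Wemo-enabled Crock-Pot, to start or stop cooking.
#
# Security-relevant points for reviewers and defenders:
# * The control request built in #send_request_cook sets no credentials of
#   its own (no Authorization header, cookie or token).
#   NOTE(review): this suggests the control endpoint is unauthenticated for
#   any host that can reach it; confirm against the device. If so, network
#   isolation of the device is the practical control.
# * The traffic is easy to recognise: a GET for /setup.xml followed by a POST
#   to /upnp/control/basicevent1 carrying the SOAPACTION header
#   "urn:Belkin:service:basicevent:1#SetCrockpotState", on TCP 49152 by
#   default.
# * The module declares PHYSICAL_EFFECTS and ships with DefangedMode enabled,
#   so nothing is sent to change device state unless the operator turns that
#   option off.
class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  # AutoCheck runs #check before #run, so the state-changing request is only
  # sent after the target has identified itself as a Wemo Crock-Pot.
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata, the TEMP/TIME options and the DefangedMode
  # advanced option.
  #
  # @param info [Hash] metadata passed in by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Belkin Wemo-Enabled Crock-Pot Remote Control',
        'Description' => %q{
          This module acts as a simple remote control for Belkin Wemo-enabled
          Crock-Pots by implementing a subset of the functionality provided by the
          Wemo App.

          No vulnerabilities are exploited by this Metasploit module in any way.
        },
        'Author' => 'wvu',
        'References' => [
          ['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'],
          ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
          ['URL', 'http://www.wemo.com/']
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          ['Cook', { 'Description' => 'Cook stuff' }],
          ['Stop', { 'Description' => 'Stop cooking' }]
        ],
        'DefaultAction' => 'Cook',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The module changes the state of a heating appliance.
          'SideEffects' => [PHYSICAL_EFFECTS],
          'Reliability' => []
        }
      )
    )

    register_options([
      Opt::RPORT(49152),
      # TEMP is restricted to the keys of #modes, so only known mode names
      # pass option validation.
      OptEnum.new('TEMP', [true, 'Temperature', 'Off', modes.keys]),
      OptInt.new('TIME', [true, 'Cook time in minutes', 0])
    ])

    register_advanced_options([
      # Safe by default: #run returns without sending anything while this
      # option is true.
      OptBool.new('DefangedMode', [true, 'Run in defanged mode', true])
    ])
  end

  # Fingerprints the target from its UPnP device description.
  #
  # @return [Exploit::CheckCode] Appears when /setup.xml names the Crock-Pot
  #   device type, Detected for any other Belkin device type, Unknown when no
  #   HTTP response was received, Safe otherwise
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/setup.xml'
    )

    # A missing response says nothing about the target, so report it as
    # Unknown instead of Safe.
    return Exploit::CheckCode::Unknown('No response from target') unless res

    if res.code == 200 && res.body.include?('urn:Belkin:device:')
      if res.body.include?('urn:Belkin:device:crockpot:1')
        return Exploit::CheckCode::Appears('Wemo-enabled Crock-Pot detected')
      end

      return Exploit::CheckCode::Detected('Wemo device detected, but it is not a Crock-Pot')
    end

    Exploit::CheckCode::Safe
  end

  # Performs the selected action (Cook or Stop) and reports the cook time
  # echoed back by the device.
  #
  # Returns early, without sending a request, when DefangedMode is set or
  # when TIME is negative.
  #
  # @return [void]
  def run
    if datastore['DefangedMode']
      print_error('Running in defanged mode')
      return
    end

    case action.name
    when 'Cook'
      # OptInt accepts negative integers; a negative cook time is meaningless
      # and must not be sent to a heating appliance.
      if datastore['TIME'] < 0
        print_error('TIME must be zero or greater, aborting!')
        return
      end

      print_status("Cooking on #{datastore['TEMP']} for #{datastore['TIME']}m")
      res = send_request_cook(datastore['TEMP'], datastore['TIME'])
    when 'Stop'
      print_status('Setting temperature to Off and cook time to 0m')
      res = send_request_cook('Off', 0)
    end

    # Success requires a 200 response whose XML body contains a <time>
    # element; anything else (including no response) is a failure.
    unless res && res.code == 200 && (time = res.get_xml_document.at('//time'))
      print_error("Failed to #{action.name.downcase}, aborting!")
      return
    end

    print_good("Cook time set to #{time.text}m")
  end

  # Sends the SetCrockpotState SOAP action to the basicevent control URL.
  #
  # @param temp [String] mode name, one of the keys of #modes
  # @param time [Integer] cook time in minutes
  # @return [Object, nil] the value returned by send_request_cgi
  def send_request_cook(temp, time)
    send_request_cgi(
      'method' => 'POST',
      'uri' => '/upnp/control/basicevent1',
      'ctype' => 'text/xml',
      'headers' => {
        'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetCrockpotState"'
      },
      'data' => generate_soap_xml(temp, time)
    )
  end

  # Builds the SOAP envelope for SetCrockpotState.
  #
  # Both values are interpolated into the XML without escaping. That is
  # harmless for the values #run passes (an OptEnum-validated mode name mapped
  # to an integer, and an OptInt), but callers must not pass arbitrary strings
  # as +time+. An unknown +temp+ yields an empty <mode> element because
  # modes[temp] is nil.
  #
  # @param temp [String] mode name looked up in #modes
  # @param time [Integer] cook time in minutes
  # @return [String] the SOAP request body
  def generate_soap_xml(temp, time)
    <<~EOF
      <?xml version="1.0" encoding="utf-8"?>
      <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <s:Body>
          <u:SetCrockpotState xmlns:u="urn:Belkin:service:basicevent:1">
            <mode>#{modes[temp]}</mode>
            <time>#{time}</time>
          </u:SetCrockpotState>
        </s:Body>
      </s:Envelope>
    EOF
  end

  # Maps the TEMP option names to the integer codes sent in <mode>.
  #
  # @return [Hash{String => Integer}]
  def modes
    {
      'Off' => 0,
      'Warm' => 50,
      'Low' => 51,
      'High' => 52
    }
  end

end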