Path: blob/master/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb
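##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Scanner that flags hosts answering with the SerComm backdoor reply prefix.
#
# For each target the module connects to RPORT (default 32764), sends five
# random bytes, reads one reply and compares its first four bytes with the
# two known signatures. A match is recorded with report_vuln.
#
# Only the reply prefix is compared, so a hit is a lead rather than a
# confirmation, and the module itself says "Possible backdoor detected".
# Flagged hosts should be verified against the references listed below, and
# access to the port restricted in the meantime.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Reply prefix => label this module reports for it. The endianness labels
  # are the ones the module has always printed for each prefix.
  BACKDOOR_SIGNATURES = {
    'MMcS' => 'Big Endian',
    'ScMM' => 'Little Endian'
  }.freeze

  # Registers the module metadata and the default target port.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SerComm Network Device Backdoor Detection',
        'Description' => %q{
          This module can identify SerComm manufactured network devices which
          contain a backdoor, allowing command injection or account disclosure.
        },
        'Author' => [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2014-0659' ],
          [ 'OSVDB', '101653' ],
          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
        ],
        'DisclosureDate' => '2013-12-31',
        # NOTE(review): all three values are still the UNKNOWN_* placeholders;
        # an operator cannot tell from the metadata how intrusive the probe is.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      Opt::RPORT(32764)
    ])
  end

  # Records the finding for one host via report_vuln.
  #
  # @param ip [String] address of the host that answered with a signature
  # @param endianness [String] label taken from BACKDOOR_SIGNATURES
  def do_report(ip, endianness)
    report_vuln(
      host: ip,
      port: rport,
      name: 'SerComm Network Device Backdoor',
      refs: references,
      info: "SerComm Network Device Backdoor found on a #{endianness} device"
    )
  end

  # Probes a single host and reports it when the reply starts with a known
  # signature.
  #
  # @param ip [String] address of the host being scanned
  def run_host(ip)
    res = begin
      connect
      sock.put(Rex::Text.rand_text(5))
      sock.get_once
    ensure
      # Close the socket even when the send or read raises; the original
      # only disconnected on the success path and leaked it otherwise.
      disconnect
    end

    # res is nil when nothing was read; treat that as "not detected".
    match = res && BACKDOOR_SIGNATURES.find { |magic, _label| res.start_with?(magic) }

    if match
      endianness = match.last
      print_good("#{ip}:#{rport} - Possible backdoor detected - #{endianness}")
      do_report(ip, endianness)
    else
      vprint_status("#{ip}:#{rport} - Backdoor not detected.")
    end
  rescue Rex::ConnectionError => e
    vprint_error("#{ip}:#{rport} - Connection failed: #{e.class}: #{e}")
  end
end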