GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
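class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Leading bytes of a reply from the probed service. Which of the two the
  # reply starts with is what this module uses to label the device's byte
  # order in its output and in the vulnerability report.
  BIG_ENDIAN_MAGIC = 'MMcS'.freeze
  LITTLE_ENDIAN_MAGIC = 'ScMM'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SerComm Network Device Backdoor Detection',
        'Description' => %q{
          This module can identify SerComm manufactured network devices which
          contain a backdoor, allowing command injection or account disclosure.
        },
        'Author' => [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-0659'],
          ['OSVDB', '101653'],
          ['URL', 'https://github.com/elvanderb/TCP-32764']
        ],
        'DisclosureDate' => '2013-12-31'
      )
    )

    register_options([
      Opt::RPORT(32764)
    ])
  end

  # Records the finding for +ip+ on the configured RPORT via the Report mixin.
  #
  # @param ip [String] host whose reply matched one of the magic prefixes
  # @param endianness [String] 'Big Endian' or 'Little Endian'; only used in
  #   the free-text info field of the report
  def do_report(ip, endianness)
    report_vuln(
      host: ip,
      port: rport,
      name: 'SerComm Network Device Backdoor',
      refs: references,
      info: "SerComm Network Device Backdoor found on a #{endianness} device"
    )
  end

  # Probes a single host: connects to RPORT, writes a short random payload and
  # reads one reply. The payload content is irrelevant to the check (only the
  # reply prefix is inspected), so rand_text keeps the probe non-static.
  #
  # The socket is released in +ensure+ so that an exception raised by put or
  # get_once (not just a failed connect) cannot leak the connection.
  #
  # @param ip [String] target host handed in by the Scanner mixin
  def run_host(ip)
    res = nil
    begin
      connect
      sock.put(Rex::Text.rand_text(5))
      res = sock.get_once
    rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::EOFError, ::Timeout::Error => e
      vprint_error("#{ip}:#{rport} - Connection failed: #{e.class}: #{e}")
      return
    ensure
      disconnect
    end

    endianness = endianness_of(res)
    if endianness
      print_good("#{ip}:#{rport} - Possible backdoor detected - #{endianness}")
      do_report(ip, endianness)
    else
      vprint_status("#{ip}:#{rport} - Backdoor not detected.")
    end
  end

  private

  # Maps the reply's leading bytes to the endianness label used in output.
  #
  # @param res [String, nil] raw reply from get_once, or nil when nothing was read
  # @return [String, nil] 'Big Endian', 'Little Endian', or nil when the reply
  #   is absent, empty, or does not start with a known prefix
  def endianness_of(res)
    return nil if res.nil? || res.empty?
    return 'Big Endian' if res.start_with?(BIG_ENDIAN_MAGIC)
    return 'Little Endian' if res.start_with?(LITTLE_ENDIAN_MAGIC)

    nil
  end
end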