Land rapid7#7747, Add LoginScanner module for BAVision IP cameras

dmohanty-r7 · dmohanty-r7 · commit 5cba9b003454 · 2017-01-06T16:25:44.000-06:00
diff --git a/documentation/modules/auxiliary/scanner/http/bavision_cam_login.md b/documentation/modules/auxiliary/scanner/http/bavision_cam_login.md
@@ -0,0 +1,28 @@
+This module allows you to log into an BAVision IP Camera's web server.
+
+The instructions shipped with the camera do not mention clearly regarding the existence of the
+lighttpd web server, and it uses admin:123456 as the default credential. Even if the default
+password is changed, the account could also be bruteforced since there is no policy for lockouts.
+
+
+## Vulnerable Application
+
+The web server is built into the IP camera. Specifically, this camera was tested during development:
+
+"BAVISION 1080P HD Wifi Wireless IP Camera Home Security Baby Monitor Spy Pet/Dog Cameras Video Monitoring Plug/Play,Pan/Tilt With Two-Way Audio and Night Vision"
+
+http://goo.gl/pHAqS1
+
+## Verification Steps
+
+  1. Read the instructions that come with the IP camera to set it up
+  2. Find the IP of the camera (in lab, your router should have info about this)
+  3. Do: ```use auxiliary/scanner/http/bavision_cam_login```
+  4. Set usernames and passwords
+  5. Do: ```run```
+
+## Options
+
+  **TRYDEFAULT**
+
+  The ```TRYDEFAULT``` options adds the default credential admin:123456 to the credential list.
diff --git a/lib/metasploit/framework/login_scanner/bavision_cameras.rb b/lib/metasploit/framework/login_scanner/bavision_cameras.rb
@@ -0,0 +1,119 @@
+require 'metasploit/framework/login_scanner/http'
+require 'digest'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      class BavisionCameras < HTTP
+
+        DEFAULT_PORT  = 80
+        PRIVATE_TYPES = [ :password ]
+        LOGIN_STATUS  = Metasploit::Model::Login::Status # Shorter name
+
+
+        # Checks if the target is BAVision Camera's web server. The login module should call this.
+        #
+        # @return [Boolean] TrueClass if target is SWG, otherwise FalseClass
+        def check_setup
+          login_uri = normalize_uri("#{uri}")
+          res = send_request({'uri'=> login_uri})
+
+          if res && res.headers['WWW-Authenticate'].match(/realm="IPCamera Login"/)
+            return true
+          end
+
+          false
+        end
+
+
+        # Auth to the server using digest auth
+        def try_digest_auth(cred)
+          login_uri = normalize_uri("#{uri}")
+          res = send_request({
+            'uri'        => login_uri,
+            'credential' => cred,
+            'DigestAuthIIS' => false,
+            'headers' => {'Accept'=> '*/*'}
+          })
+
+          digest = digest_auth(cred.public, cred.private, res.headers)
+
+          res = send_request({
+            'uri' => login_uri,
+            'headers' => {
+              'Authorization' => digest
+            }})
+
+          if res && res.code == 200 && res.body =~ /hy\-cgi\/user\.cgi/
+            return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.body}
+          end
+
+          {:status => LOGIN_STATUS::INCORRECT, :proof => res.body}
+        end
+
+        # The Rex HTTP Digest auth is making the camera server to refuse to respond for some reason.
+        # The API also fails to generate the CNONCE parameter (bug), which makes it unsuitable for
+        # our needs, therefore we have our own implementation of digest auth.
+        def digest_auth(user, password, response)
+          nonce_count = 1
+          cnonce = Digest::MD5.hexdigest("%x" % (Time.now.to_i + rand(65535)))
+
+          response['www-authenticate'] =~ /^(\w+) (.*)/
+
+          params = {}
+          $2.gsub(/(\w+)="(.*?)"/) { params[$1] = $2 }
+
+          a_1 = "#{user}:#{params['realm']}:#{password}"
+          a_2 = "GET:#{uri}"
+          request_digest = ''
+          request_digest << Digest::MD5.hexdigest(a_1)
+          request_digest << ':' << params['nonce']
+          request_digest << ':' << ('%08x' % nonce_count)
+          request_digest << ':' << cnonce
+          request_digest << ':' << params['qop']
+          request_digest << ':' << Digest::MD5.hexdigest(a_2)
+
+          header = []
+          header << "Digest username=\"#{user}\""
+          header << "realm=\"#{params['realm']}\""
+          header << "qop=#{params['qop']}"
+          header << "uri=\"/\""
+          header << "nonce=\"#{params['nonce']}\""
+          header << "nc=#{'%08x' % nonce_count}"
+          header << "cnonce=\"#{cnonce}\""
+          header << "response=\"#{Digest::MD5.hexdigest(request_digest)}\""
+
+          header * ', '
+        end
+
+
+        # Attempts to login to the camera. This is called first.
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp'
+          }
+
+          begin
+            result_opts.merge!(try_digest_auth(credential))
+          rescue ::Rex::ConnectionError => e
+            # Something went wrong during login. 'e' knows what's up.
+            result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
+          end
+
+          Result.new(result_opts)
+        end
+
+      end
+    end
+  end
+end
+
diff --git a/modules/auxiliary/scanner/http/bavision_cam_login.rb b/modules/auxiliary/scanner/http/bavision_cam_login.rb
@@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'metasploit/framework/login_scanner/bavision_cameras'
+require 'metasploit/framework/credential_collection'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'BAVision IP Camera Web Server Login',
+      'Description' => %q{
+        This module will attempt to authenticate to an IP camera created by BAVision via the
+        web service. By default, the vendor ships a default credential admin:123456 to its
+        cameras, and the web server does not enforce lockouts in case of a bruteforce attack.
+      },
+      'Author'      => [ 'sinn3r' ],
+      'License'     => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        OptBool.new('TRYDEFAULT', [false, 'Try the default credential admin:123456', false])
+      ], self.class)
+  end
+
+
+  def scanner(ip)
+    @scanner ||= lambda {
+      cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file:       datastore['PASS_FILE'],
+        password:        datastore['PASSWORD'],
+        user_file:       datastore['USER_FILE'],
+        userpass_file:   datastore['USERPASS_FILE'],
+        username:        datastore['USERNAME'],
+        user_as_pass:    datastore['USER_AS_PASS']
+      )
+
+      if datastore['TRYDEFAULT']
+        # Add the default username and password
+        print_status("Default credential admin:123456 added to the credential queue for testing.")
+        cred_collection.add_public('admin')
+        cred_collection.add_private('123456')
+      end
+
+      return Metasploit::Framework::LoginScanner::BavisionCameras.new(
+        configure_http_login_scanner(
+          host: ip,
+          port: datastore['RPORT'],
+          cred_details:       cred_collection,
+          stop_on_success:    datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed:   datastore['BRUTEFORCE_SPEED'],
+          connection_timeout: 5,
+          http_username:      datastore['HttpUsername'],
+          http_password:      datastore['HttpPassword']
+        ))
+    }.call
+  end
+
+
+  def report_good_cred(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      last_attempted_at: DateTime.now,
+      status: result.status,
+      proof: result.proof
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
+  def report_bad_cred(ip, rport, result)
+    invalidate_login(
+      address: ip,
+      port: rport,
+      protocol: 'tcp',
+      public: result.credential.public,
+      private: result.credential.private,
+      realm_key: result.credential.realm_key,
+      realm_value: result.credential.realm,
+      status: result.status,
+      proof: result.proof
+    )
+  end
+
+  def bruteforce(ip)
+    scanner(ip).scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential}'")
+        report_good_cred(ip, rport, result)
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)
+        report_bad_cred(ip, rport, result)
+      when Metasploit::Model::Login::Status::INCORRECT
+        vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'")
+        report_bad_cred(ip, rport, result)
+      end
+    end
+  end
+
+  def run_host(ip)
+    unless scanner(ip).check_setup
+      print_brute(:level => :error, :ip => ip, :msg => 'Target is not BAVision IP camera web server.')
+      return
+    end
+
+    bruteforce(ip)
+  end
+
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/bavision_cameras_spec.rb b/spec/lib/metasploit/framework/login_scanner/bavision_cameras_spec.rb
@@ -0,0 +1,55 @@
+require 'metasploit/framework/login_scanner/bavision_cameras'
+
+RSpec.describe Metasploit::Framework::LoginScanner::BavisionCameras do
+
+    it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
+    it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+    subject do
+      described_class.new
+    end
+
+    describe '#digest_auth' do
+      let(:username) { 'admin' }
+      let(:password) { '123456' }
+      let(:response) {
+        {
+          "www-authenticate" => "Digest realm=\"IPCamera Login\", nonce=\"918fee7e0b1126e4c2577911901a181b\", qop=\"auth\""
+        } 
+      }
+
+      context 'when a credential is given' do
+        it 'returns a string with username' do
+          expect(subject.digest_auth(username, password, response)).to include('username=')
+        end
+
+        it 'returns a string with realm' do
+          expect(subject.digest_auth(username, password, response)).to include('realm=')
+        end
+
+        it 'returns a string with qop' do
+          expect(subject.digest_auth(username, password, response)).to include('qop=')
+        end
+
+        it 'returns a string with uri' do
+          expect(subject.digest_auth(username, password, response)).to include('uri=')
+        end
+
+        it 'returns a string with nonce' do
+          expect(subject.digest_auth(username, password, response)).to include('nonce=')
+        end
+
+        it 'returns a string with nonce count' do
+          expect(subject.digest_auth(username, password, response)).to include('nc=')
+        end
+
+        it 'returns a string with cnonce' do
+          expect(subject.digest_auth(username, password, response)).to include('cnonce=')
+        end
+
+        it 'returns a string with response' do
+          expect(subject.digest_auth(username, password, response)).to include('response=')
+        end
+      end
+    end
+end
