Cambium ePMP 1000 Login Scanner

2017-01-04T22:49:32
ID MSF:AUXILIARY/SCANNER/HTTP/EPMP1000_WEB_LOGIN
Type metasploit
Reporter Rapid7
Modified 2019-08-15T23:10:44

Description

This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::EPMP

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Cambium ePMP 1000 Login Scanner',
      'Description' => %{
        This module scans for Cambium ePMP 1000 management login portal(s), and
        attempts to identify valid credentials. Default login credentials are -
        admin/admin, installer/installer, home/home and readonly/readonly.
      },
      'Author' =>
        [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
        ],
      'References' =>
        [
          ['URL', 'http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/']
        ],
      'License'        => MSF_LICENSE
     )
    )

    register_options(
      [
        Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
        OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'admin']),
        OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'admin'])
      ], self.class
    )
  end

  def run_host(ip)
    unless is_app_epmp1000?
      return
    end
  end

  #
  # Brute-force the login page
  #

  def do_login(epmp_ver)
    if epmp_ver < '3.4.1' # <3.4.1 uses login_1
      each_user_pass do |user, pass|
        login_1(user, pass, epmp_ver)
      end
    else
      each_user_pass do |user, pass|
        login_2(user, pass, epmp_ver)
      end
    end
  end
end