Big style cleanup
parent
9721993b8f
commit
d5cdfe73ed
@ -3,7 +3,6 @@ require 'pry'
|
|||
module Rex
|
||||
module Proto
|
||||
module ACPP
|
||||
|
||||
# From what I've been able to gather from the very limited findings on the
|
||||
# web about this protocol, playing with it against a real Airport device and
|
||||
# referencing the airport-utils package in Debian/Ubuntu, the format of (at
|
||||
|
@ -44,39 +43,42 @@ module ACPP
|
|||
# also be obtained by XOR'ing the null-padded known plain text with the appropriate 32-byte
|
||||
# ciphertext from an airport-util request
|
||||
XOR_KEY = [
|
||||
14, 57, -8, 5, -60, 1, 85, 79, 12, -84,
|
||||
-123, 125, -122, -118, -75, 23, 62, 9, -56, 53,
|
||||
-12, 49, 101, 127, 60, -100, -75, 109, -106, -102,
|
||||
-91, 7, 46, 25, -40, 37, -28, 33, 117, 111,
|
||||
44, -116, -91, -99, 102, 106, 85, -9, -34, -23,
|
||||
40, -43, 20, -47, -123, -97, -36, 124, 85, -115,
|
||||
118, 122, 69, -25, -50, -7, 56, -59, 4, -63,
|
||||
-107, -113, -52, 108, 69, -67, 70, 74, 117, -41,
|
||||
-2, -55, 8, -11, 52, -15, -91, -65, -4, 92,
|
||||
117, -83, 86, 90, 101, -57, -18, -39, 24, -27,
|
||||
36, -31, -75, -81, -20, 76, 101, -35, 38, 42,
|
||||
21, -73, -98, -87, 104, -107, 84, -111, -59, -33,
|
||||
-100, 60, 21, -51, 54, 58, 5, -89, -114, -71,
|
||||
120, -123, 68, -127, -43, -49, -116, 44, 5, -3,
|
||||
6, 10, 53, -105, -66, -119, 72, -75, 116, -79,
|
||||
-27, -1, -68, 28, 53, -19, 22, 26, 37, -121,
|
||||
-82, -103, 88, -91, 100, -95, -11, -17, -84, 12,
|
||||
37, 29, -26, -22, -43, 119, 94, 105, -88, 85,
|
||||
-108, 81, 5, 31, 92, -4, -43, 13, -10, -6,
|
||||
-59, 103, 78, 121, -72, 69, -124, 65, 21, 15,
|
||||
76, -20, -59, 61, -58, -54, -11, 87, 126, 73,
|
||||
-120, 117, -76, 113, 37, 63, 124, -36, -11, 45,
|
||||
-42, -38, -27, 71, 110, 89, -104, 101, -92, 97,
|
||||
53, 47, 108, -52, -27, 93, -90, -86, -107, 55,
|
||||
30, 41, -24, 21, -44, 17, 69, 95, 28, -68,
|
||||
-107, 77, -74, -70, -123, 39
|
||||
14, 57, -8, 5, -60, 1, 85, 79, 12, -84,
|
||||
-123, 125, -122, -118, -75, 23, 62, 9, -56, 53,
|
||||
-12, 49, 101, 127, 60, -100, -75, 109, -106, -102,
|
||||
-91, 7, 46, 25, -40, 37, -28, 33, 117, 111,
|
||||
44, -116, -91, -99, 102, 106, 85, -9, -34, -23,
|
||||
40, -43, 20, -47, -123, -97, -36, 124, 85, -115,
|
||||
118, 122, 69, -25, -50, -7, 56, -59, 4, -63,
|
||||
-107, -113, -52, 108, 69, -67, 70, 74, 117, -41,
|
||||
-2, -55, 8, -11, 52, -15, -91, -65, -4, 92,
|
||||
117, -83, 86, 90, 101, -57, -18, -39, 24, -27,
|
||||
36, -31, -75, -81, -20, 76, 101, -35, 38, 42,
|
||||
21, -73, -98, -87, 104, -107, 84, -111, -59, -33,
|
||||
-100, 60, 21, -51, 54, 58, 5, -89, -114, -71,
|
||||
120, -123, 68, -127, -43, -49, -116, 44, 5, -3,
|
||||
6, 10, 53, -105, -66, -119, 72, -75, 116, -79,
|
||||
-27, -1, -68, 28, 53, -19, 22, 26, 37, -121,
|
||||
-82, -103, 88, -91, 100, -95, -11, -17, -84, 12,
|
||||
37, 29, -26, -22, -43, 119, 94, 105, -88, 85,
|
||||
-108, 81, 5, 31, 92, -4, -43, 13, -10, -6,
|
||||
-59, 103, 78, 121, -72, 69, -124, 65, 21, 15,
|
||||
76, -20, -59, 61, -58, -54, -11, 87, 126, 73,
|
||||
-120, 117, -76, 113, 37, 63, 124, -36, -11, 45,
|
||||
-42, -38, -27, 71, 110, 89, -104, 101, -92, 97,
|
||||
53, 47, 108, -52, -27, 93, -90, -86, -107, 55,
|
||||
30, 41, -24, 21, -44, 17, 69, 95, 28, -68,
|
||||
-107, 77, -74, -70, -123, 39
|
||||
].pack("C*")
|
||||
|
||||
class Message
|
||||
|
||||
# @return [Integer] the type of this message
|
||||
attr_accessor :type
|
||||
# @return [String] the password to attempt to authenticate with
|
||||
attr_accessor :password
|
||||
# @return [String] the optional message payload
|
||||
attr_accessor :payload
|
||||
# @return [Integer] the status of this message
|
||||
attr_accessor :status
|
||||
|
||||
def initialize
|
||||
|
@ -90,6 +92,9 @@ module ACPP
|
|||
@unknown4 = ''
|
||||
end
|
||||
|
||||
# Determines if this message has a successful status code
|
||||
#
|
||||
# @return [Boolean] true iff @status is 0, false otherwise
|
||||
def successful?
|
||||
@status == 0
|
||||
end
|
||||
|
@ -98,7 +103,7 @@ module ACPP
|
|||
#
|
||||
# @return [String] the string representation of this Message
|
||||
def to_s
|
||||
return with_checksum(Zlib::adler32(with_checksum(0)))
|
||||
with_checksum(Zlib.adler32(with_checksum(0)))
|
||||
end
|
||||
|
||||
# Compares this Message and another Message for equality
|
||||
|
@ -107,9 +112,9 @@ module ACPP
|
|||
# @return [Boolean] true iff the two messages are equal, false otherwise
|
||||
def ==(other)
|
||||
other.type == @type &&
|
||||
other.status == @status &&
|
||||
other.password == @password &&
|
||||
other.payload == @payload
|
||||
other.status == @status &&
|
||||
other.password == @password &&
|
||||
other.payload == @payload
|
||||
end
|
||||
|
||||
# Decodes the provided data into a Message
|
||||
|
@ -122,18 +127,18 @@ module ACPP
|
|||
data = data.dup
|
||||
fail "Incorrect ACPP message size #{data.size} -- must be 128" unless data.size == 128
|
||||
fail 'Unexpected header' unless 'acpp' == data.slice!(0, 4)
|
||||
unknown1 = data.slice!(0, 4)
|
||||
_unknown1 = data.slice!(0, 4)
|
||||
read_message_checksum = data.slice!(0, 4).unpack('N').first
|
||||
read_payload_checksum = data.slice!(0, 4).unpack('N').first
|
||||
read_payload_size = data.slice!(0, 4).unpack('N').first
|
||||
unknown2 = data.slice!(0, 8)
|
||||
_read_payload_size = data.slice!(0, 4).unpack('N').first
|
||||
_unknown2 = data.slice!(0, 8)
|
||||
type = data.slice!(0, 4).unpack('N').first
|
||||
status = data.slice!(0, 4).unpack('N').first
|
||||
unknown3 = data.slice!(0, 12)
|
||||
_unknown3 = data.slice!(0, 12)
|
||||
password = Rex::Encoding::Xor::Generic.encode(data.slice!(0, 32), XOR_KEY).first.strip
|
||||
unknown4 = data.slice!(0, 48)
|
||||
_unknown4 = data.slice!(0, 48)
|
||||
payload = data
|
||||
m = self.new
|
||||
m = new
|
||||
m.type = type
|
||||
m.password = password
|
||||
m.status = status
|
||||
|
@ -141,14 +146,14 @@ module ACPP
|
|||
|
||||
# we can now validate the checksums if desired
|
||||
if validate_checksum
|
||||
actual_message_checksum = Zlib::adler32(m.with_checksum(0))
|
||||
actual_message_checksum = Zlib.adler32(m.with_checksum(0))
|
||||
if actual_message_checksum != read_message_checksum
|
||||
fail "Invalid message checksum (expected #{read_message_checksum}, calculated #{actual_message_checksum})"
|
||||
end
|
||||
# I'm not sure this can ever happen -- if the payload checksum is wrong, then the
|
||||
# message checksum will also be wrong. So, either I misunderstand the protocol
|
||||
# or having two checksums is useless
|
||||
actual_payload_checksum = Zlib::adler32(payload)
|
||||
actual_payload_checksum = Zlib.adler32(payload)
|
||||
if actual_payload_checksum != read_payload_checksum
|
||||
fail "Invalid payload checksum (expected #{read_payload_checksum}, calculated #{actual_payload_checksum})"
|
||||
end
|
||||
|
@ -157,10 +162,11 @@ module ACPP
|
|||
end
|
||||
|
||||
def with_checksum(message_checksum)
|
||||
'acpp' + [
|
||||
[
|
||||
'acpp',
|
||||
@unknown1,
|
||||
message_checksum,
|
||||
Zlib::adler32(@payload),
|
||||
Zlib.adler32(@payload),
|
||||
@payload.size,
|
||||
@unknown2,
|
||||
@type,
|
||||
|
@ -169,10 +175,7 @@ module ACPP
|
|||
Rex::Encoding::Xor::Generic.encode([@password].pack('a32').slice(0, 32), XOR_KEY).first,
|
||||
@unknown4,
|
||||
payload
|
||||
].pack('NNNNa8NNa12a32a48a*')
|
||||
#Rex::Encoding::Xor::Generic.encode([@password].pack('a32').slice(0, 32), XOR_KEY).first +
|
||||
#([0] * 12).pack('N12') + # unknown4
|
||||
#payload
|
||||
].pack('a4NNNNa8NNa12a32a48a*')
|
||||
end
|
||||
end
|
||||
end
|
||||
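Review bot: In the decode hunk (@ -122,18 +127,18) the payload size field is now bound to `_read_payload_size` and never consulted, so a message whose declared size disagrees with the bytes actually left in `payload` is accepted as long as the checksums match. If the field means what its name says, checking it alongside the checksums is a one-liner inside the `if validate_checksum` block, e.g. `fail "Invalid payload size (expected #{read_payload_size}, got #{payload.size})" unless payload.size == read_payload_size`, with the underscore dropped from the name. The method's `def` line and the remainder of its body lie outside this hunk. Separately, the first hunk's header context still shows `require 'pry'` at the top of the library file; a style-cleanup commit is the natural place to drop a debugging dependency from a protocol parser.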
@ -9,7 +9,6 @@ require 'metasploit/framework/credential_collection'
|
|||
require 'metasploit/framework/login_scanner/acpp'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
@ -35,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(5009),
|
||||
Opt::RPORT(5009)
|
||||
], self.class)
|
||||
|
||||
deregister_options(
|
||||
|
@ -47,6 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'USER_FILE',
|
||||
'USER_AS_PASS'
|
||||
)
|
||||
|
||||
register_autofilter_ports([5009])
|
||||
end
|
||||
|
||||
|
@ -71,13 +71,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
|
||||
connection_timeout: datastore['ConnectTimeout'],
|
||||
max_send_size: datastore['TCP::max_send_size'],
|
||||
send_delay: datastore['TCP::send_delay'],
|
||||
send_delay: datastore['TCP::send_delay']
|
||||
)
|
||||
|
||||
scanner.scan! do |result|
|
||||
credential_data = result.to_h
|
||||
credential_data.merge!(
|
||||
module_fullname: self.fullname,
|
||||
module_fullname: fullname,
|
||||
workspace_id: myworkspace_id
|
||||
)
|
||||
if result.success?
|
||||
|
@ -90,6 +90,5 @@ class Metasploit3 < Msf::Auxiliary
|
|||
vprint_error("#{ip}:#{rport} - ACPP LOGIN FAILED: #{result.credential.private} (#{result.status}: #{result.proof})")
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||