diff --git a/lib/metasploit/framework/login_scanner/acpp.rb b/lib/metasploit/framework/login_scanner/acpp.rb
index 093361afc8..07841c0c7a 100644
--- a/lib/metasploit/framework/login_scanner/acpp.rb
+++ b/lib/metasploit/framework/login_scanner/acpp.rb
@@ -17,10 +17,13 @@ module Metasploit
 #
 # CONSTANTS
 #
+ DEFAULT_PORT = 5009
 LIKELY_PORTS = [ 5009 ]
 LIKELY_SERVICE_NAMES = [ 'acpp' ]
+ PRIVATE_TYPES = [ :password ]
 REALM_KEY = nil
+
 # This method attempts a single login with a single credential against the target
 # @param credential [Credential] The credential object to attmpt to login with
 # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
@@ -38,13 +41,18 @@ module Metasploit
 disconnect if self.sock
 connect
- acpp = Rex::Proto::ACPP::Client.new(sock)
+ client = Rex::Proto::ACPP::Client.new(sock)
- if acpp.authenticate(credential.private)
- result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+ auth_response = client.authenticate(credential.private)
+ if auth_response.successful?
+ status = Metasploit::Model::Login::Status::SUCCESSFUL
 else
- result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+ status = Metasploit::Model::Login::Status::INCORRECT
 end
+ result_options.merge!(
+ proof: "Status code #{auth_response.status}",
+ status: status
+ )
 rescue ::EOFError, Errno::ENOTCONN, Rex::ConnectionError, ::Timeout::Error => e
 result_options.merge!(
 proof: e.message,
diff --git a/modules/auxiliary/scanner/acpp/login.rb b/modules/auxiliary/scanner/acpp/login.rb
index 0c6edcb79e..8bdb79e769 100644
--- a/modules/auxiliary/scanner/acpp/login.rb
+++ b/modules/auxiliary/scanner/acpp/login.rb
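Review bot: `LIKELY_PORTS = [ 5009 ]` now sits directly under the new `DEFAULT_PORT = 5009` with the same literal repeated; writing it as `LIKELY_PORTS = [ DEFAULT_PORT ]` keeps the two from drifting apart if the port is ever changed in one place only. The `# @param credential` line in the trailing context still reads "attmpt"; it is worth correcting to "attempt" while this block is being touched.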
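Review bot: In the new `if auth_response.successful?` branch every non-successful reply is recorded as `Metasploit::Model::Login::Status::INCORRECT`, so a status code that means something other than a rejected password (a device-side error, or a throttled or locked state if the protocol has one) is logged as a bad credential and the sweep continues to the next password as if the target had answered normally. If `Rex::Proto::ACPP` exposes the individual status codes, map only the bad-credential code to INCORRECT and anything else to `Metasploit::Model::Login::Status::UNABLE_TO_CONNECT`; the proof string `"Status code #{auth_response.status}"` already preserves the raw value for later triage. The `rescue` on the following line covers only socket-level failures, so if `client.authenticate` can return nil or raise a protocol-specific error on a malformed reply (not visible here), the `.successful?` call fails with an unrescued exception and aborts the whole scan rather than just this attempt; add that class to the rescue list or guard the response before using it. The enclosing method begins and ends outside the hunk.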
@@ -17,39 +17,32 @@ class Metasploit3 < Msf::Auxiliary
 def initialize
 super(
- 'Name' => 'ACPP Authentication Scanner',
- 'Description' => %q{
- },
+ 'Name' => 'Apple Airport ACPP Authentication Scanner',
+ 'Description' => %q(
+ This module attempts to authenticate to an Apple Airport using its
+ proprietary and largely undocumented protocol known only as ACPP.
+ ),
 'Author' => [
- 'carstein ',
- 'jduck'
+ 'Jon Hart '
 ],
 'References' => [
- [ 'CVE', '1999-0506'] # Weak password
+ %w(CVE 2003-0270) # Fixed XOR key used to encrypt password
 ],
 'License' => MSF_LICENSE
 )
 register_options(
 [
- Opt::Proxies,
 Opt::RPORT(5009),
- OptString.new('PASSWORD', [ false, 'The password to test' ]),
- OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
- File.join(Msf::Config.data_directory, "wordlists", "vnc_passwords.txt") ]),
-
- #We need to set the following options to make sure BLANK_PASSWORDS functions properly
- OptString.new('USERNAME', [false, 'A specific username to authenticate as', '']),
- OptBool.new('USER_AS_PASS', [false, 'Try the username as the password for all users', false])
 ], self.class)
 register_autofilter_ports([5009])
 end
 def run_host(ip)
- print_status("#{ip}:#{rport} - Starting ACPP login sweep")
+ vprint_status("#{ip}:#{rport} - Starting ACPP login sweep")
 cred_collection = Metasploit::Framework::CredentialCollection.new(
 blank_passwords: datastore['BLANK_PASSWORDS'],
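Review bot: The port 5009 is still hard-coded twice in the new option block, in `Opt::RPORT(5009)` and `register_autofilter_ports([5009])`, while this same commit introduces a `DEFAULT_PORT` constant in the login scanner; referencing that constant from both call sites keeps the module and the scanner in step if the port ever changes. The new `'References'` entry carries a one-line explanation in a trailing comment, which is helpful, but the description could likewise say what a successful login means for the device owner so an operator reading the module info knows what a hit implies. `initialize` is fully inside the hunk; `run_host` begins here and continues past it.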
@@ -85,11 +78,10 @@ class Metasploit3 < Msf::Auxiliary
 credential_core = create_credential(credential_data)
 credential_data[:core] = credential_core
 create_credential_login(credential_data)
-
- print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+ print_good("#{ip}:#{rport} - ACPP LOGIN SUCCESSFUL: #{result.credential}")
 else
 invalidate_login(credential_data)
- vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+ vprint_error("#{ip}:#{rport} - ACPP LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})")
 end
 end