Class: Metasploit::Framework::LoginScanner::X3

Inherits:
Object
Includes:
Base, RexSocket, Tcp::Client
Defined in:
lib/metasploit/framework/login_scanner/x3.rb

Constant Summary

DEFAULT_PORT =
1818
REALM_KEY =
nil

Instance Attribute Summary

Attributes included from Tcp::Client

#max_send_size, #send_delay, #sock

Instance Method Summary

Methods included from Tcp::Client

#chost, #connect, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Method Details

#attempt_login(credential) ⇒ Object


# File 'lib/metasploit/framework/login_scanner/x3.rb', line 46

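# Attempts a single AdxAdmin login with +credential+ and reports the outcome.
#
# The request is sent as one binary frame:
#   [0x6a][frame len 1 byte][user len 1 byte][user][user len 1 byte][user][pass len 1 byte][CRYPT:hash]
# A 4-byte reply that is not 0xFF 0xFF 0xFF 0xFF is treated as a successful login.
#
# @param credential [#public, #private] public is the username, private the
#   password (plain text, or a value already carrying the "CRYPT:" prefix)
# @return [Result] status is SUCCESSFUL, INCORRECT or UNABLE_TO_CONNECT; proof
#   holds the raw server reply, or the exception when the connection failed
def attempt_login(credential)
  result_options = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    host: host,
    port: port,
    protocol: 'tcp',
    service_name: 'X3 AdxAdmin'
  }

  # encrypt_pass always returns a "CRYPT:" string, so no nil check is needed.
  # Both values are copied as binary so that appending them never re-encodes
  # bytes the way String#<< with an Integer argument does on a UTF-8 string.
  enc_pass = encrypt_pass(credential.private.to_s).b
  user = credential.public.to_s.b

  # Every length field is one unsigned byte and counts bytes, not characters
  # (identical for ASCII names; assumed correct for non-ASCII ones — TODO confirm).
  # Values longer than 255 bytes cannot be represented in this frame format.
  body = [user.bytesize].pack('C') + user
  body << [user.bytesize].pack('C') << user
  body << [enc_pass.bytesize].pack('C') << enc_pass

  auth_buffer = "\x6a".b << [body.bytesize].pack('C') << body

  # The failure reply is four 0xFF bytes. The socket returns binary data, so the
  # comparison must be on bytes: a UTF-8 "\xFF" literal compared against a
  # binary "\xFF" character does not compare equal, which would make every
  # 4-byte reply look like a success.
  failure_reply = "\xFF\xFF\xFF\xFF".b

  begin
    connect
    # wait up to 0.4s for the socket to become readable; the return value is
    # deliberately ignored (presumably lets any greeting arrive — TODO confirm)
    select([sock], nil, nil, 0.4)

    sock.put(auth_buffer)
    proof = sock.get_once(1024, 2)
    result_options[:proof] = proof

    if proof && proof.bytesize == 4 && proof.b != failure_reply
      result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
    end
  rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
    result_options.merge!(
      proof: e,
      status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    )
  ensure
    # close the socket on every path, including errors that are not rescued above
    disconnect if sock
  end

  Result.new(result_options)
end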

#encrypt_pass(inp) ⇒ Object


# File 'lib/metasploit/framework/login_scanner/x3.rb', line 19

# Derives the AdxAdmin "CRYPT:" form of a password.
#
# Each input character produces two or three output characters: the table
# character for that position minus (character code / 17), rounded up to the
# next integer; the primary-table entry chosen by (character code % 17); and,
# when that entry's index is even, the secondary-table entry at the same index.
# The position table holds 25 entries, so inputs longer than 25 characters
# raise NoMethodError (nil.ord).
#
# @param inp [String] plain password, or a value already prefixed with "CRYPT:"
# @return [String] "CRYPT:" followed by the encoded text; +inp+ itself when it
#   already carries the prefix
def encrypt_pass(inp)
  # already in encrypted form — hand it back untouched
  return inp if inp.start_with?('CRYPT:')

  divisor = 17
  position_table = 'zxWyZxzvwYzxZXxxZWWyWxYXz'.chars
  primary = 'cromanwqxfzpgedkvstjhyilu'.chars
  secondary = 'cf2tln3yuVkDr7oPaQ8bsSd4x'.chars

  encoded = inp.each_char.with_index.each_with_object(''.dup) do |(ch, idx), out|
    code = ch.ord
    quotient = code.to_f / divisor
    remainder = code % divisor

    # truncate, then add one whenever a fractional part was dropped
    shifted = position_table[idx].ord - quotient
    whole = shifted.to_i
    whole += 1 unless whole == shifted
    out << whole.chr

    # primary holds 25 distinct characters, so the entry just appended sits at
    # index +remainder+; the secondary character follows only for even indexes
    out << primary[remainder]
    out << secondary[remainder] if remainder.even?
  end

  "CRYPT:#{encoded}"
end