Rosewill RXS-3211 IP Camera Password Retriever
This module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP Cameras such as Edimax, Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested. The protocol deisgn issue also allows attackers to reset passwords on the device.
Rank
- Normal
Authors
- Ben Schmidt < >
Vulnerability References
Development
Similar Modules
- auxiliary/scanner/misc/cctv_dvr_login
- auxiliary/scanner/misc/ib_service_mgr_info
- auxiliary/scanner/misc/java_rmi_server
- auxiliary/scanner/misc/oki_scanner
- auxiliary/scanner/misc/redis_server
- auxiliary/scanner/misc/sunrpc_portmapper
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/scanner/misc/rosewill_rxs3211_passwords
msf auxiliary(rosewill_rxs3211_passwords) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(rosewill_rxs3211_passwords) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/scanner/misc/rosewill_rxs3211_passwords
msf auxiliary(rosewill_rxs3211_passwords) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(rosewill_rxs3211_passwords) > run
Module Options
| CHOST | The local client address |
| RHOSTS | The target address range or CIDR identifier |
| RPORT | The target port (default: 13364) |
| THREADS | The number of concurrent threads (default: 1) |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| ShowProgress | Display progress messages during a scan |
| ShowProgressPercent | The interval in percent that progress should be shown |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |