local nmap = require "nmap"
local stdnse = require "stdnse"
local http = require "http"
local nsedebug = require "nsedebug"
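description = [[
Detects socket fingerprint of QSC-USL cinema devices and flags if found.
Will attempt to pull out software and firmware version of system
]]

--------------------------------------------------------------------
---
-- @usage
-- nmap -sS -p21,22,80,10001 --script=cinema-qsc-usl-devices <target>
-- @output
-- PORT STATE SERVICE
-- 21/tcp filtered ftp
-- 22/tcp filtered ssh
-- 80/tcp open http
-- | cinema-qsc-usl-devices:
-- | classification: sound-processor
-- | vendor: QSC-USL
-- | productName: JSD-60
-- | serialNumber: 3458
-- | version: E,141205,141218,141014
-- | PCBversion: E
-- | bootloaderVersion: 141205
-- | picVersion: 141218
-- | dspVersion: 141014
-- | hostname: JSD60-FORBES-C1
-- | theaterName: Forbes Services Club
-- | theaterNumber: 1
-- | dcs: IMS2000
-- | automation: JNIOR
-- | comments:
-- |_ projector: NC1100L-A
-- 10001/tcp open scp-config

author = "James Gardiner"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- "intrusive" only. The script opens the unit's control socket on TCP/10001
-- and sends configuration queries, which is exactly what the NSE category
-- rules keep out of "safe"; the two categories are complementary, so listing
-- both (as the original did) was contradictory and let the script run under
-- a "safe"-only selection.
categories = { "cinema", "intrusive" }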
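--- Decide whether the host's port pattern matches a QSC-USL unit.
-- Runs only for the open TCP/80 port and then requires TCP/10001 (the
-- control socket) to be open while TCP/21 and TCP/22 are not. A port that
-- was not part of the scan makes nmap.get_port_state return nil; the
-- original indexed that nil and crashed, so here an unscanned 21/22 counts
-- as "not open" and an unscanned 10001 counts as "not matched".
-- @param host nmap host table
-- @param port nmap port table for the port being evaluated
-- @return true when the fingerprint matches, false otherwise
portrule = function(host, port)
  if port.number ~= 80 or port.state ~= "open" or port.protocol ~= "tcp" then
    return false
  end

  -- true only when the port was scanned and found open
  local function is_open(number)
    local entry = nmap.get_port_state(host, { number = number, protocol = "tcp" })
    return entry ~= nil and entry.state == "open"
  end

  return (not is_open(21)) and (not is_open(22)) and is_open(10001)
end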
-------------------------------------------------------------------------------------------------------------
--- Strip leading and trailing whitespace from s.
-- @param s string or nil
-- @return the trimmed string; '' when s is nil
local function all_trim(s)
  if s == nil then
    return ''
  end
  local no_lead = s:gsub("^%s+", "")
  local no_trail = no_lead:gsub("%s+$", "")
  return no_trail
end
--- Append the elements t2[1..#t2] to the end of t1, in place.
-- Left global as in the original; nothing in this file calls it.
-- @param t1 table that receives the elements
-- @param t2 sequence to copy from
-- @return t1, to allow chaining
function TableConcat(t1, t2)
  local count = #t2
  for idx = 1, count do
    table.insert(t1, t2[idx])
  end
  return t1
end
--- True when str begins with the literal text start.
-- @param str string to inspect
-- @param start prefix to look for (compared byte-wise, not as a pattern)
-- @return boolean
local function starts_with(str, start)
  local prefix_len = string.len(start)
  return string.sub(str, 1, prefix_len) == start
end
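--- Send one command to the unit's control socket on TCP/10001 and return the
-- trimmed reply.
-- Debug traces go through stdnse.debug (visible with -d) instead of being
-- appended to a fixed file under /tmp as the original did: nmap normally
-- runs as root and the text being logged is whatever the remote device sent,
-- so a predictable path in a world-writable directory is a symlink/clobber
-- hazard, and the assert on io.open also aborted the script wherever /tmp
-- was not writable.
-- @param host nmap host table (host.ip is used)
-- @param cmd full command line including the trailing "\r\n"
-- @return the reply with surrounding whitespace removed ('' for an empty
--   reply). Connect/send/receive failures abort the script via nmap.new_try,
--   the same convention the rest of the file uses.
local function socket_command(host, cmd)
  local port = { number = 10001, protocol = 'tcp' }
  local socket = nmap.new_socket()
  socket:set_timeout(400)
  local label = all_trim(cmd)

  local catch = function()
    stdnse.debug("Catch on connection " .. host.ip .. ":" .. port.number .. " for " .. label)
    socket:close()
  end
  local try = nmap.new_try(catch)

  try(socket:connect(host.ip, port.number))
  -- Drain anything the device sends on connect so the line read after our
  -- command really is the answer to it.
  local _, junk = socket:receive_lines(1)
  stdnse.debug("Initial connect read any junk: junk = " .. nsedebug.tostr(junk))
  try(socket:send(cmd))
  local response = try(socket:receive_lines(1))
  socket:close()

  -- Some units occasionally answer with a stray 3-digit line ahead of the
  -- value (seen on serial_number; cause unknown, not reproducible). A reply
  -- holding more than one newline is therefore asked for once more on a
  -- fresh connection.
  local _, newline_count = string.gsub(response, "\n", "")
  if newline_count > 1 then
    stdnse.debug(label .. ": response has two new-lines so try again. response = " .. nsedebug.tostr(response))
    local try2 = nmap.new_try(catch)
    try2(socket:connect(host.ip, port.number))
    try2(socket:send(cmd))
    response = try2(socket:receive_lines(1))
    socket:close()
    stdnse.debug(label .. ": try 2 result response = " .. nsedebug.tostr(response))
  end

  local trim_response = all_trim(response)
  stdnse.debug(label .. " : trim_response = " .. nsedebug.tostr(trim_response))
  -- A 7-character reply starting with "300" is treated (as in the original)
  -- as a 3-digit code glued to the value; only the value is returned.
  if string.len(trim_response) == 7 and starts_with(trim_response, '300') then
    stdnse.debug("DEAL WITH ERROR: response = " .. nsedebug.tostr(response))
    trim_response = string.sub(trim_response, 4, -1)
  end
  stdnse.debug("res: " .. host.ip .. ":" .. label .. " = [" .. response .. "]")
  return trim_response
end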
--- Split str on every run of the character(s) in sep.
-- Consecutive separators are consumed together, so no empty fields are
-- produced. sep is placed in a character class unescaped; callers pass
-- ' ', '\n' and '\t'.
-- @param str string to split
-- @param sep separator character(s)
-- @return sequence of non-empty fields
local function split(str, sep)
  local pieces = {}
  local field_pattern = "[^" .. sep .. "]+"
  for piece in string.gmatch(str, field_pattern) do
    pieces[#pieces + 1] = piece
  end
  return pieces
end
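--- Fetch urlPath from the unit's web server on TCP/80.
-- The original only treated a 404 as failure, so a request that never got a
-- status (connection refused, timeout) came back as "ok" with a nil body and
-- the callers then indexed nil. A true result now guarantees a string body.
-- @param host nmap host table
-- @param urlPath path to request, e.g. '/ConfigFlash.html'
-- @return ok, body — false, nil when there was no response, no status, a
--   404, or no body; true plus the body otherwise
local function getHttpUrl(host, urlPath)
  local http_port = { number = 80, protocol = 'tcp' }
  local get_res = http.get(host, http_port, urlPath)
  if get_res == nil or get_res.status == nil or get_res.status == 404 or get_res.body == nil then
    return false, nil
  end
  return true, get_res.body
end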
--- Iterate over the lines of s (without their "\n"); a missing final newline
-- is supplied so the last line is still yielded. Not called in this file.
-- @param s string
-- @return gmatch iterator
local function magiclines(s)
  local text = s
  if string.sub(text, -1) ~= "\n" then
    text = text .. "\n"
  end
  return string.gmatch(text, "(.-)\n")
end
--- Split s on delimiter, keeping empty fields.
-- delimiter is used inside a pattern unescaped; the only caller passes
-- '</td><td>', which holds no magic characters. Left global as in the
-- original.
-- @param s string to split
-- @param delimiter literal separator
-- @return sequence of fields
function Split(s, delimiter)
  local pieces = {}
  local pattern = "(.-)" .. delimiter
  local padded = s .. delimiter
  for piece in string.gmatch(padded, pattern) do
    pieces[#pieces + 1] = piece
  end
  return pieces
end
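--- Pull one value out of the old JSD-100 front page, whose settings are laid
-- out as "<tr><td>LABEL</td><td>VALUE</td></tr>" rows.
-- Changes from the original: the label is matched as literal text (plain
-- find) rather than as a pattern, a nil body and a matching row with no
-- value cell return nil instead of raising.
-- @param search_str the row label, e.g. 'Theater Name'
-- @param body HTML of the page (may be nil)
-- @return the value with all whitespace removed, or nil when not found
local function oldJsd100_search(search_str, body)
  if body == nil then
    return nil
  end
  local needle = '<tr><td>' .. search_str .. '</td><td>'
  for line in body:gmatch("[^\r\n]+") do
    if string.find(line, needle, 1, true) then
      local cells = Split(line, '</td><td>')
      if cells[2] == nil then
        return nil
      end
      local value = cells[2]:gsub("</td></tr>", ""):gsub("[%s]", "")
      if search_str == "Model Number" then
        value = value:gsub("JSD%-100v", "")
      elseif search_str == "Host Name" then
        -- kept from the original: this row apparently still carries a bare
        -- </tr> after the generic strip above (presumably no closing </td>)
        value = value:gsub("</tr>", "")
      end
      return value
    end
  end
  return nil
end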
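-- Send "<prefix>.sys.<field>" to the control socket and return the trimmed
-- reply (socket_command already trims). Keeps the per-device branches in
-- action free of repeated command-string assembly.
local function sys_query(host, prefix, field)
  return socket_command(host, prefix .. '.sys.' .. field .. '\r\n')
end

-- The jsd60/jsd100 ".sys.ver" reply is four tab separated fields: PCB,
-- bootloader, PIC and DSP versions. Returns the comma-joined summary the
-- script reports followed by the four parts. A short or empty reply yields
-- 'na' for the missing parts instead of a nil-concatenation error.
local function parse_jsd_version(raw_version)
  local parts = split(raw_version or '', '\t')
  local pcb = parts[1] or 'na'
  local bootloader = parts[2] or 'na'
  local pic = parts[3] or 'na'
  local dsp = parts[4] or 'na'
  local summary = pcb .. ',' .. bootloader .. ',' .. pic .. ',' .. dsp
  return summary, pcb, bootloader, pic, dsp
end

--- Identify the unit and collect its configuration for the script output.
-- Flow: fetch the ConfigFlash page (two known locations, then the front page
-- for old firmware) -> decide the product from it -> query the product's
-- fields over the control socket -> build the output table. Every reported
-- value is whatever the device sent back.
-- @param host nmap host table
-- @param port the TCP/80 port that matched portrule (not used here)
-- @return stdnse.output_table; classification, vendor, productName and
--   serialNumber are always present, the other fields only when known.
--   Returns false when no recognisable page was served.
action = function(host, port)
  local productName = 'na'
  local serialNumber = 'na'
  local classification = 'na'
  local version, PCBversion, bootloaderVersion, picVersion, dspVersion
  local hostname, theaterName, theaterNumber, dcs, automation, comments, projector
  local lineOneTable, lineTwoTable
  local output = stdnse.output_table()

  -- 1. Find a page that describes the unit.
  local configFlash_body -- body of whichever ConfigFlash.html answered
  local page_body3 -- front page, only used for old firmware
  local ok, body = getHttpUrl(host, '/ConfigFlash.html')
  if not ok then
    ok, body = getHttpUrl(host, '/debug/ConfigFlash.html')
  end
  if ok then
    configFlash_body = body
  else
    -- could be an old IRC-28C (or JSD-100) whose firmware has no ConfigFlash.html
    ok, page_body3 = getHttpUrl(host, '/')
    if not ok or page_body3 == nil then
      return false
    end
    local page_title = all_trim(string.match(page_body3, '<title>(.-)</title>'))
    stdnse.debug("page_title = " .. nsedebug.tostr(page_title))
    if page_title == 'USL Caption Encoder' then
      stdnse.debug('special case, a older firmware IRC-28C')
      local h1 = all_trim(string.match(page_body3, '<h1>(.-)</h1>'))
      productName = 'IRC-28C'
      version = split(h1, ' ')[4] -- may be nil; then no version is reported
      classification = 'accessibility'
    elseif string.find(page_title, "JSD%-100") then -- '-' is a pattern magic char, hence the %
      stdnse.debug('special case, a older firmware JSD-100')
      productName = 'OLD-JSD-100'
    end
  end

  -- 2. Work out what it is from the ConfigFlash dump.
  if configFlash_body ~= nil then
    local configFlash = all_trim(string.match(configFlash_body, '<pre>(.-)</pre>'))
    stdnse.debug("configFlash = " .. nsedebug.tostr(configFlash))
    -- an IRC unit is recognisable by the 'irc.sys.ip' key; checked before the
    -- dump is split into lines (plain find: the dots are literal)
    if string.find(configFlash, 'irc.sys.ip', 1, true) then
      productName = "IRC-28C"
    end
    local configFlash_table = split(configFlash, "\n")
    stdnse.debug("configFlash_body = " .. nsedebug.tostr(configFlash_table))
    -- a page without the expected <pre> block yields no lines; use empty
    -- strings rather than indexing nil
    lineOneTable = split(configFlash_table[1] or '', ' ')
    stdnse.debug("lineOneTable = " .. nsedebug.tostr(lineOneTable))
    lineTwoTable = split(configFlash_table[2] or '', ' ')
    stdnse.debug("lineTwoTable = " .. nsedebug.tostr(lineTwoTable))
    -- the third word of the first line names the model
    local model = lineOneTable[3]
    if model == "JSD-60" or model == "JSD-100" then
      classification = 'sound-processor'
      productName = model
    elseif model == "CM-8E" then
      productName = model
      classification = 'sound-device'
    elseif model == "LSS-200" then
      classification = 'quality-assurance'
      productName = model
      serialNumber = 'to_implement'
      version = 'to_implement'
    elseif productName == "IRC-28C" then
      classification = 'accessibility'
    end
  end

  -- 3. Query the product-specific settings over the control socket.
  if productName == 'JSD-60' or productName == 'JSD-100' then
    -- the two models speak the same protocol under different prefixes
    local prefix = (productName == 'JSD-60') and 'jsd60' or 'jsd100'
    serialNumber = sys_query(host, prefix, 'serial_number')
    stdnse.debug("serialNumber = " .. nsedebug.tostr(serialNumber))
    theaterName = sys_query(host, prefix, 'theater_name')
    theaterNumber = sys_query(host, prefix, 'theater_number')
    dcs = sys_query(host, prefix, 'dcs')
    automation = sys_query(host, prefix, 'automation')
    comments = sys_query(host, prefix, 'comments')
    projector = sys_query(host, prefix, 'projector')
    local raw_version = sys_query(host, prefix, 'ver')
    hostname = sys_query(host, prefix, 'host')
    version, PCBversion, bootloaderVersion, picVersion, dspVersion = parse_jsd_version(raw_version)
  elseif productName == 'OLD-JSD-100' then
    -- no control-socket values here; everything is scraped from the front page
    productName = 'JSD-100'
    serialNumber = 'na'
    classification = 'sound-processor'
    theaterName = oldJsd100_search('Theater Name', page_body3)
    theaterNumber = oldJsd100_search('Theater Number', page_body3)
    dcs = oldJsd100_search('Digital Server', page_body3)
    automation = oldJsd100_search('Automation', page_body3)
    comments = oldJsd100_search('Comments', page_body3)
    projector = oldJsd100_search('Projector', page_body3)
    version = oldJsd100_search('Model Number', page_body3)
    hostname = oldJsd100_search('Host Name', page_body3)
  elseif productName == 'CM-8E' then
    -- the original requested theater_name twice; once is enough
    serialNumber = sys_query(host, 'cm8', 'serial_number')
    theaterName = sys_query(host, 'cm8', 'theater_name')
    theaterNumber = sys_query(host, 'cm8', 'theater_number')
    dcs = sys_query(host, 'cm8', 'dcs')
    automation = sys_query(host, 'cm8', 'automation')
    comments = sys_query(host, 'cm8', 'comments')
    projector = sys_query(host, 'cm8', 'projector')
    hostname = sys_query(host, 'cm8', 'host')
    -- the CM-8E version string is the fifth word of the dump's second line
    version = all_trim(lineTwoTable[5])
  elseif productName == 'IRC-28C' then
    comments = sys_query(host, 'irc', 'comments')
    hostname = sys_query(host, 'irc', 'host')
    theaterName = sys_query(host, 'irc', 'theater_name')
    theaterNumber = sys_query(host, 'irc', 'theater_number')
    dcs = sys_query(host, 'irc', 'dcs_ip')
  end

  -- 4. Assemble the report. output_table preserves insertion order, so the
  --    field order below is the order shown to the user; keep it stable.
  output.classification = classification
  output.vendor = 'QSC-USL'
  output.productName = productName
  output.serialNumber = serialNumber
  output.version = version
  local optional_fields = {
    { 'PCBversion', PCBversion },
    { 'bootloaderVersion', bootloaderVersion },
    { 'picVersion', picVersion },
    { 'dspVersion', dspVersion },
    { 'hostname', hostname },
    { 'theaterName', theaterName },
    { 'theaterNumber', theaterNumber },
    { 'dcs', dcs },
    { 'automation', automation },
    { 'comments', comments },
    { 'projector', projector },
  }
  for _, field in ipairs(optional_fields) do
    if field[2] then
      output[field[1]] = field[2]
    end
  end
  return output
end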