Land rapid7#8184, convert IPMI protocol and modules to bindata

Author: Brent Cook

documentation/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.md

@@ -0,0 +1,20 @@
+The ipmi_cipher_zero module is used to find IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of IPMI cipher zero, which means no cipher is used at all.
+
+## Vulnerable Devices
+
+This is an error in the IPMI 2.0 specification itself, so any device BMC fully implementing IPMI 2.0 will possibly have the vulnerable non-cipher enabled.
+
+## Verification Steps
+
+Set RHOSTS to the target device or range and run:
+
+```
+msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
+msf auxiliary(ipmi_cipher_zero) > set RHOSTS 192.168.1.2
+RHOSTS => 192.168.1.2
+msf auxiliary(ipmi_cipher_zero) > run
+
+[*] Sending IPMI requests to 192.168.1.2->192.168.1.2 (1 hosts)
+[*] 192.168.1.2:623 - IPMI - NOT VULNERABLE: Rejected cipher zero with error code 17
+
+```

documentation/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.md

@@ -0,0 +1,34 @@
+The ipmi_dumphashes module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
+
+## Vulnerable Devices
+
+Any IPMI 2.0 device implementing the RAKP protocol according to the IPMI specification is vulnerable. This is a design flaw rather than a vendor-specific vulnerability.
+
+## Verification Steps
+
+Set RHOSTS to the target device or range and run:
+
+```
+msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
+msf auxiliary(ipmi_dumphashes) > set RHOSTS 192.168.1.2
+RHOSTS => 192.168.1.2
+msf auxiliary(ipmi_dumphashes) > run
+
+[*] 192.168.1.2:623 - IPMI - Sending IPMI probes
+[*] 192.168.1.2:623 - IPMI - Trying username 'ADMIN'...
+[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username ADMIN: Unauthorized name
+[*] 192.168.1.2:623 - IPMI - Trying username 'admin'...
+[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username admin: Unauthorized name
+[*] 192.168.1.2:623 - IPMI - Trying username 'root'...
+[+] 192.168.1.2:623 - IPMI - Hash found: root:redacted
+[*] 192.168.1.2:623 - IPMI - Trying username 'Administrator'...
+[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username Administrator: Unauthorized name
+[*] 192.168.1.2:623 - IPMI - Trying username 'USERID'...
+[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username USERID: Unauthorized name
+[*] 192.168.1.2:623 - IPMI - Trying username 'guest'...
+[-] 192.168.1.2:623 - IPMI - Returned error code 13 for username guest: Unauthorized name
+[*] 192.168.1.2:623 - IPMI - Trying username ''...
+[+] 192.168.1.2:623 - IPMI - Hash found: redacted
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/scanner/ipmi/ipmi_version.md

@@ -0,0 +1,21 @@
+The ipmi_version module is used to identify the version of the IPMI specification implemented by devices on a network.
+
+## Target Devices
+
+Any exposed device that implements the IPMI specification should work with this module. This is a recon module rather than an exploitation module.
+
+## Verification Steps
+
+Set RHOSTS to the target device or range and run:
+
+```
+msf > use auxiliary/scanner/ipmi/ipmi_version
+msf auxiliary(ipmi_version) > set RHOSTS 192.168.1.2
+RHOSTS => 192.168.1.2
+msf auxiliary(ipmi_version) > run
+
+[*] Sending IPMI requests to 192.168.1.2->192.168.1.2 (1 hosts)
+[*] 192.168.1.2:623 - IPMI - Probe sent
+[+] 192.168.1.2:623 - IPMI - IPMI-2.0 OEMID:180010 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)
+
+```

lib/rex/proto/ipmi.rb

@@ -5,7 +5,6 @@
 module Rex
 module Proto
 module IPMI
-  require 'bit-struct'
   require 'rex/proto/ipmi/channel_auth_reply'
   require 'rex/proto/ipmi/open_session_reply'
   require 'rex/proto/ipmi/rakp2'

lib/rex/proto/ipmi/channel_auth_reply.rb

@@ -1,56 +1,57 @@
 # -*- coding: binary -*-
 
+require 'bindata'
+
 module Rex
 module Proto
 module IPMI
 
-class Channel_Auth_Reply < BitStruct
-  unsigned :rmcp_version,                    8,     "RMCP Version"
-  unsigned :rmcp_padding,                    8,     "RMCP Padding"
-  unsigned :rmcp_sequence,                   8,     "RMCP Sequence"
-  unsigned :rmcp_mtype,                      1,     "RMCP Message Type"
-  unsigned :rmcp_class,                      7,     "RMCP Message Class"
-
-  unsigned :session_auth_type,               8,     "Session Auth Type"
-  unsigned :session_sequence,               32,     "Session Sequence Number"
-  unsigned :session_id,                     32,     "Session ID"
-  unsigned :message_length,                  8,     "Message Length"
-
-  unsigned :ipmi_tgt_address,                8,     "IPMI Target Address"
-  unsigned :ipmi_tgt_lun,                    8,     "IPMI Target LUN"
-  unsigned :ipmi_header_checksum,            8,     "IPMI Header Checksum"
-  unsigned :ipmi_src_address,                8,     "IPMI Source Address"
-  unsigned :ipmi_src_lun,                    8,     "IPMI Source LUN"
-  unsigned :ipmi_command,                    8,     "IPMI Command"
-  unsigned :ipmi_completion_code,            8,     "IPMI Completion Code"
-
-  unsigned :ipmi_channel,                    8,     "IPMI Channel"
-
-  unsigned :ipmi_compat_20,                  1,     "IPMI Version Compatibility: IPMI 2.0+"
-  unsigned :ipmi_compat_reserved1,           1,     "IPMI Version Compatibility: Reserved 1"
-  unsigned :ipmi_compat_oem_auth,            1,     "IPMI Version Compatibility: OEM Authentication"
-  unsigned :ipmi_compat_password,            1,     "IPMI Version Compatibility: Straight Password"
-  unsigned :ipmi_compat_reserved2,           1,     "IPMI Version Compatibility: Reserved 2"
-  unsigned :ipmi_compat_md5,                 1,     "IPMI Version Compatibility: MD5"
-  unsigned :ipmi_compat_md2,                 1,     "IPMI Version Compatibility: MD2"
-  unsigned :ipmi_compat_none,                1,     "IPMI Version Compatibility: None"
-
-  unsigned :ipmi_user_reserved1,             2,     "IPMI User Compatibility: Reserved 1"
-  unsigned :ipmi_user_kg,                    1,     "IPMI User Compatibility: KG Set to Default"
-  unsigned :ipmi_user_disable_message_auth,  1,     "IPMI User Compatibility: Disable Per-Message Authentication"
-  unsigned :ipmi_user_disable_user_auth,     1,     "IPMI User Compatibility: Disable User-Level Authentication"
-  unsigned :ipmi_user_non_null,              1,     "IPMI User Compatibility: Non-Null Usernames Enabled"
-  unsigned :ipmi_user_null,                  1,     "IPMI User Compatibility: Null Usernames Enabled"
-  unsigned :ipmi_user_anonymous,             1,     "IPMI User Compatibility: Anonymous Login Enabled"
-
-  unsigned :ipmi_conn_reserved1,             6,     "IPMI Connection Compatibility: Reserved 1"
-  unsigned :ipmi_conn_20,                    1,     "IPMI Connection Compatibility: 2.0"
-  unsigned :ipmi_conn_15,                    1,     "IPMI Connection Compatibility: 1.5"
-
-  unsigned :ipmi_oem_id,                    24,     "IPMI OEM ID", :endian => 'little'
-
-  rest :ipm_oem_data, "IPMI OEM Data + Checksum Byte"
-
+class Channel_Auth_Reply < BinData::Record
+  endian :little
+  uint8  :rmcp_version            ,label: "RMCP Version"
+  uint8  :rmcp_padding            ,label: "RMCP Padding"
+  uint8  :rmcp_sequence           ,label: "RMCP Sequence"
+  bit1   :rmcp_mtype              ,label: "RMCP Message Type"
+  bit7   :rmcp_class              ,label: "RMCP Message Class"
+
+  uint8  :session_auth_type       ,label: "Session Auth Type"
+  uint32 :session_sequence        ,label: "Session Sequence Number"
+  uint32 :session_id              ,label: "Session ID"
+  uint8  :message_length          ,label: "Message Length"
+
+  uint8  :ipmi_tgt_address        ,label: "IPMI Target Address"
+  uint8  :ipmi_tgt_lun            ,label: "IPMI Target LUN"
+  uint8  :ipmi_header_checksum    ,label: "IPMI Header Checksum"
+  uint8  :ipmi_src_address        ,label: "IPMI Source Address"
+  uint8  :ipmi_src_luna           ,label: "IPMI Source LUN"
+  uint8  :ipmi_command            ,label: "IPMI Command"
+  uint8  :ipmi_completion_code    ,label: "IPMI Completion Code"
+
+  uint8  :ipmi_channel            ,label: "IPMI Channel"
+
+  bit1   :ipmi_compat_20          ,label: "IPMI Version Compatibility: IPMI 2.0+"
+  bit1   :ipmi_compat_reserved1   ,label: "IPMI Version Compatibility: Reserved 1"
+  bit1   :ipmi_compat_oem_auth    ,label: "IPMI Version Compatibility: OEM Authentication"
+  bit1   :ipmi_compat_password    ,label: "IPMI Version Compatibility: Straight Password"
+  bit1   :ipmi_compat_reserved2   ,label: "IPMI Version Compatibility: Reserved 2"
+  bit1   :ipmi_compat_md5         ,label: "IPMI Version Compatibility: MD5"
+  bit1   :ipmi_compat_md2         ,label: "IPMI Version Compatibility: MD2"
+  bit1   :ipmi_compat_none        ,label: "IPMI Version Compatibility: None"
+
+  bit2   :ipmi_user_reserved1     ,label: "IPMI User Compatibility: Reserved 1"
+  bit1   :ipmi_user_kg            ,label: "IPMI User Compatibility: KG Set to Default"
+  bit1   :ipmi_user_disable_message_auth ,label: "IPMI User Compatibility: Disable Per-Message Authentication"
+  bit1   :ipmi_user_disable_user_auth ,label: "IPMI User Compatibility: Disable User-Level Authentication"
+  bit1   :ipmi_user_non_null      ,label: "IPMI User Compatibility: Non-Null Usernames Enabled"
+  bit1   :ipmi_user_null          ,label: "IPMI User Compatibility: Null Usernames Enabled"
+  bit1   :ipmi_user_anonymous     ,label: "IPMI User Compatibility: Anonymous Login Enabled"
+
+  bit6   :ipmi_conn_reserved1     ,label: "IPMI Connection Compatibility: Reserved 1"
+  bit1   :ipmi_conn_20            ,label: "IPMI Connection Compatibility: 2.0"
+  bit1   :ipmi_conn_15            ,label: "IPMI Connection Compatibility: 1.5"
+  bit24  :ipmi_oem_id             ,label: "IPMI OEM ID"
+
+  rest :ipm_oem_data              ,label: "IPMI OEM Data + Checksum Byte"
 
   def to_banner
     info   = self

lib/rex/proto/ipmi/open_session_reply.rb

@@ -1,36 +1,39 @@
 # -*- coding: binary -*-
 
-module Rex
-module Proto
-module IPMI
-
-class Open_Session_Reply < BitStruct
-  unsigned :rmcp_version,  8,  "RMCP Version"
-  unsigned :rmcp_padding,  8,  "RMCP Padding"
-  unsigned :rmcp_sequence, 8,  "RMCP Sequence"
-  unsigned :rmcp_mtype,    1,  "RMCP Message Type"
-  unsigned :rmcp_class,    7,  "RMCP Message Class"
-
-  unsigned :session_auth_type, 8,  "Authentication Type"
-
-  unsigned :session_payload_encrypted,     1,  "Session Payload Encrypted"
-  unsigned :session_payload_authenticated, 1,  "Session Payload Authenticated"
-  unsigned :session_payload_type,          6,  "Session Payload Type", :endian => 'little'
-
-  unsigned :session_id,       32,  "Session ID"
-  unsigned :session_sequence, 32,  "Session Sequence Number"
-  unsigned :message_length,   16,  "Message Length", :endian => "little"
-
-  unsigned :ignored1,        8, "Ignored"
-  unsigned :error_code,      8, "RMCP Error Code"
-  unsigned :ignored2,       16, "Ignored"
-  char :console_session_id, 32, "Console Session ID"
-  char :bmc_session_id,     32, "BMC Session ID"
+require 'bindata'
 
-  rest :stuff, "The Rest of the Stuff"
-end
-
-end
-end
+module Rex
+  module Proto
+    module IPMI
+      class Open_Session_Reply < BinData::Record
+        endian  :little
+        uint8   :rmcp_version                     ,label: "RMCP Version"
+        uint8   :rmcp_padding                     ,label: "RMCP Padding"
+        uint8   :rmcp_sequence                    ,label: "RMCP Sequence"
+        bit1    :rmcp_mtype                       ,label: "RMCP Message Type"
+        bit7    :rmcp_class                       ,label: "RMCP Message Class"
+
+        uint8   :session_auth_type                ,label: "Authentication Type"
+
+        bit1    :session_payload_encrypted        ,label: "Session Payload Encr"
+        bit1    :session_payload_authenticated    ,label: "Session Payload Auth"
+        bit6    :session_payload_type             ,label: "Session Payload Type"
+
+        uint32   :session_id                      ,label: "Session ID"
+        uint32   :session_sequence                ,label: "Session Sequence Number"
+        uint16   :message_length                  ,label: "Message Length"
+
+        uint8    :ignored1                        ,label: "Ignored"
+        uint8    :error_code                      ,label: "RMCP Error Code"
+        uint16   :ignored2                        ,label: "Ignored"
+        rest     :data                            ,label: "Session Info"
+      end
+
+      class Session_Data < BinData::Record
+        endian   :little
+        string   :console_session_id, length: 4   ,label: "Console Session ID"
+        string   :bmc_session_id, length: 4       ,label: "BMC Session ID"
+      end
+    end
+  end
 end
-

lib/rex/proto/ipmi/rakp2.rb

@@ -1,36 +1,40 @@
 # -*- coding: binary -*-
 
-module Rex
-module Proto
-module IPMI
-
-class RAKP2 < BitStruct
-  unsigned :rmcp_version,      8,     "RMCP Version"
-  unsigned :rmcp_padding,      8,     "RMCP Padding"
-  unsigned :rmcp_sequence,     8,     "RMCP Sequence"
-  unsigned :rmcp_mtype,    1,     "RMCP Message Type"
-  unsigned :rmcp_class,    7,     "RMCP Message Class"
+require 'bindata'
 
-  unsigned :session_auth_type,  8,     "Authentication Type"
+module Rex
+  module Proto
+    module IPMI
+      class RAKP2 < BinData::Record
+        endian  :little
+        uint8   :rmcp_version                   ,label: "RMCP Version"
+        uint8   :rmcp_padding                   ,label: "RMCP Padding"
+        uint8   :rmcp_sequence                  ,label: "RMCP Sequence"
+        bit1    :rmcp_mtype                     ,label: "RMCP Message Type"
+        bit7    :rmcp_class                     ,label: "RMCP Message Class"
 
-  unsigned :session_payload_encrypted,  1,     "Session Payload Encrypted"
-  unsigned :session_payload_authenticated,  1,     "Session Payload Authenticated"
-  unsigned :session_payload_type,  6,     "Session Payload Type", :endian => 'little'
+        uint8   :session_auth_type              ,label: "Authentication Type"
 
-  unsigned :session_id,  32,     "Session ID"
-  unsigned :session_sequence,  32,     "Session Sequence Number"
-  unsigned :message_length,  16,     "Message Length", :endian => "little"
+        bit1    :session_payload_encrypted      ,label: "Session Payload Encrypted"
+        bit1    :session_payload_authenticated  ,label: "Session Payload Authenticated"
+        bit6    :session_payload_type           ,label: "Session Payload Type"
 
-  unsigned :ignored1, 8, "Ignored"
-  unsigned :error_code, 8, "RMCP Error Code"
-  unsigned :ignored2, 16, "Ignored"
-  char :console_session_id, 32, "Console Session ID"
-  char :bmc_random_id,  128,     "BMC Random ID"
-  char :bmc_guid,  128,     "RAKP2 Hash 2 (nulls)"
-  char :hmac_sha1,  160,     "HMAC_SHA1 Output"
-  rest :stuff, "The rest of the stuff"
-end
+        uint32  :session_id                     ,label: "Session ID"
+        uint32  :session_sequence               ,label: "Session Sequence Number"
+        uint16  :message_length                 ,label: "Message Length"
+        uint8   :ignored1                       ,label: "Ignored"
+        uint8   :error_code                     ,label: "RMCP Error Code"
+        uint16  :ignored2                       ,label: "Ignored"
+        rest    :data                           ,label: "RAKP2 Data"
+      end
 
-end
-end
+      class RAKP2_Data < BinData::Record
+        endian  :little
+        string  :console_session_id, length: 4  ,label: "Console Session ID"
+        string  :bmc_random_id, length: 16      ,label: "BMC Random ID"
+        string  :bmc_guid, length: 16           ,label: "RAKP2 Hash 2 (nulls)"
+        string  :hmac_sha1, length: 20          ,label: "HMAC_SHA1 Output"
+      end
+    end
+  end
 end

modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb

@@ -16,7 +16,7 @@ def initialize
     super(
       'Name'        => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',
       'Description' => %q|
-        This module identifies IPMI 2.0 compatible systems that are vulnerable
+        This module identifies IPMI 2.0-compatible systems that are vulnerable
         to an authentication bypass vulnerability through the use of cipher
         zero.
         |,
@@ -54,9 +54,8 @@ def scan_host(ip)
   end
 
   def scanner_process(data, shost, sport)
-    info = Rex::Proto::IPMI::Open_Session_Reply.new(data) rescue nil
-    return if not info
-    return if not info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP
+    info = Rex::Proto::IPMI::Open_Session_Reply.new.read(data)#  rescue nil
+    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP
 
     # Ignore duplicate replies
     return if @res[shost]