Land rapid7#8880, added Cisco Smart Install (SMI) scanner

Author: Brent Cook

documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md

@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+  Any system exposing the Cisco Smart Install (SMI) protocol, which typically runs on TCP port 4786.
+
+## Verification Steps
+
+  1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
+  2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
+  3. Do: ```run```
+  4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
+
+
+## Scenarios
+
+  ```
+msf auxiliary(cisco_smart_install) > run
+
+[*] Scanned  57 of 512 hosts (11% complete)
+[*] Scanned 105 of 512 hosts (20% complete)
+[*] Scanned 157 of 512 hosts (30% complete)
+[*] Scanned 212 of 512 hosts (41% complete)
+[*] Scanned 256 of 512 hosts (50% complete)
+[*] Scanned 310 of 512 hosts (60% complete)
+[*] Scanned 368 of 512 hosts (71% complete)
+[*] Scanned 413 of 512 hosts (80% complete)
+[*] Scanned 466 of 512 hosts (91% complete)
+[+] a.b.c.d:4786   - Fingerprinted the Cisco Smart Install protocol
+[*] Scanned 512 of 512 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

modules/auxiliary/scanner/misc/cisco_smart_install.rb

@@ -0,0 +1,88 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'Identify Cisco Smart Install endpoints',
+        'Description'    => %q(
+          This module attempts to connect to the specified Cisco Smart Install port
+          and determines if it speaks the Smart Install Protocol.  Exposure of SMI
+          to untrusted networks can allow complete compromise of the switch.
+        ),
+        'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',
+        'References'     =>
+          [
+            ['URL', 'https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html'],
+            ['URL', 'https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature'],
+            ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi'],
+            ['URL', 'https://github.com/Cisco-Talos/smi_check'],
+            ['URL', 'https://github.com/Sab0tag3d/SIET']
+
+          ],
+        'License'        => MSF_LICENSE
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(4786)
+      ]
+    )
+  end
+
+  # thanks to https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
+  SMI_PROBE = "\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00".freeze
+  SMI_RE = /^\x00{3}\x04\x00{7}\x03\x00{3}\x08\x00{3}\x01\x00{4}$/
+  def smi?
+    sock.puts(SMI_PROBE)
+    response = sock.get_once(-1)
+    if response
+      if SMI_RE.match?(response)
+        print_good("Fingerprinted the Cisco Smart Install protocol")
+        return true
+      else
+        vprint_status("No match for '#{response}'")
+      end
+    else
+      vprint_status("No response")
+    end
+  end
+
+  def run_host(_ip)
+    begin
+      connect
+      return unless smi?
+    rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \
+           ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e
+      vprint_error("error while connecting and negotiating Cisco Smart Install: #{e}")
+      return
+    ensure
+      disconnect
+    end
+
+    service = report_service(
+      host: rhost,
+      port: rport,
+      proto: 'tcp',
+      name: 'Smart Install'
+    )
+
+    report_vuln(
+      host: rhost,
+      service: service,
+      name: name,
+      info: "Fingerprinted the Cisco Smart Install Protocol",
+      refs: references,
+      exploited_at: Time.now.utc
+    )
+  end
+end