GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/proto/ipmi/utils.rb
# -*- coding: binary -*-
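module Rex
  module Proto
    module IPMI
      # Stateless helpers that build IPMI / RMCP+ request packets and compute
      # the values needed to check a RAKP HMAC-SHA1 response.
      #
      # Every builder returns a binary (ASCII-8BIT) String. Caller-supplied
      # strings are treated as raw bytes, and every length field is a byte
      # count, so a user name containing multibyte characters is framed by its
      # encoded size rather than its character count.
      class Utils
        # IPMI two's-complement checksum: the low byte of the negated byte sum,
        # so that the covered bytes plus the checksum add up to 0 modulo 256.
        #
        # @param data [String] bytes to cover
        # @return [Integer] checksum in the range 0..255
        def self.checksum(data)
          total = data.bytes.sum
          (-total) & 0xff
        end

        # Builds the fixed, unauthenticated "Get Channel Authentication
        # Capabilities" probe.
        #
        # @return [String] 23-byte binary packet
        def self.create_ipmi_getchannel_probe
          [
            0x06, 0x00, 0xff, 0x07,       # RMCP Header
            0x00,                         # authentication type: none
            0x00, 0x00, 0x00, 0x00,       # session sequence number
            0x00, 0x00, 0x00, 0x00,       # session ID
            0x09,                         # length of the message that follows
            0x20, 0x18,                   # first two message header bytes
            0xc8,                         # checksum of the two bytes above
            0x81, 0x00,                   # requester address, sequence
            0x38,                         # Get Channel Authentication Capabilities
            0x8e, 0x04,                   # request data (channel, privilege level)
            0xb5                          # checksum of the five bytes above
          ].pack("C*")
        end

        # Builds an RMCP+ Open Session Request proposing algorithm 0x01 for
        # authentication, integrity (HMAC-SHA1) and confidentiality (AES).
        #
        # @param console_session_id [String] session ID chosen by the console,
        #   copied into the payload as raw bytes
        # @return [String] binary packet
        def self.create_ipmi_session_open_request(console_session_id)
          payload = open_session_payload(console_session_id, 0x01, 0x01, 0x01)
          rmcpplus_packet(PAYLOAD_RMCPPLUSOPEN_REQ, payload)
        end

        # Builds an RMCP+ Open Session Request proposing cipher suite 0:
        # algorithm 0x00 ("none") for authentication, integrity and
        # confidentiality.
        #
        # A BMC that accepts this proposal sets up sessions without verifying
        # the password; cipher suite 0 should be disabled in the BMC
        # configuration.
        #
        # @param console_session_id [String] session ID chosen by the console,
        #   copied into the payload as raw bytes
        # @return [String] binary packet
        def self.create_ipmi_session_open_cipher_zero_request(console_session_id)
          payload = open_session_payload(console_session_id, 0x00, 0x00, 0x00)
          rmcpplus_packet(PAYLOAD_RMCPPLUSOPEN_REQ, payload)
        end

        # Builds RAKP Message 1 for the given session and user name.
        #
        # @param bmc_session_id [String] session ID returned by the BMC
        # @param console_random_id [String] random number chosen by the console
        # @param username [String] account name; its byte length is written
        #   into a single-byte field, so only the low 8 bits of the length are
        #   kept by pack("C")
        # @return [String] binary packet
        def self.create_ipmi_rakp_1(bmc_session_id, console_random_id, username)
          user = username.b

          payload =
            [0x00, 0x00, 0x00, 0x00].pack("C*") +
            bmc_session_id.b +
            console_random_id.b +
            [
              0x14, 0x00, 0x00, # privilege byte 0x14 followed by two zero bytes
              user.bytesize     # byte length, not character count
            ].pack("C*") +
            user

          rmcpplus_packet(PAYLOAD_RAKP1, payload)
        end

        # Concatenates the values that are fed to HMAC-SHA1 when checking a
        # RAKP response: the session IDs, both random numbers, the BMC GUID,
        # the authentication level byte, the user name length byte and the
        # user name.
        #
        # Everything in this buffer is either sent by the console or returned
        # by the BMC, so the account password is the only secret input to the
        # HMAC; password strength and network isolation of the IPMI interface
        # are what protect a recorded exchange.
        #
        # @return [String] binary salt
        def self.create_rakp_hmac_sha1_salt(con_sid, bmc_sid, con_rid, bmc_rid, bmc_gid, auth_level, username)
          user = username.b

          con_sid.b +
            bmc_sid.b +
            con_rid.b +
            bmc_rid.b +
            bmc_gid.b +
            [auth_level, user.bytesize].pack("CC") + # byte length, not character count
            user
        end

        # Checks whether +password+ produces +hash+ as HMAC-SHA1 over +salt+.
        #
        # NOTE(review): this is a plain String#== comparison, which is not
        # constant-time. That is fine for checking recorded values offline;
        # it should not be reused as an authentication gate on a live service.
        #
        # @param salt [String] buffer from create_rakp_hmac_sha1_salt
        # @param hash [String] raw HMAC-SHA1 digest to compare against
        # @param password [String] candidate password, used as the HMAC key
        # @return [Boolean]
        def self.verify_rakp_hmac_sha1(salt, hash, password)
          OpenSSL::HMAC.digest('sha1', password, salt) == hash
        end

        # Wraps +payload+ in the RMCP+ session header shared by the open
        # session and RAKP requests and prefixes it with its little-endian
        # 16-bit byte length.
        def self.rmcpplus_packet(payload_type, payload)
          body = payload.b

          [
            0x06, 0x00, 0xff, 0x07, # RMCP Header
            0x06,                   # RMCP+ Authentication Type
            payload_type,           # Payload Type
            0x00, 0x00, 0x00, 0x00, # Session ID
            0x00, 0x00, 0x00, 0x00  # Sequence Number
          ].pack("C*") + [body.bytesize].pack('v') + body
        end

        # Builds the Open Session Request payload with the three proposed
        # algorithm numbers; the two public open-request builders differ only
        # in these values.
        def self.open_session_payload(console_session_id, auth_alg, integrity_alg, conf_alg)
          [
            0x00, 0x00, # Maximum access
            0x00, 0x00  # Reserved
          ].pack("C*") +
            console_session_id.b +
            [
              0x00, 0x00, 0x00, 0x08, # authentication entry, 8 bytes long
              auth_alg, 0x00, 0x00, 0x00,
              0x01, 0x00, 0x00, 0x08, # integrity entry, 8 bytes long
              integrity_alg, 0x00, 0x00, 0x00,
              0x02, 0x00, 0x00, 0x08, # confidentiality entry, 8 bytes long
              conf_alg, 0x00, 0x00, 0x00
            ].pack("C*")
        end

        private_class_method :rmcpplus_packet, :open_session_payload
      end
    end
  end
end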