CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6


7
class MetasploitModule < Msf::Auxiliary

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::UDPScanner

10


11
  def initialize

12
    super(

13
      'Name'        => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',

14
      'Description' => %q|

15
        This module identifies IPMI 2.0-compatible systems that are vulnerable

16
        to an authentication bypass vulnerability through the use of cipher

17
        zero.

18
        |,

19
      'Author'      => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],

20
      'License'     => MSF_LICENSE,

21
      'References'  =>

22
        [

23
          ['CVE', '2013-4782'],

24
          ['URL', 'http://fish2.com/ipmi/cipherzero.html'],

25
          ['OSVDB', '93038'],

26
          ['OSVDB', '93039'],

27
          ['OSVDB', '93040'],

28


29
        ],

30
      'DisclosureDate' => 'Jun 20 2013'

31
    )

32


33
    register_options(

34
    [

35
      Opt::RPORT(623)

36
    ])

37


38
  end

39


40
  def scanner_prescan(batch)

41
    print_status("Sending IPMI requests to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")

42
    @res = {}

43
  end

44


45
  def scan_host(ip)

46
    console_session_id = Rex::Text.rand_text(4)

47
    scanner_send(

48
      Rex::Proto::IPMI::Utils.create_ipmi_session_open_cipher_zero_request(console_session_id),

49
      ip, datastore['RPORT']

50
    )

51
  end

52


53
  def scanner_process(data, shost, sport)

54
    info = Rex::Proto::IPMI::Open_Session_Reply.new.read(data)#  rescue nil

55
    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP

56


57
    # Ignore duplicate replies

58
    return if @res[shost]

59


60
    @res[shost] ||= info

61


62
    if info.error_code == 0

63
      print_good("#{shost}:#{sport} - IPMI - VULNERABLE: Accepted a session open request for cipher zero")

64
      report_vuln(

65
        :host  => shost,

66
        :port  => datastore['RPORT'].to_i,

67
        :proto => 'udp',

68
        :sname => 'ipmi',

69
        :name  => 'IPMI 2.0 RAKP Cipher Zero Authentication Bypass',

70
        :info  => "Accepted a session open request for cipher zero",

71
        :refs  => self.references

72
      )

73
    else

74
      vprint_status("#{shost}:#{sport} - IPMI - NOT VULNERABLE: Rejected cipher zero with error code #{info.error_code}")

75
    end

76
  end

77
end

78


79