Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Auxiliary::UDPScanner

9


10
  def initialize

11
    super(

12
      'Name' => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',

13
      'Description' => %q|

14
        This module identifies IPMI 2.0-compatible systems that are vulnerable

15
        to an authentication bypass vulnerability through the use of cipher

16
        zero.

17
        |,

18
      'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],

19
      'License' => MSF_LICENSE,

20
      'References' => [

21
        ['CVE', '2013-4782'],

22
        ['URL', 'http://fish2.com/ipmi/cipherzero.html'],

23
        ['OSVDB', '93038'],

24
        ['OSVDB', '93039'],

25
        ['OSVDB', '93040'],

26


27
      ],

28
      'DisclosureDate' => 'Jun 20 2013'

29
    )

30


31
    register_options(

32
      [

33
        Opt::RPORT(623)

34
      ]

35
    )

36
  end

37


38
  def scanner_prescan(batch)

39
    print_status("Sending IPMI requests to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")

40
    @res = {}

41
  end

42


43
  def scan_host(ip)

44
    console_session_id = Rex::Text.rand_text(4)

45
    scanner_send(

46
      Rex::Proto::IPMI::Utils.create_ipmi_session_open_cipher_zero_request(console_session_id),

47
      ip, datastore['RPORT']

48
    )

49
  end

50


51
  def scanner_process(data, shost, sport)

52
    info = Rex::Proto::IPMI::Open_Session_Reply.new.read(data) #  rescue nil

53
    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP

54


55
    # Ignore duplicate replies

56
    return if @res[shost]

57


58
    @res[shost] ||= info

59


60
    if info.error_code == 0

61
      print_good("#{shost}:#{sport} - IPMI - VULNERABLE: Accepted a session open request for cipher zero")

62
      report_vuln(

63
        :host => shost,

64
        :port => datastore['RPORT'].to_i,

65
        :proto => 'udp',

66
        :sname => 'ipmi',

67
        :name => 'IPMI 2.0 RAKP Cipher Zero Authentication Bypass',

68
        :info => "Accepted a session open request for cipher zero",

69
        :refs => self.references

70
      )

71
    else

72
      vprint_status("#{shost}:#{sport} - IPMI - NOT VULNERABLE: Rejected cipher zero with error code #{info.error_code}")

73
    end

74
  end

75
end

76


77