Supermicro Onboard IPMI Static SSL Certificate Scanner

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  PRIVATE_KEY = <<-EOF.gsub(/^ {4}/, '')    -----BEGIN RSA PRIVATE KEY-----    MIICXQIBAAKBgQC1q1kR6chWLfwspD84Asyy6EFV6SYRGy/gILsYGtn9kCQi2RFo    bNxS5CvphbGWn9D9n5gJpTVWLWb3LwJxGuBKSRj2wrHLlejzw6kSmF+3xFCuMfxV    FSj8TM8JqlOqM1c6lvH2MSXnN7pJBVcekNKbBUEfptakPSejStljbXecSwIDAQAB    AoGAah4/FzGiboTKCyGeNA+eltsIXzCjpdZlrtwvrbLxpyXtldWKT59XS6ww4mXQ    CJYuNBhnbSrt7vrybG0vVfZHEOCvK+5YKBOtvRgrWDgs1Bkc5hsdI5gLx3jE7g6M    PuUvD7ueF4OzYeYRrOLWr957jl32n+hD/k65bKWAUp3aTDECQQDqnEPZWlmoH7Jp    6woRnEp+1cullHv8DviM5Huh+JeBotSa03p4unhKlRYSqnHdeHU2343n1VUDzvnV    LQWi5G+FAkEAxjt0S67lyuuVD842uZRHt2WSQvwt23aKzQ+EJwV0IXYzfefeLzEm    dDdvc1AJ31gweAQK89/5/1EEF40K7BJdjwJBAJDFdtTT/QlS7eyQPjlZwVp9IVp+    wvdqYZPHlkb/uLYlPZ6Aq01+e6ZCU0mXZgYtQ99lmhKaQQjFmsMiMh0va2UCQA2T    NLuaFpJ235ZdgNHknaSpiAKeUmWdEJRKY7poXTONbKlKn6SLsR50TWWQLZzl5SvS    2w0oYW5ile0m84CHIXECQQCrABn0HY4Ll9/4FX+OCWamqwENltU1GcGIogeyFymK    ZVX8QdAVoUiZoUaVku946j63WNSkI1sU/UWhL6XDt4gx    -----END RSA PRIVATE KEY-----  EOF  def initialize    super(      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',      'Description' => %q{        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI        controllers. An attacker with access to the publicly-available firmware can perform        man-in-the-middle attacks and offline decryption of communication to the controller.        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware        version SMT_X9_214.      },      'Author'       =>        [          'hdm', # Discovery and analysis          'juan' # Metasploit module        ],      'License'     => MSF_LICENSE,      'References'  =>        [          [ 'CVE', '2013-3619' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/']        ],      'DisclosureDate' => 'Nov 06 2013'    )    register_options(      [        Opt::RPORT(443),      ])  end  # Fingerprint a single host  def run_host(ip)    connect(true, {"SSL" => true}) #Force SSL    cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)    disconnect    unless cert      vprint_error("#{ip}:#{rport} - No certificate found")      return    end    pkey = OpenSSL::PKey::RSA.new(PRIVATE_KEY)    result = cert.verify(pkey)    if result      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")      # Report with the SSL Private Key hash for the host      digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")      report_note(        :host  => ip,        :proto => 'tcp',        :port  => rport,        :type  => 'supermicro.ipmi.ssl.certificate.pkey_hash',        :data  => digest      )      report_vuln({        :host  => rhost,        :port  => rport,        :proto => 'tcp',        :name  => "Supermicro Onboard IPMI Static SSL Certificate",        :refs  => self.references      })    end  endend