DavidWittman/supermicro-psblock-fix.expect

## supermicro-psblock-fix.expect
#!/usr/bin/expect -f

# This script secures SuperMicro IPMI implementations which are vulnerable
# to viewing the IPMI password in plaintext on port 49152. It does this by
# using the shell available in some SuperMicro BMCs to drop traffic to port
# 49152 in iptables.
#
# See http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
# for more details on the vulnerability.
#
# Usage ./supermicro-psblock-fix.expect $IPMI_HOST <$IPMI_PASSWORD>
#  e.g. ./supermicro-psblock-fix.expect 10.0.0.2
#       ./supermicro-psblock-fix.expect 10.0.0.2 PASSWORD123

set timeout 30
set IPMI [lindex $argv 0]
set PASSWORD [lindex $argv 1]
set USER ADMIN
set PROMPT ->
set PORT 49152

# Default password to "ADMIN" (SuperMicro default) if one isn't passed in
if { [string length $PASSWORD] == 0 } {
  set PASSWORD ADMIN
}

spawn ssh -o StrictHostKeyChecking=no $USER@$IPMI
expect "password: "
send -- "$PASSWORD\r"
expect {
  "#" {
    # In most cases, the BMCs which drop straight a shell do not support
    # using the TCP module for iptables, which is no bueno.
    puts "\nERROR: Unsupported firmware version."
    exit 1
  }
  -exact $PROMPT {}
}

send -- "shell sh\r"
expect {
  "#" {
    send -- "iptables-save | grep -q '\\-A INPUT -p tcp -m tcp --dport $PORT -j DROP' && echo 'OK'\r"
    expect {
      "OK\r\n#" {
        puts "\niptables rule is already in place."
      }
      "#" {
        send -- "iptables -I INPUT -m tcp -p tcp --dport $PORT -j DROP\r"
        expect "#"
        send -- "iptables-save > /nv/ipctrl/rultbl.sav\r"
        expect "#"
        puts "\nSuccessfully blocked port $PORT in iptables!"
      }
    }
  }
  "shell command not support now." {
    puts "\nERROR: Accessing the shell is not available on this BMC."
    exit 1
  }
  timeout {
    puts "\nERROR: Timeout accessing shell on the BMC."
    exit 1
  }
}
	#!/usr/bin/expect -f

	# This script secures SuperMicro IPMI implementations which are vulnerable
	# to viewing the IPMI password in plaintext on port 49152. It does this by
	# using the shell available in some SuperMicro BMCs to drop traffic to port
	# 49152 in iptables.
	#
	# See http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
	# for more details on the vulnerability.
	#
	# Usage ./supermicro-psblock-fix.expect $IPMI_HOST <$IPMI_PASSWORD>
	# e.g. ./supermicro-psblock-fix.expect 10.0.0.2
	# ./supermicro-psblock-fix.expect 10.0.0.2 PASSWORD123

	set timeout 30
	set IPMI [lindex $argv 0]
	set PASSWORD [lindex $argv 1]
	set USER ADMIN
	set PROMPT ->
	set PORT 49152

	# Default password to "ADMIN" (SuperMicro default) if one isn't passed in
	if { [string length $PASSWORD] == 0 } {
	set PASSWORD ADMIN
	}

	spawn ssh -o StrictHostKeyChecking=no $USER@$IPMI
	expect "password: "
	send -- "$PASSWORD\r"
	expect {
	"#" {
	# In most cases, the BMCs which drop straight a shell do not support
	# using the TCP module for iptables, which is no bueno.
	puts "\nERROR: Unsupported firmware version."
	exit 1
	}
	-exact $PROMPT {}
	}

	send -- "shell sh\r"
	expect {
	"#" {
	send -- "iptables-save \| grep -q '\\-A INPUT -p tcp -m tcp --dport $PORT -j DROP' && echo 'OK'\r"
	expect {
	"OK\r\n#" {
	puts "\niptables rule is already in place."
	}
	"#" {
	send -- "iptables -I INPUT -m tcp -p tcp --dport $PORT -j DROP\r"
	expect "#"
	send -- "iptables-save > /nv/ipctrl/rultbl.sav\r"
	expect "#"
	puts "\nSuccessfully blocked port $PORT in iptables!"
	}
	}
	}
	"shell command not support now." {
	puts "\nERROR: Accessing the shell is not available on this BMC."
	exit 1
	}
	timeout {
	puts "\nERROR: Timeout accessing shell on the BMC."
	exit 1
	}
	}