
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
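class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::SunRPC
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Portmapper identifiers from RFC 1057 (the reference below): the portmap
  # program is 100000, the version spoken here is 2, and procedure 4 is
  # PMAPPROC_DUMP, which returns the full list of registered mappings.
  PMAP_PROG = 100000
  PMAP_VERS = 2
  PMAPPROC_DUMP = 4

  # IP protocol numbers carried in each mapping; anything else is reported
  # and skipped rather than recorded.
  PROTO_NAMES = { 0x06 => 'tcp', 0x11 => 'udp' }.freeze

  # Module metadata: name, description, author, references and license.
  def initialize
    super(
      'Name' => 'SunRPC Portmap Program Enumerator',
      'Description' => '
        This module calls the target portmap service and enumerates all program
        entries and their running port numbers.
      ',
      'Author' => ['<tebo[at]attackresearch.com>'],
      'References' =>
        [
          ['URL', 'http://www.ietf.org/rfc/rfc1057.txt']
        ],
      'License' => MSF_LICENSE
    )
  end

  # Scanner entry point, invoked once per target host.
  #
  # Opens a UDP RPC session to the portmapper, issues PMAPPROC_DUMP, and
  # prints/records every mapping found. RPC timeouts and RPC errors are
  # logged (verbosely) and end the scan of this host.
  #
  # @param ip [String] target address; the port comes from rport, which the
  #   included mixins provide (presumably the RPORT option — confirm)
  # @return [void]
  def run_host(ip)
    peer = "#{ip}:#{rport}"
    vprint_status "#{peer} - SunRPC - Enumerating programs"

    connected = false
    begin
      return unless sunrpc_create('udp', PMAP_PROG, PMAP_VERS)
      connected = true
      sunrpc_authnull
      maps = parse_pmaplist(sunrpc_call(PMAPPROC_DUMP, ""))
    rescue ::Rex::Proto::SunRPC::RPCTimeout, ::Rex::Proto::SunRPC::RPCError => e
      vprint_error(e.to_s)
      return
    ensure
      # Release the RPC session on every exit path. Previously it was only
      # destroyed on the success path, so a timeout or RPC error after
      # sunrpc_create leaked it.
      sunrpc_destroy if connected
    end

    return if maps.empty?
    print_good("#{peer} - Found #{maps.size} programs available")
    report_mappings(ip, peer, maps)
  end

  private

  # Decode an XDR pmaplist reply into [prog, vers, prot, port] tuples.
  #
  # Each entry is preceded by a "value follows" integer (1); 0 ends the list.
  # The reply comes straight from the remote (untrusted) portmapper, so a nil
  # or shorter-than-one-integer reply yields an empty list instead of raising.
  # NOTE(review): what XDR.decode!/decode_int! do on a reply truncated
  # mid-entry is not visible here — confirm they raise something the caller
  # tolerates, or guard further.
  #
  # @param resp [String, nil] raw reply body from sunrpc_call; consumed in place
  # @return [Array<Array<Integer>>] mappings in reply order
  def parse_pmaplist(resp)
    maps = []
    return maps if resp.nil? || resp.bytesize < 4

    while XDR.decode_int!(resp) == 1
      maps << XDR.decode!(resp, Integer, Integer, Integer, Integer)
    end
    maps
  end

  # Print the discovered mappings as a table and record each one as a service.
  #
  # Entries with an unknown protocol number or an out-of-range port are
  # printed as errors and skipped: both values are attacker-controlled and
  # would otherwise be written to the database as-is.
  #
  # @param ip [String] target address (used for the table header and report)
  # @param peer [String] "ip:port" prefix used in console messages
  # @param maps [Array<Array<Integer>>] tuples from parse_pmaplist
  # @return [void]
  def report_mappings(ip, peer, maps)
    table = Rex::Ui::Text::Table.new(
      'Header' => "SunRPC Programs for #{ip}",
      'Indent' => 1,
      'Columns' => %w(Name Number Version Port Protocol)
    )

    maps.each do |prog, vers, prot_num, port|
      thing = "RPC Program ##{prog} v#{vers} on port #{port} w/ protocol #{prot_num}"

      proto = PROTO_NAMES[prot_num]
      unless proto
        print_error("#{peer}: unknown protocol number for #{thing}")
        next
      end

      unless (1..65535).cover?(port)
        print_error("#{peer}: invalid port for #{thing}")
        next
      end

      resolved = progresolv(prog)
      table << [resolved, prog, vers, port, proto]

      report_service(
        host: ip,
        port: port,
        proto: proto,
        name: resolved,
        info: "Prog: #{prog} Version: #{vers} - via portmapper"
      )
    end

    print_good(table.to_s)
  end
end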