##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
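class Metasploit3 < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::DCERPC

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Hidden DCERPC Service Discovery',
      'Version'     => '$Revision$',
      'Description' => %q{
        This module will query the endpoint mapper and make a list
        of all ncacn_tcp RPC services. It will then connect to each of
        these services and use the management API to list all other
        RPC services accessible on this port. Any RPC service found attached
        to a TCP port, but not listed in the endpoint mapper, will be displayed
        and analyzed to see whether anonymous access is permitted.
      },
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE
    )

    # Targets come from the Scanner mixin (RHOSTS) and every port other
    # than the endpoint mapper is discovered at run time, so the single
    # RHOST/RPORT options from the DCERPC mixin would only mislead.
    deregister_options('RHOST', 'RPORT')
  end

  # Obtain information about a single host.
  #
  # Enumerates the ncacn_ip_tcp endpoints the endpoint mapper advertises,
  # then asks the DCERPC management interface on each of those ports which
  # interfaces it actually hosts. Interfaces the mapper did not advertise
  # are reported as HIDDEN and probed (see probe_hidden_interface).
  #
  # @param ip [String] address of the host being scanned; the endpoint
  #   mapper query itself uses the DCERPC mixin's settings for this host
  # @return [void] all findings are reported through print_status
  def run_host(ip)
    begin
      epm = dcerpc_endpoint_list()
      if not epm
        print_status("Could not contact the endpoint mapper on #{ip}")
        return
      end

      # port => { "uuid_version" => true } for every TCP interface the
      # endpoint mapper admits to hosting on that port.
      eports = {}
      epm.each do |ep|
        next if !(ep[:port] and ep[:prot] and ep[:prot] == "tcp")
        eports[ep[:port]] ||= {}
        eports[ep[:port]][ep[:uuid] + '_' + ep[:vers]] = true
      end

      eports.each_pair do |eport, servs|
        print_status("Looking for services on #{ip}:#{eport}...")

        # A port whose management interface does not answer is skipped;
        # the original returned here and silently abandoned every
        # remaining port on the host.
        ids = dcerpc_mgmt_inq_if_ids(eport)
        next if not ids

        ids.each do |uuid, vers|
          next if servs.has_key?(uuid + '_' + vers)
          print_status("\tHIDDEN: UUID #{uuid} v#{vers}")
          probe_hidden_interface(eport, uuid, vers)
        end
      end

    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      # Catch-all kept on purpose: Rex raises its own error classes and a
      # single unreachable host must not take down the whole scan.
      print_status("Error: #{e}")
    end
  end

  # Probe one interface the endpoint mapper did not advertise and report how
  # far an unauthenticated client gets: TCP connect (CONN), DCERPC bind
  # (BIND) and a call to opnum 0 (CALL), plus any stub data returned.
  #
  # NOTE(review): this is an intrusive probe. Opnum 0 of an unknown interface
  # is handed 128 zeroed NDR longs it was never written to parse; a fragile
  # service may fault or crash. Do not run it against hosts where that is
  # unacceptable.
  #
  # @param port [Integer] TCP port the interface was enumerated on
  # @param uuid [String] interface UUID as returned by mgmt inq_if_ids
  # @param vers [String] interface version as returned by mgmt inq_if_ids
  # @return [void] the result line is reported through print_status
  def probe_hidden_interface(port, uuid, vers)
    conn  = nil
    bind  = nil
    call  = nil
    data  = nil
    error = nil

    begin
      connect(true, { 'RPORT' => port })
      conn = true

      handle = dcerpc_handle(uuid, vers, 'ncacn_ip_tcp', [port])
      dcerpc_bind(handle)
      bind = true

      dcerpc.call(0, NDR.long(0) * 128)
      call = true

      resp = dcerpc.last_response
      data = resp.stub_data if resp and resp.stub_data
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      # Best-effort probe: keep the failure text for the report and go on.
      error = e.to_s
    ensure
      # connect(true, ...) installed a fresh global socket for this probe;
      # release it here rather than leaking one socket per hidden interface
      # until module cleanup.
      disconnect if conn
    end

    # A DCERPC fault other than access-denied means the request was
    # dispatched to the interface: anonymous callers reach its code even
    # though this particular stub was rejected.
    if (error and error =~ /DCERPC FAULT/ and error !~ /nca_s_fault_access_denied/)
      call = true
    end

    status = "\t\t"
    status << "CONN " if conn
    status << "BIND " if bind
    status << "CALL " if call
    status << "DATA=#{data.unpack("H*")[0]} " if data
    status << "ERROR=#{error} " if error

    print_status(status)
    print_status("")
  end

end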