2012-06-29 05:18:28 +00:00
|
|
|
# -*- coding: binary -*-
|
2011-05-12 20:03:55 +00:00
|
|
|
require 'rex/proto/dcerpc'
|
|
|
|
|
require 'rex/encoder/ndr'
|
2007-04-14 05:22:22 +00:00
|
|
|
require 'msf/core/exploit/dcerpc_epm'
|
|
|
|
|
require 'msf/core/exploit/dcerpc_mgmt'
|
2007-06-09 02:26:35 +00:00
|
|
|
require 'msf/core/exploit/dcerpc_lsa'
|
2005-07-17 08:24:30 +00:00
|
|
|
|
2005-06-05 05:42:43 +00:00
|
|
|
module Msf
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# This mixin provides utility methods for interacting with a DCERPC service on
|
|
|
|
|
# a remote machine. These methods may generally be useful in the context of
|
2010-07-09 18:03:48 +00:00
|
|
|
# exploitation. This mixin extends the Tcp exploit mixin. Only one DCERPC
|
2005-09-16 03:29:27 +00:00
|
|
|
# service can be accessed at a time using this class.
|
2005-06-05 05:42:43 +00:00
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
module Exploit::Remote::DCERPC
|
|
|
|
|
|
2005-09-16 03:29:27 +00:00
|
|
|
# Alias over the Rex DCERPC protocol modules
|
|
|
|
|
DCERPCPacket = Rex::Proto::DCERPC::Packet
|
|
|
|
|
DCERPCClient = Rex::Proto::DCERPC::Client
|
|
|
|
|
DCERPCResponse = Rex::Proto::DCERPC::Response
|
2013-02-19 18:55:06 +00:00
|
|
|
DCERPCUUID = Rex::Proto::DCERPC::UUID
|
2006-06-13 21:27:01 +00:00
|
|
|
NDR = Rex::Encoder::NDR
|
2005-12-13 06:08:40 +00:00
|
|
|
|
2007-04-14 05:22:22 +00:00
|
|
|
|
|
|
|
|
# Support TCP-based RPC services
|
|
|
|
|
include Exploit::Remote::Tcp
|
2010-07-09 18:03:48 +00:00
|
|
|
|
|
|
|
|
# Helper methods for specific services
|
2007-04-14 05:22:22 +00:00
|
|
|
include Exploit::Remote::DCERPC_EPM
|
|
|
|
|
include Exploit::Remote::DCERPC_MGMT
|
2007-06-09 02:26:35 +00:00
|
|
|
include Exploit::Remote::DCERPC_LSA
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2005-06-05 06:07:18 +00:00
|
|
|
def initialize(info = {})
|
2005-06-05 23:45:58 +00:00
|
|
|
super
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
register_evasion_options(
|
2005-10-03 13:51:05 +00:00
|
|
|
[
|
2006-04-30 19:49:27 +00:00
|
|
|
OptInt.new('DCERPC::max_frag_size', [ true, 'Set the DCERPC packet fragmentation size', 4096]),
|
2011-07-23 13:47:41 +00:00
|
|
|
OptBool.new('DCERPC::fake_bind_multi', [ false, 'Use multi-context bind calls', true ]),
|
2006-05-03 05:53:37 +00:00
|
|
|
OptInt.new('DCERPC::fake_bind_multi_prepend', [ false, 'Set the number of UUIDs to prepend before the target', 0]),
|
|
|
|
|
OptInt.new('DCERPC::fake_bind_multi_append', [ false, 'Set the number of UUIDs to append the target', 0]),
|
|
|
|
|
OptEnum.new('DCERPC::smb_pipeio', [ false, 'Use a different delivery method for accessing named pipes', 'rw', ['rw', 'trans']] )
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2005-10-03 13:51:05 +00:00
|
|
|
], Msf::Exploit::Remote::DCERPC)
|
|
|
|
|
|
2005-06-05 23:45:58 +00:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RHOST,
|
2005-07-17 10:30:11 +00:00
|
|
|
Opt::RPORT(135),
|
Merged revisions 5366-5377 via svnmerge from
svn+ssh://metasploit.com/home/svn/framework3/branches/framework-3.1
........
r5366 | hdm | 2008-01-26 20:30:53 -0600 (Sat, 26 Jan 2008) | 2 lines
Update version information
........
r5367 | hdm | 2008-01-26 21:10:57 -0600 (Sat, 26 Jan 2008) | 3 lines
Updated for version 3.1
........
r5369 | hdm | 2008-01-26 21:13:31 -0600 (Sat, 26 Jan 2008) | 3 lines
Wipe the private directories from the branch.
........
r5371 | hdm | 2008-01-27 17:24:24 -0600 (Sun, 27 Jan 2008) | 5 lines
Timeout options added for dcerpc connect and read times. Addition of novell netware as a supported target platform. Inclusion of the serverprotect exploit (still works on the latest version). Addition of the first remote netware kernel exploit that leads to a shell, addition of netware stager and shell, and first draft of the release notes for 3.1
........
r5372 | hdm | 2008-01-27 17:30:08 -0600 (Sun, 27 Jan 2008) | 3 lines
Formatting, indentation, fixed the static IP embedded in the request
........
r5373 | hdm | 2008-01-27 20:02:48 -0600 (Sun, 27 Jan 2008) | 3 lines
Correctly trap exploit errors in a way that works with all of the UIs
........
r5374 | hdm | 2008-01-27 20:23:25 -0600 (Sun, 27 Jan 2008) | 3 lines
More last-minute bug fixes
........
r5375 | hdm | 2008-01-27 20:37:43 -0600 (Sun, 27 Jan 2008) | 3 lines
Force multi-bind off in netware, correct label display in gtk gui labels
........
r5376 | hdm | 2008-01-27 20:50:03 -0600 (Sun, 27 Jan 2008) | 3 lines
More exception handling fun
........
git-svn-id: file:///home/svn/framework3/trunk@5378 4d416f70-5f16-0410-b530-b9f4589650da
2008-01-28 03:06:31 +00:00
|
|
|
], Msf::Exploit::Remote::DCERPC)
|
|
|
|
|
|
|
|
|
|
register_advanced_options(
|
|
|
|
|
[
|
2010-07-09 18:03:48 +00:00
|
|
|
OptInt.new('DCERPC::ReadTimeout', [ true, 'The number of seconds to wait for DCERPC responses', 10] )
|
|
|
|
|
], Msf::Exploit::Remote::DCERPC)
|
Merged revisions 5366-5377 via svnmerge from
svn+ssh://metasploit.com/home/svn/framework3/branches/framework-3.1
........
r5366 | hdm | 2008-01-26 20:30:53 -0600 (Sat, 26 Jan 2008) | 2 lines
Update version information
........
r5367 | hdm | 2008-01-26 21:10:57 -0600 (Sat, 26 Jan 2008) | 3 lines
Updated for version 3.1
........
r5369 | hdm | 2008-01-26 21:13:31 -0600 (Sat, 26 Jan 2008) | 3 lines
Wipe the private directories from the branch.
........
r5371 | hdm | 2008-01-27 17:24:24 -0600 (Sun, 27 Jan 2008) | 5 lines
Timeout options added for dcerpc connect and read times. Addition of novell netware as a supported target platform. Inclusion of the serverprotect exploit (still works on the latest version). Addition of the first remote netware kernel exploit that leads to a shell, addition of netware stager and shell, and first draft of the release notes for 3.1
........
r5372 | hdm | 2008-01-27 17:30:08 -0600 (Sun, 27 Jan 2008) | 3 lines
Formatting, indentation, fixed the static IP embedded in the request
........
r5373 | hdm | 2008-01-27 20:02:48 -0600 (Sun, 27 Jan 2008) | 3 lines
Correctly trap exploit errors in a way that works with all of the UIs
........
r5374 | hdm | 2008-01-27 20:23:25 -0600 (Sun, 27 Jan 2008) | 3 lines
More last-minute bug fixes
........
r5375 | hdm | 2008-01-27 20:37:43 -0600 (Sun, 27 Jan 2008) | 3 lines
Force multi-bind off in netware, correct label display in gtk gui labels
........
r5376 | hdm | 2008-01-27 20:50:03 -0600 (Sun, 27 Jan 2008) | 3 lines
More exception handling fun
........
git-svn-id: file:///home/svn/framework3/trunk@5378 4d416f70-5f16-0410-b530-b9f4589650da
2008-01-28 03:06:31 +00:00
|
|
|
|
2005-06-05 05:42:43 +00:00
|
|
|
end
|
2005-06-05 08:38:24 +00:00
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
def dcerpc_handle(uuid, version, protocol, opts)
|
2006-08-13 18:03:28 +00:00
|
|
|
self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, rhost, opts)
|
2005-12-15 04:46:52 +00:00
|
|
|
end
|
|
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
def dcerpc_bind(h)
|
2005-12-15 04:46:52 +00:00
|
|
|
opts = { 'Msf' => framework, 'MsfExploit' => self }
|
2005-09-16 03:29:27 +00:00
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
if datastore['DCERPC::max_frag_size']
|
|
|
|
|
opts['frag_size'] = datastore['DCERPC::max_frag_size']
|
2005-12-15 04:46:52 +00:00
|
|
|
end
|
2005-09-16 03:29:27 +00:00
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
if datastore['DCERPC::fake_bind_multi']
|
2005-12-15 04:46:52 +00:00
|
|
|
opts['fake_multi_bind'] = 1
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2006-05-03 05:53:37 +00:00
|
|
|
if datastore['DCERPC::fake_bind_multi_prepend']
|
|
|
|
|
opts['fake_multi_bind_prepend'] = datastore['DCERPC::fake_bind_multi_prepend']
|
|
|
|
|
end
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2006-05-03 05:53:37 +00:00
|
|
|
if datastore['DCERPC::fake_bind_multi_append']
|
|
|
|
|
opts['fake_multi_bind_append'] = datastore['DCERPC::fake_bind_multi_append']
|
2010-07-09 18:03:48 +00:00
|
|
|
end
|
2006-01-27 05:33:08 +00:00
|
|
|
end
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2008-04-04 20:54:39 +00:00
|
|
|
opts['connect_timeout'] = (datastore['ConnectTimeout'] || 10).to_i
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2008-04-04 20:54:39 +00:00
|
|
|
opts['read_timeout'] = (datastore['DCERPC::ReadTimeout'] || 10).to_i
|
2010-07-09 18:03:48 +00:00
|
|
|
|
|
|
|
|
|
2008-04-04 20:54:39 +00:00
|
|
|
# Configure the SMB evasion options
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2008-04-04 20:54:39 +00:00
|
|
|
if (datastore['SMBUser'])
|
2007-02-18 07:06:30 +00:00
|
|
|
opts['smb_user'] = datastore['SMBUser']
|
2006-01-27 05:33:08 +00:00
|
|
|
end
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2008-04-04 20:54:39 +00:00
|
|
|
if (datastore['SMBPass'])
|
2007-02-18 07:06:30 +00:00
|
|
|
opts['smb_pass'] = datastore['SMBPass']
|
2006-01-27 05:33:08 +00:00
|
|
|
end
|
2005-11-16 17:56:07 +00:00
|
|
|
|
2008-04-04 20:54:39 +00:00
|
|
|
if (datastore['DCERPC::smb_pipeio'])
|
2006-05-03 05:53:37 +00:00
|
|
|
opts['smb_pipeio'] = datastore['DCERPC::smb_pipeio']
|
|
|
|
|
end
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2008-04-04 20:54:39 +00:00
|
|
|
if (datastore['SMB::pipe_write_min_size'])
|
|
|
|
|
opts['pipe_write_min_size'] = datastore['SMB::pipe_write_min_size']
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if (datastore['SMB::pipe_write_max_size'])
|
|
|
|
|
opts['pipe_write_max_size'] = datastore['SMB::pipe_write_max_size']
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if (datastore['SMB::pipe_read_min_size'])
|
|
|
|
|
opts['pipe_read_min_size'] = datastore['SMB::pipe_read_min_size']
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if (datastore['SMB::pipe_read_max_size'])
|
|
|
|
|
opts['pipe_read_max_size'] = datastore['SMB::pipe_read_max_size']
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if (self.respond_to?('simple') and self.simple)
|
2006-04-30 19:49:27 +00:00
|
|
|
opts['smb_client'] = self.simple
|
|
|
|
|
end
|
2010-07-09 18:03:48 +00:00
|
|
|
|
|
|
|
|
# Create the DCERPC client
|
2007-02-26 17:38:01 +00:00
|
|
|
self.dcerpc = Rex::Proto::DCERPC::Client.new(h, self.sock, opts)
|
2005-09-16 03:29:27 +00:00
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
if (self.handle.protocol == 'ncacn_np' and not self.simple)
|
2005-12-15 04:46:52 +00:00
|
|
|
self.simple = self.dcerpc.smb # expose the simple client if we have access to it
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2011-01-11 17:56:27 +00:00
|
|
|
def dcerpc_call(function, stub = '', timeout=nil, do_recv=true)
|
Merged revisions 5366-5377 via svnmerge from
svn+ssh://metasploit.com/home/svn/framework3/branches/framework-3.1
........
r5366 | hdm | 2008-01-26 20:30:53 -0600 (Sat, 26 Jan 2008) | 2 lines
Update version information
........
r5367 | hdm | 2008-01-26 21:10:57 -0600 (Sat, 26 Jan 2008) | 3 lines
Updated for version 3.1
........
r5369 | hdm | 2008-01-26 21:13:31 -0600 (Sat, 26 Jan 2008) | 3 lines
Wipe the private directories from the branch.
........
r5371 | hdm | 2008-01-27 17:24:24 -0600 (Sun, 27 Jan 2008) | 5 lines
Timeout options added for dcerpc connect and read times. Addition of novell netware as a supported target platform. Inclusion of the serverprotect exploit (still works on the latest version). Addition of the first remote netware kernel exploit that leads to a shell, addition of netware stager and shell, and first draft of the release notes for 3.1
........
r5372 | hdm | 2008-01-27 17:30:08 -0600 (Sun, 27 Jan 2008) | 3 lines
Formatting, indentation, fixed the static IP embedded in the request
........
r5373 | hdm | 2008-01-27 20:02:48 -0600 (Sun, 27 Jan 2008) | 3 lines
Correctly trap exploit errors in a way that works with all of the UIs
........
r5374 | hdm | 2008-01-27 20:23:25 -0600 (Sun, 27 Jan 2008) | 3 lines
More last-minute bug fixes
........
r5375 | hdm | 2008-01-27 20:37:43 -0600 (Sun, 27 Jan 2008) | 3 lines
Force multi-bind off in netware, correct label display in gtk gui labels
........
r5376 | hdm | 2008-01-27 20:50:03 -0600 (Sun, 27 Jan 2008) | 3 lines
More exception handling fun
........
git-svn-id: file:///home/svn/framework3/trunk@5378 4d416f70-5f16-0410-b530-b9f4589650da
2008-01-28 03:06:31 +00:00
|
|
|
otimeout = dcerpc.options['read_timeout']
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
begin
|
Merged revisions 5366-5377 via svnmerge from
svn+ssh://metasploit.com/home/svn/framework3/branches/framework-3.1
........
r5366 | hdm | 2008-01-26 20:30:53 -0600 (Sat, 26 Jan 2008) | 2 lines
Update version information
........
r5367 | hdm | 2008-01-26 21:10:57 -0600 (Sat, 26 Jan 2008) | 3 lines
Updated for version 3.1
........
r5369 | hdm | 2008-01-26 21:13:31 -0600 (Sat, 26 Jan 2008) | 3 lines
Wipe the private directories from the branch.
........
r5371 | hdm | 2008-01-27 17:24:24 -0600 (Sun, 27 Jan 2008) | 5 lines
Timeout options added for dcerpc connect and read times. Addition of novell netware as a supported target platform. Inclusion of the serverprotect exploit (still works on the latest version). Addition of the first remote netware kernel exploit that leads to a shell, addition of netware stager and shell, and first draft of the release notes for 3.1
........
r5372 | hdm | 2008-01-27 17:30:08 -0600 (Sun, 27 Jan 2008) | 3 lines
Formatting, indentation, fixed the static IP embedded in the request
........
r5373 | hdm | 2008-01-27 20:02:48 -0600 (Sun, 27 Jan 2008) | 3 lines
Correctly trap exploit errors in a way that works with all of the UIs
........
r5374 | hdm | 2008-01-27 20:23:25 -0600 (Sun, 27 Jan 2008) | 3 lines
More last-minute bug fixes
........
r5375 | hdm | 2008-01-27 20:37:43 -0600 (Sun, 27 Jan 2008) | 3 lines
Force multi-bind off in netware, correct label display in gtk gui labels
........
r5376 | hdm | 2008-01-27 20:50:03 -0600 (Sun, 27 Jan 2008) | 3 lines
More exception handling fun
........
git-svn-id: file:///home/svn/framework3/trunk@5378 4d416f70-5f16-0410-b530-b9f4589650da
2008-01-28 03:06:31 +00:00
|
|
|
dcerpc.options['read_timeout'] = timeout if timeout
|
2011-01-11 17:56:27 +00:00
|
|
|
dcerpc.call(function, stub, do_recv)
|
2006-04-30 19:49:27 +00:00
|
|
|
rescue ::Rex::Proto::SMB::Exceptions::NoReply, Rex::Proto::DCERPC::Exceptions::NoResponse
|
|
|
|
|
print_status("The DCERPC service did not reply to our request")
|
|
|
|
|
return
|
Merged revisions 5366-5377 via svnmerge from
svn+ssh://metasploit.com/home/svn/framework3/branches/framework-3.1
........
r5366 | hdm | 2008-01-26 20:30:53 -0600 (Sat, 26 Jan 2008) | 2 lines
Update version information
........
r5367 | hdm | 2008-01-26 21:10:57 -0600 (Sat, 26 Jan 2008) | 3 lines
Updated for version 3.1
........
r5369 | hdm | 2008-01-26 21:13:31 -0600 (Sat, 26 Jan 2008) | 3 lines
Wipe the private directories from the branch.
........
r5371 | hdm | 2008-01-27 17:24:24 -0600 (Sun, 27 Jan 2008) | 5 lines
Timeout options added for dcerpc connect and read times. Addition of novell netware as a supported target platform. Inclusion of the serverprotect exploit (still works on the latest version). Addition of the first remote netware kernel exploit that leads to a shell, addition of netware stager and shell, and first draft of the release notes for 3.1
........
r5372 | hdm | 2008-01-27 17:30:08 -0600 (Sun, 27 Jan 2008) | 3 lines
Formatting, indentation, fixed the static IP embedded in the request
........
r5373 | hdm | 2008-01-27 20:02:48 -0600 (Sun, 27 Jan 2008) | 3 lines
Correctly trap exploit errors in a way that works with all of the UIs
........
r5374 | hdm | 2008-01-27 20:23:25 -0600 (Sun, 27 Jan 2008) | 3 lines
More last-minute bug fixes
........
r5375 | hdm | 2008-01-27 20:37:43 -0600 (Sun, 27 Jan 2008) | 3 lines
Force multi-bind off in netware, correct label display in gtk gui labels
........
r5376 | hdm | 2008-01-27 20:50:03 -0600 (Sun, 27 Jan 2008) | 3 lines
More exception handling fun
........
git-svn-id: file:///home/svn/framework3/trunk@5378 4d416f70-5f16-0410-b530-b9f4589650da
2008-01-28 03:06:31 +00:00
|
|
|
ensure
|
|
|
|
|
dcerpc.options['read_timeout'] = otimeout
|
2006-04-30 19:49:27 +00:00
|
|
|
end
|
2005-12-15 04:46:52 +00:00
|
|
|
end
|
2005-09-16 03:29:27 +00:00
|
|
|
|
2005-12-13 06:08:40 +00:00
|
|
|
# Convert a standard ASCII string to 16-bit Unicode
|
2006-04-30 19:49:27 +00:00
|
|
|
def unicode(str)
|
2005-12-13 06:08:40 +00:00
|
|
|
Rex::Text.to_unicode(str)
|
2005-09-16 03:29:27 +00:00
|
|
|
end
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2006-04-30 19:49:27 +00:00
|
|
|
# Useful accessors for tracking DCERPC state
|
2007-02-26 17:38:01 +00:00
|
|
|
attr_accessor :handle, :dcerpc
|
2010-07-09 18:03:48 +00:00
|
|
|
|
2005-06-05 05:42:43 +00:00
|
|
|
end
|
|
|
|
|
|
2008-11-03 09:17:08 +00:00
|
|
|
end
|
2010-07-09 18:03:48 +00:00
|
|
|
|
