require 'rex/proto/smb'
require 'rex/proto/dcerpc'
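module Msf

###
#
# This mixin provides utility methods for interacting with a SMB/CIFS service on
# a remote machine. These methods may generally be useful in the context of
# exploitation. This mixin extends the Tcp exploit mixin. Only one SMB
# service can be accessed at a time using this class.
#
###
module Exploit::Remote::SMB

  include Exploit::Remote::Tcp

  # Short aliases over the Rex SMB client and its exception namespace
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT  = Rex::Proto::SMB::Exceptions

  # Alias over the Rex DCERPC protocol modules
  DCERPCPacket   = Rex::Proto::DCERPC::Packet
  DCERPCClient   = Rex::Proto::DCERPC::Client
  DCERPCResponse = Rex::Proto::DCERPC::Response
  DCERPCUUID     = Rex::Proto::DCERPC::UUID
  NDR            = Rex::Proto::DCERPC::NDR

  #
  # Registers the SMB connection options (target, port, credentials and
  # NetBIOS name) plus the advanced pipe chunking options on top of whatever
  # the Tcp mixin registers.
  #
  # @param info [Hash] module info, forwarded unchanged to the parent
  #
  def initialize(info = {})
    super

    register_advanced_options(
      [
        OptBool.new('SMBPipeEvasion', [ true, 'Enable segmented read/writes for SMB Pipes', 'False']),
        OptInt.new('SMBPipeWriteMinSize', [ true, 'Minimum buffer size for pipe writes', 1]),
        OptInt.new('SMBPipeWriteMaxSize', [ true, 'Maximum buffer size for pipe writes', 1024]),
        OptInt.new('SMBPipeReadMinSize', [ true, 'Minimum buffer size for pipe reads', 1]),
        OptInt.new('SMBPipeReadMaxSize', [ true, 'Maximum buffer size for pipe reads', 1024])
      ], Msf::Exploit::Remote::SMB)

    register_options(
      [
        Opt::RHOST,
        OptInt.new('RPORT', [ true, 'Set the SMB service port', 445]),
        OptBool.new('SMBDirect', [ true, 'The target port is a raw SMB service (not NetBIOS)', 'True' ]),
        OptString.new('SMBUSER', [ false, 'The username to authenticate as', '']),
        OptString.new('SMBPASS', [ false, 'The password for the specified username', '']),
        OptString.new('SMBDOM', [ false, 'The Windows domain to use for authentication', 'WORKGROUP']),
        OptString.new('SMBNAME', [ true, 'The NetBIOS hostname (required for port 139 connections)', '*SMBSERVER'])
      ], Msf::Exploit::Remote::SMB)
  end

  #
  # Tears down any existing connection, opens a fresh TCP socket through the
  # Tcp mixin and wraps it in a SimpleClient stored in +simple+. The
  # 'SMBDirect' option is passed through to the client untouched.
  #
  def connect
    # Only one SMB session may be active, so drop any earlier socket first
    disconnect

    super

    self.simple = SIMPLE.new(self.sock, datastore['SMBDirect'])

    # NOTE: 'SMBPipeEvasion' is registered above but nothing in this mixin
    # consults it beyond this empty placeholder.
    if datastore['SMBPipeEvasion']
      # XXX - insert code to change the instance of the read/write functions to do segmentation
    end

    # XXX - should be broken out to separate bits instead of by level.
    # 'SMBEvasion' is not registered in this file; presumably provided by
    # another mixin or the framework -- verify against the caller.
    if datastore['SMBEvasion']
      self.simple.client.evasion_level = datastore['SMBEvasion'].to_i
      print_status("Using SMB evasion level #{self.simple.client.evasion_level}")
    end
  end

  # Convert a standard ASCII string to 16-bit Unicode
  def unicode(str)
    Rex::Text.to_unicode(str)
  end

  #
  # Establishes a SMB session over the default socket using the SMBNAME,
  # SMBUSER, SMBPASS and SMBDOM options, then connects to the IPC$ share.
  #
  def smb_login
    simple.login(
      datastore['SMBNAME'],
      datastore['SMBUSER'],
      datastore['SMBPASS'],
      datastore['SMBDOM']
    )

    simple.connect('IPC$')
  end

  # Returns the native operating system string reported by the peer
  def smb_peer_os
    self.simple.client.peer_native_os
  end

  # Returns the native LAN Manager version string reported by the peer
  def smb_peer_lm
    self.simple.client.peer_native_lm
  end

  # Opens a handle to the named IPC pipe and returns it
  def smb_create(pipe)
    self.simple.create_pipe(pipe)
  end

  #
  # Binds to a DCERPC interface over an already opened pipe. +dcerpc_socket+
  # and +dcerpc_bind+ are not defined here; they are expected from the DCERPC
  # mixin -- confirm against the including module.
  #
  def smb_dcerpc_bind(pipe, handle)
    self.dcerpc_socket = pipe
    self.dcerpc_bind(handle)
  end

  #
  # Calls a DCERPC procedure over a SMB pipe.
  #
  # Returns a DCERPCResponse when the peer answered with data, and nil when
  # no request packets could be built, no socket is open, or the pipe
  # returned nothing.
  #
  def smb_dcerpc_call(fid, func, stub = '')
    # Create the request packets
    pkts = dcerpc_make_call(func, stub)
    return if pkts.nil?

    # Verify that the socket exists
    return if sock.nil?

    print_status("Sending #{pkts.size} DCERPC fragments...")

    pkts.each { |chunk| smb_dcerpc_pipe_write(fid, chunk) }

    data = smb_dcerpc_pipe_read(fid)

    return DCERPCResponse.new(data) if data.length > 0
  end

  #
  # Executes a DCERPC transaction using READ/WRITE SMB commands (vs
  # TransactNP). Returns the raw response bytes from the pipe.
  #
  def smb_dcerpc_pipe_writeread(fid, request)
    smb_dcerpc_pipe_write(fid, request)
    smb_dcerpc_pipe_read(fid)
  end

  #
  # Writes out a DCERPC transaction in random size blocks with random
  # offsets (offsets are ignored by the server).
  #
  # The caller's +request+ string is read by offset and left unmodified;
  # the previous implementation consumed it with slice!.
  #
  def smb_dcerpc_pipe_write(fid, request)
    pipe_write_min = datastore['SMBPipeWriteMinSize']
    pipe_write_max = datastore['SMBPipeWriteMaxSize']

    offset = 0
    while offset < request.length
      wsize = smb_pipe_chunk_size(pipe_write_min, pipe_write_max)
      fid.write(request[offset, wsize], rand(1024) + 1)
      offset += wsize
    end
  end

  #
  # Reads a DCERPC transaction response in random size blocks with random
  # offsets (offsets are ignored by the server) and returns the raw bytes.
  #
  # XXX - If we read on a pipe with no data, our client code times out
  # waiting for the response. A problem occurs when data becomes available
  # at a later time - a read response is sent back from the server, which
  # throws off the serialized command processing code in the client. So, to
  # avoid significant problems, never read on a pipe when you know there
  # is no data left. This command will become obsolete once command queueing
  # is implemented in the client.
  #
  def smb_dcerpc_pipe_read(fid)
    pipe_read_min = datastore['SMBPipeReadMinSize']
    pipe_read_max = datastore['SMBPipeReadMaxSize']

    data  = ''
    rsize = nil

    # Read the response back a few bytes at a time
    begin
      loop do
        bsize = smb_pipe_chunk_size(pipe_read_min, pipe_read_max)
        t = fid.read(bsize, rand(1024) + 1)

        # An empty (or absent) read means the pipe has nothing more for us
        break if t.nil? || t.empty?

        data << t

        # Once the first 10 bytes are buffered, parse the DCERPC header and
        # take its fragment length so we know exactly when to stop reading
        # and never issue a read on an empty pipe.
        if rsize.nil? && data.length >= 10
          rsize = DCERPCResponse.new(data.slice(0, 10)).frag_len
        end

        # Quit reading once the full response is read
        break if rsize && data.length >= rsize
      end
    rescue XCEPT::NoReply
      # Peer stopped answering (see the XXX note above); return what we have
    end

    data
  end

  #
  # The NetBIOS name used for the session, falling back to the wildcard
  # '*SMBSERVER' when the option is unset.
  #
  def smb_hostname
    datastore['SMBNAME'] || '*SMBSERVER'
  end

  # The SimpleClient wrapping the current socket (assigned by connect)
  attr_accessor :simple

  private

  #
  # Picks a chunk size in the inclusive range [min_size, max_size] for the
  # pipe read/write loops. A minimum above the maximum is clamped down to it,
  # and the result is never below 1 so the loops always make progress.
  #
  # The earlier rand(max - min) form never produced max itself and returned a
  # Float (Kernel#rand(0)) whenever the two sizes were equal.
  #
  def smb_pipe_chunk_size(min_size, max_size)
    min_size = max_size if min_size > max_size
    size = min_size + rand(max_size - min_size + 1)
    size < 1 ? 1 : size
  end

end

end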