metasploit-framework/lib/msf/core/exploit/dcerpc.rb


require 'rex/proto/dcerpc'
module Msf
###
#
# This mixin provides utility methods for interacting with a DCERPC service on
# a remote machine. These methods may generally be useful in the context of
# exploitation. This mixin extends the Tcp exploit mixin. Only one DCERPC
# service can be accessed at a time using this class.
#
###
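module Exploit::Remote::DCERPC
  include Exploit::Remote::Tcp

  # Aliases over the Rex DCERPC protocol classes, so that modules mixing this
  # in can refer to them without spelling out the full constant path.
  DCERPCPacket   = Rex::Proto::DCERPC::Packet
  DCERPCClient   = Rex::Proto::DCERPC::Client
  DCERPCResponse = Rex::Proto::DCERPC::Response
  DCERPCUUID     = Rex::Proto::DCERPC::UUID
  NDR            = Rex::Proto::DCERPC::NDR

  #
  # Registers the DCERPC-specific options on top of those of the Tcp mixin.
  #
  # Advanced options:
  #   DCERPCFragSize      - fragment size handed to the client as 'frag_size'
  #                         (default 127)
  #   DCERPCFakeMultiBind - when set, the client is asked to use multi-context
  #                         bind calls ('fake_multi_bind')
  #
  # Regular options: RHOST and RPORT, the latter defaulting to 135.
  #
  def initialize(info = {})
    super

    register_advanced_options(
      [
        OptInt.new('DCERPCFragSize', [ true, 'Set the DCERPC packet fragmentation size', 127]),
        OptBool.new('DCERPCFakeMultiBind', [ false, 'Use multi-context bind calls', 'True' ])
      ], Msf::Exploit::Remote::DCERPC)

    register_options(
      [
        Opt::RHOST,
        Opt::RPORT(135),
      ], Msf::Exploit::Remote::DCERPC
    )
  end

  #
  # Builds a Rex DCERPC handle for the given interface and stores it in
  # self.handle. The target address is always taken from datastore['RHOST'].
  #
  # @param uuid [String] interface UUID
  # @param version [String] interface version, e.g. '1.0'
  # @param protocol [String] transport name, e.g. 'ncacn_ip_tcp' or 'ncacn_np'
  # @param opts transport-specific options, passed through unchanged to
  #   Rex::Proto::DCERPC::Handle.new
  # @return [Rex::Proto::DCERPC::Handle] the handle that was just stored
  #
  def dcerpc_handle(uuid, version, protocol, opts)
    self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts)
  end

  #
  # Binds to the interface described by +h+ using a new
  # Rex::Proto::DCERPC::Client built on dcerpc_socket, and stores the client
  # in self.dcerpc.
  #
  # Datastore values that are set are forwarded as client options:
  # DCERPCFragSize as 'frag_size', DCERPCFakeMultiBind as 'fake_multi_bind',
  # and SMBUSER / SMBPASS as 'smb_user' / 'smb_pass'. When +h+ uses the
  # ncacn_np transport the client's SMB client is additionally exposed as
  # self.simple.
  #
  # @param h [Rex::Proto::DCERPC::Handle] the handle to bind, normally the one
  #   returned by dcerpc_handle
  # @return the value of the trailing conditional; callers should rely on
  #   self.dcerpc / self.simple rather than on the return value
  #
  def dcerpc_bind(h)
    opts = { 'Msf' => framework, 'MsfExploit' => self }

    # Only forward the tunables that are actually set.
    opts['frag_size'] = datastore['DCERPCFragSize'] if datastore['DCERPCFragSize']
    opts['fake_multi_bind'] = 1 if datastore['DCERPCFakeMultiBind']
    opts['smb_user'] = datastore['SMBUSER'] if datastore['SMBUSER']
    opts['smb_pass'] = datastore['SMBPASS'] if datastore['SMBPASS']

    self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket, opts)

    # Decide on the handle being bound rather than on self.handle, which may be
    # nil (or a different handle) when the caller constructed +h+ itself.
    if h.protocol == 'ncacn_np'
      self.simple = self.dcerpc.smb # expose the simple client if we have access to it
    end
  end

  #
  # Issues a call on the interface bound by dcerpc_bind.
  #
  # @param function [Integer] operation number (opnum) of the function
  # @param stub [String] stub data for the call, empty by default
  # @return whatever Rex::Proto::DCERPC::Client#call returns
  #
  def dcerpc_call(function, stub = '')
    dcerpc.call(function, stub)
  end

  #
  # Converts a standard ASCII string to 16-bit Unicode via Rex::Text.
  #
  # @param str [String] the string to convert
  # @return [String] the Unicode form of +str+
  #
  def unicode(str)
    Rex::Text.to_unicode(str)
  end

  # dcerpc_bind_context - used to track the last DCERPC context
  # handle              - the Rex::Proto::DCERPC::Handle set by dcerpc_handle
  # dcerpc              - the Rex::Proto::DCERPC::Client created by dcerpc_bind
  # dcerpc_socket       - the socket the client is built on top of
  attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket
end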
end