require 'rex/proto/dcerpc'
module Msf
  ###
  #
  # Mixin with helper methods for talking to a DCERPC service on a remote
  # host. It builds on the Tcp exploit mixin and wraps the Rex DCERPC
  # protocol classes. State is kept in single-valued accessors (one handle,
  # one client), so only one DCERPC service can be accessed at a time.
  #
  ###
  module Exploit::Remote::DCERPC
    include Exploit::Remote::Tcp

    # Short aliases for the Rex DCERPC protocol classes.
    DCERPCPacket = Rex::Proto::DCERPC::Packet
    DCERPCClient = Rex::Proto::DCERPC::Client
    DCERPCResponse = Rex::Proto::DCERPC::Response
    DCERPCUUID = Rex::Proto::DCERPC::UUID
    NDR = Rex::Proto::DCERPC::NDR

    # Connection state: the last bind context, the current handle, the Rex
    # client and the socket handed to that client.
    # NOTE(review): nothing in this module assigns dcerpc_socket; presumably
    # the including module sets it before dcerpc_bind is called -- confirm.
    attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket

    # Registers the options this mixin reads from the datastore.
    #
    # Advanced: DCERPCFragSize (required, default 127) and
    # DCERPCFakeMultiBind (optional, default 'True').
    # Standard: RHOST and RPORT (registered with 135).
    #
    # @param info [Hash] module information, passed unchanged to super
    def initialize(info = {})
      super

      advanced = [
        OptInt.new('DCERPCFragSize', [true, 'Set the DCERPC packet fragmentation size', 127]),
        OptBool.new('DCERPCFakeMultiBind', [false, 'Use multi-context bind calls', 'True'])
      ]
      register_advanced_options(advanced, Msf::Exploit::Remote::DCERPC)

      standard = [Opt::RHOST, Opt::RPORT(135)]
      register_options(standard, Msf::Exploit::Remote::DCERPC)
    end

    # Builds a Rex DCERPC handle for the configured RHOST and stores it in
    # +handle+.
    #
    # @param uuid interface UUID, paired with +version+ in the handle
    # @param version interface version
    # @param protocol protocol sequence name (dcerpc_bind compares it
    #   against 'ncacn_np')
    # @param opts extra arguments forwarded to Rex::Proto::DCERPC::Handle.new
    # @return the newly created handle
    def dcerpc_handle(uuid, version, protocol, opts)
      self.handle = Rex::Proto::DCERPC::Handle.new(
        [uuid, version], protocol, datastore['RHOST'], opts
      )
    end

    # Creates the Rex DCERPC client for handle +h+ and stores it in +dcerpc+.
    #
    # Client options are taken from the datastore when the corresponding
    # value is set: DCERPCFragSize, DCERPCFakeMultiBind, SMBUSER and SMBPASS.
    #
    # @param h the handle passed to Rex::Proto::DCERPC::Client.new
    # @return the SMB client when the stored handle uses 'ncacn_np', else nil
    def dcerpc_bind(h)
      # The hash below can carry SMBPASS in clear text; avoid logging or
      # dumping it.
      client_opts = { 'Msf' => framework, 'MsfExploit' => self }

      client_opts['frag_size'] = datastore['DCERPCFragSize'] if datastore['DCERPCFragSize']

      # NOTE(review): this tests the raw datastore value for truthiness; if
      # the datastore holds an unparsed string such as 'false', the branch
      # is still taken -- confirm how the datastore normalises booleans.
      client_opts['fake_multi_bind'] = 1 if datastore['DCERPCFakeMultiBind']

      # SMBUSER / SMBPASS are not registered by this mixin; they are only
      # forwarded when something else has put them in the datastore.
      client_opts['smb_user'] = datastore['SMBUSER'] if datastore['SMBUSER']
      client_opts['smb_pass'] = datastore['SMBPASS'] if datastore['SMBPASS']

      self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket, client_opts)

      # The protocol check reads the stored +handle+, not the +h+ argument;
      # presumably callers pass the handle created by dcerpc_handle.
      # NOTE(review): no +simple+ accessor is defined in this module; it is
      # presumably provided by another mixin of the including class -- confirm.
      # Expose the simple SMB client when the transport gives access to it.
      self.simple = dcerpc.smb if handle.protocol == 'ncacn_np'
    end

    # Forwards a call to the bound DCERPC client.
    #
    # @param function the function identifier passed to the client's +call+
    # @param stub [String] request stub data, empty by default
    # @return whatever the client's +call+ returns
    def dcerpc_call(function, stub = '')
      dcerpc.call(function, stub)
    end

    # Converts a standard ASCII string to 16-bit Unicode via
    # Rex::Text.to_unicode.
    #
    # @param str [String] the string to convert
    def unicode(str)
      Rex::Text.to_unicode(str)
    end
  end
end