infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bug fixes and a new "hidden" service detection module 

git-svn-id: file:///home/svn/framework3/trunk@4685 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-04-16 01:41:50 +00:00
parent 2612ad5f2f
commit 35ab9bfb89
2 changed files with 131 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
modules/auxiliary/scanner/dcerpc/hidden.rb Normal file
View File

@ -0,0 +1,128 @@
##
# $Id:$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Auxiliary::Scanner::Dcerpc::RPC_HIDDEN < Msf::Auxiliary
# Exploit mixins should be called first
include Exploit::Remote::DCERPC
# Scanner mixin should be near last
include Auxiliary::Scanner
def initialize
super(
'Name' => 'Hidden DCERPC Service Discovery',
'Version' => '$Revision: 3624 $',
'Description' => %q{
This module will query the endpoint mapper and make a list
of all ncacn_tcp RPC services. It will then connect to each of
these services and use the management API to list all other
RPC services accessible on this port. Any RPC service found attached
to a TCP port, but not listed in the endpoint mapper, will be displayed
and analyzed to see whether anonymous access is permitted.
},
'Author' => 'hdm',
'License' => MSF_LICENSE
)
deregister_options('RHOST', 'RPORT')
end
# Obtain information about a single host
def run_host(ip)
begin
epm = dcerpc_endpoint_list()
if(not epm)
print_status("Could not contact the endpoint mapper on #{ip}")
return
end
eports = {}
epm.each do |ep|
next if not (ep[:port] and ep[:prot] and ep[:prot] == "tcp")
eports[ep[:port]] ||= {}
eports[ep[:port]][ep[:uuid]+'_'+ep[:vers]] = true
end
eports.each_pair do |eport, servs|
rport = eport
print_status("Looking for services on #{ip}:#{rport}...")
ids = dcerpc_mgmt_inq_if_ids(rport)
return if not ids
ids.each do |id|
if (not servs.has_key?(id[0]+'_'+id[1]))
print_status("\tHIDDEN: UUID #{id[0]} v#{id[1]}")
conn = nil
bind = nil
call = nil
data = nil
error = nil
begin
connect(true, { 'RPORT' => eport })
conn = true
handle = dcerpc_handle(id[0], id[1], 'ncacn_ip_tcp', [eport])
dcerpc_bind(handle)
bind = true
res = dcerpc.call(0, NDR.long(0) * 128)
call = true
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
data = dcerpc.last_response.stub_data
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
error = e.to_s
end
if (error and error =~ /DCERPC FAULT/ and error !~ /nca_s_fault_access_denied/)
call = true
end
status = "\t\t"
status << "CONN " if conn
status << "BIND " if bind
status << "CALL " if call
status << "DATA=#{data.unpack("H*")[0]} " if data
status << "ERROR=#{error} " if error
print_status(status)
print_status("")
end
end
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Error: #{e.to_s}")
end
end
end
end

6
modules/auxiliary/scanner/dcerpc/management.rb
View File

@ -52,13 +52,13 @@ class Auxiliary::Scanner::Dcerpc::RPC_MGMT < Msf::Auxiliary
print_status("UUID #{id[0]} v#{id[1]}")
stats = dcerpc_mgmt_inq_if_stats(rport)
print_status("\t stats: " + stats.map{|i| "0x%.8x" % i}.join(", "))
print_status("\t stats: " + stats.map{|i| "0x%.8x" % i}.join(", ")) if stats
live = dcerpc_mgmt_is_server_listening(rport)
print_status("\t listening: %.8x" % live)
print_status("\t listening: %.8x" % live) if live
dead = dcerpc_mgmt_stop_server_listening(rport)
print_status("\t killed: %.8x" % dead)
print_status("\t killed: %.8x" % dead) if dead
princ = dcerpc_mgmt_inq_princ_name(rport)
print_status("\t name: #{princ.unpack("H*")[0]}") if princ