New evasion options for controlling how many fake uuids to place before and after the real uid when exploiting DCERPC bugs

Added a new evasion option for picking readAndX/writeAndX or transNamedPipe methods for DCERPC delivery, however a struct2 issue seems to be breaking this (will investigate tomorrow).

Fixed a typo in the initialize method of the OpenPipe class


git-svn-id: file:///home/svn/incoming/trunk@3634 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2006-05-03 05:53:37 +00:00
parent 304001a454
commit 64827d1238
4 changed files with 38 additions and 5 deletions


@ -26,7 +26,11 @@ module Exploit::Remote::DCERPC
register_evasion_options(
[
OptInt.new('DCERPC::max_frag_size', [ true, 'Set the DCERPC packet fragmentation size', 4096]),
OptBool.new('DCERPC::fake_bind_multi', [ false, 'Use multi-context bind calls', 'True' ])
OptBool.new('DCERPC::fake_bind_multi', [ false, 'Use multi-context bind calls', 'True' ]),
OptInt.new('DCERPC::fake_bind_multi_prepend', [ false, 'Set the number of UUIDs to prepend before the target', 0]),
OptInt.new('DCERPC::fake_bind_multi_append', [ false, 'Set the number of UUIDs to append the target', 0]),
OptEnum.new('DCERPC::smb_pipeio', [ false, 'Use a different delivery method for accessing named pipes', 'rw', ['rw', 'trans']] )
], Msf::Exploit::Remote::DCERPC)
register_options(
@ -50,6 +54,14 @@ module Exploit::Remote::DCERPC
if datastore['DCERPC::fake_bind_multi']
opts['fake_multi_bind'] = 1
if datastore['DCERPC::fake_bind_multi_prepend']
opts['fake_multi_bind_prepend'] = datastore['DCERPC::fake_bind_multi_prepend']
end
if datastore['DCERPC::fake_bind_multi_append']
opts['fake_multi_bind_append'] = datastore['DCERPC::fake_bind_multi_append']
end
end
if datastore['SMBUSER']
@ -60,6 +72,10 @@ module Exploit::Remote::DCERPC
opts['smb_pass'] = datastore['SMBPASS']
end
if datastore['DCERPC::smb_pipeio']
opts['smb_pipeio'] = datastore['DCERPC::smb_pipeio']
end
if self.simple
opts['smb_client'] = self.simple
end
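Review bot: The two `if datastore['DCERPC::fake_bind_multi_prepend']` / `if datastore['DCERPC::fake_bind_multi_append']` guards inside the fake_bind_multi branch never skip anything, because the OptInt default for both options is 0 and 0 is truthy in Ruby, so both keys are always copied into opts; the result is still correct only because make_bind_fake_multi treats 0 as "choose a random count", which the conditionals do not make obvious. If the intent is to forward only explicitly set values, test the value rather than its presence, e.g. `if datastore['DCERPC::fake_bind_multi_prepend'].to_i > 0` (whether the datastore hands back an Integer or its string form is not visible here, hence `.to_i`). The description of the append option also reads "append the target"; `'Set the number of UUIDs to append after the target'` would match the prepend wording. The enclosing methods start and end outside the hunks.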


@ -176,7 +176,18 @@ require 'rex/proto/smb/exceptions'
bind = ''
context = ''
if self.options['fake_multi_bind']
bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(self.handle.uuid[0], self.handle.uuid[1])
args = [ self.handle.uuid[0], self.handle.uuid[1] ]
if (self.options['fake_multi_bind_prepend'])
args << self.options['fake_multi_bind_prepend']
end
if (self.options['fake_multi_bind_append'])
args << self.options['fake_multi_bind_append']
end
bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args)
else
bind, context = Rex::Proto::DCERPC::Packet.make_bind(self.handle.uuid[0], self.handle.uuid[1])
end
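Review bot: Building the argument list conditionally breaks the positional contract of make_bind_fake_multi: when only 'fake_multi_bind_append' is present in options its value is splatted into the bind_head slot, and because 0 is truthy in Ruby the two `if (self.options[...])` guards do not gate anything when the mixin forwards its 0 defaults. Pass both positions explicitly instead: `head = self.options['fake_multi_bind_prepend'] || 0`, `tail = self.options['fake_multi_bind_append'] || 0`, `bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(self.handle.uuid[0], self.handle.uuid[1], head, tail)`. The enclosing method starts and ends outside the hunk.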


@ -45,7 +45,11 @@ require 'rex/text'
end
# Create an obfuscated DCERPC BIND request packet
def self.make_bind_fake_multi(uuid, vers, bind_head=rand(6)+10, bind_tail=rand(4))
def self.make_bind_fake_multi(uuid, vers, bind_head=0, bind_tail=0)
bind_head = rand(6)+10 if bind_head == 0
bind_tail = rand(4)+1 if bind_head == 0
u = Rex::Proto::DCERPC::UUID
# Process the version strings ("1.0", 1.0, "1", 1)
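Review bot: The second defaulting line tests `bind_head` where it should test `bind_tail`, so an explicitly passed tail count is overwritten whenever the head count is 0, and a tail of 0 is left untouched whenever a head is given; the fix is `bind_tail = rand(4)+1 if bind_tail == 0`. The new signature defaults also changed meaning: 0 now means "randomize" rather than "none", which is worth stating in the comment above the method, e.g. `# bind_head/bind_tail of 0 selects a random count`. The method body continues past the hunk.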


@ -110,13 +110,14 @@ EVADE = Rex::Proto::SMB::Evasions
# Valid modes are: 'trans' and 'rw'
attr_accessor :mode
def initalize(*args)
def initialize(*args)
super(*args)
mode = 'rw'
@buff = ''
end
def read_buffer(length, offset=0)
length ||= @buff.length
@buff.slice!(0, length)
end
@ -144,8 +145,9 @@ EVADE = Rex::Proto::SMB::Evasions
end
def write_trans(data, offset=0)
# Payload is not being filled the the response !?!!?
ack = self.client.trans_named_pipe(self.file_id, data)
@buff << ack['Payload'].v['Payload']
@buff << ack['Payload'].v['Payload']
end
end
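Review bot: `mode = 'rw'` inside initialize assigns a local variable, not the `mode` attribute declared by `attr_accessor :mode` just above, so now that the constructor is correctly named `initialize` and actually runs, the attribute is still nil after construction; write `self.mode = 'rw'`. Whether that line is new or context is not recoverable from the rendered page. In write_trans the `@buff << ack['Payload'].v['Payload']` line appears twice with no marker, so whether the commit added a second append (which would duplicate the response data in the buffer) or merely re-indented the line cannot be told here; confirm against the raw diff.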