New evasion options for controlling how many fake uuids to place before and after the real uid when eexploiting DCERPC bugs
Added a new evasion option for picking readAndX/writeAndX or transNamedPipe methods for DCERPC delivery, however a struct2 issue seems to be breaking this (will investigate tomorrow). Fixed a typo in the initialize method of the OpenPipe class git-svn-id: file:///home/svn/incoming/trunk@3634 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
304001a454
commit
64827d1238
|
@ -26,7 +26,11 @@ module Exploit::Remote::DCERPC
|
|||
register_evasion_options(
|
||||
[
|
||||
OptInt.new('DCERPC::max_frag_size', [ true, 'Set the DCERPC packet fragmentation size', 4096]),
|
||||
OptBool.new('DCERPC::fake_bind_multi', [ false, 'Use multi-context bind calls', 'True' ])
|
||||
OptBool.new('DCERPC::fake_bind_multi', [ false, 'Use multi-context bind calls', 'True' ]),
|
||||
OptInt.new('DCERPC::fake_bind_multi_prepend', [ false, 'Set the number of UUIDs to prepend before the target', 0]),
|
||||
OptInt.new('DCERPC::fake_bind_multi_append', [ false, 'Set the number of UUIDs to append the target', 0]),
|
||||
OptEnum.new('DCERPC::smb_pipeio', [ false, 'Use a different delivery method for accessing named pipes', 'rw', ['rw', 'trans']] )
|
||||
|
||||
], Msf::Exploit::Remote::DCERPC)
|
||||
|
||||
register_options(
|
||||
|
@ -50,6 +54,14 @@ module Exploit::Remote::DCERPC
|
|||
|
||||
if datastore['DCERPC::fake_bind_multi']
|
||||
opts['fake_multi_bind'] = 1
|
||||
|
||||
if datastore['DCERPC::fake_bind_multi_prepend']
|
||||
opts['fake_multi_bind_prepend'] = datastore['DCERPC::fake_bind_multi_prepend']
|
||||
end
|
||||
|
||||
if datastore['DCERPC::fake_bind_multi_append']
|
||||
opts['fake_multi_bind_append'] = datastore['DCERPC::fake_bind_multi_append']
|
||||
end
|
||||
end
|
||||
|
||||
if datastore['SMBUSER']
|
||||
|
@ -60,6 +72,10 @@ module Exploit::Remote::DCERPC
|
|||
opts['smb_pass'] = datastore['SMBPASS']
|
||||
end
|
||||
|
||||
if datastore['DCERPC::smb_pipeio']
|
||||
opts['smb_pipeio'] = datastore['DCERPC::smb_pipeio']
|
||||
end
|
||||
|
||||
if self.simple
|
||||
opts['smb_client'] = self.simple
|
||||
end
|
||||
|
|
|
@ -176,7 +176,18 @@ require 'rex/proto/smb/exceptions'
|
|||
bind = ''
|
||||
context = ''
|
||||
if self.options['fake_multi_bind']
|
||||
bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(self.handle.uuid[0], self.handle.uuid[1])
|
||||
|
||||
args = [ self.handle.uuid[0], self.handle.uuid[1] ]
|
||||
|
||||
if (self.options['fake_multi_bind_prepend'])
|
||||
args << self.options['fake_multi_bind_prepend']
|
||||
end
|
||||
|
||||
if (self.options['fake_multi_bind_append'])
|
||||
args << self.options['fake_multi_bind_append']
|
||||
end
|
||||
|
||||
bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args)
|
||||
else
|
||||
bind, context = Rex::Proto::DCERPC::Packet.make_bind(self.handle.uuid[0], self.handle.uuid[1])
|
||||
end
|
||||
|
|
|
@ -45,7 +45,11 @@ require 'rex/text'
|
|||
end
|
||||
|
||||
# Create an obfuscated DCERPC BIND request packet
|
||||
def self.make_bind_fake_multi(uuid, vers, bind_head=rand(6)+10, bind_tail=rand(4))
|
||||
def self.make_bind_fake_multi(uuid, vers, bind_head=0, bind_tail=0)
|
||||
|
||||
bind_head = rand(6)+10 if bind_head == 0
|
||||
bind_tail = rand(4)+1 if bind_head == 0
|
||||
|
||||
u = Rex::Proto::DCERPC::UUID
|
||||
|
||||
# Process the version strings ("1.0", 1.0, "1", 1)
|
||||
|
|
|
@ -110,13 +110,14 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
# Valid modes are: 'trans' and 'rw'
|
||||
attr_accessor :mode
|
||||
|
||||
def initalize(*args)
|
||||
def initialize(*args)
|
||||
super(*args)
|
||||
mode = 'rw'
|
||||
@buff = ''
|
||||
end
|
||||
|
||||
def read_buffer(length, offset=0)
|
||||
length ||= @buff.length
|
||||
@buff.slice!(0, length)
|
||||
end
|
||||
|
||||
|
@ -144,8 +145,9 @@ EVADE = Rex::Proto::SMB::Evasions
|
|||
end
|
||||
|
||||
def write_trans(data, offset=0)
|
||||
# Payload is not being filled the the response !?!!?
|
||||
ack = self.client.trans_named_pipe(self.file_id, data)
|
||||
@buff << ack['Payload'].v['Payload']
|
||||
@buff << ack['Payload'].v['Payload']
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue