Fixes #441. Unpack the version in a way that works with 1.9

git-svn-id: file:///home/svn/framework3/trunk@7319 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-02 15:09:54 +00:00 · 2009-11-02 15:09:54 +00:00 · c0a0507fdf
parent c0758f7bc6
commit c0a0507fdf
4 changed files with 90 additions and 86 deletions
--- a/lib/msf/core/exploit/dcerpc.rb.ut.rb
+++ b/lib/msf/core/exploit/dcerpc.rb.ut.rb
@ -23,4 +23,5 @@ class Exploit::Remote::DCERPC::UnitTest < Test::Unit::TestCase

 end

-end
+end
+
--- a/lib/msf/core/exploit/dcerpc_epm.rb
+++ b/lib/msf/core/exploit/dcerpc_epm.rb
@ -11,7 +11,7 @@ module Exploit::Remote::DCERPC_EPM
 	def dcerpc_endpoint_find_tcp(host, uuid, vers, transport)
 		res = dcerpc_endpoint_list()
 		return nil if not res
-		
+
 		res.each do |ent|
 			if (ent[:uuid] == uuid and ent[:vers] == vers and ent[:prot] == 'tcp')
 				return ent[:port]
@ -20,12 +20,12 @@ module Exploit::Remote::DCERPC_EPM

 		nil
 	end
-	
+
 	# Contact the endpoint mapper of the target host and find the transport
 	def dcerpc_endpoint_find_udp(host, uuid, vers, transport)
 		res = dcerpc_endpoint_list()
 		return nil if not res
-		
+
 		res.each do |ent|
 			if (ent[:uuid] == uuid and ent[:vers] == vers and ent[:prot] == 'udp')
 				return ent[:port]
@ -34,16 +34,16 @@ module Exploit::Remote::DCERPC_EPM

 		nil
 	end
-	
+
 	# Contact the endpoint mapper and create a hash of all endpoints
 	def dcerpc_endpoint_list
 		res = []
-		
+
 		print_status("Connecting to the endpoint mapper service...")
 		begin
 			eps   = nil
 			dport = nil
-			
+
 			[135, 593].each do |i|
 				dport = i
 				begin
@ -57,24 +57,24 @@ module Exploit::Remote::DCERPC_EPM
 							'MsfExploit' => self,
 						}
 					)
-					
+
 					break
-					
+
 				rescue ::Exception
 				end
 			end
-			
+
 			if (not eps)
 				print_status("Could not connect to the endpoint mapper service")
 				return nil
 			end
-			
+
 			eph = dcerpc_handle('e1af8308-5d1f-11c9-91a4-08002b14a0fa', '3.0', 'ncacn_ip_tcp', [dport])
 			opt = { 'Msf' => framework, 'MsfExploit' => self }
 			dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt)

 			hnd = nil
-			
+
 			while(true)

 				# Placeholders
@ -89,9 +89,9 @@ module Exploit::Remote::DCERPC_EPM
 					:vers => nil,
 					:note => nil
 				}
-						
+
 				data = nil
-				
+
 				if(not hnd)
 					# NULL handle to start with
 					data = [0, 0, 0, 0, 0, 0, 0, 0, 0, 1].pack("V*")
@ -99,9 +99,9 @@ module Exploit::Remote::DCERPC_EPM
 					# Use the existing handle
 					data = [0, 0, 0, 0, 0].pack("V*") + hnd
 				end
-			
+
 				ret = dce.call(2, data)
-				
+
 				if (
 					dce.last_response == nil or
 					dce.last_response.stub_data == nil or
@ -111,25 +111,25 @@ module Exploit::Remote::DCERPC_EPM
 					# break from the parsing loop
 					break
 				end
-				
+
 				# Record the response data
 				buf = dce.last_response.stub_data
-				
+
 				# Record the handle if needed
 				hnd = buf[4, 20] if not hnd
-				
+
 				# Parse the response data
 				nlen = buf[60, 4].unpack('V')[0]
 				if (nlen > 1)
 					info[:note] = buf[64, nlen - 1]
 				end
-				
+
 				# Align the stub offset
 				soff = nlen + 72
 				while (soff % 4 != 0)
 					soff += 1
 				end
-				
+
 				# Determine number of records
 				rcnt = buf[soff, 2].unpack('v')[0]
 				soff += 2
@ -138,24 +138,24 @@ module Exploit::Remote::DCERPC_EPM
 				1.upto(rcnt) do |i|
 					rlen = buf[soff, 2].unpack('v')[0]
 					soff += 2
-					
+
 					if (i == 1)
 						info[:uuid] = Rex::Proto::DCERPC::UUID.uuid_unpack(buf[soff+1, 16])
-						info[:vers] = "#{buf[soff+17]}.#{buf[soff+18]}"
+						info[:vers] = buf[soff+17,2].unpack('CC').map{|s| s.to_s}.join(".")
 					end
-					
+
 					if (i > 3)
 						info[:type] = buf[soff, 1].unpack("C*")[0]
 					end
-					
+
 					soff += rlen
-					
+
 					xlen = buf[soff, 2].unpack('v')[0]
 					soff += 2
-					
+
 					case info[:type]
 					when nil
-					
+
 					# TCP
 					when 7
 						info[:prot] = 'tcp'
@ -165,16 +165,16 @@ module Exploit::Remote::DCERPC_EPM
 					when 8
 						info[:prot] = 'udp'
 						info[:port] = buf[soff, 2].unpack('n')[0]
-					
+
 					# ADDR
 					when 9
 						info[:host] = buf[soff, 4].unpack('C4').join('.')
-					
+
 					# PIPE
 					when 15
 						info[:prot] = 'pipe'
 						info[:pipe] = buf[soff, xlen].unpack("a*")[0]
-						
+
 					# LRPC
 					when 16
 						info[:prot] = 'lrpc'
@ -182,7 +182,7 @@ module Exploit::Remote::DCERPC_EPM

 					# NETBIOS
 					when 17,24
-						info[:host] = buf[soff, xlen].unpack("a*")[0]	
+						info[:host] = buf[soff, xlen].unpack("a*")[0]

 					# HTTP
 					when 31
@ -193,28 +193,29 @@ module Exploit::Remote::DCERPC_EPM
 					when 22
 						# not parsed
 					else
-						print_status("EPM unknown type: #{info[:type]} #{buf[soff, xlen].unpack("H*")[0]}")																	
+						print_status("EPM unknown type: #{info[:type]} #{buf[soff, xlen].unpack("H*")[0]}")
 					end
-					
+
 					soff += xlen
-				end	
-				
+				end
+
 				info[:pipe].gsub!("\x00", '') if info[:pipe]
 				info[:host].gsub!("\x00", '') if info[:host]

 				res << info
 			end
-			
+
 		rescue ::Interrupt
 			raise $!
-			
+
 		rescue ::Exception => e
 			print_status("Could not obtain the endpoint list: #{e}")
 			res = nil
 		end
-	
+
 		res
 	end

 end
 end
+
--- a/lib/msf/core/exploit/dcerpc_lsa.rb
+++ b/lib/msf/core/exploit/dcerpc_lsa.rb
@ -27,11 +27,12 @@ module Exploit::Remote::DCERPC_LSA
 					NDR.long(0)  + # Effective Only
 			# Access Mask
 			NDR.long(0x02000000)
-			
+
 		res = dcerpc.call(6, stubdata)
-		
+
 		dcerpc.last_response.stub_data[0,20]
 	end
-		
+
 end
-end
+end
+
--- a/lib/msf/core/exploit/dcerpc_mgmt.rb
+++ b/lib/msf/core/exploit/dcerpc_mgmt.rb
@ -6,7 +6,7 @@ module Msf
 #
 ###
 module Exploit::Remote::DCERPC_MGMT
-		
+
 	# Connect to remote management interface
 	def dcerpc_mgmt_connect(dport=135)
 		Rex::Socket::Tcp.create(
@ -22,34 +22,34 @@ module Exploit::Remote::DCERPC_MGMT
 	end

 	NDR = Rex::Encoder::NDR
-			
+
 	# List all interfaces registered with this remote management interface
 	def dcerpc_mgmt_inq_if_ids(dport=135)
 		res = []
-		
+
 		begin
-			
+
 			eps = dcerpc_mgmt_connect(dport)
-		
+
 			eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport])
 			opt = { 'Msf' => framework, 'MsfExploit' => self }
-			
+
 			dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt)

 			dce.call(0, '')
-			
+
 			if (dce.last_response != nil and dce.last_response.stub_data != nil)
 				buff = dce.last_response.stub_data
-				
+
 				retstat = buff[0,4].unpack('N')[0]
 				ifcount = buff[4,4].unpack('V')[0]
 				ifstats = buff[12, 4 * ifcount]
 				iflists = buff[12 + (4 * ifcount), buff.length]
-				
+
 				ifidx = 0
 				while(ifidx < ifcount * 20)
 					intf = Rex::Proto::DCERPC::UUID.uuid_unpack(iflists[ifidx, 16])
-					vers = "#{iflists[ifidx + 16, 2].unpack('v')[0]}.#{iflists[ifidx + 18, 2].unpack('v')[0]}"
+					vers = iflists[ifidx + 16,4].unpack('vv').map{|c| c.to_s}.join('.')
 					res << [intf, vers]
 					ifidx += 20
 				end
@ -61,27 +61,27 @@ module Exploit::Remote::DCERPC_MGMT
 			print_status("Remote Management Interface Error: #{e}")
 			res = nil
 		end
-	
+
 		eps.close if eps
-	
+
 		res
 	end


 	def dcerpc_mgmt_inq_if_stats(dport=135)
 		res = []
-		
+
 		begin
-			
+
 			eps = dcerpc_mgmt_connect(dport)
-		
+
 			eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport])
 			opt = { 'Msf' => framework, 'MsfExploit' => self }
-			
+
 			dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt)

 			dce.call(1, NDR.long(1024) )
-			
+
 			if (dce.last_response != nil and dce.last_response.stub_data != nil)
 				buff = dce.last_response.stub_data
 				rcnt = buff[0,4].unpack('V')[0]
@ -96,26 +96,26 @@ module Exploit::Remote::DCERPC_MGMT
 			print_status("Remote Management Interface Error: #{e}")
 			res = nil
 		end
-	
+
 		eps.close if eps
-	
+
 		res
 	end

 	def dcerpc_mgmt_is_server_listening(dport=135)
 		res = nil
-		
+
 		begin
-			
+
 			eps = dcerpc_mgmt_connect(dport)
-		
+
 			eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport])
 			opt = { 'Msf' => framework, 'MsfExploit' => self }
-			
+
 			dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt)

 			dce.call(2, '')
-			
+
 			if (dce.last_response != nil and dce.last_response.stub_data != nil)
 				buff = dce.last_response.stub_data
 				res  = buff[0,4].unpack('V')[0]
@ -127,26 +127,26 @@ module Exploit::Remote::DCERPC_MGMT
 			print_status("Remote Management Interface Error: #{e}")
 			res = nil
 		end
-	
+
 		eps.close if eps
-	
+
 		res
 	end

 	def dcerpc_mgmt_stop_server_listening(dport=135)
 		res = nil
-		
+
 		begin
-			
+
 			eps = dcerpc_mgmt_connect(dport)
-		
+
 			eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport])
 			opt = { 'Msf' => framework, 'MsfExploit' => self }
-			
+
 			dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt)

 			dce.call(3, '')
-			
+
 			if (dce.last_response != nil and dce.last_response.stub_data != nil)
 				buff = dce.last_response.stub_data
 				res  = buff[0,4].unpack('V')[0]
@ -158,29 +158,29 @@ module Exploit::Remote::DCERPC_MGMT
 			print_status("Remote Management Interface Error: #{e}")
 			res = nil
 		end
-	
+
 		eps.close if eps
-	
+
 		res
 	end

 	def dcerpc_mgmt_inq_princ_name(dport=135)
 		res = nil
-		
+
 		begin
-			
+
 			eps = dcerpc_mgmt_connect(dport)
-		
+
 			eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport])
 			opt = { 'Msf' => framework, 'MsfExploit' => self }
-			
+
 			dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt)

-			dce.call(4, 
+			dce.call(4,
 				NDR.long(2) +
 				NDR.long(256)
 			)
-			
+
 			if (dce.last_response != nil and dce.last_response.stub_data != nil)
 				buff = dce.last_response.stub_data
 				res  = buff
@ -192,12 +192,13 @@ module Exploit::Remote::DCERPC_MGMT
 			print_status("Remote Management Interface Error: #{e}")
 			res = nil
 		end
-	
+
 		eps.close if eps
-	
+
 		res
 	end

-		
+
 end
-end
+end
+