diff --git a/lib/msf/core/exploit/dcerpc.rb.ut.rb b/lib/msf/core/exploit/dcerpc.rb.ut.rb index 362789365f..44123630e1 100644 --- a/lib/msf/core/exploit/dcerpc.rb.ut.rb +++ b/lib/msf/core/exploit/dcerpc.rb.ut.rb @@ -23,4 +23,5 @@ class Exploit::Remote::DCERPC::UnitTest < Test::Unit::TestCase end -end \ No newline at end of file +end + diff --git a/lib/msf/core/exploit/dcerpc_epm.rb b/lib/msf/core/exploit/dcerpc_epm.rb index 292d711ca6..bba6aa94a1 100644 --- a/lib/msf/core/exploit/dcerpc_epm.rb +++ b/lib/msf/core/exploit/dcerpc_epm.rb @@ -11,7 +11,7 @@ module Exploit::Remote::DCERPC_EPM def dcerpc_endpoint_find_tcp(host, uuid, vers, transport) res = dcerpc_endpoint_list() return nil if not res - + res.each do |ent| if (ent[:uuid] == uuid and ent[:vers] == vers and ent[:prot] == 'tcp') return ent[:port] @@ -20,12 +20,12 @@ module Exploit::Remote::DCERPC_EPM nil end - + # Contact the endpoint mapper of the target host and find the transport def dcerpc_endpoint_find_udp(host, uuid, vers, transport) res = dcerpc_endpoint_list() return nil if not res - + res.each do |ent| if (ent[:uuid] == uuid and ent[:vers] == vers and ent[:prot] == 'udp') return ent[:port] @@ -34,16 +34,16 @@ module Exploit::Remote::DCERPC_EPM nil end - + # Contact the endpoint mapper and create a hash of all endpoints def dcerpc_endpoint_list res = [] - + print_status("Connecting to the endpoint mapper service...") begin eps = nil dport = nil - + [135, 593].each do |i| dport = i begin @@ -57,24 +57,24 @@ module Exploit::Remote::DCERPC_EPM 'MsfExploit' => self, } ) - + break - + rescue ::Exception end end - + if (not eps) print_status("Could not connect to the endpoint mapper service") return nil end - + eph = dcerpc_handle('e1af8308-5d1f-11c9-91a4-08002b14a0fa', '3.0', 'ncacn_ip_tcp', [dport]) opt = { 'Msf' => framework, 'MsfExploit' => self } dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt) hnd = nil - + while(true) # Placeholders 
@@ -89,9 +89,9 @@ module Exploit::Remote::DCERPC_EPM :vers => nil, :note => nil } - + data = nil - + if(not hnd) # NULL handle to start with data = [0, 0, 0, 0, 0, 0, 0, 0, 0, 1].pack("V*") @@ -99,9 +99,9 @@ module Exploit::Remote::DCERPC_EPM # Use the existing handle data = [0, 0, 0, 0, 0].pack("V*") + hnd end - + ret = dce.call(2, data) - + if ( dce.last_response == nil or dce.last_response.stub_data == nil or @@ -111,25 +111,25 @@ module Exploit::Remote::DCERPC_EPM # break from the parsing loop break end - + # Record the response data buf = dce.last_response.stub_data - + # Record the handle if needed hnd = buf[4, 20] if not hnd - + # Parse the response data nlen = buf[60, 4].unpack('V')[0] if (nlen > 1) info[:note] = buf[64, nlen - 1] end - + # Align the stub offset soff = nlen + 72 while (soff % 4 != 0) soff += 1 end - + # Determine number of records rcnt = buf[soff, 2].unpack('v')[0] soff += 2 @@ -138,24 +138,24 @@ module Exploit::Remote::DCERPC_EPM 1.upto(rcnt) do |i| rlen = buf[soff, 2].unpack('v')[0] soff += 2 - + if (i == 1) info[:uuid] = Rex::Proto::DCERPC::UUID.uuid_unpack(buf[soff+1, 16]) - info[:vers] = "#{buf[soff+17]}.#{buf[soff+18]}" + info[:vers] = buf[soff+17,2].unpack('CC').map{|s| s.to_s}.join(".") end - + if (i > 3) info[:type] = buf[soff, 1].unpack("C*")[0] end - + soff += rlen - + xlen = buf[soff, 2].unpack('v')[0] soff += 2 - + case info[:type] when nil - + # TCP when 7 info[:prot] = 'tcp' @@ -165,16 +165,16 @@ module Exploit::Remote::DCERPC_EPM when 8 info[:prot] = 'udp' info[:port] = buf[soff, 2].unpack('n')[0] - + # ADDR when 9 info[:host] = buf[soff, 4].unpack('C4').join('.') - + # PIPE when 15 info[:prot] = 'pipe' info[:pipe] = buf[soff, xlen].unpack("a*")[0] - + # LRPC when 16 info[:prot] = 'lrpc' @@ -182,7 +182,7 @@ module Exploit::Remote::DCERPC_EPM # NETBIOS when 17,24 - info[:host] = buf[soff, xlen].unpack("a*")[0] + info[:host] = buf[soff, xlen].unpack("a*")[0] # HTTP when 31 
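Review bot: The new `info[:vers] = buf[soff+17,2].unpack('CC')...` line, like the uuid read before it, still trusts the floor length `rlen` and record count `rcnt` taken straight from the endpoint mapper's reply, so a truncated or hostile tower makes `buf[soff+17,2]` or the following `buf[soff, 2]` return nil and the `.unpack` raises NoMethodError, while a 1-byte slice yields a nil second element that `to_s` silently turns into a version like `3.`. The parsing loop this hunk sits in starts above and ends below it; its `rescue ::Exception` (visible in a later hunk) then sets `res = nil`, so one malformed entry discards every endpoint already parsed. I would bound the offsets before reading, e.g. `break if soff + rlen > buf.length` immediately after the `soff += 2` that follows the `rlen` read, and gate the first-floor decode on `if (i == 1 and rlen >= 19)` since a first floor shorter than protocol byte + 16-byte UUID + 2-byte version cannot hold what is read from it.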
@@ -193,28 +193,29 @@ module Exploit::Remote::DCERPC_EPM when 22 # not parsed else - print_status("EPM unknown type: #{info[:type]} #{buf[soff, xlen].unpack("H*")[0]}") + print_status("EPM unknown type: #{info[:type]} #{buf[soff, xlen].unpack("H*")[0]}") end - + soff += xlen - end - + end + info[:pipe].gsub!("\x00", '') if info[:pipe] info[:host].gsub!("\x00", '') if info[:host] res << info end - + rescue ::Interrupt raise $! - + rescue ::Exception => e print_status("Could not obtain the endpoint list: #{e}") res = nil end - + res end end end + diff --git a/lib/msf/core/exploit/dcerpc_lsa.rb b/lib/msf/core/exploit/dcerpc_lsa.rb index ffe6e31a02..67d251f43e 100644 --- a/lib/msf/core/exploit/dcerpc_lsa.rb +++ b/lib/msf/core/exploit/dcerpc_lsa.rb @@ -27,11 +27,12 @@ module Exploit::Remote::DCERPC_LSA NDR.long(0) + # Effective Only # Access Mask NDR.long(0x02000000) - + res = dcerpc.call(6, stubdata) - + dcerpc.last_response.stub_data[0,20] end - + end -end \ No newline at end of file +end + diff --git a/lib/msf/core/exploit/dcerpc_mgmt.rb b/lib/msf/core/exploit/dcerpc_mgmt.rb index 78d2c64c08..664c68cc2d 100644 --- a/lib/msf/core/exploit/dcerpc_mgmt.rb +++ b/lib/msf/core/exploit/dcerpc_mgmt.rb @@ -6,7 +6,7 @@ module Msf # ### module Exploit::Remote::DCERPC_MGMT - + # Connect to remote management interface def dcerpc_mgmt_connect(dport=135) Rex::Socket::Tcp.create( 
@@ -22,34 +22,34 @@ module Exploit::Remote::DCERPC_MGMT end NDR = Rex::Encoder::NDR - + # List all interfaces registered with this remote management interface def dcerpc_mgmt_inq_if_ids(dport=135) res = [] - + begin - + eps = dcerpc_mgmt_connect(dport) - + eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport]) opt = { 'Msf' => framework, 'MsfExploit' => self } - + dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt) dce.call(0, '') - + if (dce.last_response != nil and dce.last_response.stub_data != nil) buff = dce.last_response.stub_data - + retstat = buff[0,4].unpack('N')[0] ifcount = buff[4,4].unpack('V')[0] ifstats = buff[12, 4 * ifcount] iflists = buff[12 + (4 * ifcount), buff.length] - + ifidx = 0 while(ifidx < ifcount * 20) intf = Rex::Proto::DCERPC::UUID.uuid_unpack(iflists[ifidx, 16]) - vers = "#{iflists[ifidx + 16, 2].unpack('v')[0]}.#{iflists[ifidx + 18, 2].unpack('v')[0]}" + vers = iflists[ifidx + 16,4].unpack('vv').map{|c| c.to_s}.join('.') res << [intf, vers] ifidx += 20 end @@ -61,27 +61,27 @@ module Exploit::Remote::DCERPC_MGMT print_status("Remote Management Interface Error: #{e}") res = nil end - + eps.close if eps - + res end def dcerpc_mgmt_inq_if_stats(dport=135) res = [] - + begin - + eps = dcerpc_mgmt_connect(dport) - + eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport]) opt = { 'Msf' => framework, 'MsfExploit' => self } - + dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt) dce.call(1, NDR.long(1024) ) - + if (dce.last_response != nil and dce.last_response.stub_data != nil) buff = dce.last_response.stub_data rcnt = buff[0,4].unpack('V')[0] 
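Review bot: The loop `while(ifidx < ifcount * 20)` is bounded only by the `ifcount` read from the reply, not by `iflists.length`, so a short or hostile reply makes `iflists[ifidx, 16]` return nil and `uuid_unpack` raise, and the new `vers = iflists[ifidx + 16,4].unpack('vv')...` line quietly produces a version such as `1.` when fewer than four bytes remain because `nil.to_s` is empty. The `rescue` that follows (the begin block continues past this hunk) then replaces the partial `res` with nil, losing the interfaces already decoded. I would clamp the bound, `while(ifidx + 20 <= iflists.length and ifidx < ifcount * 20)`. `retstat` and `ifstats` are assigned but never read in this hunk; if `retstat` is the call's status word, as the name suggests, it should be checked before the list is trusted, otherwise both locals can be dropped.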
@@ -96,26 +96,26 @@ module Exploit::Remote::DCERPC_MGMT print_status("Remote Management Interface Error: #{e}") res = nil end - + eps.close if eps - + res end def dcerpc_mgmt_is_server_listening(dport=135) res = nil - + begin - + eps = dcerpc_mgmt_connect(dport) - + eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport]) opt = { 'Msf' => framework, 'MsfExploit' => self } - + dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt) dce.call(2, '') - + if (dce.last_response != nil and dce.last_response.stub_data != nil) buff = dce.last_response.stub_data res = buff[0,4].unpack('V')[0] @@ -127,26 +127,26 @@ module Exploit::Remote::DCERPC_MGMT print_status("Remote Management Interface Error: #{e}") res = nil end - + eps.close if eps - + res end def dcerpc_mgmt_stop_server_listening(dport=135) res = nil - + begin - + eps = dcerpc_mgmt_connect(dport) - + eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport]) opt = { 'Msf' => framework, 'MsfExploit' => self } - + dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt) dce.call(3, '') - + if (dce.last_response != nil and dce.last_response.stub_data != nil) buff = dce.last_response.stub_data res = buff[0,4].unpack('V')[0] @@ -158,29 +158,29 @@ module Exploit::Remote::DCERPC_MGMT print_status("Remote Management Interface Error: #{e}") res = nil end - + eps.close if eps - + res end def dcerpc_mgmt_inq_princ_name(dport=135) res = nil - + begin - + eps = dcerpc_mgmt_connect(dport) - + eph = dcerpc_handle('afa8bd80-7d8a-11c9-bef4-08002b102989', '1.0', 'ncacn_ip_tcp', [dport]) opt = { 'Msf' => framework, 'MsfExploit' => self } - + dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt) - dce.call(4, + dce.call(4, NDR.long(2) + NDR.long(256) ) - + if (dce.last_response != nil and dce.last_response.stub_data != nil) buff = dce.last_response.stub_data res = buff 
@@ -192,12 +192,13 @@ module Exploit::Remote::DCERPC_MGMT print_status("Remote Management Interface Error: #{e}") res = nil end - + eps.close if eps - + res end - + end -end \ No newline at end of file +end +