metasploit-framework/lib/msf/core/exploit/sunrpc.rb

77 lines
1.5 KiB
Ruby

require 'rex/proto/sunrpc'
module Msf
###
#
# This mixin provides utility methods for interacting with a SunRPC service on
# a remote machine. These methods may generally be useful in the context of
# exploitation. This mixin extends the Tcp exploit mixin. Only one SunRPC
# service can be accessed at a time using this class.
#
###
module Exploit::Remote::SunRPC
include Exploit::Remote::Tcp
XDR = Rex::Proto::SunRPC::XDR
def initialize(info = {})
super
register_evasion_options(
[
OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', 'false']),
], Msf::Exploit::Remote::SunRPC
)
register_advanced_options(
[
# XXX: Use portmapper to do call
], Msf::Exploit::Remote::SunRPC)
register_options(
[
# XXX: XPORT
Opt::RHOST,
Opt::RPORT(111),
], Msf::Exploit::Remote::SunRPC
)
end
def sunrpc_create(protocol, program, version)
self.rpcobj = Rex::Proto::SunRPC::Client.new(rhost, rport.to_i, protocol, program, version)
if datastore['ONCRPC::tcp_request_fragmentation'] == true
self.rpcobj.should_fragment = 1
end
# if datastore['XPORT']
# rpcobj.pport = datastore['XPORT']
# else
rpcobj.create
# end
end
def sunrpc_call(proc, buf)
rpcobj.call(proc, buf)
end
def sunrpc_destroy
rpcobj.destroy
rpcobj = nil
end
def sunrpc_authnull(*args)
rpcobj.authnull_create(*args)
end
def sunrpc_authunix(*args)
rpcobj.authunix_create(*args)
end
# Used to track the last SunRPC context
attr_accessor :rpcobj
end
end