  1. # -*- coding: binary -*-
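module Msf
###
#
# This module provides service-specific methods for the DCERPC exploit mixin.
#
# It drives the DCE RPC management interface
# (UUID afa8bd80-7d8a-11c9-bef4-08002b102989, v1.0) over ncacn_ip_tcp.
# Every response stub handled here comes from the remote host and is treated
# as untrusted: element counts sent by the peer are capped by the number of
# bytes actually received before they are used for indexing.
#
###
module Exploit::Remote::DCERPC_MGMT

  # Interface UUID / version of the remote management interface bound on every call.
  MGMT_UUID = 'afa8bd80-7d8a-11c9-bef4-08002b102989'.freeze
  MGMT_VERS = '1.0'.freeze

  NDR = Rex::Encoder::NDR

  # Connect to the remote management interface.
  #
  # @param dport [Integer] TCP port to connect to (135 by default)
  # @return [Rex::Socket::Tcp] a connected socket; the caller owns it and must close it.
  #   Errors from the socket layer propagate to the caller.
  def dcerpc_mgmt_connect(dport=135)
    Rex::Socket::Tcp.create(
      'PeerHost' => rhost,
      'PeerPort' => dport,
      'Proxies'  => proxies,
      'Context'  =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        }
    )
  end

  # List all interfaces registered with this remote management interface (opnum 0).
  #
  # @param dport [Integer] TCP port of the management endpoint
  # @return [Array<Array(String, String)>, nil] [uuid, "major.minor"] pairs;
  #   [] when the server returned no stub data, nil on error (reported via print_status)
  def dcerpc_mgmt_inq_if_ids(dport=135)
    dcerpc_mgmt_request(dport, 0, '', []) do |buff|
      # Layout as parsed here: dword 0 is not interpreted, dword 1 is the
      # interface count, dword 2 is skipped, then +ifcount+ 4-byte entries,
      # then +ifcount+ 20-byte records (16-byte UUID followed by two 16-bit
      # version fields, little-endian).
      next [] if buff.bytesize < 8
      ifcount = buff[4, 4].unpack('V')[0]
      records = buff[12 + (4 * ifcount), buff.bytesize] || ''
      # ifcount is attacker-controlled: never walk past the bytes we actually have.
      [ifcount, records.bytesize / 20].min.times.map do |i|
        rec  = records[i * 20, 20]
        intf = Rex::Proto::DCERPC::UUID.uuid_unpack(rec[0, 16])
        vers = rec[16, 4].unpack('vv').join('.')
        [intf, vers]
      end
    end
  end

  # Retrieve the server statistics vector (opnum 1), requesting up to 1024 entries.
  #
  # @param dport [Integer] TCP port of the management endpoint
  # @return [Array<Integer>, nil] the 32-bit counters in the order received;
  #   [] when the server returned no stub data, nil on error (reported via print_status)
  def dcerpc_mgmt_inq_if_stats(dport=135)
    dcerpc_mgmt_request(dport, 1, NDR.long(1024), []) do |buff|
      # Layout as parsed here: dword 0 is the element count, dword 1 is skipped,
      # then the counters follow as little-endian dwords.
      next [] if buff.bytesize < 8
      rcnt = buff[0, 4].unpack('V')[0]
      # The count is attacker-controlled: cap it by the dwords actually present.
      [rcnt, (buff.bytesize - 8) / 4].min.times.map do |s|
        buff[8 + (4 * s), 4].unpack('V')[0]
      end
    end
  end

  # Ask whether the remote RPC server is listening (opnum 2).
  #
  # @param dport [Integer] TCP port of the management endpoint
  # @return [Integer, nil] the first dword of the response stub as received
  #   (nil when the stub is shorter than 4 bytes), nil when no stub data came back
  #   or on error (reported via print_status)
  def dcerpc_mgmt_is_server_listening(dport=135)
    dcerpc_mgmt_request(dport, 2, '', nil) do |buff|
      buff[0, 4].unpack('V')[0]
    end
  end

  # Ask the remote RPC server to stop listening (opnum 3).
  #
  # This is a disruptive operation against the target's RPC service; only call
  # it when a denial of service on the target is the intended effect.
  #
  # @param dport [Integer] TCP port of the management endpoint
  # @return [Integer, nil] the first dword of the response stub as received
  #   (nil when the stub is shorter than 4 bytes), nil when no stub data came back
  #   or on error (reported via print_status)
  def dcerpc_mgmt_stop_server_listening(dport=135)
    dcerpc_mgmt_request(dport, 3, '', nil) do |buff|
      buff[0, 4].unpack('V')[0]
    end
  end

  # Query the server principal name (opnum 4), sending the two dword
  # arguments 2 and 256 as the original implementation does.
  #
  # @param dport [Integer] TCP port of the management endpoint
  # @return [String, nil] the raw, unparsed response stub bytes (untrusted; the
  #   caller must decode them), nil when no stub data came back or on error
  #   (reported via print_status)
  def dcerpc_mgmt_inq_princ_name(dport=135)
    dcerpc_mgmt_request(dport, 4, NDR.long(2) + NDR.long(256), nil) { |buff| buff }
  end

  # Perform a single call against the management interface and hand the
  # response stub to the block.
  #
  # A fresh connection is opened per call, bound to MGMT_UUID/MGMT_VERS over
  # ncacn_ip_tcp; +stub+ is sent as the request for +opnum+. The socket is
  # always closed, including when the call or the block raises.
  #
  # @param dport [Integer] TCP port of the management endpoint
  # @param opnum [Integer] operation number on the management interface
  # @param stub [String] NDR-encoded request arguments
  # @param default [Object] value returned when the server sent no stub data
  # @yieldparam buff [String] raw, untrusted response stub bytes
  # @return [Object, nil] the block's result, +default+ without stub data, or
  #   nil on any StandardError (reported via print_status). Interrupts propagate.
  def dcerpc_mgmt_request(dport, opnum, stub, default)
    eps = nil
    eps = dcerpc_mgmt_connect(dport)
    eph = dcerpc_handle(MGMT_UUID, MGMT_VERS, 'ncacn_ip_tcp', [dport])
    opt = { 'Msf' => framework, 'MsfExploit' => self }
    dce = Rex::Proto::DCERPC::Client.new(eph, eps, opt)
    dce.call(opnum, stub)
    resp = dce.last_response
    return default unless resp && resp.stub_data
    yield resp.stub_data
  rescue ::Interrupt
    # Ctrl-C (and anything else derived from Interrupt) must never be swallowed.
    raise
  rescue ::StandardError => e
    # Narrowed from ::Exception so that NoMemoryError/SystemExit are not hidden.
    # Deliberately best-effort: report the failure and return nil instead of
    # aborting the calling module.
    print_status("Remote Management Interface Error: #{e}")
    nil
  ensure
    # Close the socket on every path; the original leaked it when an
    # unrescued exception escaped before the close.
    eps.close if eps
  end
  private :dcerpc_mgmt_request

end
end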