Module: Msf::Exploit::Remote::SunRPC
- Includes:
- Tcp
- Defined in:
- lib/msf/core/exploit/sunrpc.rb
Overview
This mixin provides utility methods for interacting with a SunRPC service on a remote machine. These methods may generally be useful in the context of exploitation. This mixin extends the Tcp exploit mixin. Only one SunRPC service can be accessed at a time using this class.
Constant Summary collapse
- XDR =
Rex::Encoder::XDR
- MSG_ACCEPTED =
0- SUCCESS =
RPC executed successfully
0- PROG_UMAVAIL =
Remote hasn't exported program
1- PROG_MISMATCH =
Remote can't support version #
2- PROC_UNAVAIL =
3- GARBAGE_ARGS =
Program can't support procedure Procedure can't decode params'
4- SYSTEM_ERR =
System encountered some error
5
Instance Attribute Summary collapse
-
#rpcobj ⇒ Object
Used to track the last SunRPC context.
Instance Method Summary collapse
- #initialize(info = {}) ⇒ Object
-
#portmap_qry ⇒ Object
XXX: Incomplete.
- #progresolv(number) ⇒ Object
- #sunrpc_authnull(*args) ⇒ Object
- #sunrpc_authunix(*args) ⇒ Object
- #sunrpc_call(proc, buf, timeout = 20) ⇒ Object
- #sunrpc_callsock ⇒ Object
- #sunrpc_create(protocol, program, version) ⇒ Object
- #sunrpc_destroy ⇒ Object
Methods included from Tcp
#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version
Instance Attribute Details
#rpcobj ⇒ Object
Used to track the last SunRPC context
166 167 168 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 166 def rpcobj @rpcobj end |
Instance Method Details
#initialize(info = {}) ⇒ Object
29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 29 def initialize(info = {}) super ( [ OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', 'false']), ], Msf::Exploit::Remote::SunRPC ) ( [ # XXX: Use portmapper to do call - Direct portmap to make the request to the program portmap_req ], Msf::Exploit::Remote::SunRPC) ( [ # XXX: XPORT Opt::RHOST, Opt::RPORT(111), ], Msf::Exploit::Remote::SunRPC ) end |
#portmap_qry ⇒ Object
XXX: Incomplete. Just moved from Rex::Proto::SunRPC::Client
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 132 def portmap_qry() ret = portmap_req() arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer) if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0 progname = progresolv(rpcobj.program) err = "Query for program #{rpcobj.program} [#{progname}] failed: " case arr[4] when PROG_UMAVAIL then err << "Program Unavailable" when PROG_MISMATCH then err << "Program Version Mismatch" when PROC_UNAVAIL then err << "Procedure Unavailable" when GARBAGE_ARGS then err << "Garbage Arguments" else err << "Unknown Error" end print_error("#{rhost}:#{rport} - SunRPC - #{err}") return nil end return ret end |
#progresolv(number) ⇒ Object
152 153 154 155 156 157 158 159 160 161 162 163 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 152 def progresolv(number) names = File.join(Msf::Config.data_directory, "wordlists", "rpc_names.txt") File.open(names, "rb").each_line do |line| next if line.empty? || line =~ /^\s*#/ if line =~ /^(\S+?)\s+(\d+)/ && number == $2.to_i return $1 end end return "UNKNOWN-#{number}" end |
#sunrpc_authnull(*args) ⇒ Object
123 124 125 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 123 def sunrpc_authnull(*args) rpcobj.authnull_create(*args) end |
#sunrpc_authunix(*args) ⇒ Object
127 128 129 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 127 def sunrpc_authunix(*args) rpcobj.authunix_create(*args) end |
#sunrpc_call(proc, buf, timeout = 20) ⇒ Object
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 88 def sunrpc_call(proc, buf, timeout=20) ret = rpcobj.call(proc, buf, timeout) return print_error("#{rhost}:#{rport} - SunRPC - No response to SunRPC call for procedure: #{proc}") unless ret arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer) if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS progname = progresolv(rpcobj.program) err = "SunRPC call for program #{rpcobj.program} [#{progname}], procedure #{proc}, failed: " if (arr[1] != MSG_ACCEPTED) err << 'Message not accepted' elsif (arr[4] and arr[4] != SUCCESS) case arr[4] when PROG_UMAVAIL then err << "Program Unavailable" when PROG_MISMATCH then err << "Program Version Mismatch" when PROC_UNAVAIL then err << "Procedure Unavailable" when GARBAGE_ARGS then err << "Garbage Arguments" when SYSTEM_ERR then err << "System Error" else err << "Unknown Error" end end print_error("#{rhost}:#{rport} - SunRPC - #{err}") return nil end return ret end |
#sunrpc_callsock ⇒ Object
114 115 116 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 114 def sunrpc_callsock self.rpcobj.call_sock end |
#sunrpc_create(protocol, program, version) ⇒ Object
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 53 def sunrpc_create(protocol, program, version) self.rpcobj = Rex::Proto::SunRPC::Client.new( :rhost => rhost, :rport => rport.to_i, :proto => protocol, :program => program, :version => version, :context => { 'Msf' => framework, 'MsfExploit' => self, } ) if datastore['ONCRPC::tcp_request_fragmentation'] == true self.rpcobj.should_fragment = 1 end ret = rpcobj.create return print_error("#{rhost}:#{rport} - SunRPC - No response to Portmap request") unless ret arr = XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer) if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0 err = "#{rhost}:#{rport} - SunRPC - Portmap request failed: " err << 'Message not accepted' if arr[1] != MSG_ACCEPTED err << 'RPC did not execute' if arr[4] != SUCCESS err << 'Program not available' if arr[5] == 0 print_error(err) return nil end rpcobj.pport = arr[5] #progname = progresolv(rpcobj.program) #print_status("#{rhost} - SunRPC Found #{progname} on #{protocol} port #{rpcobj.pport}") end |
#sunrpc_destroy ⇒ Object
118 119 120 121 |
# File 'lib/msf/core/exploit/sunrpc.rb', line 118 def sunrpc_destroy rpcobj.destroy rpcobj = nil end |