Module: Msf::Exploit::Remote::SunRPC
- Includes:
- Tcp
- Defined in:
- lib/msf/core/exploit/sunrpc.rb
Overview
This mixin provides utility methods for interacting with a SunRPC service on a remote machine. These methods may generally be useful in the context of exploitation. This mixin extends the Tcp exploit mixin. Only one SunRPC service can be accessed at a time using this class.
Constant Summary collapse
- MSG_ACCEPTED =
0
- SUCCESS =
RPC executed successfully
0
- PROG_UMAVAIL =
Remote hasn't exported program
1
- PROG_MISMATCH =
Remote can't support version #
2
- PROC_UNAVAIL =
Program can't support procedure
3
- GARBAGE_ARGS =
Procedure can't decode params
4
- SYSTEM_ERR =
System encountered some error
5
Instance Attribute Summary collapse
-
#rpcobj ⇒ Object
Used to track the last SunRPC context.
Attributes included from Tcp
Instance Method Summary collapse
- #initialize(info = {}) ⇒ Object
-
#portmap_qry ⇒ Object
XXX: Incomplete.
- #progresolv(number) ⇒ Object
- #sunrpc_authnull(*args) ⇒ Object
- #sunrpc_authunix(*args) ⇒ Object
- #sunrpc_call(proc, buf, timeout = timeout()) ⇒ Object
- #sunrpc_callsock ⇒ Object
- #sunrpc_create(protocol, program, version, time_out = timeout) ⇒ Object
- #sunrpc_destroy ⇒ Object
-
#timeout ⇒ Object
Returns the time that this module will wait for RPC responses, in seconds.
Methods included from Tcp
#chost, #cleanup, #connect, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version
Instance Attribute Details
#rpcobj ⇒ Object
Used to track the last SunRPC context
# File 'lib/msf/core/exploit/sunrpc.rb', line 182

# Reader for the SunRPC context tracked by this mixin.
#
# @return [Object, nil] the value currently held in @rpcobj; nil when nothing
#   has been stored yet
def rpcobj
  return @rpcobj
end
Instance Method Details
#initialize(info = {}) ⇒ Object
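# File 'lib/msf/core/exploit/sunrpc.rb', line 27

# Registers the datastore options this mixin relies on.
#
# NOTE(review): the rendered listing shows three bare argument lists after
# `super` with the callee names missing, which is not valid Ruby. They are
# restored here as the framework's option-registration calls, matched to the
# kind of option in each list; confirm against lib/msf/core/exploit/sunrpc.rb.
#
# @param info [Hash] module information; not read in this method
#   (presumably picked up by the zero-argument `super` - confirm)
def initialize(info = {})
  super

  # Evasion option: read by sunrpc_create, which sets should_fragment on the
  # client when this is enabled. Off by default.
  register_evasion_options(
    [
      OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', false]),
    ], Msf::Exploit::Remote::SunRPC
  )

  # Advanced option: returned by #timeout and used as the default wait for RPC replies.
  register_advanced_options(
    [
      OptInt.new('TIMEOUT', [true, 'Number of seconds to wait for responses to RPC calls', 10])
      # XXX: Use portmapper to do call - Direct portmap to make the request to the program portmap_req
    ], Msf::Exploit::Remote::SunRPC
  )

  # Target address and port; 111 is the default port registered here.
  register_options(
    [
      # XXX: XPORT
      Opt::RHOST,
      Opt::RPORT(111),
    ], Msf::Exploit::Remote::SunRPC
  )
end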
#portmap_qry ⇒ Object
XXX: Incomplete. Just moved from Rex::Proto::SunRPC::Client
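# File 'lib/msf/core/exploit/sunrpc.rb', line 138

# XXX: Incomplete. Just moved from Rex::Proto::SunRPC::Client
#
# Issues a portmap request and checks the reply status fields before handing
# the reply back to the caller.
#
# NOTE(review): portmap_req is not defined anywhere in this listing; this
# method cannot run until it exists.
#
# @return [String] the reply buffer returned by portmap_req
# @raise [Rex::Proto::SunRPC::RPCError] when there is no reply, the reply
#   cannot be XDR-decoded, or its status fields report a failure
def portmap_qry()
  ret = portmap_req()
  # Treat a missing reply as an RPC failure, as sunrpc_create and sunrpc_call
  # do, instead of passing nil on to the decoder.
  raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to Portmap request" unless ret

  begin
    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer)
  rescue Rex::ArgumentError
    raise Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - XDR decoding failed in #{__callee__}"
  end

  # NOTE(review): only five fields are requested from the decoder above, so
  # arr[5] looks like it is always nil and the `arr[5] == 0` clause can never
  # be true. sunrpc_create decodes a sixth Integer for the same check; confirm
  # whether that was intended here as well.
  if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0
    progname = progresolv(rpcobj.program)
    err = "Query for program #{rpcobj.program} [#{progname}] failed: "
    if arr[1] != MSG_ACCEPTED
      # Report a rejected message as such (same wording as sunrpc_call) rather
      # than falling through to "Unknown Error".
      err << 'Message not accepted'
    else
      case arr[4]
      when PROG_UMAVAIL then err << "Program Unavailable"
      when PROG_MISMATCH then err << "Program Version Mismatch"
      when PROC_UNAVAIL then err << "Procedure Unavailable"
      when GARBAGE_ARGS then err << "Garbage Arguments"
      when SYSTEM_ERR then err << "System Error"
      else err << "Unknown Error"
      end
    end
    raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - #{err}"
  end

  return ret
end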
#progresolv(number) ⇒ Object
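# File 'lib/msf/core/exploit/sunrpc.rb', line 163

# Looks up the name of an RPC program number in wordlists/rpc_names.txt under
# the framework data directory.
#
# Each non-comment line is expected to start with a name, whitespace, then the
# decimal program number; the first matching line wins.
#
# @param number [Integer] RPC program number to resolve
# @return [String] the program name, or "UNKNOWN-<number>" when no line matches
def progresolv(number)
  names = File.join(Msf::Config.data_directory, "wordlists", "rpc_names.txt")
  # Block form so the handle is closed on every exit path, including the early
  # return below; the bare File.open(...).each_line left it open.
  File.open(names, "rb") do |file|
    file.each_line do |line|
      next if line.strip.empty? || line.match?(/^\s*#/)

      entry = line.match(/^(?<name>\S+?)\s+(?<prog>\d+)/)
      return entry[:name] if entry && number == entry[:prog].to_i
    end
  end

  "UNKNOWN-#{number}"
end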
#sunrpc_authnull(*args) ⇒ Object
# File 'lib/msf/core/exploit/sunrpc.rb', line 129

# Forwards every argument to authnull_create on the current SunRPC context.
#
# @param args [Array] passed through unchanged
# @return [Object] whatever authnull_create returns
def sunrpc_authnull(*args)
  client = rpcobj
  client.authnull_create(*args)
end
#sunrpc_authunix(*args) ⇒ Object
# File 'lib/msf/core/exploit/sunrpc.rb', line 133

# Forwards every argument to authunix_create on the current SunRPC context.
#
# @param args [Array] passed through unchanged
# @return [Object] whatever authunix_create returns
def sunrpc_authunix(*args)
  client = rpcobj
  client.authunix_create(*args)
end
#sunrpc_call(proc, buf, timeout = timeout()) ⇒ Object
# File 'lib/msf/core/exploit/sunrpc.rb', line 90

# Invokes a procedure through the current SunRPC context and checks the reply
# status fields before returning the reply to the caller.
#
# @param proc [Object] procedure identifier handed to rpcobj.call
# @param buf [Object] request payload handed to rpcobj.call
# @param timeout [Object] wait time handed to rpcobj.call; defaults to the
#   value of the #timeout method
# @return [Object] the reply object from rpcobj.call (the same object that was
#   passed to the bang decoder, which presumably consumes the decoded header
#   in place - confirm in Rex::Encoder::XDR)
# @raise [Rex::Proto::SunRPC::RPCError] on no reply, undecodable reply, or a
#   reply whose status fields are not MSG_ACCEPTED / SUCCESS
def sunrpc_call(proc, buf, timeout = timeout())
  reply = rpcobj.call(proc, buf, timeout)
  unless reply
    raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to SunRPC call for procedure: #{proc}"
  end

  fields =
    begin
      Rex::Encoder::XDR.decode!(reply, Integer, Integer, Integer, String, Integer)
    rescue Rex::ArgumentError
      raise Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - XDR decoding failed in #{__callee__}"
    end

  # Index 1 is compared with MSG_ACCEPTED and index 4 with SUCCESS.
  reply_stat = fields[1]
  accept_stat = fields[4]
  return reply if reply_stat == MSG_ACCEPTED && accept_stat == SUCCESS

  progname = progresolv(rpcobj.program)
  reason =
    if reply_stat != MSG_ACCEPTED
      'Message not accepted'
    elsif accept_stat && accept_stat != SUCCESS
      case accept_stat
      when PROG_UMAVAIL then "Program Unavailable"
      when PROG_MISMATCH then "Program Version Mismatch"
      when PROC_UNAVAIL then "Procedure Unavailable"
      when GARBAGE_ARGS then "Garbage Arguments"
      when SYSTEM_ERR then "System Error"
      else "Unknown Error"
      end
    else
      # A nil status yields no reason text, only the prefix.
      ''
    end

  err = "SunRPC call for program #{rpcobj.program} [#{progname}], procedure #{proc}, failed: #{reason}"
  raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - #{err}"
end
#sunrpc_callsock ⇒ Object
# File 'lib/msf/core/exploit/sunrpc.rb', line 120

# Returns call_sock from the current SunRPC context.
#
# @return [Object] the value of rpcobj.call_sock
def sunrpc_callsock
  client = rpcobj
  client.call_sock
end
#sunrpc_create(protocol, program, version, time_out = timeout) ⇒ Object
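# File 'lib/msf/core/exploit/sunrpc.rb', line 52

# Creates a SunRPC client for the given program, stores it in rpcobj, and
# records the port returned in the portmap reply on the client.
#
# @param protocol [Object] passed to the client as :proto
# @param program [Object] passed to the client as :program
# @param version [Object] passed to the client as :version
# @param time_out [Object] passed to the client as :timeout; defaults to #timeout
# @return [Integer] the port taken from the reply and stored in rpcobj.pport
# @raise [Rex::Proto::SunRPC::RPCError] on no reply, undecodable reply, or a
#   reply that reports failure or carries an unusable port
def sunrpc_create(protocol, program, version, time_out = timeout)
  self.rpcobj = Rex::Proto::SunRPC::Client.new(
    :rhost => rhost,
    :rport => rport.to_i,
    :proto => protocol,
    :program => program,
    :timeout => time_out,
    :version => version,
    :context => {
      'Msf' => framework,
      'MsfExploit' => self,
    }
  )

  if datastore['ONCRPC::tcp_request_fragmentation']
    self.rpcobj.should_fragment = 1
  end

  ret = rpcobj.create
  raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to Portmap request" unless ret

  begin
    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
  rescue Rex::ArgumentError
    raise Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - XDR decoding failed in #{__callee__}"
  end

  # Collect every failure reason and join them with a separator; appending
  # them directly to one string ran the messages together when more than one
  # condition held.
  port = arr[5]
  reasons = []
  reasons << 'Message not accepted' if arr[1] != MSG_ACCEPTED
  reasons << 'RPC did not execute' if arr[4] != SUCCESS
  if port == 0
    reasons << 'Program not available'
  elsif !(port.is_a?(Integer) && port.between?(1, 65_535))
    # The port comes from the remote reply; reject values that cannot be a
    # TCP/UDP port before storing them on the client.
    reasons << 'Invalid port in reply'
  end

  unless reasons.empty?
    raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - Portmap request failed: #{reasons.join(', ')}"
  end

  rpcobj.pport = port
end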
#sunrpc_destroy ⇒ Object
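# File 'lib/msf/core/exploit/sunrpc.rb', line 124

# Destroys the current SunRPC context, if any, and clears the stored reference.
#
# @return [nil]
def sunrpc_destroy
  # Safe navigation keeps a repeated call harmless once the reference is cleared.
  rpcobj&.destroy
  # Must go through the writer: a bare `rpcobj = nil` only creates a local
  # variable and leaves the destroyed client stored on the instance.
  self.rpcobj = nil
end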
#timeout ⇒ Object
Returns the time that this module will wait for RPC responses, in seconds
# File 'lib/msf/core/exploit/sunrpc.rb', line 177

# Returns the time that this module will wait for RPC responses, in seconds.
#
# @return [Object] the current value of the TIMEOUT datastore entry
def timeout
  seconds = datastore['TIMEOUT']
  seconds
end