Module: Msf::Exploit::Remote::SunRPC

Includes:
Tcp
Defined in:
lib/msf/core/exploit/sunrpc.rb

Overview

This mixin provides utility methods for interacting with a SunRPC service on a remote machine. These methods may generally be useful in the context of exploitation. This mixin extends the Tcp exploit mixin. Only one SunRPC service can be accessed at a time using this class.

www.ietf.org/rfc/rfc1057.txt

Constant Summary collapse

MSG_ACCEPTED =
0
SUCCESS =

RPC executed successfully

0
PROG_UMAVAIL =

Remote hasn't exported program

1
PROG_MISMATCH =

Remote can't support version #

2
PROC_UNAVAIL =

Program can't support procedure

3
GARBAGE_ARGS =

Procedure can't decode params'

4
SYSTEM_ERR =

System encountered some error

5

Instance Attribute Summary collapse

Attributes included from Tcp

#sock

Instance Method Summary collapse

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Attribute Details

#rpcobjObject

Used to track the last SunRPC context


182
183
184
# File 'lib/msf/core/exploit/sunrpc.rb', line 182

def rpcobj
  @rpcobj
end

Instance Method Details

#initialize(info = {}) ⇒ Object


27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# File 'lib/msf/core/exploit/sunrpc.rb', line 27

def initialize(info = {})
  super

  register_evasion_options(
    [
      OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', false]),
    ], Msf::Exploit::Remote::SunRPC
  )


  register_advanced_options(
    [
      OptInt.new('TIMEOUT', [true, 'Number of seconds to wait for responses to RPC calls', 10])
      # XXX: Use portmapper to do call - Direct portmap to make the request to the program portmap_req
    ], Msf::Exploit::Remote::SunRPC)

  register_options(
    [
      # XXX: XPORT
      Opt::RHOST,
      Opt::RPORT(111),
    ], Msf::Exploit::Remote::SunRPC
  )
end

#portmap_qryObject

XXX: Incomplete. Just moved from Rex::Proto::SunRPC::Client


138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# File 'lib/msf/core/exploit/sunrpc.rb', line 138

def portmap_qry()
  ret = portmap_req()

  begin
    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer)
  rescue Rex::ArgumentError
    raise Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - XDR decoding failed in #{__callee__}"
  end

  if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0
    progname = progresolv(rpcobj.program)
    err = "Query for program #{rpcobj.program} [#{progname}] failed: "
    case arr[4]
      when PROG_UMAVAIL  then err << "Program Unavailable"
      when PROG_MISMATCH then err << "Program Version Mismatch"
      when PROC_UNAVAIL  then err << "Procedure Unavailable"
      when GARBAGE_ARGS  then err << "Garbage Arguments"
      else err << "Unknown Error"
    end
    raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - #{err}"
  end

  return ret
end

#progresolv(number) ⇒ Object


163
164
165
166
167
168
169
170
171
172
173
174
# File 'lib/msf/core/exploit/sunrpc.rb', line 163

def progresolv(number)
  names = File.join(Msf::Config.data_directory, "wordlists", "rpc_names.txt")
  File.open(names, "rb").each_line do |line|
    next if line.empty? || line =~ /^\s*#/

    if line =~ /^(\S+?)\s+(\d+)/ && number == $2.to_i
      return $1
    end
  end

  return "UNKNOWN-#{number}"
end

#sunrpc_authnull(*args) ⇒ Object


129
130
131
# File 'lib/msf/core/exploit/sunrpc.rb', line 129

def sunrpc_authnull(*args)
  rpcobj.authnull_create(*args)
end

#sunrpc_authunix(*args) ⇒ Object


133
134
135
# File 'lib/msf/core/exploit/sunrpc.rb', line 133

def sunrpc_authunix(*args)
  rpcobj.authunix_create(*args)
end

#sunrpc_call(proc, buf, timeout = timeout()) ⇒ Object


90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# File 'lib/msf/core/exploit/sunrpc.rb', line 90

def sunrpc_call(proc, buf, timeout = timeout())
  ret = rpcobj.call(proc, buf, timeout)
  raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to SunRPC call for procedure: #{proc}" unless ret

  begin
    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer)
  rescue Rex::ArgumentError
    raise Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - XDR decoding failed in #{__callee__}"
  end

  if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS
    progname = progresolv(rpcobj.program)
    err = "SunRPC call for program #{rpcobj.program} [#{progname}], procedure #{proc}, failed: "
    if (arr[1] != MSG_ACCEPTED)
      err << 'Message not accepted'
    elsif (arr[4] and arr[4] != SUCCESS)
      case arr[4]
        when PROG_UMAVAIL  then err << "Program Unavailable"
        when PROG_MISMATCH then err << "Program Version Mismatch"
        when PROC_UNAVAIL  then err << "Procedure Unavailable"
        when GARBAGE_ARGS  then err << "Garbage Arguments"
        when SYSTEM_ERR    then err << "System Error"
        else err << "Unknown Error"
      end
    end
    raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - #{err}"
  end
  return ret
end

#sunrpc_callsockObject


120
121
122
# File 'lib/msf/core/exploit/sunrpc.rb', line 120

def sunrpc_callsock
  self.rpcobj.call_sock
end

#sunrpc_create(protocol, program, version, time_out = timeout) ⇒ Object


52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# File 'lib/msf/core/exploit/sunrpc.rb', line 52

def sunrpc_create(protocol, program, version, time_out = timeout)
  self.rpcobj = Rex::Proto::SunRPC::Client.new(
    :rhost => rhost,
    :rport => rport.to_i,
    :proto => protocol,
    :program => program,
    :timeout => time_out,
    :version => version,
    :context => {
      'Msf'        => framework,
      'MsfExploit' => self,
    }
  )

  if datastore['ONCRPC::tcp_request_fragmentation']
    self.rpcobj.should_fragment = 1
  end

  ret = rpcobj.create
  raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to Portmap request" unless ret

  begin
    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
  rescue Rex::ArgumentError
    raise Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - XDR decoding failed in #{__callee__}"
  end

  if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0
    err = "#{rhost}:#{rport} - SunRPC - Portmap request failed: "
    err << 'Message not accepted'  if arr[1] != MSG_ACCEPTED
    err << 'RPC did not execute'   if arr[4] != SUCCESS
    err << 'Program not available' if arr[5] == 0
    raise ::Rex::Proto::SunRPC::RPCError, err
  end

  rpcobj.pport = arr[5]
end

#sunrpc_destroyObject


124
125
126
127
# File 'lib/msf/core/exploit/sunrpc.rb', line 124

def sunrpc_destroy
  rpcobj.destroy
  rpcobj = nil
end

#timeoutObject

Returns the time that this module will wait for RPC responses, in seconds


177
178
179
# File 'lib/msf/core/exploit/sunrpc.rb', line 177

def timeout
  datastore['TIMEOUT']
end