
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  # Exploit mixins are included ahead of the others.
  include Msf::Exploit::Remote::DCERPC

  include Msf::Auxiliary::Report

  # The Scanner mixin is included close to last.
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and declares RPORT with a default of 135.
  def initialize
    super(
      'Name' => 'Endpoint Mapper Service Discovery',
      'Description' => %q{
        This module can be used to obtain information from the
        Endpoint Mapper service.
      },
      'Author' => 'hdm',
      'License' => MSF_LICENSE
    )

    register_options([Opt::RPORT(135)])
  end

  # Collects the endpoint list for one host, prints one status line per
  # endpoint that has a protocol, and records services (and a host name, when
  # one is found) through report_service / report_host.
  #
  # Every id[...] field is interpolated unmodified into the console line and
  # into the reported records.
  # NOTE(review): these values presumably originate from the scanned host's
  # reply (dcerpc_endpoint_list is defined outside this file) -- treat them as
  # untrusted wherever the console output or stored records are rendered later;
  # confirm against the mixin.
  #
  # ip is the host value used in the reported records and the error message.
  def run_host(ip)
    ids = dcerpc_endpoint_list
    return unless ids

    name = nil
    ids.each do |id|
      # Entries without a protocol are neither printed nor reported.
      next unless id[:prot]

      # Fragments already carry their own trailing spaces, so they are joined
      # without a separator.
      parts = ["#{id[:uuid]} v#{id[:vers]} ", "#{id[:prot].upcase} "]
      parts << "(#{id[:port]}) " if id[:port]
      parts << "(#{id[:pipe]}) " if id[:pipe]
      parts << "#{id[:host]} " if id[:host]
      parts << "[#{id[:note]}]" if id[:note]
      print_status(parts.join)

      # A host field starting with two backslashes supplies the host name;
      # when several entries match, the last one wins.
      host = id[:host]
      name = host[2..-1] if host && host[0, 2] == "\\\\"

      # Only tcp and udp endpoints are recorded as services.
      proto = id[:prot].downcase
      next unless %w[tcp udp].include?(proto)

      report_service(
        host: ip,
        port: id[:port],
        proto: proto,
        name: "dcerpc",
        info: "#{id[:uuid]} v#{id[:vers]} #{id[:note]}"
      )
    end

    report_host(host: ip, name: name) if name

    # The endpoint mapper itself is always recorded as a tcp service on rport.
    report_service(
      host: ip,
      port: rport,
      proto: 'tcp',
      name: "dcerpc",
      info: "Endpoint Mapper (#{ids.length} services)"
    )
  rescue ::Interrupt
    # Let a user interrupt propagate instead of being reported as a host error.
    raise
  rescue ::Rex::Proto::DCERPC::Exceptions::Fault
    # A DCERPC fault ends the run for this host without an error message.
  rescue ::Exception => e
    # NOTE(review): ::Exception is wider than StandardError, so failures that
    # are not ordinary runtime errors are also reduced to this one log line.
    print_error("#{ip}:#{rport} error: #{e}")
  end
end