Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Exploit mixins should be called first
9
  include Msf::Exploit::Remote::DCERPC
10

11
  include Msf::Auxiliary::Report
12

13
  # Scanner mixin should be near last
14
  include Msf::Auxiliary::Scanner
15

16
  def initialize
17
    super(
18
      'Name' => 'Hidden DCERPC Service Discovery',
19
      'Description' => %q{
20
        This module will query the endpoint mapper and make a list
21
      of all ncacn_tcp RPC services. It will then connect to each of
22
      these services and use the management API to list all other
23
      RPC services accessible on this port. Any RPC service found attached
24
      to a TCP port, but not listed in the endpoint mapper, will be displayed
25
      and analyzed to see whether anonymous access is permitted.
26
      },
27
      'Author' => 'hdm',
28
      'License' => MSF_LICENSE
29
    )
30

31
    deregister_options('RPORT')
32
  end
33

34
  # Obtain information about a single host
35
  def run_host(ip)
36
    epm = dcerpc_endpoint_list
37
    if !epm
38
      print_status("Could not contact the endpoint mapper on #{ip}")
39
      return
40
    end
41

42
    eports = {}
43

44
    epm.each do |ep|
45
      next if !(ep[:port] && ep[:prot] && (ep[:prot] == 'tcp'))
46

47
      eports[ep[:port]] ||= {}
48
      eports[ep[:port]][ep[:uuid] + '_' + ep[:vers]] = true
49
    end
50

51
    eports.each_pair do |eport, servs|
52
      rport = eport
53
      print_status("Looking for services on #{ip}:#{rport}...")
54

55
      ids = dcerpc_mgmt_inq_if_ids(rport)
56
      next if !ids
57

58
      ids.each do |id|
59
        next if servs.key?(id[0] + '_' + id[1])
60

61
        print_status("\tHIDDEN: UUID #{id[0]} v#{id[1]}")
62

63
        conn = nil
64
        bind = nil
65
        call = nil
66
        data = nil
67
        error = nil
68
        begin
69
          connect(true, { 'RPORT' => eport })
70
          conn = true
71

72
          handle = dcerpc_handle(id[0], id[1], 'ncacn_ip_tcp', [eport])
73
          dcerpc_bind(handle)
74
          bind = true
75

76
          dcerpc.call(0, NDR.long(0) * 128)
77
          call = true
78

79
          if (!dcerpc.last_response.nil? && !dcerpc.last_response.stub_data.nil?)
80
            data = dcerpc.last_response.stub_data
81
          end
82
        rescue ::Interrupt
83
          raise $ERROR_INFO
84
        rescue ::Exception => e
85
          error = e.to_s
86
        end
87

88
        if error
89
          if error =~ (/DCERPC FAULT/) && error !~ (/nca_s_fault_access_denied/)
90
            call = true
91
          else
92
            elog(e)
93
          end
94
        end
95

96
        status = "\t\t"
97
        status << 'CONN ' if conn
98
        status << 'BIND ' if bind
99
        status << 'CALL ' if call
100
        status << "DATA=#{data.unpack('H*')[0]} " if data
101
        status << "ERROR=#{error} " if error
102

103
        print_status(status)
104
        print_status('')
105

106
        ## Add Report
107
        report_note(
108
          host: ip,
109
          proto: 'tcp',
110
          port: datastore['RPORT'],
111
          type: "DCERPC HIDDEN: UUID #{id[0]} v#{id[1]}",
112
          data: status
113
        )
114
      end
115
    end
116
  rescue ::Interrupt
117
    raise $ERROR_INFO
118
  rescue ::Exception => e
119
    print_status("Error: #{e}")
120
  end
121

122
end
123

124