##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
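class MetasploitModule < Msf::Auxiliary
  # Exploit mixins should be called first
  include Msf::Exploit::Remote::DCERPC

  include Msf::Auxiliary::Report

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'Hidden DCERPC Service Discovery',
      'Description' => %q{
        This module will query the endpoint mapper and make a list
        of all ncacn_tcp RPC services. It will then connect to each of
        these services and use the management API to list all other
        RPC services accessible on this port. Any RPC service found attached
        to a TCP port, but not listed in the endpoint mapper, will be displayed
        and analyzed to see whether anonymous access is permitted.
      },
      'Author' => 'hdm',
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    # Ports to probe are taken from the endpoint mapper, never from the
    # user, so the generic RPORT option is removed.
    deregister_options('RPORT')
  end

  # Obtain information about a single host.
  #
  # Walks the endpoint-mapper listing, asks every advertised TCP port
  # which interfaces it really serves (management API), and probes each
  # interface that the mapper did not advertise.
  #
  # @param ip [String] target address supplied by the Scanner mixin
  # @return [void] results are printed and recorded via report_note
  def run_host(ip)
    epm = dcerpc_endpoint_list
    unless epm
      print_status("Could not contact the endpoint mapper on #{ip}")
      return
    end

    # port => { "uuid_version" => true } for every TCP endpoint the mapper
    # advertises. Anything bound to the port but absent from this set is
    # invisible to mapper-based enumeration, hence "hidden".
    eports = registered_tcp_interfaces(epm)

    eports.each_pair do |eport, servs|
      print_status("Looking for services on #{ip}:#{eport}...")

      # mgmt inq_if_ids reports every interface bound on the port,
      # whether or not it was registered with the mapper.
      ids = dcerpc_mgmt_inq_if_ids(eport)
      next unless ids

      ids.each do |id|
        next if servs.key?(interface_key(id[0], id[1]))

        print_status("\tHIDDEN: UUID #{id[0]} v#{id[1]}")
        probe_hidden_interface(ip, eport, id[0], id[1])
      end
    end
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue StandardError => e
    print_status("Error: #{e}")
  end

  private

  # Key used to match mapper entries against management-API results.
  # Interpolation (rather than +) tolerates a missing uuid or version
  # instead of raising and aborting the whole host.
  def interface_key(uuid, vers)
    "#{uuid}_#{vers}"
  end

  # Collapse the endpoint-mapper listing into port => { key => true },
  # keeping only entries that carry a port and use the tcp protocol.
  #
  # @param epm [Array<Hash>] entries from dcerpc_endpoint_list
  # @return [Hash{Object => Hash{String => true}}]
  def registered_tcp_interfaces(epm)
    eports = {}
    epm.each do |ep|
      next unless ep[:port] && ep[:prot] == 'tcp'

      eports[ep[:port]] ||= {}
      eports[ep[:port]][interface_key(ep[:uuid], ep[:vers])] = true
    end
    eports
  end

  # Connect to one hidden interface as an unauthenticated client and
  # record how far it gets: CONN (TCP connect), BIND (RPC bind accepted),
  # CALL (a request was dispatched to the interface), DATA (stub data
  # came back). A line is printed and a note is stored for the host.
  #
  # @param ip    [String] target address
  # @param eport [Integer] TCP port the interface is bound on
  # @param uuid  [String] interface UUID
  # @param vers  [String] interface version
  # @return [void]
  def probe_hidden_interface(ip, eport, uuid, vers)
    conn = bind = call = data = error = nil

    begin
      connect(true, { 'RPORT' => eport })
      conn = true

      handle = dcerpc_handle(uuid, vers, 'ncacn_ip_tcp', [eport])
      dcerpc_bind(handle)
      bind = true

      # Blind probe: opnum 0 with 512 zero bytes of stub data. The reply
      # content is not interpreted; what matters is whether the server
      # dispatched the call at all without authentication.
      # NOTE(review): the CRASH_SAFE rating assumes every hidden interface
      # tolerates a zero-filled request to opnum 0; that is not guaranteed
      # for arbitrary third-party RPC servers.
      dcerpc.call(0, NDR.long(0) * 128)
      call = true

      resp = dcerpc.last_response
      data = resp.stub_data if resp && resp.stub_data
    rescue ::Interrupt
      raise $ERROR_INFO
    rescue StandardError => e
      error = e.to_s
      # Any fault other than access-denied still means the unauthenticated
      # request reached the interface, so it counts as a successful CALL.
      if error =~ /DCERPC FAULT/ && error !~ /nca_s_fault_access_denied/
        call = true
      else
        elog(e)
      end
    ensure
      # connect(true, ...) installs a new global socket each iteration
      # without closing the previous one; release it here.
      disconnect if conn
    end

    status = "\t\t"
    status << 'CONN ' if conn
    status << 'BIND ' if bind
    status << 'CALL ' if call
    status << "DATA=#{data.unpack('H*')[0]} " if data
    status << "ERROR=#{error} " if error

    print_status(status)
    print_status('')

    report_note(
      host: ip,
      proto: 'tcp',
      # RPORT is deregistered, so datastore['RPORT'] would not be the
      # port actually probed; record the endpoint-mapper port instead.
      port: eport,
      type: "DCERPC HIDDEN: UUID #{uuid} v#{vers}",
      data: { status: status }
    )
  end
end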