Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Exploit mixins should be called first
9
  include Msf::Exploit::Remote::DCERPC
10

11
  include Msf::Auxiliary::Report
12

13
  # Scanner mixin should be near last
14
  include Msf::Auxiliary::Scanner
15

16
  def initialize
17
    super(
18
      'Name'        => 'Remote Management Interface Discovery',
19
      'Description' => %q{
20
        This module can be used to obtain information from the Remote
21
        Management Interface DCERPC service.
22
      },
23
      'Author'      => 'hdm',
24
      'License'     => MSF_LICENSE
25
    )
26

27
    register_options(
28
      [
29
        Opt::RPORT(135)
30
      ])
31
  end
32

33
  # Obtain information about a single host
34
  def run_host(ip)
35
    begin
36

37
      ids = dcerpc_mgmt_inq_if_ids(rport)
38
      return if not ids
39
      ids.each do |id|
40
        print_status("UUID #{id[0]} v#{id[1]}")
41

42
        reportdata = ""
43

44
        stats = dcerpc_mgmt_inq_if_stats(rport)
45
        if stats
46
          print_status("\t stats: " + stats.map{|i| "0x%.8x" % i}.join(", "))
47
          reportdata << "stats: " + stats.map{|i| "0x%.8x" % i}.join(", ") + " "
48
        end
49

50
        live  = dcerpc_mgmt_is_server_listening(rport)
51
        if live
52
          print_status("\t listening: %.8x" % live)
53
          #reportdata << "listening: %.8x" % live + " "
54
        end
55

56
        dead  = dcerpc_mgmt_stop_server_listening(rport)
57
        if dead
58
          print_status("\t killed: %.8x" % dead)
59
          #reportdata << "killed: %.8x" % dead + " "
60
        end
61

62
        princ = dcerpc_mgmt_inq_princ_name(rport)
63
        if princ
64
          print_status("\t name: #{princ.unpack("H*")[0]}")
65
          #reportdata << "name: #{princ.unpack("H*")[0]}"
66
        end
67

68
        # Add Report
69
        report_note(
70
          :host   => ip,
71
          :proto  => 'tcp',
72
          :port   => datastore['RPORT'],
73
          :type   => "DCERPC UUID #{id[0]} v#{id[1]}",
74
          :data   => reportdata
75
        )
76

77
      end
78

79
    rescue ::Interrupt
80
      raise $!
81
    rescue ::Exception => e
82
      print_error("Error: #{e}")
83
    end
84
  end
85
end
86

87