

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
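# Auxiliary scanner: asks a SunRPC portmapper for its full program list
# (PMAPPROC_DUMP) and reports every advertised program/version/port.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SunRPC
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Portmapper program number, protocol version and the DUMP procedure
  # number, as defined in RFC 1057 (see 'References' below).
  PORTMAP_PROGRAM = 100_000
  PORTMAP_VERSION = 2
  PMAPPROC_DUMP = 4

  # IP protocol numbers carried in each portmap entry, mapped to the transport
  # name used for the output table and for report_service.
  PROTOCOL_NAMES = { 0x06 => 'tcp', 0x11 => 'udp' }.freeze

  def initialize
    super(
      'Name' => 'SunRPC Portmap Program Enumerator',
      'Description' => '
        This module calls the target portmap service and enumerates all program
        entries and their running port numbers.
      ',
      'Author' => ['<tebo[at]attackresearch.com>'],
      'References' =>
        [
          ['URL', 'https://www.ietf.org/rfc/rfc1057.txt']
        ],
      'License' => MSF_LICENSE
    )

    register_options([
      OptEnum.new('PROTOCOL', [true, 'Protocol to use', 'tcp', %w[tcp udp]])
    ])
  end

  # Scanner entry point, invoked once per target host.
  #
  # Opens a SunRPC session to the portmapper on +rport+ over the transport
  # chosen by PROTOCOL, sends PMAPPROC_DUMP, decodes each
  # (program, version, protocol, port) entry of the reply, prints them as a
  # table and records each entry via report_service.
  #
  # @param ip [String] address of the host being scanned
  # @return [void]
  def run_host(ip)
    peer = "#{ip}:#{rport}"
    # Transport used to reach the portmapper itself; kept distinct from the
    # per-entry protocol name so the loop below cannot clobber it.
    transport = datastore['PROTOCOL']
    vprint_status("SunRPC - Enumerating programs")

    begin
      sunrpc_create(transport, PORTMAP_PROGRAM, PORTMAP_VERSION)
      sunrpc_authnull
      resp = sunrpc_call(PMAPPROC_DUMP, "")

      maps = decode_portmap_dump(resp)
      # NOTE(review): sunrpc_destroy is skipped when sunrpc_call raises;
      # moving it to an ensure clause would be cleaner if the mixin tolerates
      # a destroy without a live session — confirm before changing.
      sunrpc_destroy
      return if maps.empty?

      vprint_good("Found #{maps.size} programs available")

      table = Rex::Text::Table.new(
        'Header' => "SunRPC Programs for #{ip}",
        'Indent' => 1,
        'Columns' => %w(Name Number Version Port Protocol)
      )

      maps.each do |map|
        prog, vers, prot_num, port = map[0, 4]
        thing = "RPC Program ##{prog} v#{vers} on port #{port} w/ protocol #{prot_num}"

        # The protocol number comes straight from the remote reply; anything
        # other than TCP/UDP is reported and skipped rather than trusted.
        prog_proto = PROTOCOL_NAMES[prot_num]
        if prog_proto.nil?
          print_error("#{peer}: unknown protocol number for #{thing}")
          next
        end

        resolved = progresolv(prog)
        table << [resolved, prog, vers, port, prog_proto]
        report_service(
          host: ip,
          port: port,
          proto: prog_proto,
          name: resolved,
          info: "Prog: #{prog} Version: #{vers} - via portmapper"
        )
      end

      print_good(table.to_s)
    rescue ::Rex::Proto::SunRPC::RPCTimeout, ::Rex::Proto::SunRPC::RPCError => e
      vprint_error(e.to_s)
    end
  end

  private

  # Decode the entry list of a PMAPPROC_DUMP reply.
  #
  # Byte 3 of the reply is used as the "list is non-empty" flag (as the
  # original code did); after that, each entry is an XDR "value follows"
  # word equal to 1 followed by four integers, and the list ends at a word
  # that is not 1. The reply string is consumed in place by the XDR decoder.
  #
  # @param resp [String, nil] raw reply body returned by sunrpc_call
  # @return [Array<Array<Integer>>] one [program, version, protocol, port]
  #   entry per program; empty for an empty, absent or truncated reply
  def decode_portmap_dump(resp)
    # Guard the flag-byte read: the previous resp[3, 1].unpack('C') raised
    # NoMethodError on a reply shorter than the flag byte, which was not
    # covered by the RPC rescue in run_host. A short reply is untrusted
    # network input and must simply yield no entries.
    return [] if resp.nil? || resp.bytesize < 4

    maps = []
    if resp.getbyte(3) == 0x01
      # Each iteration consumes the flag word and one entry; on a truncated
      # reply the decoder presumably stops returning 1 and the loop ends.
      while Rex::Encoder::XDR.decode_int!(resp) == 1
        maps << Rex::Encoder::XDR.decode!(resp, Integer, Integer, Integer, Integer)
      end
    end
    maps
  end
end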