##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
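class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SunRPC
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Portmapper identifiers from RFC 1057 (the reference listed below):
  # program 100000 (PMAPPROG), version 2 (PMAP_VERS) and procedure 4
  # (PMAPPROC_DUMP), which returns every registered (prog, vers, prot, port)
  # mapping in one reply.
  PMAP_PROG = 100000
  PMAP_VERS = 2
  PMAPPROC_DUMP = 4

  # IP protocol numbers as carried in the `prot` field of each mapping.
  IPPROTO_TCP = 0x06
  IPPROTO_UDP = 0x11

  def initialize
    super(
      'Name' => 'SunRPC Portmap Program Enumerator',
      'Description' => '
        This module calls the target portmap service and enumerates all program
        entries and their running port numbers.
      ',
      'Author' => ['<tebo[at]attackresearch.com>'],
      'References' => [
        ['URL', 'https://www.ietf.org/rfc/rfc1057.txt']
      ],
      'License' => MSF_LICENSE
    )

    register_options([
      OptEnum.new('PROTOCOL', [true, 'Protocol to use', 'tcp', %w[tcp udp]]),
    ])
  end

  # Dump the portmapper table of one host, print it and record each mapping
  # as a service.
  #
  # @param ip [String] target address supplied by the Scanner mixin; the port
  #   comes from RPORT via +rport+ and the transport from PROTOCOL.
  # @return [void]
  def run_host(ip)
    peer = "#{ip}:#{rport}"
    transport = datastore['PROTOCOL']
    vprint_status "SunRPC - Enumerating programs"

    connected = false
    maps = []

    begin
      sunrpc_create(transport, PMAP_PROG, PMAP_VERS)
      connected = true
      sunrpc_authnull
      resp = sunrpc_call(PMAPPROC_DUMP, "")
      maps = parse_pmap_dump(resp, peer)
    rescue ::Rex::Proto::SunRPC::RPCTimeout, ::Rex::Proto::SunRPC::RPCError => e
      vprint_error(e.to_s)
    ensure
      # Always release the RPC client. Previously a timeout or RPCError jumped
      # straight to the rescue and skipped sunrpc_destroy, leaking the
      # connection for every unresponsive host in a scan. Only tear down once
      # sunrpc_create has succeeded, since the client's state before that is
      # not visible from here.
      sunrpc_destroy if connected
    end

    return if maps.empty?

    vprint_good("Found #{maps.size} programs available")

    table = Rex::Text::Table.new(
      'Header' => "SunRPC Programs for #{ip}",
      'Indent' => 1,
      'Columns' => %w(Name Number Version Port Protocol)
    )

    maps.each do |prog, vers, prot_num, port|
      thing = "RPC Program ##{prog} v#{vers} on port #{port} w/ protocol #{prot_num}"

      # Every field is attacker-controlled. A truncated reply can leave nil
      # fields in an entry; refuse to record a service with a nil port/program
      # rather than pushing it into the database.
      unless [prog, vers, prot_num, port].all? { |v| v.is_a?(Integer) }
        print_error("#{peer}: malformed pmap entry for #{thing}")
        next
      end

      svc_proto =
        case prot_num
        when IPPROTO_TCP then 'tcp'
        when IPPROTO_UDP then 'udp'
        end
      unless svc_proto
        print_error("#{peer}: unknown protocol number for #{thing}")
        next
      end

      # The port is read verbatim from the remote pmap table; keep it inside
      # the valid TCP/UDP range before it reaches report_service.
      unless (1..65535).cover?(port)
        print_error("#{peer}: invalid port for #{thing}")
        next
      end

      resolved = progresolv(prog)
      table << [resolved, prog, vers, port, svc_proto]
      report_service(
        host: ip,
        port: port,
        proto: svc_proto,
        name: resolved,
        info: "Prog: #{prog} Version: #{vers} - via portmapper"
      )
    end

    print_good(table.to_s)
  end

  private

  # Parse the body of a PMAPPROC_DUMP reply into [prog, vers, prot, port]
  # quadruples.
  #
  # Wire format (RFC 1057): a linked list in which each node is an XDR boolean
  # (1 = another mapping follows, 0 = end of list) followed by four XDR
  # integers. The buffer is untrusted network data: decoding stops at the
  # list terminator, when the buffer runs dry, or when the decoder raises on a
  # truncated buffer, and returns whatever was parsed up to that point.
  #
  # @param resp [String, nil] raw reply body; consumed destructively by the
  #   Rex XDR helpers
  # @param peer [String] "ip:port" used to prefix error output
  # @return [Array<Array>] decoded mappings, possibly empty
  def parse_pmap_dump(resp, peer)
    maps = []

    # Fewer than 4 bytes cannot hold the leading boolean; the original
    # resp[3, 1].unpack would have raised NoMethodError on nil here.
    return maps if resp.nil? || resp.bytesize < 4

    # Low-order byte of the first big-endian XDR boolean: 1 means at least one
    # mapping is present, anything else means an empty table.
    return maps unless resp[3, 1].unpack('C')[0] == 0x01

    begin
      while Rex::Encoder::XDR.decode_int!(resp) == 1
        maps << Rex::Encoder::XDR.decode!(resp, Integer, Integer, Integer, Integer)
      end
    rescue ::ArgumentError => e
      # Rex's XDR helpers may raise ArgumentError when asked to decode past the
      # end of a truncated (or deliberately malformed) reply; treat that as the
      # end of the list instead of aborting the whole host.
      vprint_error("#{peer}: truncated pmap dump reply (#{e.message})")
    end

    maps
  end
end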