Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::SunRPC
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10
  include Msf::Auxiliary::Nfs
11

12
  def initialize
13
    super(
14
      'Name' => 'NFS Mount Scanner',
15
      'Description' => %q{
16
        This module scans NFS mounts and their permissions.
17
      },
18
      'Author'	=> ['<tebo[at]attackresearch.com>'],
19
      'References' => [
20
        ['CVE', '1999-0170'],
21
        ['CVE', '1999-0554'],
22
        ['URL', 'https://www.ietf.org/rfc/rfc1094.txt']
23
      ],
24
      'License'	=> MSF_LICENSE
25
    )
26

27
    register_options([
28
      OptEnum.new('PROTOCOL', [ true, 'The protocol to use', 'udp', ['udp', 'tcp']])
29
    ])
30

31
    register_advanced_options(
32
      [
33
        OptBool.new('Mountable', [false, 'Determine if an export is mountable', true]),
34
      ]
35
    )
36
  end
37

38
  def run_host(ip)
39
    program	= 100005
40
    progver	= 1
41
    procedure	= 5
42

43
    sunrpc_create(datastore['PROTOCOL'], program, progver)
44
    sunrpc_authnull
45
    resp = sunrpc_call(procedure, '')
46

47
    # XXX: Assume that transport is udp and port is 2049
48
    # Technically we are talking to mountd not nfsd
49

50
    report_service(
51
      host: ip,
52
      proto: datastore['PROTOCOL'],
53
      port: 2049,
54
      name: 'nfsd',
55
      info: "NFS Daemon #{program} v#{progver}"
56
    )
57

58
    exports = resp[3, 1].unpack('C')[0]
59
    if (exports == 0x01)
60
      shares = []
61
      while Rex::Encoder::XDR.decode_int!(resp) == 1
62
        dir = Rex::Encoder::XDR.decode_string!(resp)
63
        grp = []
64
        grp << Rex::Encoder::XDR.decode_string!(resp) while Rex::Encoder::XDR.decode_int!(resp) == 1
65

66
        if can_mount?(grp, datastore['Mountable'], datastore['HOSTNAME'], datastore['LHOST'] || '')
67
          print_good("#{ip} Mountable NFS Export: #{dir} [#{grp.join(', ')}]")
68
        else
69
          print_status("#{ip} NFS Export: #{dir} [#{grp.join(', ')}]")
70
        end
71
        shares << [dir, grp]
72
      end
73
      report_note(
74
        host: ip,
75
        proto: datastore['PROTOCOL'],
76
        port: 2049,
77
        type: 'nfs.exports',
78
        data: { exports: shares },
79
        update: :unique_data
80
      )
81
    elsif (exports == 0x00)
82
      vprint_status("#{ip} - No exported directories")
83
    end
84

85
    sunrpc_destroy
86
  rescue ::Rex::Proto::SunRPC::RPCTimeout, ::Rex::Proto::SunRPC::RPCError => e
87
    vprint_error(e.to_s)
88
  end
89
end
90

91