
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/nfs/nfsmount.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
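# Auxiliary scanner that asks a host's mount daemon for its export list and
# records every exported directory together with the client groups the
# server says may mount it. Useful for auditing which NFS exports a network
# exposes and to whom.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SunRPC
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Nfs

  # Registers the module metadata, the PROTOCOL option (udp or tcp, default
  # udp) and the advanced Mountable option (default true).
  def initialize
    super(
      'Name' => 'NFS Mount Scanner',
      'Description' => %q{
        This module scans NFS mounts and their permissions.
      },
      'Author' => ['<tebo[at]attackresearch.com>'],
      'References' => [
        ['CVE', '1999-0170'],
        ['CVE', '1999-0554'],
        ['URL', 'https://www.ietf.org/rfc/rfc1094.txt']
      ],
      'License' => MSF_LICENSE
    )

    register_options([
      OptEnum.new('PROTOCOL', [ true, 'The protocol to use', 'udp', ['udp', 'tcp']])
    ])

    register_advanced_options(
      [
        OptBool.new('Mountable', [false, 'Determine if an export is mountable', true]),
      ]
    )
  end

  # Queries one host for its export list, prints each export and stores the
  # result as an 'nfs.exports' note.
  #
  # RPC timeouts and RPC errors are rescued and only shown in verbose mode.
  #
  # @param ip [String] address of the host being scanned
  # @return [void]
  def run_host(ip)
    program = 100005 # ONC RPC program number of the MOUNT protocol (mountd)
    progver = 1      # MOUNT protocol version 1, the one described in RFC 1094
    procedure = 5    # MOUNTPROC_EXPORT: return the server's export list

    sunrpc_create(datastore['PROTOCOL'], program, progver)
    sunrpc_authnull
    resp = sunrpc_call(procedure, '')

    # XXX: The service is recorded as nfsd on port 2049 although the
    # conversation above was with mountd, whose real port is not looked up
    # here. Treat the stored port as an assumption, not an observation.
    report_service(
      host: ip,
      proto: datastore['PROTOCOL'],
      port: 2049,
      name: 'nfsd',
      info: "NFS Daemon #{program} v#{progver}"
    )

    # The reply comes from the remote host and is not trusted. Without this
    # length check an empty or truncated reply makes resp[3, 1] return nil
    # and the unpack call raises NoMethodError, which the rescue below does
    # not cover and which would also skip sunrpc_destroy.
    if resp.nil? || resp.length < 4
      vprint_error("#{ip} - Malformed export list reply (#{resp.to_s.length} bytes)")
      exports = nil
    else
      # Peek at the low byte of the leading XDR "value follows" flag without
      # consuming it; the first decode_int! below reads the same four bytes.
      exports = resp[3, 1].unpack('C')[0]
    end

    if exports == 0x01
      shares = []
      # Each list entry is preceded by an integer 1; any other value ends
      # the list.
      # NOTE(review): errors raised by Rex::Encoder::XDR on a reply that is
      # cut off in the middle of an entry are not rescued here. Confirm what
      # it raises and whether the scanner framework reports it per host.
      while Rex::Encoder::XDR.decode_int!(resp) == 1
        dir = Rex::Encoder::XDR.decode_string!(resp)
        grp = []
        grp << Rex::Encoder::XDR.decode_string!(resp) while Rex::Encoder::XDR.decode_int!(resp) == 1

        # can_mount? and the HOSTNAME option are not defined in this file;
        # presumably both come from Msf::Auxiliary::Nfs. An unset LHOST is
        # passed as an empty string.
        if can_mount?(grp, datastore['Mountable'], datastore['HOSTNAME'], datastore['LHOST'] || '')
          print_good("#{ip} Mountable NFS Export: #{dir} [#{grp.join(', ')}]")
        else
          print_status("#{ip} NFS Export: #{dir} [#{grp.join(', ')}]")
        end
        # dir and grp are server-supplied strings, printed and stored as
        # received.
        shares << [dir, grp]
      end
      report_note(
        host: ip,
        proto: datastore['PROTOCOL'],
        port: 2049,
        type: 'nfs.exports',
        data: { exports: shares },
        update: :unique_data
      )
    elsif exports == 0x00
      vprint_status("#{ip} - No exported directories")
    end

    # NOTE(review): this line is not reached when one of the rescued RPC
    # errors is raised. Confirm whether the SunRPC mixin releases the client
    # on its own in that case.
    sunrpc_destroy
  rescue ::Rex::Proto::SunRPC::RPCTimeout, ::Rex::Proto::SunRPC::RPCError => e
    vprint_error(e.to_s)
  end
end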