diff --git a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb index 33c77357caca..092b522daae5 100644 --- a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb +++ b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb @@ -18,19 +18,25 @@ class MetasploitModule < Msf::Auxiliary def initialize super( - 'Name' => 'SMB Session Pipe DCERPC Auditor', + 'Name' => 'SMB Session Pipe DCERPC Auditor', 'Description' => 'Determine what DCERPC services are accessible over a SMB pipe', - 'Author' => 'hdm', - 'License' => MSF_LICENSE, + 'Author' => 'hdm', + 'License' => MSF_LICENSE, ) - deregister_options('RPORT') register_options( [ - OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER)", 'BROWSER']), - ]) + OptString.new('SMBPIPE', [ true, 'The pipe name to use (BROWSER)', 'BROWSER']), + ] + ) + end + + def connect(*args, **kwargs) + super(*args, **kwargs, direct: @smb_direct) end + attr_reader :rport + @@target_uuids = [ [ '00000131-0000-0000-c000-000000000046', '0.0' ], [ '00000134-0000-0000-c000-000000000046', '0.0' ], 
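Review bot: The new `connect(*args, **kwargs)` override forwards `direct: @smb_direct`, but that ivar is only assigned inside the non-session branch of `run_host` shown in the next hunk, so any other path that reaches `connect` (a `check` method, a framework helper, or a future refactor) will pass `direct: nil` and override the user's `SMBDirect` choice. Falling back to the option when the ivar is unset keeps the override safe to call from anywhere: `super(*args, **kwargs, direct: @smb_direct.nil? ? datastore['SMBDirect'] : @smb_direct)`. The hunk also drops `deregister_options('RPORT')` without re-registering `RPORT` with a blank/0 default, while the next hunk only scans both 445 and 139 when `datastore['RPORT']` is blank or 0; if the inherited SMB mixin keeps its usual default of 445 (I cannot see it from here) the two-port sweep is dead code unless the operator clears RPORT by hand. A one-line header comment on the override would help the next reader, e.g. `# Force the transport (direct TCP/445 vs NetBIOS/139) chosen by run_host for the port being probed.`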
@@ -248,64 +254,70 @@ def initialize [ 'fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0' ], [ 'ffe561b8-bf15-11cf-8c5e-08002bb49649', '2.0' ] - -] + ] # Fingerprint a single host def run_host(ip) - ports = [139, 445] - if session print_status("Using existing session #{session.sid}") client = session.client + @rport = datastore['RPORT'] = session.port self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client) - ports = [simple.port] - self.simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too - end - - ports.each do |port| - datastore['RPORT'] = port - - begin - unless session - connect() - smb_login() - end - - @@target_uuids.each do |uuid| + simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too + check_uuids(ip) + else + if datastore['RPORT'].blank? || datastore['RPORT'] == 0 + smb_services = [ + { port: 445, direct: true }, + { port: 139, direct: false } + ] + else + smb_services = [ + { port: datastore['RPORT'], direct: datastore['SMBDirect'] } + ] + end - handle = dcerpc_handle_target( - uuid[0], uuid[1], - 'ncacn_np', ["\\#{datastore['SMBPIPE']}"], self.simple.address - ) + smb_services.each do |smb_service| + @rport = smb_service[:port] + @smb_direct = smb_service[:direct] - begin - dcerpc_bind(handle) - print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}") - # Add Report - report_note( - :host => ip, - :proto => 'tcp', - :sname => 'smb', - :port => rport, - :type => "UUID #{uuid[0]} #{uuid[1]}", - :data => "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}" - ) - rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e - print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code) - rescue StandardError => e - print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") - end + begin + connect + smb_login + check_uuids(ip) + disconnect + 
rescue ::Exception + print_line($!.to_s) end + end + end + end - disconnect() + def check_uuids(ip) + @@target_uuids.each do |uuid| + handle = dcerpc_handle_target( + uuid[0], uuid[1], + 'ncacn_np', ["\\#{datastore['SMBPIPE']}"], simple.address + ) - return - rescue ::Exception - print_line($!.to_s) + begin + dcerpc_bind(handle) + print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}") + # Add Report + report_note( + host: ip, + proto: 'tcp', + sname: 'smb', + port: rport, + type: "UUID #{uuid[0]} #{uuid[1]}", + data: "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}" + ) + rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e + print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code) + rescue StandardError => e + print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") end end end - end
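Review bot: In the per-port `begin` block of `run_host`, `disconnect` only runs on the success path; if `smb_login` or `check_uuids` raises (a very likely outcome on a host that answers 445 but rejects the login), the socket opened by `connect` is left dangling while the loop moves on to 139 with the same `simple` object, which on a scanner module running against many hosts is a real leak. Move the teardown into an `ensure`: `rescue StandardError => e` / `print_line(e.to_s)` / `ensure` / `disconnect`. While touching it, `rescue ::Exception` also swallows `::Interrupt`, so a Ctrl-C during a slow 139 probe is printed as an error and the scan continues; rescuing `StandardError` (as `check_uuids` already does in the same hunk) avoids that. Minor: in `check_uuids` the `rescue StandardError => e` binds `e` but prints `$!`; use `e` directly. The hunk appears to run to the end of the file, so no enclosing definition continues beyond it.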