From 29c0a10fd2b44207044127ab29c8e75de7ef3c43 Mon Sep 17 00:00:00 2001 From: NtAlexio2 Date: Fri, 4 Oct 2024 12:37:06 -0400 Subject: [PATCH 1/2] allow settings the RPORT option for pipe_dcerpc_auditor --- .../scanner/smb/pipe_dcerpc_auditor.rb | 99 +++++++++++-------- 1 file changed, 58 insertions(+), 41 deletions(-) diff --git a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb index 33c77357caca..bdb68af5b8e4 100644 --- a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb +++ b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb @@ -24,13 +24,20 @@ def initialize 'License' => MSF_LICENSE, ) - deregister_options('RPORT') register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER)", 'BROWSER']), ]) end + def connect(*args, **kwargs) + super(*args, **kwargs, direct: @smb_direct) + end + + def rport + @rport + end + @@target_uuids = [ [ '00000131-0000-0000-c000-000000000046', '0.0' ], [ '00000134-0000-0000-c000-000000000046', '0.0' ], 
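Review bot: The new `connect` override forwards `direct: @smb_direct` unconditionally, so any call that reaches it before `run_host` has assigned the ivar (the session branch never sets it, and a future `check` method would not either) passes `direct: nil` and overrides whatever the SMB client mixin would otherwise choose for SMBDirect. Forwarding only once the module has actually decided is safer: `kwargs[:direct] = @smb_direct unless @smb_direct.nil?` followed by `super(*args, **kwargs)`. Whether the mixin's `connect` supplies its own `direct:` default is inferred from the shape of this override, not visible in the hunk, so worth confirming before relying on it.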
@@ -253,59 +260,69 @@ def initialize # Fingerprint a single host def run_host(ip) - ports = [139, 445] - if session print_status("Using existing session #{session.sid}") client = session.client + @rport = datastore['RPORT'] = session.port self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client) - ports = [simple.port] self.simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too - end - - ports.each do |port| - datastore['RPORT'] = port + check_uuids(ip) + else + if datastore['RPORT'].blank? || datastore['RPORT'] == 0 + smb_services = [ + { port: 445, direct: true }, + { port: 139, direct: false } + ] + else + smb_services = [ + { port: datastore['RPORT'], direct: datastore['SMBDirect'] } + ] + end - begin - unless session - connect() - smb_login() + smb_services.each do |smb_service| + @rport = smb_service[:port] + @smb_direct = smb_service[:direct] + + begin + connect + smb_login + check_uuids(ip) + disconnect + rescue ::Exception + print_line($!.to_s) end - @@target_uuids.each do |uuid| - - handle = dcerpc_handle_target( - uuid[0], uuid[1], - 'ncacn_np', ["\\#{datastore['SMBPIPE']}"], self.simple.address - ) + end + end - begin - dcerpc_bind(handle) - print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}") - # Add Report - report_note( - :host => ip, - :proto => 'tcp', - :sname => 'smb', - :port => rport, - :type => "UUID #{uuid[0]} #{uuid[1]}", - :data => "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}" - ) - rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e - print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code) - rescue StandardError => e - print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") - end - end + end - disconnect() + def check_uuids(ip) + @@target_uuids.each do |uuid| + + handle = dcerpc_handle_target( + uuid[0], uuid[1], + 'ncacn_np', ["\\#{datastore['SMBPIPE']}"], self.simple.address + 
) - return - rescue ::Exception - print_line($!.to_s) + begin + dcerpc_bind(handle) + print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}") + # Add Report + report_note( + :host => ip, + :proto => 'tcp', + :sname => 'smb', + :port => rport, + :type => "UUID #{uuid[0]} #{uuid[1]}", + :data => "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}" + ) + rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e + print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code) + rescue StandardError => e + print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") end end end - end From 6983ec5e12c45267db4639413d24efa42af531f5 Mon Sep 17 00:00:00 2001 From: NtAlexio2 Date: Sun, 13 Oct 2024 13:38:05 -0400 Subject: [PATCH 2/2] fix lintings in pipe_dcerpc_auditor --- .../scanner/smb/pipe_dcerpc_auditor.rb | 39 ++++++++----------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb index bdb68af5b8e4..092b522daae5 100644 --- a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb +++ b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb @@ -18,25 +18,24 @@ class MetasploitModule < Msf::Auxiliary def initialize super( - 'Name' => 'SMB Session Pipe DCERPC Auditor', + 'Name' => 'SMB Session Pipe DCERPC Auditor', 'Description' => 'Determine what DCERPC services are accessible over a SMB pipe', - 'Author' => 'hdm', - 'License' => MSF_LICENSE, + 'Author' => 'hdm', + 'License' => MSF_LICENSE, ) register_options( [ - OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER)", 'BROWSER']), - ]) + OptString.new('SMBPIPE', [ true, 'The pipe name to use (BROWSER)', 'BROWSER']), + ] + ) end def connect(*args, **kwargs) super(*args, **kwargs, direct: @smb_direct) end - def rport - @rport - end + attr_reader :rport @@target_uuids = [ [ '00000131-0000-0000-c000-000000000046', '0.0' ], 
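Review bot: The port loop in `run_host` no longer stops after a port that answers: the removed lines returned right after `disconnect()`, while the new `smb_services.each` in the non-session branch continues to 139 after 445 succeeded, so with RPORT unset every UUID is bound and `report_note`d twice per host. If one responsive service is the intent, add `break` after `check_uuids(ip)` inside the `begin` block; if probing both is deliberate, that is a behavior change the commit message should state. `disconnect` is also only reached on the success path, so a failure in `smb_login` or in `check_uuids` leaves the 445 socket open while 139 is tried — moving `disconnect` into an `ensure` closes it either way (assuming the mixin's `disconnect` tolerates a nil or already-closed socket, which is not visible here). The `rescue ::Exception` carried over from the old loop also swallows `Interrupt`, so a Ctrl-C during a slow bind is printed and the loop moves on; `rescue ::StandardError` covers the connection and SMB errors this code actually sees.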
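Review bot: `attr_reader :rport` shadows the mixin's `rport` with an accessor that returns nil until `run_host` assigns `@rport`, so anything that reads `rport` before then — framework output prefixes, a `check` method, or `report_note`'s `port:` if it were ever called earlier — sees nil instead of the now-registered RPORT option. Keeping the reader but falling back to the datastore avoids that: `def rport; @rport || datastore['RPORT']; end`. Which callers outside `run_host` consult `rport` is not visible in this hunk, so the concrete impact is inferred rather than shown.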
@@ -255,8 +254,7 @@ def rport [ 'fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0' ], [ 'ffe561b8-bf15-11cf-8c5e-08002bb49649', '2.0' ] - -] + ] # Fingerprint a single host def run_host(ip) @@ -265,7 +263,7 @@ def run_host(ip) client = session.client @rport = datastore['RPORT'] = session.port self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client) - self.simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too + simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too check_uuids(ip) else if datastore['RPORT'].blank? || datastore['RPORT'] == 0 @@ -282,7 +280,7 @@ def run_host(ip) smb_services.each do |smb_service| @rport = smb_service[:port] @smb_direct = smb_service[:direct] - + begin connect smb_login @@ -291,18 +289,15 @@ def run_host(ip) rescue ::Exception print_line($!.to_s) end - end end - end def check_uuids(ip) @@target_uuids.each do |uuid| - handle = dcerpc_handle_target( uuid[0], uuid[1], - 'ncacn_np', ["\\#{datastore['SMBPIPE']}"], self.simple.address + 'ncacn_np', ["\\#{datastore['SMBPIPE']}"], simple.address ) begin @@ -310,12 +305,12 @@ def check_uuids(ip) print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}") # Add Report report_note( - :host => ip, - :proto => 'tcp', - :sname => 'smb', - :port => rport, - :type => "UUID #{uuid[0]} #{uuid[1]}", - :data => "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}" + host: ip, + proto: 'tcp', + sname: 'smb', + port: rport, + type: "UUID #{uuid[0]} #{uuid[1]}", + data: "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}" ) rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code)