Class: Rex::Proto::DCERPC::Client

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/dcerpc/client.rb

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(handle, socket, useroptions = Hash.new) ⇒ Client

initialize a DCE/RPC Function Call

Raises:

  • (ArgumentError)


12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# File 'lib/rex/proto/dcerpc/client.rb', line 12

def initialize(handle, socket, useroptions = Hash.new)
  self.handle = handle
  self.socket = socket
  self.options = {
    'smb_user'   => '',
    'smb_pass'   => '',
    'smb_pipeio' => 'rw',
    'smb_name'   => nil,
    'read_timeout'    => 10,
    'connect_timeout' => 5
  }

  self.options.merge!(useroptions)

  # If the caller passed us a smb_client object, use it and
  # and skip the connect/login/ipc$ stages of the setup
  if (self.options['smb_client'])
    self.smb = self.options['smb_client']
  end

  # we must have a valid handle, regardless of everything else
  raise ArgumentError, 'handle is not a Rex::Proto::DCERPC::Handle' if !self.handle.is_a?(Rex::Proto::DCERPC::Handle)

  # we do this in case socket needs setup first, ie, socket = nil
  if !self.options['no_socketsetup']
    self.socket_check()
  end

  raise ArgumentError, 'socket can not read' if !self.socket.respond_to?(:read)
  raise ArgumentError, 'socket can not write' if !self.socket.respond_to?(:write)

  if !self.options['no_autobind']
    self.bind()
  end
end

Instance Attribute Details

#contextObject

Returns the value of attribute context.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def context
  @context
end

#handleObject

Returns the value of attribute handle.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def handle
  @handle
end

#ispipeObject

Returns the value of attribute ispipe.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def ispipe
  @ispipe
end

#last_responseObject

Returns the value of attribute last_response.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def last_response
  @last_response
end

#no_bindObject

Returns the value of attribute no_bind.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def no_bind
  @no_bind
end

#optionsObject

Returns the value of attribute options.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def options
  @options
end

#smbObject

Returns the value of attribute smb.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def smb
  @smb
end

#socketObject

Returns the value of attribute socket.



9
10
11
# File 'lib/rex/proto/dcerpc/client.rb', line 9

def socket
  @socket
end

Class Method Details

.read_response(socket, timeout = ) ⇒ Object

Process a DCERPC response packet from a socket



286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
# File 'lib/rex/proto/dcerpc/client.rb', line 286

def self.read_response(socket, timeout=self.options['read_timeout'])

  data = socket.get_once(-1, timeout)

  # We need at least 10 bytes to find the FragLen
  if (! data or data.length() < 10)
    return
  end

  # Pass the first 10 bytes to the constructor
  resp = Rex::Proto::DCERPC::Response.new(data.slice!(0, 10))

  # Something went wrong in the parser...
  if (! resp.frag_len)
    return resp
  end

  # Do we need to read more data?
  if (resp.frag_len > (data.length + 10))
    begin
      data << socket.timed_read(resp.frag_len - data.length - 10, timeout)
    rescue Timeout::Error
    end
  end

  # Still missing some data...
  if (data.length() != resp.frag_len - 10)
    # TODO: Bubble this up somehow
    # $stderr.puts "Truncated DCERPC response :-("
    return resp
  end

  resp.parse(data)
  return resp
end

Instance Method Details

#bindObject



196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
# File 'lib/rex/proto/dcerpc/client.rb', line 196

def bind()
  bind = ''
  context = ''
  if self.options['fake_multi_bind']

    args = [ self.handle.uuid[0], self.handle.uuid[1] ]

    if (self.options['fake_multi_bind_prepend'])
      args << self.options['fake_multi_bind_prepend']
    end

    if (self.options['fake_multi_bind_append'])
      args << self.options['fake_multi_bind_append']
    end

    bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args)
  else
    bind, context = Rex::Proto::DCERPC::Packet.make_bind(*self.handle.uuid)
  end

  raise ::Rex::Proto::DCERPC::Exceptions::BindError, 'make_bind failed' if !bind

  self.write(bind)
  raw_response = self.read()

  response = Rex::Proto::DCERPC::Response.new(raw_response)
  self.last_response = response
  if response.type == 12 or response.type == 15
    if self.last_response.ack_result[context] == 2
      raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
    end
    self.context = context
  else
    raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
  end
end

#call(function, data, do_recv = true) ⇒ Object

Perform a DCE/RPC Function Call



234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
# File 'lib/rex/proto/dcerpc/client.rb', line 234

def call(function, data, do_recv = true)

  frag_size = data.length
  if options['frag_size']
    frag_size = options['frag_size']
  end
  object_id = ''
  if options['object_call']
    object_id = self.handle.uuid[0]
  end
  if options['random_object_id']
    object_id = Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
  end

  call_packets = Rex::Proto::DCERPC::Packet.make_request(function, data, frag_size, self.context, object_id)
  call_packets.each { |packet|
    self.write(packet)
  }

  return true if not do_recv

  raw_response = ''
  data = ''
  last_frag = false

  until last_frag do
    begin
      raw_response = self.read()
    rescue ::EOFError
      raise Rex::Proto::DCERPC::Exceptions::NoResponse
    end

    if (raw_response == nil or raw_response.length == 0)
      raise Rex::Proto::DCERPC::Exceptions::NoResponse
    end

    self.last_response = Rex::Proto::DCERPC::Response.new(raw_response)

    if self.last_response.type == 3
      e = Rex::Proto::DCERPC::Exceptions::Fault.new
      e.fault = self.last_response.status
      raise e
    end

    data << self.last_response.stub_data
    last_frag = (self.last_response.flags & Rex::Proto::DCERPC::Response::FLAG_LAST_FRAG) == Rex::Proto::DCERPC::Response::FLAG_LAST_FRAG
  end

  data
end

#readObject



129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
# File 'lib/rex/proto/dcerpc/client.rb', line 129

def read()

  max_read = self.options['pipe_read_max_size'] || 1024*1024
  min_read = self.options['pipe_read_min_size'] || max_read

  raw_response = ''

  # Are we reading from a remote pipe over SMB?
  if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
    begin
      raw_response = self.socket.read(65535, 0)
    rescue Rex::Proto::SMB::Exceptions::NoReply
      # I don't care if I didn't get a reply...
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => exception
      if exception.error_code != 0xC000014B
        raise exception
      end
    end
  # This must be a regular TCP or UDP socket
  else
    if (self.socket.type? == 'tcp')
      if (false and max_read)
        while (true)
          data = self.socket.get_once((rand(max_read-min_read)+min_read), self.options['read_timeout'])
          break if not data
          break if not data.length
          raw_response << data
        end
      else
        # Just read the entire response in one go
        raw_response = self.socket.get_once(-1, self.options['read_timeout'])
      end
    else
      # No segmented read support for non-TCP sockets
      raw_response = self.socket.read(0xFFFFFFFF / 2 - 1)  # read max data
    end
  end

  raw_response
end

#smb_connectObject



109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# File 'lib/rex/proto/dcerpc/client.rb', line 109

def smb_connect()

  if(not self.smb)
    if self.socket.peerport == 139
      smb = Rex::Proto::SMB::SimpleClient.new(self.socket)
    else
      smb = Rex::Proto::SMB::SimpleClient.new(self.socket, true)
    end

    smb.('*SMBSERVER', self.options['smb_user'], self.options['smb_pass'])
    smb.connect("\\\\#{self.handle.address}\\IPC$")
    self.smb = smb
    self.smb.client.read_timeout = self.options['read_timeout']
  end

  f = self.smb.create_pipe(self.handle.options[0])
  f.mode = self.options['smb_pipeio']
  self.socket = f
end

#socket_checkObject



48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/rex/proto/dcerpc/client.rb', line 48

def socket_check()
  if self.socket == nil
    self.socket_setup()
  end

  case self.handle.protocol
    when 'ncacn_ip_tcp'
      if self.socket.type? != 'tcp'
        raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
      end
    when 'ncacn_np'
      if self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe
        self.ispipe = 1
      elsif self.socket.type? == 'tcp'
        self.smb_connect()
      else
        raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
      end
      # No support ncacn_ip_udp (is it needed now that its ripped from Vista?)
    else
      raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "Unsupported protocol : #{self.handle.protocol}"
  end
end

#socket_setupObject

Create the appropriate socket based on protocol



73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# File 'lib/rex/proto/dcerpc/client.rb', line 73

def socket_setup()
  ctx = { 'Msf' => self.options['Msf'], 'MsfExploit' => self.options['MsfExploit'] }
  self.socket = case self.handle.protocol

    when 'ncacn_ip_tcp'
      Rex::Socket.create_tcp(
        'PeerHost' => self.handle.address,
        'PeerPort' => self.handle.options[0],
        'Context' => ctx,
        'Timeout' => self.options['connect_timeout']
      )

    when 'ncacn_np'
      begin
        socket = Rex::Socket.create_tcp(
          'PeerHost' => self.handle.address,
          'PeerPort' => 445,
          'Context' => ctx,
          'Timeout' => self.options['connect_timeout']
        )
      rescue ::Timeout::Error, Rex::ConnectionRefused
        socket = Rex::Socket.create_tcp(
          'PeerHost' => self.handle.address,
          'PeerPort' => 139,
          'Context' => ctx,
          'Timeout' => self.options['connect_timeout']
        )
      end
      socket
    else nil
  end

  # Add this socket to the exploit's list of open sockets
  options['MsfExploit'].add_socket(self.socket) if (options['MsfExploit'])
end

#write(data) ⇒ Object

Write data to the underlying socket, limiting the sizes of the writes based on the pipe_write_min / pipe_write_max options.



172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
# File 'lib/rex/proto/dcerpc/client.rb', line 172

def write(data)

  max_write = self.options['pipe_write_max_size'] || data.length
  min_write = self.options['pipe_write_min_size'] || max_write

  if(min_write > max_write)
    max_write = min_write
  end

  idx = 0

  if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
    while(idx < data.length)
      bsize = (rand(max_write-min_write)+min_write).to_i
      len = self.socket.write(data[idx, bsize])
      idx += bsize
    end
  else
    self.socket.write(data)
  end

  data.length
end