Class: Rex::Proto::DCERPC::Client

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/dcerpc/client.rb

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(handle, socket, useroptions = Hash.new) ⇒ Client

initialize a DCE/RPC Function Call

Raises:


16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# File 'lib/rex/proto/dcerpc/client.rb', line 16

def initialize(handle, socket, useroptions = Hash.new)
  self.handle = handle
  self.socket = socket
  self.options = {
    'smb_user'   => '',
    'smb_pass'   => '',
    'smb_pipeio' => 'rw',
    'smb_name'   => nil,
    'read_timeout'    => 10,
    'connect_timeout' => 5
  }

  self.options.merge!(useroptions)

  # If the caller passed us a smb_client object, use it and
  # and skip the connect/login/ipc$ stages of the setup
  if (self.options['smb_client'])
    self.smb = self.options['smb_client']
  end

  # we must have a valid handle, regardless of everything else
  raise ArgumentError, 'handle is not a Rex::Proto::DCERPC::Handle' if !self.handle.is_a?(Rex::Proto::DCERPC::Handle)

  # we do this in case socket needs setup first, ie, socket = nil
  if !self.options['no_socketsetup']
    self.socket_check()
  end

  raise ArgumentError, 'socket can not read' if !self.socket.respond_to?(:read)
  raise ArgumentError, 'socket can not write' if !self.socket.respond_to?(:write)

  if !self.options['no_autobind']
    self.bind()
  end
end

Instance Attribute Details

#contextObject

Returns the value of attribute context


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def context
  @context
end

#handleObject

Returns the value of attribute handle


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def handle
  @handle
end

#ispipeObject

Returns the value of attribute ispipe


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def ispipe
  @ispipe
end

#last_responseObject

Returns the value of attribute last_response


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def last_response
  @last_response
end

#no_bindObject

Returns the value of attribute no_bind


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def no_bind
  @no_bind
end

#optionsObject

Returns the value of attribute options


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def options
  @options
end

#smbObject

Returns the value of attribute smb


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def smb
  @smb
end

#socketObject

Returns the value of attribute socket


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def socket
  @socket
end

Class Method Details

.read_response(socket, timeout = self.options['read_timeout']) ⇒ Object

Process a DCERPC response packet from a socket


322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
# File 'lib/rex/proto/dcerpc/client.rb', line 322

def self.read_response(socket, timeout=self.options['read_timeout'])

  data = socket.get_once(-1, timeout)

  # We need at least 10 bytes to find the FragLen
  if (! data or data.length() < 10)
    return
  end

  # Pass the first 10 bytes to the constructor
  resp = Rex::Proto::DCERPC::Response.new(data.slice!(0, 10))

  # Something went wrong in the parser...
  if (! resp.frag_len)
    return resp
  end

  # Do we need to read more data?
  if (resp.frag_len > (data.length + 10))
    begin
      data << socket.timed_read(resp.frag_len - data.length - 10, timeout)
    rescue Timeout::Error
    end
  end

  # Still missing some data...
  if (data.length() != resp.frag_len - 10)
    # TODO: Bubble this up somehow
    # $stderr.puts "Truncated DCERPC response :-("
    return resp
  end

  resp.parse(data)
  return resp
end

Instance Method Details

#bindObject


237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
# File 'lib/rex/proto/dcerpc/client.rb', line 237

def bind()
  require 'rex/proto/dcerpc/packet'
  bind = ''
  context = ''
  if self.options['fake_multi_bind']

    args = [ self.handle.uuid[0], self.handle.uuid[1] ]

    if (self.options['fake_multi_bind_prepend'])
      args << self.options['fake_multi_bind_prepend']
    end

    if (self.options['fake_multi_bind_append'])
      args << self.options['fake_multi_bind_append']
    end

    bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args)
  else
    bind, context = Rex::Proto::DCERPC::Packet.make_bind(*self.handle.uuid)
  end

  raise 'make_bind failed' if !bind

  self.write(bind)
  raw_response = self.read()

  response = Rex::Proto::DCERPC::Response.new(raw_response)
  self.last_response = response
  if response.type == 12 or response.type == 15
    if self.last_response.ack_result[context] == 2
      raise "Could not bind to #{self.handle}"
    end
    self.context = context
  else
    raise "Could not bind to #{self.handle}"
  end
end

#call(function, data, do_recv = true) ⇒ Object

Perform a DCE/RPC Function Call


276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
# File 'lib/rex/proto/dcerpc/client.rb', line 276

def call(function, data, do_recv = true)

  frag_size = data.length
  if options['frag_size']
    frag_size = options['frag_size']
  end
  object_id = ''
  if options['object_call']
    object_id = self.handle.uuid[0]
  end
  if options['random_object_id']
    object_id = Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
  end

  call_packets = Rex::Proto::DCERPC::Packet.make_request(function, data, frag_size, self.context, object_id)
  call_packets.each { |packet|
    self.write(packet)
  }

  return true if not do_recv

  raw_response = ''

  begin
    raw_response = self.read()
  rescue ::EOFError
    raise Rex::Proto::DCERPC::Exceptions::NoResponse
  end

  if (raw_response == nil or raw_response.length == 0)
    raise Rex::Proto::DCERPC::Exceptions::NoResponse
  end


  self.last_response = Rex::Proto::DCERPC::Response.new(raw_response)

  if self.last_response.type == 3
    e = Rex::Proto::DCERPC::Exceptions::Fault.new
    e.fault = self.last_response.status
    raise e
  end

  self.last_response.stub_data
end

#readObject


134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
# File 'lib/rex/proto/dcerpc/client.rb', line 134

def read()

  max_read = self.options['pipe_read_max_size'] || 1024*1024
  min_read = self.options['pipe_read_min_size'] || max_read

  raw_response = ''

  # Are we reading from a remote pipe over SMB?
  if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
    begin

      # Max SMB read is 65535, cap it at 64000
      max_read = [64000, max_read].min
      min_read = [64000, min_read].min

      read_limit = nil

      while(true)
        # Random read offsets will not work on Windows NT 4.0 (thanks Dave!)

        read_cnt = (rand(max_read-min_read)+min_read)
        if(read_limit)
          if(read_cnt + raw_response.length > read_limit)
            read_cnt = raw_response.length - read_limit
          end
        end

        data = self.socket.read( read_cnt, rand(1024)+1)
        break if !(data and data.length > 0)
        raw_response += data

        # Keep reading until we have at least the DCERPC header
        next if raw_response.length < 10

        # We now have to process the raw_response and parse out the DCERPC fragment length
        # if we have read enough data. Once we have the length value, we need to make sure
        # that we don't read beyond this amount, or it can screw up the SMB state
        if (not read_limit)
          begin
            check = Rex::Proto::DCERPC::Response.new(raw_response)
            read_limit = check.frag_len
          rescue ::Rex::Proto::DCERPC::Exceptions::InvalidPacket
          end
        end
        break if (read_limit and read_limit <= raw_response.length)
      end

    rescue Rex::Proto::SMB::Exceptions::NoReply
      # I don't care if I didn't get a reply...
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => exception
      if exception.error_code != 0xC000014B
        raise exception
      end
    end
  # This must be a regular TCP or UDP socket
  else
    if (self.socket.type? == 'tcp')
      if (false and max_read)
        while (true)
          data = self.socket.get_once((rand(max_read-min_read)+min_read), self.options['read_timeout'])
          break if not data
          break if not data.length
          raw_response << data
        end
      else
        # Just read the entire response in one go
        raw_response = self.socket.get_once(-1, self.options['read_timeout'])
      end
    else
      # No segmented read support for non-TCP sockets
      raw_response = self.socket.read(0xFFFFFFFF / 2 - 1)  # read max data
    end
  end

  raw_response
end

#smb_connectObject


113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# File 'lib/rex/proto/dcerpc/client.rb', line 113

def smb_connect()
  require 'rex/proto/smb/simpleclient'

  if(not self.smb)
    if self.socket.peerport == 139
      smb = Rex::Proto::SMB::SimpleClient.new(self.socket)
    else
      smb = Rex::Proto::SMB::SimpleClient.new(self.socket, true)
    end

    smb.('*SMBSERVER', self.options['smb_user'], self.options['smb_pass'])
    smb.connect("\\\\#{self.handle.address}\\IPC$")
    self.smb = smb
    self.smb.read_timeout = self.options['read_timeout']
  end

  f = self.smb.create_pipe(self.handle.options[0])
  f.mode = self.options['smb_pipeio']
  self.socket = f
end

#socket_checkObject


52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/rex/proto/dcerpc/client.rb', line 52

def socket_check()
  if self.socket == nil
    self.socket_setup()
  end

  case self.handle.protocol
    when 'ncacn_ip_tcp'
      if self.socket.type? != 'tcp'
        raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
      end
    when 'ncacn_np'
      if self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe
        self.ispipe = 1
      elsif self.socket.type? == 'tcp'
        self.smb_connect()
      else
        raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
      end
      # No support ncacn_ip_udp (is it needed now that its ripped from Vista?)
    else
      raise "Unsupported protocol : #{self.handle.protocol}"
  end
end

#socket_setupObject

Create the appropriate socket based on protocol


77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# File 'lib/rex/proto/dcerpc/client.rb', line 77

def socket_setup()
  ctx = { 'Msf' => self.options['Msf'], 'MsfExploit' => self.options['MsfExploit'] }
  self.socket = case self.handle.protocol

    when 'ncacn_ip_tcp'
      Rex::Socket.create_tcp(
        'PeerHost' => self.handle.address,
        'PeerPort' => self.handle.options[0],
        'Context' => ctx,
        'Timeout' => self.options['connect_timeout']
      )

    when 'ncacn_np'
      begin
        socket = Rex::Socket.create_tcp(
          'PeerHost' => self.handle.address,
          'PeerPort' => 445,
          'Context' => ctx,
          'Timeout' => self.options['connect_timeout']
        )
      rescue ::Timeout::Error, Rex::ConnectionRefused
        socket = Rex::Socket.create_tcp(
          'PeerHost' => self.handle.address,
          'PeerPort' => 139,
          'Context' => ctx,
          'Timeout' => self.options['connect_timeout']
        )
      end
      socket
    else nil
  end

  # Add this socket to the exploit's list of open sockets
  options['MsfExploit'].add_socket(self.socket) if (options['MsfExploit'])
end

#write(data) ⇒ Object

Write data to the underlying socket, limiting the sizes of the writes based on the pipe_write_min / pipe_write_max options.


213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
# File 'lib/rex/proto/dcerpc/client.rb', line 213

def write(data)

  max_write = self.options['pipe_write_max_size'] || data.length
  min_write = self.options['pipe_write_min_size'] || max_write

  if(min_write > max_write)
    max_write = min_write
  end

  idx = 0

  if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
    while(idx < data.length)
      bsize = (rand(max_write-min_write)+min_write).to_i
      len = self.socket.write(data[idx, bsize], rand(1024)+1)
      idx += bsize
    end
  else
    self.socket.write(data)
  end

  data.length
end