Class: Rex::Proto::DCERPC::Client

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/dcerpc/client.rb

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(handle, socket, useroptions = Hash.new) ⇒ Client

initialize a DCE/RPC Function Call

Raises:


16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# File 'lib/rex/proto/dcerpc/client.rb', line 16

def initialize(handle, socket, useroptions = Hash.new)
  self.handle = handle
  self.socket = socket
  self.options = {
    'smb_user'   => '',
    'smb_pass'   => '',
    'smb_pipeio' => 'rw',
    'smb_name'   => nil,
    'read_timeout'    => 10,
    'connect_timeout' => 5
  }

  self.options.merge!(useroptions)

  # If the caller passed us a smb_client object, use it and
  # and skip the connect/login/ipc$ stages of the setup
  if (self.options['smb_client'])
    self.smb = self.options['smb_client']
  end

  # we must have a valid handle, regardless of everything else
  raise ArgumentError, 'handle is not a Rex::Proto::DCERPC::Handle' if !self.handle.is_a?(Rex::Proto::DCERPC::Handle)

  # we do this in case socket needs setup first, ie, socket = nil
  if !self.options['no_socketsetup']
    self.socket_check()
  end

  raise ArgumentError, 'socket can not read' if !self.socket.respond_to?(:read)
  raise ArgumentError, 'socket can not write' if !self.socket.respond_to?(:write)

  if !self.options['no_autobind']
    self.bind()
  end
end

Instance Attribute Details

#contextObject

Returns the value of attribute context


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def context
  @context
end

#handleObject

Returns the value of attribute handle


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def handle
  @handle
end

#ispipeObject

Returns the value of attribute ispipe


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def ispipe
  @ispipe
end

#last_responseObject

Returns the value of attribute last_response


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def last_response
  @last_response
end

#no_bindObject

Returns the value of attribute no_bind


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def no_bind
  @no_bind
end

#optionsObject

Returns the value of attribute options


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def options
  @options
end

#smbObject

Returns the value of attribute smb


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def smb
  @smb
end

#socketObject

Returns the value of attribute socket


13
14
15
# File 'lib/rex/proto/dcerpc/client.rb', line 13

def socket
  @socket
end

Class Method Details

.read_response(socket, timeout = self.options['read_timeout']) ⇒ Object

Process a DCERPC response packet from a socket


285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
# File 'lib/rex/proto/dcerpc/client.rb', line 285

def self.read_response(socket, timeout=self.options['read_timeout'])

  data = socket.get_once(-1, timeout)

  # We need at least 10 bytes to find the FragLen
  if (! data or data.length() < 10)
    return
  end

  # Pass the first 10 bytes to the constructor
  resp = Rex::Proto::DCERPC::Response.new(data.slice!(0, 10))

  # Something went wrong in the parser...
  if (! resp.frag_len)
    return resp
  end

  # Do we need to read more data?
  if (resp.frag_len > (data.length + 10))
    begin
      data << socket.timed_read(resp.frag_len - data.length - 10, timeout)
    rescue Timeout::Error
    end
  end

  # Still missing some data...
  if (data.length() != resp.frag_len - 10)
    # TODO: Bubble this up somehow
    # $stderr.puts "Truncated DCERPC response :-("
    return resp
  end

  resp.parse(data)
  return resp
end

Instance Method Details

#bindObject


201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
# File 'lib/rex/proto/dcerpc/client.rb', line 201

def bind()
  require 'rex/proto/dcerpc/packet'
  bind = ''
  context = ''
  if self.options['fake_multi_bind']

    args = [ self.handle.uuid[0], self.handle.uuid[1] ]

    if (self.options['fake_multi_bind_prepend'])
      args << self.options['fake_multi_bind_prepend']
    end

    if (self.options['fake_multi_bind_append'])
      args << self.options['fake_multi_bind_append']
    end

    bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args)
  else
    bind, context = Rex::Proto::DCERPC::Packet.make_bind(*self.handle.uuid)
  end

  raise ::Rex::Proto::DCERPC::Exceptions::BindError, 'make_bind failed' if !bind

  self.write(bind)
  raw_response = self.read()

  response = Rex::Proto::DCERPC::Response.new(raw_response)
  self.last_response = response
  if response.type == 12 or response.type == 15
    if self.last_response.ack_result[context] == 2
      raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
    end
    self.context = context
  else
    raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
  end
end

#call(function, data, do_recv = true) ⇒ Object

Perform a DCE/RPC Function Call


240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
# File 'lib/rex/proto/dcerpc/client.rb', line 240

def call(function, data, do_recv = true)

  frag_size = data.length
  if options['frag_size']
    frag_size = options['frag_size']
  end
  object_id = ''
  if options['object_call']
    object_id = self.handle.uuid[0]
  end
  if options['random_object_id']
    object_id = Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
  end

  call_packets = Rex::Proto::DCERPC::Packet.make_request(function, data, frag_size, self.context, object_id)
  call_packets.each { |packet|
    self.write(packet)
  }

  return true if not do_recv

  raw_response = ''

  begin
    raw_response = self.read()
  rescue ::EOFError
    raise Rex::Proto::DCERPC::Exceptions::NoResponse
  end

  if (raw_response == nil or raw_response.length == 0)
    raise Rex::Proto::DCERPC::Exceptions::NoResponse
  end

  self.last_response = Rex::Proto::DCERPC::Response.new(raw_response)

  if self.last_response.type == 3
    e = Rex::Proto::DCERPC::Exceptions::Fault.new
    e.fault = self.last_response.status
    raise e
  end

  self.last_response.stub_data
end

#readObject


134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# File 'lib/rex/proto/dcerpc/client.rb', line 134

def read()

  max_read = self.options['pipe_read_max_size'] || 1024*1024
  min_read = self.options['pipe_read_min_size'] || max_read

  raw_response = ''

  # Are we reading from a remote pipe over SMB?
  if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
    begin
      raw_response = self.socket.read(65535, 0)
    rescue Rex::Proto::SMB::Exceptions::NoReply
      # I don't care if I didn't get a reply...
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => exception
      if exception.error_code != 0xC000014B
        raise exception
      end
    end
  # This must be a regular TCP or UDP socket
  else
    if (self.socket.type? == 'tcp')
      if (false and max_read)
        while (true)
          data = self.socket.get_once((rand(max_read-min_read)+min_read), self.options['read_timeout'])
          break if not data
          break if not data.length
          raw_response << data
        end
      else
        # Just read the entire response in one go
        raw_response = self.socket.get_once(-1, self.options['read_timeout'])
      end
    else
      # No segmented read support for non-TCP sockets
      raw_response = self.socket.read(0xFFFFFFFF / 2 - 1)  # read max data
    end
  end

  raw_response
end

#smb_connectObject


113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# File 'lib/rex/proto/dcerpc/client.rb', line 113

def smb_connect()
  require 'rex/proto/smb/simpleclient'

  if(not self.smb)
    if self.socket.peerport == 139
      smb = Rex::Proto::SMB::SimpleClient.new(self.socket)
    else
      smb = Rex::Proto::SMB::SimpleClient.new(self.socket, true)
    end

    smb.('*SMBSERVER', self.options['smb_user'], self.options['smb_pass'])
    smb.connect("\\\\#{self.handle.address}\\IPC$")
    self.smb = smb
    self.smb.client.read_timeout = self.options['read_timeout']
  end

  f = self.smb.create_pipe(self.handle.options[0])
  f.mode = self.options['smb_pipeio']
  self.socket = f
end

#socket_checkObject


52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/rex/proto/dcerpc/client.rb', line 52

def socket_check()
  if self.socket == nil
    self.socket_setup()
  end

  case self.handle.protocol
    when 'ncacn_ip_tcp'
      if self.socket.type? != 'tcp'
        raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
      end
    when 'ncacn_np'
      if self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe
        self.ispipe = 1
      elsif self.socket.type? == 'tcp'
        self.smb_connect()
      else
        raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
      end
      # No support ncacn_ip_udp (is it needed now that its ripped from Vista?)
    else
      raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "Unsupported protocol : #{self.handle.protocol}"
  end
end

#socket_setupObject

Create the appropriate socket based on protocol


77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# File 'lib/rex/proto/dcerpc/client.rb', line 77

def socket_setup()
  ctx = { 'Msf' => self.options['Msf'], 'MsfExploit' => self.options['MsfExploit'] }
  self.socket = case self.handle.protocol

    when 'ncacn_ip_tcp'
      Rex::Socket.create_tcp(
        'PeerHost' => self.handle.address,
        'PeerPort' => self.handle.options[0],
        'Context' => ctx,
        'Timeout' => self.options['connect_timeout']
      )

    when 'ncacn_np'
      begin
        socket = Rex::Socket.create_tcp(
          'PeerHost' => self.handle.address,
          'PeerPort' => 445,
          'Context' => ctx,
          'Timeout' => self.options['connect_timeout']
        )
      rescue ::Timeout::Error, Rex::ConnectionRefused
        socket = Rex::Socket.create_tcp(
          'PeerHost' => self.handle.address,
          'PeerPort' => 139,
          'Context' => ctx,
          'Timeout' => self.options['connect_timeout']
        )
      end
      socket
    else nil
  end

  # Add this socket to the exploit's list of open sockets
  options['MsfExploit'].add_socket(self.socket) if (options['MsfExploit'])
end

#write(data) ⇒ Object

Write data to the underlying socket, limiting the sizes of the writes based on the pipe_write_min / pipe_write_max options.


177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
# File 'lib/rex/proto/dcerpc/client.rb', line 177

def write(data)

  max_write = self.options['pipe_write_max_size'] || data.length
  min_write = self.options['pipe_write_min_size'] || max_write

  if(min_write > max_write)
    max_write = min_write
  end

  idx = 0

  if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
    while(idx < data.length)
      bsize = (rand(max_write-min_write)+min_write).to_i
      len = self.socket.write(data[idx, bsize])
      idx += bsize
    end
  else
    self.socket.write(data)
  end

  data.length
end