def ifidscheck(self, port):
"""
Looks to see what ifids are available on that port
saves the results in self.UUIDfound and self.namedpipe
returns a list of the ifids possible to find on this port
can be called in any of the thousands of threads we start up
returns False when we did not find it
"""
if self.done:
#no need to check this port
self.log("Not checking port %d since we're already done" % port)
return False
ifidsscan = self.engine.getModuleExploit("ifids")
ifidsscan.link(self)
ifidsscan.port = port
done = False
if port in [139, 445]:
#run a loop
self.log("Running ifids on all named pipes")
for pipe in allnamedpipes:
#can't do this because other threads are setting self.done!
#if self.done:
# self.log("Found our UUID on named pipe %s"%pipe)
# return ifidsscan.result
ifidsscan.namedpipe = pipe
ifidsscan.run()
result = ifidsscan.result
if result and self.UUID:
for interface in result:
if unicode(interface[2]) == assert_unicode(self.UUID):
#we don't check the IFID's version
#we found it!
self.UUIDfound = port
self.namedpipe = pipe
self.done = 1
return result
else:
#just run once
ifidsscan.run()
result = ifidsscan.result
if result and self.UUID:
for interface in result:
if unicode(interface[2]) == assert_unicode(self.UUID):
#we don't check the IFID's version
self.UUIDfound = port
self.done = 1
return result
#we found it!
self.log("Did not find UUID %s in that ifids list" % self.UUID)
return False
def cd(self, directory):
"""
Change working directory.
Changes directory on the remote system by checking
to see that that directory exists and then modifying our
local copy of the directory. The server itself does not
save state as to our current directory. That's only stored
here on the client.
"""
if not directory:
self.log('No directory to cd into')
return
directory = assert_unicode(directory)
if directory == u'..':
self.cwd = u'\\' + u'\\'.join(self.cwd.split(u'\\')[:-1])
elif directory != u'.':
try:
if directory[0] != u'\\':
new_dir = (self.cwd + u'\\' + directory).replace(
u'\\\\', u'\\')
else:
new_dir = directory
self.smbobj.check_directory(new_dir)
self.cwd = new_dir
except SMBClientException, ex:
self.log("Error: %s" % ex)
self.log("Didn't change directory")
return 0
def vfs_stat(self, path):
"""
Do a stat operation on path.
Return tuple with results.
"""
path = assert_unicode(path)
if path == u'':
retstat = (0, 0, {"is_dir": False})
return retstat # failed!
if path in [u"/", u"\\"]:
return (0, 0, {"is_dir": True})
# Fix path to be universal
path = path.replace(u'/', u'\\')
ret = []
self.log(u'vfs_stat: path is %s' % path)
try:
ret = self.shell.smbobj.query_information(path)
except SMBQueryInformationException:
pass
if ret == []:
retstat = (0, 0, {"is_dir": False})
else:
isexe = False
if len(path) > 4:
isexe = path[-4:].lower() == u".exe"
retstat = (ret[0], ret[1], {"is_dir": ret[2], "is_exe": isexe})
return retstat
def mkdir(self, directory):
"""
Make directory
"""
if not directory:
self.log('No directory given to mkdir!')
return
directory = assert_unicode(directory)
if directory[0] != u'\\':
directory = (self.cwd + u'\\' + directory).replace(u'\\\\', u'\\')
try:
self.smbobj.mkdir(directory)
except SMBClientException:
return 0
return 1
def vfs_dir(self, path=u''):
path = assert_unicode(path)
path = path.replace(u'/', u'\\') # Fix path to be universal
res = self.shell.smbobj.dir(filename=path + u'\\*')
out = []
self.log(u'vfs_dir: path is %s' % path)
for i in res:
name = i['FileName']
if name not in (u".", u".."):
is_dir = True if i[
'ExtFileAttributes'] & ATTR_DIRECTORY else False
is_exe = False
if len(name) > 4:
is_exe = name[-4:].lower() == u'.exe'
out.append(
(name, i['EndOfFile'],
self.shell.smb_nt_64bit_time(i['LastChangeTime']), {
"is_dir": is_dir,
"is_exe": is_exe
}))
return out
def searchifids(self):
"generate our connectionList from ifids list"
self.connectionList = []
ret = self.exploitnodes("dcedump")[0]
if ret == None:
ret = []
for result in ret:
#search through the list of results
if result.isUUID(self.UUID) and result.isRemote():
#found an endpoint for our UUID
self.connectionList += [result.getendpoint(self.host)]
if self.connectionList != []:
self.log("Found a remote endpoint in dcedump, using that...")
self.log("Endpoint found: %s" % self.connectionList)
return self.connectionList
#knowledge primitive
ifidsknown = self.target.get_knowledge("ifids", None)
if ifidsknown == None:
if self.engine:
if self.portscan:
# rather large portscan
ranges = [(130, 2048)]
else:
#some very small range of ports to scan
ranges = [(135, 140), (445, 446), (1025, 1030)]
portscanner = self.engine.getModuleExploit("portscan")
portscanner.link(self)
allports = []
self.log("MSRPC Exploit scanning: %s" % (ranges))
for r in ranges:
allports += range(r[0], r[1])
portscanner.argsDict["mode"] = "Custom Range"
portscanner.argsDict["allports"] = allports
portscanner.argsDict["postscan"] = "ifids"
portscanner.argsDict["UUID"] = self.UUID
ret = portscanner.run()
if portscanner.UUIDfound:
#we found our ifid!
port = int(portscanner.UUIDfound)
self.log("Found our UUID on port %d" % port)
if portscanner.namedpipe: #named pipe ports
self.log("Using named pipe %s" % portscanner.namedpipe)
self.connectionList += [
"ncacn_np:%s[%s]" %
(self.host, portscanner.namedpipe)
]
else:
self.connectionList += [
"ncacn_ip_tcp:%s[%d]" % (self.host, port)
]
return self.connectionList
#ifidsknown=self.target.get_knowledge("ifids",None)
#if ifidsknown in [None,[]]:
# return []
else:
return []
#get list from that
ifidslist = ifidsknown.known
for item in ifidslist:
ifid = item[2]
version = item[3]
if unicode(ifid) == assert_unicode(self.UUID):
if version == self.uuidversion:
#found the endpoint!
cL = item[1]
self.log("Found endpoint in stored ifids list %s" % cL)
self.connectionList = cL
if self.connectionList == []:
self.log("Did not find: %s version: %s in: %s" %
(self.UUID, self.uuidversion, ifidslist))
self.log(
"Didn't find endpoint. Perhaps you need to portscan with ifids option on"
)
return self.connectionList
def isUUID(self, UUID):
UUID = assert_unicode(UUID)
return UUID == unicode(uuid.UUID(bytes_le=self.handle_dict['uuid']))