Message-ID: <1059786580.c5150ec0farp@myrealbox.com>
Date: Fri, 01 Aug 2003 19:09:40 -0600
From: "the farpointer" <farp@...ealbox.com>
To: bugtraq@...urityfocus.com
Subject: Unix command line RPC/DCOM Vulnerability Scanner
brought to you by:
--------------------------
kid : ironkid@...ldtheb0x.com
and
farp : farp@...ldtheb0x.com
#gcc -o dcom_scanz dcom_scanz.c
# ./dcom_scanz
usage: dcom-isvuln <target-ip> [--debug]
# ./dcom_scanz 10.1.1.25
[+] Connecting to 10.1.1.25
[+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT
[+] Sending REMACT, RemoteActivation reques
[+] Making second connect()
[+] Sending DCERPC, Bind: call_id: 1702446437 UUID: REMACT
[+] Sending REMACT, RemoteActivation request
-- 10.1.1.25 appears to be vulnerable!
/*
* buildtheb0x presents : dcom/rpc scanner
* ---------------------------------------
*
*
* by: kid and farp
*
* greets: kajun, phr_, dvdman, Sam, flatline, #nanog, synD, and to all danny's waitress's
*
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* bzero() */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>  /* inet_addr(), htons() */
#include <netdb.h>
#include <unistd.h>     /* close() */
/* TCP port the scanner connects to on the target. */
#define DEST_PORT 135

/*
 * Probe 1: first packet sent on the first connection.
 * main() announces it as "DCERPC, Bind: call_id: 9 UUID: REMACT".
 * The array is 72 bytes (0x48), which matches the little-endian value at
 * offset 0x08. Rows are four bytes wide; the leading comment is the offset.
 * NOTE(review): field boundaries are a reading of the bytes, the program
 * never parses them. Confirm with a protocol decoder before relying on them.
 */
char fear1[] = {
    /* 0x00 */ 0x05, 0x00, 0x0b, 0x03,
    /* 0x04 */ 0x10, 0x00, 0x00, 0x00,
    /* 0x08 */ 0x48, 0x00, 0x00, 0x00,
    /* 0x0c */ 0x09, 0x00, 0x00, 0x00,  /* 9, the call_id main() prints */
    /* 0x10 */ 0xd0, 0x16, 0xd0, 0x16,
    /* 0x14 */ 0x00, 0x00, 0x00, 0x00,
    /* 0x18 */ 0x01, 0x00, 0x00, 0x00,
    /* 0x1c */ 0x02, 0x00, 0x01, 0x00,
    /* 0x20 */ 0xb8, 0x4a, 0x9f, 0x4d,
    /* 0x24 */ 0x1c, 0x7d, 0xcf, 0x11,
    /* 0x28 */ 0x86, 0x1e, 0x00, 0x20,
    /* 0x2c */ 0xaf, 0x6e, 0x7c, 0x57,
    /* 0x30 */ 0x00, 0x00, 0x00, 0x00,
    /* 0x34 */ 0x04, 0x5d, 0x88, 0x8a,
    /* 0x38 */ 0xeb, 0x1c, 0xc9, 0x11,
    /* 0x3c */ 0x9f, 0xe8, 0x08, 0x00,
    /* 0x40 */ 0x2b, 0x10, 0x48, 0x60,
    /* 0x44 */ 0x02, 0x00, 0x00, 0x00
};
/*
 * Probe 2: second packet on the first connection, announced by main() as
 * "REMACT, RemoteActivation request".
 * The array is 126 bytes (0x7e), which matches the little-endian value at
 * offset 0x08. The value at offset 0x0c is 9, the same call_id as probe 1.
 * Rows are sixteen bytes wide; the leading comment is the offset.
 */
char fear2[] = {
    /* 0x00 */ 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
    /* 0x10 */ 0x66, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    /* 0x20 */ 0x00, 0x00, 0x00, 0x00, 0x6b, 0xac, 0xd8, 0x08, 0x2f, 0x2e, 0x03, 0x48, 0xaa, 0xdc, 0xc1, 0x6a,
    /* 0x30 */ 0x62, 0xfb, 0xeb, 0x98, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x91, 0x7b, 0x5a, 0x00, 0xff, 0xd0, 0x11,
    /* 0x40 */ 0xa9, 0xb2, 0x00, 0xc0, 0x4f, 0xb6, 0xe6, 0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    /* 0x50 */ 0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x38, 0xff, 0x0a, 0x00,
    /* 0x60 */ 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    /* 0x70 */ 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00
};
/*
 * Probe 3: first packet on the second connection, announced by main() as
 * "DCERPC, Bind: call_id: 1702446437 UUID: REMACT".
 * It matches probe 1 except at offsets 0x0c-0x0f and 0x1c.
 * Bytes 0x0c-0x0f are ASCII "eEye"; read little-endian they are 1702446437,
 * the call_id main() prints.
 * Rows are four bytes wide; the leading comment is the offset.
 */
char fear3[] = {
    /* 0x00 */ 0x05, 0x00, 0x0b, 0x03,
    /* 0x04 */ 0x10, 0x00, 0x00, 0x00,
    /* 0x08 */ 0x48, 0x00, 0x00, 0x00,
    /* 0x0c */ 0x65, 0x45, 0x79, 0x65,  /* "eEye" */
    /* 0x10 */ 0xd0, 0x16, 0xd0, 0x16,
    /* 0x14 */ 0x00, 0x00, 0x00, 0x00,
    /* 0x18 */ 0x01, 0x00, 0x00, 0x00,
    /* 0x1c */ 0x00, 0x00, 0x01, 0x00,
    /* 0x20 */ 0xb8, 0x4a, 0x9f, 0x4d,
    /* 0x24 */ 0x1c, 0x7d, 0xcf, 0x11,
    /* 0x28 */ 0x86, 0x1e, 0x00, 0x20,
    /* 0x2c */ 0xaf, 0x6e, 0x7c, 0x57,
    /* 0x30 */ 0x00, 0x00, 0x00, 0x00,
    /* 0x34 */ 0x04, 0x5d, 0x88, 0x8a,
    /* 0x38 */ 0xeb, 0x1c, 0xc9, 0x11,
    /* 0x3c */ 0x9f, 0xe8, 0x08, 0x00,
    /* 0x40 */ 0x2b, 0x10, 0x48, 0x60,
    /* 0x44 */ 0x02, 0x00, 0x00, 0x00
};
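/*
 * Probe 4: second packet on the second connection, announced by main() as
 * "REMACT, RemoteActivation request". main() bases its verdict on the reply
 * to this probe.
 *
 * Fix: the initializer opened with '}' instead of '{', so the file did not
 * compile as posted. The byte values are unchanged.
 *
 * The array is 198 bytes (0xc6), which matches the little-endian value at
 * offset 0x08. The payload carries fixed marker text: ASCII
 * "[Retina][Retina]" at 0x24, "eEye2003eEye2003" at 0x38, and UTF-16LE text
 * ending in "eEye_2003_Retina.txt" from 0x58. These constants make the probe
 * easy to recognise in a packet capture of traffic to TCP 135.
 * The leading comment on each row is the offset.
 */
char fear4[] = {
/* 0x00 */ 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
/* 0x08 */ 0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 0x10 */ 0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 0x18 */ 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 0x20 */ 0x00, 0x00, 0x00, 0x00, 0x5b, 0x52, 0x65, 0x74,
/* 0x28 */ 0x69, 0x6e, 0x61, 0x5d, 0x5b, 0x52, 0x65, 0x74,
/* 0x30 */ 0x69, 0x6e, 0x61, 0x5d, 0x00, 0x00, 0x00, 0x00,
/* 0x38 */ 0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
/* 0x40 */ 0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
/* 0x48 */ 0x68, 0x0f, 0x0b, 0x00, 0x1e, 0x00, 0x00, 0x00,
/* 0x50 */ 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00,
/* 0x58 */ 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
/* 0x60 */ 0x5c, 0x00, 0x00, 0x00, 0x63, 0x00, 0x24, 0x00,
/* 0x68 */ 0x5c, 0x00, 0x65, 0x00, 0x45, 0x00, 0x79, 0x00,
/* 0x70 */ 0x65, 0x00, 0x5f, 0x00, 0x32, 0x00, 0x30, 0x00,
/* 0x78 */ 0x30, 0x00, 0x33, 0x00, 0x5f, 0x00, 0x52, 0x00,
/* 0x80 */ 0x65, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6e, 0x00,
/* 0x88 */ 0x61, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00,
/* 0x90 */ 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 0x98 */ 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
/* 0xa0 */ 0x01, 0x00, 0x00, 0x00, 0xb8, 0xeb, 0x0b, 0x00,
/* 0xa8 */ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 0xb0 */ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 0xb8 */ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
/* 0xc0 */ 0x01, 0x00, 0x00, 0x00, 0x07, 0x00 };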
/*
 * Reply buffers, one per probe. main() stores the reply to probe N in bufN
 * and inspects only buf4. As file-scope objects they start zero-filled.
 */
char buf1[1024], buf2[1024], buf3[1024], buf4[1024];

/* len is not referenced by main(); i is the index of its debug dump loop. */
int len;
int i;

/* recv() result for each probe, in send order: [0] is probe 1, [3] is probe 4. */
int recv_length[4];
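/*
 * Send one probe on a connected socket and read a single reply.
 *
 * fd        connected TCP socket
 * req       probe bytes to send, req_len of them
 * resp      buffer that receives the reply, resp_cap bytes large
 * step      probe number, used only in the error text
 *
 * Returns the number of reply bytes (0 if the peer closed without answering),
 * or -1 after reporting a send or receive failure on stderr.
 */
static int probe_exchange(int fd, const char *req, size_t req_len,
                          char *resp, size_t resp_cap, int step)
{
    ssize_t sent = send(fd, req, req_len, 0);
    if (sent < 0 || (size_t)sent != req_len) {
        fprintf(stderr, "sending error %d\n", step);
        return -1;
    }

    ssize_t got = recv(fd, resp, resp_cap, 0);
    if (got < 0) {
        fprintf(stderr, "receiving error %d: %s\n", step, strerror(errno));
        return -1;
    }
    return (int)got;
}

/*
 * Probe one host on DEST_PORT and report whether its reply to the fourth
 * probe matches a known signature.
 *
 * Usage: <prog> <target-ip> [--debug]
 *
 * Two TCP connections are made. Each carries a bind probe followed by a
 * request probe (fear1/fear2, then fear3/fear4). Only the reply to fear4 is
 * classified.
 *
 * Returns 0 when a verdict was printed (vulnerable, not vulnerable, or
 * unidentified). Returns 1 on a usage error, an unparsable address, any
 * socket/connect/send/recv failure, or a fourth reply too short to classify.
 *
 * Changes from the posted version:
 *  - arguments are checked before a socket is created, and the address is
 *    validated (inet_addr() returns INADDR_NONE on bad input);
 *  - every socket/connect/send/recv failure now stops the run instead of
 *    continuing on a dead descriptor and classifying a stale, zero-filled
 *    buffer;
 *  - the reply length is checked before offsets 68..70 are read;
 *  - the debug dump prints each byte as unsigned, so values >= 0x80 are no
 *    longer sign-extended to FFFFFFxx where char is signed.
 *
 * Limitations: no receive timeout is set, so a host that accepts the
 * connection but never answers stalls the run. Each reply is read with one
 * recv() call, so a reply split across TCP segments may arrive short.
 */
int main(int argc, char **argv)
{
    enum { SIG_OFFSET = 68, SIG_LEN = 3 };
    struct sockaddr_in dest_addr;
    const unsigned char *sig;
    int sockfd = -1;
    int rc = 1;

    if (argc < 2) {
        printf("usage: dcom-isvuln <target-ip> [--debug]\n");
        return 1;
    }

    /* The destination is identical for both connections; build it once. */
    memset(&dest_addr, 0, sizeof dest_addr);
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    dest_addr.sin_addr.s_addr = inet_addr(argv[1]);
    if (dest_addr.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "invalid target address: %s\n", argv[1]);
        return 1;
    }

    /* ---- first connection: probes 1 and 2 ---- */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        fprintf(stderr, "error getting socket: %s\n", strerror(errno));
        return 1;
    }

    printf("[+] Connecting to %s\n", argv[1]);
    if (connect(sockfd, (struct sockaddr *)&dest_addr, sizeof dest_addr) < 0) {
        printf("\n -- %s does not accept DCERPC protocol\n", argv[1]);
        goto out;
    }

    printf("[+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT\n");
    recv_length[0] = probe_exchange(sockfd, fear1, sizeof(fear1),
                                    buf1, sizeof(buf1), 1);
    if (recv_length[0] < 0)
        goto out;

    printf("[+] Sending REMACT, RemoteActivation reques\n");
    recv_length[1] = probe_exchange(sockfd, fear2, sizeof(fear2),
                                    buf2, sizeof(buf2), 2);
    if (recv_length[1] < 0)
        goto out;

    close(sockfd);
    sockfd = -1;

    /* ---- second connection: probes 3 and 4 ---- */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        fprintf(stderr, "error getting socket: %s\n", strerror(errno));
        return 1;
    }

    printf("[+] Making second connect()\n");
    if (connect(sockfd, (struct sockaddr *)&dest_addr, sizeof dest_addr) < 0) {
        fprintf(stderr, "connect error: %s\n", strerror(errno));
        goto out;
    }

    printf("[+] Sending DCERPC, Bind: call_id: 1702446437 UUID: REMACT\n");
    recv_length[2] = probe_exchange(sockfd, fear3, sizeof(fear3),
                                    buf3, sizeof(buf3), 3);
    if (recv_length[2] < 0)
        goto out;

    printf("[+] Sending REMACT, RemoteActivation request\n");
    recv_length[3] = probe_exchange(sockfd, fear4, sizeof(fear4),
                                    buf4, sizeof(buf4), 4);
    if (recv_length[3] < 0)
        goto out;

    close(sockfd);
    sockfd = -1;

    if (argc == 3 && strcmp(argv[2], "--debug") == 0) {
        printf("[+] Debug Response 4 contents:\n");
        for (int k = 0; k < recv_length[3]; k++)
            printf("--- position %d has value %02X\n", k, (unsigned char)buf4[k]);
    }

    /* Do not classify bytes the target never sent. */
    if (recv_length[3] < SIG_OFFSET + SIG_LEN) {
        printf("\n -- %s sent only %d bytes in reply to probe 4, too short to classify.\n\n",
               argv[1], recv_length[3]);
        goto out;
    }

    /*
     * The verdict is a heuristic: three bytes at offsets 68..70 of the fourth
     * reply are matched against two signatures, and anything else is reported
     * as unidentified. Treat either answer as a hint to confirm against the
     * host's patch state, not as proof.
     */
    sig = (const unsigned char *)&buf4[SIG_OFFSET];
    if (sig[0] == 0x54 && sig[1] == 0x01 && sig[2] == 0x04)
        printf("\n -- %s appears to be vulnerable!\n\n", argv[1]);
    else if (sig[0] == 0x04 && sig[1] == 0x00 && sig[2] == 0x08)
        printf("\n -- %s appears not vulnerable.\n\n", argv[1]);
    /* add more signatures here if needed */
    else
        printf("\n -- %s contains unidentified signature, please report if vulnable.\n\n", argv[1]);

    rc = 0;

out:
    if (sockfd >= 0)
        close(sockfd);
    return rc;
}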
------------------------------------------------------
Please send unknown signatures to farp@...ldtheb0x.com