
Auxiliary Module auxiliary/scanner/dcerpc/hidden is not iterating through all endpoints #9357

Closed
bka-dev opened this issue Dec 30, 2017 · 3 comments

Comments

@bka-dev
Contributor

bka-dev commented Dec 30, 2017

Hello,

I discovered a little bug in module /auxiliary/scanner/dcerpc/hidden

To list hidden RPC endpoints, I tried executing this module against my target system.
Some of the endpoints are available, others are not reachable from my system, which results in a timeout.

It turns out that the auxiliary module terminates as soon as it hits an endpoint that is either not reachable or denies access to it. Instead of terminating, it should try the next discovered endpoint.

Expected behavior

resource (rpc_hidden.conf)> use auxiliary/scanner/dcerpc/hidden
resource (rpc_hidden.conf)> set rhosts TARGET
resource (rpc_hidden.conf)> run
[*] TARGET:         - Connecting to the endpoint mapper service...
[*] TARGET:         - Looking for services on TARGET:49152...
[*] TARGET:         - Remote Management Interface Error: The connection timed out (TARGET:49152).
[*] TARGET:         - Looking for services on TARGET:49159...
[*] TARGET:         - Remote Management Interface Error: The connection timed out (TARGET:49159).
[*] TARGET:         - Looking for services on TARGET:49158...
[*] TARGET:         -     HIDDEN: UUID 00000134-0000-0000-c000-000000000046 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 00000131-0000-0000-c000-000000000046 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 00000143-0000-0000-c000-000000000046 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         - Looking for services on TARGET:49157...
[*] TARGET:         -     HIDDEN: UUID 41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID fc13257d-5567-4dea-898d-c6f9c48415a0 v1.0
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 00000134-0000-0000-c000-000000000046 v0.0
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[...]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Current behavior

resource (rpc_hidden.conf)> use auxiliary/scanner/dcerpc/hidden
resource (rpc_hidden.conf)> set rhosts TARGET
rhosts => TARGET
resource (rpc_hidden.conf)> run
[*] TARGET:         - Connecting to the endpoint mapper service...
[*] TARGET:         - Looking for services on TARGET:49152...
[*] TARGET:         - Remote Management Interface Error: The connection timed out (TARGET:49152).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Affected Code Lines

The issue is caused by the following line (hidden.rb:58):

return if not ids

When no interface identifiers are returned for the current endpoint, the function returns, rather than moving to the next discovered endpoint.

Proposed Fix

The affected line above could be replaced by the following line, to move to the next iteration step rather than terminating after the current endpoint threw an error:

next if not ids

Environment

Metasploit version

Framework: 4.16.29-dev-8de760f
Console : 4.16.29-dev-8de760f

OS

Metasploit installed in a Docker container (Alpine Linux 3.4) via git.

References

[1] https://www.rapid7.com/db/modules/auxiliary/scanner/dcerpc/hidden
[2] https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/dcerpc/hidden.rb#L58
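Added example (not the module's own code, and not from the issue author): a Ruby model of the endpoint loop in which the ENDPOINTS table and the lookup_ids stand-in are constructed here, showing why a `return` inside the block ends the whole scan on the first failing endpoint while `next` skips only that endpoint.

```ruby
# Constructed endpoint table modelled on the report: port => interface ids,
# or nil when the endpoint timed out / refused the management query.
ENDPOINTS = {
  49152 => nil,                                   # connection timed out
  49159 => nil,                                   # connection timed out
  49158 => %w[00000134-0000-0000-c000-000000000046
              18f70770-8e64-11cf-9af1-0020af6e72f4],
  49157 => %w[41208ee0-e970-11d1-9b9e-00e02c064c39],
}.freeze

# Stand-in (assumption, not the module's API) for the remote management
# call; returns nil when the endpoint cannot be queried.
def lookup_ids(endpoints, port)
  endpoints[port]
end

# Buggy variant mirroring the reported hidden.rb:58: `return` inside the
# each block leaves the whole method, so nothing after the first
# unreachable endpoint is ever examined (returns nil here).
def scan_buggy(endpoints)
  seen = []
  endpoints.each_key do |port|
    ids = lookup_ids(endpoints, port)
    return if not ids        # aborts the entire scan
    seen << [port, ids]
  end
  seen
end

# Fixed variant (the proposed change): `next` skips only this endpoint
# and the loop carries on with the remaining ones.
def scan_fixed(endpoints)
  seen = []
  endpoints.each_key do |port|
    ids = lookup_ids(endpoints, port)
    next if not ids          # move on to the next endpoint
    seen << [port, ids]
  end
  seen
end

if __FILE__ == $PROGRAM_NAME
  p scan_buggy(ENDPOINTS)   # nil: scan ended at 49152
  p scan_fixed(ENDPOINTS)   # 49158 and 49157 with their interface ids
end
```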

@void-in
Contributor

void-in commented Dec 31, 2017

Can you generate a pull request for the fix?

@bka-dev
Contributor Author

bka-dev commented Dec 31, 2017

Sure, just created the request here: Pull #9359

@bka-dev
Contributor Author

bka-dev commented Jan 7, 2018

Pull request was merged into master and was therefore closed. So this issue can be closed as well.

@bka-dev bka-dev closed this as completed Jan 7, 2018