Fix early termination of auxiliary/scanner/dcerpc/hidden #9359

Merged
merged 1 commit into from Jan 4, 2018


@bka-dev bka-dev commented Dec 31, 2017

Resolves Issue #9357

This commit fixes an issue where auxiliary/scanner/dcerpc/hidden terminates directly once an endpoint can't be reached or access is denied. Normally the next endpoint in the list should be checked, instead of terminating directly.

The commit replaces a "return" statement in a loop with a "next" statement. This ensures that once an error occurs, the next iteration step will be followed instead of leaving the loop.

Example Output

resource (rpc_hidden.conf)> use auxiliary/scanner/dcerpc/hidden
resource (rpc_hidden.conf)> set rhosts TARGET
resource (rpc_hidden.conf)> run
[*] TARGET:         - Connecting to the endpoint mapper service...
[*] TARGET:         - Looking for services on TARGET:49152...
[*] TARGET:         - Remote Management Interface Error: The connection timed out (TARGET:49152).
[*] TARGET:         - Looking for services on TARGET:49159...
[*] TARGET:         - Remote Management Interface Error: The connection timed out (TARGET:49159).
[*] TARGET:         - Looking for services on TARGET:49158...
[*] TARGET:         -     HIDDEN: UUID 00000134-0000-0000-c000-000000000046 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 00000131-0000-0000-c000-000000000046 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 00000143-0000-0000-c000-000000000046 v0.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         - Looking for services on TARGET:49157...
[*] TARGET:         -     HIDDEN: UUID 41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0 
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID fc13257d-5567-4dea-898d-c6f9c48415a0 v1.0
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[*] TARGET:         -
[*] TARGET:         -     HIDDEN: UUID 00000134-0000-0000-c000-000000000046 v0.0
[*] TARGET:         -             CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied
[...]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

(More details can be found in the original issue description)

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/dcerpc/hidden
  • set RHOSTS
  • run
  • Verify that all endpoints identified by the endpoint mapper are processed

This commit fixes an issue where auxiliary/scanner/dcerpc/hidden terminates directly once an endpoint can't be reached or access is denied. Instead, the next endpoint in the list should be checked, rather than terminating directly.
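The `return` versus `next` behaviour this pull request describes, as an added Ruby example (not the module's code). `probe`, `EndpointError` and both scan method names are hypothetical, and the probe results are constructed from the ports and UUIDs shown in the example output.

```ruby
# Added illustration; not the module's source.
class EndpointError < StandardError; end

# Constructed stand-in for the port list returned by the endpoint mapper.
ENDPOINT_PORTS = [49152, 49159, 49158, 49157].freeze

# Hypothetical probe: two ports time out, the others report a hidden interface.
def probe(port)
  case port
  when 49152, 49159
    raise EndpointError, "The connection timed out (TARGET:#{port})."
  when 49158
    ['00000134-0000-0000-c000-000000000046 v0.0']
  else
    ['41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0']
  end
end

# Before the fix: `return` inside the block leaves the whole method,
# so the first unreachable endpoint ends the scan of every later port.
def scan_with_return(ports)
  found = {}
  ports.each do |port|
    begin
      found[port] = probe(port)
    rescue EndpointError
      return found
    end
  end
  found
end

# After the fix: `next` abandons only the current iteration, so the
# remaining endpoints are still checked and the errors stay visible.
def scan_with_next(ports)
  found = {}
  errors = {}
  ports.each do |port|
    begin
      found[port] = probe(port)
    rescue EndpointError => e
      errors[port] = e.message
      next
    end
  end
  { found: found, errors: errors }
end
```

With the constructed port list, the `return` variant reports nothing because the first port times out, while the `next` variant records both timeouts and still reaches ports 49158 and 49157.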
@sempervictus

Wow, facepalm in full force.
Thanks for finding that.

@asoto-r7 asoto-r7 merged commit 086f657 into rapid7:master Jan 4, 2018

asoto-r7 commented Jan 4, 2018

Release Notes

The auxiliary/scanner/dcerpc/hidden module now continues iterating through DCE/RPC endpoints, even if an ACCESS_DENIED error is returned.

@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Jan 10, 2018