Merge pull request rapid7#19529 from NtAlexio2/pipe_dcerpc_auditor_rport

smcintyre-r7 · web-flow · commit 3b0195918cb6 · 2024-11-01T11:11:45.000-04:00
Allow settings the RPORT option for pipe_dcerpc_auditor
diff --git a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb
@@ -18,19 +18,25 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'SMB Session Pipe DCERPC Auditor',
+      'Name' => 'SMB Session Pipe DCERPC Auditor',
       'Description' => 'Determine what DCERPC services are accessible over a SMB pipe',
-      'Author'      => 'hdm',
-      'License'     => MSF_LICENSE,
+      'Author' => 'hdm',
+      'License' => MSF_LICENSE,
     )
 
-    deregister_options('RPORT')
     register_options(
       [
-        OptString.new('SMBPIPE', [ true,  "The pipe name to use (BROWSER)", 'BROWSER']),
-      ])
+        OptString.new('SMBPIPE', [ true, 'The pipe name to use (BROWSER)', 'BROWSER']),
+      ]
+    )
+  end
+
+  def connect(*args, **kwargs)
+    super(*args, **kwargs, direct: @smb_direct)
   end
 
+  attr_reader :rport
+
   @@target_uuids = [
     [ '00000131-0000-0000-c000-000000000046', '0.0' ],
     [ '00000134-0000-0000-c000-000000000046', '0.0' ],
@@ -248,64 +254,70 @@ def initialize
     [ 'fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0' ],
     [ 'ffe561b8-bf15-11cf-8c5e-08002bb49649', '2.0' ]
 
-
-]
+  ]
 
   # Fingerprint a single host
   def run_host(ip)
-    ports = [139, 445]
-
     if session
       print_status("Using existing session #{session.sid}")
       client = session.client
+      @rport = datastore['RPORT'] = session.port
       self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
-      ports = [simple.port]
-      self.simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too
-    end
-
-    ports.each do |port|
-      datastore['RPORT'] = port
-
-      begin
-        unless session
-          connect()
-          smb_login()
-        end
-
-        @@target_uuids.each do |uuid|
+      simple.connect("\\\\#{simple.address}\\IPC$") # smb_login connects to this share for some reason and it doesn't work unless we do too
+      check_uuids(ip)
+    else
+      if datastore['RPORT'].blank? || datastore['RPORT'] == 0
+        smb_services = [
+          { port: 445, direct: true },
+          { port: 139, direct: false }
+        ]
+      else
+        smb_services = [
+          { port: datastore['RPORT'], direct: datastore['SMBDirect'] }
+        ]
+      end
 
-          handle = dcerpc_handle_target(
-            uuid[0], uuid[1],
-            'ncacn_np', ["\\#{datastore['SMBPIPE']}"], self.simple.address
-          )
+      smb_services.each do |smb_service|
+        @rport = smb_service[:port]
+        @smb_direct = smb_service[:direct]
 
-          begin
-            dcerpc_bind(handle)
-            print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}")
-            # Add Report
-            report_note(
-              :host	=> ip,
-              :proto => 'tcp',
-              :sname	=> 'smb',
-              :port	=> rport,
-              :type	=> "UUID #{uuid[0]} #{uuid[1]}",
-              :data	=> "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}"
-            )
-          rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
-            print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code)
-          rescue StandardError => e
-            print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}")
-          end
+        begin
+          connect
+          smb_login
+          check_uuids(ip)
+          disconnect
+        rescue ::Exception
+          print_line($!.to_s)
         end
+      end
+    end
+  end
 
-        disconnect()
+  def check_uuids(ip)
+    @@target_uuids.each do |uuid|
+      handle = dcerpc_handle_target(
+        uuid[0], uuid[1],
+        'ncacn_np', ["\\#{datastore['SMBPIPE']}"], simple.address
+      )
 
-        return
-      rescue ::Exception
-        print_line($!.to_s)
+      begin
+        dcerpc_bind(handle)
+        print_line("UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}")
+        # Add Report
+        report_note(
+          host: ip,
+          proto: 'tcp',
+          sname: 'smb',
+          port: rport,
+          type: "UUID #{uuid[0]} #{uuid[1]}",
+          data: "UUID #{uuid[0]} #{uuid[1]} OPEN VIA #{datastore['SMBPIPE']}"
+        )
+      rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+        print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code)
+      rescue StandardError => e
+        print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}")
       end
     end
   end
 
-
 end
