Changeset 5467

Timestamp:

04/04/08 16:15:55 (6 months ago)

Author:

hdm

Message:

Handle DCERPC reads over SMB pipes in a more efficient fashion. Rename the sadmind exploit, since Solaris is redundant

Files:

• framework3/trunk/lib/rex/proto/dcerpc/client.rb (modified) (3 diffs)
• framework3/trunk/lib/rex/proto/dcerpc/response.rb (modified) (2 diffs)
• framework3/trunk/modules/exploits/solaris/sunrpc/sadmind_exec.rb (moved) (moved from framework3/trunk/modules/exploits/solaris/sunrpc/solaris_sadmind_exec.rb)

framework3/trunk/lib/rex/proto/dcerpc/client.rb

@@ -142 +142 @@
-                        begin
-                                if(max_read)
+                                        
+                                        read_limit = nil
+                                        
-                                        while(true)
-                                                # Random read offsets will not work on Windows NT 4.0 (thanks Dave!)
-
+
+
+
+
+
+
+
+
+
-                                                last if not data.length
-                                                raw_response += data
+                                                
+                                                # Keep reading until we have at least the DCERPC header
+                                                next if raw_response.length < 10
+                                                
+                                                # We now have to process the raw_response and parse out the DCERPC fragment length
+                                                # if we have read enough data. Once we have the length value, we need to make sure
+                                                # that we don't read beyond this amount, or it can screw up the SMB state
+                                                begin 
+                                                        check = Rex::Proto::DCERPC::Response.new(raw_response)
+                                                        read_limit = check.frag_len
+                                                rescue ::Rex::Proto::DCERPC::Exceptions::InvalidPacket
+                                                end
+                                                
+                                                break if (read_limit and read_limit == raw_response.length)
-                                        end
-                                else
@@ -161 +186 @@
-                else 
-                        if (self.socket.type? == 'tcp')
-
+false and 
-                                        while (true)
-                                                data = self.socket.get_once((rand(max_read-min_read)+min_read), self.options['read_timeout'])
@@ -187 +212 @@
-                max_write = self.options['pipe_write_max_size'] || data.length
-                min_write = self.options['pipe_write_min_size'] || max_write
+                
+                if(min_write > max_write)
+                        max_write = min_write
+                end
+                
-                idx = 0
-

framework3/trunk/lib/rex/proto/dcerpc/response.rb

@@ -27 +27 @@
-                
-                if (! data or data.length < 10)
-Packet header must be at least 10 bytes long
+DCERPC response packet is incomplete
-                end
-                
@@ -48 +48 @@
-                uuid = Rex::Proto::DCERPC::UUID
-                data = self.raw
-
+
+
+
+
+
+
-                # BIND_ACK == 12, ALTER_CONTEXT_RESP == 15
-                if (self.type == 12 or self.type == 15)