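/*
 * buildtheb0x presents : dcom/rpc scanner
 * ---------------------------------------
 *
 * brought to you by:
 *   kid  : ironkid@buildtheb0x.com
 *   farp : farp@buildtheb0x.com
 *
 * greets: kajun, phr_, dvdman, Sam, flatline, #nanog, synD, and to all danny's waitress's
 *
 * Build and sample run, as given in the original posting:
 *
 *   #gcc -o dcom_scanz dcom_scanz.c
 *   # ./dcom_scanz
 *   usage: dcom-isvuln <target-ip> [--debug]
 *   # ./dcom_scanz 10.1.1.25
 *   [+] Connecting to 10.1.1.25
 *   [+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT
 *   [+] Sending REMACT, RemoteActivation reques
 *   [+] Making second connect()
 *   [+] Sending DCERPC, Bind: call_id: 1702446437 UUID: REMACT
 *   [+] Sending REMACT, RemoteActivation request
 *
 *    -- 10.1.1.25 appears to be vulnerable!
 *
 * What the program does: it opens two TCP connections to port 135 of the
 * given address. On each one it sends a DCERPC bind followed by a
 * RemoteActivation request and reads one reply per packet. The verdict is
 * taken from three bytes (offsets 68..70) of the reply to the last request.
 *
 * Reading the result: the check is a fixed-offset signature match, so the
 * output is an indication ("appears to be"), not proof. Replies that match
 * neither known signature are reported as unidentified, and a reply that is
 * too short to contain the signature bytes is reported as inconclusive.
 * Confirm any finding against the host's actual patch level.
 *
 * Network visibility: the probes are constant byte strings. The second bind
 * carries the ASCII bytes "eEye" as its call_id and the second request
 * carries the markers "[Retina]" and "eEye2003", so the traffic is easy to
 * recognise in a packet capture or IDS rule on port 135.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define DEST_PORT 135

enum {
    REPLY_MAX  = 1024,  /* size of each reply buffer */
    SIG_OFFSET = 68,    /* first reply byte used for classification */
    SIG_LEN    = 3      /* number of reply bytes compared */
};

/* Probe 1: DCERPC bind, call_id 9 (first connection). */
static const unsigned char fear1[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x48, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
    0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
    0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
    0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
};

/* Probe 2: RemoteActivation request (first connection). */
static const unsigned char fear2[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x7e, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
    0x66, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x6b, 0xac, 0xd8, 0x08,
    0x2f, 0x2e, 0x03, 0x48, 0xaa, 0xdc, 0xc1, 0x6a,
    0x62, 0xfb, 0xeb, 0x98, 0x00, 0x00, 0x00, 0x00,
    0xf8, 0x91, 0x7b, 0x5a, 0x00, 0xff, 0xd0, 0x11,
    0xa9, 0xb2, 0x00, 0xc0, 0x4f, 0xb6, 0xe6, 0xfc,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
    0x01, 0x00, 0x00, 0x00, 0x38, 0xff, 0x0a, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x07, 0x00
};

/* Probe 3: DCERPC bind, call_id 1702446437 (second connection). */
static const unsigned char fear3[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x48, 0x00, 0x00, 0x00, 0x65, 0x45, 0x79, 0x65,
    0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
    0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
    0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
};

/*
 * Probe 4: RemoteActivation request (second connection). The reply to this
 * packet is the one that gets classified. The posted source had a stray '}'
 * where the initializer's opening '{' belongs, so it did not compile.
 */
static const unsigned char fear4[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x5b, 0x52, 0x65, 0x74,
    0x69, 0x6e, 0x61, 0x5d, 0x5b, 0x52, 0x65, 0x74,
    0x69, 0x6e, 0x61, 0x5d, 0x00, 0x00, 0x00, 0x00,
    0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
    0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
    0x68, 0x0f, 0x0b, 0x00, 0x1e, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00,
    0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
    0x5c, 0x00, 0x00, 0x00, 0x63, 0x00, 0x24, 0x00,
    0x5c, 0x00, 0x65, 0x00, 0x45, 0x00, 0x79, 0x00,
    0x65, 0x00, 0x5f, 0x00, 0x32, 0x00, 0x30, 0x00,
    0x30, 0x00, 0x33, 0x00, 0x5f, 0x00, 0x52, 0x00,
    0x65, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6e, 0x00,
    0x61, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00,
    0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0xb8, 0xeb, 0x0b, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x07, 0x00
};

/*
 * Reply buffers, one per probe. They are unsigned so that bytes >= 0x80
 * print as two hex digits in the --debug dump instead of being
 * sign-extended to FFFFFFxx.
 */
static unsigned char buf1[REPLY_MAX];
static unsigned char buf2[REPLY_MAX];
static unsigned char buf3[REPLY_MAX];
static unsigned char buf4[REPLY_MAX];

/* Number of bytes received for each of the four probes. */
static int recv_length[4];

/*
 * Create a TCP socket and connect it to dest.
 *
 * Returns the connected descriptor, or -1 if connect() fails (the caller
 * prints the message, because it differs between the two connections).
 * A socket() failure is reported here and ends the program: continuing
 * with an invalid descriptor, as the original did, only produced a chain
 * of follow-on errors and a meaningless verdict.
 */
static int connect_target(const struct sockaddr_in *dest)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) {
        printf("error getting socket");
        exit(1);
    }
    if (connect(fd, (const struct sockaddr *)dest, sizeof *dest) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Send one probe and read one reply into a REPLY_MAX-byte buffer.
 *
 * step is the 1-based probe number used in the error messages. Returns the
 * number of bytes received (0 if the peer closed the connection). A send or
 * receive failure ends the program, since no later step can give a valid
 * result. Only a single recv() is issued, so a reply that arrives in several
 * TCP segments may be seen only in part; the caller checks the length before
 * it looks at the signature bytes.
 */
static int exchange(int fd, int step, const unsigned char *req, size_t req_len,
                    unsigned char *reply)
{
    ssize_t got;

    if (send(fd, req, req_len, 0) < 0) {
        printf("sending error %d", step);
        close(fd);
        exit(1);
    }
    got = recv(fd, reply, REPLY_MAX, 0);
    if (got < 0) {
        printf("receiving error %d", step);
        close(fd);
        exit(1);
    }
    return (int)got;
}

/*
 * usage: dcom-isvuln <target-ip> [--debug]
 *
 * Exit status: 0 when the last reply was long enough to be classified
 * (vulnerable, not vulnerable, or unidentified signature); 1 on a usage
 * error, a network error, or a reply too short to classify.
 */
int main(int argc, char **argv)
{
    struct sockaddr_in dest_addr; /* hold dest addy */
    const unsigned char *sig;
    int sockfd;
    int i;

    /* Check the arguments before any socket is created. */
    if (argc < 2) {
        printf("usage: dcom-isvuln <target-ip> [--debug]\n");
        return(1);
    }

    memset(&dest_addr, 0, sizeof dest_addr); /* also zeroes sin_zero */
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    dest_addr.sin_addr.s_addr = inet_addr(argv[1]);
    if (dest_addr.sin_addr.s_addr == INADDR_NONE) {
        /* inet_addr() could not parse the argument as a dotted-quad address. */
        printf("usage: dcom-isvuln <target-ip> [--debug]\n");
        return(1);
    }

    printf("[+] Connecting to %s\n", argv[1]);
    sockfd = connect_target(&dest_addr);
    if (sockfd < 0) {
        printf("\n -- %s does not accept DCERPC protocol\n", argv[1]);
        exit(1);
    }

    printf("[+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT\n");
    recv_length[0] = exchange(sockfd, 1, fear1, sizeof fear1, buf1);

    printf("[+] Sending REMACT, RemoteActivation reques\n");
    recv_length[1] = exchange(sockfd, 2, fear2, sizeof fear2, buf2);

    /* close socket */
    close(sockfd);

    /* open second socket to complete test */
    printf("[+] Making second connect()\n");
    sockfd = connect_target(&dest_addr);
    if (sockfd < 0) {
        printf("connect error");
        exit(1);
    }

    printf("[+] Sending DCERPC, Bind: call_id: 1702446437 UUID: REMACT\n");
    recv_length[2] = exchange(sockfd, 3, fear3, sizeof fear3, buf3);

    printf("[+] Sending REMACT, RemoteActivation request\n");
    recv_length[3] = exchange(sockfd, 4, fear4, sizeof fear4, buf4);

    /* close connection */
    close(sockfd);

    if (argc == 3 && strcmp(argv[2], "--debug") == 0) {
        printf("[+] Debug Response 4 contents:\n");
        for (i = 0; i < recv_length[3]; i++) {
            printf("--- position %d has value %02X\n", i, (unsigned)buf4[i]);
        }
    }

    /*
     * The signature lives at offsets 68..70. Without this length check a
     * short or empty reply would be classified from bytes that were never
     * received and would be reported as an "unidentified signature".
     */
    if (recv_length[3] < SIG_OFFSET + SIG_LEN) {
        printf("\n -- %s sent only %d bytes in response 4, too short to classify.\n\n",
               argv[1], recv_length[3]);
        return(1);
    }

    sig = buf4 + SIG_OFFSET;
    if (sig[0] == 0x54 && sig[1] == 0x01 && sig[2] == 0x04) {
        printf("\n -- %s appears to be vulnerable!\n\n", argv[1]);
    }
    else if (sig[0] == 0x04 && sig[1] == 0x00 && sig[2] == 0x08) {
        printf("\n -- %s appears not vulnerable.\n\n", argv[1]);
    }
    // add more signatures here if needed
    else {
        printf("\n -- %s contains unidentified signature, please report if vulnable.\n\n", argv[1]);
    }

    return(0);
}

/*
 * ------------------------------------------------------
 * Please send unknown signatures to farp@buildtheb0x.com
 */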