Unix command line RPC/DCOM Vulnerability Scanner

From: the farpointer (farp_at_myrealbox.com)
Date: 08/02/03

    To: bugtraq@securityfocus.com
    Date: Fri, 01 Aug 2003 19:09:40 -0600
    
    

    brought to you by:
    --------------------------

    kid : ironkid@buildtheb0x.com

    and

    farp : farp@buildtheb0x.com

    #gcc -o dcom_scanz dcom_scanz.c

    # ./dcom_scanz
    usage: dcom-isvuln <target-ip> [--debug]

    # ./dcom_scanz 10.1.1.25
    [+] Connecting to 10.1.1.25
    [+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT
    [+] Sending REMACT, RemoteActivation reques
    [+] Making second connect()
    [+] Sending DCERPC, Bind: call_id: 1702446437 UUID: REMACT
    [+] Sending REMACT, RemoteActivation request

     -- 10.1.1.25 appears to be vulnerable!

    /*
     * buildtheb0x presents : dcom/rpc scanner
     * ---------------------------------------
     *
     *
     * by: kid and farp
     *
     * greets: kajun, phr_, dvdman, Sam, flatline, #nanog, synD, and to all danny's waitress's
     *
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <strings.h>
    #include <unistd.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

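    /* TCP port the probe connects to (the RPC endpoint mapper). */
    #define DEST_PORT 135

    /*
     * Packet 1: DCERPC bind sent on the first connection.
     *
     * Stored as unsigned char because several bytes are above 0x7f; with plain
     * char the initializers would be converted in an implementation-defined way
     * and comparisons against the hex literals would fail on signed-char targets.
     *
     * Header as encoded below: version 5.0, packet type 0x0b (bind), flags 0x03,
     * little-endian data representation, frag_length 0x48 (72, the array size),
     * call_id 9.  The bind offers one context (id 2) whose abstract syntax is
     * 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 (the "REMACT" interface named in the
     * program's output) with transfer syntax
     * 8a885d04-1ceb-11c9-9fe8-08002b104860 version 2.
     */
    const unsigned char fear1[] = {
        0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
        0x48, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
        0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
        0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
        0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
        0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
        0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
        0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
    };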

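    /*
     * Packet 2: DCERPC request sent on the first connection after the bind.
     *
     * Stored as unsigned char because the payload contains bytes above 0x7f.
     *
     * Header as encoded below: version 5.0, packet type 0x00 (request),
     * flags 0x03, frag_length 0x7e (126, the array size), call_id 9,
     * alloc_hint 0x66, context id 2, opnum 0.  The program's output labels this
     * a RemoteActivation request; the stub bytes after the header are kept
     * exactly as published and are not decoded here.
     */
    const unsigned char fear2[] = {
        0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
        0x7e, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
        0x66, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
        0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x6b, 0xac, 0xd8, 0x08,
        0x2f, 0x2e, 0x03, 0x48, 0xaa, 0xdc, 0xc1, 0x6a,
        0x62, 0xfb, 0xeb, 0x98, 0x00, 0x00, 0x00, 0x00,
        0xf8, 0x91, 0x7b, 0x5a, 0x00, 0xff, 0xd0, 0x11,
        0xa9, 0xb2, 0x00, 0xc0, 0x4f, 0xb6, 0xe6, 0xfc,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
        0x01, 0x00, 0x00, 0x00, 0x38, 0xff, 0x0a, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x07, 0x00
    };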

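    /*
     * Packet 3: DCERPC bind sent on the second connection.
     *
     * Stored as unsigned char because the payload contains bytes above 0x7f.
     *
     * Same interface and transfer syntax UUIDs as fear1, but with context id 0
     * and call_id bytes 65 45 79 65 -- ASCII "eEye", i.e. 1702446437 when read
     * little-endian, which is the call_id the program prints.  That fixed,
     * recognizable call_id is a convenient marker when looking for this probe
     * in a packet capture.
     */
    const unsigned char fear3[] = {
        0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
        0x48, 0x00, 0x00, 0x00, 0x65, 0x45, 0x79, 0x65,
        0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
        0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
        0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
        0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
        0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
        0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
    };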

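    /*
     * Packet 4: DCERPC request sent on the second connection; the reply to this
     * packet is the one main() classifies.
     *
     * The published listing opened this initializer with '}' instead of '{',
     * which does not compile; that is corrected here.  Stored as unsigned char
     * because the payload contains bytes above 0x7f.
     *
     * Header as encoded below: version 5.0, packet type 0x00 (request),
     * flags 0x03, frag_length 0xc6 (198, the array size), call_id 0,
     * alloc_hint 0xae, context id 0, opnum 0.
     *
     * The stub carries plain-text markers: ASCII "[Retina]" (twice) and
     * "eEye2003" (twice), and a UTF-16LE string ending in
     * c$\eEye_2003_Retina.txt.  These fixed strings make the probe easy to
     * recognize in network captures.
     */
    const unsigned char fear4[] = {
        0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
        0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x5b, 0x52, 0x65, 0x74,
        0x69, 0x6e, 0x61, 0x5d, 0x5b, 0x52, 0x65, 0x74,
        0x69, 0x6e, 0x61, 0x5d, 0x00, 0x00, 0x00, 0x00,
        0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
        0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
        0x68, 0x0f, 0x0b, 0x00, 0x1e, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00,
        0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
        0x5c, 0x00, 0x00, 0x00, 0x63, 0x00, 0x24, 0x00,
        0x5c, 0x00, 0x65, 0x00, 0x45, 0x00, 0x79, 0x00,
        0x65, 0x00, 0x5f, 0x00, 0x32, 0x00, 0x30, 0x00,
        0x30, 0x00, 0x33, 0x00, 0x5f, 0x00, 0x52, 0x00,
        0x65, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6e, 0x00,
        0x61, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00,
        0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0xb8, 0xeb, 0x0b, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x07, 0x00
    };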

    /*
     * One receive buffer per packet sent; main() passes each to recv() with a
     * 1024-byte limit.  As file-scope objects they start out zero-filled.
     */
    char buf1[1024], buf2[1024], buf3[1024], buf4[1024];

    /* Scratch globals: i is the debug-dump loop index in main(); len is declared
     * alongside it. */
    int len;
    int i;

    /* recv() return value for each of the four replies, in send order. */
    int recv_length[4];

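    /* Offsets of the three reply bytes main() compares, and the minimum reply
     * length needed for that comparison to read received data. */
    enum { DCOM_SIG_OFFSET = 68, DCOM_SIG_END = 71 };

    /*
     * Create a TCP socket and connect it to dest.
     *
     * Returns the connected descriptor, -1 if socket() failed, or -2 if
     * connect() failed (the socket is closed before returning).
     */
    static int dcom_connect(const struct sockaddr_in *dest)
    {
        int fd = socket(AF_INET, SOCK_STREAM, 0);

        if (fd < 0)
            return -1;
        if (connect(fd, (const struct sockaddr *)dest, sizeof *dest) < 0) {
            close(fd);
            return -2;
        }
        return fd;
    }

    /*
     * Send one canned packet on fd and read a single reply into reply[].
     *
     * step is the 1-based packet number used in the error text.  Returns the
     * number of bytes received (0 if the peer closed the connection), or -1
     * after printing a message when send() or recv() fails.
     */
    static int dcom_send_recv(int fd, const void *pkt, size_t pkt_len,
                              char *reply, size_t reply_cap, int step)
    {
        ssize_t sent = send(fd, pkt, pkt_len, 0);
        ssize_t got;

        if (sent < 0 || (size_t)sent != pkt_len) {
            fprintf(stderr, "sending error %d\n", step);
            return -1;
        }

        /* NOTE(review): a single recv() may return only part of the reply;
         * the caller checks the length before indexing into reply[]. */
        got = recv(fd, reply, reply_cap, 0);
        if (got < 0) {
            fprintf(stderr, "receiving error %d\n", step);
            return -1;
        }
        return (int)got;
    }

    /*
     * dcom_scanz: probe one IPv4 host on DEST_PORT and classify its reply.
     *
     * Usage: dcom-isvuln <target-ip> [--debug]
     *
     * Two TCP connections are made.  On each, a DCERPC bind and then a request
     * are sent (fear1/fear2, then fear3/fear4) and one reply is read after each
     * packet.  Bytes 68..70 of the fourth reply are compared with two fixed
     * patterns supplied by the authors; what those bytes encode is not
     * documented in this file, so the verdict is a heuristic ("appears ...").
     *
     * Unlike the originally posted version, any socket, connect, send or recv
     * failure stops the run, and a fourth reply shorter than 71 bytes is
     * reported as unclassifiable instead of being judged on buffer contents
     * that were never received.
     *
     * Returns 0 when a verdict was printed, 1 on usage or I/O errors.
     */
    int main(int argc, char **argv)
    {
        struct sockaddr_in dest_addr;
        const unsigned char *sig;
        int sockfd;
        int debug;
        int pos;

        /* Validate the command line before touching the network. */
        if (argc < 2) { printf("usage: dcom-isvuln <target-ip> [--debug]\n"); return(1); }
        debug = (argc == 3 && strcmp(argv[2], "--debug") == 0);

        memset(&dest_addr, 0, sizeof dest_addr);
        dest_addr.sin_family = AF_INET;
        dest_addr.sin_port = htons(DEST_PORT);
        /* inet_pton rejects malformed input instead of silently yielding a
         * sentinel address the way an unchecked inet_addr() call does. */
        if (inet_pton(AF_INET, argv[1], &dest_addr.sin_addr) != 1) {
            fprintf(stderr, "invalid IPv4 address: %s\n", argv[1]);
            return(1);
        }

        /* ---- first connection: bind + request ---- */
        printf("[+] Connecting to %s\n", argv[1]);
        sockfd = dcom_connect(&dest_addr);
        if (sockfd == -1) { fprintf(stderr, "error getting socket\n"); return(1); }
        if (sockfd < 0) { printf("\n -- %s does not accept DCERPC protocol\n", argv[1]); exit(1); }

        printf("[+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT\n");
        recv_length[0] = dcom_send_recv(sockfd, fear1, sizeof(fear1), buf1, sizeof(buf1), 1);
        if (recv_length[0] < 0) { close(sockfd); return(1); }

        printf("[+] Sending REMACT, RemoteActivation reques\n");
        recv_length[1] = dcom_send_recv(sockfd, fear2, sizeof(fear2), buf2, sizeof(buf2), 2);
        close(sockfd);
        if (recv_length[1] < 0) { return(1); }

        /* ---- second connection: completes the test ---- */
        printf("[+] Making second connect()\n");
        sockfd = dcom_connect(&dest_addr);
        if (sockfd == -1) { fprintf(stderr, "error getting socket\n"); return(1); }
        if (sockfd < 0) { fprintf(stderr, "connect error\n"); return(1); }

        printf("[+] Sending DCERPC, Bind: call_id: 1702446437 UUID: REMACT\n");
        recv_length[2] = dcom_send_recv(sockfd, fear3, sizeof(fear3), buf3, sizeof(buf3), 3);
        if (recv_length[2] < 0) { close(sockfd); return(1); }

        printf("[+] Sending REMACT, RemoteActivation request\n");
        recv_length[3] = dcom_send_recv(sockfd, fear4, sizeof(fear4), buf4, sizeof(buf4), 4);
        close(sockfd);
        if (recv_length[3] < 0) { return(1); }

        if (debug)
        {
            printf("[+] Debug Response 4 contents:\n");
            /* Cast to unsigned char so bytes >= 0x80 print as two hex digits
             * rather than a sign-extended value. */
            for (pos = 0; pos < recv_length[3]; pos++) {
                printf("--- position %d has value %02X\n", pos, (unsigned char)buf4[pos]);
            }
        }

        /* The signature bytes must actually have been received. */
        if (recv_length[3] < DCOM_SIG_END) {
            printf("\n -- %s returned a short reply (%d bytes); cannot classify.\n\n",
                   argv[1], recv_length[3]);
            return(1);
        }

        sig = (const unsigned char *)buf4 + DCOM_SIG_OFFSET;

        if( (sig[0]==0x54) && (sig[1]==0x01) && (sig[2]==0x04) )
          { printf("\n -- %s appears to be vulnerable!\n\n", argv[1]); }

        else if( (sig[0]==0x04) && (sig[1]==0x00) && (sig[2]==0x08) )
          { printf("\n -- %s appears not vulnerable.\n\n", argv[1]); }

        // add more signatures here if needed

        else { printf("\n -- %s contains unidentified signature, please report if vulnable.\n\n", argv[1]); }

        return(0);
    }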

    ------------------------------------------------------
    Please send unknown signatures to farp@buildtheb0x.com

