New evasion options for controlling how many fake uuids to place before and after the real uid when eexploiting DCERPC bugs

Added a new evasion option for picking readAndX/writeAndX or transNamedPipe methods for DCERPC delivery, however a struct2 issue seems to be breaking this (will investigate tomorrow).

Fixed a typo in the initialize method of the OpenPipe class


git-svn-id: file:///home/svn/incoming/trunk@3634 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit/dcerpc.rb

@@ -26,7 +26,11 @@ module Exploit::Remote::DCERPC
 		register_evasion_options(
 			[
 				OptInt.new('DCERPC::max_frag_size',   [ true, 'Set the DCERPC packet fragmentation size', 4096]),
-				OptBool.new('DCERPC::fake_bind_multi', [ false, 'Use multi-context bind calls', 'True' ])
+				OptBool.new('DCERPC::fake_bind_multi', [ false, 'Use multi-context bind calls', 'True' ]),
+				OptInt.new('DCERPC::fake_bind_multi_prepend',  [ false, 'Set the number of UUIDs to prepend before the target', 0]),
+				OptInt.new('DCERPC::fake_bind_multi_append',   [ false, 'Set the number of UUIDs to append the target', 0]),
+				OptEnum.new('DCERPC::smb_pipeio', [ false, 'Use a different delivery method for accessing named pipes', 'rw', ['rw', 'trans']] )
+				
 			], Msf::Exploit::Remote::DCERPC)
 
 		register_options(
@@ -50,6 +54,14 @@ module Exploit::Remote::DCERPC
 
 		if datastore['DCERPC::fake_bind_multi']
 			opts['fake_multi_bind'] = 1
+			
+			if datastore['DCERPC::fake_bind_multi_prepend']
+				opts['fake_multi_bind_prepend'] = datastore['DCERPC::fake_bind_multi_prepend']
+			end
+			
+			if datastore['DCERPC::fake_bind_multi_append']
+				opts['fake_multi_bind_append'] = datastore['DCERPC::fake_bind_multi_append']
+			end				
 		end
 
 		if datastore['SMBUSER']
@@ -60,6 +72,10 @@ module Exploit::Remote::DCERPC
 			opts['smb_pass'] = datastore['SMBPASS']
 		end
 
+		if datastore['DCERPC::smb_pipeio']
+			opts['smb_pipeio'] = datastore['DCERPC::smb_pipeio']
+		end
+		
 		if self.simple
 			opts['smb_client'] = self.simple
 		end

lib/rex/proto/dcerpc/client.rb

@@ -176,7 +176,18 @@ require 'rex/proto/smb/exceptions'
 		bind = ''
 		context = ''
 		if self.options['fake_multi_bind']
-			bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(self.handle.uuid[0], self.handle.uuid[1])
+			
+			args = [ self.handle.uuid[0], self.handle.uuid[1] ]
+			
+			if (self.options['fake_multi_bind_prepend'])
+				args << self.options['fake_multi_bind_prepend']
+			end
+			
+			if (self.options['fake_multi_bind_append'])
+				args << self.options['fake_multi_bind_append']
+			end			
+
+			bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args)
 		else
 			bind, context = Rex::Proto::DCERPC::Packet.make_bind(self.handle.uuid[0], self.handle.uuid[1])
 		end

lib/rex/proto/dcerpc/packet.rb

@@ -45,7 +45,11 @@ require 'rex/text'
 	end
 
 	# Create an obfuscated DCERPC BIND request packet
-	def self.make_bind_fake_multi(uuid, vers, bind_head=rand(6)+10, bind_tail=rand(4))
+	def self.make_bind_fake_multi(uuid, vers, bind_head=0, bind_tail=0)
+
+		bind_head = rand(6)+10 if bind_head == 0
+		bind_tail = rand(4)+1 if bind_head == 0
+
 		u = Rex::Proto::DCERPC::UUID
 		
 		# Process the version strings ("1.0", 1.0, "1", 1)

lib/rex/proto/smb/simpleclient.rb

@@ -110,13 +110,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		# Valid modes are: 'trans' and 'rw'
 		attr_accessor :mode
 		
-		def initalize(*args)
+		def initialize(*args)
 			super(*args)
 			mode = 'rw'
 			@buff = ''
 		end
 		
 		def read_buffer(length, offset=0)
+			length ||= @buff.length
 			@buff.slice!(0, length)
 		end
 		
@@ -144,8 +145,9 @@ EVADE = Rex::Proto::SMB::Evasions
 		end
 		
 		def write_trans(data, offset=0)
+			# Payload is not being filled the the response !?!!?
 			ack = self.client.trans_named_pipe(self.file_id, data)
-			@buff << ack['Payload'].v['Payload']		
+			@buff << ack['Payload'].v['Payload']
 		end
 	end