RPCSCAN/rpcscan.cna at main · JDArmy/RPCSCAN · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
$uuid = @();
$uuid[0] = "ac109027-2eb9-4d3e-ab82-d2f8da000d5d";
$uuid[1] = "650a7e26-eab8-5533-ce43-9c1dfce11511";
$uuid[2] = "0d3c7f20-1c8d-4654-a1b3-51563b298bda";
$uuid[3] = "12345678-1234-ABCD-EF00-0123456789AB";

$process = @();
$process[0] = "360.exe";
$process[1] = "vpn api";
$process[2] = "UserMgrCli";
$process[3] = "Spoolsv";

alias rpcscan {
    if (-is64 $1) {
        ($cmd, $host, $threadnum) = split(' ', $0);
        # println($0);
        # println($host);
        # println($threadnum);

        $bufstr = "";
        if ($threadnum == ""){
            $threadnum = 5;
        }

        foreach $index => $value ($uuid)
        {
            $p = $process[$index];
            $u = $value;
            $paddingp = chr(0x00) x (40 - strlen($p));
            $pathcu = chr(0x00) x (40 - strlen($u));
            $bufstr = "$bufstr$p$paddingp$u$pathcu";
        }

        $hostpadding = chr(0x00) x (20 - strlen($host));
        $host = "$host$hostpadding";

        $buffer = allocate(1024);

        writeb($buffer, $host);

        writeb($buffer, pack("i-", 135));

        writeb($buffer, pack("i-", $index + 1));

        writeb($buffer, pack("i-", $threadnum));

        writeb($buffer, $bufstr);

        closef($buffer);
        $b = readb($buffer, -1);

        bdllspawn($1, script_resource("rpcscan.dll"), "$[1024]b", "rpcscan.dll", 5000, false);
    }else{
        println("\c4[-]\c0 rpcscan: x64 system support");
    }
}


beacon_command_register(
   "rpcscan",
   "rpc info scan and get process",
   "Use: rpcscan [ips] [thread num]\n\nrpc info scan and get process");