From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 17 Apr 2024 09:42:04 +0200
Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg.
Signed-off-by: Daniel Baumann
---
 scripts/eppc-enum-processes.nse | 105 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 scripts/eppc-enum-processes.nse
(limited to 'scripts/eppc-enum-processes.nse')
diff --git a/scripts/eppc-enum-processes.nse b/scripts/eppc-enum-processes.nse
new file mode 100644
index 0000000..5d8f374
--- /dev/null
+++ b/scripts/eppc-enum-processes.nse
@@ -0,0 +1,105 @@
+local nmap = require('nmap')
+local shortport = require('shortport')
+local stdnse = require('stdnse')
+local string = require('string')
+local tab = require('tab')
+
+description = [[
+Attempts to enumerate process info over the Apple Remote Event protocol.
+When accessing an application over the Apple Remote Event protocol the
+service responds with the uid and pid of the application, if it is running,
+prior to requesting authentication.
+]]
+
+---
+-- @usage
+-- nmap -p 3031 --script eppc-enum-processes
+--
+-- @output
+-- PORT STATE SERVICE
+-- 3031/tcp open eppc
+-- | eppc-enum-processes:
+-- | application uid pid
+-- | Address Book 501 269
+-- | Facetime 501 495
+-- | Finder 501 274
+-- | iPhoto 501 267
+-- | Photo booth 501 471
+-- | Remote Buddy 501 268
+-- | Safari 501 270
+-- | Terminal 501 266
+-- | Transmission 501 265
+-- |_VLC media player 501 367
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+
+portrule = shortport.port_or_service(3031, "eppc", "tcp", "open")
+
+action = function( host, port )
+
+ local socket = nmap.new_socket()
+ socket:set_timeout(5000)
+
+ local try = nmap.new_try(
+ function()
+ stdnse.debug1("failed")
+ socket:close()
+ end
+ )
+
+ -- a list of application that may or may not be running on the target
+ local apps = {
+ "Address Book",
+ "App Store",
+ "Facetime",
+ "Finder",
+ "Firefox",
+ "Google Chrome",
+ "iChat",
+ "iPhoto",
+ "Keychain Access",
+ "iTunes",
+ "Photo booth",
+ "QuickTime Player",
+ "Remote Buddy",
+ "Safari",
+ "Spotify",
+ "Terminal",
+ "TextMate",
+ "Transmission",
+ "VLC",
+ "VLC media player",
+ }
+
+ local results = tab.new(3)
+ tab.addrow( results, "application", "uid", "pid" )
+
+ for _, app in ipairs(apps) do
+ try( socket:connect(host, port, "tcp") )
+ local data
+
+ local packets = {
+ "PPCT\0\0\0\1\0\0\0\1",
+ -- unfortunately I've found no packet specifications, so this has to do
+ stdnse.fromhex("e44c50525401e101")
+ .. string.pack("Bs1", 225 + #app, app)
+ .. stdnse.fromhex("dfdbe302013ddfdfdfdfd500"),
+ }
+
+ for _, v in ipairs(packets) do
+ try( socket:send(v) )
+ data = try( socket:receive() )
+ end
+
+ local uid, pid = data:match("uid=(%d+)&pid=(%d+)")
+ if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end
+
+ try( socket:close() )
+ end
+
+ return "\n" .. tab.dump(results)
+
+end
-- 
cgit v1.2.3
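Review bot: A single failed connect, send or receive inside the per-application loop aborts the whole script and discards every row already added to `results`, because each of those calls is wrapped in `try` and the `new_try` handler only closes the socket before the error propagates; one 5000 ms receive timeout on, say, the tenth of twenty probes therefore yields no output at all. Unless abort-on-first-failure is intended, the loop body should check the status of each socket call, skip that application with a debug message and continue with the next, and the handler's bare `stdnse.debug1("failed")` should say which operation failed. Separately, the length byte in `string.pack("Bs1", 225 + #app, app)` overflows for any name longer than 30 bytes; that is safe for the hard-coded list (longest entry is 16 bytes) but worth a comment such as `-- length byte is 225 + #app; names longer than 30 bytes cannot be encoded` in case the list is ever made a script argument.
```lua
  for _, app in ipairs(apps) do
    local status, data = socket:connect(host, port, "tcp")
    local packets = {
      -- … unchanged: the two probe packets …
    }
    for _, v in ipairs(packets) do
      if not status then break end
      status = socket:send(v)
      if status then status, data = socket:receive() end
    end
    socket:close()
    if status then
      local uid, pid = data:match("uid=(%d+)&pid=(%d+)")
      if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end
    else
      stdnse.debug1("%s: probe failed (%s), skipping", app, tostring(data))
    end
  end
```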