CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%
Attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol, the service responds with the uid and pid of the application, if it is running, prior to requesting authentication.
nmap -p 3031 <ip> --script eppc-enum-processes
PORT     STATE SERVICE
3031/tcp open  eppc
| eppc-enum-processes:
| application      uid pid
| Address Book     501 269
| Facetime         501 495
| Finder           501 274
| iPhoto           501 267
| Photo booth      501 471
| Remote Buddy     501 268
| Safari           501 270
| Terminal         501 266
| Transmission     501 265
|_VLC media player 501 367
local nmap = require('nmap')
local shortport = require('shortport')
local stdnse = require('stdnse')
local string = require('string')
local tab = require('tab')

description = [[
Attempts to enumerate process info over the Apple Remote Event protocol.
When accessing an application over the Apple Remote Event protocol the
service responds with the uid and pid of the application, if it is running,
prior to requesting authentication.
]]

---
-- @usage
-- nmap -p 3031 <ip> --script eppc-enum-processes
--
-- @output
-- PORT     STATE SERVICE
-- 3031/tcp open  eppc
-- | eppc-enum-processes:
-- | application      uid pid
-- | Address Book     501 269
-- | Facetime         501 495
-- | Finder           501 274
-- | iPhoto           501 267
-- | Photo booth      501 471
-- | Remote Buddy     501 268
-- | Safari           501 270
-- | Terminal         501 266
-- | Transmission     501 265
-- |_VLC media player 501 367
--

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.port_or_service(3031, "eppc", "tcp", "open")

action = function( host, port )

  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  -- on any failed call wrapped in try(), log and close the socket
  local try = nmap.new_try(
    function()
      stdnse.debug1("failed")
      socket:close()
    end
  )

  -- a list of applications that may or may not be running on the target
  local apps = {
    "Address Book",
    "App Store",
    "Facetime",
    "Finder",
    "Firefox",
    "Google Chrome",
    "iChat",
    "iPhoto",
    "Keychain Access",
    "iTunes",
    "Photo booth",
    "QuickTime Player",
    "Remote Buddy",
    "Safari",
    "Spotify",
    "Terminal",
    "TextMate",
    "Transmission",
    "VLC",
    "VLC media player",
  }

  local results = tab.new(3)
  tab.addrow( results, "application", "uid", "pid" )

  -- one connection per candidate application name
  for _, app in ipairs(apps) do
    try( socket:connect(host, port, "tcp") )
    local data

    local packets = {
      "PPCT\0\0\0\1\0\0\0\1",
      -- unfortunately I've found no packet specifications, so this has to do
      stdnse.fromhex("e44c50525401e101")
      .. string.pack("Bs1", 225 + #app, app)
      .. stdnse.fromhex("dfdbe302013ddfdfdfdfd500"),
    }

    for _, v in ipairs(packets) do
      try( socket:send(v) )
      data = try( socket:receive() )
    end

    -- a running application is reported as uid=<n>&pid=<n> before authentication
    local uid, pid = data:match("uid=(%d+)&pid=(%d+)")
    if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end

    try( socket:close() )
  end

  return "\n" .. tab.dump(results)
end
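
For defenders monitoring port 3031, the sketch below recognises probes shaped like the script's second packet and reports sources that ask about many different applications. It is an added example, not part of the Nmap script or project: the function names, the event format (one reassembled client-to-server payload per tuple), the `min_apps` threshold and the sample addresses are all assumptions made for illustration.

```python
import struct
from collections import defaultdict

# Byte strings copied from the two packets the script sends.
HANDSHAKE = b"PPCT\x00\x00\x00\x01\x00\x00\x00\x01"
PREFIX = bytes.fromhex("e44c50525401e101")
SUFFIX = bytes.fromhex("dfdbe302013ddfdfdfdfd500")

def probed_app(payload):
    """Return the application name if payload matches the script's probe layout, else None."""
    if not (payload.startswith(PREFIX) and payload.endswith(SUFFIX)):
        return None
    body = payload[len(PREFIX):len(payload) - len(SUFFIX)]
    if len(body) < 2:
        return None
    marker, name_len, name = body[0], body[1], body[2:]
    # The script packs (225 + #app) as one byte, then a 1-byte length-prefixed name.
    if name_len != len(name) or marker != 225 + name_len:
        return None
    return name.decode("ascii", errors="replace")

def flag_enumeration(events, min_apps=5):
    """Map each source to the sorted apps it probed, keeping sources with >= min_apps names."""
    seen = defaultdict(set)
    for src, payload in events:
        app = probed_app(payload)
        if app is not None:
            seen[src].add(app)
    return {src: sorted(apps) for src, apps in seen.items() if len(apps) >= min_apps}

def _constructed_probe(app):
    # Builds sample input only, using the layout shown in the script above.
    raw = app.encode("ascii")
    return PREFIX + struct.pack("BB", 225 + len(raw), len(raw)) + raw + SUFFIX

# Constructed sample events (documentation addresses, not captured traffic).
SAMPLE_EVENTS = (
    [("192.0.2.10", HANDSHAKE)]
    + [("192.0.2.10", _constructed_probe(a))
       for a in ("Finder", "Safari", "Terminal", "iChat", "iTunes", "VLC")]
    + [("192.0.2.20", _constructed_probe("Finder")), ("192.0.2.20", b"\x00garbage")]
)

if __name__ == "__main__":
    for src, apps in flag_enumeration(SAMPLE_EVENTS).items():
        print(src, "probed", len(apps), "applications:", ", ".join(apps))
```

A single client asking about one application looks like ordinary Remote Apple Events use, which is why the check keys on the number of distinct names per source rather than on any one probe.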