From 6da1b367a50e1c41afe8103f657dfacf5179f166 Mon Sep 17 00:00:00 2001 From: patrik Date: Tue, 29 May 2012 18:25:49 +0000 Subject: [PATCH] o [NSE] Added the script eppc-enum-processes that enumerates active applications, their PID and the UID under which they run through the Apple Remote Event protocol. [Patrik Karlsson] --- CHANGELOG | 4 ++ scripts/eppc-enum-processes.nse | 101 ++++++++++++++++++++++++++++++++ scripts/script.db | 1 + 3 files changed, 106 insertions(+) create mode 100644 scripts/eppc-enum-processes.nse diff --git a/CHANGELOG b/CHANGELOG index 29f63fee6..bcc038dbb 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added the script eppc-enum-processes that enumerates active + applications, their PID and the UID under which they run through the Apple + Remote Event protocol. [Patrik Karlsson] + o [NSE] Added the Internet Storage Name Service (iSNS) library and the isns-info script that lists information about portals and iSCSI devices. [Patrik Karlsson] diff --git a/scripts/eppc-enum-processes.nse b/scripts/eppc-enum-processes.nse new file mode 100644 index 000000000..9df92eef8 --- /dev/null +++ b/scripts/eppc-enum-processes.nse 
@@ -0,0 +1,101 @@ +local shortport = require('shortport') +local bin = require('bin') +local tab = require('tab') + +description = [[ +Attempt to enumerate process info over the Apple Remote Event protocol. +When accessing an application over the Apple Remote Event protocol the +service responds with the uid and pid of the application, if it is running, +prior to requesting authentication. +]] + +--- +-- @usage +-- nmap -p 3031 --script eppc-enum-processes +-- +-- @output +-- PORT STATE SERVICE +-- 3031/tcp open eppc +-- | eppc-enum-processes: +-- | application uid pid +-- | Address Book 501 269 +-- | Facetime 501 495 +-- | Finder 501 274 +-- | iPhoto 501 267 +-- | Photo booth 501 471 +-- | Remote Buddy 501 268 +-- | Safari 501 270 +-- | Terminal 501 266 +-- | Transmission 501 265 +-- |_VLC media player 501 367 +-- + +author = "Patrik Karlsson" +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"discovery", "safe"} + +portrule = shortport.port_or_service(3031, "eppc", "tcp", "open") + +action = function( host, port ) + + local socket = nmap.new_socket() + socket:set_timeout(5000) + + local try = nmap.new_try( + function() + stdnse.print_debug("%s: failed", SCRIPT_NAME) + socket:close() + end + ) + + -- a list of application that may or may not be running on the target + local apps = { + "Address Book", + "App Store", + "Facetime", + "Finder", + "Firefox", + "Google Chrome", + "iChat", + "iPhoto", + "Keychain Access", + "iTunes", + "Photo booth", + "QuickTime Player", + "Remote Buddy", + "Safari", + "Spotify", + "Terminal", + "TextMate", + "Transmission", + "VLC", + "VLC media player", + } + + local results = tab.new(3) + tab.addrow( results, "application", "uid", "pid" ) + + for _, app in ipairs(apps) do + try( socket:connect(host, port, "tcp") ) + local data + + local packets = { + "PPCT\0\0\0\1\0\0\0\1", + -- unfortunately I've found no packet specifications, so this has to do + bin.pack("HCpH", "e44c50525401e101", 225 + #app, app, 
"dfdbe302013ddfdfdfdfd500") + } + + for _, v in ipairs(packets) do + try( socket:send(v) ) + data = try( socket:receive() ) + end + + local uid, pid = data:match("uid=(%d+)&pid=(%d+)") + if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end + + try( socket:close() ) + end + + return "\n" .. tab.dump(results) + +end \ No newline at end of file diff --git a/scripts/script.db b/scripts/script.db index 48acac8d8..f2cfcbe5a 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -93,6 +93,7 @@ Entry { filename = "drda-info.nse", categories = { "discovery", "safe", "version Entry { filename = "duplicates.nse", categories = { "safe", } } Entry { filename = "eap-info.nse", categories = { "broadcast", "safe", } } Entry { filename = "epmd-info.nse", categories = { "default", "discovery", "safe", } } +Entry { filename = "eppc-enum-processes.nse", categories = { "discovery", "safe", } } Entry { filename = "finger.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "firewalk.nse", categories = { "discovery", "safe", } } Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
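Review bot: `stdnse.print_debug` inside the `nmap.new_try` handler and `nmap.new_socket`/`nmap.new_try` in `action` rely on `stdnse` and `nmap` being globals, while the header only requires `shortport`, `bin` and `tab`; unless this NSE tree still exports both as globals, the failure handler itself will raise a nil-index error at the moment a connect or receive fails. Add `local nmap = require('nmap')` and `local stdnse = require('stdnse')` next to the existing requires. A second point: because every connect, send and receive is wrapped in `try`, the first application whose probe fails aborts the whole action and discards the rows already added to `results`, so a host that drops one probe connection yields no output at all; checking the status per application and continuing the loop would keep the partial table. Finally, the length byte `225 + #app` is packed with `C`, so an application name longer than 30 bytes would no longer fit in one byte; the hard-coded list stays below that, but a comment such as `-- 'C' is one byte: app names must be <= 30 bytes` would guard future additions.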