2005-06-05 05:42:43 +00:00
|
|
|
module Msf
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This module provides methods for establish a connection to a remote host and
|
|
|
|
# communicating with it.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
module Exploit::Remote::Tcp
|
2005-11-15 15:11:43 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Initializes an instance of an exploit module that exploits a
|
|
|
|
# vulnerability in a TCP server.
|
|
|
|
#
|
2005-06-05 06:07:18 +00:00
|
|
|
def initialize(info = {})
|
2005-06-05 23:45:58 +00:00
|
|
|
super
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RHOST,
|
|
|
|
Opt::RPORT,
|
2005-11-11 01:22:03 +00:00
|
|
|
Opt::SSL
|
2005-06-05 23:45:58 +00:00
|
|
|
], Msf::Exploit::Remote::Tcp)
|
2005-06-05 05:42:43 +00:00
|
|
|
end
|
|
|
|
|
2005-06-05 06:07:18 +00:00
|
|
|
#
|
|
|
|
# Establishes a TCP connection to the specified RHOST/RPORT
|
|
|
|
#
|
|
|
|
def connect(global = true)
|
2005-07-15 23:46:05 +00:00
|
|
|
nsock = Rex::Socket::Tcp.create(
|
2005-06-05 06:07:18 +00:00
|
|
|
'PeerHost' => datastore['RHOST'],
|
|
|
|
'PeerPort' => datastore['RPORT'].to_i,
|
2005-07-16 07:32:11 +00:00
|
|
|
'LocalHost' => datastore['CHOST'] || "0.0.0.0",
|
2005-11-11 01:22:03 +00:00
|
|
|
'LocalPort' => datastore['CPORT'] ? datastore['CPORT'].to_i : 0,
|
2005-11-15 21:25:23 +00:00
|
|
|
'SSL' => datastore['SSL'],
|
|
|
|
'Context' =>
|
|
|
|
{
|
|
|
|
'Msf' => framework,
|
2005-11-24 18:50:33 +00:00
|
|
|
'MsfExploit' => self,
|
2005-11-15 21:25:23 +00:00
|
|
|
})
|
2005-06-05 06:07:18 +00:00
|
|
|
|
|
|
|
# Set this socket to the global socket as necessary
|
2005-07-15 23:46:05 +00:00
|
|
|
self.sock = nsock if (global)
|
2005-06-05 06:07:18 +00:00
|
|
|
|
2005-11-24 18:50:33 +00:00
|
|
|
# Add this socket to the list of sockets created by this exploit
|
|
|
|
sockets << nsock
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
return nsock
|
|
|
|
end
|
|
|
|
|
|
|
|
def handler(nsock = self.sock)
|
|
|
|
# If the handler claims the socket, then we don't want it to get closed
|
|
|
|
# during cleanup
|
2005-11-24 18:50:33 +00:00
|
|
|
if ((rv = super) == Handler::Claimed)
|
|
|
|
if (nsock == self.sock)
|
|
|
|
self.sock = nil
|
|
|
|
end
|
|
|
|
|
|
|
|
# Remove this socket from the list of sockets so that it will not be
|
|
|
|
# aborted.
|
|
|
|
sockets.delete(nsock)
|
2005-07-15 23:46:05 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return rv
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Closes the TCP connection
|
|
|
|
#
|
2005-07-15 23:46:05 +00:00
|
|
|
def disconnect(nsock = self.sock)
|
2005-11-24 19:15:24 +00:00
|
|
|
begin
|
|
|
|
if (nsock)
|
|
|
|
nsock.shutdown
|
|
|
|
nsock.close
|
|
|
|
end
|
|
|
|
rescue IOError
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
if (nsock == sock)
|
|
|
|
self.sock = nil
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
2005-11-24 18:50:33 +00:00
|
|
|
|
|
|
|
# Remove this socket from the list of sockets created by this exploit
|
|
|
|
sockets.delete(nsock)
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
#
|
|
|
|
# Performs cleanup, disconnects the socket if necessary
|
|
|
|
#
|
|
|
|
def cleanup
|
|
|
|
super
|
|
|
|
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
|
|
|
|
##
|
|
|
|
#
|
|
|
|
# Wrappers for getters
|
|
|
|
#
|
|
|
|
##
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the target host
|
|
|
|
#
|
|
|
|
def rhost
|
|
|
|
datastore['RHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the remote port
|
|
|
|
#
|
|
|
|
def rport
|
|
|
|
datastore['RPORT']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local host
|
|
|
|
#
|
|
|
|
def lhost
|
|
|
|
datastore['LHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local port
|
|
|
|
#
|
|
|
|
def lport
|
|
|
|
datastore['LPORT']
|
|
|
|
end
|
|
|
|
|
2005-06-05 06:07:18 +00:00
|
|
|
protected
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
attr_accessor :sock
|
2005-06-05 06:07:18 +00:00
|
|
|
|
2005-06-05 05:42:43 +00:00
|
|
|
end
|
|
|
|
|
2005-09-21 04:48:37 +00:00
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This mixin provides a generic interface for running a TCP server of some
|
|
|
|
# sort that is designed to exploit clients. Exploits that include this mixin
|
|
|
|
# automatically take a passive stance.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
module Exploit::Remote::TcpServer
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Stance' => Msf::Exploit::Stance::Passive))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2005-09-22 03:24:32 +00:00
|
|
|
OptAddress.new('SRVHOST', [ true, "The local host to listen on." ]),
|
|
|
|
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ])
|
2005-09-21 04:48:37 +00:00
|
|
|
], Msf::Exploit::Remote::TcpServer)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# This mixin overrides the exploit method so that it can initiate the
|
|
|
|
# service that corresponds with what the client has requested.
|
|
|
|
#
|
|
|
|
def exploit
|
|
|
|
start_service
|
2005-09-22 03:24:32 +00:00
|
|
|
|
|
|
|
print_status("Server started.");
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Stops the service, if one was created.
|
|
|
|
#
|
|
|
|
def cleanup
|
|
|
|
stop_service
|
2005-09-22 03:24:32 +00:00
|
|
|
|
|
|
|
print_status("Server stopped.");
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Starts the service.
|
|
|
|
#
|
2005-09-22 03:24:32 +00:00
|
|
|
def start_service(*args)
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Stops the service.
|
|
|
|
#
|
|
|
|
def stop_service
|
2005-09-22 03:24:32 +00:00
|
|
|
if (service)
|
2005-09-29 20:18:24 +00:00
|
|
|
Rex::ServiceManager.stop_service(self.service)
|
|
|
|
|
|
|
|
self.service.deref
|
2005-09-22 03:24:32 +00:00
|
|
|
self.service = nil
|
|
|
|
end
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local host that is being listened on.
|
|
|
|
#
|
|
|
|
def srvhost
|
|
|
|
datastore['SRVHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local port that is being listened on.
|
|
|
|
#
|
|
|
|
def srvport
|
|
|
|
datastore['SRVPORT']
|
|
|
|
end
|
|
|
|
|
|
|
|
protected
|
2005-09-22 03:24:32 +00:00
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
attr_accessor :service # :nodoc:
|
2005-09-21 04:48:37 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
2005-06-05 05:42:43 +00:00
|
|
|
end
|