2005-06-05 05:42:43 +00:00
|
|
|
module Msf
|
|
|
|
|
2009-03-14 05:06:13 +00:00
|
|
|
module EvasiveTCP
|
|
|
|
attr_accessor :_send_size, :_send_delay, :evasive
|
2006-02-03 19:55:56 +00:00
|
|
|
|
2009-03-14 05:06:13 +00:00
|
|
|
def denagle
|
|
|
|
begin
|
|
|
|
setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
|
|
|
|
rescue ::Exception
|
2006-02-03 19:55:56 +00:00
|
|
|
end
|
|
|
|
end
|
2009-03-14 05:06:13 +00:00
|
|
|
|
|
|
|
def write(buf, opts={})
|
|
|
|
|
|
|
|
return super(buf, opts) if not @evasive
|
|
|
|
|
|
|
|
ret = 0
|
|
|
|
idx = 0
|
|
|
|
len = @_send_size || buf.length
|
|
|
|
|
|
|
|
while(idx < buf.length)
|
|
|
|
|
|
|
|
if(@_send_delay and idx > 0)
|
|
|
|
select(nil, nil, nil, @_send_delay)
|
|
|
|
end
|
|
|
|
|
|
|
|
pkt = buf[idx, len]
|
2006-02-03 19:55:56 +00:00
|
|
|
|
2009-03-14 05:06:13 +00:00
|
|
|
res = super(pkt, opts)
|
|
|
|
flush()
|
2006-02-03 19:55:56 +00:00
|
|
|
|
2009-03-14 05:06:13 +00:00
|
|
|
idx += len
|
|
|
|
ret += res if res
|
|
|
|
end
|
|
|
|
ret
|
2006-02-03 19:55:56 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-06-05 05:42:43 +00:00
|
|
|
###
|
|
|
|
#
|
|
|
|
# This module provides methods for establish a connection to a remote host and
|
|
|
|
# communicating with it.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
module Exploit::Remote::Tcp
|
2005-11-15 15:11:43 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Initializes an instance of an exploit module that exploits a
|
|
|
|
# vulnerability in a TCP server.
|
|
|
|
#
|
2005-06-05 06:07:18 +00:00
|
|
|
def initialize(info = {})
|
2005-06-05 23:45:58 +00:00
|
|
|
super
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RHOST,
|
2007-02-18 07:02:47 +00:00
|
|
|
Opt::RPORT
|
2006-02-03 19:55:56 +00:00
|
|
|
], Msf::Exploit::Remote::Tcp
|
|
|
|
)
|
|
|
|
|
2007-02-18 07:02:47 +00:00
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
Opt::SSL,
|
|
|
|
Opt::Proxies,
|
|
|
|
Opt::CPORT,
|
2007-04-24 06:27:39 +00:00
|
|
|
Opt::CHOST,
|
|
|
|
OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
|
2007-02-18 07:02:47 +00:00
|
|
|
], Msf::Exploit::Remote::Tcp
|
|
|
|
)
|
|
|
|
|
2006-02-03 19:55:56 +00:00
|
|
|
register_evasion_options(
|
|
|
|
[
|
|
|
|
OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size. (0 = disable)', 0]),
|
|
|
|
OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0])
|
|
|
|
], Msf::Exploit::Remote::Tcp
|
|
|
|
)
|
2005-06-05 05:42:43 +00:00
|
|
|
end
|
|
|
|
|
2005-06-05 06:07:18 +00:00
|
|
|
#
|
|
|
|
# Establishes a TCP connection to the specified RHOST/RPORT
|
|
|
|
#
|
2007-04-14 07:16:33 +00:00
|
|
|
def connect(global = true, opts={})
|
2005-07-15 23:46:05 +00:00
|
|
|
nsock = Rex::Socket::Tcp.create(
|
2007-04-14 07:16:33 +00:00
|
|
|
'PeerHost' => opts['RHOST'] || rhost,
|
|
|
|
'PeerPort' => (opts['RPORT'] || rport).to_i,
|
|
|
|
'LocalHost' => opts['CHOST'] || chost || "0.0.0.0",
|
|
|
|
'LocalPort' => (opts['CPORT'] || cport || 0).to_i,
|
2006-08-12 23:08:20 +00:00
|
|
|
'SSL' => ssl,
|
|
|
|
'Proxies' => proxies,
|
2007-04-24 06:27:39 +00:00
|
|
|
'Timeout' => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
|
2005-11-15 21:25:23 +00:00
|
|
|
'Context' =>
|
|
|
|
{
|
|
|
|
'Msf' => framework,
|
2005-11-24 18:50:33 +00:00
|
|
|
'MsfExploit' => self,
|
2005-11-15 21:25:23 +00:00
|
|
|
})
|
2005-06-05 06:07:18 +00:00
|
|
|
|
2006-02-03 19:55:56 +00:00
|
|
|
# enable evasions on this socket
|
2009-03-14 05:06:13 +00:00
|
|
|
set_tcp_evasions(nsock)
|
2006-02-03 19:55:56 +00:00
|
|
|
|
2005-06-05 06:07:18 +00:00
|
|
|
# Set this socket to the global socket as necessary
|
2005-07-15 23:46:05 +00:00
|
|
|
self.sock = nsock if (global)
|
2005-06-05 06:07:18 +00:00
|
|
|
|
2005-11-24 18:50:33 +00:00
|
|
|
# Add this socket to the list of sockets created by this exploit
|
|
|
|
sockets << nsock
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
return nsock
|
|
|
|
end
|
|
|
|
|
2009-03-14 05:06:13 +00:00
|
|
|
# Enable evasions on a given client
|
|
|
|
def set_tcp_evasions(socket)
|
|
|
|
|
|
|
|
if( datastore['TCP::max_send_size'] == 0 and datastore['TCP::send_delay'] == 0)
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
return if socket.respond_to?('evasive')
|
|
|
|
|
|
|
|
socket.extend(EvasiveTCP)
|
|
|
|
|
|
|
|
if ( datastore['TCP::max_send_size'] > 0)
|
|
|
|
socket._send_size = datastore['TCP::max_send_size']
|
|
|
|
socket.denagle
|
|
|
|
socket.evasive = true
|
|
|
|
end
|
|
|
|
|
|
|
|
if ( datastore['TCP::send_delay'] > 0)
|
|
|
|
socket._send_delay = datastore['TCP::send_delay']
|
|
|
|
socket.evasive = true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
def handler(nsock = self.sock)
|
|
|
|
# If the handler claims the socket, then we don't want it to get closed
|
|
|
|
# during cleanup
|
2005-11-24 18:50:33 +00:00
|
|
|
if ((rv = super) == Handler::Claimed)
|
|
|
|
if (nsock == self.sock)
|
|
|
|
self.sock = nil
|
|
|
|
end
|
|
|
|
|
|
|
|
# Remove this socket from the list of sockets so that it will not be
|
|
|
|
# aborted.
|
|
|
|
sockets.delete(nsock)
|
2005-07-15 23:46:05 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return rv
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Closes the TCP connection
|
|
|
|
#
|
2005-07-15 23:46:05 +00:00
|
|
|
def disconnect(nsock = self.sock)
|
2005-11-24 19:15:24 +00:00
|
|
|
begin
|
|
|
|
if (nsock)
|
|
|
|
nsock.shutdown
|
|
|
|
nsock.close
|
|
|
|
end
|
|
|
|
rescue IOError
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
if (nsock == sock)
|
|
|
|
self.sock = nil
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
2005-11-24 18:50:33 +00:00
|
|
|
|
|
|
|
# Remove this socket from the list of sockets created by this exploit
|
|
|
|
sockets.delete(nsock)
|
2005-06-05 06:07:18 +00:00
|
|
|
end
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
#
|
|
|
|
# Performs cleanup, disconnects the socket if necessary
|
|
|
|
#
|
|
|
|
def cleanup
|
|
|
|
super
|
|
|
|
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
|
|
|
|
##
|
|
|
|
#
|
|
|
|
# Wrappers for getters
|
|
|
|
#
|
|
|
|
##
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the target host
|
|
|
|
#
|
|
|
|
def rhost
|
|
|
|
datastore['RHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the remote port
|
|
|
|
#
|
|
|
|
def rport
|
|
|
|
datastore['RPORT']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local host
|
|
|
|
#
|
|
|
|
def lhost
|
|
|
|
datastore['LHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local port
|
|
|
|
#
|
|
|
|
def lport
|
|
|
|
datastore['LPORT']
|
|
|
|
end
|
|
|
|
|
2006-08-12 23:08:20 +00:00
|
|
|
#
|
|
|
|
# Returns the local host for outgoing connections
|
|
|
|
#
|
|
|
|
def chost
|
|
|
|
datastore['CHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local port for outgoing connections
|
|
|
|
#
|
|
|
|
def cport
|
|
|
|
datastore['CPORT']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the boolean indicating SSL
|
|
|
|
#
|
|
|
|
def ssl
|
|
|
|
datastore['SSL']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the proxy configuration
|
|
|
|
#
|
|
|
|
def proxies
|
|
|
|
datastore['Proxies']
|
|
|
|
end
|
2007-04-24 06:27:39 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the TCP connection timeout
|
|
|
|
#
|
|
|
|
def connect_timeout
|
|
|
|
datastore['ConnectTimeout']
|
|
|
|
end
|
2006-08-12 23:08:20 +00:00
|
|
|
|
2005-06-05 06:07:18 +00:00
|
|
|
protected
|
|
|
|
|
2005-07-15 23:46:05 +00:00
|
|
|
attr_accessor :sock
|
2005-06-05 06:07:18 +00:00
|
|
|
|
2005-06-05 05:42:43 +00:00
|
|
|
end
|
|
|
|
|
2005-09-21 04:48:37 +00:00
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This mixin provides a generic interface for running a TCP server of some
|
|
|
|
# sort that is designed to exploit clients. Exploits that include this mixin
|
|
|
|
# automatically take a passive stance.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
module Exploit::Remote::TcpServer
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Stance' => Msf::Exploit::Stance::Passive))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2008-03-22 06:34:52 +00:00
|
|
|
Opt::SSL,
|
2007-07-03 04:20:50 +00:00
|
|
|
OptAddress.new('SRVHOST', [ true, "The local host to listen on.", '0.0.0.0' ]),
|
2008-03-22 06:34:52 +00:00
|
|
|
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
|
2005-09-21 04:48:37 +00:00
|
|
|
], Msf::Exploit::Remote::TcpServer)
|
2006-02-03 19:55:56 +00:00
|
|
|
|
|
|
|
register_evasion_options(
|
|
|
|
[
|
2007-07-03 04:20:50 +00:00
|
|
|
OptInt.new('TCP::max_send_size', [false, 'Maximum tcp segment size. (0 = disable)', 0]),
|
2006-02-03 19:55:56 +00:00
|
|
|
OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0])
|
|
|
|
], Msf::Exploit::Remote::Tcp
|
|
|
|
)
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# This mixin overrides the exploit method so that it can initiate the
|
|
|
|
# service that corresponds with what the client has requested.
|
|
|
|
#
|
|
|
|
def exploit
|
2008-11-16 20:54:41 +00:00
|
|
|
|
2007-07-03 04:20:50 +00:00
|
|
|
start_service()
|
|
|
|
print_status("Server started.")
|
2008-11-16 20:54:41 +00:00
|
|
|
|
|
|
|
# Call the exploit primer
|
2008-10-27 20:31:40 +00:00
|
|
|
primer
|
2008-11-16 20:54:41 +00:00
|
|
|
|
|
|
|
# Wait on the service to stop
|
|
|
|
self.service.wait
|
2008-10-27 20:31:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Primer method to call after starting service but before handling connections
|
|
|
|
#
|
|
|
|
def primer
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Stops the service, if one was created.
|
|
|
|
#
|
|
|
|
def cleanup
|
2007-07-03 04:20:50 +00:00
|
|
|
if(service)
|
|
|
|
stop_service()
|
|
|
|
print_status("Server stopped.")
|
|
|
|
end
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
2006-12-14 02:20:21 +00:00
|
|
|
#
|
|
|
|
# Called when a client connects.
|
|
|
|
#
|
|
|
|
def on_client_connect(client)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Called when a client has data available for reading.
|
|
|
|
#
|
|
|
|
def on_client_data(client)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Called when a client has disconnected.
|
|
|
|
#
|
|
|
|
def on_client_close(client)
|
|
|
|
end
|
|
|
|
|
2005-09-21 04:48:37 +00:00
|
|
|
#
|
|
|
|
# Starts the service.
|
|
|
|
#
|
2005-09-22 03:24:32 +00:00
|
|
|
def start_service(*args)
|
2007-07-03 04:20:50 +00:00
|
|
|
begin
|
|
|
|
|
|
|
|
self.service = Rex::Socket::TcpServer.create(
|
|
|
|
'LocalHost' => srvhost,
|
|
|
|
'LocalPort' => srvport,
|
2008-03-22 06:34:52 +00:00
|
|
|
'SSL' => ssl,
|
2007-07-03 04:20:50 +00:00
|
|
|
'Context' =>
|
|
|
|
{
|
|
|
|
'Msf' => framework,
|
|
|
|
'MsfExploit' => self,
|
|
|
|
})
|
|
|
|
|
|
|
|
self.service.on_client_connect_proc = Proc.new { |client|
|
|
|
|
on_client_connect(client)
|
|
|
|
}
|
|
|
|
self.service.on_client_data_proc = Proc.new { |client|
|
|
|
|
on_client_data(client)
|
|
|
|
}
|
|
|
|
self.service.on_client_close_proc = Proc.new { |client|
|
|
|
|
on_client_close(client)
|
|
|
|
}
|
|
|
|
|
2008-11-16 20:54:41 +00:00
|
|
|
# Start the listening service
|
2007-07-03 04:20:50 +00:00
|
|
|
self.service.start
|
2008-11-16 20:54:41 +00:00
|
|
|
|
2007-07-03 04:20:50 +00:00
|
|
|
rescue ::Errno::EACCES => e
|
|
|
|
if (srvport.to_i < 1024)
|
|
|
|
print_line(" ")
|
2008-12-19 07:11:08 +00:00
|
|
|
print_error("Could not start the TCP server: #{e}.")
|
2007-07-03 04:20:50 +00:00
|
|
|
print_error(
|
|
|
|
"This module is configured to use a privileged TCP port (#{srvport}). " +
|
|
|
|
"On Unix systems, only the root user account is allowed to bind to privileged ports." +
|
|
|
|
"Please run the framework as root to use this module."
|
|
|
|
)
|
2007-07-16 02:17:32 +00:00
|
|
|
print_error(
|
|
|
|
"On Microsoft Windows systems, this error is returned when a process attempts to "+
|
|
|
|
"listen on a host/port combination that is already in use. For example, Windows XP "+
|
|
|
|
"will return this error if a process attempts to bind() over the system SMB/NetBIOS services."
|
|
|
|
)
|
2007-07-03 04:20:50 +00:00
|
|
|
print_line(" ")
|
|
|
|
end
|
|
|
|
raise e
|
|
|
|
end
|
2006-12-14 02:20:21 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Stops the service.
|
|
|
|
#
|
|
|
|
def stop_service
|
|
|
|
if (service)
|
2008-11-16 20:54:41 +00:00
|
|
|
begin
|
|
|
|
self.service.deref if self.service.kind_of?(Rex::Service)
|
|
|
|
self.service.close if self.service.kind_of?(Rex::Socket)
|
|
|
|
self.service = nil
|
|
|
|
rescue ::Exception
|
|
|
|
end
|
2006-12-14 02:20:21 +00:00
|
|
|
end
|
2005-09-21 04:48:37 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local host that is being listened on.
|
|
|
|
#
|
|
|
|
def srvhost
|
|
|
|
datastore['SRVHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the local port that is being listened on.
|
|
|
|
#
|
|
|
|
def srvport
|
|
|
|
datastore['SRVPORT']
|
|
|
|
end
|
|
|
|
|
2008-03-22 06:34:52 +00:00
|
|
|
#
|
|
|
|
# Returns the SSL option
|
|
|
|
#
|
|
|
|
def ssl
|
|
|
|
datastore['SSL']
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2007-07-03 04:20:50 +00:00
|
|
|
#
|
|
|
|
# Re-generates the payload, substituting the current RHOST and RPORT with
|
|
|
|
# the supplied client host and port from the socket.
|
|
|
|
#
|
|
|
|
def regenerate_payload(cli, arch = nil, platform = nil, target = nil)
|
|
|
|
|
|
|
|
ohost = datastore['RHOST']
|
|
|
|
oport = datastore['RPORT']
|
2007-07-03 04:38:56 +00:00
|
|
|
p = nil
|
|
|
|
|
2007-07-03 04:20:50 +00:00
|
|
|
begin
|
|
|
|
# Update the datastore with the supplied client peerhost/peerport
|
|
|
|
datastore['RHOST'] = cli.peerhost
|
|
|
|
datastore['RPORT'] = cli.peerport
|
|
|
|
|
|
|
|
if ((p = super(arch, platform, target)) == nil)
|
2007-07-03 04:39:18 +00:00
|
|
|
print_error("Failed to generate payload")
|
2007-07-03 04:20:50 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
# Allow the payload to start a new handler
|
|
|
|
add_handler({
|
|
|
|
'RHOST' => datastore['RHOST'],
|
|
|
|
'RPORT' => datastore['RPORT']
|
|
|
|
})
|
|
|
|
|
|
|
|
ensure
|
2008-05-16 21:20:43 +00:00
|
|
|
datastore['RHOST'] = ohost
|
|
|
|
datastore['RPORT'] = oport
|
2007-07-03 04:20:50 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
p
|
|
|
|
end
|
|
|
|
|
2005-09-21 04:48:37 +00:00
|
|
|
protected
|
2005-09-22 03:24:32 +00:00
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
attr_accessor :service # :nodoc:
|
2005-09-21 04:48:37 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
2008-11-16 20:54:41 +00:00
|
|
|
end
|