2009-01-23 02:05:28 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2009-01-23 02:05:28 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2009-01-23 02:05:28 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Order is important here
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Exploit::Remote::Ftp
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'FTP Bounce Port Scanner',
|
|
|
|
'Description' => %q{
|
|
|
|
Enumerate TCP services via the FTP bounce PORT/LIST
|
2014-04-15 02:46:05 +00:00
|
|
|
method.
|
2013-08-30 21:28:54 +00:00
|
|
|
},
|
|
|
|
'Author' => 'kris katterjohn',
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]),
|
|
|
|
OptAddress.new('BOUNCEHOST', [true, "FTP relay host"]),
|
2015-12-05 16:24:10 +00:00
|
|
|
OptPort.new('BOUNCEPORT', [true, "FTP relay port", 21]),
|
2015-12-05 15:22:52 +00:00
|
|
|
OptInt.new('DELAY', [true, "The delay between connections, per thread, in milliseconds", 0]),
|
2015-12-05 16:24:10 +00:00
|
|
|
OptInt.new('JITTER', [true, "The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.", 0])
|
2013-08-30 21:28:54 +00:00
|
|
|
])
|
|
|
|
|
|
|
|
deregister_options('RHOST', 'RPORT')
|
|
|
|
end
|
|
|
|
|
|
|
|
# No IPv6 support yet
|
|
|
|
def support_ipv6?
|
|
|
|
false
|
|
|
|
end
|
|
|
|
|
2014-04-15 02:46:05 +00:00
|
|
|
def rhost
|
|
|
|
datastore['BOUNCEHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
def rport
|
|
|
|
datastore['BOUNCEPORT']
|
|
|
|
end
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run_host(ip)
|
|
|
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
|
|
|
if ports.empty?
|
2013-12-18 21:04:53 +00:00
|
|
|
raise Msf::OptionValidateError.new(['PORTS'])
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
2015-12-05 15:22:52 +00:00
|
|
|
jitter_value = datastore['JITTER'].to_i
|
2015-12-05 15:33:04 +00:00
|
|
|
if jitter_value < 0
|
2015-12-05 15:22:52 +00:00
|
|
|
raise Msf::OptionValidateError.new(['JITTER'])
|
2015-12-05 15:33:04 +00:00
|
|
|
end
|
2015-12-05 15:22:52 +00:00
|
|
|
|
|
|
|
delay_value = datastore['DELAY'].to_i
|
2015-12-05 15:33:04 +00:00
|
|
|
if delay_value < 0
|
2015-12-05 15:22:52 +00:00
|
|
|
raise Msf::OptionValidateError.new(['DELAY'])
|
|
|
|
end
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
return if not connect_login
|
|
|
|
|
|
|
|
ports.each do |port|
|
|
|
|
# Clear out the receive buffer since we're heavily dependent
|
|
|
|
# on the response codes. We need to do this between every
|
|
|
|
# port scan attempt unfortunately.
|
|
|
|
while true
|
2014-06-28 20:22:16 +00:00
|
|
|
r = sock.get_once(-1, 0.25)
|
2013-08-30 21:28:54 +00:00
|
|
|
break if not r or r.empty?
|
|
|
|
end
|
|
|
|
|
|
|
|
begin
|
|
|
|
|
2015-12-05 15:22:52 +00:00
|
|
|
# Add the delay based on JITTER and DELAY if needs be
|
|
|
|
add_delay_jitter(delay_value,jitter_value)
|
|
|
|
|
|
|
|
host = (ip.split('.') + [port / 256, port % 256]).join(',')
|
2013-08-30 21:28:54 +00:00
|
|
|
resp = send_cmd(["PORT", host])
|
|
|
|
|
|
|
|
if resp =~ /^5/
|
|
|
|
#print_error("Got error from PORT to #{ip}:#{port}")
|
|
|
|
next
|
|
|
|
elsif not resp
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
resp = send_cmd(["LIST"])
|
|
|
|
|
|
|
|
if resp =~ /^[12]/
|
|
|
|
print_status(" TCP OPEN #{ip}:#{port}")
|
|
|
|
report_service(:host => ip, :port => port)
|
|
|
|
end
|
|
|
|
rescue ::Exception
|
|
|
|
print_error("Unknown error: #{$!}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2009-01-23 02:05:28 +00:00
|
|
|
end
|