##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
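# Auxiliary scanner that checks which filenames from a wordlist a TFTP server
# will serve. For every wordlist entry it sends one TFTP read request (RRQ,
# opcode 1, mode "netascii") and treats a DATA reply (opcode 3) as proof that
# the file exists and is readable without authentication.
#
# Every entry produces exactly one RRQ datagram from the same socket, so a run
# appears on the server side as a rapid series of read requests from a single
# source address.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Registers the module metadata and its options: the TFTP port (default 69),
  # an optional local bind address (CHOST) and the filename wordlist
  # (DICTIONARY, defaulting to wordlists/tftp.txt in the data directory).
  def initialize
    super(
      'Name'        => 'TFTP Brute Forcer',
      'Description' => 'This module uses a dictionary to brute force valid TFTP image names from a TFTP server.',
      'Author'      => 'antoine',
      'License'     => BSD_LICENSE
    )

    register_options(
      [
        Opt::RPORT(69),
        Opt::CHOST,
        OptPath.new('DICTIONARY', [ true, 'The list of filenames',
          File.join(Msf::Config.data_directory, "wordlists", "tftp.txt") ])
      ])
  end

  # Requests each wordlist filename from the TFTP service on +ip+ and reports
  # the ones the server answers with a DATA packet.
  #
  # @param ip the address the read requests are sent to
  def run_host(ip)
    # Declared before the begin block so the ensure clause can tell whether the
    # socket was ever created; the original called close on nil when
    # Rex::Socket::Udp.create raised.
    udp_sock = nil

    begin
      # Create an unbound UDP socket if no CHOST is specified, otherwise
      # create a UDP socket bound to CHOST (in order to avail of pivoting)
      udp_sock = Rex::Socket::Udp.create(
        {
          'LocalHost' => datastore['CHOST'] || nil,
          'Context'   =>
            {
              'Msf'        => framework,
              'MsfExploit' => self,
            }
        }
      )
      add_socket(udp_sock)

      # Block form closes the wordlist even when a send or report call raises.
      File.open(datastore['DICTIONARY'], 'rb') do |fd|
        fd.each_line do |line|
          filename = line.strip
          # A blank wordlist line would otherwise become an RRQ with an empty
          # filename, which can never identify a file.
          next if filename.empty?

          # RRQ layout: opcode 0x0001, filename, NUL, transfer mode, NUL.
          pkt = "\x00\x01" + filename + "\x00" + "netascii" + "\x00"
          udp_sock.sendto(pkt, ip, datastore['RPORT'])

          # Wait up to 3 seconds for a reply. A DATA reply (opcode 0x0003) is
          # never acknowledged here, so the transfer the server started is left
          # for the server to time out.
          resp = udp_sock.get(3)
          next unless resp && resp.length >= 2 && resp[0, 2] == "\x00\x03"

          print_status("Found #{filename} on #{ip}")
          report_note(
            :host  => ip,
            :proto => 'udp',
            :sname => 'tftp',
            :port  => datastore['RPORT'],
            :type  => "Found #{filename}",
            :data  => "Found #{filename}"
          )
        end
      end
    rescue ::StandardError => e
      # Still best-effort per host (no re-raise), but the failure is no longer
      # invisible: it is shown when the VERBOSE option is enabled.
      vprint_error("#{ip} - TFTP filename check aborted: #{e.class} #{e.message}")
    ensure
      udp_sock.close if udp_sock
    end
  end
end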