2009-01-23 02:05:28 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
2010-04-29 04:47:47 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2009-01-23 02:05:28 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2009-01-23 02:05:28 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
# Order is important here
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Exploit::Remote::Ftp
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'FTP Bounce Port Scanner',
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Description' => %q{
|
|
|
|
Enumerate TCP services via the FTP bounce PORT/LIST
|
|
|
|
method, which can still come in handy every once in
|
|
|
|
a while (I know of a server that still allows this
|
|
|
|
just fine...).
|
|
|
|
},
|
2009-04-03 15:05:35 +00:00
|
|
|
'Author' => 'kris katterjohn',
|
2009-01-23 02:05:28 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]),
|
|
|
|
OptAddress.new('BOUNCEHOST', [true, "FTP relay host"]),
|
|
|
|
OptPort.new('BOUNCEPORT', [true, "FTP relay port", 21])
|
|
|
|
])
|
|
|
|
|
|
|
|
deregister_options('RHOST', 'RPORT')
|
|
|
|
end
|
|
|
|
|
2011-12-04 19:16:44 +00:00
|
|
|
# No IPv6 support yet
|
|
|
|
def support_ipv6?
|
|
|
|
false
|
|
|
|
end
|
2012-03-18 05:07:27 +00:00
|
|
|
|
2009-01-23 02:05:28 +00:00
|
|
|
def run_host(ip)
|
|
|
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
|
|
|
|
|
|
|
if ports.empty?
|
2010-07-25 21:37:54 +00:00
|
|
|
print_error("Error: No valid ports specified")
|
2009-01-23 02:05:28 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
datastore['RHOST'] = datastore['BOUNCEHOST']
|
|
|
|
datastore['RPORT'] = datastore['BOUNCEPORT']
|
|
|
|
|
|
|
|
return if not connect_login
|
|
|
|
|
|
|
|
ports.each do |port|
|
|
|
|
# Clear out the receive buffer since we're heavily dependent
|
|
|
|
# on the response codes. We need to do this between every
|
|
|
|
# port scan attempt unfortunately.
|
|
|
|
while true
|
|
|
|
r = self.sock.get(0.25)
|
|
|
|
break if not r or r.empty?
|
|
|
|
end
|
|
|
|
|
|
|
|
begin
|
|
|
|
host = (ip.split('.') + [port / 256, port % 256]).join(',')
|
|
|
|
|
2010-04-29 04:47:47 +00:00
|
|
|
resp = send_cmd(["PORT", host])
|
2009-01-23 02:05:28 +00:00
|
|
|
|
|
|
|
if resp =~ /^5/
|
|
|
|
#print_error("Got error from PORT to #{ip}:#{port}")
|
|
|
|
next
|
|
|
|
elsif not resp
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
2010-04-29 04:47:47 +00:00
|
|
|
resp = send_cmd(["LIST"])
|
2009-01-23 02:05:28 +00:00
|
|
|
|
|
|
|
if resp =~ /^[12]/
|
|
|
|
print_status(" TCP OPEN #{ip}:#{port}")
|
|
|
|
report_service(:host => ip, :port => port)
|
|
|
|
end
|
|
|
|
rescue ::Exception
|
2010-07-25 21:37:54 +00:00
|
|
|
print_error("Unknown error: #{$!}")
|
2009-01-23 02:05:28 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|