2005-11-11 01:49:02 +00:00
|
|
|
module Msf
|
|
|
|
|
|
|
|
|
|
require 'msf/core/exploit/tcp'
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# This module exposes methods that may be useful to exploits that deal with
|
|
|
|
|
# servers that speak the File Transfer Protocol (FTP).
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
module Exploit::Remote::Ftp
|
|
|
|
|
|
|
|
|
|
include Exploit::Remote::Tcp
|
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
|
# Creates an instance of an FTP exploit module.
|
|
|
|
|
#
|
2005-11-11 01:49:02 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super
|
|
|
|
|
|
|
|
|
|
# Register the options that all FTP exploits may make use of.
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RHOST,
|
|
|
|
|
Opt::RPORT(21),
|
2006-02-08 01:07:47 +00:00
|
|
|
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
|
|
|
|
|
OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
|
2005-11-11 01:49:02 +00:00
|
|
|
], Msf::Exploit::Remote::Ftp)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# This method establishes an FTP connection to host and port specified by
|
|
|
|
|
# the RHOST and RPORT options, respectively. After connecting, the banner
|
|
|
|
|
# message is read in and stored in the 'banner' attribute.
|
|
|
|
|
#
|
2006-02-18 17:12:25 +00:00
|
|
|
def connect(global = true, verbose = true)
|
|
|
|
|
print_status("Connecting to FTP server #{rhost}:#{rport}...") if verbose
|
2005-11-11 01:49:02 +00:00
|
|
|
|
2006-02-18 17:12:25 +00:00
|
|
|
fd = super(global)
|
2005-11-11 01:49:02 +00:00
|
|
|
|
|
|
|
|
# Wait for a banner to arrive...
|
2005-11-24 17:45:00 +00:00
|
|
|
self.banner = fd.get_once
|
2005-11-11 01:49:02 +00:00
|
|
|
|
2006-02-18 17:12:25 +00:00
|
|
|
print_status("Connected to target FTP server.") if verbose
|
2005-11-11 01:49:02 +00:00
|
|
|
|
|
|
|
|
# Return the file descriptor to the caller
|
|
|
|
|
fd
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Connect and login to the remote FTP server using the credentials
|
|
|
|
|
# that have been supplied in the exploit options.
|
|
|
|
|
#
|
2006-02-18 17:12:25 +00:00
|
|
|
def connect_login(global = true, verbose = true)
|
|
|
|
|
ftpsock = connect(global, verbose)
|
2005-11-11 01:49:02 +00:00
|
|
|
|
2005-12-05 05:00:27 +00:00
|
|
|
if (not (user and pass))
|
|
|
|
|
print_status("No username and password were supplied, unable to login")
|
|
|
|
|
return false
|
|
|
|
|
end
|
2005-11-11 01:49:02 +00:00
|
|
|
|
2006-02-18 17:12:25 +00:00
|
|
|
print_status("Authenticating as #{user} with password #{pass}...") if verbose
|
2005-12-05 05:00:27 +00:00
|
|
|
res = send_user(user, ftpsock)
|
|
|
|
|
|
|
|
|
|
if (res !~ /^(331|2)/)
|
2008-10-04 21:42:37 +00:00
|
|
|
print_status("The server rejected our username") if verbose
|
2005-12-05 05:00:27 +00:00
|
|
|
return false
|
|
|
|
|
end
|
2005-11-25 20:02:21 +00:00
|
|
|
|
2005-12-05 05:00:27 +00:00
|
|
|
if (pass)
|
2006-02-18 17:12:25 +00:00
|
|
|
print_status("Sending password...") if verbose
|
2005-12-05 05:00:27 +00:00
|
|
|
res = send_pass(pass, ftpsock)
|
|
|
|
|
if (res !~ /^2/)
|
2008-10-04 21:42:37 +00:00
|
|
|
print_status("The server rejected our password") if verbose
|
2005-12-05 05:00:27 +00:00
|
|
|
return false
|
2005-11-11 01:49:02 +00:00
|
|
|
end
|
|
|
|
|
end
|
2005-12-05 05:00:27 +00:00
|
|
|
|
|
|
|
|
return true
|
2005-11-11 01:49:02 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# This method logs in as the supplied user by transmitting the FTP
|
|
|
|
|
# 'USER <user>' command.
|
|
|
|
|
#
|
|
|
|
|
def send_user(user, nsock = self.sock)
|
2005-11-24 17:45:00 +00:00
|
|
|
raw_send_recv("USER #{user}\r\n", nsock)
|
2005-11-11 01:49:02 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# This method completes user authentication by sending the supplied
|
|
|
|
|
# password using the FTP 'PASS <pass>' command.
|
|
|
|
|
#
|
|
|
|
|
def send_pass(pass, nsock = self.sock)
|
2005-11-24 17:45:00 +00:00
|
|
|
raw_send_recv("PASS #{pass}\r\n", nsock)
|
2005-11-11 01:49:02 +00:00
|
|
|
end
|
2005-11-24 17:45:00 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# This method sends one command with zero or more parameters
|
|
|
|
|
#
|
|
|
|
|
def send_cmd(args, recv = true, nsock = self.sock)
|
2005-11-25 20:02:21 +00:00
|
|
|
cmd = args.join(" ") + "\r\n"
|
2005-11-24 17:45:00 +00:00
|
|
|
if (recv)
|
|
|
|
|
return raw_send_recv(cmd, nsock)
|
|
|
|
|
else
|
|
|
|
|
return raw_send(cmd, nsock)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2005-11-11 01:49:02 +00:00
|
|
|
#
|
2005-11-24 17:45:00 +00:00
|
|
|
# This method transmits a FTP command and waits for a response. If one is
|
2005-11-11 01:49:02 +00:00
|
|
|
# received, it is returned to the caller.
|
|
|
|
|
#
|
2005-11-24 17:45:00 +00:00
|
|
|
def raw_send_recv(cmd, nsock = self.sock)
|
|
|
|
|
nsock.put(cmd)
|
|
|
|
|
nsock.get_once
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# This method transmits a FTP command and does not wait for a response
|
|
|
|
|
#
|
2005-11-11 01:49:02 +00:00
|
|
|
def raw_send(cmd, nsock = self.sock)
|
|
|
|
|
nsock.put(cmd)
|
|
|
|
|
end
|
2005-11-24 17:45:00 +00:00
|
|
|
|
2005-11-11 01:49:02 +00:00
|
|
|
##
|
|
|
|
|
#
|
|
|
|
|
# Wrappers for getters
|
|
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
#
|
2006-02-08 01:07:47 +00:00
|
|
|
# Returns the user string from the 'FTPUSER' option.
|
2005-11-11 01:49:02 +00:00
|
|
|
#
|
|
|
|
|
def user
|
2006-02-08 01:07:47 +00:00
|
|
|
datastore['FTPUSER']
|
2005-11-11 01:49:02 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
2006-02-08 01:07:47 +00:00
|
|
|
# Returns the user string from the 'FTPPASS' option.
|
2005-11-11 01:49:02 +00:00
|
|
|
#
|
|
|
|
|
def pass
|
2006-02-08 01:07:47 +00:00
|
|
|
datastore['FTPPASS']
|
2005-11-11 01:49:02 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# This attribute holds the banner that was read in after a successful call
|
|
|
|
|
# to connect or connect_login.
|
|
|
|
|
#
|
|
|
|
|
attr_accessor :banner
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
