Adds support for exploitation over dialup via the new Telephony library.

git-svn-id: file:///home/svn/framework3/trunk@6120 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit.rb

@@ -240,6 +240,9 @@ class Exploit < Msf::Module
 	require 'msf/core/exploit/pop2'
 	require 'msf/core/exploit/tns'
 	
+	# Telephony
+	require 'msf/core/exploit/dialup'
+	
 	# Networks
 	require 'msf/core/exploit/lorcon'
 	require 'msf/core/exploit/capture'

lib/msf/core/exploit/dialup.rb

@@ -0,0 +1,100 @@
+require 'serialport'
+require 'telephony'
+
+
+module Msf
+
+module Exploit::Remote::Dialup
+
+	def initialize(info = {})
+		super
+
+		register_options(
+			[
+			OptInt.new(   'BAUDRATE',     [true, 'Baud Rate', 19200]),
+         OptEnum.new(  'DATABITS',     [true, 'Data Bits (4 is Windows Only)', '8', ['4', '5', '6', '7', '8'], '8']),
+         OptString.new('DIALPREFIX',   [true, 'Dial Prefix', 'ATDT *67, *70,']),
+         OptString.new('DIALSUFFIX',   [false, 'Dial Suffix', nil]),
+         OptInt.new(   'DIALTIMEOUT',  [true, 'Dial Timeout in seconds', 60]),
+         OptBool.new(  'DISPLAYMODEM', [true, 'Displays modem commands and responses on the console', false]),
+         OptEnum.new(  'FLOWCONTROL',  [true, 'Flow Control', 'None', ['None', 'Hardware', 'Software'], 'None']),
+         OptString.new('INITSTRING',   [true, 'Initialization String', 'AT X6 S11=80']),
+         OptString.new('NUMBER',       [true, 'Number to Dial (e.g. 1.800.950.9955, (202) 358-1234, 358.1234 etc.)', nil]),
+         OptEnum.new(  'PARITY',       [true, 'Parity (Mark & Space are Windows Only)', 'None', ['None', 'Even', 'Odd', 'Mark', 'Space'], 'None']),
+         OptString.new('SERIALPORT',   [true, 'Serial Port (e.g. 0 (COM1), 1 (COM2), /dev/ttyS0, etc.)', '/dev/ttyS0']),
+         OptEnum.new(  'STOPBITS',     [true, 'Stop Bits', '1', ['1', '2'], '1']),
+			], self.class)
+
+		deregister_options('RHOST')
+	end
+
+	# Opens the modem connection
+	def connect_dialup(global = true, opts={})
+		serialport = datastore['SERIALPORT']
+		baud       = datastore['BAUDRATE'].to_i
+		data_bits  = datastore['DATABITS'].to_i
+		stop_bits  = datastore['STOPBITS'].to_i
+		parity     = case datastore['PARITY']
+			when 'Even' : SerialPort::EVEN
+			when 'Odd'  : SerialPort::ODD
+			when 'Mark' : SerialPort::MARK
+			when 'Space': SerialPort::SPACE
+			else          SerialPort::NONE
+		end
+		initstring   = datastore['INITSTRING']
+		dialprefix   = datastore['DIALPREFIX']
+		dialsuffix   = datastore['DIALSUFFIX']
+		dialtimeout  = datastore['DIALTIMEOUT'].to_i
+      number       = datastore['NUMBER'].tr(' ', '')
+
+		modem = Telephony::Modem.new(serialport)
+		modem.params = {
+			'baud'      => baud,
+			'data_bits' => data_bits,
+			'parity'    => parity,
+			'stop_bits' => stop_bits
+		}
+		modem.display = datastore['DISPLAYMODEM']
+
+		print_status("Initializing Modem")
+		result = modem.put_command('ATZ', 3)
+		if result != 'OK'
+			print_error("Error resetting modem")
+			return
+		end
+		result = modem.put_command(initstring, 3)
+		if result != 'OK'
+			print_error("Error initializing modem")
+			return
+		end
+
+		print_status("Dialing: #{number} (#{dialtimeout} sec. timeout)")
+		dialstring = dialprefix + ' ' + number
+		dialstring += (' ' + dialsuffix) if dialsuffix
+
+		time = Time.now
+		result = modem.put_command(dialstring, dialtimeout)
+		while result =~ /RINGING/i
+			result = modem.get_response(dialtimeout-(Time.now-time))
+		end
+
+		case result
+			when /CONNECT/i:
+				print_status("Carrier: #{result}" )
+				return modem
+			else
+				#print_error("No Carrier")
+				disconnect_dialup(modem)
+				return nil
+		end
+
+	end
+
+	# Closes the modem connection 
+	def disconnect_dialup(modem)
+		modem.hangup
+		modem.close
+	end
+
+end
+end

lib/msf/core/handler/find_port.rb

@@ -146,4 +146,4 @@ protected
 end
 
 end
-end
+end

lib/msf/core/handler/find_tty.rb

@@ -0,0 +1,48 @@
+require 'msf/core/handler/find_port'
+
+module Msf
+module Handler
+
+###
+#
+# This handler expects a plain Unix command shell on the supplied socket
+#
+###
+module FindTty
+
+	include FindPort
+
+	#
+	# Returns the string representation of the handler type, in this case
+	# 'find_tag'.
+	#
+	def self.handler_type
+		return "find_shell"
+	end
+
+	#
+	# Returns the connection oriented general handler type, in this case
+	# 'find'.
+	#
+	def self.general_handler_type
+		"find"
+	end
+
+	#
+	# Remove the CPORT option from our included FindPort class
+	#
+	def initialize(info = {})
+		super
+		options.remove_option('CPORT')
+	end
+
+protected
+
+	def _check_shell(sock)
+		return true
+	end	  
+
+end
+
+end
+end

modules/exploits/test/dialup.rb

@@ -0,0 +1,67 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+require 'telephony'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::Dialup
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'Test Dialup Exploit',
+			'Description'	=> %q{
+				This exploit connects to a system's modem over dialup and provides
+				the user with a readout of the login banner.
+			},
+			'Version'	=> '$Revision: 1 $',
+			'Author'	=>
+				[
+					'I)ruid',
+				],
+			'Arch'		=> ARCH_CMD,
+			'Platform'	=> ['unix'],
+			'License'	=> MSF_LICENSE,
+         'Payload'        =>
+            {
+               'Space'    => 1000,
+               'BadChars' => '',
+					'DisableNops' => true,
+            },
+			'PayloadCompat' =>
+				{
+					'PayloadType' => 'cmd_tty',
+				},
+         'Targets'        =>
+            [
+               ['Automatic', { } ],
+            ],
+         'DefaultTarget' => 0
+		))
+
+	end
+
+	def exploit
+		# Connect to the system via dialup
+		modem = connect_dialup
+		if ! modem
+			print_error("Unable to connect.")
+			return
+		end
+
+		# Log in 
+
+		# Handoff to the shell handler
+		modem.display = false
+		handler(modem.sock)
+
+		disconnect_dialup(modem)
+	end
+
+end

modules/payloads/singles/cmd/unix/interact.rb

@@ -23,7 +23,7 @@ module Metasploit3
 		super(merge_info(info,
 			'Name'          => 'Unix Command, Interact with established connection',
 			'Version'       => '$Revision$',
-			'Description'   => 'Interacts with a shell on an established TCP connection',
+			'Description'   => 'Interacts with a shell on an established socket connection',
 			'Author'        => 'hdm',
 			'License'       => MSF_LICENSE,
 			'Platform'      => 'unix',
@@ -39,4 +39,4 @@ module Metasploit3
 			))
 	end
 
-end
+end

modules/payloads/singles/cmd/unix/interact_tty.rb

@@ -0,0 +1,42 @@
+##
+# $Id: interact.rb 5773 2008-10-19 21:03:39Z ramon $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/find_tty'
+require 'msf/base/sessions/command_shell'
+
+
+module Metasploit3
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Unix Command, Interact with established connection',
+			'Version'       => '$Revision: 5773 $',
+			'Description'   => 'Interacts with a TTY on an established socket connection',
+			'Author'        => 'hdm',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'unix',
+			'Arch'          => ARCH_CMD,
+			'Handler'       => Msf::Handler::FindTty,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadType'   => 'cmd_tty',
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+	end
+
+end