Adds support for exploitation over dialup via the new Telephony library.
git-svn-id: file:///home/svn/framework3/trunk@6120 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
4b3c8c3f33
commit
0d1ca42ed6
@ -240,6 +240,9 @@ class Exploit < Msf::Module
require 'msf/core/exploit/pop2'
require 'msf/core/exploit/tns'
|
# Telephony
require 'msf/core/exploit/dialup'
|
# Networks
require 'msf/core/exploit/lorcon'
require 'msf/core/exploit/capture'
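--- /dev/null
+++ b/<PATH not shown on page: Dialup exploit mixin>
@@ -0,0 +1,100 @@
+require 'serialport'
+require 'telephony'
+
+
+module Msf
+
+module Exploit::Remote::Dialup
+
+def initialize(info = {})
+super
+
+register_options(
+[
+OptInt.new( 'BAUDRATE', [true, 'Baud Rate', 19200]),
+OptEnum.new( 'DATABITS', [true, 'Data Bits (4 is Windows Only)', '8', ['4', '5', '6', '7', '8'], '8']),
+OptString.new('DIALPREFIX', [true, 'Dial Prefix', 'ATDT *67, *70,']),
+OptString.new('DIALSUFFIX', [false, 'Dial Suffix', nil]),
+OptInt.new( 'DIALTIMEOUT', [true, 'Dial Timeout in seconds', 60]),
+OptBool.new( 'DISPLAYMODEM', [true, 'Displays modem commands and responses on the console', false]),
+OptEnum.new( 'FLOWCONTROL', [true, 'Flow Control', 'None', ['None', 'Hardware', 'Software'], 'None']),
+OptString.new('INITSTRING', [true, 'Initialization String', 'AT X6 S11=80']),
+OptString.new('NUMBER', [true, 'Number to Dial (e.g. 1.800.950.9955, (202) 358-1234, 358.1234 etc.)', nil]),
+OptEnum.new( 'PARITY', [true, 'Parity (Mark & Space are Windows Only)', 'None', ['None', 'Even', 'Odd', 'Mark', 'Space'], 'None']),
+OptString.new('SERIALPORT', [true, 'Serial Port (e.g. 0 (COM1), 1 (COM2), /dev/ttyS0, etc.)', '/dev/ttyS0']),
+OptEnum.new( 'STOPBITS', [true, 'Stop Bits', '1', ['1', '2'], '1']),
+], self.class)
+
+deregister_options('RHOST')
+end
+
+# Opens the modem connection
+def connect_dialup(global = true, opts={})
+serialport = datastore['SERIALPORT']
+baud = datastore['BAUDRATE'].to_i
+data_bits = datastore['DATABITS'].to_i
+stop_bits = datastore['STOPBITS'].to_i
+parity = case datastore['PARITY']
+when 'Even' : SerialPort::EVEN
+when 'Odd' : SerialPort::ODD
+when 'Mark' : SerialPort::MARK
+when 'Space': SerialPort::SPACE
+else SerialPort::NONE
+end
+initstring = datastore['INITSTRING']
+dialprefix = datastore['DIALPREFIX']
+dialsuffix = datastore['DIALSUFFIX']
+dialtimeout = datastore['DIALTIMEOUT'].to_i
+number = datastore['NUMBER'].tr(' ', '')
+
+modem = Telephony::Modem.new(serialport)
+modem.params = {
+'baud' => baud,
+'data_bits' => data_bits,
+'parity' => parity,
+'stop_bits' => stop_bits
+}
+modem.display = datastore['DISPLAYMODEM']
+
+print_status("Initializing Modem")
+result = modem.put_command('ATZ', 3)
+if result != 'OK'
+print_error("Error resetting modem")
+return
+end
+result = modem.put_command(initstring, 3)
+if result != 'OK'
+print_error("Error initializing modem")
+return
+end
+
+print_status("Dialing: #{number} (#{dialtimeout} sec. timeout)")
+dialstring = dialprefix + ' ' + number
+dialstring += (' ' + dialsuffix) if dialsuffix
+
+time = Time.now
+result = modem.put_command(dialstring, dialtimeout)
+while result =~ /RINGING/i
+result = modem.get_response(dialtimeout-(Time.now-time))
+end
+
+case result
+when /CONNECT/i:
+print_status("Carrier: #{result}" )
+return modem
+else
+#print_error("No Carrier")
+disconnect_dialup(modem)
+return nil
+end
+
+end
+
+# Closes the modem connection
+def disconnect_dialup(modem)
+modem.hangup
+modem.close
+end
+
+end
+end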
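Review bot: Both early returns in connect_dialup leave the serial port open: when the `ATZ` reset or the INITSTRING command does not answer `OK`, the method prints an error and returns without closing `modem`, whereas the no-carrier branch at the bottom does call disconnect_dialup(modem). Adding `modem.close` before each of those two `return`s keeps the port from being held until the process exits (a plain close should suffice there, as no call has been placed yet). The `global` and `opts` parameters are never read in the body, so either use them or say so in the method comment, e.g. `# global/opts are currently unused — TODO confirm they are meant for parity with the other connect_* mixins`. The RINGING loop also hands `dialtimeout-(Time.now-time)` to get_response, which becomes negative once the deadline has passed; a `break if Time.now - time >= dialtimeout` before that call would keep the wait bounded by DIALTIMEOUT regardless of how the Telephony library treats a negative timeout.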
@ -146,4 +146,4 @@ protected
end
|
end
end
end
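--- /dev/null
+++ b/<PATH not shown on page: FindTty handler>
@@ -0,0 +1,48 @@
+require 'msf/core/handler/find_port'
+
+module Msf
+module Handler
+
+###
+#
+# This handler expects a plain Unix command shell on the supplied socket
+#
+###
+module FindTty
+
+include FindPort
+
+#
+# Returns the string representation of the handler type, in this case
+# 'find_tag'.
+#
+def self.handler_type
+return "find_shell"
+end
+
+#
+# Returns the connection oriented general handler type, in this case
+# 'find'.
+#
+def self.general_handler_type
+"find"
+end
+
+#
+# Remove the CPORT option from our included FindPort class
+#
+def initialize(info = {})
+super
+options.remove_option('CPORT')
+end
+
+protected
+
+def _check_shell(sock)
+return true
+end
+
+end
+
+end
+end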
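Review bot: The doc comment on handler_type says it returns 'find_tag' while the body returns "find_shell"; the comment should read `# 'find_shell'.`, or, if this module is meant to be distinguishable from the existing find_shell handler, the return value should be its own string such as "find_tty" rather than a duplicate of another handler type — worth confirming against how handler types are looked up. The module header was also carried over unchanged ("expects a plain Unix command shell on the supplied socket") and _check_shell returns true without inspecting `sock`, so the assumption that the caller already hands over a usable TTY is nowhere stated. A one-line comment on _check_shell such as `# No probe is sent; the socket is assumed to already carry a connected TTY (see Exploit::Remote::Dialup)` would make that explicit for the next reader.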
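--- /dev/null
+++ b/<PATH not shown on page: Test Dialup Exploit module>
@@ -0,0 +1,67 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+require 'telephony'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+include Msf::Exploit::Remote::Dialup
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Test Dialup Exploit',
+'Description' => %q{
+This exploit connects to a system's modem over dialup and provides
+the user with a readout of the login banner.
+},
+'Version' => '$Revision: 1 $',
+'Author' =>
+[
+'I)ruid',
+],
+'Arch' => ARCH_CMD,
+'Platform' => ['unix'],
+'License' => MSF_LICENSE,
+'Payload' =>
+{
+'Space' => 1000,
+'BadChars' => '',
+'DisableNops' => true,
+},
+'PayloadCompat' =>
+{
+'PayloadType' => 'cmd_tty',
+},
+'Targets' =>
+[
+['Automatic', { } ],
+],
+'DefaultTarget' => 0
+))
+
+end
+
+def exploit
+# Connect to the system via dialup
+modem = connect_dialup
+if ! modem
+print_error("Unable to connect.")
+return
+end
+
+# Log in
+
+# Handoff to the shell handler
+modem.display = false
+handler(modem.sock)
+
+disconnect_dialup(modem)
+end
+
+end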
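Review bot: In exploit, disconnect_dialup(modem) is only reached if handler(modem.sock) returns normally, so an exception raised during the handoff leaves the line up and the serial port open; wrapping it as `begin; handler(modem.sock); ensure; disconnect_dialup(modem); end` hangs up on every path. The `# Log in` comment is followed by no code, so the carrier is passed straight to the handler; either mark it `# TODO: no authentication step is performed yet` or remove it so a reader does not expect a login exchange here. The `$Revision: 1 $` value is a hard-coded number rather than the bare `$Revision$` keyword the sibling payload uses, which is worth checking against the repository's keyword-expansion convention.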
@ -23,7 +23,7 @@ module Metasploit3
super(merge_info(info,
'Name' => 'Unix Command, Interact with established connection',
'Version' => '$Revision$',
'Description' => 'Interacts with a shell on an established TCP connection',
'Description' => 'Interacts with a shell on an established socket connection',
'Author' => 'hdm',
'License' => MSF_LICENSE,
'Platform' => 'unix',
@ -39,4 +39,4 @@ module Metasploit3
))
end
|
end
end
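--- /dev/null
+++ b/<PATH not shown on page: cmd_tty interact payload>
@@ -0,0 +1,42 @@
+##
+# $Id: interact.rb 5773 2008-10-19 21:03:39Z ramon $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/find_tty'
+require 'msf/base/sessions/command_shell'
+
+
+module Metasploit3
+
+include Msf::Payload::Single
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Unix Command, Interact with established connection',
+'Version' => '$Revision: 5773 $',
+'Description' => 'Interacts with a TTY on an established socket connection',
+'Author' => 'hdm',
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Handler' => Msf::Handler::FindTty,
+'Session' => Msf::Sessions::CommandShell,
+'PayloadType' => 'cmd_tty',
+'Payload' =>
+{
+'Offsets' => { },
+'Payload' => ''
+}
+))
+end
+
+end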
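Review bot: The 'Name' value duplicates the existing interact payload's name verbatim ('Unix Command, Interact with established connection', visible in the earlier hunk of that file), so the two payloads cannot be told apart in a module listing; something like `'Name' => 'Unix Command, Interact with established TTY connection',` would match this module's own Description. The `$Id: interact.rb 5773 ...` header and `'Version' => '$Revision: 5773 $'` were also copied from that file and still carry its name and revision; using the bare `$Id$` and `$Revision$` keywords lets the new file receive its own expansion instead of advertising the source file's.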