module Msf require 'msf/core/exploit/tcp' ### # # This module exposes methods that may be useful to exploits that deal with # servers that speak the File Transfer Protocol (FTP). # ### module Exploit::Remote::Ftp include Exploit::Remote::Tcp # # Creates an instance of an FTP exploit module. # def initialize(info = {}) super # Register the options that all FTP exploits may make use of. register_options( [ Opt::RHOST, Opt::RPORT(21), OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']), OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com']) ], Msf::Exploit::Remote::Ftp) register_advanced_options( [ OptInt.new('FTPTimeout', [ true, 'The number of seconds to wait for a reply from an FTP command', 16]) ], Msf::Exploit::Remote::Ftp) register_autofilter_ports([ 21, 2121]) register_autofilter_services(%W{ ftp }) @ftpbuff = "" end # # This method establishes an FTP connection to host and port specified by # the RHOST and RPORT options, respectively. After connecting, the banner # message is read in and stored in the 'banner' attribute. # def connect(global = true, verbose = true) print_status("Connecting to FTP server #{rhost}:#{rport}...") if verbose fd = super(global) # Wait for a banner to arrive... self.banner = recv_ftp_resp(fd) print_status("Connected to target FTP server.") if verbose # Return the file descriptor to the caller fd end # # Connect and login to the remote FTP server using the credentials # that have been supplied in the exploit options. # def connect_login(global = true, verbose = true) ftpsock = connect(global, verbose) if !(user and pass) print_error("No username and password were supplied, unable to login") return false end print_status("Authenticating as #{user} with password #{pass}...") if verbose res = send_user(user, ftpsock) if (res !~ /^(331|2)/) print_error("The server rejected our username") if verbose return false end if (pass) print_status("Sending password...") if verbose res = send_pass(pass, ftpsock) if (res !~ /^2/) print_error("The server rejected our password") if verbose return false end end return true end # # This method logs in as the supplied user by transmitting the FTP # 'USER ' command. # def send_user(user, nsock = self.sock) raw_send("USER #{user}\r\n", nsock) recv_ftp_resp(nsock) end # # This method completes user authentication by sending the supplied # password using the FTP 'PASS ' command. # def send_pass(pass, nsock = self.sock) raw_send("PASS #{pass}\r\n", nsock) recv_ftp_resp(nsock) end # # This method sends a QUIT command. # def send_quit(nsock = self.sock) raw_send("QUIT\r\n", nsock) recv_ftp_resp(nsock) end # # This method sends one command with zero or more parameters # def send_cmd(args, recv = true, nsock = self.sock) cmd = args.join(" ") + "\r\n" ret = raw_send(cmd, nsock) if (recv) return recv_ftp_resp(nsock) end return ret end # # This method transmits a FTP command and waits for a response. If one is # received, it is returned to the caller. # def raw_send_recv(cmd, nsock = self.sock) nsock.put(cmd) nsock.get_once(-1, ftp_timeout) end # # This method reads an FTP response based on FTP continuation stuff # def recv_ftp_resp(nsock = self.sock) found_end = FALSE resp = "" left = "" if !@ftpbuff.empty? left << @ftpbuff @ftpbuff = "" end while TRUE data = nsock.get_once(-1, ftp_timeout) if not data @ftpbuff << resp @ftpbuff << left return data end got = left + data left = "" # handle the end w/o newline case enlidx = got.rindex(0x0a.chr) if enlidx != (got.length-1) if not enlidx left << got next else left << got.slice!((enlidx+1)..got.length) end end # split into lines rarr = got.split(/\r?\n/) rarr.each do |ln| if not found_end resp << ln resp << "\r\n" if ln.length > 3 and ln[3,1] == ' ' found_end = TRUE end else left << ln left << "\r\n" end end if found_end @ftpbuff << left return resp end end end # # This method transmits a FTP command and does not wait for a response # def raw_send(cmd, nsock = self.sock) nsock.put(cmd) end ## # # Wrappers for getters # ## # # Returns the user string from the 'FTPUSER' option. # def user datastore['FTPUSER'] end # # Returns the user string from the 'FTPPASS' option. # def pass datastore['FTPPASS'] end # # Returns the number of seconds to wait for a FTP reply # def ftp_timeout (datastore['FTPTimeout'] || 10).to_i end protected # # This attribute holds the banner that was read in after a successful call # to connect or connect_login. # attr_accessor :banner end end