metasploit-framework/lib/msf/core/exploit/tcp.rb

507 lines
10 KiB
Ruby

# -*- coding: binary -*-
module Msf
module EvasiveTCP
attr_accessor :_send_size, :_send_delay, :evasive
def denagle
begin
setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
rescue ::Exception
end
end
def write(buf, opts={})
return super(buf, opts) if not @evasive
ret = 0
idx = 0
len = @_send_size || buf.length
while(idx < buf.length)
if(@_send_delay and idx > 0)
::IO.select(nil, nil, nil, @_send_delay)
end
pkt = buf[idx, len]
res = super(pkt, opts)
flush()
idx += len
ret += res if res
end
ret
end
end
###
#
# This module provides methods for establish a connection to a remote host and
# communicating with it.
#
###
module Exploit::Remote::Tcp
#
# Initializes an instance of an exploit module that exploits a
# vulnerability in a TCP server.
#
def initialize(info = {})
super
register_options(
[
Opt::RHOST,
Opt::RPORT
], Msf::Exploit::Remote::Tcp
)
register_advanced_options(
[
OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
Opt::Proxies,
Opt::CPORT,
Opt::CHOST,
OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
], Msf::Exploit::Remote::Tcp
)
register_evasion_options(
[
OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size. (0 = disable)', 0]),
OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0])
], Msf::Exploit::Remote::Tcp
)
end
#
# Establishes a TCP connection to the specified RHOST/RPORT
#
# @see Rex::Socket::Tcp
# @see Rex::Socket::Tcp.create
def connect(global = true, opts={})
dossl = false
if(opts.has_key?('SSL'))
dossl = opts['SSL']
else
dossl = ssl
if (datastore.default?('SSL') and rport.to_i == 443)
dossl = true
end
end
nsock = Rex::Socket::Tcp.create(
'PeerHost' => opts['RHOST'] || rhost,
'PeerPort' => (opts['RPORT'] || rport).to_i,
'LocalHost' => opts['CHOST'] || chost || "0.0.0.0",
'LocalPort' => (opts['CPORT'] || cport || 0).to_i,
'SSL' => dossl,
'SSLVersion'=> opts['SSLVersion'] || ssl_version,
'Proxies' => proxies,
'Timeout' => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
# enable evasions on this socket
set_tcp_evasions(nsock)
# Set this socket to the global socket as necessary
self.sock = nsock if (global)
# Add this socket to the list of sockets created by this exploit
add_socket(nsock)
return nsock
end
# Enable evasions on a given client
def set_tcp_evasions(socket)
if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0)
return
end
return if socket.respond_to?('evasive')
socket.extend(EvasiveTCP)
if ( datastore['TCP::max_send_size'].to_i > 0)
socket._send_size = datastore['TCP::max_send_size']
socket.denagle
socket.evasive = true
end
if ( datastore['TCP::send_delay'].to_i > 0)
socket._send_delay = datastore['TCP::send_delay']
socket.evasive = true
end
end
def handler(nsock = self.sock)
# If the handler claims the socket, then we don't want it to get closed
# during cleanup
if ((rv = super) == Handler::Claimed)
if (nsock == self.sock)
self.sock = nil
end
# Remove this socket from the list of sockets so that it will not be
# aborted.
remove_socket(nsock)
end
return rv
end
#
# Closes the TCP connection
#
def disconnect(nsock = self.sock)
begin
if (nsock)
nsock.shutdown
nsock.close
end
rescue IOError
end
if (nsock == sock)
self.sock = nil
end
# Remove this socket from the list of sockets created by this exploit
remove_socket(nsock)
end
#
# Performs cleanup, disconnects the socket if necessary
#
def cleanup
super
disconnect
end
##
#
# Wrappers for getters
#
##
#
# Returns the target host
#
def rhost
datastore['RHOST']
end
#
# Returns the remote port
#
def rport
datastore['RPORT']
end
#
# Returns the local host
#
def lhost
datastore['LHOST']
end
#
# Returns the local port
#
def lport
datastore['LPORT']
end
#
# Returns the local host for outgoing connections
#
def chost
datastore['CHOST']
end
#
# Returns the local port for outgoing connections
#
def cport
datastore['CPORT']
end
#
# Returns the boolean indicating SSL
#
def ssl
datastore['SSL']
end
#
# Returns the string indicating SSLVersion
#
def ssl_version
datastore['SSLVersion']
end
#
# Returns the proxy configuration
#
def proxies
datastore['Proxies']
end
#
# Returns the TCP connection timeout
#
def connect_timeout
datastore['ConnectTimeout']
end
protected
attr_accessor :sock
end
###
#
# This mixin provides a generic interface for running a TCP server of some
# sort that is designed to exploit clients. Exploits that include this mixin
# automatically take a passive stance.
#
###
module Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Stance' => Msf::Exploit::Stance::Passive))
register_options(
[
OptBool.new('SSL', [ false, 'Negotiate SSL for incoming connections', false]),
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
OptAddress.new('SRVHOST', [ true, "The local host to listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]),
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
], Msf::Exploit::Remote::TcpServer)
register_advanced_options(
[
OptString.new('ListenerComm', [ false, 'The specific communication channel to use for this service']),
], Msf::Exploit::Remote::TcpServer)
register_evasion_options(
[
OptInt.new('TCP::max_send_size', [false, 'Maximum tcp segment size. (0 = disable)', 0]),
OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0])
], Msf::Exploit::Remote::Tcp
)
end
#
# This mixin overrides the exploit method so that it can initiate the
# service that corresponds with what the client has requested.
#
def exploit
start_service()
print_status("Server started.")
# Call the exploit primer
primer
# Wait on the service to stop
self.service.wait
end
#
# Primer method to call after starting service but before handling connections
#
def primer
end
#
# Stops the service, if one was created.
#
def cleanup
super
if(service)
stop_service()
print_status("Server stopped.")
end
end
#
# Called when a client connects.
#
def on_client_connect(client)
end
#
# Called when a client has data available for reading.
#
def on_client_data(client)
end
#
# Called when a client has disconnected.
#
def on_client_close(client)
end
#
# Starts the service.
#
def start_service(*args)
begin
comm = datastore['ListenerComm']
if comm == "local"
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
self.service = Rex::Socket::TcpServer.create(
'LocalHost' => srvhost,
'LocalPort' => srvport,
'SSL' => ssl,
'SSLCert' => ssl_cert,
'Comm' => comm,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
self.service.on_client_connect_proc = Proc.new { |client|
on_client_connect(client)
}
self.service.on_client_data_proc = Proc.new { |client|
on_client_data(client)
}
self.service.on_client_close_proc = Proc.new { |client|
on_client_close(client)
}
# Start the listening service
self.service.start
rescue ::Errno::EACCES => e
if (srvport.to_i < 1024)
print_line(" ")
print_error("Could not start the TCP server: #{e}.")
print_error(
"This module is configured to use a privileged TCP port (#{srvport}). " +
"On Unix systems, only the root user account is allowed to bind to privileged ports." +
"Please run the framework as root to use this module."
)
print_error(
"On Microsoft Windows systems, this error is returned when a process attempts to "+
"listen on a host/port combination that is already in use. For example, Windows XP "+
"will return this error if a process attempts to bind() over the system SMB/NetBIOS services."
)
print_line(" ")
end
raise e
end
end
#
# Stops the service.
#
def stop_service
if (service)
begin
self.service.deref if self.service.kind_of?(Rex::Service)
if self.service.kind_of?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::Exception
end
end
end
#
# Returns the local host that is being listened on.
#
def srvhost
datastore['SRVHOST']
end
#
# Returns the local port that is being listened on.
#
def srvport
datastore['SRVPORT']
end
#
# Returns the SSL option
#
def ssl
datastore['SSL']
end
#
# Returns the SSLCert option
#
def ssl_cert
datastore['SSLCert']
end
#
# Re-generates the payload, substituting the current RHOST and RPORT with
# the supplied client host and port from the socket.
#
def regenerate_payload(cli, arch = nil, platform = nil, target = nil)
ohost = datastore['RHOST']
oport = datastore['RPORT']
p = nil
begin
# Update the datastore with the supplied client peerhost/peerport
datastore['RHOST'] = cli.peerhost
datastore['RPORT'] = cli.peerport
if ((p = super(arch, platform, target)) == nil)
print_error("Failed to generate payload")
return nil
end
# Allow the payload to start a new handler
add_handler({
'RHOST' => datastore['RHOST'],
'RPORT' => datastore['RPORT']
})
ensure
datastore['RHOST'] = ohost
datastore['RPORT'] = oport
end
p
end
protected
attr_accessor :service # :nodoc:
end
end