metasploit-framework/lib/msf/core/exploit/ftp.rb

232 lines
4.7 KiB
Ruby

module Msf
require 'msf/core/exploit/tcp'
###
#
# This module exposes methods that may be useful to exploits that deal with
# servers that speak the File Transfer Protocol (FTP).
#
###
module Exploit::Remote::Ftp
include Exploit::Remote::Tcp
#
# Creates an instance of an FTP exploit module.
#
def initialize(info = {})
super
# Register the options that all FTP exploits may make use of.
register_options(
[
Opt::RHOST,
Opt::RPORT(21),
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
], Msf::Exploit::Remote::Ftp)
register_advanced_options(
[
OptInt.new('FTPTimeout', [ true, 'The number of seconds to wait for a reply from an FTP command', 10])
], Msf::Exploit::Remote::Ftp)
register_autofilter_ports([ 21, 2121])
register_autofilter_services(%W{ ftp })
@ftpbuff = ""
end
#
# This method establishes an FTP connection to host and port specified by
# the RHOST and RPORT options, respectively. After connecting, the banner
# message is read in and stored in the 'banner' attribute.
#
def connect(global = true, verbose = true)
print_status("Connecting to FTP server #{rhost}:#{rport}...") if verbose
fd = super(global)
# Wait for a banner to arrive...
self.banner = recv_ftp_resp(fd)
print_status("Connected to target FTP server.") if verbose
# Return the file descriptor to the caller
fd
end
#
# Connect and login to the remote FTP server using the credentials
# that have been supplied in the exploit options.
#
def connect_login(global = true, verbose = true)
ftpsock = connect(global, verbose)
if !(user and pass)
print_status("No username and password were supplied, unable to login")
return false
end
print_status("Authenticating as #{user} with password #{pass}...") if verbose
res = send_user(user, ftpsock)
if (res !~ /^(331|2)/)
print_status("The server rejected our username") if verbose
return false
end
if (pass)
print_status("Sending password...") if verbose
res = send_pass(pass, ftpsock)
if (res !~ /^2/)
print_status("The server rejected our password") if verbose
return false
end
end
return true
end
#
# This method logs in as the supplied user by transmitting the FTP
# 'USER <user>' command.
#
def send_user(user, nsock = self.sock)
raw_send("USER #{user}\r\n", nsock)
recv_ftp_resp(nsock)
end
#
# This method completes user authentication by sending the supplied
# password using the FTP 'PASS <pass>' command.
#
def send_pass(pass, nsock = self.sock)
raw_send("PASS #{pass}\r\n", nsock)
recv_ftp_resp(nsock)
end
#
# This method sends one command with zero or more parameters
#
def send_cmd(args, recv = true, nsock = self.sock)
cmd = args.join(" ") + "\r\n"
ret = raw_send(cmd, nsock)
if (recv)
return recv_ftp_resp(nsock)
end
return ret
end
#
# This method transmits a FTP command and waits for a response. If one is
# received, it is returned to the caller.
#
def raw_send_recv(cmd, nsock = self.sock)
nsock.put(cmd)
nsock.get_once(-1, ftp_timeout)
end
#
# This method reads an FTP response based on FTP continuation stuff
#
def recv_ftp_resp(nsock = self.sock)
found_end = FALSE
resp = ""
left = ""
if !@ftpbuff.empty?
left << @ftpbuff
@ftpbuff = ""
end
while TRUE
data = nsock.get_once(-1, ftp_timeout)
if not data
@ftpbuff << resp
@ftpbuff << left
return data
end
got = left + data
left = ""
# handle the end w/o newline case
enlidx = got.rindex(0x0a.chr)
if enlidx != (got.length-1)
if not enlidx
left << got
next
else
left << got.slice!((enlidx+1)..got.length)
end
end
# split into lines
rarr = got.split(/\r?\n/)
rarr.each do |ln|
if not found_end
resp << ln
resp << "\r\n"
if ln.length > 3 and ln[3,1] == ' '
found_end = TRUE
end
else
left << ln
left << "\r\n"
end
end
if found_end
@ftpbuff << left
return resp
end
end
end
#
# This method transmits a FTP command and does not wait for a response
#
def raw_send(cmd, nsock = self.sock)
nsock.put(cmd)
end
##
#
# Wrappers for getters
#
##
#
# Returns the user string from the 'FTPUSER' option.
#
def user
datastore['FTPUSER']
end
#
# Returns the user string from the 'FTPPASS' option.
#
def pass
datastore['FTPPASS']
end
#
# Returns the number of seconds to wait for a FTP reply
#
def ftp_timeout
(datastore['FTPTimeout'] || 10).to_i
end
protected
#
# This attribute holds the banner that was read in after a successful call
# to connect or connect_login.
#
attr_accessor :banner
end
end