metasploit-framework/modules/auxiliary/scanner/portscan/ftpbounce.rb

90 lines
2.0 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Order is important here
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::Ftp
def initialize
super(
'Name' => 'FTP Bounce Port Scanner',
'Description' => %q{
Enumerate TCP services via the FTP bounce PORT/LIST
method.
},
'Author' => 'kris katterjohn',
'License' => MSF_LICENSE
)
register_options([
OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]),
OptAddress.new('BOUNCEHOST', [true, "FTP relay host"]),
OptPort.new('BOUNCEPORT', [true, "FTP relay port", 21])
])
deregister_options('RHOST', 'RPORT')
end
# No IPv6 support yet
def support_ipv6?
false
end
def rhost
datastore['BOUNCEHOST']
end
def rport
datastore['BOUNCEPORT']
end
def run_host(ip)
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
raise Msf::OptionValidateError.new(['PORTS'])
end
return if not connect_login
ports.each do |port|
# Clear out the receive buffer since we're heavily dependent
# on the response codes. We need to do this between every
# port scan attempt unfortunately.
while true
r = sock.get_once(-1, 0.25)
break if not r or r.empty?
end
begin
host = (ip.split('.') + [port / 256, port % 256]).join(',')
resp = send_cmd(["PORT", host])
if resp =~ /^5/
#print_error("Got error from PORT to #{ip}:#{port}")
next
elsif not resp
next
end
resp = send_cmd(["LIST"])
if resp =~ /^[12]/
print_status(" TCP OPEN #{ip}:#{port}")
report_service(:host => ip, :port => port)
end
rescue ::Exception
print_error("Unknown error: #{$!}")
end
end
end
end