Module: Msf::Exploit::Remote::Tcp
- Included in:
- Auxiliary::Redis, AFP, Arkeia, DB2, DCERPC, DNS::Client, Ftp, Gdb, Imap, Java::Rmi::Client, MSSQL, MYSQL, NDMP, Pop2, RDP, RealPort, SMB::Client, SMB::Client::Psexec_MS17_010, SMTPDeliver, Smtp, SunRPC, TNS, Telnet, TincdExploitClient, Web, ZeroMQ
- Defined in:
- lib/msf/core/exploit/tcp.rb
Overview
This module provides methods for establish a connection to a remote host and communicating with it.
Instance Attribute Summary collapse
-
#sock ⇒ Object
protected
Returns the value of attribute sock.
Instance Method Summary collapse
-
#chost ⇒ Object
Returns the local host for outgoing connections.
-
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary.
-
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT.
-
#connect_timeout ⇒ Object
Returns the TCP connection timeout.
-
#cport ⇒ Object
Returns the local port for outgoing connections.
- #deregister_tcp_options ⇒ Object
-
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection.
- #handler(nsock = self.sock) ⇒ Object
-
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
-
#lhost ⇒ Object
Returns the local host.
-
#lport ⇒ Object
Returns the local port.
-
#peer ⇒ Object
Returns the rhost:rport.
- #print_prefix ⇒ Object
-
#proxies ⇒ Object
Returns the proxy configuration.
-
#rhost ⇒ Object
Returns the target host.
-
#rport ⇒ Object
Returns the remote port.
-
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client.
-
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection.
-
#ssl ⇒ Object
Returns the boolean indicating SSL.
-
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context.
-
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism.
-
#ssl_version ⇒ Object
Returns the string indicating SSLVersion.
Instance Attribute Details
#sock ⇒ Object (protected)
Returns the value of attribute sock
319 320 321 |
# File 'lib/msf/core/exploit/tcp.rb', line 319 def sock @sock end |
Instance Method Details
#chost ⇒ Object
Returns the local host for outgoing connections
231 232 233 |
# File 'lib/msf/core/exploit/tcp.rb', line 231 def chost datastore['CHOST'] end |
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary
205 206 207 208 |
# File 'lib/msf/core/exploit/tcp.rb', line 205 def cleanup super disconnect end |
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT
94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
# File 'lib/msf/core/exploit/tcp.rb', line 94 def connect(global = true, opts={}) dossl = false if(opts.has_key?('SSL')) dossl = opts['SSL'] else dossl = ssl if (datastore.default?('SSL') and rport.to_i == 443) dossl = true end end nsock = Rex::Socket::Tcp.create( 'PeerHost' => opts['RHOST'] || rhost, 'PeerPort' => (opts['RPORT'] || rport).to_i, 'LocalHost' => opts['CHOST'] || chost || "0.0.0.0", 'LocalPort' => (opts['CPORT'] || cport || 0).to_i, 'SSL' => dossl, 'SSLVersion' => opts['SSLVersion'] || ssl_version, 'SSLVerifyMode' => opts['SSLVerifyMode'] || ssl_verify_mode, 'SSLCipher' => opts['SSLCipher'] || ssl_cipher, 'Proxies' => proxies, 'Timeout' => (opts['ConnectTimeout'] || connect_timeout || 10).to_i, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, }) # enable evasions on this socket set_tcp_evasions(nsock) # Set this socket to the global socket as necessary self.sock = nsock if (global) # Add this socket to the list of sockets created by this exploit add_socket(nsock) return nsock end |
#connect_timeout ⇒ Object
Returns the TCP connection timeout
238 239 240 |
# File 'lib/msf/core/exploit/tcp.rb', line 238 def connect_timeout datastore['ConnectTimeout'] end |
#cport ⇒ Object
Returns the local port for outgoing connections
245 246 247 |
# File 'lib/msf/core/exploit/tcp.rb', line 245 def cport datastore['CPORT'] end |
#deregister_tcp_options ⇒ Object
85 86 87 |
# File 'lib/msf/core/exploit/tcp.rb', line 85 def ('RHOST', 'RPORT') end |
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection
185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 |
# File 'lib/msf/core/exploit/tcp.rb', line 185 def disconnect(nsock = self.sock) begin if (nsock) nsock.shutdown nsock.close end rescue IOError end if (nsock == sock) self.sock = nil end # Remove this socket from the list of sockets created by this exploit remove_socket(nsock) end |
#handler(nsock = self.sock) ⇒ Object
158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 |
# File 'lib/msf/core/exploit/tcp.rb', line 158 def handler(nsock = self.sock) # If the handler claims the socket, then we don't want it to get closed # during cleanup if ((rv = super) == Handler::Claimed) if (nsock == self.sock) self.sock = nil end # Remove this socket from the list of sockets so that it will not be # aborted. remove_socket(nsock) end return rv end |
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 |
# File 'lib/msf/core/exploit/tcp.rb', line 54 def initialize(info = {}) super ( [ Opt::RHOST, Opt::RPORT ], Msf::Exploit::Remote::Tcp ) ( [ OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), Opt::SSLVersion, OptEnum.new('SSLVerifyMode', [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]), OptString.new('SSLCipher', [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']), Opt::Proxies, Opt::CPORT, Opt::CHOST, OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10]) ], Msf::Exploit::Remote::Tcp ) ( [ OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size. (0 = disable)', 0]), OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0]) ], Msf::Exploit::Remote::Tcp ) end |
#lhost ⇒ Object
Returns the local host
252 253 254 |
# File 'lib/msf/core/exploit/tcp.rb', line 252 def lhost datastore['LHOST'] end |
#lport ⇒ Object
Returns the local port
259 260 261 |
# File 'lib/msf/core/exploit/tcp.rb', line 259 def lport datastore['LPORT'] end |
#peer ⇒ Object
Returns the rhost:rport
264 265 266 |
# File 'lib/msf/core/exploit/tcp.rb', line 264 def peer "#{rhost}:#{rport}" end |
#print_prefix ⇒ Object
210 211 212 213 214 215 216 217 218 219 220 |
# File 'lib/msf/core/exploit/tcp.rb', line 210 def print_prefix # Only inject a host/port prefix if we have exactly one entry. # Otherwise we are logging in the global context where rhost can be any # size (being an alias for rhosts), which is not very useful to insert into # a single log line. if rhost && rhost.split(' ').length == 1 super + peer + ' - ' else super end end |
#proxies ⇒ Object
Returns the proxy configuration
271 272 273 |
# File 'lib/msf/core/exploit/tcp.rb', line 271 def proxies datastore['Proxies'] end |
#rhost ⇒ Object
Returns the target host
278 279 280 |
# File 'lib/msf/core/exploit/tcp.rb', line 278 def rhost datastore['RHOST'] end |
#rport ⇒ Object
Returns the remote port
285 286 287 |
# File 'lib/msf/core/exploit/tcp.rb', line 285 def rport datastore['RPORT'] end |
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client
136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 |
# File 'lib/msf/core/exploit/tcp.rb', line 136 def set_tcp_evasions(socket) if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0) return end return if socket.respond_to?('evasive') socket.extend(EvasiveTCP) if ( datastore['TCP::max_send_size'].to_i > 0) socket._send_size = datastore['TCP::max_send_size'] socket.denagle socket.evasive = true end if ( datastore['TCP::send_delay'].to_i > 0) socket._send_delay = datastore['TCP::send_delay'] socket.evasive = true end end |
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection
177 178 179 180 |
# File 'lib/msf/core/exploit/tcp.rb', line 177 def shutdown(how = :SHUT_RDWR) self.sock.shutdown(how) if self.sock rescue IOError end |
#ssl ⇒ Object
Returns the boolean indicating SSL
292 293 294 |
# File 'lib/msf/core/exploit/tcp.rb', line 292 def ssl datastore['SSL'] end |
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context
313 314 315 |
# File 'lib/msf/core/exploit/tcp.rb', line 313 def ssl_cipher datastore['SSLCipher'] end |
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism
306 307 308 |
# File 'lib/msf/core/exploit/tcp.rb', line 306 def ssl_verify_mode datastore['SSLVerifyMode'] end |
#ssl_version ⇒ Object
Returns the string indicating SSLVersion
299 300 301 |
# File 'lib/msf/core/exploit/tcp.rb', line 299 def ssl_version datastore['SSLVersion'] end |