Module: Msf::Exploit::Remote::Tcp

Included in:

AFP, Arkeia, DB2, DCERPC, Ftp, Imap, MSSQL, MYSQL, NDMP, Pop2, RealPort, SMB, SMTPDeliver, Smtp, SunRPC, TNS, Telnet, Web

Defined in:

lib/msf/core/exploit/tcp.rb

Overview

This module provides methods for establish a connection to a remote host and communicating with it.

Instance Method Summary

• #chost ⇒ Object

  Returns the local host for outgoing connections.

• #cleanup ⇒ Object

  Performs cleanup, disconnects the socket if necessary.

• #connect(global = true, opts = {}) ⇒ Object

  Establishes a TCP connection to the specified RHOST/RPORT.

• #connect_timeout ⇒ Object

  Returns the TCP connection timeout.

• #cport ⇒ Object

  Returns the local port for outgoing connections.

• #disconnect(nsock = self.sock) ⇒ Object

  Closes the TCP connection.

• #handler(nsock = self.sock) ⇒ Object
• #initialize(info = {}) ⇒ Object

  Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.

• #lhost ⇒ Object

  Returns the local host.

• #lport ⇒ Object

  Returns the local port.

• #proxies ⇒ Object

  Returns the proxy configuration.

• #rhost ⇒ Object

  Returns the target host.

• #rport ⇒ Object

  Returns the remote port.

• #set_tcp_evasions(socket) ⇒ Object

  Enable evasions on a given client.

• #ssl ⇒ Object

  Returns the boolean indicating SSL.

• #ssl_version ⇒ Object

  Returns the string indicating SSLVersion.

Instance Method Details

#chost ⇒ Object

Returns the local host for outgoing connections

# File 'lib/msf/core/exploit/tcp.rb', line 231

def chost
  datastore['CHOST']
end

#cleanup ⇒ Object

Performs cleanup, disconnects the socket if necessary

# File 'lib/msf/core/exploit/tcp.rb', line 189

def cleanup
  super
  disconnect
end

#connect(global = true, opts = {}) ⇒ Object

Establishes a TCP connection to the specified RHOST/RPORT

See Also:

• Rex::Socket::Tcp
• Rex::Socket::Tcp.create

# File 'lib/msf/core/exploit/tcp.rb', line 88

def connect(global = true, opts={})

  dossl = false
  if(opts.has_key?('SSL'))
    dossl = opts['SSL']
  else
    dossl = ssl
    if (datastore.default?('SSL') and rport.to_i == 443)
      dossl = true
    end
  end

  nsock = Rex::Socket::Tcp.create(
    'PeerHost'   =>  opts['RHOST'] || rhost,
    'PeerPort'   => (opts['RPORT'] || rport).to_i,
    'LocalHost'  =>  opts['CHOST'] || chost || "0.0.0.0",
    'LocalPort'  => (opts['CPORT'] || cport || 0).to_i,
    'SSL'        =>  dossl,
    'SSLVersion' =>  opts['SSLVersion'] || ssl_version,
    'Proxies'    => proxies,
    'Timeout'    => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
    'Context'    =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })

  # enable evasions on this socket
  set_tcp_evasions(nsock)

  # Set this socket to the global socket as necessary
  self.sock = nsock if (global)

  # Add this socket to the list of sockets created by this exploit
  add_socket(nsock)

  return nsock
end

#connect_timeout ⇒ Object

Returns the TCP connection timeout

# File 'lib/msf/core/exploit/tcp.rb', line 266

def connect_timeout
  datastore['ConnectTimeout']
end

#cport ⇒ Object

Returns the local port for outgoing connections

# File 'lib/msf/core/exploit/tcp.rb', line 238

def cport
  datastore['CPORT']
end

#disconnect(nsock = self.sock) ⇒ Object

Closes the TCP connection

# File 'lib/msf/core/exploit/tcp.rb', line 169

def disconnect(nsock = self.sock)
  begin
    if (nsock)
      nsock.shutdown
      nsock.close
    end
  rescue IOError
  end

  if (nsock == sock)
    self.sock = nil
  end

  # Remove this socket from the list of sockets created by this exploit
  remove_socket(nsock)
end

#handler(nsock = self.sock) ⇒ Object

# File 'lib/msf/core/exploit/tcp.rb', line 150

def handler(nsock = self.sock)
  # If the handler claims the socket, then we don't want it to get closed
  # during cleanup
  if ((rv = super) == Handler::Claimed)
    if (nsock == self.sock)
      self.sock = nil
    end

    # Remove this socket from the list of sockets so that it will not be
    # aborted.
    remove_socket(nsock)
  end

  return rv
end

#initialize(info = {}) ⇒ Object

Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.

# File 'lib/msf/core/exploit/tcp.rb', line 52

def initialize(info = {})
  super

  register_options(
    [
      Opt::RHOST,
      Opt::RPORT
    ], Msf::Exploit::Remote::Tcp
  )

  register_advanced_options(
    [
      OptBool.new('SSL',        [ false, 'Negotiate SSL for outgoing connections', false]),
      OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
      OptEnum.new('SSLVerifyMode',  [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]),
      OptString.new('SSLCipher',    [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']),
      Opt::Proxies,
      Opt::CPORT,
      Opt::CHOST,
      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
    ], Msf::Exploit::Remote::Tcp
  )

  register_evasion_options(
    [
      OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size.  (0 = disable)', 0]),
      OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
    ], Msf::Exploit::Remote::Tcp
  )
end

#lhost ⇒ Object

Returns the local host

# File 'lib/msf/core/exploit/tcp.rb', line 217

def lhost
  datastore['LHOST']
end

#lport ⇒ Object

Returns the local port

# File 'lib/msf/core/exploit/tcp.rb', line 224

def lport
  datastore['LPORT']
end

#proxies ⇒ Object

Returns the proxy configuration

# File 'lib/msf/core/exploit/tcp.rb', line 259

def proxies
  datastore['Proxies']
end

#rhost ⇒ Object

Returns the target host

# File 'lib/msf/core/exploit/tcp.rb', line 203

def rhost
  datastore['RHOST']
end

#rport ⇒ Object

Returns the remote port

# File 'lib/msf/core/exploit/tcp.rb', line 210

def rport
  datastore['RPORT']
end

#set_tcp_evasions(socket) ⇒ Object

Enable evasions on a given client

# File 'lib/msf/core/exploit/tcp.rb', line 128

def set_tcp_evasions(socket)

  if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0)
    return
  end

  return if socket.respond_to?('evasive')

  socket.extend(EvasiveTCP)

  if ( datastore['TCP::max_send_size'].to_i > 0)
    socket._send_size = datastore['TCP::max_send_size']
    socket.denagle
    socket.evasive = true
  end

  if ( datastore['TCP::send_delay'].to_i > 0)
    socket._send_delay = datastore['TCP::send_delay']
    socket.evasive = true
  end
end

#ssl ⇒ Object

Returns the boolean indicating SSL

# File 'lib/msf/core/exploit/tcp.rb', line 245

def ssl
  datastore['SSL']
end

#ssl_version ⇒ Object

Returns the string indicating SSLVersion

# File 'lib/msf/core/exploit/tcp.rb', line 252

def ssl_version
  datastore['SSLVersion']
end