Module: Msf::Exploit::Remote::TcpServer

Includes:
SocketServer
Included in:
FtpServer, HttpServer, SMB::Server
Defined in:
lib/msf/core/exploit/remote/tcp_server.rb

Overview

This mixin provides a generic interface for running a TCP server of some sort that is designed to exploit clients. Exploits that include this mixin automatically take a passive stance.

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

Methods included from SocketServer

#_determine_server_comm, #cleanup, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #stop_service, #via_string_for_ip

Instance Method Details

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 16

# Sets up the datastore options that control the listening TCP service.
#
# Options are registered in three groups, each tagged with an owner:
# basic (SSL, SSLCert), advanced (ListenerComm, SSLCompression, SSLCipher)
# and evasion (TCP::max_send_size, TCP::send_delay).
#
# Security-relevant defaults visible here:
# * SSL defaults to false, so the listener is plaintext unless enabled.
# * SSLCompression defaults to false. TLS-level compression is associated
#   with compression side-channel leaks (CRIME-class), so leaving it off is
#   the safer setting.
# * SSLCipher has no default. The "ADH" example in its help text names
#   anonymous Diffie-Hellman suites, which do not authenticate the server.
#
# @param info [Hash] module information, forwarded unchanged by +super+
def initialize(info = {})
  super

  # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
  basic_opts = [
    OptBool.new('SSL', [false, 'Negotiate SSL for incoming connections', false]),
    OptPath.new('SSLCert', [false, 'Path to a custom SSL certificate (default is randomly generated)'])
  ]
  register_options(basic_opts, Msf::Exploit::Remote::TcpServer)

  advanced_opts = [
    OptString.new('ListenerComm', [false, 'The specific communication channel to use for this service']),
    OptBool.new('SSLCompression', [false, 'Enable SSL/TLS-level compression', false]),
    OptString.new('SSLCipher', [false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"'])
  ]
  register_advanced_options(advanced_opts, Msf::Exploit::Remote::TcpServer)

  # NOTE(review): the owner passed for this group is the Tcp mixin, not
  # TcpServer -- presumably so the option names are shared with the client
  # side; confirm before changing.
  evasion_opts = [
    OptInt.new('TCP::max_send_size', [false, 'Maximum tcp segment size.  (0 = disable)', 0]),
    OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
  ]
  register_evasion_options(evasion_opts, Msf::Exploit::Remote::Tcp)
end

#on_client_close(client) ⇒ Object

Called when a client has disconnected.


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 50

# Hook called when a client has disconnected.
#
# The default implementation does nothing; including modules override it to
# release any per-client state they keep.
#
# @param client the client connection that was closed
# @return [nil]
def on_client_close(client)
  nil
end

#on_client_connect(client) ⇒ Object

Called when a client connects.


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 44

# Hook called when a client connects.
#
# The default implementation does nothing; including modules override it to
# react to a new connection.
#
# @param client the newly connected client
# @return [nil]
def on_client_connect(client)
  nil
end

#ssl ⇒ Object

Returns the SSL option


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 115

# Reads the 'SSL' datastore option.
#
# @return the stored value of 'SSL'; when it is false or unset the listener
#   is not asked to negotiate SSL
def ssl
  options = datastore
  options['SSL']
end

#ssl_cert ⇒ Object

Returns the SSLCert option


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 122

# Reads the 'SSLCert' datastore option.
#
# @return the stored value of 'SSLCert' (a certificate path per the option's
#   help text), or nil when none was configured
def ssl_cert
  options = datastore
  options['SSLCert']
end

#ssl_cipher ⇒ Object

Returns the SSLCipher option


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 129

# Reads the 'SSLCipher' datastore option.
#
# The value is returned as stored; nothing here validates the cipher spec.
#
# @return the stored value of 'SSLCipher', or nil when none was configured
def ssl_cipher
  options = datastore
  options['SSLCipher']
end

#ssl_compression ⇒ Bool

Returns whether SSL/TLS-level compression is enabled.

Returns:

  • (Bool)

    whether SSL/TLS-level compression is enabled


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 134

# Reads the 'SSLCompression' datastore option.
#
# TLS-level compression is associated with compression side-channel leaks
# (CRIME-class), so a true value here is worth a second look in review.
#
# @return [Bool] whether SSL/TLS-level compression is enabled
def ssl_compression
  options = datastore
  options['SSLCompression']
end

#start_service(*args) ⇒ Object

Starts the service.


# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 56

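# Starts the service.
#
# Creates a Rex::Socket::TcpServer bound to srvhost:srvport with the SSL
# settings read from the datastore, routes its connect/data/close callbacks
# to this module's on_client_* hooks, starts listening and prints a status
# line.
#
# @param args [Array] accepted but not used by this implementation
# @return the return value of print_status
# @raise [Errno::EACCES] re-raised unchanged after guidance is printed; the
#   guidance is only printed when srvport is below 1024
def start_service(*args)
  begin
    comm = _determine_server_comm

    # The SSL-related values are passed through exactly as configured; any
    # validation of certificate path or cipher spec is left to the socket layer.
    self.service = Rex::Socket::TcpServer.create(
      'LocalHost'      => srvhost,
      'LocalPort'      => srvport,
      'SSL'            => ssl,
      'SSLCert'        => ssl_cert,
      'SSLCipher'      => ssl_cipher,
      'SSLCompression' => ssl_compression,
      'Comm'           => comm,
      'Context'        => {
        'Msf'        => framework,
        'MsfExploit' => self,
      }
    )

    # Non-lambda procs are kept on purpose: they tolerate the server calling
    # them with a different number of arguments.
    self.service.on_client_connect_proc = proc { |client| on_client_connect(client) }
    self.service.on_client_data_proc = proc { |client| on_client_data(client) }
    self.service.on_client_close_proc = proc { |client| on_client_close(client) }

    # Start the listening service
    self.service.start
  rescue ::Errno::EACCES => e
    if srvport.to_i < 1024
      # NOTE(review): the text below advises running the whole framework as
      # root. A lower-privilege alternative is to listen on an unprivileged
      # port and redirect the privileged one to it, or to grant only the
      # bind capability (CAP_NET_BIND_SERVICE on Linux) instead of full root.
      print_line(" ")
      print_error("Could not start the TCP server: #{e}.")
      # Each sentence ends with a trailing space so that the concatenated
      # message does not run sentences together ("ports.Please").
      print_error(
        "This module is configured to use a privileged TCP port (#{srvport}). " \
        "On Unix systems, only the root user account is allowed to bind to privileged ports. " \
        "Please run the framework as root to use this module."
      )
      print_error(
        "On Microsoft Windows systems, this error is returned when a process attempts to " \
        "listen on a host/port combination that is already in use. For example, Windows XP " \
        "will return this error if a process attempts to bind() over the system SMB/NetBIOS services."
      )
      print_line(" ")
    end
    # Re-raise the same exception so callers still see the bind failure.
    raise
  end

  via = via_string_for_ip(srvhost, comm)
  # IPv6 literals are bracketed so the trailing ":port" stays unambiguous.
  hoststr = Rex::Socket.is_ipv6?(srvhost) ? "[#{srvhost}]" : srvhost
  print_status("Started service listener on #{hoststr}:#{srvport} #{via}")
end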