Module: Msf::Exploit::Remote::NDMP

Includes:

Tcp

Defined in:

lib/msf/core/exploit/remote/ndmp.rb

Overview

This module exposes methods for accessing NDMP services

Instance Attribute Summary

• #recv_buff ⇒ Object

  Returns the value of attribute recv_buff.

Attributes included from Tcp

#sock

Instance Method Summary

• #connect ⇒ Object

  Flush the receive buffer on a new connection.

• #initialize(info = {}) ⇒ Object

  Creates an instance of a NDMP exploit module.

• #ndmp_info ⇒ Object

  This method dumps ndmp version information.

• #ndmp_recv(nsock = self.sock) ⇒ Object

  This method reads from the socket and parses out a single NDMP response, buffering the rest.

• #ndmp_send(data, nsock = self.sock) ⇒ Object

  This method tacks a length header on a packet then sends it out the socket.

Methods included from Tcp

#chost, #cleanup, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #replicant, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Attribute Details

#recv_buff ⇒ Object

Returns the value of attribute recv_buff.

# File 'lib/msf/core/exploit/remote/ndmp.rb', line 121

def recv_buff
  @recv_buff
end

Instance Method Details

#connect ⇒ Object

Flush the receive buffer on a new connection

# File 'lib/msf/core/exploit/remote/ndmp.rb', line 33

def connect
  super
  self.recv_buff = ''
end

#initialize(info = {}) ⇒ Object

Creates an instance of a NDMP exploit module.

# File 'lib/msf/core/exploit/remote/ndmp.rb', line 17

def initialize(info = {})
  super

  # Register the options that all NDMP exploits may make use of.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(10000),
    ], Msf::Exploit::Remote::NDMP)

  self.recv_buff = ''
end

#ndmp_info ⇒ Object

This method dumps ndmp version information

# File 'lib/msf/core/exploit/remote/ndmp.rb', line 41

def ndmp_info
  connect
  req = [
      1,               # Sequence number
      Time.now.to_i,   # Current time
      0,               # Message type (request)
      0x108,           # Message name (version)
      0,               # Reply sequence number
      0,               # Error status
    ].pack('NNNNNN')

  resp = ndmp_recv()
  ndmp_send(req)
  resp = ndmp_recv()
  disconnect

  if !(resp and resp.length > 28)
    return false
  end

  info = { }

  i = 32

  vend_len = resp[i, 4].unpack('N')[0]
  vend     = resp[i + 4, vend_len]
  i += vend_len + 4 + 1

  prod_len = resp[i, 4].unpack('N')[0]
  prod     = resp[i + 4, prod_len]
  i += prod_len + 4 + 1

  vers_len = resp[i, 4].unpack('N')[0]
  vers     = resp[i + 4, vers_len]
  i += vers_len + 4 + 1

  info['Version'] = vers
  info['Product'] = prod
  info['Vendor']  = vend

  return info
end

#ndmp_recv(nsock = self.sock) ⇒ Object

This method reads from the socket and parses out a single NDMP response, buffering the rest

# File 'lib/msf/core/exploit/remote/ndmp.rb', line 88

def ndmp_recv(nsock = self.sock)
  # Attempt to read at least four bytes (the length value)
  if (self.recv_buff.length < 4)
    self.recv_buff << ( sock.get_once( 4 - self.recv_buff.length, 5) || '' )
  end

  # If we did not receive a full length value, return early
  if (self.recv_buff.length < 4)
    return false
  end

  # Read the length header out of the message
  dlen = self.recv_buff[0, 4].unpack('N')[0] & 0x7fffffff

  # Read any pending data and append it to the buffer
  self.recv_buff << ( sock.get_once || '' )

  # Do we have the entire response message?
  if (self.recv_buff.length >= dlen + 4)
    return self.recv_buff.slice!(0, dlen + 4)
  end

  return false
end

#ndmp_send(data, nsock = self.sock) ⇒ Object

This method tacks a length header on a packet then sends it out the socket

# File 'lib/msf/core/exploit/remote/ndmp.rb', line 117

def ndmp_send(data, nsock = self.sock)
  nsock.put( [ data.length + 0x80000000 ].pack('N') + data )
end