Module: Msf::Exploit::Remote::Tcp
- Included in:
- Auxiliary::Redis, Auxiliary::Rocketmq, AFP, Arkeia, Asterisk, DB2, DCERPC, DNS::Client, Ftp, Gdb, Imap, Java::Rmi::Client, MSSQL, MYSQL, NDMP, Pop2, RDP, RealPort, SMB::Client, SMB::Client::Psexec_MS17_010, SMTPDeliver, Smtp, SunRPC, TNS, Telnet, TincdExploitClient, Web, ZeroMQ
- Defined in:
- lib/msf/core/exploit/remote/tcp.rb
Overview
This module provides methods for establish a connection to a remote host and communicating with it.
Instance Attribute Summary collapse
-
#sock ⇒ Object
protected
Returns the value of attribute sock.
Instance Method Summary collapse
-
#chost ⇒ Object
Returns the local host for outgoing connections.
-
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary.
-
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT.
-
#connect_timeout ⇒ Object
Returns the TCP connection timeout.
-
#cport ⇒ Object
Returns the local port for outgoing connections.
-
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection.
- #handler(nsock = self.sock) ⇒ Object
-
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
-
#lhost ⇒ Object
Returns the local host.
-
#lport ⇒ Object
Returns the local port.
-
#peer ⇒ Object
Returns the rhost:rport.
- #print_prefix ⇒ Object
-
#proxies ⇒ Object
Returns the proxy configuration.
- #replicant ⇒ Object
-
#rhost ⇒ Object
Returns the target host.
-
#rport ⇒ Object
Returns the remote port.
-
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client.
-
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection.
-
#ssl ⇒ Object
Returns the boolean indicating SSL.
-
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context.
-
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism.
-
#ssl_version ⇒ Object
Returns the string indicating SSLVersion.
Instance Attribute Details
#sock ⇒ Object (protected)
Returns the value of attribute sock.
327 328 329 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 327 def sock @sock end |
Instance Method Details
#chost ⇒ Object
Returns the local host for outgoing connections
239 240 241 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 239 def chost datastore['CHOST'] end |
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary
202 203 204 205 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 202 def cleanup super disconnect end |
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT
90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 90 def connect(global = true, opts={}) dossl = false if(opts.has_key?('SSL')) dossl = opts['SSL'] else dossl = ssl if (datastore.default?('SSL') and rport.to_i == 443) dossl = true end end nsock = Rex::Socket::Tcp.create( 'PeerHost' => opts['RHOST'] || rhost, 'PeerHostname' => opts['SSLServerNameIndication'] || opts['VHOST'] || opts['RHOSTNAME'], 'PeerPort' => (opts['RPORT'] || rport).to_i, 'LocalHost' => opts['CHOST'] || chost || "0.0.0.0", 'LocalPort' => (opts['CPORT'] || cport || 0).to_i, 'SSL' => dossl, 'SSLVersion' => opts['SSLVersion'] || ssl_version, 'SSLVerifyMode' => opts['SSLVerifyMode'] || ssl_verify_mode, 'SSLCipher' => opts['SSLCipher'] || ssl_cipher, 'Proxies' => proxies, 'Timeout' => (opts['ConnectTimeout'] || connect_timeout || 10).to_i, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, }) # enable evasions on this socket set_tcp_evasions(nsock) # Set this socket to the global socket as necessary self.sock = nsock if (global) # Add this socket to the list of sockets created by this exploit add_socket(nsock) return nsock end |
#connect_timeout ⇒ Object
Returns the TCP connection timeout
246 247 248 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 246 def connect_timeout datastore['ConnectTimeout'] end |
#cport ⇒ Object
Returns the local port for outgoing connections
253 254 255 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 253 def cport datastore['CPORT'] end |
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection
182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 182 def disconnect(nsock = self.sock) begin if (nsock) nsock.shutdown nsock.close end rescue IOError end if (nsock == sock) self.sock = nil end # Remove this socket from the list of sockets created by this exploit remove_socket(nsock) end |
#handler(nsock = self.sock) ⇒ Object
155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 155 def handler(nsock = self.sock) # If the handler claims the socket, then we don't want it to get closed # during cleanup if ((rv = super) == Handler::Claimed) if (nsock == self.sock) self.sock = nil end # Remove this socket from the list of sockets so that it will not be # aborted. remove_socket(nsock) end return rv end |
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 53 def initialize(info = {}) super ( [ Opt::RHOST, Opt::RPORT ], Msf::Exploit::Remote::Tcp ) ( [ OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]), Opt::SSLVersion, OptEnum.new('SSLVerifyMode', [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]), OptString.new('SSLCipher', [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']), Opt::Proxies, Opt::CPORT, Opt::CHOST, OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10]) ], Msf::Exploit::Remote::Tcp ) ( [ OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size. (0 = disable)', 0]), OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0]) ], Msf::Exploit::Remote::Tcp ) end |
#lhost ⇒ Object
Returns the local host
260 261 262 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 260 def lhost datastore['LHOST'] end |
#lport ⇒ Object
Returns the local port
267 268 269 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 267 def lport datastore['LPORT'] end |
#peer ⇒ Object
Returns the rhost:rport
272 273 274 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 272 def peer Rex::Socket.(rhost, rport) end |
#print_prefix ⇒ Object
207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 207 def print_prefix # Only inject a host/port prefix if we have exactly one entry. # Otherwise we are logging in the global context where rhost can be any # size (being an alias for rhosts), which is not very useful to insert into # a single log line. unless instance_variable_defined?(:@print_prefix) if rhost.present? && Rex::Socket::RangeWalker.new(rhost).length == 1 @print_prefix = peer + ' - ' else @print_prefix = '' end end super + @print_prefix end |
#proxies ⇒ Object
Returns the proxy configuration
279 280 281 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 279 def proxies datastore['Proxies'] end |
#replicant ⇒ Object
223 224 225 226 227 228 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 223 def replicant obj = super # invalidate the cached print_prefix in case the target changes obj.remove_instance_variable(:@print_prefix) if instance_variable_defined?(:@print_prefix) obj end |
#rhost ⇒ Object
Returns the target host
286 287 288 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 286 def rhost datastore['RHOST'] end |
#rport ⇒ Object
Returns the remote port
293 294 295 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 293 def rport datastore['RPORT'] end |
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 133 def set_tcp_evasions(socket) if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0) return end return if socket.respond_to?('evasive') socket.extend(EvasiveTCP) if ( datastore['TCP::max_send_size'].to_i > 0) socket._send_size = datastore['TCP::max_send_size'] socket.denagle socket.evasive = true end if ( datastore['TCP::send_delay'].to_i > 0) socket._send_delay = datastore['TCP::send_delay'] socket.evasive = true end end |
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection
174 175 176 177 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 174 def shutdown(how = :SHUT_RDWR) self.sock.shutdown(how) if self.sock rescue IOError end |
#ssl ⇒ Object
Returns the boolean indicating SSL
300 301 302 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 300 def ssl datastore['SSL'] end |
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context
321 322 323 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 321 def ssl_cipher datastore['SSLCipher'] end |
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism
314 315 316 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 314 def ssl_verify_mode datastore['SSLVerifyMode'] end |
#ssl_version ⇒ Object
Returns the string indicating SSLVersion
307 308 309 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 307 def ssl_version datastore['SSLVersion'] end |