Module: Msf::Exploit::Remote::Tcp

Included in:

Auxiliary::Redis, Auxiliary::Rocketmq, AFP, Arkeia, Asterisk, DB2, DCERPC, DNS::Client, Ftp, Gdb, Imap, Java::Rmi::Client, MSSQL, MYSQL, NDMP, Pop2, Postgres, RDP, RealPort, SMB::Client, SMB::Client::Psexec_MS17_010, SMTPDeliver, Smtp, SunRPC, TNS, Telnet, TincdExploitClient, Web, ZeroMQ

Defined in:

lib/msf/core/exploit/remote/tcp.rb

Overview

This module provides methods for establish a connection to a remote host and communicating with it.

Instance Attribute Summary

• #sock ⇒ Object protected

  Returns the value of attribute sock.

Instance Method Summary

• #chost ⇒ Object

  Returns the local host for outgoing connections.

• #cleanup ⇒ Object

  Performs cleanup, disconnects the socket if necessary.

• #connect(global = true, opts = {}) ⇒ Object

  Establishes a TCP connection to the specified RHOST/RPORT.

• #connect_timeout ⇒ Object

  Returns the TCP connection timeout.

• #cport ⇒ Object

  Returns the local port for outgoing connections.

• #disconnect(nsock = self.sock) ⇒ Object

  Closes the TCP connection.

• #handler(nsock = self.sock) ⇒ Object
• #initialize(info = {}) ⇒ Object

  Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.

• #lhost ⇒ Object

  Returns the local host.

• #lport ⇒ Object

  Returns the local port.

• #peer ⇒ Object

  Returns the rhost:rport.

• #print_prefix ⇒ Object
• #proxies ⇒ Object

  Returns the proxy configuration.

• #replicant ⇒ Object
• #rhost ⇒ Object

  Returns the target host.

• #rport ⇒ Object

  Returns the remote port.

• #set_tcp_evasions(socket) ⇒ Object

  Enable evasions on a given client.

• #shutdown(how = :SHUT_RDWR) ⇒ Object

  Shutdown the TCP connection.

• #ssl ⇒ Object

  Returns the boolean indicating SSL.

• #ssl_cipher ⇒ Object

  Returns the SSL cipher to use for the context.

• #ssl_verify_mode ⇒ Object

  Returns the SSL certification verification mechanism.

• #ssl_version ⇒ Object

  Returns the string indicating SSLVersion.

• #sslkeylogfile ⇒ String

  Returns the SSL key log file path.

Instance Attribute Details

#sock ⇒ Object (protected)

Returns the value of attribute sock.

# File 'lib/msf/core/exploit/remote/tcp.rb', line 338

def sock
  @sock
end

Instance Method Details

#chost ⇒ Object

Returns the local host for outgoing connections

# File 'lib/msf/core/exploit/remote/tcp.rb', line 242

def chost
  datastore['CHOST']
end

#cleanup ⇒ Object

Performs cleanup, disconnects the socket if necessary

# File 'lib/msf/core/exploit/remote/tcp.rb', line 205

def cleanup
  super
  disconnect
end

#connect(global = true, opts = {}) ⇒ Object

Establishes a TCP connection to the specified RHOST/RPORT

See Also:

• Rex::Socket::Tcp
• Rex::Socket::Tcp.create

# File 'lib/msf/core/exploit/remote/tcp.rb', line 91

def connect(global = true, opts={})

  dossl = false
  if(opts.has_key?('SSL'))
    dossl = opts['SSL']
  else
    dossl = ssl
    if (datastore.default?('SSL') and rport.to_i == 443)
      dossl = true
    end
  end

  nsock = Rex::Socket::Tcp.create(
    'PeerHost'      =>  opts['RHOST'] || rhost,
    'PeerHostname'  =>  opts['SSLServerNameIndication'] || opts['VHOST'] || opts['RHOSTNAME'],
    'PeerPort'      => (opts['RPORT'] || rport).to_i,
    'LocalHost'     =>  opts['CHOST'] || chost || "0.0.0.0",
    'LocalPort'     => (opts['CPORT'] || cport || 0).to_i,
    'SSL'           =>  dossl,
    'SSLVersion'    =>  opts['SSLVersion'] || ssl_version,
    'SSLVerifyMode' =>  opts['SSLVerifyMode'] || ssl_verify_mode,
    'SSLKeyLogFile' =>  opts['SSLKeyLogFile'] || sslkeylogfile,
    'SSLCipher'     =>  opts['SSLCipher'] || ssl_cipher,
    'Proxies'       => proxies,
    'Timeout'       => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
    'Comm'          =>  opts['Comm'],
    'Context'       =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })

  # enable evasions on this socket
  set_tcp_evasions(nsock)

  # Set this socket to the global socket as necessary
  self.sock = nsock if (global)

  # Add this socket to the list of sockets created by this exploit
  add_socket(nsock)

  return nsock
end

#connect_timeout ⇒ Object

Returns the TCP connection timeout

# File 'lib/msf/core/exploit/remote/tcp.rb', line 249

def connect_timeout
  datastore['ConnectTimeout']
end

#cport ⇒ Object

Returns the local port for outgoing connections

# File 'lib/msf/core/exploit/remote/tcp.rb', line 256

def cport
  datastore['CPORT']
end

#disconnect(nsock = self.sock) ⇒ Object

Closes the TCP connection

# File 'lib/msf/core/exploit/remote/tcp.rb', line 185

def disconnect(nsock = self.sock)
  begin
    if (nsock)
      nsock.shutdown
      nsock.close
    end
  rescue IOError
  end

  if (nsock == sock)
    self.sock = nil
  end

  # Remove this socket from the list of sockets created by this exploit
  remove_socket(nsock)
end

#handler(nsock = self.sock) ⇒ Object

# File 'lib/msf/core/exploit/remote/tcp.rb', line 158

def handler(nsock = self.sock)
  # If the handler claims the socket, then we don't want it to get closed
  # during cleanup
  if ((rv = super) == Handler::Claimed)
    if (nsock == self.sock)
      self.sock = nil
    end

    # Remove this socket from the list of sockets so that it will not be
    # aborted.
    remove_socket(nsock)
  end

  return rv
end

#initialize(info = {}) ⇒ Object

Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.

# File 'lib/msf/core/exploit/remote/tcp.rb', line 53

def initialize(info = {})
  super

  register_options(
    [
      Opt::RHOST,
      Opt::RPORT
    ], Msf::Exploit::Remote::Tcp
  )

  register_advanced_options(
    [
      OptBool.new('SSL',        [ false, 'Negotiate SSL/TLS for outgoing connections', false]),
      OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]),
      Opt::SSLVersion,
      OptEnum.new('SSLVerifyMode',  [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]),
      OptString.new('SSLCipher',    [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']),
      OptString.new('SSLKeyLogFile', [ false, 'The SSL key log file', ENV['SSLKeyLogFile']]),
      Opt::Proxies,
      Opt::CPORT,
      Opt::CHOST,
      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
    ], Msf::Exploit::Remote::Tcp
  )

  register_evasion_options(
    [
      OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size.  (0 = disable)', 0]),
      OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
    ], Msf::Exploit::Remote::Tcp
  )
end

#lhost ⇒ Object

Returns the local host

# File 'lib/msf/core/exploit/remote/tcp.rb', line 263

def lhost
  datastore['LHOST']
end

#lport ⇒ Object

Returns the local port

# File 'lib/msf/core/exploit/remote/tcp.rb', line 270

def lport
  datastore['LPORT']
end

#peer ⇒ Object

Returns the rhost:rport

# File 'lib/msf/core/exploit/remote/tcp.rb', line 275

def peer
  Rex::Socket.to_authority(rhost, rport)
end

#print_prefix ⇒ Object

# File 'lib/msf/core/exploit/remote/tcp.rb', line 210

def print_prefix
  # Only inject a host/port prefix if we have exactly one entry.
  # Otherwise we are logging in the global context where rhost can be any
  # size (being an alias for rhosts), which is not very useful to insert into
  # a single log line.
  unless instance_variable_defined?(:@print_prefix)
    if rhost.present? && Rex::Socket::RangeWalker.new(rhost).length == 1
      @print_prefix = peer + ' - '
    else
      @print_prefix = ''
    end
  end

  super + @print_prefix
end

#proxies ⇒ Object

Returns the proxy configuration

# File 'lib/msf/core/exploit/remote/tcp.rb', line 282

def proxies
  datastore['Proxies']
end

#replicant ⇒ Object

# File 'lib/msf/core/exploit/remote/tcp.rb', line 226

def replicant
  obj = super
  # invalidate the cached print_prefix in case the target changes
  obj.remove_instance_variable(:@print_prefix) if instance_variable_defined?(:@print_prefix)
  obj
end

#rhost ⇒ Object

Returns the target host

# File 'lib/msf/core/exploit/remote/tcp.rb', line 289

def rhost
  datastore['RHOST']
end

#rport ⇒ Object

Returns the remote port

# File 'lib/msf/core/exploit/remote/tcp.rb', line 296

def rport
  datastore['RPORT']
end

#set_tcp_evasions(socket) ⇒ Object

Enable evasions on a given client

# File 'lib/msf/core/exploit/remote/tcp.rb', line 136

def set_tcp_evasions(socket)

  if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0)
    return
  end

  return if socket.respond_to?('evasive')

  socket.extend(EvasiveTCP)

  if ( datastore['TCP::max_send_size'].to_i > 0)
    socket._send_size = datastore['TCP::max_send_size']
    socket.denagle
    socket.evasive = true
  end

  if ( datastore['TCP::send_delay'].to_i > 0)
    socket._send_delay = datastore['TCP::send_delay']
    socket.evasive = true
  end
end

#shutdown(how = :SHUT_RDWR) ⇒ Object

Shutdown the TCP connection

# File 'lib/msf/core/exploit/remote/tcp.rb', line 177

def shutdown(how = :SHUT_RDWR)
  self.sock.shutdown(how) if self.sock
rescue IOError
end

#ssl ⇒ Object

Returns the boolean indicating SSL

# File 'lib/msf/core/exploit/remote/tcp.rb', line 303

def ssl
  datastore['SSL']
end

#ssl_cipher ⇒ Object

Returns the SSL cipher to use for the context

# File 'lib/msf/core/exploit/remote/tcp.rb', line 332

def ssl_cipher
  datastore['SSLCipher']
end

#ssl_verify_mode ⇒ Object

Returns the SSL certification verification mechanism

# File 'lib/msf/core/exploit/remote/tcp.rb', line 317

def ssl_verify_mode
  datastore['SSLVerifyMode']
end

#ssl_version ⇒ Object

Returns the string indicating SSLVersion

# File 'lib/msf/core/exploit/remote/tcp.rb', line 310

def ssl_version
  datastore['SSLVersion']
end

#sslkeylogfile ⇒ String

Returns the SSL key log file path

Returns:

• (String)

# File 'lib/msf/core/exploit/remote/tcp.rb', line 325

def sslkeylogfile
  datastore['SSLKeyLogFile']
end