Module: Msf::Exploit::Remote::Tcp

Overview

This module provides methods for establish a connection to a remote host and communicating with it.

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#sockObject (protected)

Returns the value of attribute sock.



327
328
329
# File 'lib/msf/core/exploit/remote/tcp.rb', line 327

def sock
  @sock
end

Instance Method Details

#chostObject

Returns the local host for outgoing connections



239
240
241
# File 'lib/msf/core/exploit/remote/tcp.rb', line 239

def chost
  datastore['CHOST']
end

#cleanupObject

Performs cleanup, disconnects the socket if necessary



202
203
204
205
# File 'lib/msf/core/exploit/remote/tcp.rb', line 202

def cleanup
  super
  disconnect
end

#connect(global = true, opts = {}) ⇒ Object

Establishes a TCP connection to the specified RHOST/RPORT

See Also:

  • Rex::Socket::Tcp
  • Rex::Socket::Tcp.create


90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# File 'lib/msf/core/exploit/remote/tcp.rb', line 90

def connect(global = true, opts={})

  dossl = false
  if(opts.has_key?('SSL'))
    dossl = opts['SSL']
  else
    dossl = ssl
    if (datastore.default?('SSL') and rport.to_i == 443)
      dossl = true
    end
  end

  nsock = Rex::Socket::Tcp.create(
    'PeerHost'      =>  opts['RHOST'] || rhost,
    'PeerHostname'  =>  opts['SSLServerNameIndication'] || opts['VHOST'] || opts['RHOSTNAME'],
    'PeerPort'      => (opts['RPORT'] || rport).to_i,
    'LocalHost'     =>  opts['CHOST'] || chost || "0.0.0.0",
    'LocalPort'     => (opts['CPORT'] || cport || 0).to_i,
    'SSL'           =>  dossl,
    'SSLVersion'    =>  opts['SSLVersion'] || ssl_version,
    'SSLVerifyMode' =>  opts['SSLVerifyMode'] || ssl_verify_mode,
    'SSLCipher'     =>  opts['SSLCipher'] || ssl_cipher,
    'Proxies'       => proxies,
    'Timeout'       => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
    'Context'       =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })

  # enable evasions on this socket
  set_tcp_evasions(nsock)

  # Set this socket to the global socket as necessary
  self.sock = nsock if (global)

  # Add this socket to the list of sockets created by this exploit
  add_socket(nsock)

  return nsock
end

#connect_timeoutObject

Returns the TCP connection timeout



246
247
248
# File 'lib/msf/core/exploit/remote/tcp.rb', line 246

def connect_timeout
  datastore['ConnectTimeout']
end

#cportObject

Returns the local port for outgoing connections



253
254
255
# File 'lib/msf/core/exploit/remote/tcp.rb', line 253

def cport
  datastore['CPORT']
end

#disconnect(nsock = self.sock) ⇒ Object

Closes the TCP connection



182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# File 'lib/msf/core/exploit/remote/tcp.rb', line 182

def disconnect(nsock = self.sock)
  begin
    if (nsock)
      nsock.shutdown
      nsock.close
    end
  rescue IOError
  end

  if (nsock == sock)
    self.sock = nil
  end

  # Remove this socket from the list of sockets created by this exploit
  remove_socket(nsock)
end

#handler(nsock = self.sock) ⇒ Object



155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
# File 'lib/msf/core/exploit/remote/tcp.rb', line 155

def handler(nsock = self.sock)
  # If the handler claims the socket, then we don't want it to get closed
  # during cleanup
  if ((rv = super) == Handler::Claimed)
    if (nsock == self.sock)
      self.sock = nil
    end

    # Remove this socket from the list of sockets so that it will not be
    # aborted.
    remove_socket(nsock)
  end

  return rv
end

#initialize(info = {}) ⇒ Object

Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.



53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# File 'lib/msf/core/exploit/remote/tcp.rb', line 53

def initialize(info = {})
  super

  register_options(
    [
      Opt::RHOST,
      Opt::RPORT
    ], Msf::Exploit::Remote::Tcp
  )

  register_advanced_options(
    [
      OptBool.new('SSL',        [ false, 'Negotiate SSL/TLS for outgoing connections', false]),
      OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]),
      Opt::SSLVersion,
      OptEnum.new('SSLVerifyMode',  [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]),
      OptString.new('SSLCipher',    [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']),
      Opt::Proxies,
      Opt::CPORT,
      Opt::CHOST,
      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
    ], Msf::Exploit::Remote::Tcp
  )

  register_evasion_options(
    [
      OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size.  (0 = disable)', 0]),
      OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
    ], Msf::Exploit::Remote::Tcp
  )
end

#lhostObject

Returns the local host



260
261
262
# File 'lib/msf/core/exploit/remote/tcp.rb', line 260

def lhost
  datastore['LHOST']
end

#lportObject

Returns the local port



267
268
269
# File 'lib/msf/core/exploit/remote/tcp.rb', line 267

def lport
  datastore['LPORT']
end

#peerObject

Returns the rhost:rport



272
273
274
# File 'lib/msf/core/exploit/remote/tcp.rb', line 272

def peer
  Rex::Socket.to_authority(rhost, rport)
end


207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
# File 'lib/msf/core/exploit/remote/tcp.rb', line 207

def print_prefix
  # Only inject a host/port prefix if we have exactly one entry.
  # Otherwise we are logging in the global context where rhost can be any
  # size (being an alias for rhosts), which is not very useful to insert into
  # a single log line.
  unless instance_variable_defined?(:@print_prefix)
    if rhost.present? && Rex::Socket::RangeWalker.new(rhost).length == 1
      @print_prefix = peer + ' - '
    else
      @print_prefix = ''
    end
  end

  super + @print_prefix
end

#proxiesObject

Returns the proxy configuration



279
280
281
# File 'lib/msf/core/exploit/remote/tcp.rb', line 279

def proxies
  datastore['Proxies']
end

#replicantObject



223
224
225
226
227
228
# File 'lib/msf/core/exploit/remote/tcp.rb', line 223

def replicant
  obj = super
  # invalidate the cached print_prefix in case the target changes
  obj.remove_instance_variable(:@print_prefix) if instance_variable_defined?(:@print_prefix)
  obj
end

#rhostObject

Returns the target host



286
287
288
# File 'lib/msf/core/exploit/remote/tcp.rb', line 286

def rhost
  datastore['RHOST']
end

#rportObject

Returns the remote port



293
294
295
# File 'lib/msf/core/exploit/remote/tcp.rb', line 293

def rport
  datastore['RPORT']
end

#set_tcp_evasions(socket) ⇒ Object

Enable evasions on a given client



133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# File 'lib/msf/core/exploit/remote/tcp.rb', line 133

def set_tcp_evasions(socket)

  if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0)
    return
  end

  return if socket.respond_to?('evasive')

  socket.extend(EvasiveTCP)

  if ( datastore['TCP::max_send_size'].to_i > 0)
    socket._send_size = datastore['TCP::max_send_size']
    socket.denagle
    socket.evasive = true
  end

  if ( datastore['TCP::send_delay'].to_i > 0)
    socket._send_delay = datastore['TCP::send_delay']
    socket.evasive = true
  end
end

#shutdown(how = :SHUT_RDWR) ⇒ Object

Shutdown the TCP connection



174
175
176
177
# File 'lib/msf/core/exploit/remote/tcp.rb', line 174

def shutdown(how = :SHUT_RDWR)
  self.sock.shutdown(how) if self.sock
rescue IOError
end

#sslObject

Returns the boolean indicating SSL



300
301
302
# File 'lib/msf/core/exploit/remote/tcp.rb', line 300

def ssl
  datastore['SSL']
end

#ssl_cipherObject

Returns the SSL cipher to use for the context



321
322
323
# File 'lib/msf/core/exploit/remote/tcp.rb', line 321

def ssl_cipher
  datastore['SSLCipher']
end

#ssl_verify_modeObject

Returns the SSL certification verification mechanism



314
315
316
# File 'lib/msf/core/exploit/remote/tcp.rb', line 314

def ssl_verify_mode
  datastore['SSLVerifyMode']
end

#ssl_versionObject

Returns the string indicating SSLVersion



307
308
309
# File 'lib/msf/core/exploit/remote/tcp.rb', line 307

def ssl_version
  datastore['SSLVersion']
end