Module: Msf::Exploit::Remote::Tcp
- Included in:
- Auxiliary::Redis, Auxiliary::Rocketmq, AFP, Arkeia, Asterisk, DB2, DCERPC, DNS::Client, Ftp, Gdb, Imap, Java::Rmi::Client, MSSQL, MYSQL, NDMP, Pop2, RDP, RealPort, SMB::Client, SMB::Client::Psexec_MS17_010, SMTPDeliver, Smtp, SunRPC, TNS, Telnet, TincdExploitClient, Web, ZeroMQ
- Defined in:
- lib/msf/core/exploit/remote/tcp.rb
Overview
This module provides methods for establish a connection to a remote host and communicating with it.
Instance Attribute Summary collapse
-
#sock ⇒ Object
protected
Returns the value of attribute sock.
Instance Method Summary collapse
-
#chost ⇒ Object
Returns the local host for outgoing connections.
-
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary.
-
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT.
-
#connect_timeout ⇒ Object
Returns the TCP connection timeout.
-
#cport ⇒ Object
Returns the local port for outgoing connections.
-
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection.
- #handler(nsock = self.sock) ⇒ Object
-
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
-
#lhost ⇒ Object
Returns the local host.
-
#lport ⇒ Object
Returns the local port.
-
#peer ⇒ Object
Returns the rhost:rport.
- #print_prefix ⇒ Object
-
#proxies ⇒ Object
Returns the proxy configuration.
- #replicant ⇒ Object
-
#rhost ⇒ Object
Returns the target host.
-
#rport ⇒ Object
Returns the remote port.
-
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client.
-
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection.
-
#ssl ⇒ Object
Returns the boolean indicating SSL.
-
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context.
-
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism.
-
#ssl_version ⇒ Object
Returns the string indicating SSLVersion.
-
#sslkeylogfile ⇒ String
Returns the SSL key log file path.
Instance Attribute Details
#sock ⇒ Object (protected)
Returns the value of attribute sock.
337 338 339 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 337 def sock @sock end |
Instance Method Details
#chost ⇒ Object
Returns the local host for outgoing connections
241 242 243 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 241 def chost datastore['CHOST'] end |
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary
204 205 206 207 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 204 def cleanup super disconnect end |
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 91 def connect(global = true, opts={}) dossl = false if(opts.has_key?('SSL')) dossl = opts['SSL'] else dossl = ssl if (datastore.default?('SSL') and rport.to_i == 443) dossl = true end end nsock = Rex::Socket::Tcp.create( 'PeerHost' => opts['RHOST'] || rhost, 'PeerHostname' => opts['SSLServerNameIndication'] || opts['VHOST'] || opts['RHOSTNAME'], 'PeerPort' => (opts['RPORT'] || rport).to_i, 'LocalHost' => opts['CHOST'] || chost || "0.0.0.0", 'LocalPort' => (opts['CPORT'] || cport || 0).to_i, 'SSL' => dossl, 'SSLVersion' => opts['SSLVersion'] || ssl_version, 'SSLVerifyMode' => opts['SSLVerifyMode'] || ssl_verify_mode, 'SSLKeyLogFile' => opts['SSLKeyLogFile'] || sslkeylogfile, 'SSLCipher' => opts['SSLCipher'] || ssl_cipher, 'Proxies' => proxies, 'Timeout' => (opts['ConnectTimeout'] || connect_timeout || 10).to_i, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, }) # enable evasions on this socket set_tcp_evasions(nsock) # Set this socket to the global socket as necessary self.sock = nsock if (global) # Add this socket to the list of sockets created by this exploit add_socket(nsock) return nsock end |
#connect_timeout ⇒ Object
Returns the TCP connection timeout
248 249 250 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 248 def connect_timeout datastore['ConnectTimeout'] end |
#cport ⇒ Object
Returns the local port for outgoing connections
255 256 257 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 255 def cport datastore['CPORT'] end |
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection
184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 184 def disconnect(nsock = self.sock) begin if (nsock) nsock.shutdown nsock.close end rescue IOError end if (nsock == sock) self.sock = nil end # Remove this socket from the list of sockets created by this exploit remove_socket(nsock) end |
#handler(nsock = self.sock) ⇒ Object
157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 157 def handler(nsock = self.sock) # If the handler claims the socket, then we don't want it to get closed # during cleanup if ((rv = super) == Handler::Claimed) if (nsock == self.sock) self.sock = nil end # Remove this socket from the list of sockets so that it will not be # aborted. remove_socket(nsock) end return rv end |
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 53 def initialize(info = {}) super ( [ Opt::RHOST, Opt::RPORT ], Msf::Exploit::Remote::Tcp ) ( [ OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]), Opt::SSLVersion, OptEnum.new('SSLVerifyMode', [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]), OptString.new('SSLCipher', [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']), OptString.new('SSLKeyLogFile', [ false, 'The SSL key log file', ENV['SSLKeyLogFile']]), Opt::Proxies, Opt::CPORT, Opt::CHOST, OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10]) ], Msf::Exploit::Remote::Tcp ) ( [ OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size. (0 = disable)', 0]), OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0]) ], Msf::Exploit::Remote::Tcp ) end |
#lhost ⇒ Object
Returns the local host
262 263 264 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 262 def lhost datastore['LHOST'] end |
#lport ⇒ Object
Returns the local port
269 270 271 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 269 def lport datastore['LPORT'] end |
#peer ⇒ Object
Returns the rhost:rport
274 275 276 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 274 def peer Rex::Socket.(rhost, rport) end |
#print_prefix ⇒ Object
209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 209 def print_prefix # Only inject a host/port prefix if we have exactly one entry. # Otherwise we are logging in the global context where rhost can be any # size (being an alias for rhosts), which is not very useful to insert into # a single log line. unless instance_variable_defined?(:@print_prefix) if rhost.present? && Rex::Socket::RangeWalker.new(rhost).length == 1 @print_prefix = peer + ' - ' else @print_prefix = '' end end super + @print_prefix end |
#proxies ⇒ Object
Returns the proxy configuration
281 282 283 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 281 def proxies datastore['Proxies'] end |
#replicant ⇒ Object
225 226 227 228 229 230 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 225 def replicant obj = super # invalidate the cached print_prefix in case the target changes obj.remove_instance_variable(:@print_prefix) if instance_variable_defined?(:@print_prefix) obj end |
#rhost ⇒ Object
Returns the target host
288 289 290 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 288 def rhost datastore['RHOST'] end |
#rport ⇒ Object
Returns the remote port
295 296 297 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 295 def rport datastore['RPORT'] end |
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client
135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 135 def set_tcp_evasions(socket) if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0) return end return if socket.respond_to?('evasive') socket.extend(EvasiveTCP) if ( datastore['TCP::max_send_size'].to_i > 0) socket._send_size = datastore['TCP::max_send_size'] socket.denagle socket.evasive = true end if ( datastore['TCP::send_delay'].to_i > 0) socket._send_delay = datastore['TCP::send_delay'] socket.evasive = true end end |
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection
176 177 178 179 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 176 def shutdown(how = :SHUT_RDWR) self.sock.shutdown(how) if self.sock rescue IOError end |
#ssl ⇒ Object
Returns the boolean indicating SSL
302 303 304 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 302 def ssl datastore['SSL'] end |
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context
331 332 333 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 331 def ssl_cipher datastore['SSLCipher'] end |
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism
316 317 318 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 316 def ssl_verify_mode datastore['SSLVerifyMode'] end |
#ssl_version ⇒ Object
Returns the string indicating SSLVersion
309 310 311 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 309 def ssl_version datastore['SSLVersion'] end |
#sslkeylogfile ⇒ String
Returns the SSL key log file path
324 325 326 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 324 def sslkeylogfile datastore['SSLKeyLogFile'] end |