Module: Msf::Exploit::Remote::Ftp

Includes:
Tcp
Defined in:
lib/msf/core/exploit/ftp.rb

Overview

This module exposes methods that may be useful to exploits that deal with servers that speak the File Transfer Protocol (FTP).

Instance Method Summary collapse

Methods included from Tcp

#chost, #cleanup, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Method Details

#connect(global = true, verbose = nil) ⇒ Object

This method establishes an FTP connection to host and port specified by the RHOST and RPORT options, respectively. After connecting, the banner message is read in and stored in the 'banner' attribute.


49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/msf/core/exploit/ftp.rb', line 49

def connect(global = true, verbose = nil)
  verbose ||= datastore['FTPDEBUG']
  verbose ||= datastore['VERBOSE']

  print_status("Connecting to FTP server #{rhost}:#{rport}...") if verbose

  fd = super(global)

  # Wait for a banner to arrive...
  self.banner = recv_ftp_resp(fd)

  print_status("Connected to target FTP server.") if verbose

  # Return the file descriptor to the caller
  fd
end

#connect_login(global = true, verbose = nil) ⇒ Object

Connect and login to the remote FTP server using the credentials that have been supplied in the exploit options.


103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# File 'lib/msf/core/exploit/ftp.rb', line 103

def (global = true, verbose = nil)
  verbose ||= datastore['FTPDEBUG']
  verbose ||= datastore['VERBOSE']
  ftpsock = connect(global, verbose)

  if !(user and pass)
    print_error("No username and password were supplied, unable to login")
    return false
  end

  print_status("Authenticating as #{user} with password #{pass}...") if verbose
  res = send_user(user, ftpsock)

  if (res !~ /^(331|2)/)
    print_error("The server rejected our username") if verbose
    return false
  end

  if (pass)
    print_status("Sending password...") if verbose
    res = send_pass(pass, ftpsock)
    if (res !~ /^2/)
      print_error("The server rejected our password") if verbose
      return false
    end
  end

  return true
end

#data_connect(mode = nil, nsock = self.sock) ⇒ Object

This method handles establishing datasocket for data channel


69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# File 'lib/msf/core/exploit/ftp.rb', line 69

def data_connect(mode = nil, nsock = self.sock)
  if mode
    res = send_cmd([ 'TYPE' , mode ], true, nsock)
    return nil if not res =~ /^200/
  end

  # force datasocket to renegotiate
  self.datasocket.shutdown if self.datasocket != nil

  res = send_cmd(['PASV'], true, nsock)
  return nil if not res =~ /^227/

  # 227 Entering Passive Mode (127,0,0,1,196,5)
  if res =~ /\((\d+)\,(\d+),(\d+),(\d+),(\d+),(\d+)/
    # convert port to FTP syntax
    datahost = "#{$1}.#{$2}.#{$3}.#{$4}"
    dataport = ($5.to_i * 256) + $6.to_i
    self.datasocket = Rex::Socket::Tcp.create('PeerHost' => datahost, 'PeerPort' => dataport)
  end
  self.datasocket
end

#data_disconnectObject

This method handles disconnecting our data channel


94
95
96
97
# File 'lib/msf/core/exploit/ftp.rb', line 94

def data_disconnect
  self.datasocket.shutdown
  self.datasocket = nil
end

#ftp_timeoutObject

Returns the number of seconds to wait for a FTP reply


330
331
332
# File 'lib/msf/core/exploit/ftp.rb', line 330

def ftp_timeout
  (datastore['FTPTimeout'] || 10).to_i
end

#initialize(info = {}) ⇒ Object

Creates an instance of an FTP exploit module.


19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/msf/core/exploit/ftp.rb', line 19

def initialize(info = {})
  super

  # Register the options that all FTP exploits may make use of.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(21),
      OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
      OptString.new('FTPPASS', [ false, 'The password for the specified username', '[email protected]'])
    ], Msf::Exploit::Remote::Ftp)

  register_advanced_options(
    [
      OptInt.new('FTPTimeout', [ true, 'The number of seconds to wait for a reply from an FTP command', 16]),
      OptBool.new('FTPDEBUG', [ false, 'Whether or not to print verbose debug statements', false ])
    ], Msf::Exploit::Remote::Ftp)

  register_autofilter_ports([ 21, 2121])
  register_autofilter_services(%W{ ftp })

  @ftpbuff = ""

end

#passObject

Returns the user string from the 'FTPPASS' option.


323
324
325
# File 'lib/msf/core/exploit/ftp.rb', line 323

def pass
  datastore['FTPPASS']
end

#raw_send(cmd, nsock = self.sock) ⇒ Object

This method transmits a FTP command and does not wait for a response


302
303
304
305
# File 'lib/msf/core/exploit/ftp.rb', line 302

def raw_send(cmd, nsock = self.sock)
  print_status("FTP send: #{cmd.inspect}") if datastore['FTPDEBUG']
  nsock.put(cmd)
end

#raw_send_recv(cmd, nsock = self.sock) ⇒ Object

This method transmits a FTP command and waits for a response. If one is received, it is returned to the caller.


239
240
241
242
# File 'lib/msf/core/exploit/ftp.rb', line 239

def raw_send_recv(cmd, nsock = self.sock)
  nsock.put(cmd)
  nsock.get_once(-1, ftp_timeout)
end

#recv_ftp_resp(nsock = self.sock) ⇒ Object

This method reads an FTP response based on FTP continuation stuff


247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
# File 'lib/msf/core/exploit/ftp.rb', line 247

def recv_ftp_resp(nsock = self.sock)
  found_end = false
  resp = ""
  left = ""
  if !@ftpbuff.empty?
    left << @ftpbuff
    @ftpbuff = ""
  end
  while true
    data = nsock.get_once(-1, ftp_timeout)
    if not data
      @ftpbuff << resp
      @ftpbuff << left
      return data
    end

    got = left + data
    left = ""

    # handle the end w/o newline case
    enlidx = got.rindex(0x0a.chr)
    if enlidx != (got.length-1)
      if not enlidx
        left << got
        next
      else
        left << got.slice!((enlidx+1)..got.length)
      end
    end

    # split into lines
    rarr = got.split(/\r?\n/)
    rarr.each do |ln|
      if not found_end
        resp << ln
        resp << "\r\n"
        if ln.length > 3 and ln[3,1] == ' '
          found_end = true
        end
      else
        left << ln
        left << "\r\n"
      end
    end
    if found_end
      @ftpbuff << left
      print_status("FTP recv: #{resp.inspect}") if datastore['FTPDEBUG']
      return resp
    end
  end
end

#send_cmd(args, recv = true, nsock = self.sock) ⇒ Object

This method sends one command with zero or more parameters


162
163
164
165
166
167
168
169
# File 'lib/msf/core/exploit/ftp.rb', line 162

def send_cmd(args, recv = true, nsock = self.sock)
  cmd = args.join(" ") + "\r\n"
  ret = raw_send(cmd, nsock)
  if (recv)
    return recv_ftp_resp(nsock)
  end
  return ret
end

#send_cmd_data(args, data, mode = 'a', nsock = self.sock) ⇒ Object

This method transmits the command in args and receives / uploads DATA via data channel For commands not needing data, it will fall through to the original send_cmd

For commands that send data only, the return will be the server response. For commands returning both data and a server response, an array will be returned.

NOTE: This function always waits for a response from the server.


180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
# File 'lib/msf/core/exploit/ftp.rb', line 180

def send_cmd_data(args, data, mode = 'a', nsock = self.sock)
  type = nil
  # implement some aliases for various commands
  if (args[0] =~ /^DIR$/i || args[0] =~ /^LS$/i)
    # TODO || args[0] =~ /^MDIR$/i || args[0] =~ /^MLS$/i
    args[0] = "LIST"
    type = "get"
  elsif (args[0] =~ /^GET$/i)
    args[0] = "RETR"
    type = "get"
  elsif (args[0] =~ /^PUT$/i)
    args[0] = "STOR"
    type = "put"
  end

  # fall back if it's not a supported data command
  if not type
    return send_cmd(args, true, nsock)
  end

  # Set the transfer mode and connect to the remove server
  return nil if not data_connect(mode)

  # Our pending command should have got a connection now.
  res = send_cmd(args, true, nsock)
  # make sure could open port
  return nil unless res =~ /^(150|125) /

  # dispatch to the proper method
  if (type == "get")
    # failed listings jsut disconnect..
    begin
      data = self.datasocket.get_once(-1, ftp_timeout)
    rescue ::EOFError
      data = nil
    end
  else
    sent = self.datasocket.put(data)
  end

  # close data channel so command channel updates
  data_disconnect

  # get status of transfer
  ret = nil
  if (type == "get")
    ret = recv_ftp_resp(nsock)
    ret = [ ret, data ]
  else
    ret = recv_ftp_resp(nsock)
  end

  ret
end

#send_pass(pass, nsock = self.sock) ⇒ Object

This method completes user authentication by sending the supplied password using the FTP 'PASS <pass>' command.


146
147
148
149
# File 'lib/msf/core/exploit/ftp.rb', line 146

def send_pass(pass, nsock = self.sock)
  raw_send("PASS #{pass}\r\n", nsock)
  recv_ftp_resp(nsock)
end

#send_quit(nsock = self.sock) ⇒ Object

This method sends a QUIT command.


154
155
156
157
# File 'lib/msf/core/exploit/ftp.rb', line 154

def send_quit(nsock = self.sock)
  raw_send("QUIT\r\n", nsock)
  recv_ftp_resp(nsock)
end

#send_user(user, nsock = self.sock) ⇒ Object

This method logs in as the supplied user by transmitting the FTP 'USER <user>' command.


137
138
139
140
# File 'lib/msf/core/exploit/ftp.rb', line 137

def send_user(user, nsock = self.sock)
  raw_send("USER #{user}\r\n", nsock)
  recv_ftp_resp(nsock)
end

#userObject

Returns the user string from the 'FTPUSER' option.


316
317
318
# File 'lib/msf/core/exploit/ftp.rb', line 316

def user
  datastore['FTPUSER']
end