Module: Msf::Exploit::Remote::HttpServer
- Includes:
- Auxiliary::Report, TcpServer
- Included in:
- CmdStager::HTTP, BrowserExploit, HTML, PHPInclude, Java::HTTP::ClassLoader
- Defined in:
- lib/msf/core/exploit/remote/http_server.rb
Overview
This module provides methods for exploiting an HTTP client by acting as an HTTP server.
Defined Under Namespace
Modules: BrowserExploit, HTML, PHPInclude
Instance Attribute Summary
Attributes included from SocketServer
Instance Method Summary collapse
-
#add_resource(opts) ⇒ Object
Adds a URI resource using the supplied hash parameters.
- #add_robots_resource ⇒ Object
-
#autofilter ⇒ Object
By default, all HTTP servers are not subject to automatic exploitation.
-
#check_dependencies ⇒ Object
This method gives a derived class the opportunity to ensure that all dependencies are present before initializing the service.
-
#cleanup ⇒ Object
Take care of removing any resources that we created.
-
#cli ⇒ Object
Thread-local client accessor.
-
#cli=(cli) ⇒ Object
Thread-local client accessor.
-
#close_client(cli) ⇒ Object
Closes a client connection.
-
#create_response(code = 200, message = "OK", proto = Rex::Proto::Http::DefaultProtocol) ⇒ Object
Creates an HTTP response packet.
-
#fingerprint_user_agent(ua_str) ⇒ Object
Return a Hash containing a best guess at the actual browser and operating system versions, based on the User-Agent header.
-
#get_resource ⇒ Object
Returns the last-used resource path.
-
#get_uri(cli = self.cli) ⇒ Object
Return a full url of the form
http://1.1.1.1:8080/resource/. -
#hardcoded_uripath(uri) ⇒ void
Set #on_request_uri to handle the given
uriin addition to the one specified by the developer in opts or by the user in URIPATH. - #initialize(info = {}) ⇒ Object
-
#on_request_uri(cli, request) ⇒ Object
Called when a request is made to a single URI registered during the start_service.
- #print_prefix ⇒ Object
-
#random_uri ⇒ Object
Generates a random URI for use with making finger printing more challenging.
-
#regenerate_payload(cli, arch = nil, platform = nil, target = nil) ⇒ Object
Re-generates the payload, substituting the current RHOST and RPORT with the supplied client host and port.
-
#remove_resource(name) ⇒ Object
Removes a URI resource.
-
#report_user_agent(address, request, client_opts = {}) ⇒ Object
Store the results of server-side User-Agent fingerprinting in the DB.
-
#resource_uri ⇒ Object
Returns the configured (or random, if not configured) URI path.
-
#send_local_redirect(cli, location) ⇒ Object
Sends a 302 redirect relative to our base path.
-
#send_not_found(cli) ⇒ Object
Sends a 404.
-
#send_redirect(cli, location = '/', body = '', headers = {}) ⇒ Object
Sends a 302 redirect to the client.
-
#send_response(cli, body, headers = {}) ⇒ Object
Transmits a response to the supplied client, default content-type is text/html.
-
#send_robots(cli, request) ⇒ Object
Sends a canned robots.txt file.
-
#srvhost_addr ⇒ String
An address to which the client can route.
-
#srvport ⇒ Object
Returns the local port that is being listened on.
-
#start_service(opts = {}) ⇒ Object
:category: Exploit::Remote::TcpServer overrides.
-
#use_zlib ⇒ Object
Ensures that gzip can be used.
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Methods included from TcpServer
#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version
Methods included from SocketServer
#_determine_server_comm, #bindhost, #bindport, #cleanup_service, #exploit, #on_client_data, #primer, #srvhost, #via_string
Instance Method Details
#add_resource(opts) ⇒ Object
Adds a URI resource using the supplied hash parameters.
Path => The path to associate the procedure with.
Proc => The procedure to call when the URI is requested.
LongCall => Indicates that the request is a long call.
NOTE: Calling #add_resource will change the results of subsequent calls to #get_resource!
401 402 403 404 405 406 407 408 409 410 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 401 def add_resource(opts) @service_path = opts['Path'] res = service.add_resource(opts['Path'], opts) # This has to go *after* the call to service.add_resource in case # the service manager doesn't like it for some reason and raises. @my_resources.push(opts['Path']) res end |
#add_robots_resource ⇒ Object
178 179 180 181 182 183 184 185 186 187 188 189 190 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 178 def add_robots_resource proc = Proc.new do |cli, req| self.cli = cli send_robots(cli, req) end vprint_status('Adding hardcoded URI /robots.txt') begin add_resource('Path' => '/robots.txt', 'Proc' => proc) rescue RuntimeError => e print_warning(e.) end end |
#autofilter ⇒ Object
By default, all HTTP servers are not subject to automatic exploitation
56 57 58 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 56 def autofilter false end |
#check_dependencies ⇒ Object
This method gives a derived class the opportunity to ensure that all dependencies are present before initializing the service.
By default, all HTTP server mixins will try to use zlib.
100 101 102 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 100 def check_dependencies use_zlib end |
#cleanup ⇒ Object
Take care of removing any resources that we created
216 217 218 219 220 221 222 223 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 216 def cleanup # Must dup here because remove_resource modifies @my_resources @my_resources.dup.each do |resource| remove_resource(resource) end super end |
#cli ⇒ Object
Thread-local client accessor
63 64 65 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 63 def cli Thread.current[:cli] end |
#cli=(cli) ⇒ Object
Thread-local client accessor
70 71 72 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 70 def cli=(cli) Thread.current[:cli] = cli end |
#close_client(cli) ⇒ Object
Closes a client connection.
538 539 540 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 538 def close_client(cli) service.close_client(cli) end |
#create_response(code = 200, message = "OK", proto = Rex::Proto::Http::DefaultProtocol) ⇒ Object
Creates an HTTP response packet.
545 546 547 548 549 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 545 def create_response(code = 200, = "OK", proto = Rex::Proto::Http::DefaultProtocol) res = Rex::Proto::Http::Response.new(code, , proto); res['Content-Type'] = 'text/html' res end |
#fingerprint_user_agent(ua_str) ⇒ Object
Return a Hash containing a best guess at the actual browser and operating system versions, based on the User-Agent header.
Keys in the returned hash are similar to those expected of Report#report_client, and Msf::DBManager#report_host namely:
:ua_name-
a brief identifier for the client, e.g. “Firefox”
:ua_ver-
the version number of the client, e.g. “3.0.11”
:os_name-
something like “Windows XP”, “Windows 7”, or “Linux”
:os_flavor-
something like “Enterprise”, “Pro”, or “Home”
:os_lang-
something like “English”, “French”, or “en-US”
:arch-
one of the ARCH_* constants
Unknown values may be nil.
240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 240 def fingerprint_user_agent(ua_str) fp = { :ua_string => ua_str } # Guess the browser type based on the user agent # Check for IE last since its often impersonated case (ua_str.downcase) # Chrome tries to look like Safari, so check it first when /chrome\/(\d+(:?\.\d+)*)/ # Matches, e.g.: # Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3 fp[:ua_name] = HttpClients::CHROME fp[:ua_ver] = $1 when /version\/(\d+(:?\.\d+)*)\s*safari/ fp[:ua_name] = HttpClients::SAFARI fp[:ua_ver] = $1 when /firefox\/((:?[0-9]+\.)+[0-9]+)/ fp[:ua_name] = HttpClients::FF fp[:ua_ver] = $1 when /opera\/(\d+(:?\.\d+)*)/ fp[:ua_name] = HttpClients::OPERA fp[:ua_ver] = $1 when /mozilla\/[0-9]+\.[0-9] \(compatible; msie ([0-9]+\.[0-9]+)/i, /mozilla\/[0-9]+\.[0-9] \(.+ rv:([0-9]+\.[0-9])\)/i fp[:ua_name] = HttpClients::IE fp[:ua_ver] = $1 when /git\/([0-9]+(\.[0-9]+)+)/ fp[:ua_name] = HttpClients::GIT fp[:ua_ver] = $1 when /git-lfs\/([0-9]+(\.[0-9]+)+)/ fp[:ua_name] = HttpClients::GIT_LFS fp[:ua_ver] = $1 else fp[:ua_name] = HttpClients::UNKNOWN end # Guess the language case (ua_str.downcase) when /(en-us|en-gb)/ fp[:os_lang] = $1 end # Guess the general OS type case (ua_str.downcase) when /windows|win32/ fp[:os_name] = OperatingSystems::WINDOWS fp[:arch] = ARCH_X86 when /linux/ fp[:os_name] = OperatingSystems::LINUX when /iphone|ipad/ fp[:os_name] = OperatingSystems::APPLE_IOS fp[:arch] = 'armle' when /mac os x/ fp[:os_name] = OperatingSystems::MAC_OSX else fp[:os_name] = OperatingSystems::UNKNOWN end # Determine the specific OS variant # Note that we assume windows variants are the # client version and mismatch server editions. case (ua_str.downcase) when /windows 95/ fp[:os_name] = 'Windows 95' when /windows 98/ fp[:os_name] = 'Windows 98' when /windows nt 4/ fp[:os_name] = 'Windows NT' when /windows nt 5.0/ fp[:os_name] = 'Windows 2000' when /windows nt 5.1/ fp[:os_name] = 'Windows XP' when /windows nt 5.2/ fp[:os_name] = 'Windows 2003' when /windows nt 6.0/ fp[:os_name] = 'Windows Vista' when /windows nt 6.1/ fp[:os_name] = 'Windows 7' when /windows nt 6.2/ fp[:os_name] = 'Windows 8' when /windows nt 6.3/ fp[:os_name] = 'Windows 8.1' when /gentoo/ fp[:os_vendor] = 'Gentoo' when /debian/ fp[:os_vendor] = 'Debian' when /ubuntu/ fp[:os_vendor] = 'Ubuntu' when /fedora/ fp[:os_vendor] = 'Fedora' when /red hat|rhel/ fp[:os_vendor] = 'RHEL' when /android/ fp[:os_name] = OperatingSystems::ANDROID end # Guess the architecture case (ua_str.downcase) when /ppc/ fp[:arch] = ARCH_PPC when /x64|x86_64/ fp[:arch] = ARCH_X64 when /i.86|wow64/ # WOW64 means "Windows on Windows64" and is present # in the useragent of 32-bit IE running on 64-bit # Windows fp[:arch] = ARCH_X86 when /android|iphone|ipod|ipad/ fp[:arch] = ARCH_ARMLE else fp[:arch] = ARCH_X86 end fp end |
#get_resource ⇒ Object
Returns the last-used resource path
415 416 417 418 419 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 415 def get_resource # We don't want modules modifying their service_path inadvertently, so # give them a dup. Can be nil during module setup. @service_path ? @service_path.dup : nil end |
#get_uri(cli = self.cli) ⇒ Object
Return a full url of the form http://1.1.1.1:8080/resource/
The address portion should be something a client would be able to route, but see #srvhost_addr for caveats.
427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 427 def get_uri(cli=self.cli) resource = get_resource # The resource won't exist until the server is started return unless resource ssl = !!(datastore["SSL"]) proto = (ssl ? "https://" : "http://") if datastore['URIHOST'] host = datastore['URIHOST'] elsif (cli and cli.peerhost) host = Rex::Socket.source_address(cli.peerhost) else host = srvhost_addr end if Rex::Socket.is_ipv6?(host) host = "[#{host}]" end if datastore['URIPORT'] && datastore['URIPORT'] != 0 port = ':' + datastore['URIPORT'].to_s elsif (ssl and datastore["SRVPORT"] == 443) port = '' elsif (!ssl and datastore["SRVPORT"] == 80) port = '' else port = ":" + datastore["SRVPORT"].to_s end uri = proto + host + port + resource uri end |
#hardcoded_uripath(uri) ⇒ void
This MUST be called from SocketServer#primer so that the service has been set
This method returns an undefined value.
Set #on_request_uri to handle the given uri in addition to the one specified by the developer in opts or by the user in URIPATH.
up but we have not yet entered the listen/accept loop.
201 202 203 204 205 206 207 208 209 210 211 212 213 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 201 def hardcoded_uripath(uri) proc = Proc.new do |cli, req| on_request_uri(cli, req) end vprint_status("Adding hardcoded uri #{uri}") begin add_resource({'Path' => uri, 'Proc' => proc}) rescue RuntimeError => e print_error("This module requires a hardcoded uri at #{uri}. Can't run while other modules are using it.") raise e end end |
#initialize(info = {}) ⇒ Object
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 21 def initialize(info = {}) super ( [ OptString.new('URIPATH', [ false, "The URI to use for this exploit (default is random)"]), ], Exploit::Remote::HttpServer ) ( [ OptBool.new('HTTP::no_cache', [false, 'Disallow the browser to cache HTTP content', false]), OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]), OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]), OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]), OptEnum.new('HTTP::compression', [false, 'Enable compression of HTTP responses via content encoding', 'none', ['none','gzip','deflate']]), OptString.new('HTTP::server_name', [true, 'Configures the Server header of all outgoing replies', 'Apache']) ], Exploit::Remote::HttpServer ) ([ OptAddress.new('URIHOST', [false, 'Host to use in URI (useful for tunnels)']), OptPort.new('URIPORT', [false, 'Port to use in URI (useful for tunnels)']), OptBool.new('SendRobots', [false, 'Return a robots.txt file if asked for one', false]) ]) # Used to keep track of resources added to the service manager by # this module. see #add_resource and #cleanup @my_resources = [] @service_path = nil end |
#on_request_uri(cli, request) ⇒ Object
Called when a request is made to a single URI registered during the start_service. Subsequent registrations will not result in a call to on_request_uri.
Modules should override this method.
697 698 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 697 def on_request_uri(cli, request) end |
#print_prefix ⇒ Object
74 75 76 77 78 79 80 81 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 74 def print_prefix if cli && self.respond_to?(:stance) && !(stance == Msf::Exploit::Stance::Aggressive || stance.include?(Msf::Exploit::Stance::Aggressive)) super + "#{cli.peerhost.ljust(16)} #{self.shortname} - " else super end end |
#random_uri ⇒ Object
Generates a random URI for use with making finger printing more challenging.
661 662 663 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 661 def random_uri "/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6) end |
#regenerate_payload(cli, arch = nil, platform = nil, target = nil) ⇒ Object
Re-generates the payload, substituting the current RHOST and RPORT with the supplied client host and port.
669 670 671 672 673 674 675 676 677 678 679 680 681 682 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 669 def regenerate_payload(cli, arch = nil, platform = nil, target = nil) pcode = nil # If the payload fails to generate for some reason, send a 403. if ((pcode = super(cli, arch, platform, target)) == nil) print_error("Failed to generate payload, sending 403.") cli.send_response( create_response(403, 'Forbidden')) return nil end pcode end |
#remove_resource(name) ⇒ Object
Removes a URI resource.
527 528 529 530 531 532 533 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 527 def remove_resource(name) # Guard against removing resources added by other modules if @my_resources.include?(name) @my_resources.delete(name) service.remove_resource(name) if service end end |
#report_user_agent(address, request, client_opts = {}) ⇒ Object
Store the results of server-side User-Agent fingerprinting in the DB.
Returns a Hash containing host and client information.
362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 362 def report_user_agent(address, request, client_opts={}) fp = fingerprint_user_agent(request["User-Agent"]) host = { :address => address, :host => address, } host[:os_name] = fp[:os_name] if fp[:os_name] host[:os_flavor] = fp[:os_flavor] if fp[:os_flavor] host[:arch] = fp[:arch] if fp[:arch] host[:os_lang] = fp[:os_lang] if fp[:os_lang] report_host(host) client = { :host => address, :ua_string => request['User-Agent'], } client[:ua_name] = fp[:ua_name] if fp[:ua_name] client[:ua_ver] = fp[:ua_ver] if fp[:ua_ver] client.merge!(client_opts) if client_opts report_client(client) report_note( :host => address, :type => 'http.request', :data => "#{address}: #{request.method} #{request.resource} #{client[:os_name]} #{client[:ua_name]} #{client[:ua_ver]}", :update => :unique_data ) return host.merge(client) end |
#resource_uri ⇒ Object
Returns the configured (or random, if not configured) URI path
650 651 652 653 654 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 650 def resource_uri path = datastore['URIPATH'] || random_uri path = '/' + path if path !~ /^\// return path end |
#send_local_redirect(cli, location) ⇒ Object
Sends a 302 redirect relative to our base path
605 606 607 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 605 def send_local_redirect(cli, location) send_redirect(cli, get_resource + location) end |
#send_not_found(cli) ⇒ Object
Sends a 404
613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 613 def send_not_found(cli) resp_404 = create_response(404, 'Not Found') resp_404.body = %Q{\ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.2.9 (Unix) Server at #{datastore['LHOST']} Port #{datastore['SRVPORT']}</address> </body></html> } cli.send_response(resp_404) end |
#send_redirect(cli, location = '/', body = '', headers = {}) ⇒ Object
Sends a 302 redirect to the client
591 592 593 594 595 596 597 598 599 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 591 def send_redirect(cli, location='/', body='', headers = {}) response = create_response(302, 'Moved') response['Content-Type'] = 'text/html' response['Location'] = location response.body = body.to_s.unpack("C*").pack("C*") headers.each_pair { |k,v| response[k] = v } cli.send_response(response) end |
#send_response(cli, body, headers = {}) ⇒ Object
Transmits a response to the supplied client, default content-type is text/html
Payload evasions are implemented here!
556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 556 def send_response(cli, body, headers = {}) response = create_response response['Content-Type'] = 'text/html' response.body = body.to_s.unpack("C*").pack("C*") if (datastore['HTTP::compression']) self.use_zlib # make sure... response.compress = datastore['HTTP::compression'] end if datastore['HTTP::chunked'] response.auto_cl = false response.transfer_chunked = true end if datastore['HTTP::header_folding'] response.headers.fold = 1 end if datastore['HTTP::junk_headers'] response.headers.junk_headers = 1 end if datastore['HTTP::no_cache'] response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate' end headers.each_pair { |k,v| response[k] = v } cli.send_response(response) end |
#send_robots(cli, request) ⇒ Object
Sends a canned robots.txt file
633 634 635 636 637 638 639 640 641 642 643 644 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 633 def send_robots(cli, request) print_status('Sending robots.txt') robots = create_response(200, 'Success') robots['Content-Type'] = 'text/plain' robots.body = %Q{\ User-agent: * Disallow: / } cli.send_response(robots) end |
#srvhost_addr ⇒ String
An address to which the client can route.
If available, return LHOST which should be the right thing since it already has to be an address the client can route to for the payload to work. However, LHOST will only be available if we’re using a reverse_* payload, so if we don’t have it, try to use the client’s peerhost address. Failing that, fall back to the addr with the default gateway. All of this will be for naught in the case of a user behind NAT using a bind payload but there’s nothing we can do about it.
NOTE: The address will be incorrect in the following two situations:
-
LHOST is pointed at a exploit/multi/handler on some other box.
-
SRVHOST has a value of ‘0.0.0.0’, the user is behind NAT, and we’re using a bind payload. In that case, we don’t have an LHOST and the source address will be internal.
This can potentially be dealt with in a module by using the Host header from a request if such a header exists.
483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 483 def srvhost_addr if datastore['URIHOST'] host = datastore['URIHOST'] elsif (datastore['LHOST'] and (!datastore['LHOST'].strip.empty?)) host = datastore["LHOST"] else if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") if (respond_to?(:sock) and sock and sock.peerhost) # Then this is a Passive-Aggressive module. It has a socket # connected to the remote server from which we can deduce the # appropriate source address. host = Rex::Socket.source_address(sock.peerhost) else # Otherwise, this module is only a server, not a client, *and* # the payload does not have an LHOST option. This can happen, # for example, with a browser exploit using a download-exec # payload. In that case, just use the address of the interface # with the default gateway and hope for the best. host = Rex::Socket.source_address end else host = datastore['SRVHOST'] end end host end |
#srvport ⇒ Object
Returns the local port that is being listened on.
514 515 516 517 518 519 520 521 522 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 514 def srvport if datastore['URIPORT'] port = datastore['URIPORT'] else port = datastore['SRVPORT'] end port end |
#start_service(opts = {}) ⇒ Object
:category: Exploit::Remote::TcpServer overrides
This mixin starts the HTTP server listener. This routine takes a few different hash parameters:
ServerHost => Override the server host to listen on (default to SRVHOST).
ServerPort => Override the server port to listen on (default to SRVPORT).
Uri => The URI to handle and the associated procedure to call.
TODO: This must be able to take an SSL parameter and not rely completely on the datastore. (See dlink_upnp_exec_noauth)
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 117 def start_service(opts = {}) # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead. opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl'] check_dependencies # Start a new HTTP server service. self.service = Rex::ServiceManager.start( Rex::Proto::Http::Server, (opts['ServerPort'] || bindport).to_i, opts['ServerHost'] || bindhost, opts['ssl'], { 'Msf' => framework, 'MsfExploit' => self, }, opts['Comm'] || _determine_server_comm(opts['ServerHost'] || bindhost), datastore['SSLCert'], datastore['SSLCompression'], datastore['SSLCipher'], datastore['SSLVersion'] ) self.service.server_name = datastore['HTTP::server_name'] # Default the procedure of the URI to on_request_uri if one isn't # provided. uopts = { 'Proc' => Proc.new { |cli, req| self.cli = cli ( self.respond_to?(:filter_request_uri) && filter_request_uri(cli, req) ) ? nil : on_request_uri(cli, req) }, 'Path' => opts['Path'] || resource_uri }.update(opts['Uri'] || {}) proto = (opts['ssl'] ? "https" : "http") # SSLCompression may or may not actually be available. For example, on # Ubuntu, it's disabled by default, unless the correct environment # variable is set. See https://github.com/rapid7/metasploit-framework/pull/2666 if proto == "https" and datastore['SSLCompression'] print_status("Intentionally using insecure SSL compression. Your operating system might not respect this!") end netloc = srvhost_addr if (proto == 'http' && srvport != 80) || (proto == 'https' && srvport != 443) if Rex::Socket.is_ipv6?(netloc) netloc = "[#{netloc}]:#{srvport}" else netloc = "#{netloc}:#{srvport}" end end print_status("Using URL: #{proto}://#{netloc}#{uopts['Path']}") add_robots_resource if datastore['SendRobots'] add_resource(uopts) end |
#use_zlib ⇒ Object
Ensures that gzip can be used. If not, an exception is generated. The exception is only raised if the DisableGzip advanced option has not been set.
88 89 90 91 92 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 88 def use_zlib if !Rex::Text.zlib_present? && datastore['HTTP::compression'] raise RuntimeError, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!" end end |