Module: Msf::Exploit::Remote::LDAP::Server

Includes:
SocketServer
Included in:
JndiInjection
Defined in:
lib/msf/core/exploit/remote/ldap/server.rb

Instance Attribute Summary

Instance Method Summary

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Attribute Details

#service ⇒ Object

:nodoc:



# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 34

# Reader for the service handle kept in @service.
#
# start_service stores the value returned by Rex::ServiceManager.start here
# (through self.service=); until that has happened the reader returns nil.
#
# @return [Object, nil] the stored service handle — presumably a
#   Rex::Proto::LDAP::Server instance; confirm against Rex::ServiceManager
def service
  @service
end

Instance Method Details

#initialize(info = {}) ⇒ Object

Initializes an exploit module that serves LDAP requests



# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 16

# Initializes an exploit module that serves LDAP requests.
#
# Regular options registered here:
#   SRVPORT   - required listening port, default 389
#   LDIF_FILE - optional path to an LDIF file (consumed by read_ldif)
# Advanced options registered here:
#   LdapServerUdp / LdapServerTcp - required booleans, both default to true,
#   so unless changed the service is asked to serve UDP and TCP.
#
# All four are attributed to Exploit::Remote::LDAP::Server.
#
# @param info [Hash] module information, handed on unchanged to the parent
#   initializer by the bare super call
def initialize(info = {})
  super

  listener_options = [
    OptPort.new('SRVPORT', [true, 'The local port to listen on.', 389]),
    OptPath.new('LDIF_FILE', [ false, 'Directory LDIF file path'])
  ]
  register_options(listener_options, Exploit::Remote::LDAP::Server)

  transport_options = [
    OptBool.new('LdapServerUdp', [true, 'Serve UDP LDAP requests', true]),
    OptBool.new('LdapServerTcp', [true, 'Serve TCP LDAP requests', true])
  ]
  register_advanced_options(transport_options, Exploit::Remote::LDAP::Server)
end

#on_dispatch_request(cli, data) ⇒ Object

Handle incoming requests. Override this method in modules to take flow control.



# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 62

# Request hook: start_service installs a dispatch_request_proc on the service
# that calls this method with the arguments the service supplies.
#
# The default implementation forwards both arguments unchanged to
# service.default_dispatch_request. Override it in a module to take over
# request handling.
#
# @param cli [Object] client handle supplied by the service (type not shown here)
# @param data [Object] request data supplied by the service — presumably the
#   raw LDAP request; confirm against Rex::Proto::LDAP::Server
# @return [Object] whatever service.default_dispatch_request returns
def on_dispatch_request(cli, data)
  service.default_dispatch_request(cli, data)
end

#on_send_response(cli, data) ⇒ Object

Send the response to the client. Override this method in modules to take flow control.



# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 70

# Response hook: start_service installs a send_response_proc on the service
# that calls this method with the arguments the service supplies.
#
# The default implementation writes data to the client as-is; nothing is
# inspected, rewritten or size-checked here. Override it in a module to take
# over how responses are sent.
#
# @param cli [Object] client handle; only #write is called on it
# @param data [Object] response payload passed straight to cli.write —
#   presumably an encoded LDAP response; confirm against the service
# @return [Object] whatever cli.write returns
def on_send_response(cli, data)
  cli.write(data)
end

#read_ldif ⇒ Object

Read LDIF file - from github.com/ruby-ldap/ruby-net-ldap/blob/master/testserver/ldapserver.rb#L162

@return [Hash] parsed ldif file (nil when LDIF_FILE is blank or the file does not exist)



# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 40

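# Reads the file named by the LDIF_FILE option into a nested Hash.
#
# Adapted from github.com/ruby-ldap/ruby-net-ldap/blob/master/testserver/ldapserver.rb#L162
#
# The parser is intentionally minimal. A line starting with "dn:" (any case)
# opens an entry; each following "name: value" line is appended to that entry
# until the first line that does not match, which is consumed (normally the
# blank separator). Known limits that follow from the patterns used:
# - attribute names must match \w+, so a name carrying a hyphen or a
#   ";option" suffix ends the entry, as does a continuation line;
# - values written with "::" (base64) are stored undecoded;
# - a "dn:" line placed directly after attributes, with no blank line in
#   between, is recorded as an attribute of the previous entry;
# - a repeated DN starts over with an empty entry.
#
# @return [Hash{String => Hash{String => Array<String>}}, nil] entries keyed by
#   DN, each mapping attribute name to its values in file order; nil when
#   LDIF_FILE is blank or does not exist, so callers must be ready for nil
def read_ldif
  path = datastore['LDIF_FILE']
  return if path.blank? || !File.exist?(path)

  # Non-destructive chomp: String#chomp! returns nil for a line without a line
  # ending, which used to end the loops early and silently drop the final line
  # of a file that has no trailing newline.
  lines = File.readlines(path).map(&:chomp)
  ldif = {}
  while (line = lines.shift)
    header = line.match(/^dn:\s*/i)
    next unless header

    entry = ldif[header.post_match] = {}
    while (attrib = lines.shift) && (pair = attrib.match(/^(\w+)\s*:\s*/))
      (entry[pair[1]] ||= []) << pair.post_match
    end
  end
  ldif
end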

#start_service ⇒ Object

Starts the server



# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 77

# Starts the LDAP server and routes its callbacks through this module.
#
# Rex::ServiceManager.start is asked for a Rex::Proto::LDAP::Server on
# bindhost/bindport, with the LdapServerUdp and LdapServerTcp datastore values,
# the result of read_ldif, the comm chosen by _determine_server_comm and a
# context hash carrying the framework and this module. read_ldif returns nil
# when LDIF_FILE is blank or missing, and that nil is passed on as-is.
#
# The service's dispatch_request_proc and send_response_proc are then pointed
# at on_dispatch_request and on_send_response, so module overrides of those two
# hooks see the traffic.
#
# NOTE(review): SRVPORT defaults to 389; where low ports are reserved for
# privileged users the bind is typically refused with EACCES, which is the case
# the rescue below converts.
#
# @raise [Rex::BindFailed] when Errno::EACCES is raised anywhere in this
#   method; the original message is kept
def start_service
  comm = _determine_server_comm(bindhost)

  # Locals are assigned in the same order the call evaluated its arguments.
  server_class = Rex::Proto::LDAP::Server
  listen_host = bindhost
  listen_port = bindport
  serve_udp = datastore['LdapServerUdp']
  serve_tcp = datastore['LdapServerTcp']
  directory = read_ldif
  context = { 'Msf' => framework, 'MsfExploit' => self }

  self.service = Rex::ServiceManager.start(
    server_class, listen_host, listen_port, serve_udp, serve_tcp, directory, comm, context
  )

  service.dispatch_request_proc = proc { |cli, data| on_dispatch_request(cli, data) }
  service.send_response_proc = proc { |cli, data| on_send_response(cli, data) }
rescue ::Errno::EACCES => e
  raise Rex::BindFailed, e.message
end