Module: Msf::Exploit::Remote::NDMP

Includes:
Tcp
Defined in:
lib/msf/core/exploit/ndmp.rb

Overview

This module exposes methods for accessing NDMP (Network Data Management Protocol) services.


Methods included from Tcp

#chost, #cleanup, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Attribute Details

#recv_buff ⇒ Object

Returns the value of attribute recv_buff


# File 'lib/msf/core/exploit/ndmp.rb', line 122

# Reader for the NDMP receive buffer.
#
# #initialize and #connect reset the buffer to an empty string; #ndmp_recv
# appends socket data to it and slices complete messages off the front, so
# whatever remains here is data that has been read but not yet returned.
#
# @return [String] the pending bytes (a String once #initialize has run)
def recv_buff
  @recv_buff
end

Instance Method Details

#connect ⇒ Object

Flush the receive buffer on a new connection


# File 'lib/msf/core/exploit/ndmp.rb', line 34

# Calls the inherited #connect, then resets the receive buffer.
#
# Clearing the buffer on every new connection keeps leftover bytes from a
# previous session from being parsed by #ndmp_recv as the start of a message
# on the new one.
def connect
  super
  # Drop any data buffered from an earlier connection.
  self.recv_buff = ''
end

#initialize(info = {}) ⇒ Object

Creates an instance of an NDMP exploit module.


# File 'lib/msf/core/exploit/ndmp.rb', line 18

# Sets up the NDMP mixin state for a module instance.
#
# After the inherited initializer has run, this registers the options every
# NDMP module uses (RHOST, and RPORT built with 10000) and starts with an
# empty receive buffer.
#
# @param info [Hash] module information, forwarded unchanged to super
def initialize(info = {})
  super

  # Options shared by all NDMP modules; the mixin itself is passed as the
  # second argument to register_options.
  ndmp_options = [
    Opt::RHOST,
    Opt::RPORT(10000),
  ]
  register_options(ndmp_options, Msf::Exploit::Remote::NDMP)

  # Nothing has been read from the service yet.
  self.recv_buff = ''
end

#ndmp_info ⇒ Object

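This method requests NDMP version information from the service and returns the vendor, product and version strings as a hash, or false if the reply is too short.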


# File 'lib/msf/core/exploit/ndmp.rb', line 42

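# Requests version information from the NDMP service.
#
# Connects, reads (and discards) one message before sending anything, sends
# a request with message name 0x108 (version), reads one reply and
# disconnects. The vendor, product and version strings are then read from
# the reply as three length-prefixed fields starting at offset 32.
#
# The reply is supplied by the remote service and must be treated as
# untrusted: each 4-byte length prefix is checked to be fully present before
# it is unpacked, so a short or malformed reply yields false instead of
# raising NoMethodError/TypeError part-way through parsing.
#
# @return [Hash, false] a hash with 'Version', 'Product' and 'Vendor' keys,
#   or false when no usable reply was received
def ndmp_info
  connect
  req = [
      1,               # Sequence number
      Time.now.to_i,   # Current time
      0,               # Message type (request)
      0x108,           # Message name (version)
      0,               # Reply sequence number
      0,               # Error status
    ].pack('NNNNNN')

  # The first read consumes whatever the service sends before the request;
  # its result is not used.
  ndmp_recv
  ndmp_send(req)
  resp = ndmp_recv
  disconnect

  # ndmp_recv returns false when no complete message arrived.
  return false unless resp && resp.length > 28

  offset = 32
  fields = []

  # Vendor, product, version: each is a 32-bit big-endian length followed by
  # that many bytes.
  3.times do
    len_bytes = resp[offset, 4]
    # The length prefix itself must be complete; lengths are peer-controlled
    # and can point past the end of the reply.
    return false unless len_bytes && len_bytes.length == 4

    field_len = len_bytes.unpack('N')[0]
    fields << resp[offset + 4, field_len]

    # NOTE(review): the fixed +1 skip after each string looks like padding.
    # NDMP messages are XDR-encoded, where padding runs to a 4-byte boundary,
    # so this presumably only lines up for some string lengths - confirm
    # against the protocol before relying on Product/Version.
    offset += field_len + 4 + 1
  end

  vend, prod, vers = fields

  info = {}
  info['Version'] = vers
  info['Product'] = prod
  info['Vendor']  = vend
  info
end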

#ndmp_recv(nsock = self.sock) ⇒ Object

This method reads from the socket and parses out a single NDMP response, buffering the rest. It returns false if a complete message has not been received yet.


# File 'lib/msf/core/exploit/ndmp.rb', line 89

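# Reads from the socket and returns a single NDMP message, leaving any
# surplus bytes in the receive buffer for the next call.
#
# A message is a 4-byte big-endian length header followed by that many
# bytes. The top bit of the header (which #ndmp_send sets on outgoing
# headers) is masked off before the length is used.
#
# The length comes from the peer and is untrusted. Nothing is allocated from
# it: the method only compares it with the number of bytes actually
# buffered, and returns false until that many have arrived.
#
# All reads go through +nsock+; previously the argument was accepted but the
# default socket was read instead.
#
# @param nsock [Object] socket to read from, defaults to the module's socket
# @return [String, false] header plus payload of one message, or false when
#   a complete message is not yet available
def ndmp_recv(nsock = self.sock)
  buf = self.recv_buff

  # Attempt to read at least four bytes (the length value).
  # NOTE(review): the second argument (5) is presumably a timeout in seconds - confirm.
  if buf.length < 4
    buf << (nsock.get_once(4 - buf.length, 5) || '')
  end

  # If we did not receive a full length value, return early
  return false if buf.length < 4

  # Read the length header out of the message, dropping the top bit
  dlen = buf[0, 4].unpack('N')[0] & 0x7fffffff

  # Read any pending data and append it to the buffer
  buf << (nsock.get_once || '')

  # Do we have the entire response message? If so, cut it off the front of
  # the buffer and keep the remainder for later calls.
  return buf.slice!(0, dlen + 4) if buf.length >= dlen + 4

  false
end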

#ndmp_send(data, nsock = self.sock) ⇒ Object

This method tacks a length header on a packet then sends it out the socket


# File 'lib/msf/core/exploit/ndmp.rb', line 118

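# Prepends a length header to a packet and writes it to the socket.
#
# The header is the payload size as a 32-bit big-endian integer with the top
# bit (0x80000000) set. The size is counted in bytes rather than characters,
# and the payload is treated as binary, so a string carrying a multibyte
# encoding gets a header that matches what is actually written.
#
# @param data [String] the packet body, without a length header
# @param nsock [Object] socket to write to, defaults to the module's socket
# @return [Object] whatever nsock.put returns
def ndmp_send(data, nsock = self.sock)
  header = [data.bytesize + 0x80000000].pack('N')
  nsock.put(header + data.b)
end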