Module: Msf::Exploit::Remote::SocketServer

Included in:
DNS::Server, TcpServer
Defined in:
lib/msf/core/exploit/socket_server.rb

Overview

This mixin provides a generic interface for running a socket server of some sort that is designed to exploit clients. Exploits that include this mixin automatically take a passive stance.

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#serviceObject (protected)

:nodoc:


181
182
183
# File 'lib/msf/core/exploit/socket_server.rb', line 181

def service
  @service
end

Instance Method Details

#_determine_server_comm(srv_comm = datastore['ListenerComm'].to_s) ⇒ Object (protected)

Determines appropriate listener comm


150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# File 'lib/msf/core/exploit/socket_server.rb', line 150

def _determine_server_comm(srv_comm = datastore['ListenerComm'].to_s)
  case srv_comm
  when 'local'
    comm = ::Rex::Socket::Comm::Local
  when /\A[0-9]+\Z/
    comm = framework.sessions[srv_comm.to_i]
    raise(RuntimeError, "Socket Server Comm (Session #{srv_comm}) does not exist") unless comm
    raise(RuntimeError, "Socket Server Comm (Session #{srv_comm}) does not implement Rex::Socket::Comm") unless comm.is_a? ::Rex::Socket::Comm
  when nil, ''
    comm = nil
  else
    raise(RuntimeError, "SocketServer Comm '#{srv_comm}' is invalid")
  end

  comm
end

#cleanupObject

Stops the service, if one was created.


59
60
61
62
63
64
65
# File 'lib/msf/core/exploit/socket_server.rb', line 59

def cleanup
  super
  if(service)
    stop_service()
    print_status("Server stopped.")
  end
end

#exploitObject

This mixin overrides the exploit method so that it can initiate the service that corresponds with what the client has requested.


38
39
40
41
42
43
44
45
46
47
48
# File 'lib/msf/core/exploit/socket_server.rb', line 38

def exploit

  start_service()
  print_status("Server started.")

  # Call the exploit primer
  primer

  # Wait on the service to stop
  self.service.wait
end

#initialize(info = {}) ⇒ Object


15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# File 'lib/msf/core/exploit/socket_server.rb', line 15

def initialize(info = {})
  super(update_info(info,
    'Stance' => Msf::Exploit::Stance::Passive))

  register_options(
    [
      OptAddressLocal.new('SRVHOST', [ true, 'The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.', '0.0.0.0' ]),
      OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 8080 ]),

    ], Msf::Exploit::Remote::SocketServer
  )

  register_advanced_options(
    [
      OptString.new('ListenerComm', [ false, 'The specific communication channel to use for this service'])
    ], Msf::Exploit::Remote::SocketServer
  )
end

#on_client_data(client) ⇒ Object

Called when a client has data available for reading.


70
71
# File 'lib/msf/core/exploit/socket_server.rb', line 70

def on_client_data(client)
end

#primerObject

Primer method to call after starting service but before handling connections


53
54
# File 'lib/msf/core/exploit/socket_server.rb', line 53

def primer
end

#regenerate_payload(cli, arch = nil, platform = nil, target = nil) ⇒ Object

Re-generates the payload, substituting the current RHOST and RPORT with the supplied client host and port from the socket.


115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# File 'lib/msf/core/exploit/socket_server.rb', line 115

def regenerate_payload(cli, arch = nil, platform = nil, target = nil)

  ohost = datastore['RHOST']
  oport = datastore['RPORT']
  p = nil

  begin
    # Update the datastore with the supplied client peerhost/peerport
    datastore['RHOST'] = cli.peerhost
    datastore['RPORT'] = cli.peerport

    if ((p = super(arch, platform, target)) == nil)
      print_error("Failed to generate payload")
      return nil
    end

    # Allow the payload to start a new handler
    add_handler({
      'RHOST' => datastore['RHOST'],
      'RPORT' => datastore['RPORT']
    })

  ensure
    datastore['RHOST'] = ohost
    datastore['RPORT'] = oport
  end

  p
end

#srvhostObject

Returns the local host that is being listened on.


100
101
102
# File 'lib/msf/core/exploit/socket_server.rb', line 100

def srvhost
  datastore['SRVHOST']
end

#srvportObject

Returns the local port that is being listened on.


107
108
109
# File 'lib/msf/core/exploit/socket_server.rb', line 107

def srvport
  datastore['SRVPORT']
end

#start_service(*args) ⇒ Object

Starts the service. Override this method in consumers


76
77
# File 'lib/msf/core/exploit/socket_server.rb', line 76

def start_service(*args)
end

#stop_serviceObject

Stops the service.


82
83
84
85
86
87
88
89
90
91
92
93
94
95
# File 'lib/msf/core/exploit/socket_server.rb', line 82

def stop_service
  if (service)
    begin
      self.service.deref if self.service.kind_of?(Rex::Service)
      if self.service.kind_of?(Rex::Socket) || self.service.kind_of?(Rex::Post::Meterpreter::Channel)
        self.service.close
        self.service.stop
      end

      self.service = nil
    rescue ::Exception
    end
  end
end

#via_string_for_ip(ip, comm) ⇒ Object (protected)


167
168
169
170
171
172
173
174
175
176
177
178
179
# File 'lib/msf/core/exploit/socket_server.rb', line 167

def via_string_for_ip(ip, comm)
  comm_used = comm
  comm_used ||= Rex::Socket::SwitchBoard.best_comm(ip)
  comm_used ||= Rex::Socket::Comm::Local

  if comm_used.respond_to?(:type) && comm_used.respond_to?(:sid)
    via = "via the #{comm_used.type} on session #{comm_used.sid}"
  else
    via = ""
  end

  via
end