Module: Msf::Exploit::Remote::Tcp

Included in:
AFP, Arkeia, DB2, DCERPC, Ftp, Imap, MSSQL, MYSQL, NDMP, Pop2, RealPort, SMB, SMTPDeliver, Smtp, SunRPC, TNS, Telnet, Web
Defined in:
lib/msf/core/exploit/tcp.rb

Overview

This module provides methods for establishing a connection to a remote host and communicating with it.


Instance Method Details

#chost ⇒ Object

Returns the local host for outgoing connections


# File 'lib/msf/core/exploit/tcp.rb', line 231

# Returns the local host for outgoing connections.
#
# @return [Object] the value stored under the 'CHOST' datastore option
def chost
  option = 'CHOST'
  datastore[option]
end

#cleanup ⇒ Object

Performs cleanup, disconnects the socket if necessary


# File 'lib/msf/core/exploit/tcp.rb', line 189

# Performs cleanup: runs the superclass cleanup first, then closes the
# module's current socket (self.sock) via disconnect if one is still open.
#
# @return [Object] the return value of disconnect
def cleanup
  super
  disconnect
end

#connect(global = true, opts = {}) ⇒ Object

Establishes a TCP connection to the specified RHOST/RPORT


# File 'lib/msf/core/exploit/tcp.rb', line 88

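# Establishes a TCP connection to the specified RHOST/RPORT.
#
# Per-call overrides in +opts+ take precedence over the module's datastore
# options ('RHOST', 'RPORT', 'CHOST', 'CPORT', 'SSL', 'SSLVersion',
# 'SSLVerifyMode', 'SSLCipher', 'ConnectTimeout').
#
# @param global [Boolean] when true the new socket also becomes self.sock
# @param opts [Hash] per-connection overrides keyed by option name
# @return [Object] the connected socket returned by Rex::Socket::Tcp.create
def connect(global = true, opts = {})
  # SSL is negotiated when explicitly requested for this call or via the
  # 'SSL' option; it is also implied by the conventional HTTPS port while
  # the 'SSL' option is still at its default.
  dossl =
    if opts.key?('SSL')
      opts['SSL']
    else
      ssl || (datastore.default?('SSL') && rport.to_i == 443)
    end

  nsock = Rex::Socket::Tcp.create(
    'PeerHost'      => opts['RHOST'] || rhost,
    'PeerPort'      => (opts['RPORT'] || rport).to_i,
    'LocalHost'     => opts['CHOST'] || chost || "0.0.0.0",
    'LocalPort'     => (opts['CPORT'] || cport || 0).to_i,
    'SSL'           => dossl,
    'SSLVersion'    => opts['SSLVersion'] || ssl_version,
    # Forward the certificate verification and cipher options registered in
    # initialize; without this they are configurable but never applied.
    'SSLVerifyMode' => opts['SSLVerifyMode'] || datastore['SSLVerifyMode'],
    'SSLCipher'     => opts['SSLCipher'] || datastore['SSLCipher'],
    'Proxies'       => proxies,
    'Timeout'       => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
    'Context'       => { 'Msf' => framework, 'MsfExploit' => self }
  )

  # Apply the TCP::* evasion options to this socket.
  set_tcp_evasions(nsock)

  # Make this the module's global socket when requested.
  self.sock = nsock if global

  # Track the socket so that cleanup can abort it later.
  add_socket(nsock)

  nsock
end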

#connect_timeout ⇒ Object

Returns the TCP connection timeout


# File 'lib/msf/core/exploit/tcp.rb', line 266

# Returns the TCP connection timeout.
#
# @return [Object] the value stored under the 'ConnectTimeout' datastore option
def connect_timeout
  option = 'ConnectTimeout'
  datastore[option]
end

#cport ⇒ Object

Returns the local port for outgoing connections


# File 'lib/msf/core/exploit/tcp.rb', line 238

# Returns the local port for outgoing connections.
#
# @return [Object] the value stored under the 'CPORT' datastore option
def cport
  option = 'CPORT'
  datastore[option]
end

#disconnect(nsock = self.sock) ⇒ Object

Closes the TCP connection


# File 'lib/msf/core/exploit/tcp.rb', line 169

# Closes the TCP connection.
#
# Shuts down and closes +nsock+, tolerating a socket that is already closed
# (IOError). If the socket is the module's global socket, self.sock is reset
# to nil; the socket is then dropped from the exploit's socket list.
#
# @param nsock [Object, nil] socket to close (defaults to self.sock)
# @return [Object] the return value of remove_socket
def disconnect(nsock = self.sock)
  if nsock
    begin
      nsock.shutdown
      nsock.close
    rescue IOError
      # Already closed: nothing left to tear down.
    end
  end

  self.sock = nil if nsock == sock

  # Forget the socket so that later cleanup does not try to abort it again.
  remove_socket(nsock)
end

#handler(nsock = self.sock) ⇒ Object


# File 'lib/msf/core/exploit/tcp.rb', line 150

# Hands the socket to the superclass handler. When the handler claims the
# socket it must survive cleanup, so it is detached from self.sock and removed
# from the exploit's socket list.
#
# @param nsock [Object] socket handed to the handler (defaults to self.sock)
# @return [Object] the superclass handler's return value
def handler(nsock = self.sock)
  result = super
  return result unless result == Handler::Claimed

  # Detach the claimed socket so that disconnect/cleanup leaves it open.
  self.sock = nil if nsock == self.sock
  remove_socket(nsock)

  result
end

#initialize(info = {}) ⇒ Object

Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.


# File 'lib/msf/core/exploit/tcp.rb', line 52

# Initializes an instance of an exploit module that exploits a vulnerability
# in a TCP server: registers the target (RHOST/RPORT), connection (SSL*,
# Proxies, CHOST/CPORT, ConnectTimeout) and TCP evasion options.
#
# @param info [Hash] module information, passed through to the superclass
def initialize(info = {})
  super

  # Required target options.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT
    ], Msf::Exploit::Remote::Tcp
  )

  # Advanced connection options.
  # NOTE(review): SSLVersion defaults to 'SSL3' and the enum offers only
  # SSL2/SSL3/TLS1, all deprecated protocol versions; confirm which versions
  # the underlying socket library supports before changing the default.
  # NOTE(review): confirm that the connection path forwards SSLVerifyMode and
  # SSLCipher to the socket; otherwise they are registered but have no effect.
  register_advanced_options(
    [
      OptBool.new('SSL',        [ false, 'Negotiate SSL for outgoing connections', false]),
      OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
      OptEnum.new('SSLVerifyMode',  [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]),
      OptString.new('SSLCipher',    [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']),
      Opt::Proxies,
      Opt::CPORT,
      Opt::CHOST,
      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
    ], Msf::Exploit::Remote::Tcp
  )

  # Evasion options consumed by set_tcp_evasions; 0 disables each one.
  register_evasion_options(
    [
      OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size.  (0 = disable)', 0]),
      OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
    ], Msf::Exploit::Remote::Tcp
  )
end

#lhost ⇒ Object

Returns the local host


# File 'lib/msf/core/exploit/tcp.rb', line 217

# Returns the local host.
#
# @return [Object] the value stored under the 'LHOST' datastore option
def lhost
  option = 'LHOST'
  datastore[option]
end

#lport ⇒ Object

Returns the local port


# File 'lib/msf/core/exploit/tcp.rb', line 224

# Returns the local port.
#
# @return [Object] the value stored under the 'LPORT' datastore option
def lport
  option = 'LPORT'
  datastore[option]
end

#proxies ⇒ Object

Returns the proxy configuration


# File 'lib/msf/core/exploit/tcp.rb', line 259

# Returns the proxy configuration.
#
# @return [Object] the value stored under the 'Proxies' datastore option
def proxies
  option = 'Proxies'
  datastore[option]
end

#rhost ⇒ Object

Returns the target host


# File 'lib/msf/core/exploit/tcp.rb', line 203

# Returns the target host.
#
# @return [Object] the value stored under the 'RHOST' datastore option
def rhost
  option = 'RHOST'
  datastore[option]
end

#rport ⇒ Object

Returns the remote port


# File 'lib/msf/core/exploit/tcp.rb', line 210

# Returns the remote port.
#
# @return [Object] the value stored under the 'RPORT' datastore option
def rport
  option = 'RPORT'
  datastore[option]
end

#set_tcp_evasions(socket) ⇒ Object

Enables evasions on a given client socket


# File 'lib/msf/core/exploit/tcp.rb', line 128

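# Enables the TCP evasion options on a given client socket.
#
# The socket is extended with EvasiveTCP only when at least one of the
# 'TCP::max_send_size' / 'TCP::send_delay' options is non-zero, and only once
# (a socket that already responds to +evasive+ is left untouched).
#
# @param socket [Object] a connected client socket
# @return [Object] nil when nothing is applied; otherwise the last assignment
def set_tcp_evasions(socket)
  # Read each option once; both default to 0, meaning "disabled".
  max_send_size = datastore['TCP::max_send_size'].to_i
  send_delay = datastore['TCP::send_delay'].to_i

  # Nothing to do unless an evasion is configured.
  return if max_send_size.zero? && send_delay.zero?

  # Already extended on an earlier call.
  return if socket.respond_to?(:evasive)

  socket.extend(EvasiveTCP)

  if max_send_size.positive?
    socket._send_size = datastore['TCP::max_send_size']
    socket.denagle # presumably disables Nagle so segment size is honoured - see EvasiveTCP
    socket.evasive = true
  end

  if send_delay.positive?
    socket._send_delay = datastore['TCP::send_delay']
    socket.evasive = true
  end
end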

#ssl ⇒ Object

Returns the boolean indicating whether SSL is enabled


# File 'lib/msf/core/exploit/tcp.rb', line 245

# Returns the boolean indicating whether SSL is enabled.
#
# @return [Object] the value stored under the 'SSL' datastore option
def ssl
  option = 'SSL'
  datastore[option]
end

#ssl_version ⇒ Object

Returns the string indicating the SSL version to negotiate (SSLVersion)


# File 'lib/msf/core/exploit/tcp.rb', line 252

# Returns the string indicating the SSL version to negotiate.
#
# @return [Object] the value stored under the 'SSLVersion' datastore option
def ssl_version
  option = 'SSLVersion'
  datastore[option]
end