Module: Msf::Exploit::Remote::Tcp
- Included in:
- Auxiliary::Redis, Auxiliary::Rocketmq, AFP, Arkeia, Asterisk, DB2, DCERPC, DNS::Client, Ftp, Gdb, Imap, Java::Rmi::Client, MSSQL, MYSQL, NDMP, Pop2, RDP, RealPort, SMB::Client, SMB::Client::Psexec_MS17_010, SMTPDeliver, Smtp, SunRPC, TNS, Telnet, TincdExploitClient, Web, ZeroMQ
- Defined in:
- lib/msf/core/exploit/remote/tcp.rb
Overview
This module provides methods for establish a connection to a remote host and communicating with it.
Instance Attribute Summary collapse
-
#sock ⇒ Object
protected
Returns the value of attribute sock.
Instance Method Summary collapse
-
#chost ⇒ Object
Returns the local host for outgoing connections.
-
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary.
-
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT.
-
#connect_timeout ⇒ Object
Returns the TCP connection timeout.
-
#cport ⇒ Object
Returns the local port for outgoing connections.
-
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection.
- #handler(nsock = self.sock) ⇒ Object
-
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
-
#lhost ⇒ Object
Returns the local host.
-
#lport ⇒ Object
Returns the local port.
-
#peer ⇒ Object
Returns the rhost:rport.
- #print_prefix ⇒ Object
-
#proxies ⇒ Object
Returns the proxy configuration.
-
#rhost ⇒ Object
Returns the target host.
-
#rport ⇒ Object
Returns the remote port.
-
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client.
-
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection.
-
#ssl ⇒ Object
Returns the boolean indicating SSL.
-
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context.
-
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism.
-
#ssl_version ⇒ Object
Returns the string indicating SSLVersion.
Instance Attribute Details
#sock ⇒ Object (protected)
Returns the value of attribute sock.
316 317 318 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 316 def sock @sock end |
Instance Method Details
#chost ⇒ Object
Returns the local host for outgoing connections
228 229 230 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 228 def chost datastore['CHOST'] end |
#cleanup ⇒ Object
Performs cleanup, disconnects the socket if necessary
202 203 204 205 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 202 def cleanup super disconnect end |
#connect(global = true, opts = {}) ⇒ Object
Establishes a TCP connection to the specified RHOST/RPORT
90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 90 def connect(global = true, opts={}) dossl = false if(opts.has_key?('SSL')) dossl = opts['SSL'] else dossl = ssl if (datastore.default?('SSL') and rport.to_i == 443) dossl = true end end nsock = Rex::Socket::Tcp.create( 'PeerHost' => opts['RHOST'] || rhost, 'PeerHostname' => opts['SSLServerNameIndication'] || opts['VHOST'] || opts['RHOSTNAME'], 'PeerPort' => (opts['RPORT'] || rport).to_i, 'LocalHost' => opts['CHOST'] || chost || "0.0.0.0", 'LocalPort' => (opts['CPORT'] || cport || 0).to_i, 'SSL' => dossl, 'SSLVersion' => opts['SSLVersion'] || ssl_version, 'SSLVerifyMode' => opts['SSLVerifyMode'] || ssl_verify_mode, 'SSLCipher' => opts['SSLCipher'] || ssl_cipher, 'Proxies' => proxies, 'Timeout' => (opts['ConnectTimeout'] || connect_timeout || 10).to_i, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, }) # enable evasions on this socket set_tcp_evasions(nsock) # Set this socket to the global socket as necessary self.sock = nsock if (global) # Add this socket to the list of sockets created by this exploit add_socket(nsock) return nsock end |
#connect_timeout ⇒ Object
Returns the TCP connection timeout
235 236 237 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 235 def connect_timeout datastore['ConnectTimeout'] end |
#cport ⇒ Object
Returns the local port for outgoing connections
242 243 244 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 242 def cport datastore['CPORT'] end |
#disconnect(nsock = self.sock) ⇒ Object
Closes the TCP connection
182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 182 def disconnect(nsock = self.sock) begin if (nsock) nsock.shutdown nsock.close end rescue IOError end if (nsock == sock) self.sock = nil end # Remove this socket from the list of sockets created by this exploit remove_socket(nsock) end |
#handler(nsock = self.sock) ⇒ Object
155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 155 def handler(nsock = self.sock) # If the handler claims the socket, then we don't want it to get closed # during cleanup if ((rv = super) == Handler::Claimed) if (nsock == self.sock) self.sock = nil end # Remove this socket from the list of sockets so that it will not be # aborted. remove_socket(nsock) end return rv end |
#initialize(info = {}) ⇒ Object
Initializes an instance of an exploit module that exploits a vulnerability in a TCP server.
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 53 def initialize(info = {}) super ( [ Opt::RHOST, Opt::RPORT ], Msf::Exploit::Remote::Tcp ) ( [ OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), OptString.new('SSLServerNameIndication', [ false, 'SSL/TLS Server Name Indication (SNI)', nil]), Opt::SSLVersion, OptEnum.new('SSLVerifyMode', [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]), OptString.new('SSLCipher', [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']), Opt::Proxies, Opt::CPORT, Opt::CHOST, OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10]) ], Msf::Exploit::Remote::Tcp ) ( [ OptInt.new('TCP::max_send_size', [false, 'Maxiumum tcp segment size. (0 = disable)', 0]), OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send. (0 = disable)', 0]) ], Msf::Exploit::Remote::Tcp ) end |
#lhost ⇒ Object
Returns the local host
249 250 251 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 249 def lhost datastore['LHOST'] end |
#lport ⇒ Object
Returns the local port
256 257 258 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 256 def lport datastore['LPORT'] end |
#peer ⇒ Object
Returns the rhost:rport
261 262 263 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 261 def peer "#{rhost}:#{rport}" end |
#print_prefix ⇒ Object
207 208 209 210 211 212 213 214 215 216 217 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 207 def print_prefix # Only inject a host/port prefix if we have exactly one entry. # Otherwise we are logging in the global context where rhost can be any # size (being an alias for rhosts), which is not very useful to insert into # a single log line. if rhost && rhost.split(' ').length == 1 super + peer + ' - ' else super end end |
#proxies ⇒ Object
Returns the proxy configuration
268 269 270 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 268 def proxies datastore['Proxies'] end |
#rhost ⇒ Object
Returns the target host
275 276 277 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 275 def rhost datastore['RHOST'] end |
#rport ⇒ Object
Returns the remote port
282 283 284 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 282 def rport datastore['RPORT'] end |
#set_tcp_evasions(socket) ⇒ Object
Enable evasions on a given client
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 133 def set_tcp_evasions(socket) if( datastore['TCP::max_send_size'].to_i == 0 and datastore['TCP::send_delay'].to_i == 0) return end return if socket.respond_to?('evasive') socket.extend(EvasiveTCP) if ( datastore['TCP::max_send_size'].to_i > 0) socket._send_size = datastore['TCP::max_send_size'] socket.denagle socket.evasive = true end if ( datastore['TCP::send_delay'].to_i > 0) socket._send_delay = datastore['TCP::send_delay'] socket.evasive = true end end |
#shutdown(how = :SHUT_RDWR) ⇒ Object
Shutdown the TCP connection
174 175 176 177 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 174 def shutdown(how = :SHUT_RDWR) self.sock.shutdown(how) if self.sock rescue IOError end |
#ssl ⇒ Object
Returns the boolean indicating SSL
289 290 291 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 289 def ssl datastore['SSL'] end |
#ssl_cipher ⇒ Object
Returns the SSL cipher to use for the context
310 311 312 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 310 def ssl_cipher datastore['SSLCipher'] end |
#ssl_verify_mode ⇒ Object
Returns the SSL certification verification mechanism
303 304 305 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 303 def ssl_verify_mode datastore['SSLVerifyMode'] end |
#ssl_version ⇒ Object
Returns the string indicating SSLVersion
296 297 298 |
# File 'lib/msf/core/exploit/remote/tcp.rb', line 296 def ssl_version datastore['SSLVersion'] end |