Module: Msf::Exploit::Remote::TcpServer

Includes:

SocketServer

Included in:

FtpServer, HttpServer

Defined in:

lib/msf/core/exploit/remote/tcp_server.rb

Overview

This mixin provides a generic interface for running a TCP server of some sort that is designed to exploit clients. Exploits that include this mixin automatically take a passive stance.

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

• #initialize(info = {}) ⇒ Object
• #on_client_close(client) ⇒ Object

  Called when a client has disconnected.

• #on_client_connect(client) ⇒ Object

  Called when a client connects.

• #ssl ⇒ Object

  Returns the SSL option.

• #ssl_cert ⇒ Object

  Returns the SSLCert option.

• #ssl_cipher ⇒ Object

  Returns the SSLCipher option.

• #ssl_compression ⇒ Bool

  Enable SSL/TLS-level compression.

• #ssl_version ⇒ Object

  Returns the SSLVersion option.

• #start_service(opts = {}) ⇒ Object

  Starts the service.

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Method Details

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 16

def initialize(info = {})
  super

  register_options(
    [
      OptBool.new('SSL',        [ false, 'Negotiate SSL for incoming connections', false]),
      # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
      OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
    ], Msf::Exploit::Remote::TcpServer
  )

  register_advanced_options(
    [
      OptBool.new('SSLCompression', [ false, 'Enable SSL/TLS-level compression', false ]),
      OptString.new('SSLCipher',    [ false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"']),
      Opt::SSLVersion
    ], Msf::Exploit::Remote::TcpServer)

  register_evasion_options(
    [
      OptInt.new('TCP::max_send_size', [false, 'Maximum tcp segment size.  (0 = disable)', 0]),
      OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
    ], Msf::Exploit::Remote::Tcp
  )
end

#on_client_close(client) ⇒ Object

Called when a client has disconnected.

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 50

def on_client_close(client)
end

#on_client_connect(client) ⇒ Object

Called when a client connects.

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 44

def on_client_connect(client)
end

#ssl ⇒ Object

Returns the SSL option

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 116

def ssl
  datastore['SSL']
end

#ssl_cert ⇒ Object

Returns the SSLCert option

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 123

def ssl_cert
  datastore['SSLCert']
end

#ssl_cipher ⇒ Object

Returns the SSLCipher option

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 130

def ssl_cipher
  datastore['SSLCipher']
end

#ssl_compression ⇒ Bool

Returns enable SSL/TLS-level compression.

Returns:

• (Bool) —

  enable SSL/TLS-level compression

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 135

def ssl_compression
  datastore['SSLCompression']
end

#ssl_version ⇒ Object

Returns the SSLVersion option

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 142

def ssl_version
  datastore['SSLVersion']
end

#start_service(opts = {}) ⇒ Object

Starts the service.

# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 56

def start_service(opts = {})
  begin
    comm = _determine_server_comm(bindhost)

    self.service = Rex::Socket::TcpServer.create({
      'LocalHost'      => bindhost,
      'LocalPort'      => bindport,
      'SSL'            => ssl,
      'SSLCert'        => ssl_cert,
      'SSLCipher'      => ssl_cipher,
      'SSLCompression' => ssl_compression,
      'SSLVersion'     => ssl_version,
      'Comm'           => comm,
      'Context'        =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        }
    }.update(opts))

    self.service.on_client_connect_proc = Proc.new { |client|
      on_client_connect(client)
    }
    self.service.on_client_data_proc = Proc.new { |client|
      on_client_data(client)
    }
    self.service.on_client_close_proc = Proc.new { |client|
      on_client_close(client)
    }

    # Start the listening service
    self.service.start

  rescue ::Errno::EACCES => e
    if (srvport.to_i < 1024)
      print_line(" ")
      print_error("Could not start the TCP server: #{e}.")
      print_error(
        "This module is configured to use a privileged TCP port (#{bindport}). " +
        "On Unix systems, only the root user account is allowed to bind to privileged ports." +
        "Please run the framework as root to use this module."
      )
      print_error(
        "On Microsoft Windows systems, this error is returned when a process attempts to "+
        "listen on a host/port combination that is already in use. For example, Windows XP "+
        "will return this error if a process attempts to bind() over the system SMB/NetBIOS services."
      )
      print_line(" ")
    end
    raise e
  end

  via = via_string(comm)
  hoststr = Rex::Socket.is_ipv6?(bindhost) ? "[#{bindhost}]" : bindhost
  print_status("Started service listener on #{hoststr}:#{bindport} #{via}")
end