Module: Msf::Exploit::Remote::TcpServer

Includes:
SocketServer
Included in:
FtpServer, HttpServer, SMB::Server
Defined in:
lib/msf/core/exploit/tcp_server.rb

Overview

This mixin provides a generic interface for running a TCP server of some sort that is designed to exploit clients. Exploits that include this mixin automatically take a passive stance.

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

Methods included from SocketServer

#_determine_server_comm, #cleanup, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #stop_service, #via_string_for_ip

Instance Method Details

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/tcp_server.rb', line 17

# Registers the datastore options this mixin contributes: the TLS listener
# options, the advanced listener options, and the TCP evasion options.
#
# @param info [Hash] module information, forwarded unchanged to +super+
def initialize(info = {})
  super

  # Basic listener options. SSL defaults to false (plaintext listener).
  # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
  listener_opts = [
    OptBool.new('SSL',        [ false, 'Negotiate SSL for incoming connections', false]),
    OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
  ]
  register_options(listener_opts, Msf::Exploit::Remote::TcpServer)

  # Advanced options. SSLCompression defaults to false; TLS-level compression
  # is the precondition for compression side-channel attacks such as CRIME,
  # so it is off unless explicitly enabled.
  # NOTE(review): the "ADH" example in the SSLCipher help text is an anonymous
  # (unauthenticated) key exchange - confirm that is the intended example.
  advanced_opts = [
    OptString.new('ListenerComm', [ false, 'The specific communication channel to use for this service']),
    OptBool.new('SSLCompression', [ false, 'Enable SSL/TLS-level compression', false ]),
    OptString.new('SSLCipher',    [ false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"'])
  ]
  register_advanced_options(advanced_opts, Msf::Exploit::Remote::TcpServer)

  # Evasion options. These are registered with Msf::Exploit::Remote::Tcp as
  # the owner, not TcpServer. Both default to 0, which disables them.
  evasion_opts = [
    OptInt.new('TCP::max_send_size', [false, 'Maximum tcp segment size.  (0 = disable)', 0]),
    OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
  ]
  register_evasion_options(evasion_opts, Msf::Exploit::Remote::Tcp)
end

#on_client_close(client) ⇒ Object

Called when a client has disconnected.


# File 'lib/msf/core/exploit/tcp_server.rb', line 51

# Hook invoked when a client has disconnected. The default implementation
# does nothing; including modules override it to react to a disconnect.
#
# @param client [Object] the client connection that was closed
# @return [nil]
def on_client_close(client)
  nil
end

#on_client_connect(client) ⇒ Object

Called when a client connects.


# File 'lib/msf/core/exploit/tcp_server.rb', line 45

# Hook invoked when a client connects. The default implementation does
# nothing; including modules override it to handle the new connection.
#
# @param client [Object] the client connection that was accepted
# @return [nil]
def on_client_connect(client)
  nil
end

#ssl ⇒ Object

Returns the SSL option


# File 'lib/msf/core/exploit/tcp_server.rb', line 116

# Reads the 'SSL' datastore option, which controls whether SSL is
# negotiated for incoming connections.
#
# @return [Object] the raw value stored under 'SSL' in the datastore
def ssl
  ssl_enabled = datastore['SSL']
  ssl_enabled
end

#ssl_cert ⇒ Object

Returns the SSLCert option


# File 'lib/msf/core/exploit/tcp_server.rb', line 123

# Reads the 'SSLCert' datastore option: the path to a custom SSL
# certificate for the listener.
#
# @return [Object] the raw value stored under 'SSLCert' in the datastore
def ssl_cert
  cert_path = datastore['SSLCert']
  cert_path
end

#ssl_cipher ⇒ Object

Returns the SSLCipher option


# File 'lib/msf/core/exploit/tcp_server.rb', line 130

# Reads the 'SSLCipher' datastore option: the SSL cipher spec string for
# the listener.
#
# @return [Object] the raw value stored under 'SSLCipher' in the datastore
def ssl_cipher
  cipher_spec = datastore['SSLCipher']
  cipher_spec
end

#ssl_compression ⇒ Bool

Returns whether SSL/TLS-level compression is enabled.

Returns:

  • (Bool)

    whether SSL/TLS-level compression is enabled


# File 'lib/msf/core/exploit/tcp_server.rb', line 135

# Reads the 'SSLCompression' datastore option, which controls whether
# SSL/TLS-level compression is enabled on the listener.
#
# @return [Bool] the raw value stored under 'SSLCompression' in the datastore
def ssl_compression
  compression_enabled = datastore['SSLCompression']
  compression_enabled
end

#start_service(*args) ⇒ Object

Starts the service.


# File 'lib/msf/core/exploit/tcp_server.rb', line 57

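# Creates the Rex TCP server from the module's listener settings, wires the
# connect/data/close callbacks to this module's hooks, and starts listening.
#
# Only Errno::EACCES is rescued here. When the configured port is below 1024,
# guidance about privileged ports is printed before the error is re-raised.
# Any other exception raised while creating or starting the server propagates
# to the caller untouched.
#
# @param args [Array] accepted for interface compatibility; not used here
# @raise [Errno::EACCES] re-raised after printing guidance
def start_service(*args)
  begin

    comm = _determine_server_comm

    self.service = Rex::Socket::TcpServer.create(
      'LocalHost' => srvhost,
      'LocalPort' => srvport,
      'SSL'       => ssl,
      'SSLCert'   => ssl_cert,
      'SSLCipher'   => ssl_cipher,
      'SSLCompression' => ssl_compression,
      'Comm'      => comm,
      'Context'   =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        })

    # Route the server's events to the overridable hooks on this module.
    self.service.on_client_connect_proc = Proc.new { |client|
      on_client_connect(client)
    }
    self.service.on_client_data_proc = Proc.new { |client|
      on_client_data(client)
    }
    self.service.on_client_close_proc = Proc.new { |client|
      on_client_close(client)
    }

    # Start the listening service
    self.service.start

  rescue ::Errno::EACCES => e
    # The guidance only applies to privileged ports. For ports >= 1024 the
    # error is re-raised without extra output.
    if (srvport.to_i < 1024)
      print_line(" ")
      print_error("Could not start the TCP server: #{e}.")
      # NOTE(review): the message recommends running the whole framework as
      # root. Where least privilege matters, listening on a port >= 1024 is
      # the narrower alternative.
      # Each fragment ends with a space so the concatenated sentences do not
      # run together.
      print_error(
        "This module is configured to use a privileged TCP port (#{srvport}). " +
        "On Unix systems, only the root user account is allowed to bind to privileged ports. " +
        "Please run the framework as root to use this module."
      )
      print_error(
        "On Microsoft Windows systems, this error is returned when a process attempts to "+
        "listen on a host/port combination that is already in use. For example, Windows XP "+
        "will return this error if a process attempts to bind() over the system SMB/NetBIOS services."
      )
      print_line(" ")
    end
    raise e
  end

  via = via_string_for_ip(srvhost, comm)
  # IPv6 literals are bracketed so the host:port form stays unambiguous.
  hoststr = Rex::Socket.is_ipv6?(srvhost) ? "[#{srvhost}]" : srvhost
  print_status("Started service listener on #{hoststr}:#{srvport} #{via}")
end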