Class: Rex::Proto::TFTP::Client

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/tftp/client.rb

Overview

TFTP Client class

Note that TFTP has blocks, and so does Ruby. Watch out with the variable names!

The big gotcha right now is that setting the mode between octet, netascii, or anything else doesn't actually do anything other than declare it to the server.

Also, since TFTP clients act as both clients and servers, we use two threads to handle transfers, regardless of the direction. For this reason, the transfer actions are nonblocking; if you need to see the results of a transfer before doing something else, check the boolean complete attribute and any return data in the :status attribute. It's a little weird like that.

Finally, most (all?) clients will alter the data in netascii mode in order to try to conform to the RFC standard for what “netascii” means, but there are ambiguities in implementations on things like if nulls are allowed, what to do with Unicode, and all that. For this reason, “octet” is default, and if you want to send “netascii” data, it's on you to fix up your source data prior to sending it.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(params) ⇒ Client

Returns a new instance of Client


50
51
52
53
54
55
56
57
58
59
60
61
62
# File 'lib/rex/proto/tftp/client.rb', line 50

def initialize(params)
  self.threads = []
  self.local_host = params["LocalHost"] || "0.0.0.0"
  self.local_port = params["LocalPort"] || (1025 + rand(0xffff-1025))
  self.peer_host = params["PeerHost"] || (raise ArgumentError, "Need a peer host.")
  self.peer_port = params["PeerPort"] || 69
  self.context = params["Context"]
  self.local_file = params["LocalFile"]
  self.remote_file = params["RemoteFile"] || (::File.split(self.local_file).last if self.local_file)
  self.mode = params["Mode"] || "octet"
  self.action = params["Action"] || (raise ArgumentError, "Need an action.")
  self.block_size = params["BlockSize"] || 512
end

Instance Attribute Details

#actionObject

Returns the value of attribute action


37
38
39
# File 'lib/rex/proto/tftp/client.rb', line 37

def action
  @action
end

#block_sizeObject

This definitely breaks spec, should only use for fuzz/sploit.


39
40
41
# File 'lib/rex/proto/tftp/client.rb', line 39

def block_size
  @block_size
end

#client_sockObject

Returns the value of attribute client_sock


36
37
38
# File 'lib/rex/proto/tftp/client.rb', line 36

def client_sock
  @client_sock
end

#completeObject

Returns the value of attribute complete


38
39
40
# File 'lib/rex/proto/tftp/client.rb', line 38

def complete
  @complete
end

#contextObject

Returns the value of attribute context


36
37
38
# File 'lib/rex/proto/tftp/client.rb', line 36

def context
  @context
end

#local_fileObject

Returns the value of attribute local_file


37
38
39
# File 'lib/rex/proto/tftp/client.rb', line 37

def local_file
  @local_file
end

#local_hostObject

Returns the value of attribute local_host


35
36
37
# File 'lib/rex/proto/tftp/client.rb', line 35

def local_host
  @local_host
end

#local_portObject

Returns the value of attribute local_port


35
36
37
# File 'lib/rex/proto/tftp/client.rb', line 35

def local_port
  @local_port
end

#modeObject

Returns the value of attribute mode


37
38
39
# File 'lib/rex/proto/tftp/client.rb', line 37

def mode
  @mode
end

#peer_hostObject

Returns the value of attribute peer_host


35
36
37
# File 'lib/rex/proto/tftp/client.rb', line 35

def peer_host
  @peer_host
end

#peer_portObject

Returns the value of attribute peer_port


35
36
37
# File 'lib/rex/proto/tftp/client.rb', line 35

def peer_port
  @peer_port
end

#recv_tempfileObject

Returns the value of attribute recv_tempfile


38
39
40
# File 'lib/rex/proto/tftp/client.rb', line 38

def recv_tempfile
  @recv_tempfile
end

#remote_fileObject

Returns the value of attribute remote_file


37
38
39
# File 'lib/rex/proto/tftp/client.rb', line 37

def remote_file
  @remote_file
end

#server_sockObject

Returns the value of attribute server_sock


36
37
38
# File 'lib/rex/proto/tftp/client.rb', line 36

def server_sock
  @server_sock
end

#statusObject

Returns the value of attribute status


38
39
40
# File 'lib/rex/proto/tftp/client.rb', line 38

def status
  @status
end

#threadsObject

Returns the value of attribute threads


36
37
38
# File 'lib/rex/proto/tftp/client.rb', line 36

def threads
  @threads
end

Instance Method Details

#ack_packet(blocknum = 0) ⇒ Object


148
149
150
# File 'lib/rex/proto/tftp/client.rb', line 148

def ack_packet(blocknum=0)
  req = [OpAck, blocknum].pack("nn")
end

#blockify_file_or_dataObject

Note that the local filename for uploading need not be a real filename – if it begins with DATA: it can be any old string of bytes. If it's missing completely, then just quit.


244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
# File 'lib/rex/proto/tftp/client.rb', line 244

def blockify_file_or_data
  if self.local_file =~ /^DATA:(.*)/m
    data = $1
  elsif ::File.file?(self.local_file) and ::File.readable?(self.local_file)
    data = ::File.open(self.local_file, "rb") {|f| f.read f.stat.size} rescue []
  else
    return []
  end
  data_blocks = data.scan(/.{1,#{block_size}}/m)
  # Drop any trailing empty blocks
  if data_blocks.size > 1 and data_blocks.last.empty?
    data_blocks.pop
  end
  return data_blocks
end

#monitor_client_sockObject


115
116
117
118
119
120
121
122
123
# File 'lib/rex/proto/tftp/client.rb', line 115

def monitor_client_sock
  res = self.client_sock.recvfrom(65535)
  if res[1] # Got a response back, so that's never good; Acks come back on server_sock.
    code, type, data = parse_tftp_response(res[0])
    yield("Aborting, got code:%d, type:%d, message:'%s'" % [code, type, data]) if block_given?
    self.status = {:error => [code, type, data]}
    stop
  end
end

#monitor_server_sock {|"Listening for incoming ACKs"| ... } ⇒ Object

Yields:

  • ("Listening for incoming ACKs")

86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# File 'lib/rex/proto/tftp/client.rb', line 86

def monitor_server_sock
  yield "Listening for incoming ACKs" if block_given?
  res = self.server_sock.recvfrom(65535)
  if res and res[0]
    code, type, data = parse_tftp_response(res[0])
    if code == OpAck and self.action == :upload
      if block_given?
        yield "WRQ accepted, sending the file." if type == 0
        send_data(res[1], res[2]) {|msg| yield msg}
      else
        send_data(res[1], res[2])
      end
    elsif code == OpData and self.action == :download
      if block_given?
        recv_data(res[1], res[2], data) {|msg| yield msg}
      else
        recv_data(res[1], res[2], data)
      end
    elsif code == OpError
      yield("Aborting, got error type:%d, message:'%s'" % [type, data]) if block_given?
      self.status = {:error => [code, type, data]}
    else
      yield("Aborting, got code:%d, type:%d, message:'%s'" % [code, type, data]) if block_given?
      self.status = {:error => [code, type, data]}
    end
  end
  stop
end

#parse_tftp_response(str) ⇒ Object

Returns an array of [code, type, msg]. Data packets specifically will /not/ unpack, since that would drop any trailing spaces or nulls.


43
44
45
46
47
48
# File 'lib/rex/proto/tftp/client.rb', line 43

def parse_tftp_response(str)
  return nil unless str.length >= 4
  ret = str.unpack("nnA*")
  ret[2] = str[4,str.size] if ret[0] == OpData
  return ret
end

#recv_data(host, port, first_block) ⇒ Object


180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
# File 'lib/rex/proto/tftp/client.rb', line 180

def recv_data(host, port, first_block)
  self.recv_tempfile = Rex::Quickfile.new('msf-tftp')
  recvd_blocks = 1
  if block_given?
    yield "Source file: #{self.remote_file}, destination file: #{self.local_file}"
    yield "Received and acknowledged #{first_block.size} in block #{recvd_blocks}"
  end
  if block_given?
    write_and_ack_data(first_block,1,host,port) {|msg| yield msg}
  else
    write_and_ack_data(first_block,1,host,port)
  end
  current_block = first_block
  while current_block.size == 512
    res = self.server_sock.recvfrom(65535)
    if res and res[0]
      code, block_num, current_block = parse_tftp_response(res[0])
      if code == 3
        if block_given?
          write_and_ack_data(current_block,block_num,host,port) {|msg| yield msg}
        else
          write_and_ack_data(current_block,block_num,host,port)
        end
        recvd_blocks += 1
      else
        yield("Aborting, got code:%d, type:%d, message:'%s'" % [code, type, msg]) if block_given?
        stop
      end
    end
  end
  if block_given?
    yield("Transferred #{self.recv_tempfile.size} bytes in #{recvd_blocks} blocks, download complete!")
  end
  self.status = {:success => [
    self.local_file,
    self.remote_file,
    self.recv_tempfile.size,
    recvd_blocks.size]
  }
  self.recv_tempfile.close
  stop
end

#rrq_packetObject

Methods for download


142
143
144
145
146
# File 'lib/rex/proto/tftp/client.rb', line 142

def rrq_packet
  req = [OpRead, self.remote_file, self.mode]
  packstr = "na#{self.remote_file.length+1}a#{self.mode.length+1}"
  req.pack(packstr)
end

#send_data(host, port) ⇒ Object


288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
# File 'lib/rex/proto/tftp/client.rb', line 288

def send_data(host,port)
  self.status = {:write_allowed => true}
  data_blocks = blockify_file_or_data()
  if data_blocks.empty?
    yield "Closing down since there is no data to send." if block_given?
    self.status = {:success => [self.local_file, self.local_file, 0, 0]}
    return nil
  end
  sent_data = 0
  sent_blocks = 0
  expected_blocks = data_blocks.size
  expected_size = data_blocks.join.size
  if block_given?
    yield "Source file: #{self.local_file =~ /^DATA:/ ? "(Data)" : self.remote_file}, destination file: #{self.remote_file}"
    yield "Sending #{expected_size} bytes (#{expected_blocks} blocks)"
  end
  data_blocks.each_with_index do |data_block,idx|
    req = [OpData, (idx + 1), data_block].pack("nnA*")
    if self.server_sock.sendto(req, host, port) > 0
      sent_data += data_block.size
    end
    res = self.server_sock.recvfrom(65535)
    if res
      code, type, msg = parse_tftp_response(res[0])
      if code == 4
        sent_blocks += 1
        yield "Sent #{data_block.size} bytes in block #{sent_blocks}" if block_given?
      else
        if block_given?
          yield "Got an unexpected response: Code:%d, Type:%d, Message:'%s'. Aborting." % [code, type, msg]
        end
        break
      end
    end
  end
  if block_given?
    if(sent_data == expected_size)
      yield("Transferred #{sent_data} bytes in #{sent_blocks} blocks, upload complete!")
    else
      yield "Upload complete, but with errors."
    end
  end
  if sent_data == expected_size
  self.status = {:success => [
      self.local_file,
      self.remote_file,
      sent_data,
      sent_blocks
    ] }
  end
end

#send_read_request(&block) ⇒ Object


152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# File 'lib/rex/proto/tftp/client.rb', line 152

def send_read_request(&block)
  self.status = nil
  self.complete = false
  if block_given?
    start_server_socket {|msg| yield msg}
  else
    start_server_socket
  end
  self.client_sock = Rex::Socket::Udp.create(
    'PeerHost'  => peer_host,
    'PeerPort'  => peer_port,
    'LocalHost' => local_host,
    'LocalPort' => local_port,
    'Context'   => context
  )
  self.client_sock.sendto(rrq_packet, peer_host, peer_port)
  self.threads << Rex::ThreadFactory.spawn("TFTPClientMonitor", false) {
    if block_given?
      monitor_client_sock {|msg| yield msg}
    else
      monitor_client_sock
    end
  }
  until self.complete
    return self.status
  end
end

#send_write_request(&block) ⇒ Object


260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
# File 'lib/rex/proto/tftp/client.rb', line 260

def send_write_request(&block)
  self.status = nil
  self.complete = false
  if block_given?
    start_server_socket {|msg| yield msg}
  else
    start_server_socket
  end
  self.client_sock = Rex::Socket::Udp.create(
    'PeerHost'  => peer_host,
    'PeerPort'  => peer_port,
    'LocalHost' => local_host,
    'LocalPort' => local_port,
    'Context'   => context
  )
  self.client_sock.sendto(wrq_packet, peer_host, peer_port)
  self.threads << Rex::ThreadFactory.spawn("TFTPClientMonitor", false) {
    if block_given?
      monitor_client_sock {|msg| yield msg}
    else
      monitor_client_sock
    end
  }
  until self.complete
    return self.status
  end
end

#start_server_socketObject

Methods for both upload and download


68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# File 'lib/rex/proto/tftp/client.rb', line 68

def start_server_socket
  self.server_sock = Rex::Socket::Udp.create(
    'LocalHost' => local_host,
    'LocalPort' => local_port,
    'Context'   => context
  )
  if self.server_sock and block_given?
    yield "Started TFTP client listener on #{local_host}:#{local_port}"
  end
  self.threads << Rex::ThreadFactory.spawn("TFTPServerMonitor", false) {
    if block_given?
      monitor_server_sock {|msg| yield msg}
    else
      monitor_server_sock
    end
  }
end

#stopObject


125
126
127
128
129
130
131
132
133
134
135
136
# File 'lib/rex/proto/tftp/client.rb', line 125

def stop
  self.complete = true
  begin
    self.server_sock.close
    self.client_sock.close
    self.server_sock = nil
    self.client_sock = nil
    self.threads.each {|t| t.kill}
  rescue
    nil
  end
end

#write_and_ack_data(data, blocknum, host, port) {|"Received and acknowledged #{data.size} in block #{blocknum}"| ... } ⇒ Object

Yields:

  • ("Received and acknowledged #{data.size} in block #{blocknum}")

223
224
225
226
227
228
229
# File 'lib/rex/proto/tftp/client.rb', line 223

def write_and_ack_data(data,blocknum,host,port)
  self.recv_tempfile.write(data)
  self.recv_tempfile.flush
  req = ack_packet(blocknum)
  self.server_sock.sendto(req, host, port)
  yield "Received and acknowledged #{data.size} in block #{blocknum}" if block_given?
end

#wrq_packetObject

Methods for upload


235
236
237
238
239
# File 'lib/rex/proto/tftp/client.rb', line 235

def wrq_packet
  req = [OpWrite, self.remote_file, self.mode]
  packstr = "na#{self.remote_file.length+1}a#{self.mode.length+1}"
  req.pack(packstr)
end