Class: Rex::Proto::TFTP::Server

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/tftp/server.rb

Overview

TFTP Server class

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(port = 69, listen_host = '0.0.0.0', context = {}) ⇒ Server

Returns a new instance of Server.


28
29
30
31
32
33
34
35
36
37
38
39
40
# File 'lib/rex/proto/tftp/server.rb', line 28

def initialize(port = 69, listen_host = '0.0.0.0', context = {})
  self.listen_host = listen_host
  self.listen_port = port
  self.context = context
  self.sock = nil
  @shutting_down = false
  @output_dir = nil
  @tftproot = nil

  self.files = []
  self.uploaded = []
  self.transfers = []
end

Instance Attribute Details

#contextObject

Returns the value of attribute context


171
172
173
# File 'lib/rex/proto/tftp/server.rb', line 171

def context
  @context
end

#filesObject

Returns the value of attribute files


172
173
174
# File 'lib/rex/proto/tftp/server.rb', line 172

def files
  @files
end

#incoming_file_hookObject

Returns the value of attribute incoming_file_hook


175
176
177
# File 'lib/rex/proto/tftp/server.rb', line 175

def incoming_file_hook
  @incoming_file_hook
end

#listen_hostObject

Returns the value of attribute listen_host


171
172
173
# File 'lib/rex/proto/tftp/server.rb', line 171

def listen_host
  @listen_host
end

#listen_portObject

Returns the value of attribute listen_port


171
172
173
# File 'lib/rex/proto/tftp/server.rb', line 171

def listen_port
  @listen_port
end

#sockObject

Returns the value of attribute sock


172
173
174
# File 'lib/rex/proto/tftp/server.rb', line 172

def sock
  @sock
end

#threadObject

Returns the value of attribute thread


173
174
175
# File 'lib/rex/proto/tftp/server.rb', line 173

def thread
  @thread
end

#transfersObject

Returns the value of attribute transfers


172
173
174
# File 'lib/rex/proto/tftp/server.rb', line 172

def transfers
  @transfers
end

#uploadedObject

Returns the value of attribute uploaded


172
173
174
# File 'lib/rex/proto/tftp/server.rb', line 172

def uploaded
  @uploaded
end

Instance Method Details

#check_retransmission(tr) ⇒ Object (protected)


205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
# File 'lib/rex/proto/tftp/server.rb', line 205

def check_retransmission(tr)
  elapsed = ::Time.now - tr[:last_sent]
  if (elapsed >= tr[:timeout])
    # max retries reached?
    if (tr[:retries] < 3)
      #if (tr[:type] == OpRead)
      #	puts "[-] ack timed out, resending block"
      #else
      #	puts "[-] block timed out, resending ack"
      #end
      tr[:last_sent] = nil
      tr[:retries] += 1
    else
      #puts "[-] maximum tries reached, terminating transfer"
      self.transfers.delete(tr)
    end
  end
end

#dispatch_request(from, buf) ⇒ Object (protected)

Dispatch a packet that we received


312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
# File 'lib/rex/proto/tftp/server.rb', line 312

def dispatch_request(from, buf)

  op = buf.unpack('n')[0]
  buf.slice!(0,2)

  #XXX: todo - create call backs for status
  #start = "[*] TFTP - %s:%u - %s" % [from[0], from[1], OPCODES[op]]

  case op
  when Constants::OpRead
    # Process RRQ packets
    fn = TFTP::get_string(buf)
    mode = TFTP::get_string(buf).downcase

    #puts "%s %s %s" % [start, fn, mode]

    if (not @shutting_down) and (file = self.find_file(fn))
      if (file[:once] and file[:started])
        send_error(from, Constants::ErrFileNotFound)
      else
        transfer = {
          :type => Constants::OpRead,
          :from => from,
          :file => file,
          :block => 1,
          :blksize => 512,
          :offset => 0,
          :timeout => 3,
          :last_sent => nil,
          :retries => 0
        }

        process_options(from, buf, transfer)

        self.transfers << transfer
      end
    else
      #puts "[-] file not found!"
      send_error(from, Constants::ErrFileNotFound)
    end

  when Constants::OpWrite
    # Process WRQ packets
    fn = TFTP::get_string(buf)
    mode = TFTP::get_string(buf).downcase

    #puts "%s %s %s" % [start, fn, mode]

    if not @shutting_down
      transfer = {
        :type => Constants::OpWrite,
        :from => from,
        :file => { :name => fn, :data => '' },
        :block => 0, # WRQ starts at 0
        :blksize => 512,
        :timeout => 3,
        :last_sent => nil,
        :retries => 0
      }

      process_options(from, buf, transfer)

      self.transfers << transfer
    else
      send_error(from, Constants::ErrIllegalOperation)
    end

  when Constants::OpAck
    # Process ACK packets
    block = buf.unpack('n')[0]

    #puts "%s %d" % [start, block]

    tr = find_transfer(Constants::OpRead, from, block)
    if not tr
      # NOTE: some clients, such as pxelinux, send an ack for block 0.
      # To deal with this, we simply ignore it as we start with block 1.
      return if block == 0

      # If we didn't find it, send an error.
      send_error(from, Constants::ErrUnknownTransferId)
    else
      # acked! send the next block
      tr[:offset] += tr[:blksize]
      next_block(tr)

      # If the transfer is finished, delete it
      if (tr[:offset] > tr[:file][:data].length)
        #puts "[*] Transfer complete"
        self.transfers.delete(tr)

        # if the file is a one-serve, delete it from the files array
        if tr[:file][:once]
          #puts "[*] Removed one-serve file: #{tr[:file][:name]}"
          self.files.delete(tr[:file])
        end
      end
    end

  when Constants::OpData
    # Process Data packets
    block = buf.unpack('n')[0]
    data = buf.slice(2, buf.length)

    #puts "%s %d %d bytes" % [start, block, data.length]

    tr = find_transfer(Constants::OpWrite, from, (block-1))
    if not tr
      # If we didn't find it, send an error.
      send_error(from, Constants::ErrUnknownTransferId)
    else
      tr[:file][:data] << data
      tr[:last_size] = data.length
      next_block(tr)

      # Similar to RRQ transfers, we cannot detect that the
      # transfer finished here. We must do so after transmitting
      # the final ACK.
    end

  else
    # Other packets are unsupported
    #puts start
    send_error(from, Constants::ErrAccessViolation)

  end
end

#find_file(fname) ⇒ Object

Find the hash entry for a file that may be offered


133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# File 'lib/rex/proto/tftp/server.rb', line 133

def find_file(fname)
  # Files served via register_file() take precedence.
  self.files.each do |f|
    if (fname == f[:name])
      return f
    end
  end

  # Now, if we have a tftproot, see if it can serve from it
  if @tftproot
    return find_file_in_root(fname)
  end

  nil
end

#find_file_in_root(fname) ⇒ Object

Find the file in the specified tftp root and add a temporary entry to the files hash.


154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
# File 'lib/rex/proto/tftp/server.rb', line 154

def find_file_in_root(fname)
  fn = ::File.expand_path(::File.join(@tftproot, fname))

  # Don't allow directory traversal
  return nil if fn.index(@tftproot) != 0

  return nil if not ::File.file?(fn) or not ::File.readable?(fn)

  # Read the file contents, and register it as being served once
  data = data = ::File.open(fn, "rb") { |fd| fd.read(fd.stat.size) }
  register_file(fname, data)

  # Return the last file in the array
  return self.files[-1]
end

#find_transfer(type, from, block) ⇒ Object (protected)


179
180
181
182
183
184
185
186
# File 'lib/rex/proto/tftp/server.rb', line 179

def find_transfer(type, from, block)
  self.transfers.each do |tr|
    if (tr[:type] == type and tr[:from] == from and tr[:block] == block)
      return tr
    end
  end
  nil
end

#monitor_socketObject (protected)

See if there is anything to do.. If so, dispatch it.


228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
# File 'lib/rex/proto/tftp/server.rb', line 228

def monitor_socket
  while true
    rds = [@sock]
    wds = []
    self.transfers.each do |tr|
      if (not tr[:last_sent])
        wds << @sock
        break
      end
    end
    eds = [@sock]

    r,w,e = ::IO.select(rds,wds,eds,1)

    if (r != nil and r[0] == self.sock)
      buf,host,port = self.sock.recvfrom(65535)
      # Lame compatabilitiy :-/
      from = [host, port]
      dispatch_request(from, buf)
    end

    #
    # Check to see if transfers need maintenance
    #
    self.transfers.each do |tr|
      # We handle RRQ and WRQ separately
      #
      if (tr[:type] == Constants::OpRead)
        # Are we awaiting an ack?
        if (tr[:last_sent])
          check_retransmission(tr)
        elsif (w != nil and w[0] == self.sock)
          # No ack waiting, send next block..
          chunk = tr[:file][:data].slice(tr[:offset], tr[:blksize])
          if (chunk and chunk.length >= 0)
            pkt = [Constants::OpData, tr[:block]].pack('nn')
            pkt << chunk

            send_packet(tr[:from], pkt)
            tr[:last_sent] = ::Time.now

            # If the file is a one-serve, mark it as started
            tr[:file][:started] = true if (tr[:file][:once])
          else
            # No more chunks.. transfer is most likely done.
            # However, we can only delete it once the last chunk has been
            # acked.
          end
        end
      else
        # Are we awaiting data?
        if (tr[:last_sent])
          check_retransmission(tr)
        elsif (w != nil and w[0] == self.sock)
          # Not waiting for data, send an ack..
          #puts "[*] sending ack for block %d" % [tr[:block]]
          pkt = [Constants::OpAck, tr[:block]].pack('nn')

          send_packet(tr[:from], pkt)
          tr[:last_sent] = ::Time.now

          # If we had a 0-511 byte chunk, we're done.
          if (tr[:last_size] and tr[:last_size] < tr[:blksize])
            #puts "[*] Transfer complete, saving output"
            save_output(tr)
            self.transfers.delete(tr)
          end
        end
      end
    end
  end
end

#next_block(tr) ⇒ Object (protected)


302
303
304
305
306
# File 'lib/rex/proto/tftp/server.rb', line 302

def next_block(tr)
  tr[:block] += 1
  tr[:last_sent] = nil
  tr[:retries] = 0
end

#process_options(from, buf, tr) ⇒ Object (protected)


440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
# File 'lib/rex/proto/tftp/server.rb', line 440

def process_options(from, buf, tr)
  found = 0
  to_ack = []
  while buf.length >= 4
    opt = TFTP::get_string(buf)
    break if not opt
    val = TFTP::get_string(buf)
    break if not val

    found += 1

    # Is it one we support?
    opt.downcase!

    case opt
    when "blksize"
      val = val.to_i
      if val > 0
        tr[:blksize] = val
        to_ack << [ opt, val.to_s ]
      end

    when "timeout"
      val = val.to_i
      if val >= 1 and val <= 255
        tr[:timeout] = val
        to_ack << [ opt, val.to_s ]
      end

    when "tsize"
      if tr[:type] == Constants::OpRead
        len = tr[:file][:data].length
      else
        val = val.to_i
        len = val
      end
      to_ack << [ opt, len.to_s ]

    end
  end

  return if to_ack.length < 1

  # if we have anything to ack, do it
  data = [Constants::OpOptAck].pack('n')
  to_ack.each { |el|
    data << el[0] << "\x00" << el[1] << "\x00"
  }

  send_packet(from, data)
end

#register_file(fn, content, once = false) ⇒ Object

Register a filename and content for a client to request


82
83
84
85
86
87
88
# File 'lib/rex/proto/tftp/server.rb', line 82

def register_file(fn, content, once = false)
  self.files << {
    :name => fn,
    :data => content,
    :once => once
  }
end

#save_output(tr) ⇒ Object (protected)


188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# File 'lib/rex/proto/tftp/server.rb', line 188

def save_output(tr)
  self.uploaded << tr[:file]

  return incoming_file_hook.call(tr) if incoming_file_hook

  if @output_dir
    fn = tr[:file][:name].split(File::SEPARATOR)[-1]
    if fn
      fn = ::File.join(@output_dir, Rex::FileUtils.clean_path(fn))
      ::File.open(fn, "wb") { |fd|
        fd.write(tr[:file][:data])
      }
    end
  end
end

#send_error(from, num) ⇒ Object

Send an error packet w/the specified code and string


110
111
112
113
114
115
116
117
118
119
# File 'lib/rex/proto/tftp/server.rb', line 110

def send_error(from, num)
  if (num < 1 or num >= Constants::ERRCODES.length)
    # ignore..
    return
  end
  pkt = [Constants::OpError, num].pack('nn')
  pkt << Constants::ERRCODES[num]
  pkt << "\x00"
  send_packet(from, pkt)
end

#send_packet(from, pkt) ⇒ Object

Send a single packet to the specified host


125
126
127
# File 'lib/rex/proto/tftp/server.rb', line 125

def send_packet(from, pkt)
  self.sock.sendto(pkt, from[0], from[1])
end

#set_output_dir(outdir) ⇒ Object

Register a directory to write uploaded files to


102
103
104
# File 'lib/rex/proto/tftp/server.rb', line 102

def set_output_dir(outdir)
  @output_dir = outdir if ::File.directory?(outdir)
end

#set_tftproot(rootdir) ⇒ Object

Register an entire directory to serve files from


94
95
96
# File 'lib/rex/proto/tftp/server.rb', line 94

def set_tftproot(rootdir)
  @tftproot = rootdir if ::File.directory?(rootdir)
end

#startObject

Start the TFTP server


46
47
48
49
50
51
52
53
54
55
56
# File 'lib/rex/proto/tftp/server.rb', line 46

def start
  self.sock = Rex::Socket::Udp.create(
    'LocalHost' => listen_host,
    'LocalPort' => listen_port,
    'Context'   => context
    )

  self.thread = Rex::ThreadFactory.spawn("TFTPServerMonitor", false) {
    monitor_socket
  }
end

#stopObject

Stop the TFTP server


62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# File 'lib/rex/proto/tftp/server.rb', line 62

def stop
  @shutting_down = true

  # Wait a maximum of 30 seconds for all transfers to finish.
  start = ::Time.now
  while (self.transfers.length > 0)
    ::IO.select(nil, nil, nil, 0.5)
    dur = ::Time.now - start
    break if (dur > 30)
  end

  self.files.clear
  self.thread.kill
  self.sock.close rescue nil # might be closed already
end