Class: Rex::Proto::TFTP::Server

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/tftp/server.rb

Overview

TFTP Server class

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(port = 69, listen_host = '0.0.0.0', context = {}) ⇒ Server

Returns a new instance of Server.


29
30
31
32
33
34
35
36
37
38
39
40
41
# File 'lib/rex/proto/tftp/server.rb', line 29

def initialize(port = 69, listen_host = '0.0.0.0', context = {})
  self.listen_host = listen_host
  self.listen_port = port
  self.context = context
  self.sock = nil
  @shutting_down = false
  @output_dir = nil
  @tftproot = nil

  self.files = []
  self.uploaded = []
  self.transfers = []
end

Instance Attribute Details

#contextObject

Returns the value of attribute context


172
173
174
# File 'lib/rex/proto/tftp/server.rb', line 172

def context
  @context
end

#filesObject

Returns the value of attribute files


173
174
175
# File 'lib/rex/proto/tftp/server.rb', line 173

def files
  @files
end

#incoming_file_hookObject

Returns the value of attribute incoming_file_hook


176
177
178
# File 'lib/rex/proto/tftp/server.rb', line 176

def incoming_file_hook
  @incoming_file_hook
end

#listen_hostObject

Returns the value of attribute listen_host


172
173
174
# File 'lib/rex/proto/tftp/server.rb', line 172

def listen_host
  @listen_host
end

#listen_portObject

Returns the value of attribute listen_port


172
173
174
# File 'lib/rex/proto/tftp/server.rb', line 172

def listen_port
  @listen_port
end

#sockObject

Returns the value of attribute sock


173
174
175
# File 'lib/rex/proto/tftp/server.rb', line 173

def sock
  @sock
end

#threadObject

Returns the value of attribute thread


174
175
176
# File 'lib/rex/proto/tftp/server.rb', line 174

def thread
  @thread
end

#transfersObject

Returns the value of attribute transfers


173
174
175
# File 'lib/rex/proto/tftp/server.rb', line 173

def transfers
  @transfers
end

#uploadedObject

Returns the value of attribute uploaded


173
174
175
# File 'lib/rex/proto/tftp/server.rb', line 173

def uploaded
  @uploaded
end

Instance Method Details

#check_retransmission(tr) ⇒ Object (protected)


206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
# File 'lib/rex/proto/tftp/server.rb', line 206

def check_retransmission(tr)
  elapsed = ::Time.now - tr[:last_sent]
  if (elapsed >= tr[:timeout])
    # max retries reached?
    if (tr[:retries] < 3)
      #if (tr[:type] == OpRead)
      #	puts "[-] ack timed out, resending block"
      #else
      #	puts "[-] block timed out, resending ack"
      #end
      tr[:last_sent] = nil
      tr[:retries] += 1
    else
      #puts "[-] maximum tries reached, terminating transfer"
      self.transfers.delete(tr)
    end
  end
end

#dispatch_request(from, buf) ⇒ Object (protected)

Dispatch a packet that we received


313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
# File 'lib/rex/proto/tftp/server.rb', line 313

def dispatch_request(from, buf)

  op = buf.unpack('n')[0]
  buf.slice!(0,2)

  #XXX: todo - create call backs for status
  #start = "[*] TFTP - %s:%u - %s" % [from[0], from[1], OPCODES[op]]

  case op
  when OpRead
    # Process RRQ packets
    fn = TFTP::get_string(buf)
    mode = TFTP::get_string(buf).downcase

    #puts "%s %s %s" % [start, fn, mode]

    if (not @shutting_down) and (file = self.find_file(fn))
      if (file[:once] and file[:started])
        send_error(from, ErrFileNotFound)
      else
        transfer = {
          :type => OpRead,
          :from => from,
          :file => file,
          :block => 1,
          :blksize => 512,
          :offset => 0,
          :timeout => 3,
          :last_sent => nil,
          :retries => 0
        }

        process_options(from, buf, transfer)

        self.transfers << transfer
      end
    else
      #puts "[-] file not found!"
      send_error(from, ErrFileNotFound)
    end

  when OpWrite
    # Process WRQ packets
    fn = TFTP::get_string(buf)
    mode = TFTP::get_string(buf).downcase

    #puts "%s %s %s" % [start, fn, mode]

    if not @shutting_down
      transfer = {
        :type => OpWrite,
        :from => from,
        :file => { :name => fn, :data => '' },
        :block => 0, # WRQ starts at 0
        :blksize => 512,
        :timeout => 3,
        :last_sent => nil,
        :retries => 0
      }

      process_options(from, buf, transfer)

      self.transfers << transfer
    else
      send_error(from, ErrIllegalOperation)
    end

  when OpAck
    # Process ACK packets
    block = buf.unpack('n')[0]

    #puts "%s %d" % [start, block]

    tr = find_transfer(OpRead, from, block)
    if not tr
      # NOTE: some clients, such as pxelinux, send an ack for block 0.
      # To deal with this, we simply ignore it as we start with block 1.
      return if block == 0

      # If we didn't find it, send an error.
      send_error(from, ErrUnknownTransferId)
    else
      # acked! send the next block
      tr[:offset] += tr[:blksize]
      next_block(tr)

      # If the transfer is finished, delete it
      if (tr[:offset] > tr[:file][:data].length)
        #puts "[*] Transfer complete"
        self.transfers.delete(tr)

        # if the file is a one-serve, delete it from the files array
        if tr[:file][:once]
          #puts "[*] Removed one-serve file: #{tr[:file][:name]}"
          self.files.delete(tr[:file])
        end
      end
    end

  when OpData
    # Process Data packets
    block = buf.unpack('n')[0]
    data = buf.slice(2, buf.length)

    #puts "%s %d %d bytes" % [start, block, data.length]

    tr = find_transfer(OpWrite, from, (block-1))
    if not tr
      # If we didn't find it, send an error.
      send_error(from, ErrUnknownTransferId)
    else
      tr[:file][:data] << data
      tr[:last_size] = data.length
      next_block(tr)

      # Similar to RRQ transfers, we cannot detect that the
      # transfer finished here. We must do so after transmitting
      # the final ACK.
    end

  else
    # Other packets are unsupported
    #puts start
    send_error(from, ErrAccessViolation)

  end
end

#find_file(fname) ⇒ Object

Find the hash entry for a file that may be offered


134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# File 'lib/rex/proto/tftp/server.rb', line 134

def find_file(fname)
  # Files served via register_file() take precedence.
  self.files.each do |f|
    if (fname == f[:name])
      return f
    end
  end

  # Now, if we have a tftproot, see if it can serve from it
  if @tftproot
    return find_file_in_root(fname)
  end

  nil
end

#find_file_in_root(fname) ⇒ Object

Find the file in the specified tftp root and add a temporary entry to the files hash.


155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
# File 'lib/rex/proto/tftp/server.rb', line 155

def find_file_in_root(fname)
  fn = ::File.expand_path(::File.join(@tftproot, fname))

  # Don't allow directory traversal
  return nil if fn.index(@tftproot) != 0

  return nil if not ::File.file?(fn) or not ::File.readable?(fn)

  # Read the file contents, and register it as being served once
  data = data = ::File.open(fn, "rb") { |fd| fd.read(fd.stat.size) }
  register_file(fname, data)

  # Return the last file in the array
  return self.files[-1]
end

#find_transfer(type, from, block) ⇒ Object (protected)


180
181
182
183
184
185
186
187
# File 'lib/rex/proto/tftp/server.rb', line 180

def find_transfer(type, from, block)
  self.transfers.each do |tr|
    if (tr[:type] == type and tr[:from] == from and tr[:block] == block)
      return tr
    end
  end
  nil
end

#monitor_socketObject (protected)

See if there is anything to do.. If so, dispatch it.


229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
# File 'lib/rex/proto/tftp/server.rb', line 229

def monitor_socket
  while true
    rds = [@sock]
    wds = []
    self.transfers.each do |tr|
      if (not tr[:last_sent])
        wds << @sock
        break
      end
    end
    eds = [@sock]

    r,w,e = ::IO.select(rds,wds,eds,1)

    if (r != nil and r[0] == self.sock)
      buf,host,port = self.sock.recvfrom(65535)
      # Lame compatabilitiy :-/
      from = [host, port]
      dispatch_request(from, buf)
    end

    #
    # Check to see if transfers need maintenance
    #
    self.transfers.each do |tr|
      # We handle RRQ and WRQ separately
      #
      if (tr[:type] == OpRead)
        # Are we awaiting an ack?
        if (tr[:last_sent])
          check_retransmission(tr)
        elsif (w != nil and w[0] == self.sock)
          # No ack waiting, send next block..
          chunk = tr[:file][:data].slice(tr[:offset], tr[:blksize])
          if (chunk and chunk.length >= 0)
            pkt = [OpData, tr[:block]].pack('nn')
            pkt << chunk

            send_packet(tr[:from], pkt)
            tr[:last_sent] = ::Time.now

            # If the file is a one-serve, mark it as started
            tr[:file][:started] = true if (tr[:file][:once])
          else
            # No more chunks.. transfer is most likely done.
            # However, we can only delete it once the last chunk has been
            # acked.
          end
        end
      else
        # Are we awaiting data?
        if (tr[:last_sent])
          check_retransmission(tr)
        elsif (w != nil and w[0] == self.sock)
          # Not waiting for data, send an ack..
          #puts "[*] sending ack for block %d" % [tr[:block]]
          pkt = [OpAck, tr[:block]].pack('nn')

          send_packet(tr[:from], pkt)
          tr[:last_sent] = ::Time.now

          # If we had a 0-511 byte chunk, we're done.
          if (tr[:last_size] and tr[:last_size] < tr[:blksize])
            #puts "[*] Transfer complete, saving output"
            save_output(tr)
            self.transfers.delete(tr)
          end
        end
      end
    end
  end
end

#next_block(tr) ⇒ Object (protected)


303
304
305
306
307
# File 'lib/rex/proto/tftp/server.rb', line 303

def next_block(tr)
  tr[:block] += 1
  tr[:last_sent] = nil
  tr[:retries] = 0
end

#process_options(from, buf, tr) ⇒ Object (protected)


441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
# File 'lib/rex/proto/tftp/server.rb', line 441

def process_options(from, buf, tr)
  found = 0
  to_ack = []
  while buf.length >= 4
    opt = TFTP::get_string(buf)
    break if not opt
    val = TFTP::get_string(buf)
    break if not val

    found += 1

    # Is it one we support?
    opt.downcase!

    case opt
    when "blksize"
      val = val.to_i
      if val > 0
        tr[:blksize] = val
        to_ack << [ opt, val.to_s ]
      end

    when "timeout"
      val = val.to_i
      if val >= 1 and val <= 255
        tr[:timeout] = val
        to_ack << [ opt, val.to_s ]
      end

    when "tsize"
      if tr[:type] == OpRead
        len = tr[:file][:data].length
      else
        val = val.to_i
        len = val
      end
      to_ack << [ opt, len.to_s ]

    end
  end

  return if to_ack.length < 1

  # if we have anything to ack, do it
  data = [OpOptAck].pack('n')
  to_ack.each { |el|
    data << el[0] << "\x00" << el[1] << "\x00"
  }

  send_packet(from, data)
end

#register_file(fn, content, once = false) ⇒ Object

Register a filename and content for a client to request


83
84
85
86
87
88
89
# File 'lib/rex/proto/tftp/server.rb', line 83

def register_file(fn, content, once = false)
  self.files << {
    :name => fn,
    :data => content,
    :once => once
  }
end

#save_output(tr) ⇒ Object (protected)


189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
# File 'lib/rex/proto/tftp/server.rb', line 189

def save_output(tr)
  self.uploaded << tr[:file]

  return incoming_file_hook.call(tr) if incoming_file_hook

  if @output_dir
    fn = tr[:file][:name].split(File::SEPARATOR)[-1]
    if fn
      fn = ::File.join(@output_dir, Rex::FileUtils.clean_path(fn))
      ::File.open(fn, "wb") { |fd|
        fd.write(tr[:file][:data])
      }
    end
  end
end

#send_error(from, num) ⇒ Object

Send an error packet w/the specified code and string


111
112
113
114
115
116
117
118
119
120
# File 'lib/rex/proto/tftp/server.rb', line 111

def send_error(from, num)
  if (num < 1 or num >= ERRCODES.length)
    # ignore..
    return
  end
  pkt = [OpError, num].pack('nn')
  pkt << ERRCODES[num]
  pkt << "\x00"
  send_packet(from, pkt)
end

#send_packet(from, pkt) ⇒ Object

Send a single packet to the specified host


126
127
128
# File 'lib/rex/proto/tftp/server.rb', line 126

def send_packet(from, pkt)
  self.sock.sendto(pkt, from[0], from[1])
end

#set_output_dir(outdir) ⇒ Object

Register a directory to write uploaded files to


103
104
105
# File 'lib/rex/proto/tftp/server.rb', line 103

def set_output_dir(outdir)
  @output_dir = outdir if ::File.directory?(outdir)
end

#set_tftproot(rootdir) ⇒ Object

Register an entire directory to serve files from


95
96
97
# File 'lib/rex/proto/tftp/server.rb', line 95

def set_tftproot(rootdir)
  @tftproot = rootdir if ::File.directory?(rootdir)
end

#startObject

Start the TFTP server


47
48
49
50
51
52
53
54
55
56
57
# File 'lib/rex/proto/tftp/server.rb', line 47

def start
  self.sock = Rex::Socket::Udp.create(
    'LocalHost' => listen_host,
    'LocalPort' => listen_port,
    'Context'   => context
    )

  self.thread = Rex::ThreadFactory.spawn("TFTPServerMonitor", false) {
    monitor_socket
  }
end

#stopObject

Stop the TFTP server


63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# File 'lib/rex/proto/tftp/server.rb', line 63

def stop
  @shutting_down = true

  # Wait a maximum of 30 seconds for all transfers to finish.
  start = ::Time.now
  while (self.transfers.length > 0)
    ::IO.select(nil, nil, nil, 0.5)
    dur = ::Time.now - start
    break if (dur > 30)
  end

  self.files.clear
  self.thread.kill
  self.sock.close rescue nil # might be closed already
end