Module: Msf::Exploit::Remote::LDAP::Server

Includes:

SocketServer

Included in:

JndiInjection

Defined in:

lib/msf/core/exploit/remote/ldap/server.rb

Instance Attribute Summary

• #service ⇒ Object

  :nodoc:.

Instance Method Summary

• #initialize(info = {}) ⇒ Object

  Initializes an exploit module that serves LDAP requests.

• #on_dispatch_request(cli, data) ⇒ Object

  Handle incoming requests Override this method in modules to take flow control.

• #on_send_response(cli, data) ⇒ Object

  Handle incoming requests Override this method in modules to take flow control.

• #read_ldif ⇒ Object

  Read LDIF file - from github.com/ruby-ldap/ruby-net-ldap/blob/master/testserver/ldapserver.rb#L162.

• #start_service ⇒ Object

  Starts the server.

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Attribute Details

#service ⇒ Object

:nodoc:

# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 34

def service
  @service
end

Instance Method Details

#initialize(info = {}) ⇒ Object

Initializes an exploit module that serves LDAP requests

# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 16

def initialize(info = {})
  super

  register_options(
    [
      OptPort.new('SRVPORT', [true, 'The local port to listen on.', 389]),
      OptPath.new('LDIF_FILE', [ false, 'Directory LDIF file path']),
    ], Exploit::Remote::LDAP::Server
  )

  register_advanced_options(
    [
      OptBool.new('LdapServerUdp', [true, 'Serve UDP LDAP requests', true]),
      OptBool.new('LdapServerTcp', [true, 'Serve TCP LDAP requests', true])
    ], Exploit::Remote::LDAP::Server
  )
end

#on_dispatch_request(cli, data) ⇒ Object

Handle incoming requests Override this method in modules to take flow control

# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 62

def on_dispatch_request(cli, data)
  service.default_dispatch_request(cli, data)
end

#on_send_response(cli, data) ⇒ Object

Handle incoming requests Override this method in modules to take flow control

# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 70

def on_send_response(cli, data)
  cli.write(data)
end

#read_ldif ⇒ Object

Read LDIF file - from github.com/ruby-ldap/ruby-net-ldap/blob/master/testserver/ldapserver.rb#L162

@ return [Hash] parsed ldif file

# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 40

def read_ldif
  return if datastore['LDIF_FILE'].blank? || !File.exist?(datastore['LDIF_FILE'])

  ary = File.readlines(datastore['LDIF_FILE'])
  ldif = {}
  while (line = ary.shift) && line.chomp!
    next unless line =~ /^dn:\s*/i

    dn = Regexp.last_match.post_match
    ldif[dn] = {}
    while (attrib = ary.shift) && attrib.chomp! && attrib =~ /^(\w+)\s*:\s*/
      ldif[dn][Regexp.last_match(1)] ||= []
      ldif[dn][Regexp.last_match(1)] << Regexp.last_match.post_match
    end
  end
  ldif
end

#start_service ⇒ Object

Starts the server

# File 'lib/msf/core/exploit/remote/ldap/server.rb', line 77

def start_service
  comm = _determine_server_comm(bindhost)
  auth_handler = Rex::Proto::LDAP::Auth.new(
    datastore['CHALLENGE'],
    datastore['Domain'],
    datastore['Server'],
    datastore['DnsName'],
    datastore['DnsDomain']
  )
  self.service = Rex::ServiceManager.start(
    Rex::Proto::LDAP::Server,
    bindhost,
    bindport,
    datastore['LdapServerUdp'],
    datastore['LdapServerTcp'],
    read_ldif,
    comm,
    auth_handler,
    { 'Msf' => framework, 'MsfExploit' => self }
  )

  service.dispatch_request_proc = proc do |cli, data|
    on_dispatch_request(cli, data)
  end
  service.send_response_proc = proc do |cli, data|
    on_send_response(cli, data)
  end
rescue ::Errno::EACCES => e
  raise Rex::BindFailed, e.message
end