Module: Msf::Exploit::Remote::HttpServer
- Includes:
- Auxiliary::Report, TcpServer
- Included in:
- CmdStager::HTTP, BrowserExploit, HTML, PHPInclude, Java::HTTP::ClassLoader
- Defined in:
- lib/msf/core/exploit/remote/http_server.rb
Overview
This module provides methods for exploiting an HTTP client by acting as an HTTP server.
Defined Under Namespace
Modules: BrowserExploit, HTML, PHPInclude
Instance Attribute Summary
Attributes included from SocketServer
Instance Method Summary collapse
-
#add_resource(opts) ⇒ Object
Adds a URI resource using the supplied hash parameters.
- #add_robots_resource ⇒ Object
-
#autofilter ⇒ Object
By default, all HTTP servers are not subject to automatic exploitation.
-
#check_dependencies ⇒ Object
This method gives a derived class the opportunity to ensure that all dependencies are present before initializing the service.
-
#cleanup ⇒ Object
Take care of removing any resources that we created.
-
#cli ⇒ Object
Thread-local client accessor.
-
#cli=(cli) ⇒ Object
Thread-local client accessor.
-
#close_client(cli) ⇒ Object
Closes a client connection.
-
#create_response(code = 200, message = "OK", proto = Rex::Proto::Http::DefaultProtocol) ⇒ Object
Creates an HTTP response packet.
-
#fingerprint_user_agent(ua_str) ⇒ Object
Return a Hash containing a best guess at the actual browser and operating system versions, based on the User-Agent header.
-
#get_resource ⇒ Object
Returns the last-used resource path.
-
#get_uri(cli = self.cli) ⇒ Object
Return a full url of the form
http://1.1.1.1:8080/resource/
. -
#hardcoded_uripath(uri) ⇒ void
Set #on_request_uri to handle the given
uri
in addition to the one specified by the developer in opts or by the user in URIPATH. - #initialize(info = {}) ⇒ Object
-
#on_request_uri(cli, request) ⇒ Object
Called when a request is made to a single URI registered during the start_service.
- #print_prefix ⇒ Object
-
#random_uri ⇒ Object
Generates a random URI for use with making finger printing more challenging.
-
#regenerate_payload(cli, arch = nil, platform = nil, target = nil) ⇒ Object
Re-generates the payload, substituting the current RHOST and RPORT with the supplied client host and port.
-
#remove_resource(name) ⇒ Object
Removes a URI resource.
-
#report_user_agent(address, request, client_opts = {}) ⇒ Object
Store the results of server-side User-Agent fingerprinting in the DB.
-
#resource_uri ⇒ Object
Returns the configured (or random, if not configured) URI path.
-
#send_local_redirect(cli, location) ⇒ Object
Sends a 302 redirect relative to our base path.
-
#send_not_found(cli) ⇒ Object
Sends a 404.
-
#send_redirect(cli, location = '/', body = '', headers = {}) ⇒ Object
Sends a 302 redirect to the client.
-
#send_response(cli, body, headers = {}) ⇒ Object
Transmits a response to the supplied client, default content-type is text/html.
-
#send_robots(cli, request) ⇒ Object
Sends a canned robots.txt file.
-
#srvhost_addr ⇒ String
An address to which the client can route.
-
#srvport ⇒ Object
Returns the local port that is being listened on.
-
#start_service(opts = {}) ⇒ Object
:category: Exploit::Remote::TcpServer overrides.
-
#use_zlib ⇒ Object
Ensures that gzip can be used.
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Methods included from TcpServer
#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version
Methods included from SocketServer
#_determine_server_comm, #bindhost, #bindport, #cleanup_service, #exploit, #on_client_data, #primer, #srvhost, #via_string
Instance Method Details
#add_resource(opts) ⇒ Object
Adds a URI resource using the supplied hash parameters.
Path => The path to associate the procedure with.
Proc => The procedure to call when the URI is requested.
LongCall => Indicates that the request is a long call.
NOTE: Calling #add_resource will change the results of subsequent calls to #get_resource!
398 399 400 401 402 403 404 405 406 407 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 398 def add_resource(opts) @service_path = opts['Path'] res = service.add_resource(opts['Path'], opts) # This has to go *after* the call to service.add_resource in case # the service manager doesn't like it for some reason and raises. @my_resources.push(opts['Path']) res end |
#add_robots_resource ⇒ Object
175 176 177 178 179 180 181 182 183 184 185 186 187 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 175 def add_robots_resource proc = Proc.new do |cli, req| self.cli = cli send_robots(cli, req) end vprint_status('Adding hardcoded URI /robots.txt') begin add_resource('Path' => '/robots.txt', 'Proc' => proc) rescue RuntimeError => e print_warning(e.) end end |
#autofilter ⇒ Object
By default, all HTTP servers are not subject to automatic exploitation
56 57 58 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 56 def autofilter false end |
#check_dependencies ⇒ Object
This method gives a derived class the opportunity to ensure that all dependencies are present before initializing the service.
By default, all HTTP server mixins will try to use zlib.
100 101 102 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 100 def check_dependencies use_zlib end |
#cleanup ⇒ Object
Take care of removing any resources that we created
213 214 215 216 217 218 219 220 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 213 def cleanup # Must dup here because remove_resource modifies @my_resources @my_resources.dup.each do |resource| remove_resource(resource) end super end |
#cli ⇒ Object
Thread-local client accessor
63 64 65 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 63 def cli Thread.current[:cli] end |
#cli=(cli) ⇒ Object
Thread-local client accessor
70 71 72 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 70 def cli=(cli) Thread.current[:cli] = cli end |
#close_client(cli) ⇒ Object
Closes a client connection.
535 536 537 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 535 def close_client(cli) service.close_client(cli) end |
#create_response(code = 200, message = "OK", proto = Rex::Proto::Http::DefaultProtocol) ⇒ Object
Creates an HTTP response packet.
542 543 544 545 546 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 542 def create_response(code = 200, = "OK", proto = Rex::Proto::Http::DefaultProtocol) res = Rex::Proto::Http::Response.new(code, , proto); res['Content-Type'] = 'text/html' res end |
#fingerprint_user_agent(ua_str) ⇒ Object
Return a Hash containing a best guess at the actual browser and operating system versions, based on the User-Agent header.
Keys in the returned hash are similar to those expected of Report#report_client, and Msf::DBManager#report_host namely:
:ua_name
-
a brief identifier for the client, e.g. “Firefox”
:ua_ver
-
the version number of the client, e.g. “3.0.11”
:os_name
-
something like “Windows XP”, “Windows 7”, or “Linux”
:os_flavor
-
something like “Enterprise”, “Pro”, or “Home”
:os_lang
-
something like “English”, “French”, or “en-US”
:arch
-
one of the ARCH_* constants
Unknown values may be nil.
237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 237 def fingerprint_user_agent(ua_str) fp = { :ua_string => ua_str } # Guess the browser type based on the user agent # Check for IE last since its often impersonated case (ua_str.downcase) # Chrome tries to look like Safari, so check it first when /chrome\/(\d+(:?\.\d+)*)/ # Matches, e.g.: # Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3 fp[:ua_name] = HttpClients::CHROME fp[:ua_ver] = $1 when /version\/(\d+(:?\.\d+)*)\s*safari/ fp[:ua_name] = HttpClients::SAFARI fp[:ua_ver] = $1 when /firefox\/((:?[0-9]+\.)+[0-9]+)/ fp[:ua_name] = HttpClients::FF fp[:ua_ver] = $1 when /opera\/(\d+(:?\.\d+)*)/ fp[:ua_name] = HttpClients::OPERA fp[:ua_ver] = $1 when /mozilla\/[0-9]+\.[0-9] \(compatible; msie ([0-9]+\.[0-9]+)/i, /mozilla\/[0-9]+\.[0-9] \(.+ rv:([0-9]+\.[0-9])\)/i fp[:ua_name] = HttpClients::IE fp[:ua_ver] = $1 when /git\/([0-9]+(\.[0-9]+)+)/ fp[:ua_name] = HttpClients::GIT fp[:ua_ver] = $1 when /git-lfs\/([0-9]+(\.[0-9]+)+)/ fp[:ua_name] = HttpClients::GIT_LFS fp[:ua_ver] = $1 else fp[:ua_name] = HttpClients::UNKNOWN end # Guess the language case (ua_str.downcase) when /(en-us|en-gb)/ fp[:os_lang] = $1 end # Guess the general OS type case (ua_str.downcase) when /windows|win32/ fp[:os_name] = OperatingSystems::WINDOWS fp[:arch] = ARCH_X86 when /linux/ fp[:os_name] = OperatingSystems::LINUX when /iphone|ipad/ fp[:os_name] = OperatingSystems::APPLE_IOS fp[:arch] = 'armle' when /mac os x/ fp[:os_name] = OperatingSystems::MAC_OSX else fp[:os_name] = OperatingSystems::UNKNOWN end # Determine the specific OS variant # Note that we assume windows variants are the # client version and mismatch server editions. case (ua_str.downcase) when /windows 95/ fp[:os_name] = 'Windows 95' when /windows 98/ fp[:os_name] = 'Windows 98' when /windows nt 4/ fp[:os_name] = 'Windows NT' when /windows nt 5.0/ fp[:os_name] = 'Windows 2000' when /windows nt 5.1/ fp[:os_name] = 'Windows XP' when /windows nt 5.2/ fp[:os_name] = 'Windows 2003' when /windows nt 6.0/ fp[:os_name] = 'Windows Vista' when /windows nt 6.1/ fp[:os_name] = 'Windows 7' when /windows nt 6.2/ fp[:os_name] = 'Windows 8' when /windows nt 6.3/ fp[:os_name] = 'Windows 8.1' when /gentoo/ fp[:os_vendor] = 'Gentoo' when /debian/ fp[:os_vendor] = 'Debian' when /ubuntu/ fp[:os_vendor] = 'Ubuntu' when /fedora/ fp[:os_vendor] = 'Fedora' when /red hat|rhel/ fp[:os_vendor] = 'RHEL' when /android/ fp[:os_name] = OperatingSystems::ANDROID end # Guess the architecture case (ua_str.downcase) when /ppc/ fp[:arch] = ARCH_PPC when /x64|x86_64/ fp[:arch] = ARCH_X64 when /i.86|wow64/ # WOW64 means "Windows on Windows64" and is present # in the useragent of 32-bit IE running on 64-bit # Windows fp[:arch] = ARCH_X86 when /android|iphone|ipod|ipad/ fp[:arch] = ARCH_ARMLE else fp[:arch] = ARCH_X86 end fp end |
#get_resource ⇒ Object
Returns the last-used resource path
412 413 414 415 416 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 412 def get_resource # We don't want modules modifying their service_path inadvertently, so # give them a dup. Can be nil during module setup. @service_path ? @service_path.dup : nil end |
#get_uri(cli = self.cli) ⇒ Object
Return a full url of the form http://1.1.1.1:8080/resource/
The address portion should be something a client would be able to route, but see #srvhost_addr for caveats.
424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 424 def get_uri(cli=self.cli) resource = get_resource # The resource won't exist until the server is started return unless resource ssl = !!(datastore["SSL"]) proto = (ssl ? "https://" : "http://") if datastore['URIHOST'] host = datastore['URIHOST'] elsif (cli and cli.peerhost) host = Rex::Socket.source_address(cli.peerhost) else host = srvhost_addr end if Rex::Socket.is_ipv6?(host) host = "[#{host}]" end if datastore['URIPORT'] && datastore['URIPORT'] != 0 port = ':' + datastore['URIPORT'].to_s elsif (ssl and datastore["SRVPORT"] == 443) port = '' elsif (!ssl and datastore["SRVPORT"] == 80) port = '' else port = ":" + datastore["SRVPORT"].to_s end uri = proto + host + port + resource uri end |
#hardcoded_uripath(uri) ⇒ void
This MUST be called from SocketServer#primer so that the service has been set
This method returns an undefined value.
Set #on_request_uri to handle the given uri
in addition to the one specified by the developer in opts or by the user in URIPATH.
up but we have not yet entered the listen/accept loop.
198 199 200 201 202 203 204 205 206 207 208 209 210 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 198 def hardcoded_uripath(uri) proc = Proc.new do |cli, req| on_request_uri(cli, req) end vprint_status("Adding hardcoded uri #{uri}") begin add_resource({'Path' => uri, 'Proc' => proc}) rescue RuntimeError => e print_error("This module requires a hardcoded uri at #{uri}. Can't run while other modules are using it.") raise e end end |
#initialize(info = {}) ⇒ Object
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 21 def initialize(info = {}) super ( [ OptString.new('URIPATH', [ false, "The URI to use for this exploit (default is random)"]), ], Exploit::Remote::HttpServer ) ( [ OptBool.new('HTTP::no_cache', [false, 'Disallow the browser to cache HTTP content', false]), OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]), OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]), OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]), OptEnum.new('HTTP::compression', [false, 'Enable compression of HTTP responses via content encoding', 'none', ['none','gzip','deflate']]), OptString.new('HTTP::server_name', [true, 'Configures the Server header of all outgoing replies', 'Apache']) ], Exploit::Remote::HttpServer ) ([ OptAddress.new('URIHOST', [false, 'Host to use in URI (useful for tunnels)']), OptPort.new('URIPORT', [false, 'Port to use in URI (useful for tunnels)']), OptBool.new('SendRobots', [false, 'Return a robots.txt file if asked for one', false]) ]) # Used to keep track of resources added to the service manager by # this module. see #add_resource and #cleanup @my_resources = [] @service_path = nil end |
#on_request_uri(cli, request) ⇒ Object
Called when a request is made to a single URI registered during the start_service. Subsequent registrations will not result in a call to on_request_uri.
Modules should override this method.
694 695 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 694 def on_request_uri(cli, request) end |
#print_prefix ⇒ Object
74 75 76 77 78 79 80 81 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 74 def print_prefix if cli && self.respond_to?(:stance) && !(stance == Msf::Exploit::Stance::Aggressive || stance.include?(Msf::Exploit::Stance::Aggressive)) super + "#{cli.peerhost.ljust(16)} #{self.shortname} - " else super end end |
#random_uri ⇒ Object
Generates a random URI for use with making finger printing more challenging.
658 659 660 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 658 def random_uri "/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6) end |
#regenerate_payload(cli, arch = nil, platform = nil, target = nil) ⇒ Object
Re-generates the payload, substituting the current RHOST and RPORT with the supplied client host and port.
666 667 668 669 670 671 672 673 674 675 676 677 678 679 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 666 def regenerate_payload(cli, arch = nil, platform = nil, target = nil) pcode = nil # If the payload fails to generate for some reason, send a 403. if ((pcode = super(cli, arch, platform, target)) == nil) print_error("Failed to generate payload, sending 403.") cli.send_response( create_response(403, 'Forbidden')) return nil end pcode end |
#remove_resource(name) ⇒ Object
Removes a URI resource.
524 525 526 527 528 529 530 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 524 def remove_resource(name) # Guard against removing resources added by other modules if @my_resources.include?(name) @my_resources.delete(name) service.remove_resource(name) if service end end |
#report_user_agent(address, request, client_opts = {}) ⇒ Object
Store the results of server-side User-Agent fingerprinting in the DB.
Returns a Hash containing host and client information.
359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 359 def report_user_agent(address, request, client_opts={}) fp = fingerprint_user_agent(request["User-Agent"]) host = { :address => address, :host => address, } host[:os_name] = fp[:os_name] if fp[:os_name] host[:os_flavor] = fp[:os_flavor] if fp[:os_flavor] host[:arch] = fp[:arch] if fp[:arch] host[:os_lang] = fp[:os_lang] if fp[:os_lang] report_host(host) client = { :host => address, :ua_string => request['User-Agent'], } client[:ua_name] = fp[:ua_name] if fp[:ua_name] client[:ua_ver] = fp[:ua_ver] if fp[:ua_ver] client.merge!(client_opts) if client_opts report_client(client) report_note( :host => address, :type => 'http.request', :data => "#{address}: #{request.method} #{request.resource} #{client[:os_name]} #{client[:ua_name]} #{client[:ua_ver]}", :update => :unique_data ) return host.merge(client) end |
#resource_uri ⇒ Object
Returns the configured (or random, if not configured) URI path
647 648 649 650 651 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 647 def resource_uri path = datastore['URIPATH'] || random_uri path = '/' + path if path !~ /^\// return path end |
#send_local_redirect(cli, location) ⇒ Object
Sends a 302 redirect relative to our base path
602 603 604 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 602 def send_local_redirect(cli, location) send_redirect(cli, get_resource + location) end |
#send_not_found(cli) ⇒ Object
Sends a 404
610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 610 def send_not_found(cli) resp_404 = create_response(404, 'Not Found') resp_404.body = %Q{\ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.2.9 (Unix) Server at #{datastore['LHOST']} Port #{datastore['SRVPORT']}</address> </body></html> } cli.send_response(resp_404) end |
#send_redirect(cli, location = '/', body = '', headers = {}) ⇒ Object
Sends a 302 redirect to the client
588 589 590 591 592 593 594 595 596 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 588 def send_redirect(cli, location='/', body='', headers = {}) response = create_response(302, 'Moved') response['Content-Type'] = 'text/html' response['Location'] = location response.body = body.to_s.unpack("C*").pack("C*") headers.each_pair { |k,v| response[k] = v } cli.send_response(response) end |
#send_response(cli, body, headers = {}) ⇒ Object
Transmits a response to the supplied client, default content-type is text/html
Payload evasions are implemented here!
553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 553 def send_response(cli, body, headers = {}) response = create_response response['Content-Type'] = 'text/html' response.body = body.to_s.unpack("C*").pack("C*") if (datastore['HTTP::compression']) self.use_zlib # make sure... response.compress = datastore['HTTP::compression'] end if datastore['HTTP::chunked'] response.auto_cl = false response.transfer_chunked = true end if datastore['HTTP::header_folding'] response.headers.fold = 1 end if datastore['HTTP::junk_headers'] response.headers.junk_headers = 1 end if datastore['HTTP::no_cache'] response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate' end headers.each_pair { |k,v| response[k] = v } cli.send_response(response) end |
#send_robots(cli, request) ⇒ Object
Sends a canned robots.txt file
630 631 632 633 634 635 636 637 638 639 640 641 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 630 def send_robots(cli, request) print_status('Sending robots.txt') robots = create_response(200, 'Success') robots['Content-Type'] = 'text/plain' robots.body = %Q{\ User-agent: * Disallow: / } cli.send_response(robots) end |
#srvhost_addr ⇒ String
An address to which the client can route.
If available, return LHOST which should be the right thing since it already has to be an address the client can route to for the payload to work. However, LHOST will only be available if we're using a reverse_* payload, so if we don't have it, try to use the client's peerhost address. Failing that, fall back to the addr with the default gateway. All of this will be for naught in the case of a user behind NAT using a bind payload but there's nothing we can do about it.
NOTE: The address will be incorrect in the following two situations:
-
LHOST is pointed at a exploit/multi/handler on some other box.
-
SRVHOST has a value of '0.0.0.0', the user is behind NAT, and we're using a bind payload. In that case, we don't have an LHOST and the source address will be internal.
This can potentially be dealt with in a module by using the Host header from a request if such a header exists.
480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 480 def srvhost_addr if datastore['URIHOST'] host = datastore['URIHOST'] elsif (datastore['LHOST'] and (!datastore['LHOST'].strip.empty?)) host = datastore["LHOST"] else if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") if (respond_to?(:sock) and sock and sock.peerhost) # Then this is a Passive-Aggressive module. It has a socket # connected to the remote server from which we can deduce the # appropriate source address. host = Rex::Socket.source_address(sock.peerhost) else # Otherwise, this module is only a server, not a client, *and* # the payload does not have an LHOST option. This can happen, # for example, with a browser exploit using a download-exec # payload. In that case, just use the address of the interface # with the default gateway and hope for the best. host = Rex::Socket.source_address end else host = datastore['SRVHOST'] end end host end |
#srvport ⇒ Object
Returns the local port that is being listened on.
511 512 513 514 515 516 517 518 519 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 511 def srvport if datastore['URIPORT'] port = datastore['URIPORT'] else port = datastore['SRVPORT'] end port end |
#start_service(opts = {}) ⇒ Object
:category: Exploit::Remote::TcpServer overrides
This mixin starts the HTTP server listener. This routine takes a few different hash parameters:
ServerHost => Override the server host to listen on (default to SRVHOST).
ServerPort => Override the server port to listen on (default to SRVPORT).
Uri => The URI to handle and the associated procedure to call.
TODO: This must be able to take an SSL parameter and not rely completely on the datastore. (See dlink_upnp_exec_noauth)
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 117 def start_service(opts = {}) check_dependencies # Start a new HTTP server service. self.service = Rex::ServiceManager.start( Rex::Proto::Http::Server, (opts['ServerPort'] || bindport).to_i, opts['ServerHost'] || bindhost, datastore['SSL'], # XXX: Should be in opts, need to test this { 'Msf' => framework, 'MsfExploit' => self, }, opts['Comm'] || _determine_server_comm(opts['ServerHost'] || bindhost), datastore['SSLCert'], datastore['SSLCompression'], datastore['SSLCipher'], datastore['SSLVersion'] ) self.service.server_name = datastore['HTTP::server_name'] # Default the procedure of the URI to on_request_uri if one isn't # provided. uopts = { 'Proc' => Proc.new { |cli, req| self.cli = cli ( self.respond_to?(:filter_request_uri) && filter_request_uri(cli, req) ) ? nil : on_request_uri(cli, req) }, 'Path' => opts['Path'] || resource_uri }.update(opts['Uri'] || {}) proto = (datastore["SSL"] ? "https" : "http") # SSLCompression may or may not actually be available. For example, on # Ubuntu, it's disabled by default, unless the correct environment # variable is set. See https://github.com/rapid7/metasploit-framework/pull/2666 if proto == "https" and datastore['SSLCompression'] print_status("Intentionally using insecure SSL compression. Your operating system might not respect this!") end netloc = srvhost_addr if (proto == 'http' && srvport != 80) || (proto == 'https' && srvport != 443) if Rex::Socket.is_ipv6?(netloc) netloc = "[#{netloc}]:#{srvport}" else netloc = "#{netloc}:#{srvport}" end end print_status("Using URL: #{proto}://#{netloc}#{uopts['Path']}") add_robots_resource if datastore['SendRobots'] add_resource(uopts) end |
#use_zlib ⇒ Object
Ensures that gzip can be used. If not, an exception is generated. The exception is only raised if the DisableGzip advanced option has not been set.
88 89 90 91 92 |
# File 'lib/msf/core/exploit/remote/http_server.rb', line 88 def use_zlib if !Rex::Text.zlib_present? && datastore['HTTP::compression'] raise RuntimeError, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!" end end |