Module: Msf::Exploit::Remote::TcpServer

Includes:
SocketServer
Included in:
FtpServer, HttpServer, SMB::Server
Defined in:
lib/msf/core/exploit/remote/tcp_server.rb

Overview

This mixin provides a generic interface for running a TCP server that is designed to exploit clients. Exploits that include this mixin automatically take a passive stance: they listen for incoming client connections instead of connecting out to a target.

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

Methods included from SocketServer

#_determine_server_comm, #cleanup, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #stop_service, #via_string

Instance Method Details

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 16

# Registers the datastore options shared by every module that runs a TCP
# server through this mixin.
#
# Three groups are registered in order: the basic SSL switch and certificate
# path, advanced listener/TLS tuning, and the TCP evasion settings. The first
# two groups are owned by Msf::Exploit::Remote::TcpServer; the evasion group is
# registered under Msf::Exploit::Remote::Tcp.
#
# @param info [Hash] module information, handed unchanged to the parent
#   initializer via the bare +super+
def initialize(info = {})
  super

  basic_options = [
    OptBool.new('SSL', [false, 'Negotiate SSL for incoming connections', false]),
    # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
    # NOTE(review): Opt::SSLVersion is nevertheless registered as an advanced
    # option below, so the remark above may be stale -- confirm.
    OptPath.new('SSLCert', [false, 'Path to a custom SSL certificate (default is randomly generated)'])
  ]
  register_options(basic_options, Msf::Exploit::Remote::TcpServer)

  advanced_options = [
    OptString.new('ListenerComm', [false, 'The specific communication channel to use for this service']),
    # TLS-level compression stays off unless explicitly enabled; compression
    # inside TLS is the precondition for CRIME-style side channels.
    OptBool.new('SSLCompression', [false, 'Enable SSL/TLS-level compression', false]),
    # "ADH" in the help text names anonymous Diffie-Hellman suites, which
    # provide no server authentication.
    OptString.new('SSLCipher', [false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"']),
    Opt::SSLVersion
  ]
  register_advanced_options(advanced_options, Msf::Exploit::Remote::TcpServer)

  # Both evasion settings default to 0, which their help text defines as disabled.
  evasion_options = [
    OptInt.new('TCP::max_send_size', [false, 'Maximum tcp segment size.  (0 = disable)', 0]),
    OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
  ]
  register_evasion_options(evasion_options, Msf::Exploit::Remote::Tcp)
end

#on_client_close(client) ⇒ Object

Called when a client has disconnected.



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 51

# Hook invoked when a client has disconnected. The default implementation
# does nothing; including modules override it to react to the disconnect.
#
# @param client [Object] the client handle passed in by the service callback
# @return [nil]
def on_client_close(client)
  nil
end

#on_client_connect(client) ⇒ Object

Called when a client connects.



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 45

# Hook invoked when a client connects. The default implementation does
# nothing; including modules override it to handle the new connection.
#
# @param client [Object] the client handle passed in by the service callback
# @return [nil]
def on_client_connect(client)
  nil
end

#ssl ⇒ Object

Returns the SSL option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 117

# Reads the +SSL+ datastore option.
#
# @return [Object] the value currently stored under 'SSL' in the datastore
def ssl
  ssl_setting = datastore['SSL']
  ssl_setting
end

#ssl_cert ⇒ Object

Returns the SSLCert option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 124

# Reads the +SSLCert+ datastore option.
#
# @return [Object] the value currently stored under 'SSLCert' in the datastore
def ssl_cert
  cert_setting = datastore['SSLCert']
  cert_setting
end

#ssl_cipher ⇒ Object

Returns the SSLCipher option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 131

# Reads the +SSLCipher+ datastore option.
#
# @return [Object] the value currently stored under 'SSLCipher' in the datastore
def ssl_cipher
  cipher_setting = datastore['SSLCipher']
  cipher_setting
end

#ssl_compression ⇒ Bool

Returns whether SSL/TLS-level compression is enabled.

Returns:

  • (Bool)

    whether SSL/TLS-level compression is enabled



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 136

# Reads the +SSLCompression+ datastore option.
#
# @return [Object] the value currently stored under 'SSLCompression' in the
#   datastore
def ssl_compression
  compression_setting = datastore['SSLCompression']
  compression_setting
end

#ssl_version ⇒ Object

Returns the SSLVersion option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 143

# Reads the +SSLVersion+ datastore option.
#
# @return [Object] the value currently stored under 'SSLVersion' in the datastore
def ssl_version
  version_setting = datastore['SSLVersion']
  version_setting
end

#start_service(opts = {}) ⇒ Object

Starts the service.



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 57

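# Starts the listening TCP service and connects this module's client
# callbacks to it.
#
# The Rex::Socket::TcpServer parameters are built from srvhost, srvport and
# the SSL* accessors, and +opts+ is then merged on top. Any key supplied in
# +opts+ therefore replaces the module-derived value, including the SSL
# settings and the 'Context' hash.
#
# @param opts [Hash] extra or overriding parameters for
#   Rex::Socket::TcpServer.create
# @raise [Errno::EACCES] always re-raised when raised while creating or
#   starting the service; operator guidance is printed first only when
#   srvport is below 1024
def start_service(opts = {})
  begin
    comm = _determine_server_comm(srvhost)

    self.service = Rex::Socket::TcpServer.create({
      'LocalHost'      => srvhost,
      'LocalPort'      => srvport,
      'SSL'            => ssl,
      'SSLCert'        => ssl_cert,
      'SSLCipher'      => ssl_cipher,
      'SSLCompression' => ssl_compression,
      'SSLVersion'     => ssl_version,
      'Comm'           => comm,
      'Context'        =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        }
    }.update(opts))

    # Forward each service event to the overridable hook of the same name.
    self.service.on_client_connect_proc = Proc.new { |client|
      on_client_connect(client)
    }
    self.service.on_client_data_proc = Proc.new { |client|
      on_client_data(client)
    }
    self.service.on_client_close_proc = Proc.new { |client|
      on_client_close(client)
    }

    # Start the listening service
    self.service.start

  rescue ::Errno::EACCES => e
    # Only privileged ports get the explanatory text; the error itself is
    # re-raised for every port.
    if (srvport.to_i < 1024)
      print_line(" ")
      print_error("Could not start the TCP server: #{e}.")
      # Each fragment ends with a space so the joined sentences do not run
      # together in the printed message.
      print_error(
        "This module is configured to use a privileged TCP port (#{srvport}). " +
        "On Unix systems, only the root user account is allowed to bind to privileged ports. " +
        "Please run the framework as root to use this module."
      )
      print_error(
        "On Microsoft Windows systems, this error is returned when a process attempts to "+
        "listen on a host/port combination that is already in use. For example, Windows XP "+
        "will return this error if a process attempts to bind() over the system SMB/NetBIOS services."
      )
      print_line(" ")
    end
    raise e
  end

  via = via_string(comm)
  # IPv6 literals are bracketed so the trailing ":port" stays unambiguous.
  hoststr = Rex::Socket.is_ipv6?(srvhost) ? "[#{srvhost}]" : srvhost
  print_status("Started service listener on #{hoststr}:#{srvport} #{via}")
end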