Module: Msf::Exploit::Remote::TcpServer

Includes:
SocketServer
Included in:
FtpServer, HttpServer
Defined in:
lib/msf/core/exploit/remote/tcp_server.rb

Overview

This mixin provides a generic interface for running a TCP server of some sort that is designed to exploit clients. Exploits that include this mixin automatically take a passive stance.

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Method Details

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 16

# Registers the listener's SSL options, advanced SSL options and TCP
# evasion options.
#
# The standard and advanced options are registered under
# Msf::Exploit::Remote::TcpServer; the two TCP:: evasion options are
# registered under Msf::Exploit::Remote::Tcp.
#
# @param info [Hash] module information, passed on to super as received
def initialize(info = {})
  super

  ssl_options = [
    OptBool.new('SSL', [false, 'Negotiate SSL for incoming connections', false]),
    # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
    # NOTE(review): Opt::SSLVersion is still registered as an advanced option
    # below and handed to the socket by start_service; confirm this remark is current.
    OptPath.new('SSLCert', [false, 'Path to a custom SSL certificate (default is randomly generated)'])
  ]
  register_options(ssl_options, Msf::Exploit::Remote::TcpServer)

  advanced_ssl_options = [
    # Off by default. TLS-level compression is the precondition for
    # compression side-channel attacks such as CRIME, so leave it off unless
    # a test specifically needs it.
    OptBool.new('SSLCompression', [false, 'Enable SSL/TLS-level compression', false]),
    # No default cipher spec is set here. "ADH" in the help text is anonymous
    # Diffie-Hellman, which provides no server authentication.
    OptString.new('SSLCipher', [false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"']),
    Opt::SSLVersion
  ]
  register_advanced_options(advanced_ssl_options, Msf::Exploit::Remote::TcpServer)

  evasion_options = [
    OptInt.new('TCP::max_send_size', [false, 'Maximum tcp segment size.  (0 = disable)', 0]),
    OptInt.new('TCP::send_delay', [false, 'Delays inserted before every send.  (0 = disable)', 0])
  ]
  register_evasion_options(evasion_options, Msf::Exploit::Remote::Tcp)
end

#on_client_close(client) ⇒ Object

Called when a client has disconnected.



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 50

# Hook called when a client has disconnected.
#
# The implementation here is a deliberate no-op. start_service installs this
# method as the service's on_client_close_proc.
#
# @param client [Object] the client that disconnected (unused here)
# @return [nil]
def on_client_close(client)
  # Default hook: nothing to do.
  nil
end

#on_client_connect(client) ⇒ Object

Called when a client connects.



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 44

# Hook called when a client connects.
#
# The implementation here is a deliberate no-op. start_service installs this
# method as the service's on_client_connect_proc.
#
# @param client [Object] the client that connected (unused here)
# @return [nil]
def on_client_connect(client)
  # Default hook: nothing to do.
  nil
end

#ssl ⇒ Object

Returns the SSL option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 116

# Reads the SSL option from the datastore.
#
# start_service passes this value to the listening socket as 'SSL'.
#
# @return [Object] the stored value of the 'SSL' option, as-is
def ssl
  option_name = 'SSL'
  datastore[option_name]
end

#ssl_cert ⇒ Object

Returns the SSLCert option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 123

# Reads the SSLCert option from the datastore.
#
# The option is optional; per its help text a certificate is randomly
# generated when no path is given.
#
# @return [Object] the stored value of the 'SSLCert' option, as-is
def ssl_cert
  option_name = 'SSLCert'
  datastore[option_name]
end

#ssl_cipher ⇒ Object

Returns the SSLCipher option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 130

# Reads the SSLCipher option from the datastore.
#
# The value is handed to the listening socket unchanged by start_service;
# nothing in this method validates the cipher spec.
#
# @return [Object] the stored value of the 'SSLCipher' option, as-is
def ssl_cipher
  option_name = 'SSLCipher'
  datastore[option_name]
end

#ssl_compression ⇒ Bool

Returns whether SSL/TLS-level compression is enabled.

Returns:

  • (Bool)

    enable SSL/TLS-level compression



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 135

# Reads the SSLCompression option from the datastore.
#
# TLS-level compression is what compression side-channel attacks such as
# CRIME depend on, so an enabled value here deserves a second look.
#
# @return [Bool] the stored value of the 'SSLCompression' option, as-is
def ssl_compression
  option_name = 'SSLCompression'
  datastore[option_name]
end

#ssl_version ⇒ Object

Returns the SSLVersion option



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 142

# Reads the SSLVersion option from the datastore.
#
# start_service passes this value to the listening socket as 'SSLVersion'.
#
# @return [Object] the stored value of the 'SSLVersion' option, as-is
def ssl_version
  option_name = 'SSLVersion'
  datastore[option_name]
end

#start_service(opts = {}) ⇒ Object

Starts the service.



# File 'lib/msf/core/exploit/remote/tcp_server.rb', line 56

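# Starts the TCP listener and connects its callbacks to this module.
#
# Creates a Rex::Socket::TcpServer bound to bindhost:bindport with the SSL
# settings read from the datastore, installs on_client_connect,
# on_client_data and on_client_close as the service callbacks, starts the
# service and prints a status line.
#
# @param opts [Hash] extra socket parameters; they are merged over the
#   defaults built here, so a key present in opts replaces the default
# @return [Object] whatever the final print_status call returns
# @raise [Errno::EACCES] re-raised after an explanatory hint has been
#   printed when the bound port is below 1024
def start_service(opts = {})
  begin
    comm = _determine_server_comm(bindhost)

    self.service = Rex::Socket::TcpServer.create({
      'LocalHost'      => bindhost,
      'LocalPort'      => bindport,
      'SSL'            => ssl,
      'SSLCert'        => ssl_cert,
      'SSLCipher'      => ssl_cipher,
      'SSLCompression' => ssl_compression,
      'SSLVersion'     => ssl_version,
      'Comm'           => comm,
      'Context'        =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        }
    }.update(opts))

    # Route the service's per-client events to this module's hook methods.
    self.service.on_client_connect_proc = proc { |client| on_client_connect(client) }
    self.service.on_client_data_proc = proc { |client| on_client_data(client) }
    self.service.on_client_close_proc = proc { |client| on_client_close(client) }

    # Start the listening service
    self.service.start

  rescue ::Errno::EACCES => e
    # The socket is bound to bindport ('LocalPort' above), so that is the port
    # that decides whether the privileged-port hint applies; the message below
    # already reports bindport.
    if bindport.to_i < 1024
      print_line(" ")
      print_error("Could not start the TCP server: #{e}.")
      # NOTE: on Linux a privileged port can also be bound without full root
      # (for example via CAP_NET_BIND_SERVICE or a port redirect), which keeps
      # the rest of the framework unprivileged.
      print_error(
        "This module is configured to use a privileged TCP port (#{bindport}). " +
        "On Unix systems, only the root user account is allowed to bind to privileged ports. " +
        "Please run the framework as root to use this module."
      )
      print_error(
        "On Microsoft Windows systems, this error is returned when a process attempts to " +
        "listen on a host/port combination that is already in use. For example, Windows XP " +
        "will return this error if a process attempts to bind() over the system SMB/NetBIOS services."
      )
      print_line(" ")
    end
    # Bare raise re-raises the exception currently being handled.
    raise
  end

  via = via_string(comm)
  # IPv6 literals are bracketed so the host:port form stays unambiguous.
  hoststr = Rex::Socket.is_ipv6?(bindhost) ? "[#{bindhost}]" : bindhost
  print_status("Started service listener on #{hoststr}:#{bindport} #{via}")
end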