Module: Msf::Exploit::Remote::NDMP

Includes:
Tcp
Defined in:
lib/msf/core/exploit/remote/ndmp.rb

Overview

This module exposes methods for accessing NDMP services

Instance Attribute Summary collapse

Attributes included from Tcp

#sock

Instance Method Summary collapse

Methods included from Tcp

#chost, #cleanup, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Attribute Details

#recv_buffObject

Returns the value of attribute recv_buff.



121
122
123
 
# File 'lib/msf/core/exploit/remote/ndmp.rb', line 121

def recv_buff
  @recv_buff
end

Instance Method Details

#connectObject

Flush the receive buffer on a new connection



33
34
35
36
 
# File 'lib/msf/core/exploit/remote/ndmp.rb', line 33

def connect
  super
  self.recv_buff = ''
end

#initialize(info = {}) ⇒ Object

Creates an instance of a NDMP exploit module.



17
18
19
20
21
22
23
24
25
26
27
28
 
# File 'lib/msf/core/exploit/remote/ndmp.rb', line 17

def initialize(info = {})
  super

  # Register the options that all NDMP exploits may make use of.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(10000),
    ], Msf::Exploit::Remote::NDMP)

  self.recv_buff = ''
end

#ndmp_infoObject

This method dumps ndmp version information



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
# File 'lib/msf/core/exploit/remote/ndmp.rb', line 41

def ndmp_info
  connect
  req = [
      1,               # Sequence number
      Time.now.to_i,   # Current time
      0,               # Message type (request)
      0x108,           # Message name (version)
      0,               # Reply sequence number
      0,               # Error status
    ].pack('NNNNNN')

  resp = ndmp_recv()
  ndmp_send(req)
  resp = ndmp_recv()
  disconnect

  if !(resp and resp.length > 28)
    return false
  end

  info = { }

  i = 32

  vend_len = resp[i, 4].unpack('N')[0]
  vend     = resp[i + 4, vend_len]
  i += vend_len + 4 + 1

  prod_len = resp[i, 4].unpack('N')[0]
  prod     = resp[i + 4, prod_len]
  i += prod_len + 4 + 1

  vers_len = resp[i, 4].unpack('N')[0]
  vers     = resp[i + 4, vers_len]
  i += vers_len + 4 + 1

  info['Version'] = vers
  info['Product'] = prod
  info['Vendor']  = vend

  return info
end

#ndmp_recv(nsock = self.sock) ⇒ Object

This method reads from the socket and parses out a single NDMP response, buffering the rest



88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
 
# File 'lib/msf/core/exploit/remote/ndmp.rb', line 88

def ndmp_recv(nsock = self.sock)
  # Attempt to read at least four bytes (the length value)
  if (self.recv_buff.length < 4)
    self.recv_buff << ( sock.get_once( 4 - self.recv_buff.length, 5) || '' )
  end

  # If we did not receive a full length value, return early
  if (self.recv_buff.length < 4)
    return false
  end

  # Read the length header out of the message
  dlen = self.recv_buff[0, 4].unpack('N')[0] & 0x7fffffff

  # Read any pending data and append it to the buffer
  self.recv_buff << ( sock.get_once || '' )

  # Do we have the entire response message?
  if (self.recv_buff.length >= dlen + 4)
    return self.recv_buff.slice!(0, dlen + 4)
  end

  return false
end

#ndmp_send(data, nsock = self.sock) ⇒ Object

This method tacks a length header on a packet then sends it out the socket



117
118
119
 
# File 'lib/msf/core/exploit/remote/ndmp.rb', line 117

def ndmp_send(data, nsock = self.sock)
  nsock.put( [ data.length + 0x80000000 ].pack('N') + data )
end