Module: Msf::Exploit::Remote::ZeroMQ

Includes:

Tcp

Defined in:

lib/msf/core/exploit/remote/zeromq.rb

Overview

This mixin is a simplistic implementation of ZeroMQ as used by SaltStack Salt

ZMTP 3.0 RFC: rfc.zeromq.org/spec/23/ Wireshark dissector: github.com/whitequark/zmtp-wireshark

TODO: Please iterate on this! I spent little time going over the protocol :(

Constant Summary

ZEROMQ_SIGNATURE =

"\xff\x00\x00\x00\x00\x00\x00\x00\x01\x7f".freeze

ZEROMQ_VERSION =

"\x03".freeze

Instance Attribute Summary

Attributes included from Tcp

#sock

Instance Method Summary

• #serialize_clear_load(load_hash = {}) ⇒ Object

  NOTE: This is Salt-specific code to serialize a cleartext MessagePack “load”.

• #zmq_connect ⇒ Object
• #zmq_disconnect ⇒ Object
• #zmq_negotiate(mechanism: 'NULL', client: 'REQ', server: 'ROUTER') ⇒ Object

  Replay the ZeroMQ elbow bump.

• #zmq_negotiate_ready_command(client = 'REQ', server = 'ROUTER') ⇒ Object
• #zmq_negotiate_security_mechanism(mechanism = 'NULL') ⇒ Object
• #zmq_negotiate_signature ⇒ Object
• #zmq_negotiate_version ⇒ Object
• #zmq_send_message(msg = '') ⇒ Object

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #initialize, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Method Details

#serialize_clear_load(load_hash = {}) ⇒ Object

NOTE: This is Salt-specific code to serialize a cleartext MessagePack “load”

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 129

def serialize_clear_load(load_hash = {})
  clear_load = {
    'enc' => 'clear',
    'load' => load_hash
  }

  # XXX: Strings NEED to be UTF-8 here, NOT binary!
  # rubocop:disable Security/Eval
  eval(clear_load.to_s.force_encoding(::Encoding::UTF_8)).to_msgpack
  # rubocop:enable Security/Eval
end

#zmq_connect ⇒ Object

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 19

def zmq_connect
  print_status("Connecting to ZeroMQ service at #{peer}")
  connect
end

#zmq_disconnect ⇒ Object

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 24

def zmq_disconnect
  vprint_status("Disconnecting from #{peer}")
  disconnect
end

#zmq_negotiate(mechanism: 'NULL', client: 'REQ', server: 'ROUTER') ⇒ Object

Replay the ZeroMQ elbow bump

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 30

def zmq_negotiate(mechanism: 'NULL', client: 'REQ', server: 'ROUTER')
  zmq_negotiate_signature
  zmq_negotiate_version
  zmq_negotiate_security_mechanism(mechanism)
  zmq_negotiate_ready_command(client, server)
end

#zmq_negotiate_ready_command(client = 'REQ', server = 'ROUTER') ⇒ Object

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 93

def zmq_negotiate_ready_command(client = 'REQ', server = 'ROUTER')
  print_status("Sending READY command of type #{client}")

  # 0x04 indicates an 8-bit command length
  sock.put(
    "\x04\x26" \
    "\x05READY" \
    "\x0bSocket-Type" \
    "\x00\x00\x00#{[client.length].pack('C')}#{client}" \
    "\x08Identity" \
    "\x00\x00\x00\x00"
  )

  unless (res = sock.get_once)
    fail_with(Msf::Exploit::Failure::Unknown, 'Did not receive READY reply')
  end

  unless res.match(/READY.+Socket-Type.+#{server}.+Identity/m)
    fail_with(
      Msf::Exploit::Failure::UnexpectedReply,
      "Did not receive READY reply of type #{server}: #{res.inspect}"
    )
  end

  vprint_good("Received READY reply of type #{server}")
end

#zmq_negotiate_security_mechanism(mechanism = 'NULL') ⇒ Object

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 73

def zmq_negotiate_security_mechanism(mechanism = 'NULL')
  print_status("Negotiating #{mechanism} security mechanism")

  unless (res = sock.get_once)
    fail_with(Msf::Exploit::Failure::Unknown, 'Did not receive security mechanism')
  end

  unless res.include?(mechanism)
    fail_with(
      Msf::Exploit::Failure::UnexpectedReply,
      "Did not receive #{mechanism} security mechanism: #{res.inspect}"
    )
  end

  vprint_good("Received #{mechanism} security mechanism")

  vprint_status("Sending #{mechanism} security mechanism")
  sock.put(res)
end

#zmq_negotiate_signature ⇒ Object

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 37

def zmq_negotiate_signature
  print_status('Negotiating signature')

  unless (res = sock.get_once)
    fail_with(Msf::Exploit::Failure::Unknown, 'Did not receive signature')
  end

  unless res == ZEROMQ_SIGNATURE
    fail_with(Msf::Exploit::Failure::UnexpectedReply,
              "Received invalid signature: #{res.inspect}")
  end

  vprint_good("Received valid signature: #{res.inspect}")

  vprint_status('Sending identical signature')
  sock.put(res)
end

#zmq_negotiate_version ⇒ Object

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 55

def zmq_negotiate_version
  print_status('Negotiating version')

  unless (res = sock.get_once)
    fail_with(Msf::Exploit::Failure::Unknown, 'Did not receive version')
  end

  unless res == ZEROMQ_VERSION
    fail_with(Msf::Exploit::Failure::UnexpectedReply,
              "Received incompatible version: #{res.inspect}")
  end

  vprint_good("Received compatible version: #{res.inspect}")

  vprint_status('Sending identical version')
  sock.put(res)
end

#zmq_send_message(msg = '') ⇒ Object

# File 'lib/msf/core/exploit/remote/zeromq.rb', line 120

def zmq_send_message(msg = '')
  # 0x02 indicates a 64-bit message length
  sock.put(
    "\x01\x00" \
    "\x02#{[msg.length].pack('Q>')}#{msg}"
  )
end