root / modules / auxiliary / scanner / tftp / tftpbrute.rb @ master
History | View | Annotate | Download (1.9 kB)
| 1 |
##
|
|---|---|
| 2 |
# $Id$
|
| 3 |
##
|
| 4 |
|
| 5 |
##
|
| 6 |
# This file is part of the Metasploit Framework and may be subject to
|
| 7 |
# redistribution and commercial restrictions. Please see the Metasploit
|
| 8 |
# Framework web site for more information on licensing and terms of use.
|
| 9 |
# http://metasploit.com/framework/
|
| 10 |
##
|
| 11 |
|
| 12 |
|
| 13 |
require 'msf/core'
|
| 14 |
|
| 15 |
class Metasploit3 < Msf::Auxiliary |
| 16 |
|
| 17 |
include Msf::Auxiliary::Scanner |
| 18 |
include Msf::Auxiliary::Report |
| 19 |
|
| 20 |
def initialize |
| 21 |
super(
|
| 22 |
'Name' => 'TFTP Brute Forcer', |
| 23 |
'Description' => 'This module uses a dictionary to brute force valid TFTP image names from a TFTP server.', |
| 24 |
'Author' => 'antoine', |
| 25 |
'Version' => '$Revision$', |
| 26 |
'License' => BSD_LICENSE |
| 27 |
) |
| 28 |
|
| 29 |
register_options( |
| 30 |
[ |
| 31 |
Opt::RPORT(69), |
| 32 |
Opt::CHOST, |
| 33 |
OptPath.new('DICTIONARY', [ true, 'The list of filenames', |
| 34 |
File.join(Msf::Config.install_root, "data", "wordlists", "tftp.txt") ]) |
| 35 |
], self.class)
|
| 36 |
end
|
| 37 |
|
| 38 |
def run_host(ip) |
| 39 |
begin
|
| 40 |
|
| 41 |
# Create an unbound UDP socket if no CHOST is specified, otherwise
|
| 42 |
# create a UDP socket bound to CHOST (in order to avail of pivoting)
|
| 43 |
udp_sock = Rex::Socket::Udp.create( |
| 44 |
{
|
| 45 |
'LocalHost' => datastore['CHOST'] || nil, |
| 46 |
'Context' =>
|
| 47 |
{
|
| 48 |
'Msf' => framework,
|
| 49 |
'MsfExploit' => self, |
| 50 |
} |
| 51 |
} |
| 52 |
) |
| 53 |
add_socket(udp_sock) |
| 54 |
|
| 55 |
fd = File.open(datastore['DICTIONARY'], 'rb') |
| 56 |
fd.read(fd.stat.size).split("\n").each do |filename| |
| 57 |
filename.strip! |
| 58 |
pkt = "\x00\x01" + filename + "\x00" + "netascii" + "\x00" |
| 59 |
udp_sock.sendto(pkt, ip, datastore['RPORT'])
|
| 60 |
resp = udp_sock.get(1)
|
| 61 |
if resp and resp.length >= 2 and resp[0, 2] == "\x00\x03" |
| 62 |
print_status("Found #{filename} on #{ip}")
|
| 63 |
#Add Report
|
| 64 |
report_note( |
| 65 |
:host => ip,
|
| 66 |
:proto => 'udp', |
| 67 |
:sname => 'tftp', |
| 68 |
:port => datastore['RPORT'], |
| 69 |
:type => "Found #{filename}", |
| 70 |
:data => "Found #{filename}" |
| 71 |
) |
| 72 |
end
|
| 73 |
end
|
| 74 |
fd.close |
| 75 |
rescue
|
| 76 |
ensure
|
| 77 |
udp_sock.close |
| 78 |
end
|
| 79 |
end
|
| 80 |
|
| 81 |
end
|