# -*- coding: binary -*- require 'singleton' require 'rex/socket' require 'rex/socket/tcp' require 'rex/socket/ssl_tcp' require 'rex/socket/ssl_tcp_server' require 'rex/socket/udp' require 'rex/socket/ip' require 'timeout' ### # # Local communication class factory. # ### class Rex::Socket::Comm::Local include Singleton include Rex::Socket::Comm # # Creates an instance of a socket using the supplied parameters. # def self.create(param) # Work around jRuby socket implementation issues if(RUBY_PLATFORM == 'java') return self.create_jruby(param) end case param.proto when 'tcp' return create_by_type(param, ::Socket::SOCK_STREAM, ::Socket::IPPROTO_TCP) when 'udp' return create_by_type(param, ::Socket::SOCK_DGRAM, ::Socket::IPPROTO_UDP) when 'ip' return create_ip(param) else raise Rex::UnsupportedProtocol.new(param.proto), caller end end # # Creates an instance of a socket using the supplied parameters. # Use various hacks to make this work with jRuby # def self.create_jruby(param) sock = nil # Notify handlers of the before socket create event. self.instance.notify_before_socket_create(self, param) case param.proto when 'tcp' if (param.server?) sock = TCPServer.new(param.localport, param.localhost) klass = Rex::Socket::TcpServer if (param.ssl) klass = Rex::Socket::SslTcpServer end sock.extend(klass) else sock = TCPSocket.new(param.peerhost, param.peerport) klass = Rex::Socket::Tcp if (param.ssl) klass = Rex::Socket::SslTcp end sock.extend(klass) end when 'udp' if (param.server?) sock = UDPServer.new(param.localport, param.localhost) klass = Rex::Socket::UdpServer sock.extend(klass) else sock = UDPSocket.new(param.peerhost, param.peerport) klass = Rex::Socket::Udp sock.extend(klass) end else raise Rex::UnsupportedProtocol.new(param.proto), caller end sock.initsock(param) self.instance.notify_socket_created(self, sock, param) return sock end # # Creates a raw IP socket using the supplied Parameter instance. # Special-cased because of how different it is from UDP/TCP # def self.create_ip(param) self.instance.notify_before_socket_create(self, param) sock = ::Socket.open(::Socket::PF_INET, ::Socket::SOCK_RAW, ::Socket::IPPROTO_RAW) sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_HDRINCL, 1) # Configure broadcast support sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_BROADCAST, true) if (param.bare? == false) sock.extend(::Rex::Socket::Ip) sock.initsock(param) end self.instance.notify_socket_created(self, sock, param) sock end # # Creates a socket using the supplied Parameter instance. # def self.create_by_type(param, type, proto = 0) # Whether to use IPv6 addressing usev6 = false # Detect IPv6 addresses and enable IPv6 accordingly if ( Rex::Socket.support_ipv6?()) # Allow the caller to force IPv6 if (param.v6) usev6 = true end # Force IPv6 mode for non-connected UDP sockets if (type == ::Socket::SOCK_DGRAM and not param.peerhost) # FreeBSD allows IPv6 socket creation, but throws an error on sendto() # Windows 7 SP1 and newer also fail to sendto with IPv6 udp sockets unless Rex::Compat.is_freebsd or Rex::Compat.is_windows usev6 = true end end local = Rex::Socket.resolv_nbo(param.localhost) if param.localhost peer = Rex::Socket.resolv_nbo(param.peerhost) if param.peerhost if (local and local.length == 16) usev6 = true end if (peer and peer.length == 16) usev6 = true end if (usev6) if (local and local.length == 4) if (local == "\x00\x00\x00\x00") param.localhost = '::' elsif (local == "\x7f\x00\x00\x01") param.localhost = '::1' else param.localhost = '::ffff:' + Rex::Socket.getaddress(param.localhost, true) end end if (peer and peer.length == 4) if (peer == "\x00\x00\x00\x00") param.peerhost = '::' elsif (peer == "\x7f\x00\x00\x01") param.peerhost = '::1' else param.peerhost = '::ffff:' + Rex::Socket.getaddress(param.peerhost, true) end end param.v6 = true end else # No IPv6 support param.v6 = false end # Notify handlers of the before socket create event. self.instance.notify_before_socket_create(self, param) # Create the socket sock = nil if (param.v6) sock = ::Socket.new(::Socket::AF_INET6, type, proto) else sock = ::Socket.new(::Socket::AF_INET, type, proto) end # Bind to a given local address and/or port if they are supplied if param.localport or param.localhost begin sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, true) sock.bind(Rex::Socket.to_sockaddr(param.localhost, param.localport)) rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE sock.close raise Rex::BindFailed.new(param.localhost, param.localport), caller end end # Configure broadcast support for all datagram sockets if (type == ::Socket::SOCK_DGRAM) sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_BROADCAST, true) end # If a server TCP instance is being created... if (param.server?) sock.listen(256) if (param.bare? == false) klass = Rex::Socket::TcpServer if (param.ssl) klass = Rex::Socket::SslTcpServer end sock.extend(klass) sock.initsock(param) end # Otherwise, if we're creating a client... else chain = [] # If we were supplied with host information if (param.peerhost) # A flag that indicates whether we need to try multiple scopes retry_scopes = false # Always retry with link-local IPv6 addresses if Rex::Socket.is_ipv6?( param.peerhost ) and param.peerhost =~ /^fe80::/ retry_scopes = true end # Prepare a list of scope IDs to try when connecting to # link-level addresses. Read from /proc if it is available, # otherwise increment through the first 255 IDs. @@ip6_lla_scopes ||= [] if @@ip6_lla_scopes.length == 0 and retry_scopes # Linux specific interface lookup code if ::File.exists?( "/proc/self/net/igmp6" ) ::File.open("/proc/self/net/igmp6") do |fd| fd.each_line do |line| line = line.strip tscope, tint, junk = line.split(/\s+/, 3) next if not tint # Specifying lo in any connect call results in the socket # being unusable, even if the correct interface is set. next if tint == "lo" @@ip6_lla_scopes << tscope end end else # Other Unix-like platforms should support a raw scope ID [*(1 .. 255)].map{ |x| @@ip6_lla_scopes << x.to_s } end end ip6_scope_idx = 0 ip = param.peerhost port = param.peerport if param.proxies chain = param.proxies.dup chain.push(['host',param.peerhost,param.peerport]) ip = chain[0][1] port = chain[0][2].to_i end begin begin Timeout.timeout(param.timeout) do sock.connect(Rex::Socket.to_sockaddr(ip, port)) end rescue ::Timeout::Error raise ::Errno::ETIMEDOUT end rescue ::Errno::EHOSTUNREACH,::Errno::ENETDOWN,::Errno::ENETUNREACH,::Errno::ENETRESET,::Errno::EHOSTDOWN,::Errno::EACCES,::Errno::EINVAL,::Errno::ENOPROTOOPT # Rescue errors caused by a bad Scope ID for a link-local address if retry_scopes and @@ip6_lla_scopes[ ip6_scope_idx ] ip = param.peerhost + "%" + @@ip6_lla_scopes[ ip6_scope_idx ] ip6_scope_idx += 1 retry end sock.close raise Rex::HostUnreachable.new(ip, port), caller rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE sock.close raise Rex::InvalidDestination.new(ip, port), caller rescue Errno::ETIMEDOUT sock.close raise Rex::ConnectionTimeout.new(ip, port), caller rescue ::Errno::ECONNRESET,::Errno::ECONNREFUSED,::Errno::ENOTCONN,::Errno::ECONNABORTED sock.close # Report the actual thing we were trying to connect to here, not # param.peerhost, since that's the eventual target at the end of the # proxy chain raise Rex::ConnectionRefused.new(ip, port.to_i), caller end end if (param.bare? == false) case param.proto when 'tcp' klass = Rex::Socket::Tcp sock.extend(klass) sock.initsock(param) when 'udp' sock.extend(Rex::Socket::Udp) sock.initsock(param) end end if chain.size > 1 chain.each_with_index { |proxy, i| next_hop = chain[i + 1] if next_hop proxy(sock, proxy[0], next_hop[1], next_hop[2]) end } end # Now extend the socket with SSL and perform the handshake if(param.bare? == false and param.ssl) klass = Rex::Socket::SslTcp sock.extend(klass) sock.initsock(param) end end # Notify handlers that a socket has been created. self.instance.notify_socket_created(self, sock, param) sock end def self.proxy(sock, type, host, port) case type.downcase when 'sapni' packet_type = 'NI_ROUTE' route_info_version = 2 ni_version = 39 num_of_entries = 2 talk_mode = 1 # ref: http://help.sap.com/saphelp_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767/content.htm num_rest_nodes = 1 shost, sport = sock.peerinfo.split(":") first_route_item = [shost, 0, sport, 0, 0].pack("A*CA*cc") route_data = [first_route_item.length, first_route_item].pack("NA*") route_data << [host, 0, port.to_s, 0, 0].pack("A*CA*cc") ni_packet = [ packet_type, 0, route_info_version, ni_version, num_of_entries, talk_mode, 0, 0, num_rest_nodes ].pack("A8c8") # Add the data block, according to sap documentation: # A 4-byte header precedes each data block. These 4 bytes give the # length of the data block (length without leading 4 bytes) # The data block (the route data) ni_packet << [route_data.length - 4].pack('N') + route_data # Now that we've built the whole packet, prepend its length before writing it to the wire ni_packet = [ni_packet.length].pack('N') + ni_packet size = sock.put(ni_packet) if size != ni_packet.length raise Rex::ConnectionProxyError.new(host, port, type, "Failed to send the entire request to the proxy"), caller end begin ret_len = sock.get_once(4, 30).unpack('N')[0] if ret_len and ret_len != 0 ret = sock.get_once(ret_len, 30) end rescue IOError raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a response from the proxy"), caller end if ret and ret.length < 4 raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a complete response from the proxy"), caller end if ret =~ /NI_RTERR/ case ret when /timed out/ raise Rex::ConnectionProxyError.new(host, port, type, "Connection to remote host #{host} timed out") when /refused/ raise Rex::ConnectionProxyError.new(host, port, type, "Connection to remote port #{port} closed") when /denied/ raise Rex::ConnectionProxyError.new(host, port, type, "Connection to #{host}:#{port} blocked by ACL") else raise Rex::ConnectionProxyError.new(host, port, type, "Connection to #{host}:#{port} failed (Unknown fail)") end elsif ret =~ /NI_PONG/ # success case # would like to print this "[*] remote native connection to #{host}:#{port} established\n" else raise Rex::ConnectionProxyError.new(host, port, type, "Connection to #{host}:#{port} failed (Unknown fail)") end when 'http' setup = "CONNECT #{host}:#{port} HTTP/1.0\r\n\r\n" size = sock.put(setup) if (size != setup.length) raise Rex::ConnectionProxyError.new(host, port, type, "Failed to send the entire request to the proxy"), caller end begin ret = sock.get_once(39,30) rescue IOError raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a response from the proxy"), caller end if ret.nil? raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a response from the proxy"), caller end resp = Rex::Proto::Http::Response.new resp.update_cmd_parts(ret.split(/\r?\n/)[0]) if resp.code != 200 raise Rex::ConnectionProxyError.new(host, port, type, "The proxy returned a non-OK response"), caller end when 'socks4' setup = [4,1,port.to_i].pack('CCn') + Socket.gethostbyname(host)[3] + Rex::Text.rand_text_alpha(rand(8)+1) + "\x00" size = sock.put(setup) if (size != setup.length) raise Rex::ConnectionProxyError.new(host, port, type, "Failed to send the entire request to the proxy"), caller end begin ret = sock.get_once(8, 30) rescue IOError raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a response from the proxy"), caller end if (ret.nil? or ret.length < 8) raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a complete response from the proxy"), caller end if ret[1,1] != "\x5a" raise Rex::ConnectionProxyError.new(host, port, type, "Proxy responded with error code #{ret[0,1].unpack("C")[0]}"), caller end when 'socks5' auth_methods = [5,1,0].pack('CCC') size = sock.put(auth_methods) if (size != auth_methods.length) raise Rex::ConnectionProxyError.new(host, port, type, "Failed to send the entire request to the proxy"), caller end ret = sock.get_once(2,30) if (ret[1,1] == "\xff") raise Rex::ConnectionProxyError.new(host, port, type, "The proxy requires authentication"), caller end if (Rex::Socket.is_ipv4?(host)) addr = Rex::Socket.gethostbyname(host)[3] setup = [5,1,0,1].pack('C4') + addr + [port.to_i].pack('n') elsif (Rex::Socket.support_ipv6? and Rex::Socket.is_ipv6?(host)) # IPv6 stuff all untested addr = Rex::Socket.gethostbyname(host)[3] setup = [5,1,0,4].pack('C4') + addr + [port.to_i].pack('n') else # Then it must be a domain name. # Unfortunately, it looks like the host has always been # resolved by the time it gets here, so this code never runs. setup = [5,1,0,3].pack('C4') + [host.length].pack('C') + host + [port.to_i].pack('n') end size = sock.put(setup) if (size != setup.length) raise Rex::ConnectionProxyError.new(host, port, type, "Failed to send the entire request to the proxy"), caller end begin response = sock.get_once(10, 30) rescue IOError raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a response from the proxy"), caller end if (response.nil? or response.length < 10) raise Rex::ConnectionProxyError.new(host, port, type, "Failed to receive a complete response from the proxy"), caller end if response[1,1] != "\x00" raise Rex::ConnectionProxyError.new(host, port, type, "Proxy responded with error code #{response[1,1].unpack("C")[0]}"), caller end else raise RuntimeError, "The proxy type specified is not valid", caller end end ## # # Registration # ## def self.register_event_handler(handler) # :nodoc: self.instance.register_event_handler(handler) end def self.deregister_event_handler(handler) # :nodoc: self.instance.deregister_event_handler(handler) end def self.each_event_handler(handler) # :nodoc: self.instance.each_event_handler(handler) end end