Mirror of metasploit

smtp.rb 1.9KB

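# -*- coding: binary -*-
module Msf
  require 'msf/core/exploit/tcp'

  ###
  #
  # This module exposes methods that may be useful to exploits that deal with
  # servers that speak the SMTP protocol.
  #
  ###
  module Exploit::Remote::Smtp
    include Exploit::Remote::Tcp

    #
    # Creates an instance of an SMTP exploit module.
    #
    # +info+ is not read here; the bare +super+ forwards it up the
    # initializer chain unchanged.
    #
    def initialize(info = {})
      super

      # Register the options that all SMTP exploits may make use of.
      # MAILFROM and MAILTO are required strings with placeholder defaults.
      register_options(
        [
          Opt::RHOST,
          Opt::RPORT(25),
          OptString.new('MAILFROM', [true, 'FROM address of the e-mail', 'sender@example.com']),
          OptString.new('MAILTO', [true, 'TO address of the e-mail', 'target@example.com'])
        ], Msf::Exploit::Remote::Smtp
      )

      register_autofilter_ports([25, 465, 587, 2525, 25025, 25000])
      register_autofilter_services(%w[smtp smtps])
    end

    #
    # This method establishes a SMTP connection to host and port specified by
    # the RHOST and RPORT options, respectively. After connecting, the banner
    # message is read in and stored in the 'banner' attribute.
    #
    # +global+ is forwarded to the Tcp mixin's connect by the bare +super+.
    # Returns whatever that connect returned (used here as the socket).
    #
    def connect(global = true)
      fd = super

      # Wait for a banner to arrive. The second argument (30) is presumably a
      # timeout in seconds -- confirm against the socket's get_once. The result
      # is stored as-is, so callers should not assume banner is a non-empty
      # String.
      self.banner = fd.get_once(-1, 30)

      # Return the file descriptor to the caller
      fd
    end

    #
    # Connect to the remote SMTP server, and begin a DATA transfer.
    #
    # Sends EHLO, MAIL FROM, RCPT TO and DATA on the socket returned by
    # connect. The server's replies are read but never inspected, so this
    # method returns true even when the server rejected a command; callers
    # that need to know must check the conversation themselves.
    #
    # MAILFROM and MAILTO are interpolated into the command lines verbatim;
    # no CR/LF filtering or address validation is applied at this layer.
    # The EHLO argument is the fixed string "X".
    #
    def connect_login(global = true)
      smtpsock = connect(global)

      # Pass the socket explicitly. The default argument of raw_send_recv is
      # self.sock, which is only the right socket when the connection was
      # registered globally; with global = false the commands would otherwise
      # go to a different (or missing) socket.
      raw_send_recv("EHLO X\r\n", smtpsock)
      raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n", smtpsock)
      raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n", smtpsock)
      raw_send_recv("DATA\r\n", smtpsock)

      true
    end

    #
    # This method transmits an SMTP command and waits for a response. If one is
    # received, it is returned to the caller.
    #
    # +cmd+ is written to the socket unchanged, so the caller supplies the
    # trailing CRLF. +nsock+ defaults to the module's global socket.
    #
    def raw_send_recv(cmd, nsock = self.sock)
      nsock.put(cmd)
      nsock.get_once
    end

    protected

    #
    # This attribute holds the banner that was read in after a successful call
    # to connect or connect_login.
    #
    attr_accessor :banner
  end
end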